Stefan Eßer [Thu, 8 Jun 2023 14:45:11 +0000 (16:45 +0200)]
usr.bin/bc: fix build issue of version 6.6.0 on MIPS
The update removed MIPS and POWERPC64 from the list of architectures
that cannot use LTO to build this software.
Restore the previous exception list and do not use LTO on MIPS,
MIPS64, POWERPC64, and RISCV64. This is necessary due to differences
in compiler support for LTO in -CURRENT vs. 13-STABLE.
This release that fixes an infinite loop bug in the (non-standard)
extended math library functions root() and cbrt(), fixes a bug with
BC_LINE_LENGTH=0, and adds the fib() function to the extended math
library to calculate Fibonacci numbers.
Ed Maste [Wed, 8 Feb 2023 13:16:53 +0000 (08:16 -0500)]
ssh: fix leak and apply style(9) to hostname canonicalization
Fixes: bf2e2524a2ce ("ssh: canonicize the host name before...")
Fixes: 3e74849a1ee2 ("ssh: canonicize the host name before...")
Reviewed by: rew
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38441
Ed Maste [Wed, 7 Sep 2022 14:12:37 +0000 (10:12 -0400)]
Cirrus-CI: move QEMU pkg installation to test script
Occasionally the QEMU package fails to build and isn't available on
-CURRENT using the Latest package set. Move the package installation
to the test script, so that if the package isn't available we at least
still perform a build test.
Ed Maste [Tue, 9 May 2023 18:26:47 +0000 (14:26 -0400)]
Cirrus-CI: add gcc12 automatic task on primary GitHub mirror
We want to get GCC coverage via Cirrus-CI, but don't want to trigger
excessive runs across all forks and branches. Create a duplicate gcc12
task to run automatically for freebsd/freebsd-src.
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
Chuck Silvers [Tue, 30 May 2023 02:26:28 +0000 (19:26 -0700)]
ffs: restore backward compatibility of newfs and makefs with older binaries
The previous change to CGSIZE had the unintended side-effect of allowing
newfs and makefs to create file systems that would fail validation when
examined by older commands and kernels, by allowing newfs/makefs to pack
slightly more blocks into a CG than those older binaries think is valid.
Fix this by having newfs/makefs artificially restrict the number of blocks
in a CG to the slightly smaller value that those older binaries will accept.
The validation code will continue to accept the slightly larger value
that the current newfs/makefs (before this change) could create.
This patch fixes TCP connection hangs for 1 rxq and 1 txq without rxcsum
enabled. Documentation for 10G cards and other drivers suggest enabling
rxcsum for RSS and disabling otherwise. When PCSD bit is not set then
fragment checksum and IP identification are reported in the rx
descriptor. When PCSD bit is set then RSS hash value is reported in the
rx descriptor. RSS and RX IPP checksum are mutually exclusive.
Eric Joyner [Wed, 24 May 2023 23:38:02 +0000 (16:38 -0700)]
ice(4): Update to 1.37.11-k
This driver update has no corresponding ice_ddp update, and doesn't
contain very many functional changes:
- Some refactoring for future SR-IOV PF support
- Various minor fixes
Dimitry Andric [Mon, 29 May 2023 14:27:58 +0000 (16:27 +0200)]
Apply clang fixes for crashes compiling ARM/AArch64 CRC intrinsics
Merge commit 069ecd0c6e2c from llvm-project (by Fangrui Song):
[ARM] Check target feature support for __builtin_arm_crc*
`__builtin_arm_crc*` requires the target feature crc which is available on armv8
and above. Calling the fuctions for armv7 leads to a SelectionDAG crash.
```
% clang -c --target=armv7-unknown-linux-gnueabi -c a.c
fatal error: error in backend: Cannot select: intrinsic %llvm.arm.crc32b
PLEASE submit a bug report to ...
```
Add `TARGET_BUILTIN` and define required features for these builtins to
report an error in `CodeGenFunction::checkTargetFeatures`. The problem is quite widespread.
I will add `TARGET_BUILTIN` for more builtins later.
Merge commit b2d7a0dcf1ff from llvm-project (by Fangrui Song):
[AArch64] Check target feature support for __builtin_arm_crc*
This is the AArch64 counterpart of D134127.
Daniel Kiss will change more `BUILTIN` to `TARGET_BUILTIN`.
Fix #57802
Note that programs attempting to use ARM/AArch64 CRC intrinsics, when
they are not supported by the targeted CPU, will still receive a regular
compilation error (instead of a fatal backend error) similar to:
Clang 16 got new builtins that are equivalent to hand-written parts of
<type_traits>. When building world with the devel/llvm16 package
installed and CROSS_TOOLCHAIN=llvm16 set, this would lead to -Werror
warnings about those builtins being overridden.
MFC: listen(2): improve administrator control over logging
As documented in listen.2 manual page, the kernel emits a LOG_DEBUG
syslog message if a socket listen queue overflows. For some appliances,
it may be desirable to change the priority to some higher value
like LOG_INFO while keeping other debugging suppressed.
OTOH there are cases when such overflows are normal and expected.
Then it may be desirable to suppress overflow logging altogether,
so that dmesg buffer is not flooded over long run.
In addition to existing sysctl kern.ipc.sooverinterval,
introduce new sysctl kern.ipc.sooverprio that defaults to 7 (LOG_DEBUG)
to preserve current behavior. It may be changed to any value
in a range of 0..7 for corresponding priority or to -1 to suppress logging.
Document it in the listen.2 manual page.
Mark Johnston [Tue, 18 Apr 2023 18:32:04 +0000 (14:32 -0400)]
loader.efi: Fix some arm64 PE metadata
- Mark the file as an executable in the COFF header.
- Provide separate .text and .data sections.
- Provide sane file and section alignment values. These values are the
defaults defined in the PE specification.
- Set appropriate characteristics for each of .text and .data.
This is required for the MS devkit to load our UEFI image.
Kirk McKusick [Mon, 15 May 2023 19:56:27 +0000 (12:56 -0700)]
Fix size differences between architectures of the UFS/FFS CGSIZE macro value.
Reported-by: Tijl Coosemans Tested-by: Tijl Coosemans and Peter Holm Sponsored-by: The FreeBSD Foundation
(cherry picked from commit 0a6e34e950cd5889122a199c34519b67569be9cc)
Dimitry Andric [Tue, 23 May 2023 17:40:36 +0000 (19:40 +0200)]
Update -ftrivial-auto-var-init flags for clang >= 16
As of clang 16, the -ftrivial-auto-var-init=zero option no longer needs
-enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang
to enable the option. Only add it for older clang versions.
Rick Macklem [Tue, 11 Apr 2023 19:17:09 +0000 (12:17 -0700)]
mount_nfs.8: Update man page for the "syskrb5" option
Commit 896516e54a8c added a new NFS mount option
used for Kerberized NFSv4.1/4.2 mounts. It specifies that
AUTH_SYS be used for state maintenance (also called system)
operations. This allows the mount to be done without the
"gssname" option or a valid Kerberos TGT being held by the
user doing the mount (so it can be specified in fstab(5) for
example).
Rick Macklem [Wed, 29 Mar 2023 00:08:45 +0000 (17:08 -0700)]
nfscl: Make coverity happy
Coverity does not like code that checks a function's
return value sometimes. Add "(void)" in front of the
function when the return value does not matter to try
and make it happy.
A recent commit deleted "(void)"s in front of nfsm_fhtom().
This commit puts them back in.
Rick Macklem [Thu, 16 Mar 2023 22:55:36 +0000 (15:55 -0700)]
nfscl: Add a new NFSv4.1/4.2 mount option for Kerberized mounts
Without this patch, a Kerberized NFSv4.1/4.2 mount must provide
a Kerberos credential for the client at mount time. This credential
is typically referred to as a "machine credential". It can be
created one of two ways:
- The user (usually root) has a valid TGT at the time the mount
is done and this becomes the machine credential.
There are two problems with this.
1 - The user doing the mount must have a valid TGT for a user
principal at mount time. As such, the mount cannot be put
in fstab(5) or similar.
2 - When the TGT expires, the mount breaks.
- The client machine has a service principal in its default keytab
file and this service principal (typically called a host-based
initiator credential) is used as the machine credential.
There are problems with this approach as well:
1 - There is a certain amount of administrative overhead creating
the service principal for the NFS client, creating a keytab
entry for this principal and then copying the keytab entry
into the client's default keytab file via some secure means.
2 - The NFS client must have a fixed, well known, DNS name, since
that FQDN is in the service principal name as the instance.
This patch uses a feature of NFSv4.1/4.2 called SP4_NONE, which
allows the state maintenance operations to be performed by any
authentication mechanism, to do these operations via AUTH_SYS
instead of RPCSEC_GSS (Kerberos). As such, neither of the above
mechanisms is needed.
It is hoped that this option will encourage adoption of Kerberized
NFS mounts using TLS, to provide a more secure NFS mount.
This new NFSv4.1/4.2 mount option, called "syskrb5" must be used
with "sec=krb5[ip]" to avoid the need for either of the above
Kerberos setups to be done by the client.
Note that all file access/modification operations still require
users on the NFS client to have a valid TGT recognized by the
NFSv4.1/4.2 server. As such, this option allows, at most, a
malicious client to do some sort of DOS attack.
Although not required, use of "tls" with this new option is
encouraged, since it provides on-the-wire encryption plus,
optionally, client identity verification via a X.509
certificate provided to the server during TLS handshake.
Alternately, "sec=krb5p" does provide on-the-wire
encryption of file data.
A mount_nfs(8) man page update will be done in a separate commit.
Kristof Provost [Thu, 18 May 2023 19:37:48 +0000 (21:37 +0200)]
pfsync tests: check for the correct IP address
When checking if the state synced over we should look for
198.51.100.254, not 198.51.100.2. The test worked because the incorrect
address is a substring of the correct one, but we should fix it anyway.
Reported by: Naman Sood <naman@freebsdfoundation.org>
MFC after: 1 week
Rick Macklem [Wed, 22 Feb 2023 22:09:15 +0000 (14:09 -0800)]
nfsd.c: Log a more meaningful failure message
For the cases where the nfsd(8) daemon is already running or
has failed to start within a prison due to an incorrect prison
configuration, the failure message logged is:
Can't read stable storage file: operation not permitted
This patch replaces the above with more meaningful messages.
It depends on commit 10dff9da9748 to differentiate between the
above two cases, however even without this commit, the messages
should be an improvement.
Rick Macklem [Wed, 22 Feb 2023 21:19:07 +0000 (13:19 -0800)]
nfsd: Return ENXIO instead of EPERM when nfsd(8) already running
The nfsd(8) daemon generates an error message that does not
indicate that the nfsd daemon is already running when the nfssvc(2)
syscall fails for the NFSSVC_STABLERESTART. Also, the check for
running nfsd(8) in a vnet prison will return EPERM when it fails.
This patch replaces EPERM with ENXIO so that the nfsd(8) daemon
can generate more reasonable failure messages. The nfsd(8) daemon
will be patched in a future commit.
Rick Macklem [Fri, 5 May 2023 22:43:55 +0000 (15:43 -0700)]
nfsd: Fix NFSv3 Readdir/ReaddirPlus reply for large i-node numbers
If the i-node number (d_fileno) for a file on the server did
not fit in 32bits, it would be truncated to the low order 32bits
for the NFSv3 Readdir and ReaddirPlus RPC replies.
This is no longer correct, given that ino_t is now 64bits.
This patch fixes this by sending the full 64bits of d_fileno
on the wire in the NFSv3 Readdir/ReaddirPlus RPC reply.
Rick Macklem [Sat, 17 Dec 2022 21:54:33 +0000 (13:54 -0800)]
jail.8: Update the man page for allow.nfsd
Commit bba7a2e89602 added "allow.nfsd" to optionally allow
mountd/nfsd to be run inside a vnet prison when the kernel
is built with "options VNET_NFSD".
Rick Macklem [Sun, 12 Mar 2023 21:34:25 +0000 (14:34 -0700)]
rc.d: Fix NFS server startup scripts to enable vnet prison use
Now that commit cbbb22031f9b is in main,
it is possible to run nfsd(8), nfsuserd(8), mountd(8),
gssd(8) and rpc.tlsservd(8) in an appropriately configured vnet
prison if the "allow.nfsd" option is specified in jail.conf.
This patch fixes the rc scripts for this.
Mostly just replaces the "nojail" KEYWORD with "nojailvnet",
but also avoids setting vfs.nfsd.srvmaxio in a prison, since it
must be set outside of the prisons and applies to all
nfsd(8) instances.
Rick Macklem [Thu, 2 Mar 2023 21:09:01 +0000 (13:09 -0800)]
vfs_mount.c: Allow mountd(8) to do exports in a vnet prison
To run mountd in a vnet prison, three checks in vfs_domount()
and vfs_domount_update() related to doing exports needed
to be changed, so that a file system visible within the
prison but mounted outside the prison can be exported.
I did all three in a minimal way, only changing the checks for
the specific case of a process (typically mountd) doing exports
within a vnet prison and not updating the mount point in other
ways. The changes are:
- Ignore the error return from vfs_suser(), since the file
system being mounted outside the prison will cause it to fail.
- Use the priv_check(PRIV_NFS_DAEMON) for this specific case
within a prison.
- Skip the call to VFS_MOUNT(), since it will return an error,
due to the "from" argument not being set correctly. VFS_MOUNT()
does not appear to do anything for the case of doing exports only.
Rick Macklem [Tue, 21 Feb 2023 21:00:42 +0000 (13:00 -0800)]
vfs_export: Add mnt_exjail to control exports done in prisons
If there are multiple instances of mountd(8) (in different
prisons), there will be confusion if they manipulate the
exports of the same file system. This patch adds mnt_exjail
to "struct mount" so that the credentials (and, therefore,
the prison) that did the exports for that file system can
be recorded. If another prison has already exported the
file system, vfs_export() will fail with an error.
If mnt_exjail == NULL, the file system has not been exported.
mnt_exjail is checked by the NFS server, so that exports done
from within a different prison will not be used.
The patch also implements vfs_exjail_destroy(), which is
called from prison_cleanup() to release all the mnt_exjail
credential references, so that the prison can be removed.
Mainly to avoid doing a scan of the mountlist for the case
where there were no exports done from within the prison,
a count of how many file systems have been exported from
within the prison is kept in pr_exportcnt.
Changing the new argument for vfs_export() to "int" and
moving the prototype for vfs_exjail_delete() to jail.h
were both necessary to allow libprocstat to build.