sysctl.conf.5: Document rc.d/sysctl and rc.d/sysctl_lastload
Also, update the BUGS section. The example describes an issue, which is
not true anymore thanks to sysctl_lastload. Point readers to rcorder(8)
instead.
rc.conf.5: Improve documentation of <name>_oomprotect
Apart from improving readability, this commit mentions that
<name>_oomprotect is ignored in a jail environment. Also, replace
${name}_cmd with the correct ${argument}_cmd and point the reader to
rc.subr(8).
rc.conf(5): Add _limits, _login_class, and _oomprotect
Add a few very useful variables that might easily be overlooked, since
they're only documented in rc.subr(8) which might not be the first place
that people look.
At least _oomprotect has existed since 11.0-RELEASE, and doesn't appear
to be very well-known. While the others aren't as new, in my estimation,
a lot more people would use them if they knew about them.
While here, also add a reference to rc.subr(8) and login.conf(5), and
sort the variables alphabetically.
Reported by: Daniel Dettlaff <dmilith at gmail.com>
Reviewed by: ceri, gbe, 0mp, ygy, a.wolk, pauamma
Mike Walker [Thu, 7 Jul 2022 20:28:37 +0000 (22:28 +0200)]
rc.subr: Make sure oomprotect protects existing children
The rc(8) framework support protecting services from OOM killer.
The current implementation applies the protection after the service has
already started. This works fine if only the main process is to be
protected (*_oomprotect=yes). However, the current implementation fails
to protect existing children when children are also to be protected
(*_oomprotect=all). This patch fixes that.
Note: it is not easy to apply the protectoin earlier because we want to
support both the services which use the "command" variable and those
that use the "start_cmd" variable.
PR: 256148
Approved by: adrian, osogbo
Tested by: Jamie Landeg-Jones <jamie@catflap.org>
Fixes: 3bead71e959d - Add a global option where we can protect
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D35747
protect.1: Document that protect(1) does not work in jails
The reason is that in order to protect a process procctl(2) needs
the PRIV_VM_MADV_PROTECT privilege, which is currently denied in jails
(see kern_jail.c).
Adam Wolk [Mon, 11 Apr 2022 22:23:43 +0000 (00:23 +0200)]
protect.1: document existence of _oomprotect
Improve discoverability of the functionality by mentioning in the
userland tool manual. Add a SEE ALSO entry to rc.conf(5) where more
details are provided.
sys/dev/cxgbe/cudbg/cudbg_lib.c:2949:6: error: variable 'i' set but not used [-Werror,-Wunused-but-set-variable]
int i = 0;
^
Apparently 'i' was meant as the current retry counter, but '1' was used
in the while loop comparison instead, making the loop potentially
infinite, if 'busy' never gets reset.
MFC after: 3 days
Reviewed by: np
Differential Revision: https://reviews.freebsd.org/D35834
Mark Johnston [Mon, 20 Jun 2022 16:17:11 +0000 (12:17 -0400)]
aio: Improve UMA usage
- Remove the AIO proc zone. This zone gets one allocation per AIO
daemon process, which isn't enough to warrant a dedicated zone. Plus,
unlike other AIO structures, aiops are small (32 bytes with LP64), so
UMA doesn't provide better space efficiency than malloc(9). Change
one of the malloc types in vfs_aio.c to make it more general.
- Don't set the NOFREE flag on the other AIO zones. This flag means
that memory allocated to the AIO subsystem is never freed back to the
VM, so it's always preferable to avoid using it when possible. NOFREE
was set without explanation when AIO was converted to use UMA 20 years
ago, but it does not appear to be required; all of the structures
allocated from UMA (per-process kaioinfo, kaiocb, and aioliojob) keep
track of references and get freed only when none exist. Plus, these
structures will contain dangling pointer after they're freed (e.g.,
the "cred", "fd_file" and "uiop" fields of struct kaiocb), so
use-after-frees are dangerous even when the structures themselves are
type-stable.
Reviewed by: asomers
Sponsored by: The FreeBSD Foundation
Adjust agp_find_device() definition in agp.c to avoid clang 15 warning
With clang 15, the following -Werror warning is produced:
sys/dev/agp/agp.c:910:16: error: a function declaration without a prototype is deprecated in all versions of C [-Werror,-Wstrict-prototypes]
agp_find_device()
^
void
This is because agp_find_device() is declared with a (void) argument
list, and defined with an empty argument list. Make the definition match
the declaration.
sys/dev/cxgb/cxgb_sge.c:1290:21: error: variable 'txsd' set but not used [-Werror,-Wunused-but-set-variable]
struct tx_sw_desc *txsd = &txq->sdesc[txqs->pidx];
^
It appears 'txsd' is a leftover from a previous refactoring (see 3f345a5d09b6), but is no longer used for anything, and can be removed
without any functional change.
MFC after: 3 days
Reviewed by: np
Differential Revision: https://reviews.freebsd.org/D35833
tests/sys/cddl/zfs/bin/readmmap.c:97:9: error: call to undeclared function 'time'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
Obtained from: https://github.com/CTSRD-CHERI/cheribsd/commit/1737d8397a0
MFC after: 3 days
Mark Johnston [Mon, 18 Apr 2022 21:16:10 +0000 (17:16 -0400)]
geli: Add a chicken switch for unmapped I/O
We have a report of a panic in GELI that appears to go away when
unmapped I/O is disabled. Add a tunable to make such investigations
easier in the future. No functional change intended.
PR: 262894
Reviewed by: asomers
Sponsored by: The FreeBSD Foundation
Mark Johnston [Mon, 30 May 2022 14:43:44 +0000 (10:43 -0400)]
rc: Add a zpoolreguid rc.d script
If one boots up multiple copies of a template VM image containing a
zpool, the pool GUIDs will be identical, making it impossible to, e.g.,
share datasets between them.
This diff introduces a simple workaround for the problem: one can use
the script to, upon first boot, assign a new GUID to one or more zpools.
This will be useful when building ZFS-based VM images from release(7).
Reviewed by: mav, allanjude, asomers
Reviewed by: Pau Amma (docs)
Sponsored by: The FreeBSD Foundation
Because now ASLR is enabled by default for 64-bit architectures
and the purpose of the installation menu is to allow choosing
additional 'mitigation'/'hardening' options that are originally
disabled, remove the ASLR knob from bsdinstall.
Marcin Wojtas [Sun, 24 Oct 2021 14:53:06 +0000 (16:53 +0200)]
Enable ASLR by default for 64-bit executables
Address Space Layout Randomization (ASLR) is an exploit mitigation
technique implemented in the majority of modern operating systems.
It involves randomly positioning the base address of an executable
and the position of libraries, heap, and stack, in a process's address
space. Although over the years ASLR proved to not guarantee full OS
security on its own, this mechanism can make exploitation more difficult.
Tests on the tier 1 64-bit architectures demonstrated that the ASLR is
stable and does not result in noticeable performance degradation,
therefore it should be safe to enable this mechanism by default.
Moreover its effectiveness is increased for PIE (Position Independent
Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by
default on 64-bit architectures"), building from src is not necessary
to have PIE binaries. It is enough to control usage of ASLR in the
OS solely by setting the appropriate sysctls.
This patch toggles the kernel settings to use address map randomization
for PIE & non-PIE 64-bit binaries. It also disables SBRK, in order
to allow utilization of the bss grow region for mappings. The latter
has no effect if ASLR is disabled, so apply it to all architectures.
As for the drawbacks, a consequence of using the ASLR is more
significant VM fragmentation, hence the issues may be encountered
in the systems with a limited address space in high memory consumption
cases, such as buildworld. As a result, although the tests on 32-bit
architectures with ASLR enabled were mostly on par with what was
observed on 64-bit ones, the defaults for the former are not changed
at this time. Also, for the sake of safety keep the feature disabled
for 32-bit executables on 64-bit machines, too.
The committed change affects the overall OS operation, so the
following should be taken into consideration:
* Address space fragmentation.
* A changed ABI due to modified layout of address space.
* More complicated debugging due to:
* Non-reproducible address space layout between runs.
* Some debuggers automatically disable ASLR for spawned processes,
making target's environment different between debug and
non-debug runs.
In order to confirm/rule-out the dependency of any encountered issue
on ASLR it is strongly advised to re-run the test with the feature
disabled - it can be done by setting the following sysctls
in the /etc/sysctl.conf file:
kern.elf64.aslr.enable=0
kern.elf64.aslr.pie_enable=0
Albert Jakiela [Tue, 28 Jun 2022 15:28:35 +0000 (17:28 +0200)]
stand/uboot: setup archsw before probing devices
In some cases ubldr would try to mount a disk device before
the archsw struct was filled with functions pointers.
This would result in a NULL pointer derefrence of the arch_getdev field.
Fix that filling the archsw functions earlier.
Note that this matches the EFI behavoiur.
lockstat: Fix construction of comparision predicates
Passing "0x%p" to sprintf results in double "0x" being printed.
This causes a dtrace script compilation failure when "-d" flag
is specified.
Fix that by removing the extraneous "0x".
When accessing a register directly from etherswitchcfg one must specify
a register group(e.g. registers of portN) and the register offset within
the group. The latter is passed as the 5 least significant bits.
Extract the former by dividing the register address by 32, not by 5.
Kornel Dulęba [Thu, 30 Jun 2022 11:57:58 +0000 (13:57 +0200)]
igc: Change default duplex setting
During media selection through ifconfig one might not specify
the duplex setting through the mediaopt flag.
In that case the igc driver would default to full-duplex.
The problem with this approach is that e1000(em/igb) driver
defaults to half-duplex.
Because of that if one connects both NICs and sets media to
e.g. 100baseTX on both of them no link will be found.
Fix that by matching igc behaviour with what e1000 does.
Andrew Turner [Tue, 28 Jun 2022 11:44:49 +0000 (11:44 +0000)]
Decode the arm64 SVE ID register
The field values are only valid when the ID_AA64PFR0_EL1.SVE or
ID_AA64PFR1_EL1.SME vields are non-zero. When this is not the case
the register is reserved as zero so is safe to read, but the SVEver
field will be incorrect so only print the decoded register when
the SVE or SME fields indicate it is valid.
Andrew Turner [Wed, 29 Jun 2022 16:34:41 +0000 (17:34 +0100)]
Allow use of the arm64 unnamed register form
On arm64 all registers have a name that encodes op0, op1, CRn, CRm, and
op2 that are used to encode the register in the instruction. As some
registers we need to access may not be supportedby older compilers, or
are only supported when specific extensions are enabled support this
alternative form.
Andrew Turner [Wed, 25 May 2022 09:55:40 +0000 (10:55 +0100)]
Add arm64 CnP support
Set the Common not Private bit in the ttbr registers when supported on
arm64. This tells the hardware it can share the translation table
entries on multiple CPUs.
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Ed Maste [Tue, 7 Jun 2022 14:20:39 +0000 (10:20 -0400)]
Add SPLIT_KERNEL_DEBUG knob
Prior to 9b6edf364eb0 WITHOUT_KERNEL_SYMBOLS split kernel debug data
into standalone debug files at build time, but did not install those
files. As of 9b6edf364eb0 it stopped splitting the debug data, leaving
it in the kernel and modules (the default kernel configs include
DEBUG=-g).
Revert 9b6edf364eb0 and introduce a new build-time SPLIT_KERNEL_DEBUG
knob, as some people rely on the pre-9b6edf364eb0 WITHOUT_KERNEL_SYMBOLS
behaviour and that was imp's original intent.
PR: 264433
Reviewed by: eugen, imp
MFC after: 3 weeks
Relnotes: yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35437
Split the current FDT-only implementation up into an FDT and an
ACPI part reusing and sharing as much code as possible (thanks mw!).
This makes the Synopsis XHCI root hubs attach correctly on SolidRun's
HoenyComb instead of just the generic XHCI root and this means we
are also doing proper chip setup and applying the quirk needed there [1].
There is one problem with ACPI attachment in that it uses the generic
XHCI PNP ID. So we need to do extra checks in order to not claim
all xhci, which means we check for a known quirk to be present
in acpi_probe. Long term this isn't scaling and this was discussed
in SolidRun's Discord Channel in 2021 with the intend that "jnettlet"
will take this to a steering committee. Since then ACPI has kind-of
become a technology non grata (due to not getting changes into Linux
timely) so it is unclear if this will ever happen. If there will be
further hardware with dwc3/ACPI we should go and make sure this problem
gets solved.
Rather than hiding behind #if 0, hide the debugging behind DWC3_DEBUG
so it can be turned on with a single define. Require bootverbose
to print anything so we can still avoid spamming the console if DWC3_DEBUG
is on.
Harmonize the format string in snsp_dwc3_dump_regs() to always print the
full register and also print the XHCI quirks.
Call snsp_dwc3_dump_regs() twice, before and after generic XHCI attachment
and initialisation as this may have an effect on the confirgumation state.
Obtained from: an old debug patch
Reviewed by: mw
Differential Revision: https://reviews.freebsd.org/D35700
Rather than just printing the Global SNPS ID Register store it as well
so we can do a version check later.
In addition, for debugging purposes, read the Global Hardware Parameters
Registers and print them.
Based on the snpsid disable an XHCI feature using a quirk prepared
in 447c418da03454a2a00bc115a69c62055a6d5272.
Add the "snps,dis_u3_susphy_quirk" quirk and handle Suspend USB3.0 SS PHY
after power-on-reset/during core initialization (suggested to be cleared)
based on the DWC3_GHWPARAMS0 register.
Obtained from: an old debugging patch
Reviewed by: mw (earlier version), mmel
Differential Revision: https://reviews.freebsd.org/D35699
Enable dwc3's auto retry feature. For IN transfers with crc errors
or internal overruns this will make the host reply with a
non-terminating retry ACK. I believe the hope was to improve
reliability after seeing occasional hiccups.
Obtained from: an old debugging patch
Reviewed by: mw
Differential Revision: https://reviews.freebsd.org/D35698
pca954x: harmonize pca9547 and pca954x and add pca9540 support
The two implementations for the pca9548 switch and the pca9547 mux
seemed close enough so we can put them together and with a bit more
abstraction add pca9540 support.
While here apply a bit of consistency in variable and driver naming and
use device_has_property instead of the FDT-only OF_ variant.
This disconnects pca9547 from the build but does not yet delete it.
Bjoern A. Zeeb [Tue, 28 Jun 2022 00:02:17 +0000 (00:02 +0000)]
arm64: NXP add LS1088a clockgen support
Add a driver for NXP LS1088a clockgen support which passes
configuration information to QorIQ clockgen class.
The implementaiton started off as copy of ls1028 support and was
adjusted accordingly.
Bjoern A. Zeeb [Thu, 23 Jun 2022 00:17:14 +0000 (00:17 +0000)]
ACPI: change arguments to internal acpi_find_dsd()
acpi_find_dsd() is not a bus function and we only need the acpi_device (ad).
The only caller has already looked up the ad (from ivars) for us.
Directly pass the ad to acpi_find_dsd() instead of bus, dev and remove
the extra call to device_get_ivars(); the changed argument also means we
now call AcpiEvaluateObject directly on the handle.
This optimisation was done a while ago while debugging a driver which
ended up with a bad bus, dev combination making the old version fail.
It turns out that we still need xlocal.h protection for when we're
cross building on Linux. Linux doesn't have this file, but os/x
does. Before, we'd assume we didn't have it, like old FreeBSD, when
cross compiling. After the latest update, all that code was removed so
cross compiling needs to be handled separaetly. Do so by defining
HAVE_XLOCALE_H only when we're not building on linux. This allows us
to build the mkmagic build tool needed to build file(1).
Rick Macklem [Sun, 3 Jul 2022 20:37:23 +0000 (13:37 -0700)]
mount_nfs.8: Update BUGS section for NFSv4.1/4.2
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelyhood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but there was no specific mention of the session slot
problem. This patch adds a sentence for this case.
Bootstrap crunchgen after removing -dc from linker invocation
In ec81497cc726 crunchgen was updated to remove -dc from the linker
invocations in its generated makefile output, as this flag is no longer
necessary, and is going to be an error with lld 15.
Update the BOOTSTRAPPING conditions for copying the crunchgen binary
from the host, or actually bootstrapping it when necessary. Since ec81497cc726 did not bump __FreeBSD_version, I have chosen the nearest
values.
Mark Johnston [Wed, 15 Jun 2022 14:47:13 +0000 (10:47 -0400)]
loader: Relax the check in is_kernphys_relocatable()
The check fails in kernels compiled with KASAN because AddressSanitizer
inserts redzones around global variables, so the size of the "kernphys"
symbol is 32 rather than 8. Thus we fall back to copying even though
it's not necessary.
Simply remove the size check. I didn't want to extend the symbol size
check since there's no guarantee that AddressSanitizer will always emit
32 bytes for "kernphys".
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Rick Macklem [Fri, 1 Jul 2022 21:43:17 +0000 (14:43 -0700)]
mount_nfs: Warn that intr, soft are not safe for NFSv4
If the "intr" and/or "soft" mount options are used for
NFSv4 mounts, the protocol can be broken when the
operation returns without waiting for the RPC reply.
The likelyhood of failure increases for NFSv4.1/4.2
mounts, since the session slot will be broken when
an RPC reply is not processed.
This is mentioned in the BUGS section of "man mount_nfs",
but more needs to be done. This patch adds code that
generates a warning message when the mount is done.
Cy Schubert [Thu, 17 Mar 2022 18:05:05 +0000 (11:05 -0700)]
ipfilter: Support only jails in VNET
Jails without VNET have complete access to the ipfilter rules, NAT,
pools and logs. This is insecure. Only allow jails to manipulate
ipfilter rules, NAT tables and ippools if the jail has its own VNET.
Otherwise a jail can affect the global system.
This patch brings ipfilter in line with ipfw's support of VNET jails and
non-support of non-VNET jails.
Mark Johnston [Tue, 14 Jun 2022 14:52:03 +0000 (10:52 -0400)]
pipe: Use a distinct wait channel for I/O serialization
Suppose a thread tries to read from an empty pipe. pipe_read() does the
following:
1. pipelock(), possibly sleeping
2. check for buffered data
3. pipeunlock()
4. set PIPE_WANTR and sleep
5. goto 1
pipelock() is an open-coded mutex; if a thread blocks in pipelock(), it
sleeps until the lock holder calls pipeunlock().
Both sleeps use the same wait channel. So if there are multiple threads
in pipe_read(), a thread T1 in step 3 can wake up a thread T2 sleeping
in step 4. Then T1 goes to sleep in step 4, and T2 acquires and
releases the pipelock, waking up T1 again. This can go on indefinitely,
livelocking the process (and potentially starving a would-be writer).
Fix the problem by using a separate wait channel for pipelock().
Reported by: Paul Floyd <paulf2718@gmail.com>
Reviewed by: mjg, kib
PR: 264441
Sponsored by: The FreeBSD Foundation
Mark Johnston [Thu, 30 Jun 2022 14:19:23 +0000 (10:19 -0400)]
pf: Make sure that pfi_update_status() always zeros counters
pfi_update_status() can return early if the status interface doesn't
exist. But in this case pf_getstatus() was copying uninitialized stack
memory into the output nvlist.
Reported by: Jenkins (KMSAN job)
Reviewed by: kp
Sponsored by: The FreeBSD Foundation
Arseny Smalyuk [Sat, 4 Jun 2022 16:12:29 +0000 (19:12 +0300)]
ipfw: add support radix tables and table lookup for MAC addresses
By analogy with IP address matching, add a way to use ipfw radix
tables for MAC matching. This is implemented using new ipfw table
with mac:radix type. Also there are src-mac and dst-mac lookup
commands added.
John Baldwin [Tue, 18 Jan 2022 22:47:13 +0000 (14:47 -0800)]
crypto: Add a simple API for [X]ChaCha20-Poly1035 on flat buffers.
This is a synchronous software API which wraps the existing software
implementation in libsodium. This is different from the code in main
in that this uses libsodium directly. The version in main uses the
software backend shared with OCF, but main required changes that break
the ABI of struct enc_xform that cannot be merged to stable/13.
John Baldwin [Wed, 25 May 2022 21:20:40 +0000 (14:20 -0700)]
etcupdate: Preserve permissions when installing a resolved file.
Similar to the change in 1a04446f088c79cc2cf85fd86e60ebcc228d3075, use
cat to overwrite the contents of the existing file rather than cp so
that metadata of the existing file such as permissions and ownership
is preserved.
John Baldwin [Wed, 25 May 2022 21:02:51 +0000 (14:02 -0700)]
etcupdate: Don't rotate trees for a dry run.
When performing a dry run, remove the temporary tree created rather
than rotating the trees. Rotating the trees meant that etcupdate
thought the latest changes were already merged and would not merge
them on the next real run.
PR: 260281
Reported by: Tomoaki AOKI <junchoon@dec.sakura.ne.jp>
Fixes: 0611aec3cf3a etcupdate: Always extract to a temporary tree.
John Baldwin [Thu, 30 Jun 2022 17:10:00 +0000 (10:10 -0700)]
crypto: Fix assertions for digest-only sessions with separate output.
Digest-only sessions do not generate modified payload as an output, so
don't bother asserting anything about the payload with respect to the
output buffer other than the payload output start being zero.
In addition, a verify request on a digest-only session doesn't
generate any output at all so should never have a separate output
buffer.
projects / FreeBSD / FreeBSD.git / log