jch [Mon, 12 Nov 2018 17:57:12 +0000 (17:57 +0000)]
cxgbe/netmap: Fix cxgbe netmap when interface is DOWN
A kernel panic can occur if the cxgbe interface is DOWN
when activating netmap. This patch prevents the driver
from freeing up cxgbe netmap resources when they have not
been allocated.
Submitted by: Nicolas Witkowski <nwitkowski@verisign.com>
Reviewed by: np
MFC after: 1 week
Sponsored by: Verisign, Inc.
Differential Revision: https://reviews.freebsd.org/D17802
oshogbo [Mon, 12 Nov 2018 17:40:47 +0000 (17:40 +0000)]
libcasper: introduce cap_fileargs service
cap_fileargs is a Casper service which helps to sandbox applications that need
access to the filesystem namespace. The main purpose of the service is to make
easy to capsicumize applications that works on multiple files passed in argv.
We have a couple example of using it but we still treat this service as an
experimental one.
Reviewed by: emsate (previous version), jonathan (partially)
Discussed with: many
Differential Revision: https://reviews.freebsd.org/D14407
tuexen [Mon, 12 Nov 2018 13:26:13 +0000 (13:26 +0000)]
Fix printing of 64-bit counters on 32-bit ppc platforms.
Several statistic counters are uint64_t values and are printed by systat
using %lu. This results in displaying wrong numbers. Use PRIu64 instead.
While there, print variables of size_t using %zd.
MFC after:i 3 days
Differential Revision: https://reviews.freebsd.org/D17838
ae [Mon, 12 Nov 2018 11:20:59 +0000 (11:20 +0000)]
Add ability to use dynamic external prefix in ipfw_nptv6 module.
Now an interface name can be specified for nptv6 instance instead of
ext_prefix. The module will track if_addr_ext events and when suitable
IPv6 address will be added to specified interface, it will be configured
as external prefix. When address disappears instance becomes unusable,
i.e. it doesn't match any packets.
yuripv [Sun, 11 Nov 2018 13:41:32 +0000 (13:41 +0000)]
Use blank am_pm and t_fmt_ampm for de_AT and de_DE locales as apparently
they use 24-hour clock notation. The visible change is that w(1) now
uses 24-hour clock format as it checks for t_fmt_ampm presence.
kib [Sun, 11 Nov 2018 00:04:36 +0000 (00:04 +0000)]
Allow absolute paths for O_BENEATH.
The path must have a tail which does not escape starting/topping
directory. The documentation will come shortly, see the man pages
commit message for the reason of separate commit.
trasz [Sat, 10 Nov 2018 23:07:46 +0000 (23:07 +0000)]
Don't call stat(2) on nsswitch.conf(5) every time nsdispatch(3)
and dependent functions (eg getpwname(3)) get called. This can
improve performance of binaries that perform a lot of name
lookups, such as gssd(8). It also matches documented behaviour
of Linux and Solaris.
The old code is left in place, should anyone need it, guarded
by #ifdef NS_REREAD_CONF.
kevans [Sat, 10 Nov 2018 20:42:29 +0000 (20:42 +0000)]
libbe(3): Set canmount properly when activating a new BE
The previously activated BE should have canmount=noauto set on it upon
activation of the new BE, but we previously did not touch canmount on either
old or new BE.
markj [Sat, 10 Nov 2018 20:33:08 +0000 (20:33 +0000)]
Re-apply r336984, reverting r339934.
r336984 exposed the bug fixed in r340241, leading to the initial revert
while the bug was being hunted down. Now that the bug is fixed, we
can revert the revert.
cem [Sat, 10 Nov 2018 20:26:55 +0000 (20:26 +0000)]
rm(1): Formalize non-functional status of -P flag
-P was introduced in 4.4BSD-Lite2 around 1994. It overwrote file contents
with a pass of 0xff, 0x00, then 0xff, in a low effort attempt to "really
delete" files.
It has no user-visible effect; at the end of the day, the file is unlinked via
the filesystem. Furthermore, the utility of overwriting files with patterned
data is extremely limited due to caveats at every layer of the stack[0] and
therefore mostly futile. At the least, three passes is likely wasteful on
modern hardware[1]. It could also be seen as a violation of the "Unix
Philosophy" to do one thing per tiny, composable program.
Since 1994, FreeBSD has left it alone; OpenBSD replaced it with a single
pass of arc4random(3) output in 2012[2]; and NetBSD implemented partial, but
explicitly incomplete support for U.S. DoD 5220.22-M, "National Industrial
Security Program Operating Manual" in 2004[3].
NetBSD's enhanced comment above rm_overwrite makes a strong case for removing
the flag entirely:
> This is an expensive way to keep people from recovering files from your
> non-snapshotted FFS filesystems using fsdb(8). Really. No more.
>
> It is impossible to actually conform to the exact procedure given in
> [NISPOM] if one is overwriting a file, not an entire disk, because the
> procedure requires examination and comparison of the disk's defect lists.
> Any program that claims to securely erase *files* while conforming to the
> standard, then, is not correct.
>
> Furthermore, the presence of track caches, disk and controller write
> caches, and so forth make it extremely difficult to ensure that data have
> actually been written to the disk, particularly when one tries to repeatedly
> overwrite the same sectors in quick succession. We call fsync(), but
> controllers with nonvolatile cache, as well as IDE disks that just plain lie
> about the stable storage of data, will defeat this.
>
> [NISPOM] requires physical media destruction, rather than any technique of
> the sort attempted here, for secret data.
As a first step towards evental removal, make it a placebo. It's not like
it was serving any security function. It is not defined in or mentioned by
POSIX.
If you are security conscious and need to erase your files, use a
woodchipper. At a minimum, the entire disk needs to be overwritten, not
just one file.
emaste [Sat, 10 Nov 2018 20:26:19 +0000 (20:26 +0000)]
build(7): clarify buildenv target can be used for non-cross builds
make buildenv can be used for building for the same architecture as
the host (perhaps this is a degenerate case of cross-building).
TARGET and TARGET_ARCH do not need to be set in this case.
Reviewed by: bdrewery
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D10759
eugen [Sat, 10 Nov 2018 14:21:26 +0000 (14:21 +0000)]
Prevent periodic/etc/weekly/340.noid from descending into root directories
of jails. Jails have their own user/group databases and this script
can produce multiple false warnings, not to mention significant extra
load in case of large jailed subtrees. Leave this check for jailed
invocations of the same script.
eugen [Sat, 10 Nov 2018 14:11:54 +0000 (14:11 +0000)]
Move definition of $jail_conf variable to /etc/defaults/rc.conf
from jail startup script so it can be successfully queried
with the command "sysrc jail_conf".
eugen [Sat, 10 Nov 2018 12:03:57 +0000 (12:03 +0000)]
jail(8): introduce new command option -e to exhibit
a list of configured non-wildcard jails with their parameters,
no matter running or not.
The option -e takes separator argument that is used
to separate printed parameters. It will be used with following
additions to system periodic scripts to differentiate parts
of directory tree belonging jails as opposed to host's.
woodsb02 [Sat, 10 Nov 2018 10:46:38 +0000 (10:46 +0000)]
newsyslog.conf: Restrict included files in default config to [!.]*.conf
The new default config will only include files from the following
directories which end with '.conf' and do not beginning with a '.'
character:
- /etc/newsyslog.conf.d/
- /usr/local/etc/newsyslog.conf.d/
This matches the syslog.conf(5) functionality, and also prevents '.sample' or
'.pkgnew' files being included. This is important for ports which install files
in /usr/local/etc/newsyslog.conf.d/ and also for pkgbase.
asomers [Sat, 10 Nov 2018 03:10:22 +0000 (03:10 +0000)]
libjail: fix handling of allow.mount.fusefs in jailparam_init
fusefs is inconsistently named. The kernel module is named "fuse", but the
mount helper is named "mount_fusefs" and the jail(8) parameter is named
"allow.mount.fusefs". Special case it in libjail.
markj [Sat, 10 Nov 2018 03:00:36 +0000 (03:00 +0000)]
Ensure that IP fragments do not extend beyond IP_MAXPACKET.
Such fragments are obviously invalid, and when processed may end up
violating the sort order (by offset) of fragments of a given packet.
This doesn't appear to be exploitable, however.
Reviewed by: emaste
Discussed with: jtl
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17914
jhibbits [Sat, 10 Nov 2018 02:37:56 +0000 (02:37 +0000)]
powerpc: Use MAX() macro instead of max() inline function to calculate Maxmem
Maxmem is the highest address for physical memory in the system. It's
measured in pages which, since max() returns a u_int, should allow for up to
2^44 bytes of memory addressable by the system. However, on POWER9 systems
at least, memory addressed by additional socketed CPUs begins at addresses
far above the 2^44 mark, causing issues with memory accesses and DMA, when
memory is addressed on the auxiliary CPUs. Use the MAX() macro instead,
which doesn't convert arguments, so retains Maxmem and all calculations as
its defined long type (64-bit on powerpc64), keeping the maximum address
correct.
mav [Sat, 10 Nov 2018 01:58:37 +0000 (01:58 +0000)]
Do not ignore arc_adjust() return value.
This covers scenario when ARC may not shrink as fast as it could:
1. arc_size < arc_c and arc_adjust() does not evict anything, returning
zero to arc_reclaim_thread();
2. arc_available_memory() reports memory pressure, which can not be
satisfied by arc_kmem_reap_now();
3. arc_shrink() reduces arc_c and calls arc_adjust(), return of which is
ignored;
4. even if the last arc_adjust() could not satisfy arc_size < arc_c,
arc_reclaim_thread() will still go to sleep, since the first one
returned zero.
Reviewed by: allanjude, markj, sef
MFC after: 2 weeks
Sponsored by: iXsystems, Inc.
Differential Revision: https://reviews.freebsd.org/D17927
shurd [Fri, 9 Nov 2018 22:18:43 +0000 (22:18 +0000)]
Fix first-packet completion
The first packet after the ring is initialized was never
completed as isc_txd_credits_update() would not include it in the
count of completed packets. This caused netmap to never complete
a batch. See PR 233022 for more details.
PR: 233022
Reported by: lev
Reviewed by: lev
MFC after: 3 days
Sponsored by: Limelight Networks
Differential Revision: https://reviews.freebsd.org/D17931
jhb [Fri, 9 Nov 2018 21:16:45 +0000 (21:16 +0000)]
Use tcp_state_change() in the cxgbe(4) TOE module.
r254889 added tcp_state_change() as a centralized place to log state
changes in TCP connections for DTrace. r294869 and r296881 took
advantage of this central location to manage per-state counters.
However, TOE sockets were still performing some (but not all) state
change updates via direct assignments to t_state. This resulted in
state counters underflowing when TOE was in use. Fix by using
tcp_state_change() when changing a TOE connection's state.
brooks [Fri, 9 Nov 2018 21:01:16 +0000 (21:01 +0000)]
Fix freebsd32 mknod(at).
As dev_t is now a 64-bit integer, it requires special handling as a
system call argument. 64-bit arguments are split between two 64-bit
integers due to the way arguments are promoted to allow reuse of most
system call implementations. They must be reassembled before use.
Further, 64-bit arguments at an odd offset (counting from zero) are
padded and slid to the next slot on powerpc and mips. Fix the
non-COMPAT11 system call by adding a freebsd32_mknodat() and
appropriately padded declerations.
The COMPAT11 system calls are fully compatible with the 64-bit
implementations so remove the freebsd32_ versions.
Use uint32_t consistently as the type of the old dev_t. This matches
the old definition.
emaste [Fri, 9 Nov 2018 19:51:26 +0000 (19:51 +0000)]
libllvm: Move SampleProfWriter to SRCS_MIN
It is required by llvm-profdata, now built by default under the
LLVM_COV knob. The additional complexity that would come from avoiding
building it if CLANG_EXTRAS and LLVM_COV are both disabled is not worth
the small savings in build time.
emaste [Fri, 9 Nov 2018 19:16:01 +0000 (19:16 +0000)]
use -m ${LD_EMULATION} for binary->elf link invocation
r306041 changed ld invocations for converting binary files to kernel
ELF objects to pass -m, but missed bespoke ld invocations in a pair of
arm file configs (one of which has since been removed).
This is needed to support some external toolchains and lld.
emaste [Fri, 9 Nov 2018 18:35:09 +0000 (18:35 +0000)]
Move llvm-profdata build into MK_LLVM_COV block
llvm-profdata is used with llvm-cov for code coverage (although llvm-cov
can also operate independently in a gcov-compatible mode).
Although llvm-profdata can be used independently of llvm-cov it makes
sense to group these under one option.
Also handle these in OptionalObsoleteFiles.inc while here.
brooks [Fri, 9 Nov 2018 18:03:01 +0000 (18:03 +0000)]
Fix a number of bugs in freebsd32's capabilities.conf.
Bugs range from failure to update after changing syscall implementaion
names to using the wrong name. Somewhat confusingly, the name in
capabilities.conf is exactly the string that appears in syscalls.master,
not the name with a COMPAT* prefix which is the actual function name.
Found while making a change to use the default capabilities.conf.
vmaffione [Fri, 9 Nov 2018 08:43:40 +0000 (08:43 +0000)]
netmap: add load balancer program
Add the lb program, which is able to load-balance input traffic
received from a netmap port over M groups, with N netmap pipes in
each group. Each received packet is forwarded to one of the pipes
chosen from each group (using an L3/L4 connection-consistent hash function).
This also adds a man page for lb and some cross-references in related
man pages.
yuripv [Fri, 9 Nov 2018 03:32:53 +0000 (03:32 +0000)]
Reset persistent mbstates when rune locale encoding changes.
This was shown to be a problem by side effect of now-enabled test case,
which was going through C, en_US.UTF-8, ja_JP.SJIS, and ja_JP.eucJP,
and failing eventually as data in mbrtowc's mbstate, that was
perfectly correct for en_US.UTF-8 was treated as incorrect for
ja_JP.SJIS, failing the entire test case.
This makes the persistent mbstates to be per ctype-component,
and not per-locale so we could easily reset the mbstates when
only LC_CTYPE is changed.
jhibbits [Thu, 8 Nov 2018 20:48:44 +0000 (20:48 +0000)]
powerpc64: Fix "show spr" command on ELFv2 kernels
Summary: When compiling for ELFv2, it is necessary to adjust the offset to
get_spr and factor in the function prologue to ensure the correct instruction is
being edited.
Test Plan:
Before:
```
db> show spr 110
KDB: reentering
KDB: stack backtrace:
0xc008000020fb96e0: at 0xc000000002bb2e34 = kdb_backtrace+0x68
0xc008000020fb97f0: at 0xc000000002bb3798 = kdb_reenter+0x54
0xc008000020fb9860: at 0xc000000002f87090 = trap+0x4e4
0xc008000020fb9990: at 0xc000000002f78a60 = powerpc_interrupt+0x110
0xc008000020fb9a20: kernel trap 0xe40 by 0xc000000002401978 = get_spr+0x8: srr1=0x9000000000001032
r1=0xc008000020fb9cd0 cr=0x80009438 xer=0x20040000 ctr=0xc000000002f7b40c r2=0xc0000000037fd000
saved LR(0xfffffffffffffffb) is invalid.
```
jhibbits [Thu, 8 Nov 2018 20:31:12 +0000 (20:31 +0000)]
powerpc/powernv: Restrict the busdma tag to only POWER8
It seems this tag is causing problems on POWER9 systems. Since no POWER9 user
has encountered the problem fixed by r339589 just restrict it to POWER8 for now.
A better fix will likely be to update powerpc/busdma_machdep.c to handle the
window correctly.
emaste [Thu, 8 Nov 2018 20:17:36 +0000 (20:17 +0000)]
Avoid buffer underwrite in icmp_error
icmp_error allocates either an mbuf (with pkthdr) or a cluster depending
on the size of data to be quoted in the ICMP reply, but the calculation
failed to account for the additional padding that m_align may apply.
Include the ip header in the size passed to m_align. On 64-bit archs
this will have the net effect of moving everything 4 bytes later in the
mbuf or cluster. This will result in slightly pessimal alignment for
the ICMP data copy.
Also add an assertion that we do not move m_data before the beginning of
the mbuf or cluster.
Reported by: A reddit user
Reviewed by: bz, jtl
MFC after: 3 days
Security: CVE-2018-17156
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17909
vangyzen [Thu, 8 Nov 2018 19:50:23 +0000 (19:50 +0000)]
in6_ifattach_linklocal: handle immediate removal of the new LLA
If another thread immediately removes the link-local address
added by in6_update_ifa(), in6ifa_ifpforlinklocal() can return NULL,
so the following assertion (or dereference) is wrong.
Remove the assertion, and handle NULL somewhat better than panicking.
This matches all of the other callers of in6_update_ifa().
erj [Thu, 8 Nov 2018 19:10:43 +0000 (19:10 +0000)]
ixl/iavf(4): Fix TSO offloads when TXCSUM is disabled
From Jake:
The iflib stack does not disable TSO automatically when TXCSUM is
disabled, instead assuming that the driver will correctly handle TSOs
even when CSUM_IP is not set.
This results in iflib calling ixl_isc_txd_encap with packets which have
CSUM_IP_TSO, but do not have CSUM_IP or CSUM_IP_TCP set. Because of
this, ixl_tx_setup_offload will not setup the IPv4 checksum offloading.
This results in bad TSO packets being sent if a user disables TXCSUM
without disabling TSO.
Fix this by updating the ixl_tx_setup_offload function to check both
CSUM_IP and CSUM_IP_TSO when deciding whether to enable IPv4 checksums.
Once this is corrected, another issue for TSO packets is revealed. The
driver sets IFLIB_NEED_ZERO_CSUM in order to enable a work around that
causes the ip->sum field to be zero'd. This is necessary for ixl
hardware to correctly perform TSOs.
However, if TXCSUM is disabled, then the work around is not enabled, as
CSUM_IP will not be set when the iflib stack checks to see if it should
clear the sum field.
Fix this by adding IFLIB_TSO_INIT_IP to the iflib flags for the iavf and
ixl interface files.
It is uncertain if the hardware needs IFLIB_NEED_ZERO_CSUM for any other
case besides TSO, so leave that flag assigned. It may be worth
investigating to see if this work around flag could be disabled in
a future change.
Once both of these changes are made, the ixl driver should correctly
offload TSO packets when TSO4 offload is enabled, regardless of whether
TXCSUM is enabled or disabled.
Submitted by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed by: erj@, shurd@
MFC after: 0 days
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D17900
brooks [Thu, 8 Nov 2018 00:35:00 +0000 (00:35 +0000)]
Add a top-level make target to rebuild all sysent files.
The sysent target is useful when changing makesyscalls.sh, when
making paired changes to syscalls.master files, or in a future where
freebsd32 sysent entries are built from the default syscalls.master.
markj [Wed, 7 Nov 2018 23:28:11 +0000 (23:28 +0000)]
Fix a use-after-free in swp_pager_meta_free().
This was introduced in r326329 and explains the crashes mentioned in
the commit log message for r339934. In particular, on INVARIANTS
kernels, UMA trashing causes the loop to exit early, leaving swap
blocks behind when they should have been freed. After r336984 this
became more problematic since new anonymous mappings were more
likely to reuse swapped-out subranges of existing VM objects, so faults
would trigger pageins of freed memory rather than returning zeroed
pages.
Reviewed by: kib
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17897
tsoome [Wed, 7 Nov 2018 21:36:52 +0000 (21:36 +0000)]
loader: ptable_open() check for ptable_cd9660read result is wrong
The ptable_*read() functions return NULL on read errors (and partition table
closed as an side effect). The ptable_open must check the return value and
act properly.
oshogbo [Wed, 7 Nov 2018 21:01:14 +0000 (21:01 +0000)]
bspatch: simplify capsicumization
Assume that user wants to run with capsicum support if he builds the software
with HAVE_CAPSICUM. Treat running application without capsicum in the kernel as
an error.
emaste [Wed, 7 Nov 2018 20:36:57 +0000 (20:36 +0000)]
newvers.sh: avoid regenerating vers.c if content unchanged
When reproducible build mode is enabled vers.c may be unchanged between
successive builds. In this case avoid changing the file's metadata so
that it does not cause dependent targets to be rebuilt.
Sponsored by: The FreeBSD Foundation
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D17892
shurd [Wed, 7 Nov 2018 19:31:48 +0000 (19:31 +0000)]
Fix rxcsum issue introduced in r338838
r338838 attempted to fix issues with rxcsum and rxcsum6.
However, the rxcsum bits were set as though if_setcapenablebit() was
being called, not if_togglecapenable() which is in use. As a result,
it was not possible to disable rxcsum when rxcsum6 was supported.
PR: 233004
Reported by: lev
Reviewed by: lev
MFC after: 3 days
Sponsored by: Limelight Networks
Differential Revision: https://reviews.freebsd.org/D17881
projects / FreeBSD / FreeBSD.git / log