hselasky [Tue, 11 Jun 2019 08:53:26 +0000 (08:53 +0000)]
MFC r348797:
Fix for reading the configuration descriptor in libusb. Catch invalid
configuration descriptor reads early on to avoid issues with devices
that don't check for a valid USB configuration read request.
hselasky [Mon, 10 Jun 2019 13:37:38 +0000 (13:37 +0000)]
MFC r348631:
In usb(4) fix a lost completion event issue towards libusb(3). It may happen
if a USB transfer is cancelled that we need to fake a completion event.
Implement missing support in ugen_fs_copy_out() to handle this.
hselasky [Mon, 10 Jun 2019 13:17:39 +0000 (13:17 +0000)]
MFC r348604:
In xhci(4) there is no stream ID in the completion TRB.
Instead iterate all the stream IDs in stream mode to find
the matching USB transfer.
Relevant vendor changes:
Issue #795: XAR - do not try to add xattrs without an allocated name
PR #812: non-recursive option for extract and list
PR #958: support reading metadata from compressed files
PR #999: add --exclude-vcs option to bsdtar
Issue #1062: treat empty archives with a GNU volume header as valid
PR #1074: Handle ZIP files with trailing 0s in the extra fields
(Android APK archives)
PR #1109: Ignore padding in Zip extra field data (Android APK archives)
PR #1167: fix problems related to unreadable directories
Issue #1168: fix handling of strtol() and strtoul()
PR #1172: RAR5 - fix invalid window buffer read in E8E9 filter
PR #1174: ZIP reader - fix of MSZIP signature parsing
PR #1175: gzip filter - fix reading files larger than 4GB from memory
PR #1177: gzip filter - fix memory leak with repeated header reads
PR #1180: ZIP reader - add support for Info-ZIP Unicode Path Extra Field
PR #1181: RAR5 - fix merge_block() recursion
(OSS-Fuzz 12999, 13029, 13144, 13478, 13490)
PR #1183: fix memory leak when decompressing ZIP files with LZMA
PR #1184: fix RAR5 OSS-Fuzz issues 12466, 14490, 14491, 12817
OSS-Fuzz 12466: RAR5 - fix buffer overflow when parsing huffman tables
OSS-Fuzz 14490, 14491: RAR5 - fix bad shift-left operations
OSS-Fuzz 12817: RAR5 - handle a case with truncated huffman tables
PR #1186: RAR5 - fix invalid type used for dictionary size mask
(OSS-Fuzz 14537)
PR #1187: RAR5 - fix integer overflow (OSS-Fuzz 14555)
PR #1190: RAR5 - RAR5 don't try to unpack entries marked as directories
(OSS-Fuzz 14574)
PR #1196: RAR5 - fix a potential SIGSEGV on 32-bit builds
OSS-Fuzz 2582: RAR - fix use after free if there is an invalid entry
OSS-Fuzz 14331: RAR5 - fix maximum owner name length
OSS-Fuzz 13965: RAR5 - use unsigned int for volume number + range check
Additional RAR5 reader changes:
- support symlinks, hardlinks, file owner, file group, versioned files
- change ARCHIVE_FORMAT_RAR_V5 to 0x100000
- set correct mode for readonly directories
- support readonly, hidden and system Windows file attributes
MFC r347999:
Install missing data file for
lib.libarchive.functional_test.test_read_format_zip_utf8_paths
rmacklem [Mon, 6 May 2019 03:20:02 +0000 (03:20 +0000)]
MFC: r346856
Add #ifdef INET6 around declaration of nbuf.
It was reported that without #ifdef INET6 around the declaration of "nbuf",
a build would report an unused variable. For some reason, I didn't see that
warning when I did a build, but it seems reasonable to add these #ifdef INET6's.
rmacklem [Fri, 3 May 2019 02:30:01 +0000 (02:30 +0000)]
MFC: r346365
Fix the NFSv4.0 server so that it does not support NFSv4.1 attributes.
During inspection of a packet trace, I noticed that an NFSv4.0 mount
reported that it supported attributes that are only defined for NFSv4.1.
In practice, this bug appears to be benign, since NFSv4.0 clients will
not use attributes that were added for NFSv4.1.
However, this was not correct and this patch fixes the NFSv4.0 server
so that it only supports attributes defined for NFSv4.0.
It also adds a definition for NFSv4.1 attributes that can only be set,
although it is only defined as 0 for now.
This is anticipation of the addition of support for the NFSv4.1 mode+mask
attribute soon.
rmacklem [Thu, 2 May 2019 01:17:55 +0000 (01:17 +0000)]
MFC: r346709
Add support to nfsdumpstate for printing of INET6 addresses for locks.
r346190 added support for printing of INET6 addresses for the "-o" option
(all opens) but missed adding support for INET6 addresses for the "-l" option.
This patch adds that support.
MFC: r346191
Add support for INET6 addresses to the kernel code that dumps open/lock state.
PR#223036 reported that INET6 callback addresses were not printed by
nfsdumpstate(8). This kernel patch adds INET6 addresses to the dump structure,
so that nfsdumpstate(8) can print them out, post-r346190.
MFC: r345994
Fix nfsuserd so that it handles the mapped localhost address when jails
are enabled.
The nfsuserd(8) daemon does not function correctly when jails are enabled,
since localhost gets mapped to another IP address and, as such, the upcall
RPC fails.
This patch fixes the problem by doing a getsockname(2) of a socket mapped
to localhost to find out what the correct address is for the comparison
test with the upcall's from IP address.
This patch also adds INET6 support and the required #ifdef's for INET and
INET6. It now uses INET6 by default for the upcalls, if the kernel has
INET6 support and the daemon is also built with INET6 support.
MFC: r345992, r346087
Add INET6 support for the upcalls to the nfsuserd daemon.
The kernel code uses UDP to do upcalls to the nfsuserd(8) daemon to get
updates to the username<->uid and groupname<->gid mappings.
A change to AF_LOCAL last year had to be reverted, since it could result
in vnode locking issues on the AF_LOCAL socket.
This patch adds INET6 support and the required #ifdef INET and INET6
to the code.
MFC: r345866
Fix malloc stats for the RPCSEC_GSS server code when DEBUG is enabled.
The code enabled when "DEBUG" is defined uses mem_alloc(), which is a
malloc(.., M_RPC, M_WAITOK | M_ZERO), but then calls gss_release_buffer()
which does a free(.., M_GSSAPI) to free the memory.
This patch fixes the problem by replacing mem_alloc() with a
malloc(.., M_GSSAPI, M_WAITOK | M_ZERO).
This bug affects almost no one, since the sources are not normally built
with "DEBUG" defined.
MFC: r345818, r345828
Fix a race in the RPCSEC_GSS server code that caused crashes.
When a new client structure was allocated, it was added to the list
so that it was visible to other threads before the expiry time was
initialized, with only a single reference count.
The caller would increment the reference count, but it was possible
for another thread to decrement the reference count to zero and free
the structure before the caller incremented the reference count.
This could occur because the expiry time was still set to zero when
the new client structure was inserted in the list and the list was
unlocked.
This patch fixes the race by initializing the reference count to two
and initializing all fields, including the expiry time, before inserting
it in the list.
mm [Wed, 10 Apr 2019 21:46:28 +0000 (21:46 +0000)]
MFC r345497:
Sync libarchive with vendor.
Relevant vendor changes:
PR #1153: fixed 2 bugs in ZIP reader [1]
PR #1143: ensure archive_read_disk_entry_from_file() uses ARCHIVE_READ_DISK
Changes to file flags code, support more file flags on FreeBSD:
UF_OFFLINE, UF_READONLY, UF_SPARSE, UF_REPARSE, UF_SYSTEM
UF_ARCHIVE is not supported by intention (yet)
Teach jedec_dimm(4) to be more forgiving of non-fatal errors.
It looks like some DIMMs claim to have a TSOD, but actually don't. Some
claim they weren't able to change the SPD page, but they did. Neither of
those should be fatal errors.
dab [Mon, 25 Mar 2019 17:04:33 +0000 (17:04 +0000)]
MFC r345009:
Fix a scribbler in the PMS driver.
The ESGL bit was left uninitialized when executing the REPORT LUNS
ioctl. This could allow a zeroed data buffer to be treated as a
scatter/gather list. The firmware would eventually walk past the end
of the data buffer, potentially find what looked like a valid
address/length pair, and write the result to semi-random memory.
dab [Thu, 7 Mar 2019 13:11:00 +0000 (13:11 +0000)]
MFC r344470:
Fix several Coverity-detected issues in newsyslog.
- CID 1394815, CID 1305673: Dereference before null check - memory was
allocated and the allocation checked for NULL with a call to errx()
if it failed. Code below that was guaranteed that the pointer was
non-NULL, but there was another check for NULL at the exit of the
function (after the memory had already been referenced). Eliminate
the useless NULL check.
- CID 1007452: Resource leak - Storage intended to be allocated and
returned to the caller was never freed. This was the result of a
regression in the function signature introduced in r208648 (2010)
(thanks for that find, @cem!). Fixed by altering the function
signature and passing the allocated memory to the caller as
intended. This also fixes PR158794.
- CID 1008620: Logically dead code in newsyslog.c - This was a direct
result of CID 1007452. Since the memory allocated as described there
was not returned to the caller, a subsequent check for the memory
having been allocated was dead code. Returning the memory
re-animates the code that is the subject of this CID.
- CID 1006131: Unused value - in parsing a configuration file, a
pointer to the end of the last field was saved, but not used after
that. Rewrite to use the pointer value. This could have been fixed
by avoiding the assignment altogether, but this solutions more
closely follows the pattern used in the preceding code.
mm [Thu, 28 Feb 2019 22:57:09 +0000 (22:57 +0000)]
MFC r344063,r344088:
MFC r344063:
Sync libarchive with vendor.
Relevant vendor changes:
PR #1085: Fix a null pointer dereference bug in zip writer
PR #1110: ZIP reader added support for XZ, LZMA, PPMD8 and BZIP2
decopmpression
PR #1116: Add support for 64-bit ar format
PR #1120: Fix a 7zip crash [1] and a ISO9660 infinite loop [2]
PR #1125: RAR5 reader - fix an invalid read and a memory leak
PR #1131: POSIX reader - do not fail when tree_current_lstat() fails
due to ENOENT [3]
PR #1134: Delete unnecessary null pointer checks before calls of free()
OSS-Fuzz 10843: Force intermediate to uint64_t to make UBSAN happy.
OSS-Fuzz 11011: Avoid buffer overflow in rar5 reader
dab [Wed, 27 Feb 2019 22:29:37 +0000 (22:29 +0000)]
MFC r344473:
CID 1332000: Logically dead code in sys/dev/pms/RefTisa/tisa/sassata/sas/ini/itdio.c
A pointer is first tested for NULL. If non-NULL, another pointer is
set equal to the first. The second pointer is then checked for NULL
and an error path taken if so. This second test and the associated
path is dead code as the pointer value, having just been checked for
NULL, cannot be NULL at this point. Remove the dead code.
dab [Wed, 20 Feb 2019 22:49:09 +0000 (22:49 +0000)]
MFC r344024:
CID 1009492: Logically dead code in sys/cam/scsi/scsi_xpt.c
In `probedone()`, for the `PROBE_REPORT_LUNS` case, all paths that
fall to the bottom of the case set `lp` to `NULL`, so the test for a
non-NULL value of `lp` and call to `free()` if true is dead code as
the test can never be true. Fix by eliminating the whole if
statement. To guard against a possible future change that accidentally
violates this assumption, use a `KASSERT()` to catch if `lp` is
non-NULL.
For 11n / 11ac we are still using non-11n rates for management and
multicast traffic by default; check 'MCS rate' bit to determine how
to print them correctly.
avos [Wed, 6 Feb 2019 01:53:01 +0000 (01:53 +0000)]
MFC r343697:
net80211(4): fix rate check when 'roaming' ifconfig(8) option is set to 'auto'
Do not try to clear 'basic rate' bit from roamRate; it cannot be here and,
actually, this operation clears 'MCS rate' bit instead, breaking comparison
for 11n / 11ac modes.
marius [Sun, 27 Jan 2019 19:05:18 +0000 (19:05 +0000)]
MFC: r342634 (partial)
o Don't allocate resources for SDMA in sdhci(4) if the controller or the
front-end doesn't support SDMA or the latter implements a platform-
specific transfer method instead. While at it, factor out allocation
and freeing of SDMA resources to sdhci_dma_{alloc,free}() in order to
keep the code more readable when adding support for ADMA variants.
o Base the size of the SDMA bounce buffer on MAXPHYS up to the maximum
of 512 KiB instead of using a fixed 4-KiB-buffer. With the default
MAXPHYS of 128 KiB and depending on the controller and medium, this
reduces the number of SDHCI interrupts by a factor of ~16 to ~32 on
sequential reads while an increase of throughput of up to ~84 % was
seen.
Front-ends for broken controllers that only support an SDMA buffer
boundary of a specific size may set SDHCI_QUIRK_BROKEN_SDMA_BOUNDARY
and supply a size via struct sdhci_slot. According to Linux, only -
unsupported in stable/10 anyway - Qualcomm MSM-type SDHCI controllers
are affected by this, though.
Requested by: Shreyank Amartya (unconditional bump to 512 KiB)
o Introduce a SDHCI_DEPEND macro for specifying the dependency of the
front-end modules on the sdhci(4) one and bump the module version
of sdhci(4) to 2 via an also newly introduced SDHCI_VERSION in order
to ensure that all components are in sync WRT struct sdhci_slot.
o In sdhci(4):
- Make pointers const were applicable, and
- replace a few device_printf(9) calls with slot_printf() for
consistency.
avos [Sat, 26 Jan 2019 12:41:16 +0000 (12:41 +0000)]
MFC r343190:
net80211: drop m_pullup call from ieee80211_crypto_decap.
For most wireless drivers Rx mbuf is allocated as one
contiguous chunk; only few are using chains for allocations -
but even then at least MCLBYTES (minus Rx descriptor size) is
available in the first mbuf.
In addition to the above, m_pullup was never called here - otherwise,
reallocation will break post-crypto_decap logic (ieee80211_decap,
ieee80211_deliver_data...), so just remove it; length check is left
in case if some truncated frame appears here.
rgrimes [Tue, 22 Jan 2019 21:52:07 +0000 (21:52 +0000)]
MFC: 325765 (imp) Add notes about overlapping copies.
Add notes to each of these that specifically state that results are
undefined if the strings overlap. In the case of memcpy, we document
the overlapping behavior on FreeBSD (pre-existing). For str*, it is
left unspecified, however, since the default (and x86) implementations
do not handle overlapping strings properly.
hselasky [Fri, 18 Jan 2019 08:59:00 +0000 (08:59 +0000)]
MFC r342884:
Fix loopback traffic when using non-lo0 link local IPv6 addresses.
The loopback interface can only receive packets with a single scope ID,
namely the scope ID of the loopback interface itself. To mitigate this
packets which use the scope ID are appearing as received by the real
network interface, see "origifp" in the patch. The current code would
drop packets which are designated for loopback which use a link-local
scope ID in the destination address or source address, because they
won't match the lo0's scope ID. To fix this restore the network
interface pointer from the scope ID in the destination address for
the problematic cases. See comments added in patch for a more detailed
description.
This issue was introduced with route caching by karels@ .
hselasky [Fri, 18 Jan 2019 08:49:10 +0000 (08:49 +0000)]
MFC r342778:
Reduce timeout for reading the USB HUB port status to 1000ms and try to filter
out dead USB HUB devices by implementing an error counter, so that the USB
enumeration thread does not spend all its time reading from non-responding
devices, blocking user-space access in the end.
avos [Tue, 15 Jan 2019 02:26:03 +0000 (02:26 +0000)]
MFC r342966:
net80211: fix possible panic for some drivers after r342465
Check if rate control structures were allocated before trying to
access them in various places; this was possible before on
allocation failure (unlikely), but was revealed after r342211
where allocation was deferred.
The patch was adjusted a bit since file contents are different enough
since r306591.
Also, 'rate_stats' sysctl is not available here, so the panic is
unlikely to happen here even without this patch.
avos [Sun, 13 Jan 2019 02:27:10 +0000 (02:27 +0000)]
MFC r342810:
powerd(8): allow to force a method of battery state query
This change allows to determine power source via sysctl or /dev/apm
when devd(8) is running (used by default).
Based on patch from PR; other changes on top of it:
- '-f' (force) -> '-s' (source) parameter renaming;
- allow 'apm' -> 'devd' transition when '-s devd' is set
(if APM is enabled);
- man page update.
TCP_PAWS_IDLE is does not exist in NetBSD and illumos. In FreeBSD
TCP_PAWS_IDLE is defined in netinet/tcp_seq.h, however this header
isn't included explicitly or implicitly at this point therefore
as far ipfilter is concerned TCP_PAWS_IDLE is not defined. Remove
the #ifdef and include netinet/tcp.h unconditionally.
marius [Sat, 5 Jan 2019 19:35:10 +0000 (19:35 +0000)]
MFC: r336610 (partial), r339207, r339267
- Or in the DMA coalescing Rx threshold so the other bits set in E1000_DMACR
remain intact as intended in igb_init_dmac(). [1]
- Fix igb corrupting checksums with BPF and VLAN
In stable/11, this merely syncs the code with head as the problem was
introduced with r311849 in the latter and then fixed by r339207 with
a different approach than the code used pre-r311849 and in stable/11.
- Use mbuf defines to construct csum offload masks rather than literals
jhb [Wed, 2 Jan 2019 19:11:49 +0000 (19:11 +0000)]
MFC 341800: Don't report stale signal information in ptrace_lwpinfo.
Once a signal's siginfo was copied to 'td_si' as part of the signal
exchange in issignal(), it was never cleared. This caused future
thread events that are reported as SIGTRAP events without signal
information to report the stale siginfo in 'td_si'. For example, if a
debugger created a new process and used SIGSTOP to stop it after
PT_ATTACH, future system call entry / exit events would set PL_FLAG_SI
with the SIGSTOP siginfo in pl_siginfo. This broke 'catch syscall' in
current versions of gdb as it assumed PL_FLAG_SI with SIGTRAP
indicates a breakpoint or single step trap.
cy [Mon, 31 Dec 2018 03:53:33 +0000 (03:53 +0000)]
MFC r342385:
Remove an empty #if block.
The interesting thing is that looking through Darren's commit logs,
the line containing an extern ppsratecheck() definition was removed
from the v5-1-RELEASE branch but not from HEAD (I have taken his
CVS tree and converted it to GIT). There is a commit adding an
additional #if defined to the empty block. I can only assume that
this was intentional for something later. Looking through HEAD the
extern ppsratecheck() is there. However if we put it back it would
conflict with a static ppsratecheck() definition in fil.c when
building ipftest.
Therefore we remove this empty block.
ppsratecheck() is a function in the FreeBSD kernel. However ipftest
cannot call the ppsratecheck() in the kernel. Therefore one exists in
fil.c for use when building the userland ipftest utility which
approximates the packet filter in userland for testing of ipfilter
rules against packets captured with tcpdump.
cy [Sun, 30 Dec 2018 04:37:49 +0000 (04:37 +0000)]
MFC r342377:
Remove NETBSD_PF. NETBSD_PF is a flag that defines whether the pfil(9)
framework is available. pfil(9) has been in FreeBSD since FreeBSD 5
and according to svn log was first committed to HEAD in 2000, therefore
it is safe to say the check is no longer needed in FreeBSD.
pfil(9) first appeared in NetBSD 1.3 (hence the name NETBSD_PF).
Therefore it is safe to say that it is supported by every NetBSD system
today. The framework also exists in illumos.
As ipfilter code is shared and exchanged between FreeBSD and NetBSD, and
at some point in the future illumos too, and as all three platforms have
pfil(9), the redundant NETBSD_PF #defines and #ifdefs are removed.
cy [Sun, 30 Dec 2018 04:31:51 +0000 (04:31 +0000)]
MFC r341279:
Clean up a redundant non-redefinition of IFNAMSIZ. IFNAMSIZ
is defined in net/if.h, therefore the condition is never met and
confusing to those who follow.
jhb [Sat, 29 Dec 2018 01:19:14 +0000 (01:19 +0000)]
MFC 340441: Revert r332735 and fix MSI-X to properly fail allocations when full.
The off-by-one errors in 332735 weren't actual errors and were
preventing the last MSI interrupt source from being used. Instead,
the issue is that when all MSI interrupt sources were allocated, the
loop in msix_alloc() would terminate with 'msi' still set to non-null.
The only check for 'i' overflowing was in the 'msi' == NULL case, so
msix_alloc() would try to reuse the last MSI interrupt source instead
of failing.
Fix by moving the check for all sources being in use to just after the
loop.
eugen [Sat, 29 Dec 2018 00:44:11 +0000 (00:44 +0000)]
MFC r342367: ifconfig.8, lagg.4: fix documentation bug: -use_flowid
needs to be used to force local hash computation and disable usage
of RSS hash provided by driver.
jhb [Sat, 29 Dec 2018 00:30:17 +0000 (00:30 +0000)]
MFC 340304: Use tcp_state_change() in the cxgbe(4) TOE module.
r254889 added tcp_state_change() as a centralized place to log state
changes in TCP connections for DTrace. r294869 and r296881 took
advantage of this central location to manage per-state counters.
However, TOE sockets were still performing some (but not all) state
change updates via direct assignments to t_state. This resulted in
state counters underflowing when TOE was in use. Fix by using
tcp_state_change() when changing a TOE connection's state.
arybchik [Wed, 26 Dec 2018 10:39:34 +0000 (10:39 +0000)]
MFC r341785
sfxge(4): use n Tx queues instead of n + 2 on EF10 HW
On EF10 HW we can avoid sending packets without checksum offload
or with IP-only checksum offload to dedicated queues. Instead, we
can use option descriptors to change offload policy on any queue
during runtime. Thus, we don't need to create two dedicated queues.
Submitted by: Ivan Malov <Ivan.Malov at oktetlabs.ru>
Sponsored by: Solarflare Communications, Inc.
Differential Revision: https://reviews.freebsd.org/D18390
arybchik [Wed, 26 Dec 2018 10:38:51 +0000 (10:38 +0000)]
MFC r341784
sfxge(4): prepare the number of Tx queues on event queue 0 to become
variable
The number of Tx queues on event queue 0 can depend on the NIC family
type, and this property will be leveraged by future patches.
This patch prepares the code for this change.
Submitted by: Ivan Malov <Ivan.Malov at oktetlabs.ru>
Sponsored by: Solarflare Communications, Inc.
Differential Revision: https://reviews.freebsd.org/D18389