Commit Graph

163938 Commits

Author SHA1 Message Date
Pawel Jakub Dawidek
12b9f8e47d Imagine a situation where a security problem is found in a setuid binary.
The user upgrades his system to fix the problem, but if he has any ZFS snapshots
for the file system which contains the problematic binary, any user can mount the
snapshot and execute the vulnerable binary.

Prevent this from happening by always mounting snapshots with setuid turned off.

MFC after:	2 weeks
2011-05-31 07:02:49 +00:00
Pyun YongHyeon
7c017a713e Correctly check MAC running status before disabling TX/RX MACs. 2011-05-31 01:30:58 +00:00
Bjoern A. Zeeb
1dd53eaea3 No longer set an IPv4 loopback address by default in defaults/rc.conf.
If not specified, network.subr will add it automatically if we have
INET support (1).

In network.subr only call the address family up/down functions
if the respective AF is available.

Switch to new kern.features variables for inet and inet6 as the
inet sysctl tree is also available for IPv6-only kernels leading
to unexpected results.

Suggested by:	hrs (1)
Reviewed by:	hrs
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	20 days
2011-05-31 00:25:52 +00:00
Navdeep Parhar
b400f1ea97 Update to firmware interface 1.3.10
MFC after:	1 week
2011-05-30 21:56:37 +00:00
Jilles Tjoelker
36ae1a9441 sh: Add tests for some somewhat obscure aspects of function definitions. 2011-05-30 21:49:59 +00:00
Jilles Tjoelker
562b28821e posix_spawn(): Do not fail when trying to close an fd that is not open.
As noted in Austin Group issue #370 (an interpretation has been issued),
failing posix_spawn() because an fd specified with
posix_spawn_file_actions_addclose() is not open is unnecessarily harsh, and
there are existing implementations that do not fail posix_spawn() for this
reason.

Reviewed by:	ed
MFC after:	10 days
2011-05-30 21:41:06 +00:00
Navdeep Parhar
56599263c5 - Specialized ingress queues that take interrupts for other ingress
  queues.  Try to have a set of these per port when possible, fall back
  to sharing a common pool between all ports otherwise.

- One control queue per port (used to be one per hardware channel).

- t4_eth_rx now handles Ethernet rx only.

- sysctls to display pidx/cidx for some queues.

MFC after:	1 week
2011-05-30 21:34:44 +00:00
Navdeep Parhar
4dba21f17e L2 table code. This is enough to get the T4's switch + L2 rewrite
filters working.  (All other filters - switch without L2 info rewrite,
steer, and drop - were already fully-functional).

Some contrived examples of "switch" filters with L2 rewriting:

# cxgbetool t4nex0  iport 0  dport 80  action switch  vlan +9  eport 3
Intercept all packets received on physical port 0 with TCP port 80 as
destination, insert a vlan tag with VID 9, and send them out of port 3.

# cxgbetool t4nex0  sip 192.168.1.1/32  ivlan 5  action switch \
	vlan =9  smac aa:bb:cc:dd:ee:ff  eport 0
Intercept all packets (received on any port) with source IP address
192.168.1.1 and VLAN id 5, rewrite the VLAN id to 9, rewrite source mac
to aa:bb:cc:dd:ee:ff, and send it out of port 0.

MFC after:	1 week
2011-05-30 21:07:26 +00:00
Steve Kargl
9aa461b570 Clean up the unneeded cpp macro INLINE_REM_PIO2L.
Reviewed by:	das
Approved by:	das (mentor)
2011-05-30 19:41:28 +00:00
Bjoern A. Zeeb
d2025bd0f6 Unbreak NOINET kernels after r222488.
Reviewed by:	rwatson
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems!
Pointy hat:	to myself for missing this during review?
2011-05-30 18:07:35 +00:00
Bjoern A. Zeeb
f07f97be05 Contrary to the rc.conf framework, when manually enabling IPv6 we have
to -ifdisabled ourselves.

Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
2011-05-30 17:27:48 +00:00
Adrian Chadd
6246be6e58 Enable setting the short-GI bit when TX'ing HT rates but only if the
hardware supports it.

Since ni->ni_htcap in hostap mode is what the remote end has advertised,
not what has been negotiated/decided, we need to check ourselves what
the current channel width is and what the hardware supports before
enabling short-GI.

It's important that short-GI isn't enabled when it isn't negotiated
and when the hardware doesn't support it (ie, short-gi for 20mhz channels
on any chip < AR9287.)

I've quickly verified this on the AR9285 in 11n mode.
2011-05-30 15:06:57 +00:00
Adrian Chadd
9be25f4a3a Set default A-MPDU density/size. 2011-05-30 14:57:00 +00:00
Andrey V. Elsukov
6f5286dca6 Document kern.geom.part.check_integrity sysctl variable. 2011-05-30 11:17:42 +00:00
Benedict Reuschling
69a2457d15 Bump document date.
I accidentally committed the actual change (typo fix) in r222492, which
is a completely unrelated change.
2011-05-30 10:28:55 +00:00
Benedict Reuschling
b7642c92bf Add a short description about NO_CHECKSUM.
PR:		docs/155980
Submitted by:	KOIE Hidetaka (koie at suri co jp)
MFC after:	7 days
2011-05-30 10:23:59 +00:00
Adrian Chadd
e849bb3ecb Mention in ath(4) that ath_pci is required now. 2011-05-30 10:12:17 +00:00
Adrian Chadd
0259f5a250 Add ath_ahb and ath_pci module manpages. 2011-05-30 10:07:46 +00:00
Adrian Chadd
c324f2c1ae Update chipset support list for ath_hal. 2011-05-30 10:02:51 +00:00
Robert Watson
fa046d8774 Decompose the current single inpcbinfo lock into two locks:
- The existing ipi_lock continues to protect the global inpcb list and
  inpcb counter.  This lock is now relegated to a small number of
  allocation and free operations, and occasional operations that walk
  all connections (including, awkwardly, certain UDP multicast receive
  operations -- something to revisit).

- A new ipi_hash_lock protects the two inpcbinfo hash tables for
  looking up connections and bound sockets, manipulated using new
  INP_HASH_*() macros.  This lock, combined with inpcb locks, protects
  the 4-tuple address space.

Unlike the current ipi_lock, ipi_hash_lock follows the individual inpcb
connection locks, so may be acquired while manipulating a connection on
which a lock is already held, avoiding the need to acquire the inpcbinfo
lock preemptively when a binding change might later be required.  As a
result, however, lookup operations necessarily go through a reference
acquire while holding the lookup lock, later acquiring an inpcb lock --
if required.

A new function in_pcblookup() looks up connections, and accepts flags
indicating how to return the inpcb.  Due to lock order changes, callers
no longer need acquire locks before performing a lookup: the lookup
routine will acquire the ipi_hash_lock as needed.  In the future, it will
also be able to use alternative lookup and locking strategies
transparently to callers, such as pcbgroup lookup.  New lookup flags are,
supplementing the existing INPLOOKUP_WILDCARD flag:

  INPLOOKUP_RLOCKPCB - Acquire a read lock on the returned inpcb
  INPLOOKUP_WLOCKPCB - Acquire a write lock on the returned inpcb

Callers must pass exactly one of these flags (for the time being).

Some notes:

- All protocols are updated to work within the new regime; especially,
  TCP, UDPv4, and UDPv6.  pcbinfo ipi_lock acquisitions are largely
  eliminated, and global hash lock hold times are dramatically reduced
  compared to previous locking.
- The TCP syncache still relies on the pcbinfo lock, something that we
  may want to revisit.
- Support for reverting to the FreeBSD 7.x locking strategy in TCP input
  is no longer available -- hash lookup locks are now held only very
  briefly during inpcb lookup, rather than for potentially extended
  periods.  However, the pcbinfo ipi_lock will still be acquired if a
  connection state might change such that a connection is added or
  removed.
- Raw IP sockets continue to use the pcbinfo ipi_lock for protection,
  due to maintaining their own hash tables.
- The interface in6_pcblookup_hash_locked() is maintained, which allows
  callers to acquire hash locks and perform one or more lookups atomically
  with 4-tuple allocation: this is required only for TCPv6, as there is no
  in6_pcbconnect_setup(), which there should be.
- UDPv6 locking remains significantly more conservative than UDPv4
  locking, which relates to source address selection.  This needs
  attention, as it likely significantly reduces parallelism in this code
  for multithreaded socket use (such as in BIND).
- In the UDPv4 and UDPv6 multicast cases, we need to revisit locking
  somewhat, as they relied on ipi_lock to stabilise 4-tuple matches, which
  is no longer sufficient.  A second check once the inpcb lock is held
  should do the trick, keeping the general case from requiring the inpcb
  lock for every inpcb visited.
- This work reminds us that we need to revisit locking of the v4/v6 flags,
  which may be accessed lock-free both before and after this change.
- Right now, a single lock name is used for the pcbhash lock -- this is
  undesirable, and probably another argument is required to take care of
  this (or a char array name field in the pcbinfo?).

This is not an MFC candidate for 8.x due to its impact on lookup and
locking semantics.  It's possible some of these issues could be worked
around with compatibility wrappers, if necessary.

Reviewed by:    bz
Sponsored by:   Juniper Networks, Inc.
2011-05-30 09:43:55 +00:00
Bjoern A. Zeeb
3e622db1cb Upgrade jail(2) to latest jail(2) API to make the regression test work
again.  Eventually should switch to jail_set(2).

Reported by:	rwatson
MFC after:	10 days
2011-05-30 09:41:38 +00:00
Robert Watson
0d9535331d Rework TIMEWAIT regression test so that kernel-allocated port numbers are
used rather than a fixed userspace one, avoiding conflicts between the two
test runs.

MFC after:	3 days
Sponsored by:	Juniper Networks, Inc.
2011-05-30 09:34:15 +00:00
Robert Watson
57431792c8 Add missing include of stdio.h.
MFC after:	3 days
Sponsored by:	Juniper Networks, Inc.
2011-05-30 09:06:24 +00:00
Robert Watson
e8c546028b In the tcpdrop regression test, allow the kernel to allocate us a port
rather than using a fixed port number.  This means that the regression test
can be run many times in a row without waiting on TIMEWAIT to release a
hard-coded port number.

MFC after:	3 days
Sponsored by:	Juniper Networks, Inc.
2011-05-30 09:04:35 +00:00
Robert Watson
27d36ca1a8 Add missing #include of err.h.
MFC after:	3 days
Sponsored by:	Juniper Networks, Inc.
2011-05-30 08:54:32 +00:00
Bjoern A. Zeeb
2cdbac6cee While doing it right for current configuration, fix the entry for rc.conf
adding the missing mandatory "inet6" keyword.

Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
2011-05-30 08:40:59 +00:00
Jayachandran C.
bcd91d25da Fix read_ivar implementation for MMC and SD.
1. Both mmc_read_ivar() and sdhci_read_ivar() use the expression
'*(int *)result = val' to assign to result which is uintptr_t *.
This does not work on big-endian 64 bit systems.

2. The media_size ivar is declared as 'off_t' which does not fit
into uintptr_t in 32bit systems, change this to long.

Submitted by:	kanthms at netlogicmicro com (initial version)
2011-05-30 06:23:51 +00:00
Andrey V. Elsukov
d832ded1a1 Wrap long line.
MFC after:	2 weeks
2011-05-30 05:53:00 +00:00
Andrey V. Elsukov
41b6083752 Add tablearg support for ipfw setfib.
PR:		kern/156410
MFC after:	2 weeks
2011-05-30 05:37:26 +00:00
Julian Elischer
9d4a4b2a03 Include forgotten framework changes to get some of the new menu files installed correctly on non x86/amd systems.
pointy-hat to devin
2011-05-30 04:23:33 +00:00
Nathan Whitehorn
9d2a3635c1 Use kproc_exit() instead of returning from the management function on
systems with no manageable thermal control devices.
2011-05-29 22:37:23 +00:00
Bjoern A. Zeeb
7986af23a4 Split netconfig into three parts:
- netconfig - what auto will call which in turn will check for
  IPv4 and IPv6 to be available and ask the user to configure it
  by calling
- netconfig_ipv4 doing DHCP and static IPv4 addresses, and
- netconfig_ipv6 doing rtsol and static IPv6 addresses,
and then checking, querying and updating resolv.conf upon return.
Both DHCP and rtsol (in the future) might update resolv.conf already so
we seed ourselves from that file if available.

Reviewed by:	nwhitehorn
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
2011-05-29 21:24:20 +00:00
Mikolaj Golub
a01a750f32 If READ from the local node failed we send the request to the remote
node. There is no use in doing this for synchronization requests.

Approved by:	pjd (mentor)
MFC after:	1 week
2011-05-29 21:20:47 +00:00
Rick Macklem
b37ce15446 Modify the umount(8) command so that it doesn't do
a sync(2) syscall before unmount(2) for the "-f" case.
This avoids a forced dismount from getting stuck for
an NFS mountpoint in sync() when the server is not
responsive. With this commit, forced dismounts should
normally work for the NFS clients, but can take up to
about 1 minute to complete.

PR:		kern/157365
Reviewed by:	kib
MFC after:	2 weeks
2011-05-29 21:13:53 +00:00
Bjoern A. Zeeb
15ede76031 Check for IPv4 or IPv6 to be available by the kernel to not
provoke errors trying to query options not available.
Make it possible to compile out INET or INET6 only parts.

Reviewed by:	jamie
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
2011-05-29 21:03:40 +00:00
Rick Macklem
a8842a96db Add a check for MNTK_UNMOUNTF at the beginning of nfs_sync()
in the old NFS client so that a forced dismount doesn't
get stuck in the VFS_SYNC() call that happens before
VFS_UNMOUNT() in dounmount(). Analogous to r222329 for the new NFS client.
An additional change is needed before forced dismounts will work.

PR:		kern/157365
MFC after:	2 weeks
2011-05-29 20:55:23 +00:00
Nathan Whitehorn
d015abb774 Add some error handling here: if a sensor returns an error code (a negative
Kelvin temperature, which is impossible except for some contrived magnetic
spin systems), use the previous measurement from that sensor instead of
corrupting everything and randomly changing the fans or shutting off the
machine.
2011-05-29 20:46:53 +00:00
Nathan Whitehorn
d54e775e1e Add the next digit of precision to temperatures, which I missed when
converting the reporting format from degrees C to 0.1 degree K.
2011-05-29 20:04:02 +00:00
Nathan Whitehorn
6b9a12b391 Move the celsius-to-kelvin conversion to a place that powermac_thermal can
see it as well.
2011-05-29 19:53:46 +00:00
Nathan Whitehorn
cbfd4d0cbc Don't put negative values into the averages. 2011-05-29 19:53:11 +00:00
Michael Tuexen
14cfa970bf Get rid of unused functions.
MFC after: 1 week.
2011-05-29 18:41:06 +00:00
Nathan Whitehorn
815d7d92c1 Update the I2C-based temperature/fan drivers to connect to the Powermac
thermal control module. This provides automatic fan management on all G5
PowerMacs and Xserves.
2011-05-29 18:35:57 +00:00
Attilio Rao
da3dd8b7ab MFC 2011-05-29 18:33:13 +00:00
Attilio Rao
8e8b0e4625 Remove the unnecessary _KERNEL protection 2011-05-29 18:13:04 +00:00
Mikolaj Golub
3204c8e596 In soreceive_generic(), if MSG_WAITALL is set but the request is
larger than the receive buffer, we have to receive in sections.
When notifying the protocol that some data has been drained the
lock is released for a moment. Returning we block waiting for the
rest of data. There is a race, when data could arrive while the
lock was released and then the connection stalls in sbwait.

Fix this by checking for data before blocking and skip blocking
if there are some.

PR:		kern/154504
Reported by:	Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
Tested by:	Andrey Simonenko <simon@comsys.ntu-kpi.kiev.ua>
Reviewed by:	rwatson
Approved by:	kib (co-mentor)
MFC after:	2 weeks
2011-05-29 18:00:50 +00:00
Jilles Tjoelker
562c9f003e sh: Add test for 'set +o'. 2011-05-29 15:02:10 +00:00
Andreas Tobler
c931ccf1b0 Add some missing files. Without them we hang in the OF prompt asking for screen.4th.
Approved by:	nwhitehorn (mentor)
2011-05-29 14:27:11 +00:00
Andreas Tobler
d188174a4f Add a new driver, the ad7417, to read temperatures and voltages on some
PowerMacs.

Approved by:	nwhitehorn (mentor)
2011-05-29 14:25:42 +00:00
Benedict Reuschling
e6b71fcb16 Mention that jumbo frame support is disabled on PCIe VT6130/VT6132
controllers because of TX MAC hangs when trying to send a frame
that is larger than 4K (see r200759).

PR:		docs/156742
Submitted by:	Michael Moll (kvedulv at kvedulv dot de)
Reviewed by:	yongari@
MFC after:	6 days
2011-05-29 11:10:56 +00:00
Bjoern A. Zeeb
541ab6a6c5 The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be a u_int or a
u_char.  For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
  on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by:	roberto
Sponsored by:	The FreeBSD Foundation
Sponsored by:	iXsystems
MFC after:	10 days
Filed as:	Bug 1936 on ntp.org
2011-05-29 07:40:48 +00:00