The CAM version bump 0x19 -> 0x1a changed the CAMGETPASSTHRU definition,
so applications using the old ioctl are broken. However, that version
change did not affect anything relating to the ioctl implementation for
periphs.
Approved by: so
Security: FreeBSD-EN-22:26.cam
Fixes: 8f9be1eed1 ("cam(4): Improve XPT_DEV_MATCH")
PR: 264709
Tested by: andreas.mahling@googlemail.com
Reviewed by: imp
(cherry picked from commit 0cd631ee06)
(cherry picked from commit 16d4c1de7b)
As an optimization, vm_page_activate() avoids requeuing a page that's
already in the active queue. A page's location in the active queue is
mostly unimportant.
When a page is unwired and placed back in the page queues,
vm_page_unwire() avoids moving pages out of PQ_ACTIVE to honour the
request, the idea being that they're likely mapped and so will simply
get bounced back in to PQ_ACTIVE during a queue scan.
In both cases, if the page was logically in PQ_ACTIVE but had not yet
been physically enqueued (i.e., the page is in a per-CPU batch), we
would end up clearing PGA_REQUEUE from the page. Then, batch processing
would ignore the page, so it would end up unwired and not in any queues.
This can arise, for example, when a page is allocated and then
vm_page_activate() is called multiple times in quick succession. The
result is that the page is hidden from the page daemon, so while it will
be freed when its VM object is destroyed, it cannot be reclaimed under
memory pressure.
Fix the bug: when checking if a page is in PQ_ACTIVE, only perform the
optimization if the page is physically enqueued.
Approved by: so
Security: FreeBSD-EN-22:23.vm
PR: 256507
Fixes: f3f38e2580 ("Start implementing queue state updates using fcmpset loops.")
Reviewed by: alc, kib
Sponsored by: E-CARD Ltd.
Sponsored by: Klara, Inc.
(cherry picked from commit 2c9dc2384f)
(cherry picked from commit 6094749a1a)
This cherry-picks upstream ed566bf1cd
- Add a zfs_exit() call in an error path, otherwise a lock is
leaked.
- Remove the fid_gen > 1 check. That appears to be Linux-specific:
zfsctl_snapdir_fid() sets fid_gen to 0 or 1 depending on whether
the snapshot directory is mounted. On FreeBSD it fails, making
snapshot dirs inaccessible via NFS.
Approved by: so
PR: 266236
Security: FreeBSD-EN-22:24.zfs
(cherry picked from commit 6fe0a6c80a)
(cherry picked from commit 562c9ac58c)
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
(cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
(cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d)
(cherry picked from commit dc3509f1aa)
(cherry picked from commit 2969066f73)
(cherry picked from commit 10cc2bf5f7)
Approved by: so
Security: CVE-2022-37434
Structure l9p_f_wralk reserves at most L9P_MAX_WELEM entries
and that number actually set the maximum we can safely use.
Approved by: so
Security: FreeBSD-SA-22:12.lib9p
PR: 265385
Reviewed by: markj
(cherry picked from commit 2dd83b3f05)
(cherry picked from commit c536045c51)
As in vm_fault_cow(), it's possible, albeit rare, for multiple vm_maps
to share a shadow object. When copying a page from a backing object
into the shadow, all mappings of the source page must therefore be
removed. Otherwise, future operations on the object tree may detect
that the source page is fully shadowed and thus can be freed.
Approved by: so
Security: FreeBSD-SA-22:11.vm
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35635
(cherry picked from commit 5c50e900ad)
(cherry picked from commit 3ea8c7ad90)
Resulting sbuf_len() from proc_getargv() might return 0 if user mangled
ps_strings enough. Also, sbuf_len() API contract is to return -1 if the
buffer overflowed. The later should not occur because get_ps_strings()
checks for catenated length, but check for this subtle detail explicitly
as well to be more resilent.
The end result is that p_comm is used in this situations.
Approved by: so
Security: FreeBSD-SA-22:09.elf
Reported by: Josef 'Jeff' Sipek <jeffpc@josefsipek.net>
Reviewed by: delphij, markj
admbugs: 988
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D35391
(cherry picked from commit 00d17cf342)
(cherry picked from commit 8a44a2c644)
According to pam_exec(8), the `expose_authtok` option should be ignored
when the service function is `pam_sm_setcred`. Currently `pam_exec` only
prevent prompt for anth token when `expose_authtok` is set on
`pam_sm_setcred`. This subsequently led to segfault when there isn't an
existing auth token available.
Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893
After reading https://reviews.freebsd.org/rS349556 I am not sure if the
default behaviour supposed to be simply not prompt for authentication
token, or is it to ignore the option entirely as stated in the man page.
This patch is therefore only adding an additional NULL check on the item
`pam_get_item` provide, and exit with `PAM_SYSTEM_ERR` when such item is
NULL.
Approved by: so
Security: FreeBSD-EN-22:19.pam_exec
MFC after: 1 week
Reviewed by: des, khng
Differential Revision: https://reviews.freebsd.org/D35169
(cherry picked from commit b75e0eed34)
(cherry picked from commit ea80848e1c)
Suppose a periodic kevent timer fires close to its deadline, so that
now - kc->next is small. Then delta ends up being 1, and the next timer
deadline is set to (delta + 1) * kc->to, where kc->to is the timer
period. This means that the timer fires at half of the requested rate,
and the value returned in kn_data is similarly inaccurate.
Approved by: so
Security: FreeBSD-EN-22:16.kqueue
PR: 264131
Fixes: 7cb40543e9 ("filt_timerexpire: do not iterate over the interval")
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 524dadf7a8)
(cherry picked from commit 129112f80d)
While recovery command executed, some other commands from the periph
may complete, that may affect periph_links of this CCB. So restoring
original CCB we must keep current periph_links as more up to date.
I've found this triggering assertions with debug kernel and suspect
some memory corruptions otherwise when spun down disk receives two
or sometimes more concurrent requests.
Approved by: so
Security: FreeBSD-EN22:17.cam
MFC after: 1 week
Sponsored by: iXsystems, Inc.
(cherry picked from commit 404f001161)
(cherry picked from commit 84849cfd1d)
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version
Approved by: re (implicit)
Sponsored by: Rubicon Communications, LLC ("Netgate")
tc_counter_mask is an unsigned int and in the TSC timecounter is equal
to UINT_MAX, so the addition tc->tc_counter_mask + 1 can overflow to 0,
resulting in a hang during boot.
Approved by: re (gjb)
Fixes: c2705ceaeb ("x86: Speed up clock calibration")
Reviewed by: cperciva
Sponsored by: The FreeBSD Foundation
(cherry picked from commit c3196306f0)
(cherry picked from commit 58f49b7da7)
Because the maximum number of endpoint contexts is stored there.
Tested by: ehaupt@
PR: 262882
Approved by: re (gjb, early MFC)
Sponsored by: NVIDIA Networking
(cherry picked from commit 09dd1adfa4)
(cherry picked from commit 6d8c6b24ee)
Only drop BULK and INTERRUPT endpoints, to reset the data toggle,
because for other endpoint types this is not critical.
While at it fix some whitespace.
Tested by: ehaupt@
PR: 262882
Approved by: re (gjb, early MFC)
Sponsored by: NVIDIA Networking
(cherry picked from commit e276d28150)
(cherry picked from commit 610528736f)
Use the drop and enable endpoint context commands to force a reset of
the data toggle for USB 2.0 and USB 3.0 after:
- clear endpoint halt command (when the driver wishes).
- set config command (when the kernel or user-space wants).
- set alternate setting command (only affected endpoints).
Some XHCI HW implementations may not allow the endpoint reset command when
the endpoint context is not in the halted state.
Reported by: Juniper and Gary Jennejohn
Approved by: re (gjb)
Sponsored by: NVIDIA Networking
(cherry picked from commit cda31e7349)
Padding was added to __cxa_exception in 45ca8b19 and
__cxa_dependent_exception needs the same layout.
Add some static_asserts to detect this in the future.
Merge of libcxxrt commit b00c6c564357
(cherry picked from commit c40e434988)
(cherry picked from commit 69a40d9241)
Approved by: re (gjb)
When allocating memory with a kernel memory allocator we may get
memory that will later be promoted to a superpage. If this happens
while another CPU is using the pointer they can race and when the
promotion passes through the break-before-make sequence the pointer
will be invalid for a short length of time.
Revert the commit that added the use of the kernel allocator and
subsequent fixes to the original change.
Revert "Pass the ACPI ID when reading the ACPI domain"
This reverts commit aa3b5d79b2.
Revert "Stop reading the arm64 domain when it's known"
This reverts commit b7c23efd74.
Revert "Allocate arm64 per-CPU data in the correct domain"
This reverts commit f51997c6e4.
Approved by: re (gjb)
Reported by: dch
Sponsored by: The FreeBSD Foundation
When VLAN HW filter is disabled, the NIC does not pass any vlan tagged
traffic. Setting these flags on the device allows vlan tagged traffic to
pass.
Approved by: re (gjb)
PR: 236983
Tested by: pi
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D34824
(cherry picked from commit 0c6a2fa33e)
(cherry picked from commit e54505277c)
This mirrors dmu_read_impl(), zeroing out the tail end of the buffer and
clipping the read to what's contained by the block that exists.
This fixes an issue that arose during the 13.1 release process; in
13.1-RC1 and later, setting up GELI+ZFS will result in a failure to
boot. The culprit is this, which causes us to fail to load geom_eli.ko
as there's a residual portion after the single datablk that should be
zeroed out.
PR: 263407
Reviewed by: tsoome
Approved by: re (gjb)
(cherry picked from commit 914dc91d12)
(cherry picked from commit 0c9c8a4c64)
The time() system call first appeared in Version 1 AT&T UNIX. Through
the Version 3 AT&T UNIX, it returned 60 Hz ticks since an epoch that
changed occasionally, because it was a 32-bit value that overflowed in a
little over 2 years.
In Version 4 AT&T UNIX the granularity of the return value was reduced to
whole seconds, delaying the aforementioned overflow until 2038.
Version 7 AT&T UNIX introduced the ftime() system call, which returned
time at a millisecond level, though retained the gtime() system call
(exposed as time() in userland). time() could have been implemented as a
wrapper around ftime(), but that wasn't done.
4.1cBSD implemented a higher-precision time function gettimeofday() to
replace ftime() and reimplemented time() in terms of that.
Since FreeBSD 9 the implementation of time() uses
clock_gettime(CLOCK_SECOND) instead of gettimeofday() for performance
reasons.
With most valuable input from Warner (imp@).
Reviewed by: 0mp, jilles, imp
Approved by: re (gjb)
Differential Revision: https://reviews.freebsd.org/D34751
(cherry picked from commit 3e0f3678ec)
Insert padding in __cxa_exception struct for compatibility
Similar to https://github.com/llvm/llvm-project/commit/f2a436058fcb, the
addition of __attribute__((__aligned__)) to _Unwind_Exception (in commit
b9616964) causes implicit padding to be inserted before the unwindHeader
field in __cxa_exception.
Applications attempt to get at the earlier fields in __cxa_exception, so
preserve the same negative offsets in __cxa_exception, by moving the
padding to the beginning of the struct.
The assumption here is that if the ABI is not aware of the padding
before unwindHeader and put the referenceCount/primaryException in
there, no padding should exist before unwindHeader.
This should make libreoffice's custom exception handling mechanisms work
correctly, even if it was built against an older cxxabi.h/unwind.h pair.
PR: 263370
Approved by: re (gjb)
MFC after: immediately
(cherry picked from commit 434215c26d)
(cherry picked from commit 06394327dd)
For some reason I can't reproduce this locally, but Jenkins complains.
Approved by: re (gjb)
Reported by: Jenkins
Fixes: bdf290cd3e ("ctf: Add v3 support to CTF tools, ctf{convert,dump,merge}")
(cherry picked from commit 3fe1f21fb3)
(cherry picked from commit fb89cf93a5)
ctfdump handles v2 and v3. ctfconvert now emits only CTFv3, whereas
ctfmerge can merge v2 and v3 containers into v3 containers.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit bdf290cd3e)
(cherry picked from commit e5b54808f7)
In general, the patch adds indirection to minimize the amount of code
that needs to know about differences between v2 and v3. Specifically,
some new ctf_get_ctt_* functions are added, and new LCTF_* macros are
added to use the underlying container's version to do the right thing.
CTF containers can have parent/child relationships, wherein a type ID in
one container refers to a type in the parent. It is permitted for the
parent and child to have different versions.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a6fb869173)
(cherry picked from commit a49aa9da78)
Approved by: re (gjb)
Reviewed by: Domagoj Stolfa
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 8dbae4ce32)
(cherry picked from commit 8409eb0251)
The general aim in this and subsequent patches is to minimize the
amount of code that directly references CTF types such as ctf_type_t,
ctf_array_t, etc. To that end, introduce some routines similar to the
existing fbt_get_ctt_size() (which exists to deal with differences
between v1 and v2) and change ctf_lookup_by_id() to return a void
pointer.
Support for v2 containers is preserved.
Approved by: re (gjb)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit d9175438c0)
(cherry picked from commit 2ecf3b58eb)
These are based on definitions added to binutils' libctf. Specifically:
- Type IDs are now encoded in 32 bits rather than 16, changing the
layout of ctf_type_t, ctf_array_t, ctf_member_t and ctf_lmember_t.
- Type info is encoded in 32 bits rather than 16. The type "kind" is
extended from 5 bits to 6, and the type "vlen" is extended from 10
bits to 25.
The main upside is that we remove the current limit, imposed by CTFv2,
of 2^{15} distinct types in the main kernel executable. Other limits,
such as that on the number of elements in an enum, imposed by the vlen
limit, are also raised.
This change adds v2 and v3 flavours of macros and type definitions which
differ between the two versions. Compatibility is preserved for now by
having generic names refer to the v2 definitions, so, e.g., ctf_type_t
is still a v2 type.
No functional change intended.
Approved by: re (gjb)
Reviewed by: Domagoj Stolfa
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 994297b01b)
(cherry picked from commit 9818e5ebf3)
Use sys/ctf.h to provide various definitions required to parse the CTF
header. No functional change intended.
Approved by: re (gjb)
Reviewed by: Domagoj Stolfa, emaste
Sponsored by: The FreeBSD Foundation
(cherry picked from commit cab9382a2c)
(cherry picked from commit 24597a09b9)
Use it instead of the existing ctf.h from OpenSolaris. This makes it
easier to use CTF in the core kernel, and to extend the CTF format to
support wider type IDs.
The imported ctf.h is modified to depend only on _types.h, and also to
provide macros which use the "parent" bit of a type ID to refer to types
in a parent CTF container.
No functional change intended.
Approved by: re (gjb)
Reviewed by: Domagoj Stolfa, emaste
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 2d5d2a986c)
(cherry picked from commit 3681c4f065)
Note that a console typewriter device /dev/tty
and asynchronous communication interfaces /dev/tty[0-5]
first appeared in Version 1 AT&T UNIX.
Obtained from: OpenBSD
Approved by: re@ (gjb)
(cherry picked from commit b988af5b43)
