MFH r339206-r339212, r339215-r339239

Sponsored by:	The FreeBSD Foundation
Glen Barber 2018-10-08 18:06:40 +00:00
commit fc3f42d80f
32 changed files with 443 additions and 180 deletions


@ -31,6 +31,13 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW:
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
20181006:
The legacy DRM modules and drivers have now been added to the loader's
module blacklist, in favor of loading them with kld_list in rc.conf(5).
The module blacklist may be overridden with the loader.conf(5)
'module_blacklist' variable, but loading them via rc.conf(5) is strongly
encouraged.
20181002:
The cam(4) based nda(4) driver will be used over nvd(4) by default on
powerpc64. You may set 'options NVME_USE_NVD=1' in your kernel conf or


@ -316,7 +316,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
#ifdef HAVE_LOGIN_CAP
if (authctxt->pw != NULL &&
(lc = login_getpwclass(authctxt->pw)) != NULL) {
(lc = PRIVSEP(login_getpwclass(authctxt->pw))) != NULL) {
logit("user %s login class %s", authctxt->pw->pw_name,
authctxt->pw->pw_class);
from_host = auth_get_canonical_hostname(ssh, options.use_dns);
@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct ssh *ssh)
authctxt->pw->pw_name, from_host);
packet_disconnect("Logins not available right now.");
}
login_close(lc);
PRIVSEP(login_close(lc));
}
#endif /* HAVE_LOGIN_CAP */


@ -114,6 +114,7 @@ static struct sshbuf *child_state;
int mm_answer_moduli(int, struct sshbuf *);
int mm_answer_sign(int, struct sshbuf *);
int mm_answer_login_getpwclass(int, struct sshbuf *);
int mm_answer_pwnamallow(int, struct sshbuf *);
int mm_answer_auth2_read_banner(int, struct sshbuf *);
int mm_answer_authserv(int, struct sshbuf *);
@ -189,6 +190,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
#endif
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_GETPWCLASS, MON_AUTH, mm_answer_login_getpwclass},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
@ -707,6 +709,46 @@ mm_answer_sign(int sock, struct sshbuf *m)
return (0);
}
int
mm_answer_login_getpwclass(int sock, struct sshbuf *m)
{
login_cap_t *lc;
struct passwd *pw;
int r;
u_int len;
debug3("%s", __func__);
pw = sshbuf_get_passwd(m);
if (pw == NULL)
fatal("%s: receive get struct passwd failed", __func__);
lc = login_getpwclass(pw);
sshbuf_reset(m);
if (lc == NULL) {
if (r = sshbuf_put_u8(m, 0) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
goto out;
}
if ((r = sshbuf_put_u8(m, 1)) != 0 ||
(r = sshbuf_put_cstring(m, lc->lc_class)) != 0 ||
(r = sshbuf_put_cstring(m, lc->lc_cap)) != 0 ||
(r = sshbuf_put_cstring(m, lc->lc_style)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
login_close(lc);
out:
debug3("%s: sending MONITOR_ANS_GETPWCLASS", __func__);
mm_request_send(sock, MONITOR_ANS_GETPWCLASS, m);
sshbuf_free_passwd(pw);
return (0);
}
/* Retrieves the password entry and also checks if the user is permitted */
int
@ -745,19 +787,8 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
authctxt->pw = pwent;
authctxt->valid = 1;
/* XXX don't sent pwent to unpriv; send fake class/dir/shell too */
if ((r = sshbuf_put_u8(m, 1)) != 0 ||
(r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 ||
(r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 ||
(r = sshbuf_put_cstring(m, "*")) != 0 ||
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
(r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 ||
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
(r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 ||
#endif
(r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 ||
(r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0)
(r = sshbuf_put_passwd(m, pwent)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
out:
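Review bot: In mm_answer_login_getpwclass the NULL-class branch has `if (r = sshbuf_put_u8(m, 0) != 0)`, which assigns the result of the comparison to r, so the fatal() under it would print ssh_err(1) rather than the real error; it should read `if ((r = sshbuf_put_u8(m, 0)) != 0)`. The handler also resolves the login class from a struct passwd deserialised out of the unprivileged child's message, so the class the monitor looks up is chosen by the sandboxed side; using the monitor's own `authctxt->pw` (set in mm_answer_pwnamallow) would keep that input on the trusted side. The dispatch entry uses MON_AUTH where the neighbouring lookups use MON_ONCE, and it is worth confirming that a handler returning 0 under that flag is not logged or counted as a failed authentication attempt. `u_int len` is declared but never used.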


@ -53,7 +53,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
MONITOR_REQ_TERM = 50,
MONITOR_REQ_GETPWCLASS = 50, MONITOR_ANS_GETPWCLASS = 51,
MONITOR_REQ_TERM = 52,
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
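Review bot: Inserting the new pair at 50/51 moves MONITOR_REQ_TERM from 50 to 52, so this addition renumbers an existing request. Both ends are built from the same header, so nothing breaks between monitor and child. Taking an unused pair outside the contiguous range, as the PAM requests at 100 and up do, would leave the existing values untouched and keep the change to this table to one added line.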


@ -247,6 +247,57 @@ mm_sshkey_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
return (0);
}
login_cap_t *
mm_login_getpwclass(const struct passwd *pwent)
{
int r;
struct sshbuf *m;
char rc;
login_cap_t *lc;
debug3("%s entering", __func__);
if ((m = sshbuf_new()) == NULL)
fatal("%s: sshbuf_new failed", __func__);
if ((r = sshbuf_put_passwd(m, pwent)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GETPWCLASS, m);
debug3("%s: waiting for MONITOR_ANS_GETPWCLASS", __func__);
mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GETPWCLASS, m);
if ((r = sshbuf_get_u8(m, &rc)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (rc == 0) {
lc = NULL;
goto out;
}
lc = xmalloc(sizeof(*lc));
if ((r = sshbuf_get_cstring(m, &lc->lc_class, NULL)) != 0 ||
(r = sshbuf_get_cstring(m, &lc->lc_cap, NULL)) != 0 ||
(r = sshbuf_get_cstring(m, &lc->lc_style, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
out:
sshbuf_free(m);
return (lc);
}
void
mm_login_close(login_cap_t *lc)
{
if (lc == NULL)
return;
free(lc->lc_style);
free(lc->lc_class);
free(lc->lc_cap);
free(lc);
}
struct passwd *
mm_getpwnamallow(const char *username)
{
@ -279,25 +330,9 @@ mm_getpwnamallow(const char *username)
goto out;
}
/* XXX don't like passing struct passwd like this */
pw = xcalloc(sizeof(*pw), 1);
if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
if (len != sizeof(*pw))
fatal("%s: struct passwd size mismatch", __func__);
memcpy(pw, p, sizeof(*pw));
if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 ||
(r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 ||
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
(r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 ||
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
(r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 ||
#endif
(r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 ||
(r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
pw = sshbuf_get_passwd(m);
if (pw == NULL)
fatal("%s: receive get struct passwd failed", __func__);
out:
/* copy options block as a Match directive may have changed some */
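Review bot: mm_login_getpwclass declares `char rc` and passes `&rc` to sshbuf_get_u8, which stores through a `u_char *`; declaring it `u_char rc;` removes the pointer-sign mismatch. `lc` comes from xmalloc and only lc_class, lc_cap and lc_style are filled in, so any other member of login_cap_t would be left uninitialised; `lc = xcalloc(1, sizeof(*lc));` matches how sshbuf_get_passwd allocates. The reply cannot distinguish a NULL string from an empty one, so a NULL lc_style on the monitor side, if that can occur, reaches the child as "". A short comment on mm_login_getpwclass saying that its result must be released with mm_login_close, never login_close, would help callers.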


@ -28,6 +28,8 @@
#ifndef _MM_WRAP_H_
#define _MM_WRAP_H_
#include <login_cap.h>
extern int use_privsep;
#define PRIVSEP(x) (use_privsep ? mm_##x : x)
@ -45,6 +47,8 @@ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
login_cap_t *mm_login_getpwclass(const struct passwd *pwd);
void mm_login_close(login_cap_t *lc);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *,
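Review bot: `#include <login_cap.h>` and the two mm_login_* prototypes are added unconditionally, while the callers shown elsewhere in this commit sit under `#ifdef HAVE_LOGIN_CAP`. Wrapping the include and both prototypes in the same guard would keep this header usable in a configuration that lacks login_cap.h. The same applies to the definitions in the monitor and monitor_wrap sources.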


@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <capsicum_helpers.h>
#include "log.h"
#include "monitor.h"
@ -71,6 +72,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
struct rlimit rl_zero;
cap_rights_t rights;
caph_cache_tzdata();
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
if (setrlimit(RLIMIT_FSIZE, &rl_zero) == -1)


@ -25,6 +25,7 @@
#include <stdio.h>
#include <string.h>
#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
@ -462,3 +463,95 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
}
return 0;
}
/*
* store struct pwd
*/
int
sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent)
{
int r;
/*
* We never send pointer values of struct passwd.
* It is safe from wild pointer even if a new pointer member is added.
*/
if ((r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0) ||
(r = sshbuf_put_cstring(buf, pwent->pw_name)) != 0 ||
(r = sshbuf_put_cstring(buf, "*")) != 0 ||
(r = sshbuf_put_u32(buf, pwent->pw_uid)) != 0 ||
(r = sshbuf_put_u32(buf, pwent->pw_gid)) != 0 ||
(r = sshbuf_put_u64(buf, pwent->pw_change)) != 0 ||
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
(r = sshbuf_put_cstring(buf, pwent->pw_gecos)) != 0 ||
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
(r = sshbuf_put_cstring(buf, pwent->pw_class)) != 0 ||
#endif
(r = sshbuf_put_cstring(buf, pwent->pw_dir)) != 0 ||
(r = sshbuf_put_cstring(buf, pwent->pw_shell)) != 0 ||
(r = sshbuf_put_u64(buf, pwent->pw_expire)) != 0 ||
(r = sshbuf_put_u32(buf, pwent->pw_fields)) != 0) {
return r;
}
return 0;
}
/*
* extract struct pwd
*/
struct passwd *
sshbuf_get_passwd(struct sshbuf *buf)
{
struct passwd *pw;
int r;
size_t len;
/* check if size of struct passwd is as same as sender's size */
r = sshbuf_get_u64(buf, &len);
if (r != 0 || len != sizeof(*pw))
return NULL;
pw = xcalloc(1, sizeof(*pw));
if (sshbuf_get_cstring(buf, &pw->pw_name, NULL) != 0 ||
sshbuf_get_cstring(buf, &pw->pw_passwd, NULL) != 0 ||
sshbuf_get_u32(buf, &pw->pw_uid) != 0 ||
sshbuf_get_u32(buf, &pw->pw_gid) != 0 ||
sshbuf_get_u64(buf, &pw->pw_change) != 0 ||
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
sshbuf_get_cstring(buf, &pw->pw_gecos, NULL) != 0 ||
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
sshbuf_get_cstring(buf, &pw->pw_class, NULL) != 0 ||
#endif
sshbuf_get_cstring(buf, &pw->pw_dir, NULL) != 0 ||
sshbuf_get_cstring(buf, &pw->pw_shell, NULL) != 0 ||
sshbuf_get_u64(buf, &pw->pw_expire) != 0 ||
sshbuf_get_u32(buf, &pw->pw_fields) != 0) {
sshbuf_free_passwd(pw);
return NULL;
}
return pw;
}
/*
* free struct passwd obtained from sshbuf_get_passwd.
*/
void
sshbuf_free_passwd(struct passwd *pwent)
{
if (pwent == NULL)
return;
free(pwent->pw_shell);
free(pwent->pw_dir);
#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
free(pwent->pw_class);
#endif
#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
free(pwent->pw_gecos);
#endif
free(pwent->pw_passwd);
free(pwent->pw_name);
free(pwent);
}
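Review bot: sshbuf_get_passwd stores fixed-width wire values straight into differently typed objects: `sshbuf_get_u64(buf, &len)` with `size_t len`, and `sshbuf_get_u64(buf, &pw->pw_change)` / `&pw->pw_expire` with time_t members. On a platform where size_t or time_t is 32 bits, each of those calls would write eight bytes into a four-byte object, so the decode should go through u_int64_t/u_int32_t temporaries and assign afterwards, as sketched below. In sshbuf_put_passwd the first term is `(r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0)`, which sets r to 1 instead of the error code; the parenthesis belongs after the call, `(r = sshbuf_put_u64(buf, sizeof(*pwent))) != 0`. The header comments say only "struct pwd"; they could state that pw_passwd is always sent as "*" and that the result must be freed with sshbuf_free_passwd.

```c
struct passwd *
sshbuf_get_passwd(struct sshbuf *buf)
{
	struct passwd *pw;
	u_int64_t len, change, expire;
	u_int32_t uid, gid, fields;

	if (sshbuf_get_u64(buf, &len) != 0 || len != sizeof(*pw))
		return NULL;
	pw = xcalloc(1, sizeof(*pw));
	if (/* … unchanged: pw_name, pw_passwd … */
	    sshbuf_get_u32(buf, &uid) != 0 ||
	    sshbuf_get_u32(buf, &gid) != 0 ||
	    sshbuf_get_u64(buf, &change) != 0 ||
	    /* … unchanged: pw_gecos, pw_class, pw_dir, pw_shell … */
	    sshbuf_get_u64(buf, &expire) != 0 ||
	    sshbuf_get_u32(buf, &fields) != 0) {
		sshbuf_free_passwd(pw);
		return NULL;
	}
	pw->pw_uid = uid;
	pw->pw_gid = gid;
	pw->pw_change = (time_t)change;
	pw->pw_expire = (time_t)expire;
	pw->pw_fields = (int)fields;
	return pw;
}
```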


@ -21,6 +21,7 @@
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <pwd.h>
#ifdef WITH_OPENSSL
# include <openssl/bn.h>
# ifdef OPENSSL_HAS_ECC
@ -246,6 +247,21 @@ int sshbuf_b64tod(struct sshbuf *buf, const char *b64);
*/
char *sshbuf_dup_string(struct sshbuf *buf);
/*
* store struct pwd
*/
int sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent);
/*
* extract struct pwd
*/
struct passwd *sshbuf_get_passwd(struct sshbuf *buf);
/*
* free struct passwd obtained from sshbuf_get_passwd.
*/
void sshbuf_free_passwd(struct passwd *pwent);
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
(((u_int64_t)(((const u_char *)(p))[0]) << 56) | \


@ -2143,6 +2143,11 @@ main(int ac, char **av)
*/
remote_ip = ssh_remote_ipaddr(ssh);
#ifdef HAVE_LOGIN_CAP
/* Also caches remote hostname for sandboxed child. */
auth_get_canonical_hostname(ssh, options.use_dns);
#endif
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif


@ -31,7 +31,7 @@
#include <machine/asm.h>
__FBSDID("$FreeBSD$");
.macro MEMSET bzero
.macro MEMSET bzero erms
.if \bzero == 1
movq %rsi,%rcx
movq %rsi,%rdx
@ -43,21 +43,75 @@ __FBSDID("$FreeBSD$");
movabs $0x0101010101010101,%rax
imulq %r8,%rax
.endif
cmpq $15,%rcx
jbe 1f
shrq $3,%rcx
rep
stosq
movq %rdx,%rcx
andq $7,%rcx
jne 1f
cmpq $32,%rcx
jb 1016f
cmpq $256,%rcx
ja 1256f
1032:
movq %rax,(%rdi)
movq %rax,8(%rdi)
movq %rax,16(%rdi)
movq %rax,24(%rdi)
leaq 32(%rdi),%rdi
subq $32,%rcx
cmpq $32,%rcx
jae 1032b
cmpb $0,%cl
je 1000f
1016:
cmpb $16,%cl
jl 1008f
movq %rax,(%rdi)
movq %rax,8(%rdi)
subb $16,%cl
jz 1000f
leaq 16(%rdi),%rdi
1008:
cmpb $8,%cl
jl 1004f
movq %rax,(%rdi)
subb $8,%cl
jz 1000f
leaq 8(%rdi),%rdi
1004:
cmpb $4,%cl
jl 1002f
movl %eax,(%rdi)
subb $4,%cl
jz 1000f
leaq 4(%rdi),%rdi
1002:
cmpb $2,%cl
jl 1001f
movw %ax,(%rdi)
subb $2,%cl
jz 1000f
leaq 2(%rdi),%rdi
1001:
cmpb $1,%cl
jl 1000f
movb %al,(%rdi)
1000:
.if \bzero == 0
movq %r9,%rax
.endif
ret
1:
1256:
.if \erms == 1
rep
stosb
.else
shrq $3,%rcx
rep
stosq
movq %rdx,%rcx
andb $7,%cl
jne 1004b
.endif
.if \bzero == 0
movq %r9,%rax
.endif
@ -66,11 +120,11 @@ __FBSDID("$FreeBSD$");
#ifndef BZERO
ENTRY(memset)
MEMSET bzero=0
MEMSET bzero=0 erms=0
END(memset)
#else
ENTRY(bzero)
MEMSET bzero=1
MEMSET bzero=1 erms=0
END(bzero)
#endif


@ -163,7 +163,7 @@ firewall_simple_onet="192.0.2.0/28" # Outside network address for "simple"
# firewall.
#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
# for "simple" firewall.
firewall_myservices="" # List of TCP ports on which this host
firewall_myservices="" # List of ports/protocols on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"


@ -97,6 +97,7 @@ efi_max_resolution="1x1" # Set the max resolution for EFI loader to use:
#console="vidconsole" # A comma separated list of console(s)
#currdev="disk1s1a" # Set the current device
module_path="/boot/modules;/boot/dtb;/boot/dtb/overlays" # Set the module search path
module_blacklist="drm drm2 radeonkms i915kms amdgpu" # Loader module blacklist
#prompt="\\${interpret}" # Set the command prompt
#root_disk_unit="0" # Force the root disk unit number
#rootdev="disk1s1a" # Set the root filesystem


@ -23,7 +23,7 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.Dd August 28, 2018
.Dd October 6, 2018
.Dt LOADER.CONF 5
.Os
.Sh NAME
@ -147,6 +147,15 @@ If a password is set, the user must provide specified password to boot.
If set to
.Dq YES ,
module names will be displayed as they are loaded.
.It Ar module_blacklist
Blacklist of modules.
Modules specified in the blacklist may not be loaded automatically with a
.Ar *_load
directive, but they may be loaded directly at the
.Xr loader 8
prompt.
Blacklisted modules may still be loaded indirectly as dependencies of other
moduled.
.It Ar *_load
If set to
.Dq YES ,


@ -54,6 +54,7 @@ local MSG_XENKERNFAIL = "Failed to load Xen kernel '%s'"
local MSG_XENKERNLOADING = "Loading Xen kernel..."
local MSG_KERNLOADING = "Loading kernel..."
local MSG_MODLOADING = "Loading configured modules..."
local MSG_MODBLACKLIST = "Not loading blacklisted module '%s'"
local MSG_MODLOADFAIL = "Could not load one or more modules!"
local MODULEEXPR = '([%w-_]+)'
@ -265,20 +266,37 @@ local function isValidComment(line)
return true
end
local function getBlacklist()
local blacklist_str = loader.getenv('module_blacklist')
if blacklist_str == nil then
return nil
end
local blacklist = {}
for mod in blacklist_str:gmatch("[;, ]?([%w-_]+)[;, ]?") do
blacklist[mod] = true
end
return blacklist
end
local function loadModule(mod, silent)
local status = true
local blacklist = getBlacklist()
local pstatus
for k, v in pairs(mod) do
if v.load ~= nil and v.load:lower() == "yes" then
local module_name = v.name or k
if blacklist[module_name] ~= nil then
if not silent then
print(MSG_MODBLACKLIST:format(module_name))
end
goto continue
end
local str = "load "
if v.type ~= nil then
str = str .. "-t " .. v.type .. " "
end
if v.name ~= nil then
str = str .. v.name
else
str = str .. k
end
str = str .. module_name
if v.flags ~= nil then
str = str .. " " .. v.flags
end
@ -309,6 +327,7 @@ local function loadModule(mod, silent)
end
end
::continue::
end
return status
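Review bot: getBlacklist returns nil when `module_blacklist` is not set in the environment, but loadModule indexes the result unconditionally in `if blacklist[module_name] ~= nil then`, so an unset variable would raise an "attempt to index a nil value" error on the first module marked for loading. Returning an empty table from the early exit, `return {}`, keeps the lookup valid and means "nothing is blacklisted". loadModule's body continues outside the hunks shown, so the `goto continue` path should be checked against the code between the two hunks.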


@ -34,6 +34,10 @@ local hook = require("hook")
local core = {}
local default_safe_mode = false
local default_single_user = false
local default_verbose = false
local function composeLoaderCmd(cmd_name, argstr)
if argstr ~= nil then
cmd_name = cmd_name .. " " .. argstr
@ -41,6 +45,26 @@ local function composeLoaderCmd(cmd_name, argstr)
return cmd_name
end
local function recordDefaults()
-- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386,
-- it will generally be set upon execution of the kernel. Because of
-- this, we can't (or don't really want to) detect/disable ACPI on !i386
-- reliably. Just set it enabled if we detect it and leave well enough
-- alone if we don't.
local boot_acpi = core.isSystem386() and core.getACPIPresent(false)
local boot_single = loader.getenv("boot_single") or "no"
local boot_verbose = loader.getenv("boot_verbose") or "no"
default_single_user = boot_single:lower() ~= "no"
default_verbose = boot_verbose:lower() ~= "no"
if boot_acpi then
core.setACPI(true)
end
core.setSingleUser(default_single_user)
core.setVerbose(default_verbose)
end
-- Globals
-- try_include will return the loaded module on success, or nil on failure.
-- A message will also be printed on failure, with one exception: non-verbose
@ -268,9 +292,9 @@ end
function core.setDefaults()
core.setACPI(core.getACPIPresent(true))
core.setSafeMode(false)
core.setSingleUser(false)
core.setVerbose(false)
core.setSafeMode(default_safe_mode)
core.setSingleUser(default_single_user)
core.setVerbose(default_verbose)
end
function core.autoboot(argstr)
@ -367,13 +391,6 @@ function core.popFrontTable(tbl)
return first_value, new_tbl
end
-- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386, it will
-- generally be set upon execution of the kernel. Because of this, we can't (or
-- don't really want to) detect/disable ACPI on !i386 reliably. Just set it
-- enabled if we detect it and leave well enough alone if we don't.
if core.isSystem386() and core.getACPIPresent(false) then
core.setACPI(true)
end
recordDefaults()
hook.register("config.reloaded", core.clearCachedKernels)
return core


@ -52,7 +52,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options EFIRT # EFI Runtime Services support


@ -7,7 +7,6 @@ include MINIMAL
ident GENERIC-MMCCAM
# Access GPT-formatted and labeled root volume
options GEOM_PART_GPT
options GEOM_LABEL
# UART -- for bhyve console


@ -50,7 +50,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD32 # Incomplete, but used by cloudabi32.ko.


@ -2964,6 +2964,8 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, size_t psize,
{
vdev_t *vd;
vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva));
if (vd->vdev_ops == &vdev_indirect_ops) {
/*
* The indirect vdev can point to multiple
@ -2974,6 +2976,7 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, size_t psize,
*/
return (B_TRUE);
}
if (DVA_GET_GANG(dva)) {
/*
* Gang members may be spread across multiple
@ -2986,8 +2989,6 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, size_t psize,
return (B_TRUE);
}
vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva));
/*
* Check if the txg falls within the range which must be
* resilvered. DVAs outside this range can always be skipped.


@ -1804,13 +1804,11 @@ em_if_update_admin_status(if_ctx_t ctx)
}
iflib_link_state_change(ctx, LINK_STATE_UP,
IF_Mbps(adapter->link_speed));
printf("Link state changed to up\n");
} else if (!link_check && (adapter->link_active == 1)) {
adapter->link_speed = 0;
adapter->link_duplex = 0;
adapter->link_active = 0;
iflib_link_state_change(ctx, LINK_STATE_DOWN, 0);
printf("Link state changed to down\n");
}
em_update_stats_counters(adapter);


@ -152,7 +152,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi, u32 *cmd_type_len, u32 *
u32 vlan_macip_lens, type_tucmd_mlhl;
u32 mss_l4len_idx;
mss_l4len_idx = vlan_macip_lens = type_tucmd_mlhl = 0;
int offload = TRUE;
/* First check if TSO is to be used */
if (pi->ipi_csum_flags & CSUM_TSO)
@ -186,7 +185,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi, u32 *cmd_type_len, u32 *
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV6;
break;
default:
offload = FALSE;
break;
}
@ -195,25 +193,27 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi, u32 *cmd_type_len, u32 *
switch (pi->ipi_ipproto) {
case IPPROTO_TCP:
if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP))
if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_TCP;
*olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
}
break;
case IPPROTO_UDP:
if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP))
if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_UDP;
*olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
}
break;
case IPPROTO_SCTP:
if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP))
if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_SCTP;
*olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
}
break;
default:
offload = FALSE;
break;
}
if (offload) /* For the TX descriptor setup */
*olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
/* 82575 needs the queue index added */
if (adapter->hw.mac.type == e1000_82575)
mss_l4len_idx = txr->me << 4;


@ -905,28 +905,6 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv *priv,
priv->flags &= ~MLX4_EN_FLAG_MC_PROMISC;
}
/* Update unicast list */
mlx4_en_cache_uclist(dev);
update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list);
list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) {
if (addr_list->action == MLX4_ADDR_LIST_REM) {
mlx4_en_uc_steer_release(priv, addr_list->addr,
priv->rss_map.indir_qp.qpn,
addr_list->reg_id);
/* remove from list */
list_del(&addr_list->list);
kfree(addr_list);
} else if (addr_list->action == MLX4_ADDR_LIST_ADD) {
err = mlx4_en_uc_steer_add(priv, addr_list->addr,
&priv->rss_map.indir_qp.qpn,
&addr_list->reg_id);
if (err)
en_err(priv, "Fail to add unicast address\n");
}
}
err = mlx4_SET_MCAST_FLTR(mdev->dev, priv->port, 0,
0, MLX4_MCAST_DISABLE);
if (err)
@ -996,6 +974,36 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv *priv,
}
}
static void mlx4_en_do_unicast(struct mlx4_en_priv *priv,
struct net_device *dev,
struct mlx4_en_dev *mdev)
{
struct mlx4_en_addr_list *addr_list, *tmp;
int err;
/* Update unicast list */
mlx4_en_cache_uclist(dev);
update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list);
list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) {
if (addr_list->action == MLX4_ADDR_LIST_REM) {
mlx4_en_uc_steer_release(priv, addr_list->addr,
priv->rss_map.indir_qp.qpn,
addr_list->reg_id);
/* remove from list */
list_del(&addr_list->list);
kfree(addr_list);
} else if (addr_list->action == MLX4_ADDR_LIST_ADD) {
err = mlx4_en_uc_steer_add(priv, addr_list->addr,
&priv->rss_map.indir_qp.qpn,
&addr_list->reg_id);
if (err)
en_err(priv, "Fail to add unicast address\n");
}
}
}
static void mlx4_en_do_set_rx_mode(struct work_struct *work)
{
struct mlx4_en_priv *priv = container_of(work, struct mlx4_en_priv,
@ -1026,17 +1034,19 @@ static void mlx4_en_do_set_rx_mode(struct work_struct *work)
}
}
/* Set unicast rules */
mlx4_en_do_unicast(priv, dev, mdev);
/* Promsicuous mode: disable all filters */
if ((dev->if_flags & IFF_PROMISC) ||
(priv->flags & MLX4_EN_FLAG_FORCE_PROMISC)) {
mlx4_en_set_promisc_mode(priv, mdev);
goto out;
} else if (priv->flags & MLX4_EN_FLAG_PROMISC) {
/* Not in promiscuous mode */
mlx4_en_clear_promisc_mode(priv, mdev);
}
/* Not in promiscuous mode */
if (priv->flags & MLX4_EN_FLAG_PROMISC)
mlx4_en_clear_promisc_mode(priv, mdev);
/* Set multicast rules */
mlx4_en_do_multicast(priv, dev, mdev);
out:
mutex_unlock(&mdev->state_lock);


@ -51,7 +51,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD4 # Compatible with FreeBSD4


@ -1393,11 +1393,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
* there is a duplicate on a jail with more than one
* IP stop checking and return error.
*/
tppr = ppr;
#ifdef VIMAGE
for (; tppr != &prison0; tppr = tppr->pr_parent)
for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
#else
tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||
@ -1460,11 +1461,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags)
}
}
/* Check for conflicting IP addresses. */
tppr = ppr;
#ifdef VIMAGE
for (; tppr != &prison0; tppr = tppr->pr_parent)
for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
#else
tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||


@ -262,11 +262,12 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct route *ro, int flags,
ip->ip_v = IPVERSION;
ip->ip_hl = hlen >> 2;
ip_fillid(ip);
IPSTAT_INC(ips_localout);
} else {
/* Header already set, fetch hlen from there */
hlen = ip->ip_hl << 2;
}
if ((flags & IP_FORWARDING) == 0)
IPSTAT_INC(ips_localout);
/*
* dst/gw handling:


@ -4983,7 +4983,6 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
struct sctp_paramhdr *phdr, params;
struct mbuf *mat, *op_err;
char tempbuf[SCTP_PARAM_BUFFER_SIZE];
int at, limit, pad_needed;
uint16_t ptype, plen, padded_size;
int err_at;
@ -5123,15 +5122,13 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
l_len = SCTP_MIN_V4_OVERHEAD;
#endif
l_len += sizeof(struct sctp_chunkhdr);
l_len += plen;
l_len += sizeof(struct sctp_paramhdr);
l_len += sizeof(struct sctp_gen_error_cause);
op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
if (op_err) {
SCTP_BUF_LEN(op_err) = 0;
/*
* pre-reserve space for ip
* and sctp header and
* chunk hdr
* Pre-reserve space for IP,
* SCTP, and chunk header.
*/
#ifdef INET6
SCTP_BUF_RESV_UF(op_err, sizeof(struct ip6_hdr));
@ -5144,7 +5141,7 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
}
if (op_err) {
/* If we have space */
struct sctp_paramhdr s;
struct sctp_gen_error_cause cause;
if (err_at % 4) {
uint32_t cpthis = 0;
@ -5153,26 +5150,15 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
m_copyback(op_err, err_at, pad_needed, (caddr_t)&cpthis);
err_at += pad_needed;
}
s.param_type = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
s.param_length = htons(sizeof(s) + plen);
m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
err_at += sizeof(s);
if (plen > sizeof(tempbuf)) {
plen = sizeof(tempbuf);
}
phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, plen);
if (phdr == NULL) {
cause.code = htons(SCTP_CAUSE_UNRESOLVABLE_ADDR);
cause.length = htons((uint16_t)(sizeof(struct sctp_gen_error_cause) + plen));
m_copyback(op_err, err_at, sizeof(struct sctp_gen_error_cause), (caddr_t)&cause);
err_at += sizeof(struct sctp_gen_error_cause);
SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
if (SCTP_BUF_NEXT(op_err) == NULL) {
sctp_m_freem(op_err);
/*
* we are out of memory but
* we still need to have a
* look at what to do (the
* system is in trouble
* though).
*/
return (NULL);
}
m_copyback(op_err, err_at, plen, (caddr_t)phdr);
}
return (op_err);
break;
@ -5196,7 +5182,6 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
l_len = SCTP_MIN_V4_OVERHEAD;
#endif
l_len += sizeof(struct sctp_chunkhdr);
l_len += plen;
l_len += sizeof(struct sctp_paramhdr);
op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
if (op_err) {
@ -5222,14 +5207,11 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
err_at += pad_needed;
}
s.param_type = htons(SCTP_UNRECOG_PARAM);
s.param_length = htons(sizeof(s) + plen);
m_copyback(op_err, err_at, sizeof(s), (caddr_t)&s);
err_at += sizeof(s);
if (plen > sizeof(tempbuf)) {
plen = sizeof(tempbuf);
}
phdr = sctp_get_next_param(mat, at, (struct sctp_paramhdr *)tempbuf, plen);
if (phdr == NULL) {
s.param_length = htons((uint16_t)sizeof(struct sctp_paramhdr) + plen);
m_copyback(op_err, err_at, sizeof(struct sctp_paramhdr), (caddr_t)&s);
err_at += sizeof(struct sctp_paramhdr);
SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);
if (SCTP_BUF_NEXT(op_err) == NULL) {
sctp_m_freem(op_err);
/*
* we are out of memory but
@ -5241,7 +5223,6 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_initpkt,
op_err = NULL;
goto more_processing;
}
m_copyback(op_err, err_at, plen, (caddr_t)phdr);
err_at += plen;
}
}
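Review bot: In the unrecognized-parameter branch the copied parameter is attached with `SCTP_BUF_NEXT(op_err) = SCTP_M_COPYM(mat, at, plen, M_NOWAIT);` and err_at is then advanced by plen. The surrounding loop is outside the hunk, but if this branch can run again for a later parameter while op_err is already populated, the assignment would replace the chain attached by the earlier iteration instead of appending to it; linking the copy at the tail of the chain would avoid dropping the earlier data. plen is taken from the received packet, and the two length computations differ: the first hunk casts the whole sum, `(uint16_t)(sizeof(struct sctp_gen_error_cause) + plen)`, while here only sizeof is cast, `(uint16_t)sizeof(struct sctp_paramhdr) + plen`. Using the first form in both places, with a check that the sum fits in 16 bits, would make the truncation explicit.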


@ -41,6 +41,7 @@ options INET6 #IPv6 communications protocols
options IPSEC # IP (v4/v6) security
options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
options SCTP #Stream Control Transmission Protocol
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support


@ -40,6 +40,7 @@ options VIMAGE # Subsystem virtualization, e.g. VNET
options INET #InterNETworking
options INET6 #IPv6 communications protocols
options TCP_HHOOK # hhook(9) framework for TCP
options TCP_RFC7413 # TCP Fast Open
options SCTP #Stream Control Transmission Protocol
options FFS #Berkeley Fast Filesystem
options SOFTUPDATES #Enable FFS soft updates support


@ -95,8 +95,6 @@ static int opalpci_route_interrupt(device_t bus, device_t dev, int pin);
*/
static void opalpic_pic_enable(device_t dev, u_int irq, u_int vector);
static void opalpic_pic_eoi(device_t dev, u_int irq);
static void opalpic_pic_mask(device_t dev, u_int irq);
static void opalpic_pic_unmask(device_t dev, u_int irq);
/*
* Commands
@ -143,8 +141,6 @@ static device_method_t opalpci_methods[] = {
/* PIC interface for MSIs */
DEVMETHOD(pic_enable, opalpic_pic_enable),
DEVMETHOD(pic_eoi, opalpic_pic_eoi),
DEVMETHOD(pic_mask, opalpic_pic_mask),
DEVMETHOD(pic_unmask, opalpic_pic_unmask),
DEVMETHOD_END
};
@ -650,7 +646,10 @@ opalpci_map_msi(device_t dev, device_t child, int irq, uint64_t *addr,
static void
opalpic_pic_enable(device_t dev, u_int irq, u_int vector)
{
struct opalpci_softc *sc = device_get_softc(dev);
PIC_ENABLE(root_pic, irq, vector);
opal_call(OPAL_PCI_MSI_EOI, sc->phb_id, irq);
}
static void opalpic_pic_eoi(device_t dev, u_int irq)
@ -662,21 +661,3 @@ static void opalpic_pic_eoi(device_t dev, u_int irq)
PIC_EOI(root_pic, irq);
}
static void opalpic_pic_mask(device_t dev, u_int irq)
{
PIC_MASK(root_pic, irq);
}
static void opalpic_pic_unmask(device_t dev, u_int irq)
{
struct opalpci_softc *sc;
sc = device_get_softc(dev);
PIC_UNMASK(root_pic, irq);
opal_call(OPAL_PCI_MSI_EOI, sc->phb_id, irq);
}


@ -381,17 +381,9 @@ xicp_dispatch(device_t dev, struct trapframe *tf)
}
xirr &= 0x00ffffff;
if (xirr == 0) { /* No more pending interrupts? */
if (regs)
bus_write_1(regs, 4, 0xff);
#ifdef POWERNV
else if (sc->xics_emu)
opal_call(OPAL_INT_SET_CPPR, 0xff);
#endif
else
phyp_hcall(H_CPPR, (uint64_t)0xff);
if (xirr == 0) /* No more pending interrupts? */
break;
}
if (xirr == XICP_IPI) { /* Magic number for IPIs */
xirr = MAX_XICP_IRQS; /* Map to FreeBSD magic */
@ -471,7 +463,7 @@ xicp_eoi(device_t dev, u_int irq)
if (irq == MAX_XICP_IRQS) /* Remap IPI interrupt to internal value */
irq = XICP_IPI;
xirr = irq | (XICP_PRIORITY << 24);
xirr = irq | (0xff << 24);
#ifdef POWERNV
if (mfmsr() & PSL_HV) {
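Review bot: `xirr = irq | (0xff << 24);` in xicp_eoi replaces the named XICP_PRIORITY with a bare literal, and `0xff << 24` shifts a signed int into its sign bit. Writing it as `xirr = irq | (0xffU << 24);` avoids the signed shift. A one-line comment saying why the EOI now uses 0xff instead of XICP_PRIORITY would record the intent, since the explicit 0xff CPPR writes were removed from xicp_dispatch in the same section. xicp_eoi's body continues outside the hunk.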


@ -461,6 +461,10 @@ static struct syscall decoded_syscalls[] = {
{ .name = "setsockopt", .ret_type = 1, .nargs = 5,
.args = { { Int, 0 }, { Sockoptlevel, 1 }, { Sockoptname, 2 },
{ Ptr | IN, 3 }, { Socklent, 4 } } },
{ .name = "shm_open", .ret_type = 1, .nargs = 3,
.args = { { Name | IN, 0 }, { Open, 1 }, { Octal, 2 } } },
{ .name = "shm_unlink", .ret_type = 1, .nargs = 1,
.args = { { Name | IN, 0 } } },
{ .name = "shutdown", .ret_type = 1, .nargs = 2,
.args = { { Int, 0 }, { Shutdown, 1 } } },
{ .name = "sigaction", .ret_type = 1, .nargs = 3,