Commit Graph

250167 Commits

Author SHA1 Message Date
kp
00ad8fadf0 pf tests: Basic ioctl validation for DIOCIGETIFACES and DIOCXCOMMIT
Validate the DIOCIGETIFACES and DIOCXCOMMIT ioctls with invalid values.

MFC after:	1 week
2018-04-06 19:21:29 +00:00
kp
dab34860eb pf: Improve ioctl validation for DIOCIGETIFACES and DIOCXCOMMIT
These ioctls can process a number of items at a time, which puts us at
risk of overflow in mallocarray() and of impossibly large allocations
even if we don't overflow.

There's no obvious limit to the request size for these, so we limit the
requests to something which won't overflow. Change the memory allocation
to M_NOWAIT so excessive requests will fail rather than stall forever.

MFC after:	1 week
2018-04-06 19:20:45 +00:00
brooks
5f7443b68d Add an unused _COMPAT_LINUX32 option to ensure opt_compat.h exists on
platforms without COMPAT_LINUX32.

Reported by:	kib
2018-04-06 19:11:22 +00:00
brooks
9d79658aab Move most of the contents of opt_compat.h to opt_global.h.
opt_compat.h is mentioned in nearly 180 files. In-progress network
driver compabibility improvements may add over 100 more so this is
closer to "just about everywhere" than "only some files" per the
guidance in sys/conf/options.

Keep COMPAT_LINUX32 in opt_compat.h as it is confined to a subset of
sys/compat/linux/*.c.  A fake _COMPAT_LINUX option ensure opt_compat.h
is created on all architectures.

Move COMPAT_LINUXKPI to opt_dontuse.h as it is only used to control the
set of compiled files.

Reviewed by:	kib, cem, jhb, jtl
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14941
2018-04-06 17:35:35 +00:00
brooks
d99229a822 Support -DNO_CLEAN builds across r332119. 2018-04-06 17:23:47 +00:00
jtl
c40b31d1bf If a user closes the socket before we call tcp_usr_abort(), then
tcp_drop() may unlock the INP.  Currently, tcp_usr_abort() does not
check for this case, which results in a panic while trying to unlock
the already-unlocked INP (not to mention, a use-after-free violation).

Make tcp_usr_abort() check the return value of tcp_drop(). In the case
where tcp_drop() returns NULL, tcp_usr_abort() can skip further steps
to abort the connection and simply unlock the INP_INFO lock prior to
returning.

Reviewed by:	glebius
MFC after:	2 weeks
Sponsored by:	Netflix, Inc.
2018-04-06 17:20:37 +00:00
brooks
013f31df9d Remove caching from getlogin(2).
This caching has existed since the CSRG import, but serves no obvious
purpose. Sure, setlogin() is called rarely, but calls to getlogin()
should also be infrequent. The required invalidation was not
implemented on aarch64, arm, mips, amd riscv so updates would never
occur if getlogin() was called before setlogin().

Reported by:	Ali Mashtizadeh <ali@mashtizadeh.com>
Reviewed by:	kib
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14965
2018-04-06 17:17:34 +00:00
ed
fa41fad703 Push RFC 5424 message format from logmsg() into fprintlog().
Now that all of parsemsg() parses both RFC 3164 and 5424 messages and
hands them to logmsg(), alter the latter to properly forward all RFC
5424 message attributes to fprintlog(). While there, make some minor
cleanups to this code:

- Instead of extending the existing code that compares hostnames and
  message bodies for deduplication, print all of the relevant message
  fields into a single string that we can compare ('saved').

- No longer let the behaviour of fprintflog() depend on whether
  'msg == NULL' to print repetition messages, Simply decompose this
  function into fprintlog_first() and fprintlog_successive(). This
  makes the interpretation of function arguments less magical and also
  allows us to get consistent behaviour across RFC 3164 and 5424 when
  adding support for the RFC 5424 output format.

- As RFC 5424 syslog messages have a dedicated application name field,
  alter the repetition messages to be printed on behalf of syslogd on
  the current system. Change these messages to use the local hostname,
  so that it's obvious which syslogd instance detected the repetition.
  Remove f_prevhost, as it has now become unnecessary.

- Remove a useless strdup(). Deconsting the message string is safe in
  this specific case.
2018-04-06 17:16:50 +00:00
jtl
77cc11ce79 Pat the watchdog less while producing a coredump. Prior to this change,
we patted the watchdog approximately once per 4KB page of memory.  After
this change, we pat the watchdog approximately once per 128MB of memory.
On a sample machine, this translated to patting the watchdog approximately
every 5.4 seconds, which "seems reasonable". We can choose a different
value in the future, if warranted.

This has extensive field experience. It is a performance improvement, and
has not caused any known problems.

Reviewed by:	imp, kib
Sponsored by:	Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D14988
2018-04-06 17:06:22 +00:00
jtl
15af8ae175 Check that in_pcbfree() is only called once for each PCB. If that
assumption is violated, "bad things" could follow.

I believe such an assert would have detected some of the problems jch@
was chasing in PR 203175 (see r307551).  We also use it in our internal
TCP development efforts.  And, in case a bug does slip through to
released code, this change silently ignores subsequent calls to
in_pcbfree().

Reviewed by:	rrs
Sponsored by:	Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D14990
2018-04-06 16:48:11 +00:00
ed
8a4e129ce8 Remove some places where error messages are prefixed with "syslogd".
Due to using RFC 5424, the application name is stored in a dedicated
field. It can simply be passed as an argument to logmsg() now.
2018-04-06 16:26:46 +00:00
ed
14eb2a468f Properly respect the passed in hostname for RFC 5424 messages.
Only override the hostname in case none is provided or when remote
hostnames should be ignored.
2018-04-06 16:24:03 +00:00
royger
e51e4bdd98 x86: fix trampoline memory allocation after r332073
Add the missing breaks in the for loops, in order to exit the loop
when a suitable entry is found.

Also switch amd64 native_start_all_aps to use PHYS_TO_DMAP in order to
find the virtual address of the boot_trampoline and the initial page
tables.

Reported and tested by:	pho
Sponsored by:		Citrix Systems R&D
2018-04-06 16:22:14 +00:00
kp
01a46893f7 pf tests: Basic ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS
Validate the DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and
DIOCRSETTFLAGS ioctls with invalid values. These may succeed (because
the kernel uses the minimally required size, not the specified size),
but should not trigger kernel panics.

MFC after:	1 week
2018-04-06 15:57:20 +00:00
kp
337a0778fc pf: Improve ioctl validation for DIOCRGETTABLES, DIOCRGETTSTATS, DIOCRCLRTSTATS and DIOCRSETTFLAGS
These ioctls can process a number of items at a time, which puts us at
risk of overflow in mallocarray() and of impossibly large allocations
even if we don't overflow.

Limit the allocation to required size (or the user allocation, if that's
smaller). That does mean we need to do the allocation with the rules
lock held (so the number doesn't change while we're doing this), so it
can't M_WAITOK.

MFC after:	1 week
2018-04-06 15:54:30 +00:00
kevans
87196146cf lualoader: Fix menu skipping with loader.conf(5) vars
Earlier efforts to stop loading the menu broke the ability to skip the menu
with, e.g., beastie_disable in loader.conf(5) as it was decided before
configuration was read.

Defer bringing in the menu module until we've loaded configuration so that
we can make a more informed decision on whether the menu should be skipped
or not.
2018-04-06 15:19:48 +00:00
kevans
86cea92a59 aw_sid(4): Use prctl read for all reads when it's required
It was later found that some operation on the OrangePi one will cause
direct accesses to the eeprom to return wrong data again, so reading it all
once via prctl at attach time is no longer sufficient.
2018-04-06 15:17:09 +00:00
jtl
b94f9c58dc In cases where an application issues certain IPMI commands at a high
enough rate, the IPMI code can print large numbers of messages to the
console, such as:
  ipmi0: KCS: Failed to read completion code
  ipmi0: KCS error: ff
  ipmi0: KCS: Failed to read completion code
  ipmi0: KCS error: ff

These seem to be innocuous from a system standpoint, and the user-
space code can deal with the failures. Therefore, suppress printing
these messages to the console unless bootverbose is enabled.

Obtained from:	Netflix, Inc.
2018-04-06 15:15:21 +00:00
kp
7cad8d5216 pf tests: Basic ioctl validation tests
Validate the DIOCRADDTABLES and DIOCRDELTABLES ioctls with invalid size
values. All of these requests should fail.

MFC after:	1 week
2018-04-06 15:03:48 +00:00
kp
8f7d14d304 pf: Improve ioctl validation for DIOCRADDTABLES and DIOCRDELTABLES
The DIOCRADDTABLES and DIOCRDELTABLES ioctls can process a number of
tables at a time, and as such try to allocate <number of tables> *
sizeof(struct pfr_table). This multiplication can overflow. Thanks to
mallocarray() this is not exploitable, but an overflow does panic the
system.

Arbitrarily limit this to 65535 tables. pfctl only ever processes one
table at a time, so it presents no issues there.

MFC after:	1 week
2018-04-06 15:01:45 +00:00
ed
591ef7c807 Let syslog(3) use RFC 5424.
With r332099 changing syslogd(8) to parse RFC 5424 formatted syslog
messages, go ahead and also change the syslog(3) libc function to
generate them. Compared to RFC 3164, RFC 5424 has various advantages,
such as sub-second precision for log entry timestamps.

As this change could have adverse effects when not updating syslogd(8)
or using a different system logging daemon, add a notice to UPDATING and
increase __FreeBSD_version.

Differential Revision:	https://reviews.freebsd.org/D14926
2018-04-06 13:00:45 +00:00
ed
6301688144 Add RFC 5424 syslog message parsing to syslogd.
Syslogd currently uses the RFC 3164 format for its log messages.One
limitation of RFC 3164 is that it cannot be used to log entries with
sub-second precision timestamps. One of our users has expressed a desire
for doing this for doing some basic performance measurements.

This change attempts to make a first cut at switching to RFC 5424 based
logging. The first step is to alter syslogd's input path to properly
parse such messages. It alters the logmsg() prototype to match the
fields of RFC 5424. The parsemsg() function is extended to parse both
RFC 3164 and 5424 messages and call into logmsg() accordingly.

Additional changes include:

- Introducing proper parsing of timestamps, so that they can be printed
  in any desired output format. This means we need to infer the year and
  timezone for RFC 3164 timestamps.
- Removing ISKERNEL. This can now be realised by simply providing an
  APP-NAME (== "kernel").
- Extending RFC 3164 parsing to trim off the TAG prefix and using that
  to derive APP-NAME and PROCID.
- Increase MAXLINE. RFC 5424 mentions we should support 2k messages.

Differential Revision:	https://reviews.freebsd.org/D14926
2018-04-06 12:57:01 +00:00
royger
e1f89be1d3 remove GiB/MiB macros from param.h
And instead define them in the files where they are used.

Requested by: bde
2018-04-06 11:20:06 +00:00
emaste
5e76fb407e stand: pass --no-rosegment for i386 bits when linking with lld
btxld does not correctly handle input with other than 2 PT_LOAD
segments.  Passing --no-rosegment lets lld produce output eqivalent to
ld.bfd: 2 PT_LOAD segments and no PT_GNU_RELRO.

PR:		225775
MFC after:	3 weeks
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D14956
2018-04-06 02:57:58 +00:00
brooks
0080e81d7c Add 32-bit compat for ioctls that take struct ifgroupreq.
Use an accessor to access ifgr_group and ifgr_groups.

Use an macro CASE_IOC_IFGROUPREQ(cmd) in place of case statements such
as "case SIOCAIFGROUP:". This avoids poluting the switch statements
with large numbers of #ifdefs.

Reviewed by:	kib
Obtained from:	CheriBSD
MFC after:	1 week
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14960
2018-04-05 22:14:55 +00:00
brooks
8f46ff8fe4 ifconf(): Always zero the whole struct ifreq.
The previous split of zeroing ifr_name and ifr_addr seperately is safe
on current architectures, but would be unsafe if pointers were larger
than 8 bytes. Combining the zeroing adds no real cost (a few
instructions) and makes the security property easier to verify.

Reviewed by:	kib, emaste
Obtained from:	CheriBSD
MFC after:	3 days
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14912
2018-04-05 21:58:28 +00:00
brooks
416a043285 Added SAL annotatations to system calls.
Modify makesyscalls.sh to strip out SAL annotations.

No functional change.

This is based on work I started in CheriBSD and use to validate fat
pointers at the syscall boundary.  Tal Garfinkel reviewed the changes,
added annotations to COMPAT* syscalls and is using them in a record and
playback framework.  One can envision other uses such as a WITNESS-like
validator for copyin/out as speculated on in the review.

As this time we are only annotating sys/kern/syscalls.master as that is
sufficient for userspace work.  If kernel use cases materialize, we can
annotate other syscalls.master as needed.

Submitted by:	Tal Garfinkel <talg@cs.stanford.edu>
Sponsored by:	DARPA, AFRL (in part)
Differential Revision:	https://reviews.freebsd.org/D14285
2018-04-05 20:31:45 +00:00
benno
818a504b94 Add an ISO9660 "partition table" type to loader.
When booted via isoboot(8) loader will be handed a disk that simply contains
an ISO9660 image. Currently this confuses it greatly. Teach it how to spot
that it's in this situation and that ISO9660 has one "partition" covering
the whole disk.

Reviewed by:	imp
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D14915
2018-04-05 19:45:30 +00:00
benno
0b8d8dcffd Add isoboot(8) for booting BIOS systems from HDDs containing ISO images.
This is part of a project for adding the ability to create hybrid CD/USB boot
images. In the BIOS case when booting from something that isn't a CD we need
some extra boot code to actually find our next stage (loader) within an
ISO9660 filesystem. This code will reside in a GPT partition (similar to
gptboot(8) from which it is derived) and looks for /boot/loader in an
ISO9660 filesystem on the image.

Reviewed by:	imp
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D14914
2018-04-05 19:40:46 +00:00
benno
c45837807b Various style(9) fixes.
Reviewed by:	strip --strip-debug -o - gptboot.o | md5
Sponsored by:	iXsystems, Inc.
2018-04-05 19:29:22 +00:00
benno
75db17a2d6 Use consistent whitespace.
Reviewed by:	strip --strip-debug -o - gptboot.o | md5
Sponsored by:	iXsystems, Inc.
2018-04-05 19:27:24 +00:00
brooks
198d9fcdd8 Allow -DNO_CLEAN buildworld after r332080. 2018-04-05 18:19:48 +00:00
brooks
9928a4ad73 Remove architecture specific shmat.S files.
These files are identical to the generated system calls.
In the case of MIPS, the file was already disconnected from the build.

Submitted by:	Ali Mashtizadeh <ali@mashtizadeh.com>
Reviewed by:	kib
Differential Revision:	https://reviews.freebsd.org/D14976
2018-04-05 18:17:46 +00:00
markj
53726df9f4 Fix the definitions of get_cpu() and put_cpu().
They are supposed to disable preemption.

Reported by:	rstone
MFC after:	5 days
2018-04-05 17:26:03 +00:00
br
7d671d9b44 Add support for the Coresight technology from ARM Ltd.
ARM Coresight is a solution for debug and trace of complex SoC designs.

This includes a collection of drivers for ARM Coresight interconnect
devices within a small Coresight framework.

Supported devices are:
o Embedded Trace Macrocell v4 (ETMv4)
o Funnel
o Dynamic Replicator
o Trace Memory Controller (TMC)
o CPU debug module

Devices are connected to each other internally in SoC and the
configuration of each device endpoints is described in FDT.

Typical trace flow (as found on Qualcomm Snapdragon 410e):
CPU0 -> ETM0 -> funnel1 -> funnel0 -> ETF -> replicator -> ETR -> DRAM
CPU1 -> ETM1 -^
CPU2 -> ETM2 -^
CPU3 -> ETM3 -^

Note that both Embedded Trace FIFO (ETF) and Embedded Trace Router (ETR)
are hardware configurations of TMC.

This is required for upcoming HWPMC tracing support.

This is tested on single-core system only.

Reviewed by:	andrew (partially)
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14618
2018-04-05 15:45:54 +00:00
rgrimes
0b35cef2b2 Exit with usage when extra arguments are on command line
preventing mistakes such as "halt 0p" for "halt -p".
Approved by:	bde (mentor), phk (mentor)
MFC after:	1 week
2018-04-05 15:00:08 +00:00
royger
5f1547e410 x86: improve reservation of AP trampoline memory
So that it doesn't rely on physmap[1] containing an address below
1MiB. Instead scan the full physmap and search for a suitable address
to place the trampoline code (below 1MiB) and the initial memory pages
(below 4GiB).

Sponsored by:		Citrix Systems R&D
Reviewed by:		kib
Differential Revision:	https://reviews.freebsd.org/D14878
2018-04-05 14:39:51 +00:00
royger
6699cd8b0f introduce GiB and MiB macros
This macros convert from GiB or MiB into bytes.

Sponsored by: Citrix Systems R&D
2018-04-05 14:31:54 +00:00
sbruno
2e02693803 Squash error from geom by sizing ident strings to DISK_IDENT_SIZE.
Display attribute in future error strings and differentiate g_handleattr()
error messages for ease of debugging in the future.

"g_handleattr: md1 bio_length 24 strlen 31 -> EFAULT"

Reported by:	swills
Reviewed by:	imp cem avg
Sponsored by:	Limelight Networks
Differential Revision:	https://reviews.freebsd.org/D14962
2018-04-05 13:56:40 +00:00
kib
85654290ba Fix ERESTART for lcall $7,$0 syscalls.
The lcall trampoline enters kernel by int $0x80, which sets up invalid
length of the instruction for %rip rewind.

Reviewed by:	bde
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2018-04-05 11:03:21 +00:00
kib
22ab7ec03b Make the INTO instruction operational in 32bit mode.
Having the IDT entry specify ring 0 DPL caused delivery of #GP instead
of #OF.

The instruction is not valid in 64bit mode, which probably explains
why the IDT entry for #OF was initially set this way.  It is
interesting to note that the BOUND instruction works with the IDT #BR
entry DPL 0, most likely CPU considers #BR from BOUND as generated by
a machine, not user.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2018-04-05 11:03:05 +00:00
emaste
a5aa6a91a2 remove special handling for stale ptrace dependencies
r318957 added special handling for stale ptrace dependency files to
support a -DNO_CLEAN build in a tree last built before r305012.  That
revision is now over a year and a half old, so retire the special case.

Sponsored by:	The FreeBSD Foundation
2018-04-05 03:26:42 +00:00
mckusick
50d7ca2454 Renumber soft-update types starting at 1 instead of 0 to avoid confusion
of zero'ed memory appearing to have a valid soft-update type.

Also correct some comments.

Reviewed by: kib
2018-04-05 00:32:01 +00:00
np
6f570a6cb8 cxgbe(4): Always display an error message if SIOCSIFFLAGS will leave
IFF_UP and IFF_DRV_RUNNING out of sync.  ifhwioctl in the kernel pays no
attention to the return code from the driver ioctl during SIOCSIFFLAGS
so these messages are the only indication that the ioctl was called but
failed.

MFC after:	1 week
Sponsored by:	Chelsio Communications
2018-04-04 22:52:24 +00:00
brooks
d2b366f384 Allow -DNO_CLEAN builds over r332048. 2018-04-04 22:46:30 +00:00
brooks
797201a4c8 Remove architecture specific sigreturn.S files.
All of these files are identical (modulo license blocks and VCS IDs) to
the files generated by lib/libc/sys/Makefile.inc and serve no purpose.

Reported by:	Ali Mashtizadeh <ali@mashtizadeh.com>
Reviewed by:	kib
Sponsored by:	DARPA, AFRL
Differential Revision:	https://reviews.freebsd.org/D14953
2018-04-04 22:45:08 +00:00
vmaffione
6dfc9aee0f netmap: align if_ptnet guest driver to the upstream code (commit 0e15788)
The change upgrades the driver to use the split Communication Status
Block (CSB) format. In this way the variables written by the guest
and read by the host are allocated in a different cacheline than
the variables written by the host and read by the guest; this is
needed to avoid cache thrashing.

Approved by:	hrs (mentor)
2018-04-04 21:31:12 +00:00
ian
cf4f9e9181 Add a missing MODULE_DEPEND(). 2018-04-04 21:19:33 +00:00
emaste
44d4315517 Fix kernel memory disclosure in tcp_ctloutput
strcpy was used to copy a string into a buffer copied to userland, which
left uninitialized data after the terminating 0-byte.  Use the same
approach as in tcp_subr.c: strncpy and explicit '\0'.

admbugs:	765, 822
MFC after:	1 day
Reported by:	Ilja Van Sprundel <ivansprundel@ioactive.com>
Reported by:	Vlad Tsyrklevich
Security:	Kernel memory disclosure
Sponsored by:	The FreeBSD Foundation
2018-04-04 21:12:35 +00:00
markj
958788bce2 Typo.
MFC after:	3 days
2018-04-04 20:15:41 +00:00