Commit Graph

258070 Commits

Author SHA1 Message Date
mmel
7986a38d8f Fix bug introduced by r343962.
DMAMAP_DMAMEM_ALLOC is property of dmamap, not dmatag.

MFC after:	1 week
Reported by:	ian
Pointy hat:	mmel
2019-02-10 18:28:37 +00:00
kib
08849e56ba Implement Address Space Layout Randomization (ASLR)
With this change, randomization can be enabled for all non-fixed
mappings.  It means that the base address for the mapping is selected
with a guaranteed amount of entropy (bits). If the mapping was
requested to be superpage aligned, the randomization honours the
superpage attributes.

Although the value of ASLR is diminshing over time as exploit authors
work out simple ASLR bypass techniques, it elimintates the trivial
exploitation of certain vulnerabilities, at least in theory.  This
implementation is relatively small and happens at the correct
architectural level.  Also, it is not expected to introduce
regressions in existing cases when turned off (default for now), or
cause any significant maintaince burden.

The randomization is done on a best-effort basis - that is, the
allocator falls back to a first fit strategy if fragmentation prevents
entropy injection.  It is trivial to implement a strong mode where
failure to guarantee the requested amount of entropy results in
mapping request failure, but I do not consider that to be usable.

I have not fine-tuned the amount of entropy injected right now. It is
only a quantitive change that will not change the implementation.  The
current amount is controlled by aslr_pages_rnd.

To not spoil coalescing optimizations, to reduce the page table
fragmentation inherent to ASLR, and to keep the transient superpage
promotion for the malloced memory, locality clustering is implemented
for anonymous private mappings, which are automatically grouped until
fragmentation kicks in.  The initial location for the anon group range
is, of course, randomized.  This is controlled by vm.cluster_anon,
enabled by default.

The default mode keeps the sbrk area unpopulated by other mappings,
but this can be turned off, which gives much more breathing bits on
architectures with small address space, such as i386.  This is tied
with the question of following an application's hint about the mmap(2)
base address. Testing shows that ignoring the hint does not affect the
function of common applications, but I would expect more demanding
code could break. By default sbrk is preserved and mmap hints are
satisfied, which can be changed by using the
kern.elf{32,64}.aslr.honor_sbrk sysctl.

ASLR is enabled on per-ABI basis, and currently it is only allowed on
FreeBSD native i386 and amd64 (including compat 32bit) ABIs.  Support
for additional architectures will be added after further testing.

Both per-process and per-image controls are implemented:
- procctl(2) adds PROC_ASLR_CTL/PROC_ASLR_STATUS;
- NT_FREEBSD_FCTL_ASLR_DISABLE feature control note bit makes it possible
  to force ASLR off for the given binary.  (A tool to edit the feature
  control note is in development.)
Global controls are:
- kern.elf{32,64}.aslr.enable - for non-fixed mappings done by mmap(2);
- kern.elf{32,64}.aslr.pie_enable - for PIE image activation mappings;
- kern.elf{32,64}.aslr.honor_sbrk - allow to use sbrk area for mmap(2);
- vm.cluster_anon - enables anon mapping clustering.

PR:	208580 (exp runs)
Exp-runs done by:	antoine
Reviewed by:	markj (previous version)
Discussed with:	emaste
Tested by:	pho
MFC after:	1 month
Sponsored by:	The FreeBSD Foundation
Differential revision:	https://reviews.freebsd.org/D5603
2019-02-10 17:19:45 +00:00
mmel
d856ea7e91 Don't allocate same clock twice..
MFC after:	1 week
Reported by:	jah
2019-02-10 14:30:15 +00:00
mmel
dd190a8f15 Properly handle alignment requests bigger that page size.
- for now, alignments bigger that page size is allowed only for buffers
   allocated by bus_dmamem_alloc(), cover this fact by KASSERT.
 - never bounce buffers allocated by bus_dmamem_alloc(), these always comply
   with the required rules (alignment, boundary, address range).

MFC after:	1 week
Reviewed by:	jah
PR:		235542
2019-02-10 14:25:29 +00:00
tuexen
b80fcf68dd Fix a locking issue when reporing outbount messages.
MFC after:		3 days
2019-02-10 14:02:14 +00:00
tuexen
eee3d66791 Fix a locking issue in the IPPROTO_SCTP level SCTP_PEER_ADDR_THLDS socket
option. The problem affects only setsockopt with invalid parameters.

This issue was found by syzkaller.

MFC after:		3 days
2019-02-10 13:55:32 +00:00
dim
e54591675d Fix the first couple of AddressSanitizer violations in usr.bin/top.
Avoid setting zero bytes beyond the length of the 'thisline' parameters
in i_process() and u_process(), and don't attempt to memset a negative
number of bytes.

MFC after:	1 week
2019-02-10 13:44:36 +00:00
dim
6390240351 Fix multiple warnings in usr.bin/top about variables shadowing global
declarations from base gcc, by renaming those variables.

MFC after:	1 week
2019-02-10 13:34:21 +00:00
dim
24a0b90e26 Fix multiple warnings in usr.bin/top about discarded qualifiers from
both clang and gcc, by either constifying variables, or when that is not
possible, using __DECONST.

MFC after:	1 week
2019-02-10 13:31:08 +00:00
tuexen
fb17e65b4c Fix a locking bug in the IPPROTO_SCTP level SCTP_EVENT socket option.
This occurs when call setsockopt() with invalid parameters.

This issue was found by syzkaller.

MFC after:		3 days
2019-02-10 10:42:16 +00:00
peterj
cd5c424771 Replace calls to sin(x) and cos(x) with a single call to sincos().
Replace calls to sinf(x) and cosf(x) with a single call to sincosf().

Submitted by:	Steve Kargl <sgk@troutmask.apl.washington.edu>
Reviewed by:	bde
Approved by:	grog
MFC after:	3 days
2019-02-10 08:46:07 +00:00
ganbold
a8ffff1898 Enable necessary bits when activating interrupts. This allows
reading some events from the interrupt status registers. These events
are reported to devd via system "PMU" and subsystem "Battery", "AC"
and "USB" such as plugged/unplugged, absent, charged and charging.

Reviewed by:	manu
Differential Revision:	https://reviews.freebsd.org/D19116
2019-02-10 08:41:52 +00:00
tuexen
b30530d5f6 Fix locking for IPPROTO_SCTP level SCTP_DEFAULT_PRINFO socket option.
This problem occurred when calling setsockopt() will invalid parameters.

This issue was found by running syzkaller.

MFC after:		3 days
2019-02-10 08:28:56 +00:00
manu
329de1d73b arm64: Fix compile when removing SOC_ROCKCHIP_* options
Make every rockchip file depend on the multiple soc_rockchip options
While here make rk_i2c and rk_gpio depend on their device options.

Reported by:	sbruno
2019-02-10 08:14:06 +00:00
cem
78a5bf8935 Revert r343713 temporarily
The COVERAGE option breaks xtoolchain-gcc GENERIC kernel early boot
extremely badly and hasn't been fixed for the ~week since it was committed.
Please enable for GENERIC only when it doesn't do that.

Related fallout reported by:	lwhsu, tuexen (pr 235611)
2019-02-10 07:54:46 +00:00
jhibbits
15481914ff powerpc: Fix AIM build
cpu_idle_e500mc is only used in booke, so ignore it completely in AIM.

MFC after:	2 weeks
MFC with:	r343944
2019-02-09 23:19:33 +00:00
pluknet
16482aa8e6 Document the ENOBUFS errno in setsockopt(2).
In particular, it is the case if SO_SNDBUF/SO_RCVBUF would exceed sb_max_adj.

PR:		200649
MFC after:	1 week
2019-02-09 21:33:32 +00:00
jhibbits
9745f424d1 powerpc: Split out the e500mc idling from rest of Book-E
The e500v2 and e500mc (and derivatives) have different idling procedures, so
make them different functions.

MFC after:	2 weeks
2019-02-09 21:19:53 +00:00
jhibbits
b673a11d47 ddb: Print the thread's pcb in 'show thread'
This can aid with debugging when a thread is running and has no backtrace.
State can be estimated based on the pcb, and refined from there, for
example, to get a rough idea of the stack pointer.
2019-02-09 21:08:19 +00:00
johalun
1c46a14971 Add myself to committers-src.dot and calendar.freebsd
Reviewed by:	imp (mentor)
Approved by:	imp (mentor)
Differential Revision:	https://reviews.freebsd.org/D19101
2019-02-09 16:53:39 +00:00
marius
84fd25b2a5 - Remove the redundant device disabled hint handling; ever since
r241119 that's performed globally by device_attach(9).
- As for the EM-class of devices, em(4) supports multiple queues
  and MSI-X respectively only with 82574 devices. However, since
  the conversion to iflib(4), em(4) relies on the interrupt type
  fallback mechanism, i. e. MSI-X -> MSI -> INTx, of iflib(4) to
  figure out the interrupt type to use for the EM-class (as well
  as the IGB-class) of MACs. Moreover, despite the datasheet for
  82583V not mentioning any support of MSI-X, there actually are
  82583V devices out there that report a varying number of MSI-X
  messages as supported. The interrupt type fallback of iflib(4)
  is causing two failure modes depending on the actual number of
  MSI-X messages supported for such instances of 82583V:
  1) With only one MSI-X message supported, none is left for the
     RX/TX queues as that one message gets assigned to the admin
     interrupt. Worse, later on - which will be addressed with a
     separate fix - iflib(4) interprets that one messages as MSI
     or INTx to be set up, but fails to actually do so as it has
     previously called pci_alloc_msix(9). [1, 2]
  2) With more message supported, their distribution is okay but
     then em_if_msix_intr_assign() doesn't work for 82583V, with
     the interface being left in a non-working state, too. [3]
  Thus, let em_if_attach_pre() indicate to iflib(4) to try MSI-X
  with 82574 only, and at most MSI for the remainder of EM-class
  devices.
  While at it, remove "try_second_bar" as it's polarity inverted
  and not actually needed.
- Remove code from em_if_timer() that effectively is a NOP since
  the conversion to iflib(4) ("trigger" is no longer read).
  While at it, let the comment for em_if_timer() reflect reality
  after said conversion.
- Implement an ifdi_watchdog_reset method which only updates the
  em(4) "watchdog_events" counter but doesn't perform any reset,
  so that the em(4) "watchdog_timeouts" SYSCTL (iflib(4) doesn't
  provide a counterpart) reflects reality and these timeouts add
  to IFCOUNTER_OERRORS again after the iflib(4) conversion.
- Remove the "mbuf_defrag_fail" and "tx_dma_fail" SYSCTLS; since
  the iflib(4) conversion, associated counters are disconnected,
  but iflib(4) provides "mbuf_defrag_failed" and "tx_map_failed"
  respectively as equivalents.
- Move the description preceding lem_smartspeed() to the correct
  spot before em_reset() and bring back appropriate comments for
  {igb,em}_initialize_rss_mapping() and lem_smartspeed() lost in
  the iflib(4) conversion.
- Adapt some other function descriptions and INIT_DEBUGOUT() use
  to match reality after the iflib(4) conversion.
- Put the debugging message of em_enable_vectors_82574() (missed
  in r343578) under bootverbose, too.

PR:		219428 [1], 235246 [2], 235147 [3]
Reviewed by:	erj (previous version)
Differential Revision:	https://reviews.freebsd.org/D19108
2019-02-09 11:58:40 +00:00
ygy
c124a49913 Remove -R option which was added to sysctl(8) man page per r244106, but it is not implemented.
MFC after:	3 days
Submitted by:	Alfonso Siciliano <alfix86@gmail.com>
Reviewed by:	0mp, imp
Differential Revision: 	https://reviews.freebsd.org/D19012
2019-02-09 04:36:02 +00:00
kib
d0cb5e667f i386: honor kern.elf32.read_exec for ommap(2) and break(2), as already
done on amd64.

Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-02-09 03:56:48 +00:00
kib
32c9348f1f Normalize the declaration of i386_read_exec variable.
It is currently re-declared in sys/sysent.h which is a wrong place for
MD variable.  Which causes redeclaration error with gcc when
sys/sysent.h and machine/md_var.h are included both.

Remove it from sys/sysent.h and instead include machine/md_var.h when
needed, under #ifdef for both i386 and amd64.

Reported and tested by:	bde
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-02-09 03:51:51 +00:00
glebius
941de281ca Remove remnants of byte order manipulation, back when FreeBSD stack
stored packets in host byte order.
2019-02-09 03:00:00 +00:00
jhibbits
6b73c508ad Correct the CPU target for powerpcspe
The MPC8540 is actually e500v1, which doesn't have double-precision floating
point support.  The 8548 does, so use that as the CPU target.

MFC after:	2 weeks
2019-02-09 02:04:27 +00:00
np
d07b4e7839 cxgbe(4): Delay the panic due to a fatal error by 30s.
This lets information logged by the interrupt handler reach the system
log before the system goes down.
2019-02-09 01:49:53 +00:00
jilles
8f8b9d94a5 dhclient: Return non-zero status when script exits due to a signal
r343896 made it such that a non-zero exit status was passed through, but was
still wrong if the script exits on a signal. POSIX does not say what the
WEXITSTATUS macro returns in this case and in practice 0 is a common value.

Instead, translate the wait status into 8 bits the same way as the shell
calculates $?.

Reviewed by:	kib, Nash Kaminski
MFC after:	1 week
2019-02-08 23:03:28 +00:00
bcr
e9437734f7 Add an example to pw.8 about how to add an existing user to a group.
Instead of using pw to modify group membership, users often edit
/etc/group by hand, which is discouraged.  Provide an example of
adding a user to the wheel group, which is a common use case.
I'm using a different user here as in the previous example as that
deleted the user (although the examples don't necessarily have to
be followed in order).

Reviewed by:	rgrimes,0mp
Approved by:	0mp
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D19123
2019-02-08 22:10:40 +00:00
tuexen
57ec47006e Ensure that when using the TCP CDG congestion control and setting the
sysctl variable net.inet.tcp.cc.cdg.smoothing_factor to 0, the smoothing
is disabled. Without this patch, a division by zero orrurs.

PR:			193762
Reviewed by:		lstewart@, rrs@
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D19071
2019-02-08 20:42:49 +00:00
pkelsey
e26567e467 Fix em(4) interrupt routing
When configured with more tx queues than rx queues,
em_if_msix_intr_assign() was incorrectly routing the tx event
interrupts.

Reviewed by:	erj, marius
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19070
2019-02-08 20:34:47 +00:00
cperciva
67d2201786 Teach /etc/rc.d/growfs how to handle systems running ZFS.
There are many cases which this code does not handle (e.g. ZFS mirrors)
but the code can handle the single-disk case -- so it's enough to take
care of the "disk image which gets booted into a VM with a larger than
expected disk" case for which this firstboot script was created.

MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D19095
2019-02-08 19:19:31 +00:00
dim
8eb3289c7f Amend r343442, by only expecting the lib.msun.cbrt_test.cbrtl_powl and
trig_test.reduction test cases to fail, if the fixes from r343916 have
not yet been applied to the base compiler.

Reported by:    lwhsu
PR:		234040
Upstream PR:	https://bugs.llvm.org/show_bug.cgi?id=40206
MFC after:	1 week
2019-02-08 18:31:54 +00:00
dim
3a3bb53835 Pull in r352607 from upstream llvm trunk (by Craig Topper):
[X86] Add FPSW as a Def on some FP instructions that were missing it.

Pull in r353141 from upstream llvm trunk (by Craig Topper):

  [X86] Connect the default fpsr and dirflag clobbers in inline
  assembly to the registers we have defined for them.

  Summary:
  We don't currently map these constraints to physical register numbers
  so they don't make it to the MachineIR representation of inline
  assembly.

  This could have problems for proper dependency tracking in the
  machine schedulers though I don't have a test case that shows that.

  Reviewers: rnk

  Reviewed By: rnk

  Subscribers: eraman, llvm-commits

  Tags: #llvm

  Differential Revision: https://reviews.llvm.org/D57641

Pull in r353489 from upstream llvm trunk (by Craig Topper):

  [X86] Add FPCW as a register and start using it as an implicit use on
  floating point instructions.

  Summary:
  FPCW contains the rounding mode control which we manipulate to
  implement fp to integer conversion by changing the roudning mode,
  storing the value to the stack, and then changing the rounding mode
  back. Because we didn't model FPCW and its dependency chain, other
  instructions could be scheduled into the middle of the sequence.

  This patch introduces the register and adds it as an implciit def of
  FLDCW and implicit use of the FP binary arithmetic instructions and
  store instructions. There are more instructions that need to be
  updated, but this is a good start. I believe this fixes at least the
  reduced test case from PR40529.

  Reviewers: RKSimon, spatel, rnk, efriedma, andrew.w.kaylor

  Subscribers: dim, llvm-commits

  Tags: #llvm

  Differential Revision: https://reviews.llvm.org/D57735

These should fix a problem in clang 7.0 where it would sometimes emit
long double floating point instructions in a slightly wrong order,
leading to failures in our libm tests.  In particular, the cbrt_test
test case 'cbrtl_powl' and the trig_test test case 'reduction'.

Also bump __FreeBSD_cc_version, to be able to detect this in our test
suite.

Reported by:    lwhsu
PR:		234040
Upstream PR:	https://bugs.llvm.org/show_bug.cgi?id=40206
MFC after:	1 week
2019-02-08 18:24:53 +00:00
kai
22b52df3fe Add myself to committers-ports.dot and calendar.freebsd
Reviewed by:	miwi (mentor)
Approved by:	miwi (mentor)
Differential Revision:	https://reviews.freebsd.org/D19119
2019-02-08 17:57:39 +00:00
andrew
5e27fbdcee Fix the spelling of cov_unregister_pc.
When unregistering kcov from the coverage interface we should use the
unregister function, not the register function.

Sponsored by:	DARPA, AFRL
2019-02-08 16:18:17 +00:00
tychon
d2a0697166 pms(4) should use bus_get_dma_tag() to get parent tag.
Reviewed by:	imp
Sponsored by:	Dell EMC Isilon
2019-02-08 16:05:38 +00:00
mw
15fd10a41e Allow reading the UEFI variable size
When loading bigger variables form UEFI it is necessary to know their
size beforehand, so that an appropriate amount of memory can be
allocated. The easiest way to do this is to try to read the variable
with buffer size equal 0, expecting EFI_BUFFER_TOO_SMALL error to be
returned. Allow such possible approach in efi_getenv routine.

Extracted from a bigger patch as suggested by imp.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Obtained from: Semihalf
Sponsored by: Stormshield
2019-02-08 14:56:28 +00:00
avos
d983f80ab4 newkey(8): fix 'tmpname' memory leak (always) and input file descriptor leak
when output file cannot be opened

PR:		201732
Reported by:	David Binderman <dcb314@hotmail.com>
MFC after:	1 week
2019-02-08 14:31:44 +00:00
dab
a78d504626 Fix several Coverity-detected issues in newsyslog.
- CID 1394815, CID 1305673: Dereference before null check - memory was
  allocated and the allocation checked for NULL with a call to errx()
  if it failed. Code below that was guaranteed that the pointer was
  non-NULL, but there was another check for NULL at the exit of the
  function (after the memory had already been referenced). Eliminate
  the useless NULL check.

- CID 1007454, CID 1007453: Resource leak - The result of a strdup()
  was stored in a global variable and not freed before program exit.

- CID 1007452: Resource leak - Storage intended to be allocated and
  returned to the caller was never freed. This was the result of a
  regression in the function signature introduced in r208648 (2010)
  (thanks for that find, @cem!). Fixed by altering the function
  signature and passing the allocated memory to the caller as
  intended. This also fixes PR158794.

- CID 1008620: Logically dead code in newsyslog.c - This was a direct
  result of CID 1007452. Since the memory allocated as described there
  was not returned to the caller, a subsequent check for the memory
  having been allocated was dead code. Returning the memory
  re-animates the code that is the subject of this CID.

- CID 1006131: Unused value - in parsing a configuration file, a
  pointer to the end of the last field was saved, but not used after
  that. Rewrite to use the pointer value. This could have been fixed
  by avoiding the assignment altogether, but this solutions more
  closely follows the pattern used in the preceding code.

PR:		158794
Reported by:	Coverity, Ken-ichi EZURA <k.ezura@gmail.com> (PR158794)
Reviewed by:	cem, markj
MFC after:	1 week
Sponsored by:	Dell EMC Isilon
2019-02-08 13:54:16 +00:00
hselasky
1bb271fef9 Improve Bluetooth device discovery support for Android and Microsoft devices.
Tested using the virtual_bt_speaker(8) tool from the virtual_oss(8)
project at github.com.

PR:			210089
MFC after:		1 week
Sponsored by:		Mellanox Technologies
2019-02-08 13:10:45 +00:00
pluknet
59479897cb Add macOS 10.14. 2019-02-08 11:49:59 +00:00
kib
50ac923f6c Un null_vptocnp(), cache vp->v_mount and use it for null_nodeget() call.
The vp vnode is unlocked during the execution of the VOP method and
can be reclaimed, zeroing vp->v_data.  Caching allows to use the
correct mount point.

Reported and tested by:	pho
PR: 235549
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-02-08 08:20:18 +00:00
kib
c1a7cfd5df Before using VTONULL(), check that the covered vnode belongs to nullfs.
Reported and tested by:	pho
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-02-08 08:17:31 +00:00
kib
ef547a4448 Some style for nullfs_mount(). Also use bool type for isvnunlocked.
Tested by:	pho
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
2019-02-08 08:15:29 +00:00
kib
0a987876ef Correctly return exit status from the exited process.
This is also OpenBSD rev. 1.117, as pointed out by
Ryan Moeller <ryan@ixsystems.com>.

Submitted by:	Nash Kaminski <nashkaminski@gmail.com>
MFC after:	1 week
2019-02-08 07:36:08 +00:00
glebius
b0eb264052 Allow some nesting of ng_iface(4) interfaces and add a configuration knob.
PR:		235500
MFC after:	1 week
2019-02-08 06:19:28 +00:00
kib
fe9ffad6ed Fix renameat(2) for CAPABILITIES kernels.
When renameat(2) is used with:
- absolute path for to;
- tofd not set to AT_FDCWD;
- the target exists
kern_renameat() requires CAP_UNLINK capability on tofd, but
corresponding namei ni_filecap is not initialized at all because the
lookup is absolute.  As result, the check was done against empty filecap
and syscall fails erronously.

Fix it by creating a return flags namei member and reporting if the
lookup was absolute, then do not touch to.ni_filecaps at all.

PR:	222258
Reviewed by:	jilles, ngie
Sponsored by:	The FreeBSD Foundation
MFC after:	1 week
X-MFC-note:	KBI breakage
Differential revision:	https://reviews.freebsd.org/D19096
2019-02-08 04:18:17 +00:00
kib
ca4620a431 do_execve(): lock vnode when needed.
Code after exec_fail_dealloc label expects that the image vnode is
locked if present.  When copyout() of the strings or auxv vectors fails,
goto to the error handling did not relocked the vnode as required.

The copyout() can be made failing e.g. by creating an ELF image with
PT_GNU_STACK segment disabling the write.

Reported by:	Jonathan Stuart <n0t.jcs@gmail.com> (found by fuzzing)
Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
2019-02-08 04:06:48 +00:00
np
bed9753584 cxgbev(4): Initialize debug_flags from the environment like in the PF driver. 2019-02-08 03:31:38 +00:00