Commit Graph

250653 Commits

Author SHA1 Message Date
Chuck Silvers
bd7d64f548 Don't mark pages as valid if reading the contents from disk fails.
Instead, just skip marking pages valid if the read fails.  Future
attempts to access such pages will notice that they are not marked valid
and try to read them from disk again.

Reviewed by:	kib, markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D25138
2020-06-06 00:47:59 +00:00
Rick Macklem
7674d489fc Fix mountd so that it will not lose SIGHUPs that indicate "reload exports".
Without this patch, if a SIGHUP is handled while the process is executing
get_exportlist(), that SIGHUP is essentially ignored because the got_sighup
variable is reset to 0 after get_exportlist().
This results in the exports file(s) not being reloaded until another SIGHUP
signal is sent to mountd.
This patch fixes this by resetting got_sighup to zero before the
get_exportlist() call while SIGHUP is blocked.
It also defines a delay time of 250msec before doing another exports reload
if there are RPC request(s) to process. This prevents repeated exports reloads
from delaying handling of RPC requests significantly.

PR:		246597
Reported by:	patrykkotlowski@gmail.com
Tested by:	patrykkotlowski@gmail.com
Reviewed by:	markj
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D25127
2020-06-06 00:40:02 +00:00
Ed Maste
24ed6f550a Rename skein_block_asm.s to .S and assemble using Clang IAS
Comparing the object files produced by GNU as 2.17.50 and Clang IAS
shows many immaterial changes in strtab etc., and one material change
in .text:

   1bac:  4c 8b 4f 18             mov    0x18(%rdi),%r9
   1bb0:  eb 0e                   jmp    1bc0 <Skein1024_block_loop>
-  1bb2:  66 66 2e 0f 1f 84 00    data16 nopw %cs:0x0(%rax,%rax,1)
-  1bb9:  00 00 00 00
-  1bbd:  0f 1f 00                nopl   (%rax)
+  1bb2:  66 2e 0f 1f 84 00 00    nopw   %cs:0x0(%rax,%rax,1)
+  1bb9:  00 00 00
+  1bbc:  0f 1f 40 00             nopl   0x0(%rax)

 0000000000001bc0 <Skein1024_block_loop>:
 Skein1024_block_loop():
   1bc0:  4c 8b 47 10             mov    0x10(%rdi),%r8
   1bc4:  4c 03 85 c0 00 00 00    add    0xc0(%rbp),%r8

That is, GNU as and Clang's integrated assembler use different multi-
byte NOPs for alignment (GNU as emits an 11 byte NOP + a 3 byte NOP,
while Clang IAS emits a 10 byte NOP + a 4 byte NOP).

Dependency cleanup hacks are not required, because we do not create
.depend files from GNU as.

Reviewed by:	allanjude, arichardson, cem, tsoome
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D8434
2020-06-06 00:35:41 +00:00
Chuck Silvers
c2ea3d44bf Fix hang due to missing unbusy in sendfile when an async data I/O fails.
r359473 removed the page unbusy logic from sendfile_iodone() because when
vm_pager_get_pages_async() would return an error after failing to start
the async I/O (eg. because VOP_BMAP failed), sendfile_swapin() would also
unbusy the pages, and it was wrong to unbusy twice.  However this breaks
the case where vm_pager_get_pages_async() succeeds in starting an async I/O
and the async I/O is what fails.  In this case, sendfile_iodone() must
unbusy the pages, and because sendfile_iodone() doesn't know which case
it is in, sendfile_iodone() must always unbusy pages and relookup pages
which have been substituted with bogus_page, which in turn means that
sendfile_swapin() must never do unbusy or relookup for pages which have
been given to vm_pager_get_pages_async(), even if there is an error.

Reviewed by:	kib, markj
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D25136
2020-06-06 00:02:50 +00:00
Ed Maste
5843b6e7b2 Makefile.inc1: remove stale dependency cleanup from 2018 2020-06-05 20:18:55 +00:00
Emmanuel Vadot
f81b2b9a8a dts: patch the am33xx dts for upcoming clock support
Some ranges are too small compared to what they really are.
Add functional clocks for the timers.

Submitted by:	 Oskar Holmlund (oskar.holmlund@ohdata.se)
X-Differential Revision:	https://reviews.freebsd.org/D25118
2020-06-05 20:14:54 +00:00
Emmanuel Vadot
62352ec9fb dts: Update our copy to be in sync with Linux 5.7
MFC after:	2 months
2020-06-05 20:09:13 +00:00
Emmanuel Vadot
5df7ea339a Import DTS files from Linux 5.7 2020-06-05 19:28:32 +00:00
Ed Maste
f2b8688664 Also pass SKEIN_USE_ASM to the assembler, via AFLAGS 2020-06-05 18:56:43 +00:00
Mark Johnston
13776bf736 librtld_db: Handle anonymous mappings below the first file mapping.
r360979 erroneously assumed that the lowest mapping in an address space
would be a file mapping, but of course this is not true in general.

Reported and tested by:	Frederic Chardon <chardon.frederic@gmail.com>
MFC after:	3 days
2020-06-05 18:44:14 +00:00
Ed Maste
16c0b6eef9 skein_block_asm.S: use #ifdef not .ifdef, for Clang IAS
Clang IAS does not support the --defsym argument, and

.ifndef SKEIN_USE_ASM

gets turned into

.ifndef 1792

by the preprocessor, which results in

error: expected identifier after '.ifdef'
.ifndef 1792
        ^

Use #ifdef instead, which still works with GNU as.

Reviewed by:	cem
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D25154
2020-06-05 18:37:04 +00:00
Toomas Soome
007278ebf0 zfsbootcfg: use vfs.root.mountfrom and update nextboot on every vdev
vfs.zfs.boot.primary_pool is only set on BIOS boot, use vfs.root.mountfrom
instead and update all vdevs on pool.

Reviewed by:	allanjude
Sponsored by:	Netflix, Klara Inc.
Differential Revision:	https://reviews.freebsd.org/D25103
2020-06-05 18:18:27 +00:00
Ed Maste
310e81aede Apply C SKEIN_LOOP setting only to skein_block.c
Otherwise if assembling skein_block_asm.s with Clang's integrated assembler
we can pass conflicting SKEIN_LOOP settings (via CFLAGS and ACFLAGS).
2020-06-05 17:00:38 +00:00
Benjamin Kaduk
5ff9cf9f06 Belatedly bump .Dd for r361783
Reported by:	lwhsu
Pointy hat to:	bjk
2020-06-05 16:59:14 +00:00
Conrad Meyer
5b9b571cb3 geom_label: Use provider aliasing to alias upstream geoms
For synthetic aliases (just pseudonyms inferred from metadata like GPT or
UFS labels, GPT UUIDs, etc), use the GEOM provider aliasing system to create
a symlink to the real device instead of creating an independent device.
This makes it more clear which labels and devices correspond, and we can
safely have multiple labels to a single device accessed at once.

The confusingly named geom_label on-disk construct continues to behave
identically to how it did before.

This requires teaching GEOM's provider aliasing about the possibility
that aliases might be added later in time, and GEOM's devfs interaction
layer not to worry about existing aliases during retaste.

Discussed with:	imp
Relnotes:	sure, if we don't end up reverting it
Differential Revision:	https://reviews.freebsd.org/D24968
2020-06-05 16:12:21 +00:00
Conrad Meyer
c726a670df geom: Don't re-add duplicate aliases
Reviewed by:	imp (informal +1; extracted from phab 24968)
2020-06-05 16:05:09 +00:00
Alexander Motin
fc68af7962 Add bunch of HDA controller and codec IDs.
MFC after:	2 weeks
2020-06-05 15:06:58 +00:00
Adrian Chadd
c3739eb66f [net80211] Don't call ic_updateslot if it's not set.
Turns out this isn't a required call. I didn't pick it up because my
uncommitted changes involve new updateslot methods for cards I'm working
on.

Dunce hat to: adrian
2020-06-05 14:17:19 +00:00
Alex Richardson
7de010f2ee Allow assembling skein_block_asm.s with clang
GNU as seems to allow macro arguments without the '\' but clang is more
strict in that regard.
This change makes the source code compatible with LLVM's but does not yet
change the build system or rename it to .S.

The new code assembles identically with GNU as 2.17.50.

Reviewed By:	emaste
Differential Revision: https://reviews.freebsd.org/D25143
2020-06-05 13:54:13 +00:00
Alex Richardson
3fe733f375 csu: Avoid additional nops in the MIPS INIT_CALL_SEQ macro
Since we had a .set reorder, the nop after the "jal" was being placed after
the delay slot, resulting in two nops.
While changing this code also guard the .set noreorder with .set push/pop
and use $zero as the cpsetup save register since we don't need to save $gp.

Reviewed By:	jhb
Differential Revision: https://reviews.freebsd.org/D25025
2020-06-05 08:46:55 +00:00
Alex Richardson
652f26f9c5 Avoid using non-portable dd status=none flag
Copying the approach chosen in r309412. This fixes building the libc tests
on a macOS host since the macOS /bin/dd binary does not support status=none.

As there only seem to be two uses, this commit changes the two Makefiles.
If this becomes more common, we could also add a wrapper bootstrap script
that ignores status= and forwards the remaining args to the real dd.
Another alternative would be to remove the status flag and pipe stderr to
/dev/null, but them we lose error messages.

Reviewed By:	brooks
Differential Revision: https://reviews.freebsd.org/D24785
2020-06-05 08:46:50 +00:00
Hans Petter Selasky
c51613866f Ensure pci_channel_offline() actually queries the PCI register space,
and not only the software cache of that register.  Else
pci_channel_offline() won't detect that the PCI device is gone when
using the LinuxKPI.

MFC after:	1 week
Sponsored by:	Mellanox Technologies
2020-06-05 08:12:08 +00:00
Hans Petter Selasky
eff8154913 USB HID descriptors may push/pop the current state to allow
description of items residing in a so-called union. FreeBSD currently
only supports 4 such pop levels.

If the push level is not restored within the processing of the same
HID item, an invalid memory location may be used for subsequent HID
item processing.

Verify that the push level is always valid when processing HID items.

Reported by:	Andy Nguyen (Google)
MFC after:	3 days
Sponsored by:	Mellanox Technologies
2020-06-05 07:57:16 +00:00
Adrian Chadd
48f25cc3c2 [net80211] print out node A-MSDU state.
Now that the node AMSDU TX/RX flags are correctly set in ieee80211_ht.c,
we can print out the AMSDU state here.
2020-06-05 07:38:46 +00:00
Adrian Chadd
ebb9b25672 [net80211] Add initial A-MSDU in A-MPDU negotation support.
This is hopefully a big no-op unless you're running some extra
patches to flip on A-MSDU options in a driver.

802.11n supports sending A-MSDU in A-MPDU. That lets you do things
like pack small frames into an A-MSDU and stuff /those/ into an A-MPDU.
It allows for much more efficient airtime because you're not
wasting time sending small frames - which is still a problem when
doing A-MPDU as there's still per-frame overhead and minimum A-MPDU
density requirements.

It, however, is optional for 802.11n.  A lot of stuff doesn't advertise
it (but does it, just wait!); and I know that ath10k does it and my
ath(4) driver work supports it.

Now, 802.11ac makes A-MSDU in A-MPDU something that can happen more
frequently, because even though you can send very large A-MPDUs
(like 1 megabyte and larger) you still have the small frame problem.
So, 802.11ac NICs like ath10k and iwm will support A-MSDU in A-MPDU
out of the box if it's enabled - and you can negotiate it.

So, let's lay down the ground work to enable A-MSDU in A-MPDU.
This will allow hardware like iwn(4) and ath(4) which supports
software A-MSDU but hardware A-MPDU to be more efficient.

Drivers that support A-MSDU in A-MPDU will set TX/RX htcap flags.
Note this is separate from the software A-MSDU encap path; /that/
dictates whether net80211 is doing A-MSDU encapsulation or not.
These HTC flags control negotiation, NOT encapsulation.

Once this negotiation and driver bits are done, hardware like
rtwn(4), run(4), and others will be able to use A-MSDU even without
A-MPDU working;  right now FF and A-MSDU aren't even attempted
if you're an 11n node.  It's a small hold-over from the initial
A-MPDU work and I know how to fix it, but to flip it on properly
I need to be able to negotiate or ignore A-MSDU in A-MPDU.

Oh and the fun part - some 11ac APs I've tested will quite happily
decap A-MSDU in A-MPDU even though they don't negotiate it when
doing 802.11n.  So hey, I know it works - I just want to properly
handle things. :-)

Tested:

* AR9380, STA/AP mode
2020-06-05 07:38:10 +00:00
Adrian Chadd
d20ff6e680 [net80211] Migrate short slot time configuration into per-vap and deferred taskqueue updates.
The 11b/11g ERP and slot time update handling are two things which weren't
migrated into the per-VAP state when Sam did the initial VAP work.
That makes sense for a lot of setups where net80211 is driving radio state
and the radio only cares about the shared state.

However, as noted by a now deleted comment, the ERP and slot time updates
aren't EXACTLY correct/accurate - they only take into account the most
RECENTLY created VAP, and the state updates when one creates/destroys
VAPs isn't exactly great.

So:

* track the short slot logic per VAP;
* whenever the slot time configuration changes, just push it into a deferred
  task queue update so drivers don't have to serialise it themselves;
* if a driver registers a per-VAP slot time handler then it'll just get the
  per VAP one;
* .. if a driver registers a global one then the legacy behaviour is maintained -
  a single slot time is calculated and pushed out.

Note that the calculated slot time is better than the existing logic - if ANY
of the VAPs require long slot then it's disabled for all VAPs rather than
whatever the last configured VAP did.

Now, this isn't entirely complete - the rest of ERP tracking around short/long
slot capable station tracking needs to be converted into per-VAP, as well
as the preamble/barker flags.  Luckily those also can be done in a similar
fashion - keep per-VAP counters/flags and unify them before doing the driver
update.  I'll defer that work until later.

All the existing drivers can keep doing what they're doing with the global
slot time flags as that is maintained. One driver (iwi) used the per-VAP
flags instead of the ic flags, so now that driver will work properly.

This unblocks some ath10k porting work as the firmware takes the slot time
configuration per-VAP rather than globally, and some firmware handles
STA+AP and STA+STA (on same/different channels) configurations where
the firmware will switch slot time as appropriate.

Tested:

* AR9380, STA/AP mode
* AR9880 (ath10k), STA mode
2020-06-05 06:21:23 +00:00
Adrian Chadd
7280f37401 [net80211] Add some TODOs around A-MSDU in A-MPDU negotiation.
net80211 currently doesn't negotiate A-MSDU in A-MPDU during ADDBA.
I've added the field in net80211 and this commit:

* Prints out the ADDBA field value during ADDBA;
* Adds some comments around where I need to follow up with some
  negotiation logic.

Right now we don't have a driver flag anywhere which controls
whether A-MSDU in A-MPDU is allowed.  I know it works (I have it
manually turned on at home on a couple test APs, heh!) but
I can't flip it on until we can negotiate it.

Tested:

* AR9380, STA/AP mode, printing out ADDBA requests
2020-06-05 06:07:23 +00:00
Adrian Chadd
60a9489509 [iwn] Set default ampdu parameters.
These are from the linux iwlwifi driver ;the default use smaller
maximum AMPDUs (8k) and a much smaller density (none.)  The latter
could cause stability issues.

Tested:

* Tested on Intel 6300, STA mode.

Differential Revision: https://reviews.freebsd.org/D25113
2020-06-05 04:24:34 +00:00
Adrian Chadd
83fbae0ca6 [net80211] Add field definition for A-MSDU inside A-MPDU.
Now that I have A-MSDU and A-MPDU coexisting together, we need to actually
announce if (a) it's permitted and (b) figure out if we should use it
when transmitting.

This just adds the field; it doesn't yet include it in ADDBA exchanges.
2020-06-05 04:04:47 +00:00
Alexander Motin
abab2155ed Limit AHCI to only one MSI if more is not needed.
My AMD Ryzen system has 4 AHCI controllers, each supporting 16 MSI vectors.
Since two of the controllers have only one SATA port, limit to single MSI
saves system 30 interrupt vectors for free.

It may be possible to also limit number of MSI vectors to 4 and 8 for the
other two controllers, but according to the AHCI specification after that
controllers may revert to only one vector, that would be a bigger loss to
risk.

MFC after:	2 weeks
2020-06-05 02:21:46 +00:00
Kirk McKusick
52488b5148 Further evaluation of the POSIX spec for fdatasync() shows that it
requires that new data on growing files be accessible. Thus, the
the fsyncdata() system call must update the on-disk inode when the
size of the file has changed.

This commit adds another inode update flag, IN_SIZEMOD, that gets
set any time that the file size changes. If either the IN_IBLKDATA
or the IN_SIZEMOD flag is set when fdatasync() is called, the
associated inode is synchronously written to disk. We could have
overloaded the IN_IBLKDATA flag to also track size changes since
the only (current) use case for these flags are for fsyncdata(),
but it does seem useful for possible future uses to separately
track the file size changes and the inode block pointer changes.

Reviewed by: kib
MFC with: -r361785
Differential revision:  https://reviews.freebsd.org/D25072
2020-06-05 01:00:55 +00:00
Adrian Chadd
a6ca7ce3c2 [net80211] Add some more debugging during scanning
I'm trying to chase down more weird "I am not doing an incremental scan
when being asked" issues so these debugging statements help.
Notably, I've added more debugging around reasons why the scan is skipped -
eg because the cache is considered hot.

This should be a no-op unless you care about the debugging output!
2020-06-05 00:16:54 +00:00
Adrian Chadd
998bd62c31 [net80211] Print out a bad PN in both hex and decimal.
I've been using this to visually identify when I'm getting corrupted PNs
from the hardware. :(
2020-06-05 00:14:02 +00:00
Adrian Chadd
0b5aeb89eb [net80211] Send a probe request after IBSS node discovery
This sends a probe request after IBSS node discovery through
beacon frames. This allows things like HT and VHT capabilities
to be "negotiated" in adhoc mode.

It is .. kinda fire and pray - this isn't retried after discovery
so it's quite possible that nodes occasionally don't come up with
HT/VHT rate upgrades. At some point it may be a fun side project
to add support for retrying these probe requests/negotiations
after IBSS node discovery.

Tested:

* tested with multiple ath(4) NICs in 11n mode.

Differential Revision:	https://reviews.freebsd.org/D24979
2020-06-05 00:11:44 +00:00
John Baldwin
00a4311adc Refer to AES-CBC as "aes-cbc" rather than "rijndael-cbc" for IPsec.
At this point, AES is the more common name for Rijndael128.  setkey(8)
will still accept the old name, and old constants remain for
compatiblity.

Reviewed by:	cem, bcr (manpages)
MFC after:	2 weeks
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24964
2020-06-04 22:58:37 +00:00
John Baldwin
82785a3cc8 Update crypto(7) to list current ciphers.
Add descriptions of AES-CCM, Camellia-CBC, and Chacha20.

Reviewed by:	cem (previous version)
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24963
2020-06-04 22:16:19 +00:00
Mitchell Horne
7814aaf5a9 Document upgrade procedure in FREEBSD-upgrade
It was pointed out to me that this is the convention for documenting upgrade
instructions, rather than just leaving the instructions in the commit message.
It's possible these commands won't be used again before we transition to git,
but then at least they'll give a path forward for whoever touches this next.

Suggested by:	lwhsu
2020-06-04 20:48:57 +00:00
Richard Scheffenegger
f4b4526f23 Add O_DIRECT flag to DD for cache bypass
FreeBSD DD utility has not had support for the O_DIRECT flag, which
is useful to bypass local caching, e.g. for unconditionally issuing
NFS IO requests during testing.

Reviewed by:	rgrimes (mentor)
Approved by:	rgrimes (mentor, blanket)
MFC after:	3 weeks
Sponsored by:	NetApp, Inc.
Differential Revision:	https://reviews.freebsd.org/D25066
2020-06-04 20:47:11 +00:00
Eric Joyner
51569bd793 em(4): Add support for Comet Lake Mobile Platform, update shared code
This change introduces Comet Lake Mobile Platform support in the e1000
driver along with shared code patches described below.

- Cast return value of e1000_ltr2ns() to higher type to avoid overflow
- Remove useless statement of assigning act_offset
- Add initialization of identification LED
- Fix flow control setup after connected standby:
  After connected standby the driver blocks resets during
  "AdapterStart" and skips flow control setup. This change adds
  condition in e1000_setup_link_ich8lan() to always setup flow control
  and to setup physical interface only when there is no need to block
  resets.

Signed-off-by: Piotr Pietruszewski <piotr.pietruszewski@intel.com>

Submitted by:	Piotr Pietruszewski <piotr.pietruszewski@intel.com>
Reviewed by:	erj@
Tested by:	Jeffrey Pieper <jeffrey.e.pieper@intel.com>
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Intel Corporation
Differential Revision:	https://reviews.freebsd.org/D25035
2020-06-04 20:39:28 +00:00
John Baldwin
080933c050 Use separate output buffers for OCF requests in KTLS.
KTLS encryption requests for file-backed data such as from sendfile(2)
require the encrypted data to be stored in a separate buffer from the
unencrypted file input data.  Previously the OCF backend for KTLS
manually copied the data from the input buffer to the output buffer
before queueing the crypto request.  Now the OCF backend will use a
separate output buffer for such requests and avoid the copy.  This
mostly helps when an async co-processor is used by saving CPU cycles
used on the copy.

Reviewed by:	gallatin (earlier version)
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545
2020-06-04 20:12:34 +00:00
Stefan Eßer
23e84cf153 Fix obvious typo: IN_BLKDATA should be IN_IBLKDATA 2020-06-04 19:54:25 +00:00
Mitchell Horne
3245fa215a Update edk2 headers to stable202005
We use these to compile libefivar. The particular motivation for this update is
the inclusion of the RISC-V machine definitions that allow us to build the
library on the platform. This support could easily have been submitted as a
small local diff, but the timing of the release coincided with this work, and
it has been over 3 years since these sources were initially imported.

Note that this comes with a license change from regular BSD 2-clause to the
BSD+Patent license. This has been approved by core@ for this particular
project [1].

As with the original import, we retain only the subset of headers that we
actually need to build libefivar. I adapted imp@'s process slightly for this
update:

    # Generate list of the headers needed to build
    cp -r ../vendor/edk2/dist/MdePkg/Include sys/contrib/edk2
    cd lib/libefivar
    make
    pushd `make -V .OBJDIR`
    cat .depend*.o | grep sys/contrib | cut -d' ' -f 3 |
        sort -u | sed -e 's=/full/path/sys/contrib/edk2/==' > /tmp/xxx
    popd

    # Merge the needed files
    cd ../../sys/contrib/edk2
    svn revert -R .
    for i in `cat /tmp/xxx`; do
        svn merge -c VendorRevision svn+ssh://repo.freebsd.org/base/vendor/edk2/dist/MdePkg/$i $i
    done
    svn merge -c VendorRevision svn+ssh://repo.freebsd.org/base/vendor/edk2/dist/MdePkg/MdePkg.dec MdePkg.dec

[1] https://www.freebsd.org/internal/software-license.html
2020-06-04 19:21:41 +00:00
Kirk McKusick
30296c428a Two additional places that need to identify IN_IBLKDATA.
Reviewed by: kib
MFC with: -r361785
Differential Revision:  https://reviews.freebsd.org/D25072
2020-06-04 18:35:21 +00:00
Kyle Evans
9b16365fca RELNOTES and UPDATING: Document the new policy on read(2) of dirfd
These changes have been completely flushed as of r361799; note it.
2020-06-04 18:19:16 +00:00
Kyle Evans
63619b6dba vfs: add restrictions to read(2) of a directory [2/2]
This commit adds the priv(9) that waters down the sysctl to make it only
allow read(2) of a dirfd by the system root. Jailed root is not allowed, but
jail policy and superuser policy will abstain from allowing/denying it so
that a MAC module can fully control the policy.

Such a MAC module has been written, and can be found at:
https://people.freebsd.org/~kevans/mac_read_dir-0.1.0.tar.gz

It is expected that the MAC module won't be needed by many, as most only
need to do such diagnostics that require this behavior as system root
anyways. Interested parties are welcome to grab the MAC module above and
create a port or locally integrate it, and with enough support it could see
introduction to base. As noted in mac_read_dir.c, it is released under the
BSD 2 clause license and allows the restrictions to be lifted for only
jailed root or for all unprivileged users.

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:17:25 +00:00
Kyle Evans
dcef4f65ae vfs: add restrictions to read(2) of a directory [1/2]
Historically, we've allowed read() of a directory and some filesystems will
accommodate (e.g. ufs/ffs, msdosfs). From the history department staffed by
Warner: <<EOF

pdp-7 unix seemed to allow reading directories, but they were weird, special
things there so I'm unsure (my pdp-7 assembler sucks).

1st Edition's sources are lost, mostly. The kernel allows it. The
reconstructed sources from 2nd or 3rd edition read it though.

V6 to V7 changed the filesystem format, and should have been a warning, but
reading directories weren't materially changed.

4.1b BSD introduced readdir because of UFS. UFS broke all directory reading
programs in 1983. ls, du, find, etc all had to be rewritten. readdir() and
friends were introduced here.

SysVr3 picked up readdir() in 1987 for the AT&T fork of Unix. SysVr4 updated
all the directory reading programs in 1988 because different filesystem
types were introduced.

In the 90s, these interfaces became completely ubiquitous as PDP-11s running
V7 faded from view and all the folks that initially started on V7 upgraded
to SysV. Linux never supported this (though I've not done the software
archeology to check) because it has always had a pathological diversity of
filesystems.
EOF

Disallowing read(2) on a directory has the side-effect of masking
application bugs from relying on other implementation's behavior
(e.g. Linux) of rejecting these with EISDIR across the board, but allowing
it has been a vector for at least one stack disclosure bug in the past[0].

By POSIX, this is implementation-defined whether read() handles directories
or not. Popular implementations have chosen to reject them, and this seems
sensible: the data you're reading from a directory is not structured in some
unified way across filesystem implementations like with readdir(2), so it is
impossible for applications to portably rely on this.

With this patch, we will reject most read(2) of a dirfd with EISDIR. Users
that know what they're doing can conscientiously set
bsd.security.allow_read_dir=1 to allow read(2) of directories, as it has
proven useful for debugging or recovery. A future commit will further limit
the sysctl to allow only the system root to read(2) directories, to make it
at least relatively safe to leave on for longer periods of time.

While we're adding logic pertaining to directory vnodes to vn_io_fault, an
additional assertion has also been added to ensure that we're not reaching
vn_io_fault with any write request on a directory vnode. Such request would
be a logical error in the kernel, and must be debugged rather than allowing
it to potentially silently error out.

Commented out shell aliases have been placed in root's chsrc/shrc to promote
awareness that grep may become noisy after this change, depending on your
usage.

A tentative MFC plan has been put together to try and make it as trivial as
possible to identify issues and collect reports; note that this will be
strongly re-evaluated. Tentatively, I will MFC this knob with the default as
it is in HEAD to improve our odds of actually getting reports. The future
priv(9) to further restrict the sysctl WILL NOT BE MERGED BACK, so the knob
will be a faithful reversion on stable/12. We will go into the merge
acknowledging that the sysctl default may be flipped back to restore
historical behavior at *any* point if it's warranted.

[0] https://www.freebsd.org/security/advisories/FreeBSD-SA-19:10.ufs.asc

PR:		246412
Reviewed by:	mckusick, kib, emaste, jilles, cy, phk, imp (all previous)
Reviewed by:	rgrimes (latest version)
MFC after:	1 month (note the MFC plan mentioned above)
Relnotes:	absolutely, but will amend previous RELNOTES entry
Differential Revision:	https://reviews.freebsd.org/D24596
2020-06-04 18:09:55 +00:00
Oleksandr Tymoshenko
c847212986 Remove licenses
I haven't requested explicit permission from authors and shouldn't have
added BSDL headers without it.

Requestes by:	imp
2020-06-04 17:20:58 +00:00
Mark Johnston
0006082054 dhclient: Fix a logic bug remove_protocol().
A logic bug in remove_protocol() meant that it would remove (leak) all
structures in the list preceding the one intended for removal.

PR:		245971
Submitted by:	joost@jodocus.org (original version)
MFC after:	1 week
2020-06-04 16:24:13 +00:00
Mark Johnston
e9ee2675cb Update vt(4) config option names to chase r303043.
PR:		246080
Submitted by:	David Marec <david@lapinbilly.eu>
MFC after:	1 week
2020-06-04 16:05:24 +00:00
Conrad Meyer
a35bc248fd Restrict default /root permissions
Remove world-readability from the root directory.  Sensitive information may be
stored in /root and we diverge here from normative administrative practice, as
well as installation defaults of other Unix-alikes.  The wheel group is still
permitted to read the directory.

750 is no more restrictive than defaults for the rest of the open source
Unix-alike world.  In particular, Ben Woods surveyed DragonFly, NetBSD,
OpenBSD, ArchLinux, CentOS, Debian, Fedora, Slackware, and Ubuntu.  None have a
world-readable /root by default.

Submitted by:	Gordon Bergling <gbergling AT gmail.com>
Reviewed by:	ian, myself
Discussed with:	emaste (informal approval)
Relnotes:	sure?
Differential Revision:	https://reviews.freebsd.org/D23392
2020-06-04 16:04:19 +00:00