The debug print in nvme_opc_get_log_page() would print an uninitialized
local variable.
In nvme_opc_write_read(), a failed LBA bounds check would cause
pci_nvme_stats_write_read_update() to be called with an uninitialized
variable as a parameter. Although the parameter is unused when the
check fails (and so status != 0), LLVM 14 emits some bogus machine code
in this path, which happens to result in a segfault when it gets
executed.
PR: 265749
Reviewed by: chuck, emaste
Sponsored by: The FreeBSD Foundation
(cherry picked from commit b6ecef28bf)
Currently these are not reported because bhyve is compiled with WARNS=2.
Let's start taking small steps towards enabling more warnings.
No functional change intended.
Reviewed by: chuck, imp, emaste
Sponsored by: The FreeBSD Foundation
(cherry picked from commit af86d12c80)
Classify VLAN devices as ethernet in rdma_copy_addr().
This fixes the following error message:
rdma_bind_addr: No such file or directory
Submitted by: Piotr Kubaj <pkubaj@FreeBSD.org>
Differential Revision: https://reviews.freebsd.org/D36120
Sponsored by: NVIDIA Networking
(cherry picked from commit 57af517ac4)
Fixes INVARIANTS build with Clang 15, which previously failed due to
set-but-not-used variable warnings.
Reviewed by: dim
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36097
(cherry picked from commit 7dc4d5118c)
Fixes INVARIANTS build with Clang 15, which previously failed due to
set-but-not-used variable warnings.
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36096
(cherry picked from commit 0fd8d3589a)
Fixes INVARIANTS build with Clang 15, which previously failed due to
set-but-not-used variable warnings.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 3471fcf3a4)
Use memset instead of bzero, memcpy instead of bcopy, and add some
optional {}s.
Reviewed by: kp
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36267
(cherry picked from commit 6b598e263b)
iommu_gas_augment_entry updates a map entry element. Invoked as
RB_AUGMENT in RB tree code, it is applied from the point where the
tree is modified, all the way up to the root, and is also applied when
rotation moves a node down in the tree.
There are several opportunities to invoke it less. The automatic
augmentation with every rotation is a mistake. Delaying these
augmentations until RB_INSERT_COLOR or RB_REMOVE_COLOR are finishing
allows the augmentation code to be duplicated less, to work when there
is less register pressure, and to be skipped when conditions allow it:
- In the double-rotate case of RB_INSERT_COLOR, augmentation after
  the first rotation is not necessary when the element being moved
  down the tree becomes a leaf. It was in the tree, and was a leaf,
  before the RB_INSERT operation began, and so recomputing
  augmentation for it would do nothing.
- In the final (possibly only) rotation of RB_REMOVE_COLOR, both the
  elements - the one moving up and the one moving down - end up in
  the path from the deletion point to the tree root, so there's no
  need to augment either of them immediately.
- In RB_REMOVE, when the right child of the removed node replaces it
  in tree, it began with a null left child. Replacement creates a
  non-NULL left child, and then rotation may put a NULL node back in
  that place. If that happens, start the augmenting-up-to-root with
  the parent of that node, since augmentation would do nothing.
Adjust to avoid these needless augmentations.
Reviewed by: alc
MFC after: 3 weeks
Differential Revision: https://reviews.freebsd.org/D35502
(cherry picked from commit 7f2ec173e4)
Reject attempts to map host physical address ranges that are not
subsets of a passthrough device's BAR into a guest.
Reviewed by: markj, emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36238
(cherry picked from commit c94f30ea85)
Permit naming pass through devices using the syntax accepted by
pciconf (pci[<domain>:]<bus>:<slot>:<func>) as well as by device name
(e.g. "ppt0").
While here, fix an error in the manpage that had the bus and slot
arguments for the original /-delimited scheme swapped.
Reviewed by: imp, markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36147
(cherry picked from commit baf753cc19)
Certain operations such as checksum insertion and VLAN insertion
require the device model to rewrite the packet header. The first step
in rewriting the packet header is to copy the existing packet header
from the source packet. This copy is done by copying data from an
iovec array that corresponds to the S/G entries described by transmit
descriptors. However, if the total packet length is smaller than the
headers that need to be copied as the initial template, this copy can
overflow the iovec array and use garbage values as the source pointer
to memcpy. The PR used a single descriptor with a length of 0 in its
PoC.
To fix, track the total packet length and drop requests to transmit
packets whose payload is smaller than the required header length.
While here, fix another issue where the final descriptor could have an
invalid length (too short) that could underflow 'len' when stripping
the checksum. Skip those requests instead, too.
PR: 264372
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: grehan, markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36182
(cherry picked from commit fa46f3704b)
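
The two length checks described in the commit message above, as an added example that is not taken from the commit or from the bhyve source. The function name, parameters and CSUM_LEN are hypothetical, and the zero-length descriptor in main() is constructed sample input.

```c
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

#define CSUM_LEN 4	/* assumed size of the trailing checksum that gets stripped */

/*
 * Copy the first hdrlen bytes of a scatter/gather packet into hdr, the
 * template for the rewritten header.  Returns 0 on success, or -1 when the
 * request must be dropped.  All names here are hypothetical.
 */
int
copy_header_template(const struct iovec *iov, int iovcnt, size_t hdrlen,
    int strip_csum, unsigned char *hdr)
{
	size_t total = 0, done = 0, n;

	if (iovcnt <= 0)
		return (-1);
	for (int i = 0; i < iovcnt; i++)
		total += iov[i].iov_len;	/* track the total packet length */
	/* Without this check the copy loop would read past iov[iovcnt - 1]. */
	if (total < hdrlen)
		return (-1);
	/* A too-short final segment would make "len -= CSUM_LEN" wrap. */
	if (strip_csum && iov[iovcnt - 1].iov_len < CSUM_LEN)
		return (-1);
	for (int i = 0; done < hdrlen; i++) {
		n = iov[i].iov_len;
		if (n > hdrlen - done)
			n = hdrlen - done;
		if (n > 0)
			memcpy(hdr + done, iov[i].iov_base, n);
		done += n;
	}
	return (0);
}

int
main(void)
{
	unsigned char hdr[14];
	struct iovec poc = { .iov_base = NULL, .iov_len = 0 };	/* constructed */

	/* A single zero-length descriptor is dropped instead of copied. */
	printf("zero-length packet: %d\n",
	    copy_header_template(&poc, 1, sizeof(hdr), 0, hdr));
	return (0);
}
```
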
This avoids type confusion where a malicious guest could rewrite the
MaxPStreams field in an endpoint context after the endpoint was
initialized causing the device model to interpret a guest provided
address (stored in ep_ringaddr of the "software" endpoint state) as a
bhyve host process address (ep_sctx_trbs). It also prevents a malicious
guest from triggering overflows of ep_sctx_trbs[] by increasing the
number of streams after the endpoint has been initialized.
Rather than re-reading the MaxPStreams value out of the endpoint context
in guest memory on subsequent operations, cache the value in the software
endpoint state. Possibly the device model should raise errors if the
value of MaxPStreams changes while an endpoint is running. This approach
simply ignores any such changes by the guest.
PR: 264294, 264347
Reported by: Robert Morris <rtm@lcs.mit.edu>
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D36181
(cherry picked from commit e7439f6aeb)
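
The caching approach described in the commit message above, reduced to a small model; this is an added example, not code from the commit or from the bhyve source. The struct layouts, function names and the 256-stream cap are assumptions, and the model treats the guest field as a plain stream count.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum ring_kind { RING_REJECT, RING_GUEST_ADDR, RING_HOST_STREAM };

struct guest_ep_ctx {			/* lives in guest-writable memory */
	volatile uint32_t max_pstreams;	/* simplified: holds a stream count */
};
struct soft_ep {			/* host-private device-model state */
	uint32_t nstreams;		/* cached once, at endpoint init */
	uint64_t ringaddr;		/* guest address (no streams) */
	uint64_t *stream_rings;		/* host array of nstreams entries */
};

int
ep_init(struct soft_ep *ep, const struct guest_ep_ctx *ctx, uint64_t gaddr)
{
	uint32_t n = ctx->max_pstreams;	/* the only read of the guest field */

	if (n > 256)			/* cap assumed for this model */
		return (-1);
	ep->nstreams = n;
	ep->ringaddr = gaddr;
	ep->stream_rings = n != 0 ? calloc(n, sizeof(uint64_t)) : NULL;
	return (n != 0 && ep->stream_rings == NULL ? -1 : 0);
}

/* How the ring for stream sid is reached, for a given stream count. */
enum ring_kind
classify(uint32_t nstreams, uint32_t sid)
{
	if (nstreams == 0)
		return (RING_GUEST_ADDR);
	return (sid < nstreams ? RING_HOST_STREAM : RING_REJECT);
}

int
main(void)
{
	struct guest_ep_ctx ctx = { .max_pstreams = 0 };	/* constructed */
	struct soft_ep ep;

	if (ep_init(&ep, &ctx, 0x1000) != 0)
		return (1);
	ctx.max_pstreams = 64;		/* guest rewrites the field later */
	/* Re-reading selects a host array that was never allocated. */
	printf("re-read: %d\n", classify(ctx.max_pstreams, 40));
	/* The cached count still treats ringaddr as a guest address. */
	printf("cached:  %d\n", classify(ep.nstreams, 40));
	return (0);
}
```
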
This doesn't matter for real traffic but fixes failures in the KTLS
unit tests that use unusual record types.
Sponsored by: Chelsio Communications
(cherry picked from commit 782db2881b)
Round down the maximum ISO payload by the current MSS. Otherwise the
round up by MSS when calculating the 16-bit maximum payload len passed
along in the FLOWC work request can overflow.
Discussed with: np
Sponsored by: Chelsio Communications
(cherry picked from commit 8020c05683)
As per Utility Syntax Guidelines, accept both forms: -l -n and -ln.
To do that, anticipate the source string for the next option that will
be parsed by nextopt(). It's not always *argptr, sometimes it is
nextopt_optptr.
To simplify the check for not_fcnumber, slightly modify nextopt() to
always nullify nextopt_optptr in cases where it would have been set
to point to a NUL character.
(cherry picked from commit 755a1be6d0)
The main change was v1.57 by djm@:
Randomise the rekey interval a little. Previously, the chacha20
instance would be rekeyed every 1.6MB. This makes it happen at a
random point somewhere in the 1-2MB range.
Reviewed by: csprng (markm, cem)
Differential Revision: https://reviews.freebsd.org/D36088
(cherry picked from commit e9a2e4d1d2)
The new tests exercise simulated COW that occurs when the protections on
a wired, copy-on-write mapping are changed from read-only to read-write.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 1dfa8b73f6)
Mark them const as well when it makes sense to do so. No functional
change intended.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 37045dfa89)
Here, the provider is responsible for updating the trapframe to redirect
control flow and for computing the return address. Once software-saved
registers are restored, the emulation shifts the remaining context down
on the stack to make space for the return address, then copies the
address provided by the invop handler. dtrace_invop() is modified to
allocate temporary storage space on the stack for use by the provider to
return the return address.
This is to support a new provider for amd64 which can instrument
arbitrary instructions, not just function entry and exit instructions as
FBT does.
In collaboration with: christos
Sponsored by: Google, Inc. (GSoC 2022)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 3ba8e9dc4a)
dtrace invop handlers have access to the whole trapframe, just use that
to extract %rax/%eax for return probes instead of relying on an
additional parameter to the handler. No functional change intended.
Sponsored by: The FreeBSD Foundation
(cherry picked from commit a7aa3d4d75)