During recent testing related to the IETF NFSv4 Bakeathon, it was
discovered that Kerberized NFSv4.1/4.2 mounts to pNFS servers
(sec=krb5[ip],pnfs mount options) was broken.
The FreeBSD client was using the "service principal" for
the MDS to try and establish a rpcsec_gss credential for a DS,
which is incorrect. (A "service principal" looks like
"nfs@<fqdn-of-server>" and the <fqdn-of-server> for the DS is not
the same as the MDS for most pNFS servers.)
To fix this, the rpcsec_gss code needs to be able to do a
reverse DNS lookup of the DS's IP address. A new kgssapi upcall
to the gssd(8) daemon is added by this patch to do the reverse DNS
along with a new rpcsec_gss function to generate the "service
principal".
A separate patch to the gssd(8) will be committed, so that this
patch will fix the problem. Without the gssd(8) patch, the new
upcall fails and current/incorrect behaviour remains.
This bug only affects the rare case of a Kerberized (sec=krb5[ip],pnfs)
mount using pNFS.
This patch changes the internal KAPI between the kgssapi and
nfscl modules, but since I did a version bump a few days ago,
I will not do one this time.
(cherry picked from commit dd7d42a1fae5a4879b62689a165238082421f343)
A future commit needs a new upcall function that can do reverse
DNS in order to generate a "service principal".
This patch adds the file.
(cherry picked from commit 428879dc9110240ad0940c7ac8cd69bcaf6e686e)
xpt_path_string() is now a wrapper around xpt_path_sbuf(). Using it
to than concatenate result to another sbuf makes no sense. Just call
xpt_path_sbuf() directly.
MFC after: 1 month
(cherry picked from commit 8c4ee0b22c98fc1e208dd133f617bd329cd10728)
Most all of the memory used by the cards in the mpr(4) and mps(4)
drivers is required, according to the specs and Broadcom developers,
to be within a 4GB segment of memory.
This includes:
System Request Message Frames pool
Reply Free Queues pool
ReplyDescriptorPost Queues pool
Chain Segments pool
Sense Buffers pool
SystemReply message pool
We got a bug report from Dwight Engen, who ran into data corruption
in the BAE port of FreeBSD:
> We have a port of the FreeBSD mpr driver to our kernel and recently
> I found an issue under heavy load where a DMA may go to the wrong
> address. The test system is a Supermicro X10SRH-CLN4F with the
> onboard SAS3008 controller setup with 2 enterprise Micron SSDs in
> RAID 0 (striped). I have debugged the issue and narrowed down that
> the errant DMA is one that has a segment that crosses a 4GB
> physical boundary. There are more details I can provide if you'd
> like, but with the attached patch in place I can no longer
> re-create the issue.
> I'm not sure if this is a known limit of the card (have not found a
> datasheet/programming docs for the chip) or our system is just
> doing something a bit different. Any helpful info or insight would
> be welcome.
> Anyway, just thought this might be helpful info if you want to
> apply a similar fix to FreeBSD. You can ignore/discard the commit
> message as it is my internal commit (blkio is our own tool we use
> to write/read every block of a device with CRC verification which
> is how I found the problem).
The commit message was:
> [PATCH 8/9] mpr: fix memory corrupting DMA when sg segment crosses
> 4GB boundary
> Test case was two SSD's in RAID 0 (stripe). The logical disk was
> then partitioned into two partitions. One partition had lots of
> filesystem I/O and the other was initially filled using blkio with
> CRCable data and then read back with blkio CRC verify in a loop.
> Eventually blkio would report a bad CRC block because the physical
> page being read-ahead into didn't contain the right data. If the
> physical address in the arq/segs was for example 0x500003000 the
> data would actually be DMAed to 0x400003000.
The original patch was against mpr(4) before busdma templates were
introduced, and only affected the buffer pool (sc->buffer_dmat) in
the mpr(4) driver. After some discussion with Dwight and the
LSI/Broadcom developers and looking through the driver, it looks
like most of the queues in the driver are ok, because they limit
the memory used to memory below 4GB. The buffer queue and the chain
frames seem to be the exceptions.
This is pretty much the same between the mpr(4) and mps(4) drivers.
So, apply a 4GB boundary limitation for the buffer and chain frame pools
in the mpr(4) and mps(4) drivers.
Reported by: Dwight Engen <dwight.engen@gmail.com>
Reviewed by: imp
Obtained from: Dwight Engen <dwight.engen@gmail.com>
Differential Revision: <https://reviews.freebsd.org/D43008>
(cherry picked from commit 264610a86e14f8e123d94c3c3bd9632d75c078a3)
syzbot reported a single boot-time crash in g_event_procbody(), a page
fault when dereferencing g_event_td. g_event_td is initialized by the
kproc_kthread_add() call which creates the GEOM event thread:
kproc_kthread_add(g_event_procbody, NULL, &g_proc, &g_event_td,
RFHIGHPID, 0, "geom", "g_event");
I believe that the caller of kproc_kthread_add() was preempted after
adding the new thread to the scheduler, and before setting *newtdp,
which is equal to g_event_td. Thus, since the first action of the GEOM
event thread is to lock itself, it ended up dereferencing a NULL
pointer.
Fix the problem simply by initializing *newtdp earlier. I see no harm
in that, and it matches kproc_create1(). The scheduler provides
sufficient synchronization to ensure that the store is visible to the
new thread, wherever it happens to run.
Reported by: syzbot+5397f4d39219b85a9409@syzkaller.appspotmail.com
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42986
(cherry picked from commit ae77041e0714627f9ec8045ca9ee2b6ea563138e)
The VFP code expects the kernel to boot with VFP disabled, but some
boards will boot with it enabled. Make sure that vfp_init() disables
the VFP on each CPU during boot.
PR: 273752
Reviewed by: andrew
Diagnosed by: Thomas Skibo <thomas-bsd@skibo.net>
MFC after: 1 week
(cherry picked from commit ce2f34ade8b787b068085fa8a8ddd295b06c2737)
vfp_bounce() is called when handling an undefined instruction exception,
to see if we need to enable the VFP. Previously it would
unconditionally panic if the exception came from the kernel, which was
simply wrong, and it did not permit lazy initialization of VFP state in
the kernel. However, this functionality can be useful and is supported
by arm's fpu_kern_enter() implementation. Thus, relax assertions and
consume the exception if the thread was in an FPU section.
Based on a patch from Stormshield.
Reviewed by: andrew
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D42971
(cherry picked from commit 03a07de0d5ee7d58069152070c42d55f7ec32b7c)
Only panic if no undefined instruction handler matched the exception.
This can arise in practice if the VFP is enabled lazily.
While here, fix the panic string to not include a newline.
Reviewed by: andrew
Obtained from: Stormshield
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D42970
(cherry picked from commit ecc2e6deae71b69a30bf3b7e3354aba002a37d69)
This enables the use of some out-of-tree crypto libraries on arm.
No functional change intended, there are no callers of this function in
the tree currently.
Reviewed by: andrew
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D42969
(cherry picked from commit a6a481eaa2e0f02e24b874f1a08bb494a68972c0)
Commit 6aded1e6b2e5 fixed a rare case when handling an NFSv4
Rename reply when delegations are in use. This patch fixes the
associated comment.
(cherry picked from commit 0a958aa16fed1978879d64e3b225f1d232cc5a98)
When delegations are enabled (they are not by default in
the FreeBSD NFSv4 server), rename will check for and return
delegations. If the second of these DelegReturn operations
were to fail (they rarely do), then the code would not retry
the rename with returning delegations, as it is intended to do.
The patch fixes the problem, since the DelegReturn reply status
is the second iteration of the loop and not the first iteration.
As noted, this bug would have rarely manifested a problem, since
DelegReturn operations do not normally fail.
(cherry picked from commit 6aded1e6b2e5549120031032e1c7f8b002882327)
Improve Proportional Rate Reduction (RFC6937) by using a
heuristic, which automatically chooses between
conservative CRB and more aggressive SSRB modes.
Only when snd_una advances (a partial ACK), SSRB may be
used. Also, that ACK must not have any indication of
ongoing loss - using the addition of new holes into the
scoreboard as proxy for such an event.
MFC after: 4 weeks
Reviewed By: #transport, kbowling, rrs
Sponsored By: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D28822
(cherry picked from commit 49a6fbe38728173da74d5b497f700178e2a6c830)
Inherit the setting from the listener socket in syncache_socket.
MFC after: 2 weeks
Reviewed By: tuexen, #transport
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42874
(cherry picked from commit f071abd92e726fc12e9256662e1f286f364252ee)
This grows the block enough to fit a 4K 32-bit depth framebuffer; some
firmware would present smaller GOP modes to be able to boot with a
smaller framebuffer on these devices, but the Windows Devkit firmware
is simply not that nice. Instead, it offers exactly one GOP mode that
matches the current resolution of the attached display, so with limited
control over resolution on most of my displays it'd be nice if we could
Just Work(TM) at 4K.
andrew notes that he has some ideas for removing PMAP_MAPDEV_EARLY_SIZE
entirely, so this limitation could end up removed altogether in the
future.
Reviewed by: andrew, emaste
(cherry picked from commit a3ceeef26bc880b86f4e181bddd9924a2b5e0691)
This was handy for some ad-hoc debugging and fits in with other
kmsan_check_*() routines which operate on some kind of data container.
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit be5464ae233ada46a778cc82f7107a10a7d5343b)
Four pad bytes at the end of each xtty structure were not being cleared
before being copied out. Fix this by clearing the whole structure
before populating fields.
MFC after: 3 days
Reported by: KMSAN
(cherry picked from commit 3c0fb026b2fc998fa9bea8aed76e96c58671aee3)
Ensure that the vnet list cannot be modified while we're running through
it.
Reviewed by: mjg (previous version), zlei (previous version)
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D42927
(cherry picked from commit bd7b2f95019e9715150c34736279805de0818d09)
Don't let PRR pass up on the opportunity of clocking
out packets on arrival of ACKs - by pulling sends
forward by about half a packet. Prevents unexpectedly
long runs of incoming ACKs without eliciting a
packet transmission.
MFC after: 1 week
Reviewed By: #transport, tuexen
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D42918
(cherry picked from commit 9276ad23b872eddc42e05304acb10bf5421b043c)
The various time fields are time_t's which are only 32-bit on i386.
Fixing the old versions is probably of little use, but it's more correct
and in theory there could be powerpc binaries from 6.x.
PR: 240035
Fixes: fbb273bc05 Properly support for FreeBSD 4 32bit System V shared memory.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D42870
(cherry picked from commit 957f014dc076a7f74ed0c8c8699e6f39b55785e7)
We only want to produce syscall.mk for the main syscall table so default
to not producing it (send it to /dev/null) and add a syscalls.conf to
sys/kern to trigger the creation of sys/sys/syscall.mk. This eliminates
the need for entries in other syscalls.conf files and is a cleaner
pattern going forward.
Reviewed by: kevans, imp
Differential Revision: https://reviews.freebsd.org/D42663
(cherry picked from commit 54d487c4d01d68ef0ac03eae1fc574f7533d46f6)
Replace int with either size_t or ssize_t (depending on context) in
order to support bit strings up to SSIZE_MAX bits in length. Since
some of the arguments that need to change type are pointers, we must
resort to light preprocessor trickery to avoid breaking existing code.
MFC after: 3 weeks
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D42698
(cherry picked from commit c56f45f2a9da7d989b79fd6c34b63100609ff9ae)
Approved by: so
Security: SA-23:18.nfsclient
Reviewed by: rmacklem
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 6fa843f6e647a1a1e0e42af1e7abc9e903699f31)
struct siba_bhndb_softc embeds struct siba_softc and adds an extra
field, "quirks". In practice, this bug was harmless since "quirks" is
unconditionally initialized during driver attach and would have lived in
the redzone of the softc allocation, but KASAN catches the out-of-bounds
access.
PR: 275515
Reported by: Frank Hilgendorf <frank.hilgendorf@posteo.de>
MFC after: 1 week
(cherry picked from commit 4c3aa00c0a0093c78f42d138bb9eef9b1a7cbb39)
Otherwise the field is left uninitialized, leading to a possible kernel
memory disclosure to userspace or to the network. Use the same
initialization value we use in zfsctl_common_getattr().
Reported-by: KMSAN
Sponsored-by: The FreeBSD Foundation
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Reviewed-by: Ed Maste <emaste@FreeBSD.org>
Signed-off-by: Mark Johnston <markj@FreeBSD.org>
(cherry picked from commit 11656234b560c401dec6a16e1bf048b20fd31aac)
Use u_long for memory accesses instead of uint32_t. On my tests on
amd64 this by ~30% reduces time spent in those functions thanks to
bigger 64bit accesses. i386 still uses 32bit accesses.
MFC after: 1 month
(cherry picked from commit 7c566d6cfc7bfb913bad89d87386fa21dce8c2e6)
It is possible to reach this function from ddb via the "reset" command.
When this happens, we don't actually exit kdb, meaning we never execute
the latter steps of kdb_break() to restore the system state (e.g.
re-enable scheduler).
Therefore, we should not clear the kdb_active flag in this function, as
the debugger is still active. Put differently, kern_reboot() is not an
authority on kdb state, and should not touch it. The original motivation
for this assignment is not clear; I have checked thoroughly and I am
convinced it is not required by any reset code.
This fixes an edge case where a panic can be triggered during reset from
ddb:
1. Enter ddb via keyboard break sequence (KERNEL_PANICKED() == false &&
td->td_critnest > 0)
2. Execute the "reset" command
3. kern_reboot() sets kdb_active = false
4. A witness_checkorder() call via shutdown handler sees !kdb_active
and panics
Reviewed by: imp, markj
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42684
(cherry picked from commit 4e78a766f607192698514d970ff4e9fa91d0482d)
This is to handle the case where the system has not panicked but the
debugger is active, where we still can't wait for thread termination.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42683
(cherry picked from commit 960612a19f009df602a4cb008fa90a45a6e869bb)
It is desirable to shut down the raid controller even in the face of a
panic. In the SCHEDULER_STOPPED() case, set the interrupt mask bits so
that we request a polled wait, rather than sleep(), from
iop_queue_wait_msg().
Tweak the function name and signature.
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42337
(cherry picked from commit c4dacfa7f4b82f23ec0924d9db772860b2066f9b)
(cherry picked from commit f97aab79868cd7d891c52b14bd964523fa56f015)
Don't attempt to service reconnections if RB_NOSYNC is set. More
crucially, don't do it if the scheduler is stopped, as the maintenance
thread will never run again.
Reviewed by: jhb
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42342
(cherry picked from commit 2ce1c45b3411410a5d0a4d08198a3b0010d493b7)
RB_HALT does not mean poweroff, RB_POWEROFF does.
Reviewed by: jhibbits
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42339
(cherry picked from commit 41e26e8288f1743c8584e5f9c461d36dce1cccc6)
Don't try to gracefully terminate the pkt_manager thread if the
scheduler is not running.
We should not attempt to shutdown ald if RB_NOSYNC is set, and must not
if the scheduler is stopped (the function calls wakeup()).
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42340
(cherry picked from commit d79a9edb5ce162c1ba49e12e5c93b894e6a25ad2)
Make better use of the shutdown flags. In particular this now handles
standard reboot where RB_POWERCYCLE is not set, and indicates a crash
when the system has panicked.
While here, give the function a prefix.
Reviewed by: royger, markj
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42343
(cherry picked from commit 9e0b0f5de67fd46bddf0e12ef7b71d76a7ec1667)
In this case, just return.
Reviewed by: markj
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42341
(cherry picked from commit 9d61fd08499609a2c95d1c66f97587932b446f06)
Ensure they are all panic/debugger safe.
Most handlers for this event are for disk drivers/geom modules. There
are a mix of checks being used here (or not), so let's standardize on
checking the presence of the RB_NOSYNC flag.
This flag is set whenever:
1. The kernel has panicked and kern.sync_on_panic=0*
2. We reboot from within the kernel debugger (the "reset" command)
3. Userspace requested it, e.g. by 'reboot -n'
Name the functions consistently.
*This sysctl is tuned to zero by default, but its existence means that
these handlers can be executed after a panic, at the user's discretion.
IMO this use-case is implicitly understood to be risky, and we'd be
better off eliminating it altogether.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42337
(cherry picked from commit 4eb861d362d6a9493df7f77eab8e28f9c826702a)
This is not exhaustive, just done ahead of some upcoming changes to
these files.
Don't include sys/cdefs.h explicitly. No functional change intended.
Reviewed by: imp, jhb
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42335
(cherry picked from commit f3dc172763aee039c917fdba03f1e27095f5a7a9)
The registration was removed in favor of DEVICE_SHUTDOWN(). Drop the
unused eventhandler tag from the IAL_ADAPTER_T structure.
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Fixes: cd3ef66680 ("Use DEVICE_SHUTDOWN(9) mechanism...")
Differential Revision: https://reviews.freebsd.org/D42334
(cherry picked from commit a4b19cf5c76ac66d02a3ef8a549115ba865d630c)
This is needed to support the bhyve gdb stub implementation on arm64.
Reviewed by: andrew
MFC after: 1 week
Sponsored by: Innovate UK
Differential Revision: https://reviews.freebsd.org/D42867
(cherry picked from commit 4f12883c360dbb03562f11713e711e3a3a330a0f)
Filter functions are deprecated, and unused in the tree. If either of
the filter or filterarg arguments to bus_dma_tag_create() are non-NULL,
print a warning.
This is a direct commit to stable/14.
Reviewed by: jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D42897
There is no need to allocate buffer, worry about overflows, etc.
MFC after: 2 weeks
(cherry picked from commit 1b44079584dc317230cf810c0fe0a8c401a5c791)
It is wrong to call sbuf_len() on third-party sbuf. If that sbuf
has a drain function, it ends up in assertion. But even would it
work, it would return not newly written length, but the full one.
Searching through the sources I don't see this value used.
(cherry picked from commit 6332e0f1a4b34707654d6ae2cd3c1e8799970d0b)
Add missing cleanup actions:
- remove user defined anchor rulesets
- remove user defined ether anchor rulesets
- remove tables linked to user defined anchors
- deal with wildcard anchor peculiarities to get them removed correctly
PR: 274310
Reviewed by: kp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D42747
(cherry picked from commit 0626d30e41cba64b41667314c3a4f7611f0eb685)
