When a file is created via p9fs with restrictive permissions (like 000),
the 9P TCREATE request successfully creates and natively opens the file,
returning an open, writable file descriptor. Previously, p9fs would
attempt a subsequent TOPEN. That TOPEN would fail with EACCES due to the
restrictive mode, leaving a 0-byte file and causing operations like 'mv'
to abort.
We now preserve the writable descriptor returned by TCREATE so that the
subsequent VOP_OPEN can use it directly, avoiding the failing TOPEN.
Additionally, p9fs_compatible_mode now appropriately isolates the base
access intent when matching fids, preventing extended flags from
breaking the match.
A test case for this behavior has been submitted to pjdfstest:
https://github.com/pjd/pjdfstest/pull/87
Resolves: https://github.com/CTSRD-CHERI/cheribsd/issues/2617
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56494
This is needed for various pjdfstest tests which fail with syntax errors
if pathconf _PC_NAME_MAX/_PC_PATH_MAX return -1. For NAME_MAX we can use
the 9P2000.L Tstatfs call to get namelen from the host. While this could
theoretically be different for nested filesystems in the shared mount it
is a much better guess than just returning 255.
There does not seem to be a way to get the host PATH_MAX, so we just
return the conservative kernel default.
Found while fixing https://github.com/CTSRD-CHERI/cheribsd/issues/2617.
Reviewed by: markj, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56493
Previously, the UMA zones required for 9P requests (p9fs_buf_zone,
p9fs_req_zone, etc.) were initialized and destroyed in the
virtio_p9fs transport module. This caused issues when unloading
the core p9fs module.
This change moves p9_init_zones() and p9_destroy_zones() into
p9fs_init() and p9fs_uninit() inside p9fs_vfsops.c so that they
are correctly bound to the VFS filesystem module lifecycle via
vfs_modevent, aligning p9fs with standard FreeBSD VFS semantics.
Found while fixing https://github.com/CTSRD-CHERI/cheribsd/issues/2617.
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56492
The virtio_p9fs module event handler can be invoked multiple times.
Previously, this caused p9_init_zones() and p9_register_trans() to be
executed multiple times, leaking UMA zones and corrupting the transport
list. During module unload, p9_destroy_zones() was also called multiple
times on the same zone pointers, triggering a duplicate free kernel panic
in uma_zdestroy().
This patch introduces a static reference counter in vt9p_modevent() to
ensure the zones and transports are only initialized and destroyed exactly
once, aligning with the approach used by other virtio drivers like vtnet.
Reviewed by: kib, markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56497
This ensures this header can be included without an explicit or implicit
sys/types.h include first. This causes issues building SPEC2017 which
includes sys/rtprio.h and then we get an error due to missing u_char
definition.
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52041
Avoid dependency on INET (IPv4) by using PF_LOCAL,
allowing media check to work on systems without INET support.
PR: 295045
Reviewed by: kevans
MFC after: 1 week
The jail(8) command must not leave parsed configuration files open
since the file descriptors will be leaked to child processes
including the untrusted exec.start or exec.stop hooks.
While fopen() doesn't provide direct access to O_CLOEXEC, it does
provide access to FD_CLOEXEC via "e" in the mode string which
provides the desired defense in depth against leaking file descriptors
into exec.* hooks since those always execve() into a shell.
Jail configuration is potentially sensitive and some hooks execute from
within the jail context, leaving some opening for the jail to exfiltrate
information about the host environment.
(Commit message wordsmithed by kevans)
PR: 295052
Reviewed by: kevans
MFC after: 3 days
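
The effect of the "e" mode flag described in the commit message above, as an added example (not code from jail(8) or from the commit): it counts the descriptors that lack FD_CLOEXEC and would therefore survive execve() into a hook. The helper names are hypothetical and `/dev/null` stands in for a parsed configuration file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors in [from, limit) that are open and lack FD_CLOEXEC,
 * i.e. the ones a hook started with execve() would inherit. */
static int
count_inheritable_fds(int from, int limit)
{
    int n = 0;

    for (int fd = from; fd < limit; fd++) {
        int flags = fcntl(fd, F_GETFD);

        if (flags != -1 && (flags & FD_CLOEXEC) == 0)
            n++;
    }
    return (n);
}

/* Open path with the given fopen() mode and report how many additional
 * inheritable descriptors that created (0 or 1); -1 if the open fails. */
static int
leaked_by_fopen(const char *path, const char *mode)
{
    int before = count_inheritable_fds(3, 1024);
    FILE *fp = fopen(path, mode);
    int after;

    if (fp == NULL)
        return (-1);
    after = count_inheritable_fds(3, 1024);
    fclose(fp);
    return (after - before);
}

int
main(void)
{
    /* /dev/null is a constructed stand-in for a jail configuration file. */
    printf("mode \"r\":  %d inheritable fd(s) added\n",
        leaked_by_fopen("/dev/null", "r"));
    printf("mode \"re\": %d inheritable fd(s) added\n",
        leaked_by_fopen("/dev/null", "re"));
    return (0);
}
```
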
Ensure the script used is invalid when parsed by libyaml, which
highlights the issue revealed in PR 295062.
While here, validate that the mode of the file is properly changed.
PR: 295062
MFC After: 1 day
Blocking allocation is safe in all of the current callers of kobj_init
(most of them do a M_WAITOK malloc of the structure passed as the
first argument to kobj_init just before calling it). kobj_init
doesn't return an error code but instead panics if the nested malloc
in kobj_class_compile1 fails, so using M_WAITOK here is more robust.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D56625
Reorder the TLS RX teardown sequence so the TIR is destroyed before
the DEK. DESTROY_TIR for a TLS-enabled TIR issues a TRA RX fence
that drains all in-flight packets from the crypto pipeline. If the
DEK is destroyed first, packets still in flight hit a TPT encryption
error (vendor syndrome 0x55) because the key they reference is
already gone.
Reviewed by: kib
Sponsored by: Nvidia networking
MFC after: 1 week
This fixes a regression introduced in cae280931c which prevents
user_data from being used as a shell script.
PR: 295062
Reported by: Ross McKelvie <ross@exitzero.uk>
MFC After: 1 day
The __maybe_unused attribute should be used for variables which may or
may not be used, such as when their only use is in an assertion. This
attribute is functionally identical to __unused, suppressing compiler
warnings for a particular variable if it remains unused.
Reviewed by: Minsoo Choo <minsoo@minsoo.io>, imp
Differential Revision: https://reviews.freebsd.org/D56517
Currently rtadvd ignores interface pltime/vltime specifications
unless the (static) address range is also included in the config file.
This extends the validity of a pltime and/or vltime stanza in
the config file for an interface to delegated addresses from
an upstream provider.
Signed-off-by: tickerguy <karl@denninger.net>
PR: 288426
Reviewed by: pouria
Pull Request: https://github.com/freebsd/freebsd-src/pull/1863
If anyone would build bhyve with -DNDEBUG, any code in the expression
in assert() won't be executed. Instead put the return value in a
temporary variable to assert that it has the expected value.
Reviewed by: emaste, markj (earlier version)
Fixes: 2a514d377b ("bhyve/virtio-scsi: Preallocate all I/O requests")
Differential Revision: https://reviews.freebsd.org/D55803
Commit f828a80c may have resolved the underlying cause for
the occasional CI failures observed for this test. Remove
the exception to ensure any new occurrences are noticed.
Reviewed-by: Tony Hutter <hutter2@llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs@mcmilk.de>
Signed-off-by: Brian Behlendorf <behlendorf1@llnl.gov>
Closes #6136
Closes #18495
The import of Zstd v1.5.7 in a2ac9cd606
added an unconditional renaming of ZSTD_isError to zfs_ZSTD_isError
with an asm directive. Instead, do it with a define that is conditioned
on whether zstd_compat_wrapper.h is actually in use. Also add a define
to that header so that it can be detected. This allows the build to
work without using the compat wrapper.
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: Ryan Libby <rlibby@FreeBSD.org>
Closes #18483
The mode=0 and FALLOC_FL_KEEP_SIZE preallocation path can reach
zfs_freesp() directly and call zfs_statvfs() before going through the
normal zpl_enter_verify_zp() boundary.
When zfs_rezget() tears down a failed SA reload, a stale inode may
remain alive in the VFS with z_sa_hdl cleared. The unchecked
fallocate path can then reach sa_lookup(zp->z_sa_hdl, ...) through
zfs_statvfs() or zfs_freesp() and crash on a NULL SA handle.
Use zfs_enter_verify_zp() in zfs_statvfs() so stale znodes are
rejected under the teardown lock for both fallocate and statfs.
Also wrap the direct zfs_freesp() call in
zpl_enter_verify_zp()/zfs_exit() so this path follows the same
validation rules as the other Linux ZPL file operations.
Fixes: f734301d22 ("linux: add basic fallocate(mode=0/2) compatibility")
Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
Co-authored-by: gality369 <gality369@example.com>
Closes #18458
In ncl_getcookie(), a very large value for "off" for
a directory can result in "pos" being set to a bogus
value (including a negative one), due to truncation.
When "pos" is negative, it can skip past the
while (pos >= NFSNUMCOOKIES) loop and return a
bogus pointer instead of NULL.
This patch changes the type to u_int and also adds
a sanity check for a very large "off" to ensure that
a NULL pointer is returned for this case.
This bug has been in the code for decades and I am
not aware of any report of it causing a problem for
users.
Reviewed by: markj
Reported by: Joshua Rogers of AISLE Research Team
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56779
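
The truncation described in the commit message above, as an added example: a simplified model written for this page, not the FreeBSD source of ncl_getcookie(). The block size, the value of NFSNUMCOOKIES, the two-chunk table, the function names and the exact bound used in the range check are all assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>

#define DIRBLKSIZ      4096  /* assumed directory block size for the model */
#define NFSNUMCOOKIES  31    /* cookies per chunk; value assumed here */
#define NCHUNKS        2     /* chunks present in this constructed chain */
static uint64_t cookies[NCHUNKS][NFSNUMCOOKIES];

/* Pre-fix shape: the block number is stored in an int and can go negative. */
static int
lookup_signed(int64_t off, long *idx)
{
    int pos = (int)((uint64_t)off / DIRBLKSIZ);   /* truncates to 32 bits */
    int chunk = 0;

    if (pos == 0 || off < 0)
        return (0);
    pos--;
    while (pos >= NFSNUMCOOKIES) {   /* skipped entirely when pos < 0 */
        if (++chunk >= NCHUNKS)
            return (0);
        pos -= NFSNUMCOOKIES;
    }
    *idx = pos;   /* a real lookup would hand back &cookies[chunk][pos] */
    return (1);
}

/* Post-fix shape: unsigned position plus an explicit range check on "off". */
static uint64_t *
lookup_checked(int64_t off)
{
    uint64_t blk = (uint64_t)off / DIRBLKSIZ;
    unsigned int pos, chunk = 0;

    if (off < 0 || blk == 0 || blk > (uint64_t)NCHUNKS * NFSNUMCOOKIES)
        return (NULL);
    pos = (unsigned int)blk - 1;
    for (; pos >= NFSNUMCOOKIES; pos -= NFSNUMCOOKIES)
        chunk++;
    return (&cookies[chunk][pos]);
}

int main(void)
{
    long idx = 0;   /* constructed offset: block number 2^31 + 5 */
    int hit = lookup_signed(((int64_t)1 << 43) + 5 * DIRBLKSIZ, &idx);
    printf("signed: hit=%d idx=%ld, checked: %s\n", hit, idx,
        lookup_checked(((int64_t)1 << 43) + 5 * DIRBLKSIZ) ? "ptr" : "NULL");
    return (0);
}
```
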
Previously, devmatch would stop at the first linker.hints file
found in kern.module_path. This meant modules installed in
/boot/modules/ were invisible to devmatch if /boot/kernel/
contained a linker.hints file (which it always does).
Merge hints from all directories in kern.module_path.
This allows third-party or out-of-tree kernel modules in
/boot/modules/ to be auto-loaded by devmatch just like
built-in modules.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D56847
Running sys/net tests in parallel reveals some panics which look like
the one below:
```
shared lock of (sx) vlan_sx @ /home/markj/sb/main/src/sys/net/if_vlan.c:2395
while exclusively locked from /home/markj/sb/main/src/sys/net/if_vlan.c:1850
panic: excl->share
cpuid = 9
time = 1776467219
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00d84e0780
vpanic() at vpanic+0x136/frame 0xfffffe00d84e08b0
panic() at panic+0x43/frame 0xfffffe00d84e0910
witness_checkorder() at witness_checkorder+0xdb1/frame 0xfffffe00d84e0ad0
_sx_slock_int() at _sx_slock_int+0x64/frame 0xfffffe00d84e0b10
vlan_ioctl() at vlan_ioctl+0x25c/frame 0xfffffe00d84e0b70
if_setflag() at if_setflag+0xdc/frame 0xfffffe00d84e0be0
ifpromisc() at ifpromisc+0x27/frame 0xfffffe00d84e0c00
vlan_setflags() at vlan_setflags+0x64/frame 0xfffffe00d84e0c30
vlan_unconfig_locked() at vlan_unconfig_locked+0xb7/frame 0xfffffe00d84e0c70
vlan_clone_destroy() at vlan_clone_destroy+0x5d/frame 0xfffffe00d84e0cb0
if_clone_destroyif_flags() at if_clone_destroyif_flags+0x8c/frame 0xfffffe00d84e0cf0
if_clone_detach() at if_clone_detach+0x106/frame 0xfffffe00d84e0d20
vnet_destroy() at vnet_destroy+0x154/frame 0xfffffe00d84e0d50
prison_deref() at prison_deref+0xaf5/frame 0xfffffe00d84e0dc0
sys_jail_remove() at sys_jail_remove+0x1a7/frame 0xfffffe00d84e0e00
amd64_syscall() at amd64_syscall+0x169/frame 0xfffffe00d84e0f30
fast_syscall_common() at fast_syscall_common+0xf8/frame 0xfffffe00d84e0f30
--- syscall (508, FreeBSD ELF64, jail_remove), rip = 0x25bd44705ca, rsp = 0x25bcfe72ab8, rbp = 0x25bcfe72b40 ---
```
All vlan interfaces are locked by a single recursive global lock. There
are cases, like in the panic above where vlans are stacked on top of
each other, where the driver tries to acquire an exclusive lock while
holding a shared lock, and vice versa.
With longer-term goals of making the networking regression test suites
stable when run in parallel, and simplifying network control plane
locking, which I find is quite complex and buggy, let's change if_vlan
to use the exclusive lock everywhere.
Reviewed by: pouria, zlei, kp, glebius
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56778
By default, eventhandler_deregister() blocks until it reaches some point
where no threads are invoking the event. At this point, it knows that
1) no threads are currently executing the handler,
2) some thread has freed the eventhandler structure by virtue of having
called eventhandler_prune_list(),
so it is safe to return.
Suppose a thread is trying to deregister an event handler. A different
thread prunes it, and wakes up the first thread. Before the first
thread runs, a third thread grabs the event handler lock, and starts
executing handlers. The first thread observes el_runcount > 0, and goes
back to sleep. The third thread sees no event handlers to prune, and
doesn't wake up the first thread, which sleeps forever.
This change fixes the race and tries to make eventhandler_invoke() more
efficient: keep a count of the number of dead list entries and only
prune the list if there is at least one dead entry. Also, in
eventhandler_deregister(), we only need to sleep if some dead entries
are present, rather than sleeping whenever some thread is running
handlers.
Reviewed by: kib
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56767
Add PCI device IDs for two Ice Lake PCH SMBus controller variants:
- 0x34a3 (Ice Lake-LP), previously listed as the generic "Ice Lake" entry (ID_ICELAKE), renamed to ID_ICELAKELP for clarity.
- 0x38a3 (Ice Lake-N), a separate PCH variant not previously supported.
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D56732
Ever since certctl was rewritten in C, the rehash command has reingested
TRUSTDESTDIR / UNTRUSTDESTDIR in addition to TRUSTPATH / UNTRUSTPATH.
This seemed like a good idea at the time but was, in retrospect, a
mistake, as it means a (un)trusted certificate remains (un)trusted
forever (or at least until it expires) even if it is removed from
(UN)TRUSTPATH. Among other issues, it causes ports QA to fail for any
port that either installs certificates or depends on a port that does.
Although this behavior was undocumented, the change may surprise users
who have added certificates manually, so update the manual page to point
it out and add prominent warnings to the trust and untrust commands.
PR: 290078
MFC after: 1 week
Reviewed by: kevans, bcr
Differential Revision: https://reviews.freebsd.org/D56617
We insert rules in pf_krule_global solely for the benefit of the
'keepcounters' feature. Failing to insert (because the rule hash
collides, or an identical rule already exists) would be worse than
restoring counts to the wrong rule (or failing to restore them at all).
PR: 282863, 294860, 294859, 294858
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D56745
acpi_panasonic_shutdown() calls hkey_sound_mute() without holding
the ACPI serial lock. Every other call site holds
`ACPI_SERIAL_BEGIN(panasonic)` before calling it, as the locking
model is caller-owned.
This seems to affect the whole Panasonic Toughbook lineup btw.
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D56718
Don't waste time generating Perl test cases for algorithms that are not
supported in Perl mode only to skip them when they are run.
MFC after: 1 week
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D56687
The test assumes UTC, which is what I use on my development systems and
clearly what is used on our CI runners.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D56836
The LAN8700 / LAN8710 PHYs were Standard Microsystems Corporation (SMSC)
parts. I presume SMC was chosen as an abbreviation, but the company
always used SMSC as its short name.
SMSC was acquired by Microchip in 2012. I kept the pre-acquisition
name, as NetBSD (from where we obtained miidevs) uses SMSC.
Reviewed by: adrian
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56819
Writing to /proc/$pid/regs can also be leveraged to mess with memory.
Only allow a trusted process to do so.
Sponsored by: Hewlett Packard Enterprise Development LP.
Reviewed by: olce
Differential Revision: https://reviews.freebsd.org/D56763
libusb upstream uses int for register handler. This causes some library
users (like pyusb) to assume that we have int in all implementations and
therefore provide 4 bytes of storage only. This causes a segmentation
fault as we will write the pointer.
Reviewed by: adrian
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D54211