The kern.arandom sysctl handler uses an intermediate buffer on the stack
to hold random data that it subsequently copies out to the sysctl
request. Err on the side of caution and zero out the stack buffer after
we're done with it to avoid a potential entropy leak later on.
Reviewed by: cem, emaste, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D45978
This causes these hints to be only used to wire device unit numbers
for serial ports enumerated by ACPI but will not create ISA device
nodes if ACPI doesn't enumerate them. Note that IRQ hints are not
used for wiring so have been removed.
PR: 270707
Reported by: aixdroix_OSS@protonmail.com, Michael Dexter
Reported by: mfw_burn@pm.me, Hannes Hfauswedell <h2+fbsdports@fsfe.org>
Reported by: Matthias Lanter <freebsd@lanter-it.ch>
Reported by: William Bulley <web@umich.edu>
Reviewed by: imp
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45945
Commit 9a7bf07ccd from 2016 introduced a workaround for some broken
BIOSes that specified active-lo instead of active-hi polarity for ISA
IRQs for UARTs. The workaround assumed that edge-sensitive ISA IRQs
on x86 should always be active-hi. However, some recent AMD systems
actually use active-lo edge-sensitive ISA IRQs (and not just for
UARTs, but also for the keyboard and PS/2 mouse devices) and the
override causes interrupts to be dropped resulting in boot time hangs,
non-working keyboards, etc.
Add a hw.acpi.override_isa_irq_polarity tunable (readable as a sysctl
post-boot) to control this quirk. It can be set to 1 to force enable
the override and 0 to disable it. The log of original message
mentions an Intel motherboard as the sample case, so default the
tunable to 1 on systems with an Intel CPU and 0 otherwise.
Special thanks to Matthias Lanter <freebsd@lanter-it.ch> for tracking
down boot time issues on recent AMD systems to mismatched interrupt
polarity.
PR: 270707
Reported by: aixdroix_OSS@protonmail.com, Michael Dexter
Reported by: mfw_burn@pm.me, Hannes Hfauswedell <h2+fbsdports@fsfe.org>
Reported by: Matthias Lanter <freebsd@lanter-it.ch>
Reported by: William Bulley <web@umich.edu>
Reviewed by: imp, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D45554
The RSN capability field may be the last two bytes in the IE.
802.11-2016 9.4.2.25.1 (General) doesn't require anything
afterwards - the PMKID/List and Group Management Cipher Suite
are optional.
Thus having a check of len > 2 will miss the situation where it
IS the last field.
This showed up when developing MFP, as I'm using optional MFP
at home and optional MFP doesn't encrypt group management frames.
(It should only add the BIP message integrity check IE in each
action frame.)
Differential Revision: https://reviews.freebsd.org/D45936
The way that net80211 and drivers are checking for the /type/ of key
is to check if it's in the vap WEP key array and if so, it's a group
key. If not, it's a unicast key.
That's not only kind of terrible, but it's also going to be
problematic with future 802.11 support (for multiple unicast keys
and IGTK keys for management frame protection.)
So as part of this, remove the places where this is done and
instead use a pair inline functions - ieee80211_is_key_global() and
ieee80211_is_key_unicast(). They currenly still use the same logic
but the drivers and net80211 stack isn't doing it itself.
There are still open questions about why keys are not being
correctly tagged as GROUP, GTK, PTK, etc. That will be investigated
and addressed in follow-up work as a pre-cursor to MFP, IGTK, etc.
as mentioned above.
Testing:
* iwn, rtwn - STA mode
Differential Revision: https://reviews.freebsd.org/D45516
Ignore SIP servers dhcp option to shut up the warning message.
This option is defined in the RFC 3361 and sent from NSD-G1000T router.
PR: 280119
Reviewed by: jrm (mentor), brooks
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D45873
Previously, when transmitting short runs of packets via cxgbe_nm_tx(),
we would wait until a large number of packets were buffered before
scheduling a task to clean transmit buffers.
Obtained from: np
Upstream unbound includes a backup configure file which is distributed
in the upstream tarball. It must be created by their release process and
not deleted prior to packaging the tarball. I've received two emails so
far asking about it. Let's remove it so nobody else asks about it.
MFC: 1 week
Modern x86 systems do not ship with ISA floppy disk controllers or LPT
ports.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D45946
Preserve object reference and block bit during refcount arithmetic
and obliteration, by using vm_page_wire()/unwire_noq().
Reviewed by: markj
Sponsored by: Advanced Micro Devices (AMD)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D45910
It is supposed to be used for ref_count manipulations when the pages
are owned by an object, but ref_count is used for something else than
the wiring, e.g. PTE population count on the page table page.
Reviewed by: markj
Sponsored by: Advanced Micro Devices (AMD)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D45910
It relies on being able inspect the dmesg buffer to see whether the
kernel logged certain messages. If it's interleaved with tests that
generate large amounts of console output (e.g., GELI tests), then it can
fail spuriously.
MFC after: 2 weeks
These are only included in the amd64 vmm code, so it doesn't make sense
to list them unconditionally.
PR: 280171
Reviewed by: wosch, imp, emaste
Differential Revision: https://reviews.freebsd.org/D45964
While char is signed on some of FreeBSD's architecutres, it's unsigned
on others. So the naked 'char' cast here needs to be 'signed char'
because in this context, we want the signed interpretation.
We don't really use %hh conversions in the run time linker, so this is
likely a nop. However, for correctness, we need this, like we did in the
kernel in fc3e5334ab. It's a nop on x86 and riscv due to defaults as
well, but does fix a bug on arm and powerpc where char is unsigned.
Suggested by: kib
Sponsored by: Netflix
There were two stray places where armv6 remained that shouldn't be
there. Remove them. Replace one with aarch64 and update MACHINE_ARCH
description of amd64 while I'm here. Eliminate a near-by contraction
igor noted.
Sponsored by: Netflix
Enabled PTI for given pmap is equivalent to pm_ucr3 being valid is
equivalent to root userspace page table page pm_pmltopu being
allocated.
Reviewed by: alc, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D45966
Update pagesizes[] to include the L3 ATTR_CONTIGUOUS (L3C) page size,
which is 64KB when the base page size is 4KB and 2MB when the base page
size is 16KB.
Add support for L3C pages to shm_create_largepage().
Add support for creating L3C page mappings to pmap_enter(psind=1).
Add support for reporting L3C page mappings to mincore(2) and
procstat(8).
Update vm_fault_soft_fast() and vm_fault_populate() to handle multiple
superpage sizes.
Declare arm64 as supporting two superpage reservation sizes, and
simulate two superpage reservation sizes, updating the vm_page's psind
field to reflect the correct page size from pagesizes[]. (The next
patch in this series will replace this simulation. This patch is
already big enough.)
Co-authored-by: Eliot Solomon <ehs3@rice.edu>
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D45766
Test case to check if an implementation of memset correctly
handles the value passed being wider than a byte
Approved by: emaste
Reviewed By: fuz (GSoC mentor), emaste
Sponsored by: Google LLC (GSoC 2024)
Differential Revision: https://reviews.freebsd.org/D45738
For years we display the time in seconds how long it takes to
run `make buildworld' (see PR 224433). Now we will display the
time for "installworld" and "installkernel" as well.
e.g.:
--------------------------------------------------------------
>>> Installing everything completed on Sun Jul 7 16:11:37 UTC 2024
>>> Install world completed in 110 seconds, ncpu: 2, make -j2
--------------------------------------------------------------
PR: 280187
Approved by: imp
Differential Revision: https://reviews.freebsd.org/D45912
Refactor register_tcp_functions_as_names() such that either all or
no (in error cases) registrations happen atomically (while holding
the tcp_function_lock write lock). Also ensure that the TCP function
block is not already registered.
This avoids situations, where some registrations were performed and
then they were removed without holding a lock in between or checking
ref counts.
Reviewed by: cc
MFC after: 1 week
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D45947
The entire recv*() implementation set is ripe for opportunities to
validate, so do what we can with what we have.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45686
Notably sanity check indices passed to the FD_*() macros against the
size of the fd_set itself.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45685
Check both the buffer size of the iov object itself, as well as that
of each indidvidually io base.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45684
That is to say, fortify getrandom(2).
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45683
This includes all of the w*() equivalents to str*()/mem*() implemented
in more or less the same way. For these ones, we'll just use
header-only implementations from the start to stop further cluttering
the libc symbol table.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45682
The immediately obvious and attractive targets from <stdlib.h> are
arc4random_buf(3) and realpath(3) -- scraping the header didn't reveal
much else of interest.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45681
For poll/ppoll we just need to bounds-check the poll array that we're
about to write out to.
Reviewed by: kib, markj (earlier version)
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45680
ssp/ssp.h needed some improvements:
- `len` isn't always a size_t, it may need casted
- In some cases we may want to use a len that isn't specified as a
parameter (e.g., L_ctermid), so __ssp_redirect() should be more
flexible.
- In other cases we may want additional checking, so pull all of the
declaration bits out of __ssp_redirect_raw() so that some functions
can implement the body themselves.
strlcat/strlcpy should be the last of the fortified functions that get
their own __*_chk symbols, and these cases are only done to be
consistent with the rest of the str*() set.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45679
Switch away from pointer arithmetic to provide more obvious semantics
for checking overlap on pointer ranges. This lets us remove some casts
that need not exist and removes some possible fragility in its use.
While we're here, check for overflow just in case; sometimes we use a
caller-supplied size if __builtin_object_size(3) can't deduce the buffer
size, and we should fail the check if the size is nonsensical for the
provided buffers.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
The _FORTIFY_SOURCE tests will be generated by a lua script to avoid a
lot of redundancy in writing these tests. For each function that we're
fortifying, the plan is to test at least the following three scenarios:
- Writing up to one byte before the end of the buffer,
- Writing up to the end of the buffer,
- Writing one byte past the end of the buffer
The buffer is shoved into a struct on the stack to guarantee a stack
layout in which we have a valid byte after the buffer so that level 2
fortification will trip and we can have confidence that it wasn't some
other stack/memory protection instead.
The generated tests are divided roughly into which header we're
attributing them to so that we can parallelize the build -- the full set
is a bit over 9000 lines of C and takes 11s to build on the hardware
that I'm testing on if it's a single monolothic file.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45678
We'll be using it in some upcoming definitions in headers, so move it
back now but slap a warning on it. Our upcoming uses will all be inside
of inline functions, so we're not overly concerned about double
evaluation immediately.
Reviewed by: markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45677
ZFS' libspl needs to be made aware that we have strlcat(3) and
strlcpy(3) to avoid some more complicated declaration duplication, so
go ahead and define these HAVE_ macros now.
libprocstat has to define `_KERNEL` and include kernel headers in order
to get what it wants, but this results in sys/cdefs.h being included too
late and we pick up the build breaking version of the __RENAME
definition. Just explicitly include sys/cdefs.h earlier rather than
disabling _FORTIFY_SOURCE. The zfs/ subdir only builds an object that
holds some structures and sizes, so just disable _FORTIFY_SOURCE there
entirely rather than trying to move #define _KERNEL into the file..
While we're here, make sure that we disable _FORTIFY_SOURCE in the
bootloader because we don't have the symbol renaming support today to do
it as cleanly as we'd like. ssp/ssp.h needs to be pulled into the libsa
environment so that other bits can understand that ssp is disabled in
the consistent __SSP_FORTIFY_LEVEL way that we try to do.
Reviewed by: allanjude (previous version), markj
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D45676
Fix a stale variable name that snuck into a tracepoint from an earlier
version of the change.
Fixes: eb60ff1e "unionfs: rework locking scheme to only lock a single
vnode"
Reported by: jenkins
This code is using the vnode after it has been released and causing a
panic when a p9fs shared volume is unmounted. In fact, it seems like it's
just duplicated code left behind from a bad merge.
PR: 279887
Reported by: Michael Dexter
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1323
