p9fs: Fix creating files with restrictive permissions
When a file is created via p9fs with restrictive permissions (like 000),
the 9P TCREATE request successfully creates and natively opens the file,
returning an open, writable file descriptor. Previously, p9fs would
attempt a subsequent TOPEN. That TOPEN would fail with EACCES due to the
restrictive mode, leaving a 0-byte file and causing operations like 'mv'
to abort.
We now preserve the writable descriptor returned by TCREATE so that the
subsequent VOP_OPEN can use it directly, avoiding the failing TOPEN.
Additionally, p9fs_compatible_mode now appropriately isolates the base
access intent when matching fids, preventing extended flags from
breaking the match.
A test case for this behavior has been submitted to pjdfstest:
https://github.com/pjd/pjdfstest/pull/87
Resolves: https://github.com/CTSRD-CHERI/cheribsd/issues/2617
[4 lines not shown]
p9fs: implement basic pathconf support
This is needed for various pjdfstest tests which fail with syntax errors
if pathconf _PC_NAME_MAX/_PC_PATH_MAX return -1. For NAME_MAX we can use
the 9P2000.L Tstatfs call to get namelen from the host. While this could
theoretically be different for nested filesystems in the shared mount it
is a much better guess than just returning 255.
There does not seem to be a way to get the host PATH_MAX, so we just
return the conservative kernel default.
Found while fixing https://github.com/CTSRD-CHERI/cheribsd/issues/2617.
Reviewed by: markj, kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56493
p9fs: Move UMA zone initialization to VFS module lifecycle
Previously, the UMA zones required for 9P requests (p9fs_buf_zone,
p9fs_req_zone, etc.) were initialized and destroyed in the
virtio_p9fs transport module. This caused issues when unloading
the core p9fs module.
This change moves p9_init_zones() and p9_destroy_zones() into
p9fs_init() and p9fs_uninit() inside p9fs_vfsops.c so that they
are correctly bound to the VFS filesystem module lifecycle via
vfs_modevent, aligning p9fs with standard FreeBSD VFS semantics.
Found while fixing https://github.com/CTSRD-CHERI/cheribsd/issues/2617.
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56492
virtio_p9fs: Fix kernel panic on module unload
The virtio_p9fs module event handler can be invoked multiple times.
Previously, this caused p9_init_zones() and p9_register_trans() to be
executed multiple times, leaking UMA zones and corrupting the transport
list. During module unload, p9_destroy_zones() was also called multiple
times on the same zone pointers, triggering a duplicate free kernel panic
in uma_zdestroy().
This patch introduces a static reference counter in vt9p_modevent() to
ensure the zones and transports are only initialized and destroyed exactly
once, aligning with the approach used by other virtio drivers like vtnet.
Reviewed by: kib, markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56497
sys: Make priority.h and rtprio.h include all dependencies
This ensures this header can be included without an explicit or implicit
sys/types.h include first. This causes issues building SPEC2017 which
includes sys/rtprio.h and then we get an error due to missing u_char
definition.
Reviewed by: emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D52041
Remove PROC_CHECK_PRIV macro from sys_process.c
Just put the priv_check calls in the code.
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D56864
devd: Use PF_LOCAL instead of PF_INET
Avoid dependency on INET (IPv4) by using PF_LOCAL,
allowing media check to work on systems without INET support.
PR: 295045
Reviewed by: kevans
MFC after: 1 week
jail: open the fstab files with fopen("re")
This protects against accidentally leaking them past fork()+exec()
in future refactorings.
PR: 295052
Reviewed by: kevans
jail: avoid leaking jail config fds to exec.* hooks
The jail(8) command must not leave parsed configuration files open
since the file descriptors will be leaked to child processes
including the untrusted exec.start or exec.stop hooks.
While fopen() doesn't provide direct access to O_CLOEXEC, it does
provide access to FD_CLOEXEC via "e" in the mode string which
provides the desired defense in depth against leaking file descriptors
into exec.* hooks since those always execve() into a shell.
Jail configuration is potentially sensitive and some hooks execute from
within the jail context, leaving some opening for the jail to exfiltrate
information about the host environment.
(Commit message wordsmithed by kevans)
PR: 295052
Reviewed by: kevans
MFC after: 3 days
Unskip test sys.netinet6.frag6.frag6_07.frag6_07
This is now consistently passing with 100+ consecutive runs.
Signed-off-by: Siva Mahadevan <me at svmhdvn.name>
PR: 244170
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 681e9d3e391f30a512c523514f69a63c9782a901)
tests/if_lagg_test: unskip 'witness' testcase
This testcase passes consistently (in 100+ runs) now.
Signed-off-by: Siva Mahadevan <me at svmhdvn.name>
PR: 244163, 251726
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 7a83fedc116d827cc9c6d8e049b785f1d7b68dcd)
nuageninit: modify the test to show the issue fixed inc316ec259011
Ensure the script used is invalid when parsed by libyaml which
highlight the issue revealed in PR295062
while at here validate the mode of the file is properly changed
PR: 295062
MFC After: 1 day
kobj: Use M_WAITOK in kobj_init
Blocking allocation is safe in all of the current callers of kobj_init
(most of them do a M_WAITOK malloc of the structure passed as the
first argument to kobj_init just before calling it). kobj_init
doesn't return an error code but instead panics if the nested malloc
in kobj_class_compile1 fails, so using M_WAITOK here is more robust.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D56625
mlx5en: destroy TIR before DEK during TLS RX teardown
Reorder the TLS RX teardown sequence so the TIR is destroyed before
the DEK. DESTROY_TIR for a TLS-enabled TIR issues a TRA RX fence
that drains all in-flight packets from the crypto pipeline. If the
DEK is destroyed first, packets still in flight hit a TPT encryption
error (vendor syndrome 0x55) because the key they reference is
already gone.
Reviewed by: kib
Sponsored by: Nvidia networking
MFC after: 1 week
nuageinit: only parse user_data as yaml when necessary
This fixes a regression introduced in cae280931c9e which prevents
user_data as a shell script to be used
PR: 295062
Reported by: Ross McKelvie <ross at exitzero.uk>
MFC After: 1 day
sys/cdefs.h: Introduce __maybe_unused attribute
The __maybe_unused attribute should be used for variables which may or
may not be used, such as when their only use is in an assertion. This
attribute is functionally identical to __unused, suppressing compiler
warnings for particular variable if it remains unused.
Reviewed by: Minsoo Choo <minsoo at minsoo.io>, imp
Differential Revision: https://reviews.freebsd.org/D56517
rtadvd(8): Honor pltime/vltime in interface declarations
Currently rtadvd ignores interface pltime/vltime specifications
unless the (static) address range is also included in the config file.
This extends the validity of a pltime and/or vltime stanza in
the config file for an interface to delegated addresses from
an upstream provider.
Signed-off-by: tickerguy <karl at denninger.net>
PR: 288426
Reviewed by: pouria
Pull Request: https://github.com/freebsd/freebsd-src/pull/1863
Makefile.vm: Split error condition
Make it clear which of two possible cases applies.
Reviewed by: cperciva
Differential Revision: https://reviews.freebsd.org/D56837
bhyve/virtio-scsi: Don't invoke iov_to_buf() in an assert() expression
If anyone would build bhyve with -DNDEBUG, any code in the expression
in assert() won't be executed. Instead put the return value in a
temporary variable to assert that it has the expected value.
Reviewed by: emaste, markj (earlier version)
Fixes: 2a514d377b37 ("bhyve/virtio-scsi: Preallocate all I/O requests")
Differential Revision: https://reviews.freebsd.org/D55803
ZTS: Remove threadsappend_001_pos exception
Commit f828a80c may have resolved the underlying cause for
the occasional CI failures observed for this test. Remove
the exception to ensure any new occurrences are noticed.
Reviewed-by: Tony Hutter <hutter2 at llnl.gov>
Reviewed-by: Tino Reichardt <milky-zfs at mcmilk.de>
Signed-off-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Closes #6136
Closes #18495
Zstd: rework ZSTD_isError symbol renaming
The import of Zstd v1.5.7 in a2ac9cd606ce2428c23cc89cec6f0392424e82c9
added an unconditional renaming of ZSTD_isError to zfs_ZSTD_isError
with an asm directive. Instead, do it with a define that is conditioned
on whether zstd_compat_wrapper.h is actually in use. Also add a define
to that header so that it can be detected. This allows the build to
work without using the compat wrapper.
Reviewed-by: Brian Behlendorf <behlendorf1 at llnl.gov>
Signed-off-by: Ryan Libby <rlibby at FreeBSD.org>
Closes #18483
linux: verify stale znodes in legacy fallocate
The mode=0 and FALLOC_FL_KEEP_SIZE preallocation path can reach
zfs_freesp() directly and call zfs_statvfs() before going through the
normal zpl_enter_verify_zp() boundary.
When zfs_rezget() tears down a failed SA reload, a stale inode may
remain alive in the VFS with z_sa_hdl cleared. The unchecked
fallocate path can then reach sa_lookup(zp->z_sa_hdl, ...) through
zfs_statvfs() or zfs_freesp() and crash on a NULL SA handle.
Use zfs_enter_verify_zp() in zfs_statvfs() so stale znodes are
rejected under the teardown lock for both fallocate and statfs.
Also wrap the direct zfs_freesp() call in
zpl_enter_verify_zp()/zfs_exit() so this path follows the same
validation rules as the other Linux ZPL file operations.
Fixes: f734301d2267
("linux: add basic fallocate(mode=0/2) compatibility")
[4 lines not shown]