FreshBSD

HBSD: Do not require non-existent cfi_blacklist.txt

clang 7.0.0 adopted a linux-ism of forcing everyone to adopt something.
HardenedBSD does not currently need or use cfi_blacklist.txt, so undo
the linux-ism.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Sponsored-by:   SoldierX
(cherry picked from commit a86776ebe535e12dd9b41ff1e71a6776f4b0d393)
Signed-off-by: Shawn Webb <shawn.webb at hardenedbsd.org>

Merge remote-tracking branch 'origin/hardened/current/master' into 
hardened/current/unstable

* origin/hardened/current/master: (98 commits)
  HBSD: clang/llvm 7.0.1 fixups
  Continuing efforts to provide hardening of FFS. This change adds a check hash to the 
filesystem inodes. Access attempts to files associated with an inode with an invalid check 
hash will fail with EINVAL (Invalid argument). Access is reestablished after an fsck is 
run to find and validate the inodes with invalid check-hashes. This check avoids a class 
of filesystem panics related to corrupted inodes. The hash is done using crc32c.
  pf tests: Use the ATF cleanup infrastructure in the ioctl tests
  pf tests: ioctl tests require root rights
  pf: Prevent integer overflow in PF when calculating the adaptive timeout.
  Remove a dead file.  CVS was removed in r251794.
  Allow CTL device specification in bhyve virtio-scsi.
  HBSD: Resolve merge conflict
  Remove unused argument to priv_check_cred.
  Fix !tx_abdicate error from r336560
  Set tentative merge date, and add UPDATING note.
  audi: replace open-coded TDP_AUDITREC checks with the macro
  Fix the PAE kernel gcc build.
  asmc: Add Support for MacBookAir 7,1 and 7,2
  For arm and armv6, only enable LLVM target support for arm by default, to shrink 
libllvm.a.
  Merge llvm, clang, lld, lldb, compiler-rt and libc++ release_70 branch r348686 

    [7 lines not shown]

Merge remote-tracking branch 'origin/freebsd/current/master' into hardened/current/master

HBSD: clang/llvm 7.0.1 fixups

The sanitizer runtime now causes the compiler toolchain to link with
libz. Update the libraries clang, llvm, etc. depend on to add libz.

retpolineplt/retpolineplt is no longer an available linker option for
kernel builds (kmod and kern).

One of the sanitizer files libcfi depends on was renamed.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Sponsored-by:   SoldierX

Merge branch 'freebsd/12-stable/master' into hardened/12-stable/master

* freebsd/12-stable/master:
  MFC 340694: Enable evdev on ppc32
  MFC 340632
  Call stable/12 -STABLE now that 12.0-RELEASE is out.

Merge remote-tracking branch 'origin/hardened/11-stable/master' into 
hardened/11-stable/unstable

* origin/hardened/11-stable/master:
  MFC: r339289: Resolve a hang in ZFS during vnode reclaimation

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

* freebsd/11-stable/master:
  MFC: r339289: Resolve a hang in ZFS during vnode reclaimation

Continuing efforts to provide hardening of FFS. This change adds a
check hash to the filesystem inodes. Access attempts to files
associated with an inode with an invalid check hash will fail with
EINVAL (Invalid argument). Access is reestablished after an fsck
is run to find and validate the inodes with invalid check-hashes.
This check avoids a class of filesystem panics related to corrupted
inodes. The hash is done using crc32c.

Note this check-hash is for the inode itself and not any of its
indirect blocks. Check-hash validation may be extended to also
cover indirect block pointers, but that will be a separate (and
more costly) feature.

Check hashes are added only to UFS2 and not to UFS1 as UFS1 is
primarily used in embedded systems with small memories and low-powered
processors which need as light-weight a filesystem as possible.

Reviewed by:  kib
Tested by:    Peter Holm
Sponsored by: Netflix

pf tests: Use the ATF cleanup infrastructure in the ioctl tests

Use ATF_TC_CLEANUP(), because that means the cleanup code will get
called even if a test fails. Before it would only be executed if every
test within the body succeeded.

Reported by:    Marie Helene Kvello-Aune <marieheleneka at gmail.com>
MFC after:      2 weeks

pf tests: ioctl tests require root rights

Explicitly mark these tests as requiring root rights. We need to be able
to open /dev/pf.

Reported by:    Marie Helene Kvello-Aune <marieheleneka at gmail.com>
MFC after:      2 weeks

pf: Prevent integer overflow in PF when calculating the adaptive timeout.

Mainly states of established TCP connections would be affected resulting
in immediate state removal once the number of states is bigger than
adaptive.start.  Disabling adaptive timeouts is a workaround to avoid this bug.
Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)

Reported by: Andreas Longwitz <longwitz AT incore.de>
Obtained from:  OpenBSD
MFC after:      2 weeks

Remove a dead file.  CVS was removed in r251794.

MFC 340694: Enable evdev on ppc32

Enable evdev on ppc32 as well, similar to what was done i386 and amd64 in
r340387 and ppc64 in r340632.

Evdev can be used by X and is used by wayland to handle input devices.

Approved by:    jhibbits

MFC 340632

Enable evdev on ppc64

Enable evdev on ppc64 as well, similar to what was done for amd64 and i386
in r340387.

Evdev can be used by X and is used by wayland to handle input devices.

Approved by:    mmacy

Allow CTL device specification in bhyve virtio-scsi.

There was a large refactoring done in CTL to allow multiple ioctl frontend
ports (and respective devices) to be created, particularly for bhyve.
Unfortunately, respective part of bhyve functionality got lost somehow from
the original virtio-scsi commit.  This change allows wanted device path to
be specified in either of two ways:
 -s 6,virtio-scsi,/dev/cam/ctl1.1
 -s 6,virtio-scsi,dev=/dev/cam/ctl2.3
If neither is specified, the default /dev/cam/ctl device is used.

While there, remove per-queue CTL device opening, which makes no sense at
this point.

Reported by:    wg
Reviewed by:    araujo
MFC after:      3 days
Sponsored by:   iXsystems, Inc.
Differential Revision:  https://reviews.freebsd.org/D18504

HBSD: Resolve merge conflict

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Sponsored-by:   SoldierX

Merge remote-tracking branch 'origin/freebsd/current/master' into hardened/current/master

Conflicts:
        contrib/compiler-rt/lib/cfi/cfi.cc (unresolved)

MFC: r339289: Resolve a hang in ZFS during vnode reclaimation

  This is caused by a deadlock between zil_commit() and zfs_zget()
  Add a way for zfs_zget() to break out of the retry loop in the common case

PR:            229614, 231117
Reported by:    grembo, jhb, Andreas Sommer, others
Relnotes:       yes
Sponsored by:   Klara Systems

Remove unused argument to priv_check_cred.

Patch mostly generated with cocinnelle:

@@
expression E1,E2;
@@

- priv_check_cred(E1,E2,0)
+ priv_check_cred(E1,E2)

Sponsored by:   The FreeBSD Foundation

Call stable/12 -STABLE now that 12.0-RELEASE is out.

Sponsored by:   The FreeBSD Foundation

Upgrade our copies of clang, llvm, lld, lldb, compiler-rt and libc++ to
the upstream release_70 branch r348686 (effectively, 7.0.1 rc3).  The
release will follow very soon, but no more functional changes are
expected.

Release notes for llvm, clang and lld 7.0.0 are available here:
<http://releases.llvm.org/7.0.0/docs/ReleaseNotes.html>
<http://releases.llvm.org/7.0.0/tools/clang/docs/ReleaseNotes.html>
<http://releases.llvm.org/7.0.0/tools/lld/docs/ReleaseNotes.html>

PR:            230240, 230355
Relnotes:       yes
MFC after:      2 months

Merge remote-tracking branch 'origin/hardened/current/master' into 
hardened/current/unstable

* origin/hardened/current/master:
  fd: dedup code in sys_getdtablesize
  Make lim_cur inline if possible.
  fd: tidy up closing a fd
  fd: stop looking for exact freefile after allocation

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  fd: dedup code in sys_getdtablesize
  Make lim_cur inline if possible.
  fd: tidy up closing a fd
  fd: stop looking for exact freefile after allocation

HBSD: Resolve merge conflict

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Sponsored-by:   SoldierX

Merge remote-tracking branch 'origin/freebsd/12-stable/master' into 
hardened/12-stable/master

Conflicts:
        usr.sbin/jail/jail.8 (unresolved)

Fix !tx_abdicate error from r336560

r336560 was supposed to restore pre-r323954 behaviour when tx_abdicate is
not set (the default case). However, it appears that rather than the drainage
check being made conditional on tx_abdicate being set, it was duplicated
so it occured twice if tx_abdicate was set and once if it was not.

Now when !tx_abdicate, drainage is only checked if the doorbell isn't
pending.

Reported by:    lev
MFC after:      1 week
Sponsored by:   Limelight Networks

Set tentative merge date, and add UPDATING note.

audi: replace open-coded TDP_AUDITREC checks with the macro

Sponsored by:   The FreeBSD Foundation

Fix the PAE kernel gcc build.

The error was caused by map_ucode() casting a vm_paddr_t to a void *.
Use a uintptr_t instead to match the caller.  Fix some style bugs while
here.

Reported by:    bde
Reviewed by:    bde
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation

asmc: Add Support for MacBookAir 7,1 and 7,2

PR:            226172
Submitted by:   James Wright <james.wright at jigsawdezign.com>
Reported by:    James Wright <james.wright at jigsawdezign.com>
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D18396

Merge remote-tracking branch 'origin/hardened/current/master' into 
hardened/current/unstable

* origin/hardened/current/master:
  Only read the ACPI proximity tabled on arm64 when we are booting from ACPI.
  Remove questionable initialization for ICH8M, rely on BIOS to properly initialize the 
controller.

fd: dedup code in sys_getdtablesize

Sponsored by:   The FreeBSD Foundation

Make lim_cur inline if possible.

It is a function call only to accomodate *some* ABIs which install a hook.
They only care for 3 types of limits: DATA, STACK, VMEM

Instead of always calling the func, see at compilation time if the requested
limit is something else and just do the read if so.

Sponsored by:   The FreeBSD Foundation

fd: tidy up closing a fd

- avoid a call to knote_close in the common case
- annotate mqueue as unlikely

Sponsored by:   The FreeBSD Foundation

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  Only read the ACPI proximity tabled on arm64 when we are booting from ACPI.
  Remove questionable initialization for ICH8M, rely on BIOS to properly initialize the 
controller.

fd: stop looking for exact freefile after allocation

If a lower fd is closed later, the lookup goes to waste. Allocation
always performs the lookup anyway.

Sponsored by:   The FreeBSD Foundation

MFC r341516, r341589

netmap: align codebase to the current upstream (760279cfb2730a585)

Changelist:
  - Replace netmap passthrough host support with a more general
    mechanism to call TXSYNC/RXSYNC from an in-kernel event-loop.
    No kernel threads are used to use this feature: the application
    is required to spawn a thread (or a process) and issue a
    SYNC_KLOOP_START (NIOCCTRL) command in the thread body. The
    kernel loop is executed by the ioctl implementation, which returns
    to userspace only when a different thread calls SYNC_KLOOP_STOP
    or the netmap file descriptor is closed.
  - Update the if_ptnet driver to cope with the new data structures,
    and prune all the obsolete ptnetmap code.
  - Add support for "null" netmap ports, useful to allocate netmap_if,
    netmap_ring and netmap buffers to be used by specialized applications
    (e.g. hypervisors). TXSYNC/RXSYNC on these ports have no effect.
  - Various fixes and code refactoring.

Sponsored by:   Sunny Valley Networks
Differential Revision:  https://reviews.freebsd.org/D18015

Only read the ACPI proximity tabled on arm64 when we are booting from
ACPI.

Sponsored by:   DARPA, AFRL

Merge ^/head r341764 through r341812.

For arm and armv6, only enable LLVM target support for arm by default,
to shrink libllvm.a.

This is a workaround for "relocation truncated to fit" errors with BFD
ld 2.17.50 on arm and armv6, when linking executables against it.

The required range extensions are not yet supported by this very old
version of BFD ld.  When arm and armv6 userland can be successfully
linked by lld, this workaround can be removed.

Merge remote-tracking branch 'origin/hardened/current/master' into 
hardened/current/unstable

* origin/hardened/current/master:
  Free bootstacks after AP startup.
  Remove special case handling for getfhat(fd, NULL, handle).
  Remove an unused malloc(9) type.
  Use inline tests for individual PTE bits in the RISC-V pmap.
  Add uk.macbook.kbd keymap (vt)
  powerpc/booke: Don't get and use the load offset for TOC on APs
  rc.subr: Implement list_vars without using 'read'

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  Free bootstacks after AP startup.
  Remove special case handling for getfhat(fd, NULL, handle).
  Remove an unused malloc(9) type.
  Use inline tests for individual PTE bits in the RISC-V pmap.
  Add uk.macbook.kbd keymap (vt)
  powerpc/booke: Don't get and use the load offset for TOC on APs
  rc.subr: Implement list_vars without using 'read'

Merge remote-tracking branch 'origin/hardened/11-stable/master' into 
hardened/11-stable/unstable

* origin/hardened/11-stable/master:
  As part of the general cleanup of the ipfilter code, special cases are committed 
separately to document fixing them separately from the general cleanup. In this case we 
don't want to hide the utter brokenness of what is being fixed.

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

* freebsd/11-stable/master:
  As part of the general cleanup of the ipfilter code, special cases are committed 
separately to document fixing them separately from the general cleanup. In this case we 
don't want to hide the utter brokenness of what is being fixed.

Remove questionable initialization for ICH8M, rely on BIOS to properly
initialize the controller.

According to the datasheet, the old code checks if port 2 (P2E, 0x4) was
the only enabled port (except port 0, which was ignored by mask 0xfe),
and issue a write to the PCS register to disable all but port 0, right
before ahci_ctlr_reset.

Some other operating systems would issue a port enable to all ports, but
since the current code only does the special initialization for ICH8M,
it entirely and rely on BIOS to do the right thing (the alternative
would be https://reviews.freebsd.org/D18300?id=50922 , should we see
reports that we really need to do it).

Reviewed by:    mav
MFC after:      3 months
Differential Revision:  https://reviews.freebsd.org/D18300

Merge branch 'freebsd/10-stable/master' into hardened/10-stable/master

* freebsd/10-stable/master:
  As part of the general cleanup of the ipfilter code, special cases are committed 
separately to document fixing them separately from the general cleanup. In this case we 
don't want to hide the utter brokenness of what is being fixed.

Free bootstacks after AP startup.

Bootstacks are unused after APs executed sched_throw() in
init_secondary_tail() and started executing on proper idle thread
stack.  Add sysinit that detects that the idle thread for each CPU was
scheduled at least once, and free corresponding bootstack.

Slight addition of the code (~200 bytes) is compensated by the saving,
because even on typical small modern desktop CPU we leak 128K of
memory otherwise (4 pages x 8 threads).

Reviewed by:    jhb
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D18486

Remove special case handling for getfhat(fd, NULL, handle).

There is no reason for it to behave differently from openat(fd, NULL).
Also the handling did not worked because the substituted path was from
the system address space, causing EFAULT.

Submitted by:   Jack Halford <jack at gandi.net>
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D18501

Remove an unused malloc(9) type.

MFC after:      1 week
Sponsored by:   The FreeBSD Foundation

Use inline tests for individual PTE bits in the RISC-V pmap.

Inline tests for PTE_* bits are easy to read and don't really require a
predicate function, and predicates which operate on a pt_entry_t are
inconvenient when working with L1 and L2 page table entries.

Reviewed by:    jhb
MFC after:      1 week
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D18461