heimdal-kadmin: Add support for the -f dump option
The "-f" dump option allows a dump of the Heimdal
KDC in a format that the MIT kdb5_util command can
load into an MIT KDC's database.
This makes transitioning from the Heimdal KDC to
the current MIT one feasible without having to
re-create the KDC database from scratch.
glebius@ did the initial work, cherry picking these
commits from the Heimdal sources on github and then doing
extensive merge conflict resolution and other fixes so
that it would build.
Heimdal commit fca5399 authored by Nico Williams:
Initial commit for second approach for multiple kvno. NOT TESTED!
Heimdal commit 57f1545 authored by Nico Williams:
Add support for writing to KDB and dumping HDB to MIT KDB dump format
Before this change Heimdal could read KDBs. Now it can write to
[73 lines not shown]
gdb: Improve doc strings
These are printed by gdb when requesting help for the corresponding
function or command, so phrase them such that they make sense in that
context.
MFC after: 1 week
altq: Clear stats structures in get_class_stats()
These structures are copied out to userspace, and it's possible to leak
uninitialized stack bytes since these routines and their callers weren't
careful to clear them first. Add memsets to avoid this.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: kp, emaste
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53342
net: Validate interface group names in ioctl handlers
The handlers were not checking that the group names are nul-terminated.
Add checks for this.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: zlei
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53344
ipfw: Remove more unused IP_FW_* cases
All of the do_cmd() calls are in dummynet.c and specify the socket
option at compile time; none of these removed cases are used in ipfw
after the v3 work.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53378
blocklist: Fix rcorder(8)
The blocklist daemon depends on a packet filter in order to block.
Add all supported packet filters to the REQUIRE line, not just pf, to
indicate to rcorder(8) that it should start after the packet filter service
has started.
While here, change the mode of the rc file to include the executable
bit, just like the rest of the files in the rc.d source directory.
Reviewed by: 0mp
MFC after: 2 days
Differential Revision: https://reviews.freebsd.org/D53364
blocklist: blacklist: Chase recent upstream changes
Upstream introduced a fix that prevents blocklistd(8) from running into an
endless loop when it tries to delete an address from the database which
has been added multiple times.
Apply the same fix to blacklistd(8).
Upstream PR: https://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=57193
MFC after: 2 days
nfs_clrpcops.c: Check for too large a write reply
The "rlen" reply length for a Write operation/RPC
could cause trouble if a broken server replies with
too large a value.
Improve the sanity check for "rlen" to avoid this.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: emaste, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53368
nfs_clrpcops.c: Fix two possible large NFSM_DISSECT()s
There are two cases in nfs_clrpcops.c where it was possible
for the code to attempt to NFSM_DISSECT() a large size,
which is not allowed by nfsm_dissct().
This patch fixes them.
Reducing the maximum stripecnt should be no problem,
since there is no extant NFSv4.n server that does striped
File Layout pNFS and current development is centered
around the Flex File layout.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53367
nfs_clrpcops.c: Add sanity checks for the slot cnts
The reply to CreateSession includes the slot cnt for
both fore and back slots. It should never be larger
than the argument specified and the fore slot cnt
should always be at least 1.
Without this patch, the replied slot cnts were not
being sanity checked.
While here, replace 64 with NFSV4_SLOTS (which is 64).
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: emaste, markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53363
getrlimitusage.2: Update HISTORY section
Add 14.2, as this was cherry-picked prior to release.
Reported by: Harald Eilertsen
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D53320
(cherry picked from commit 2387a51af235e4304c63f95465a569c878f49dcd)
kexec: Add dummy headers for arm, i386, powerpc, and riscv
kexec hasn't been ported to these architectures yet, so appease the
build with dummy headers.
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51625
amd64: Add kexec support
The biggest difference between this and arm64 kexec is that we can't
disable the MMU for amd64, we have to instead create a new "safe" page
table that the trampoline and "child" kernel can use. This requires a
lot more work to create identity mappings, etc.
Reviewed by: kib
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51623
kexec: Introduce basic arm64 support
This works on older arm64 platforms, but may not work with arm64 devices
using GICv3, due to a quirk in the GICv3, where some registers are
write-once.
Most of the kexec reboot work on arm64 can be done entirely in C code,
by disabling the MMU, as the kernel is carved out of the vm_phys_segs
array, so cannot be overwritten.
Reviewed by: andrew
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51621
kern: Introduce kexec system feature (MI)
Introduce a new system call and reboot method to support booting a new
kernel directly from FreeBSD.
Linux has included a system call, kexec_load(), since 2005, which
permits booting a new kernel at reboot instead of requiring a full
reboot cycle through the BIOS/firmware. This change brings that same
system call to FreeBSD. Other changesets will add the MD components for
some of our architectures, with stubs for the rest until the MD
components have been written.
kexec_load() supports loading up to an arbitrary limit of 16 memory
segments. These segments must be contained inside memory bounded in
vm_phys_segs (vm.phys_segs sysctl), and a segment must be contained
within a single vm.phys_segs segment and cannot cross adjacent segments.
Reviewed by: imp, kib
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51619
x86/intr: Handle case of disabling MSI after release
Once an interrupt source is registered it's never deregistered.
However, when an MSI is released the pointer for it becomes NULLed out,
resulting in a NULL pointer dereference when attempting to disable the
now-released MSI source. Add NULL check to avoid this.
Reviewed by: kib
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51624
amd64: Add cpu_stop() support to go UP after SMP
Reviewed by: kib
Sponsored by: Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D51622
nfs_nfsdserv.c: Add a sanity check for layout commit cnt
If a client were to send a LayoutCommit (seldom
used and only for a pNFS server) with a bogus
cnt, there could be problems with a malloc() call
that uses it.
This patch adds a sanity check for the cnt. Note
that RFC8881 does not specify any upper bound
on the cnt.
Reported by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Reviewed by: markj
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53354
audit: convert audit event class lookup to lockless
When system call auditing is enabled, every audited call
does a lookup in the evclass hash table. This table
appears to be insert only (e.g., nothing can be removed)
and protecting it with an rwlock is overkill. Using
an rwlock causes just the atomic operations to maintain
uncontended rwlock state to be responsible for measurable
overhead on high core count servers making lots of system calls.
Given that the evclass hash table can never have items removed,
only added, using a mutex to serialize additions and converting
to ck_list allows sufficient protection for lockless lookups.
In a contrived example of 64 cores, all reading 1 byte from their
own file, this change increases performance from 5M reads/sec
to 70M reads/sec on an AMD 7502P.
Reviewed by: markj, mjg, glebius (privately)
[2 lines not shown]
ice(4): Add support for E835-XXV-4 adapter
Add subdevice ID and branding string for E835-XXV-4
adapter.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Approved by: kbowling (mentor), erj (mentor)
Sponsored by: Intel Corporation
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D53319
mtree: Remove stray atm directory
ATM support for netgraph was removed in af0cc0b22362 ("NgATM: Remove
netgraph ATM support")
Remove the directory from the mtree specification.
Reviewed by: emaste
Fixes: 21735dfaebdf ("include: Remove no longer existing netgraph/atm")
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D53260
(cherry picked from commit 8e8ee8bbe2a112f7d1cc1b005dbdb8868522b640)
bsdinstall: jail: Fix DISTMENU items
The menu was incorrectly using the fourth column (distname) instead of
the first (dist) of the MANIFEST.
The actual file name is on the first column of the MANIFEST file.
Remove the .txz part of the name to build the menu options.
Reviewed by: jamie
MFC after: 5 days
Differential Revision: https://reviews.freebsd.org/D53177
(cherry picked from commit 74921426d552f7491c61684465f964b446379dac)