rpcsec_gss.c: Avoid panics in clnt_nl_call()
When rpc_gss_init() calls gssd upcall functions like
gssd_import_name(), clnt_nl_call() gets calls.
clnt_nl_call() requires that the currect vnet be set up.
The calling sequence looks something like:
rpc_gss_init()->gssd_import_name()->gssd_import_name_1()->
clnt_call_private()->clnt_nl_call()
(The call to rpc_gss_init() can happen from various places,
such as nfs_getauth() and clnt_vc_call().)
rpc_gss_init() does not know what socket is being
used for NFS client->server RPCs and may be called
from various places when any VOP_xxx()->RPC call
is made. As such, the calling thread might be running
within a jail. However, the gssd upcalls for the NFS
client must always be done to the gssd running outside
of any jails.
[9 lines not shown]
tcp: fix the test that a duplicate ACK has no data
When processing a TCP segment, data is removed from the head or
the tail. The test whether a segment has no data on it should
depend on the TCP segment before the removal. Without this,
received segments might trigger a fast retransmit even when they
should not.
Reported by: syzbot+fc97a2b5a0f7ea161161 at syzkaller.appspotmail.com
Reviewed by: Peter Lei
MFC after: 3 days
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D51425
inetd.conf: remove -[46] from the ssh entry
sshd doesn't require these flags, and including them makes outgoing
connections (e.g., port forwarding) restricted to the family of the
inbound connection, which is not usually desirable and also not how
standalone sshd works.
MFC after: 3 days
Reviewed by: kevans
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D51296
(cherry picked from commit 6738882248a755aad859784150969085e006cf89)
deprecate RIP
Per https://wiki.freebsd.org/DeprecationPlan, deprecate RIP in 15.0R,
with the intention of removing it in 16.0R.
Add a note to the manpages of routed(8), rdisc(8), rtquery(8),
route6d(8) and rip6query(8) noting that they will be removed
in a future release.
RIP has been obsolete for over 20 years and no one is running it on
modern networks. If someone really needs RIP, there are alternatives
such as 'bird' or 'quagga' available from ports; there is no need to
ship it in base.
Relnotes: yes
Reviewed by: des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50292
(cherry picked from commit 4b7cdb5a420f518fbe1968a6916b6d017f54025d)
inetd.conf: remove -[46] from the ssh entry
sshd doesn't require these flags, and including them makes outgoing
connections (e.g., port forwarding) restricted to the family of the
inbound connection, which is not usually desirable and also not how
standalone sshd works.
MFC after: 3 days
Reviewed by: kevans
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D51296
(cherry picked from commit 6738882248a755aad859784150969085e006cf89)
deprecate RIP
Per https://wiki.freebsd.org/DeprecationPlan, deprecate RIP in 15.0R,
with the intention of removing it in 16.0R.
Add a note to the manpages of routed(8), rdisc(8), rtquery(8),
route6d(8) and rip6query(8) noting that they will be removed
in a future release.
RIP has been obsolete for over 20 years and no one is running it on
modern networks. If someone really needs RIP, there are alternatives
such as 'bird' or 'quagga' available from ports; there is no need to
ship it in base.
Relnotes: yes
Reviewed by: des
Approved by: des (mentor)
Differential Revision: https://reviews.freebsd.org/D50292
(cherry picked from commit 4b7cdb5a420f518fbe1968a6916b6d017f54025d)
clnt_rc.c: Fix the case where a TLS handshake fails
When a TLS handshake fails during a NFS-over-TLS
mount attempt, the socket was left around because
it needed to be dereferenced. The dereference was
not happening in clnt_vc_destroy() because ct_closeit
was not set to TRUE.
This patch moves the code that sets ct_closeit to TRUE
up to before the rpctls_connect() call, so that ct_closeit
is set to TRUE if it fails and clnt_vc_destroy() will then
dereference the socket.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D51084
tzcode: Add an explicit "the timezone file has changed" case
This is required for the WITHOUT_DETECT_TZ_CHANGES case, since there the
value being tested is a numeric literal.
Fixes: d63ffdd1ef63 ("tzcode: Fix time zone change detection.")
random: Treat writes to /dev/random as separate from /entropy
RANDOM_CACHED is overloaded to refer both to entropy obtained from files
loaded by the boot loader, and entropy obtained via writes to
/dev/random. Introduce a new source, RANDOM_RANDOMDEV, to refer to the
latter. This is to enable treating RANDOM_CACHED as a special case in
the NIST health test implementation.
Update the default harvest_mask in rc.conf to include RANDOM_RANDOMDEV,
preserving the old behaviour of accepting writes to /dev/random.
Bump __FreeBSD_version for modules which register a pure source, since
all of their values have now shifted.
Reviewed by: cem
MFC after: 3 months
Sponsored by: Stormshield
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51155
random: Add NIST SP 800-90B entropy source health test implementations
This patch implements the noise source health tests described in chapter
four of NIST SP 800-90B[1]. The repetition count test and adaptive
proportion test both help identify cases where a noise source is stuck
and generating the same output too frequently. The tests are disabled
by default, but making an implementation available may help implementors
conform to FIPS validation requirements. This implementation aims to
comply with the requirements listed in section 4.3 of the document.
To enable health testing, set the kern.random.nist_healthtest_enabled
tunable to 1. Startup testing is implemented as specified in the
document: the first 1024 samples from a source are evaluated according
to the two tests, and they are discarded. The RANDOM_CACHED and
RANDOM_PURE_VMGENID sources are excluded from testing, as they are
effectively a one-time source of entropy, and statistical testing
doesn't seem to provide much use.
Since the first 1024 samples from entropy sources are discarded by the
[39 lines not shown]
stress2/fullpath2: Clean up the vn_fullpath DTrace one-liner
- Remove -w; there is no need for destructive actions here.
- Remove the glob from before "vn_fullpath"; the probe description
matches vn_fullpath only anyway, so there is no need for the glob
here.
PR 288222
Reviewed by: christos
Approved by: christos (mentor)
Fixes: 113f2f0c76a7 stress2: Updated dtrace comment
Differential Revision: https://reviews.freebsd.org/D51341
ice(4): Fix setting VF MAC address
MAC address assigned to a Virtual Function using iovctl configuration
was not passed to the VF, but its presence caused ICE to reject random
address generated by the VF. This lead to VF not being able to send
or recieve traffic. Send the administratively assigned MAC address to
a VF in a response to the 'Get VF Resources' virtual channel command.
While at that replace bcopy with memcpy for consistency, and shorten
an over 80 characters line.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Add MAC filter and VLAN resource limits to VFs
Adds two new parameters to iovctl config for VLAN filter limits and MAC
filter limits and gives them defaults of 64 and 16, respectively.
These are intended to limit the number of resources that a VF can
consume so that any one VF cannot starve an other VFs or the PF of
filters.
Signed-off-by: Eric Joyner <eric.joyner at intel.com>
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Enable WB_ON_ITR capability for VFs (#76)
Let VF driver know that HW supports WB_ON_ITR
feature. It allows polling mode driver such
as DPDK to configure an immediate write-back
of completed descriptors.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Fix set RSS hena virtchnl op handler
Remove existing RSS HENA configuration to make sure that
only config requested by VF is applied and allow VFs to
disable RSS completely.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice: Add broadcast filter while creating VF
Filter for unicast MAC address is configured
with a virtual channel message, but filter for
a broadcast traffic was missing. It caused
issues with e.g. ARP.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Fix panic when VF uses less queues then available
VF driver may request to configure MSI-X vectors for less
queues than assigned by PF. Don't try to configure
unassigned vectors to avoid panic.
While at that make the loop process whole array of vectors
received in a VIRTCHNL_OP_CFG_IRQ_MAP message from a VF.
It's not guarantied that vector '0', which is used for other
interrupt causes and is not mapped to a queue, will be always
on the last position. Condition inside the loop already
handles that vector correctly.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice: Add host SR-IOV support
Enable basic SR-IOV support for E800 adapters.
Authored-by: Eric Joyner <erj at FreeBSD.org>
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Fix re-enabling VF queues
On receiving a virtual channel request from VF driver tried
to configure and enable Tx and Rx queues without making
sure that they were disabled. It caused issue with reloading
a VF driver without a reset e.g. in case it crashed.
Fix that by always disabling all Rx and Tx queues.
While at that make sure that only queues requested by VF
driver are enabled. VF driver may use less queues than
assigned to the function when it was created.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
ice(4): Add basic VFLR handler
PF driver needs to tear down and setup VF configuration after
a reset event, e.g. due to reloading a VF driver. Re-use
ice_reset_vf function for that by adding new parameter,
which decides if new reset has to be triggered.
This most likely does not cover all necessary steps
and will be extended in future commits.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
pf tests: make mbuf:inet6_in_mbuf_len more robust
The mbuf:inet6_in_mbuf_len test sometimes fails because it encountered
unexpected extra packets. These turn out to be MLD packets, so block these
packets on the host with pf so they don't disturb what we're actually trying
to test.
Reviewed by: igoro
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51408
nfs_nfsdserv.c: Fix nfsrvd_openattr() for vnode locking
Without this patch, nfsrvd_openattr() requests an unlocked
vnode via VOP_LOOKUP(). This is not allowed for
"options DEBUG_VFS_LOCKS" kernels, so this patch requests a
locked vnode and then unlocks it.
Fixes: e4c7b2b6053f ("nfsv4: Add support to NFSv4 for named attributes")
rpctls_impl.c: Fix handling of hung rpc tls daemon
Commit 26ee05939209 replaced soshutdown()
with soclose() for the case where the RPC TLS
daemon has not removed the socket from the RB
tree during an upcall.
It turns out that soshutdown() is needed for the
"else" case, which is the case that occurs when the
daemon is stuck in SSL_accept() or SSL_connect().
This patch adds a soshutdown() call to this else case,
which unsticks the daemon when the other end does
not do the actual TLS handshake. This can occur if
the daemon is not running at the other end.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D51083
Fixes: 26ee05939209 ("rpctls_impl.c: Fix handling of socket for daemon failure")
libc: Test time zone change detection.
While here, clean the detection code up a bit.
Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D51343
tzcode: Fix time zone change detection.
Prior to the 2022g import, tzloadbody() returned -1 on error. Now it
returns an errno code. When I updated the time zone change detection
logic to match, I improperly returned errno in all cases, which means
that if the time zone file has not changed since we last loaded it,
tzloadbody() returns a random errno value instead of 0.
Fixes: bc42155199b5
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: NetApp, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D51405
release: Install wireless firmware to bootonly media
Also install wireless firmware packages to the bootonly ISO and the
mini-memstick image so users can fetch installation files over a
wireless connection.
Reported by: Mark Philips <mark at freebsdfoundation.org>
Reviewed by: bz, emaste, imp, releng (cperciva)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D51348
inotify: Fix a couple of locking bugs
When hooking vop_rename_post(), the preexisting dst vnode will be
unlocked. But, we need to invoke VOP_GETATTR on it in vn_inotify() to
check its link count.
In inotify_unlink_watch_locked(), the vnode interlock is not held, so
don't use vn_irflag_unset_locked().
Reviewed by: kib
Fixes: f1f230439fa4 ("vfs: Initial revision of inotify")
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D51401
