We include too many references to networking things in the
non-networking build for loader.efi. Ifdef out netserver command when we
are disabling network support to resolve.
PR: 277528
MFC After: 2 days
Reviewed by: imp
Only the gfx-enabled boot loader supports unicode. Otherwise, we have to
use the old cons25 / ibmpc upper code page drawing characters. Check to
see if we have the gfx.term_drawbox function. If we do, we support the
unicode drawing characters. If we don't, then we have an older loader
that doesn't support it *OR* we have the reduced function, text-only
boot loader. In either of those cases, we need to use the old graphics
characters. Abstract all those details into core.hasUnicode function.
PR: 282465
MFC After: 2 day
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D47403
This tolerance had been introduced in commit caa309c881 ("nfsd: Fix
handling of credentials with cr_ngroups == 0", on 2024/10/21).
Now that NFS has been modified in the previous commit (cfbe7a62dc,
"nfs, rpc: Ensure kernel credentials have at least one group") to rule
out credentials with empty 'cr_groups' (and thus, no 'cr_gid'), remove
it back.
This basically reverts the above-mentioned commit except for the not
directly related modifications it contains, which are still valid.
Discussed with: rmacklem (by mail)
Approved by: markj (mentor)
MFC after: 3 days
This fixes several bugs where some 'struct ucred' in the kernel,
constructed from user input (via nmount(2)) or obtained from other
servers (e.g., gssd(8)), could have an unfilled 'cr_groups' field and
whose 'cr_groups[0]' (or 'cr_gid', which is an alias) was later
accessed, causing an uninitialized access giving random access rights.
Use crsetgroups_fallback() to enforce a fallback group when possible.
For NFS, the chosen fallback group is that of the NFS server in the
current VNET (NFSD_VNET(nfsrv_defaultgid)).
There does not seem to be any sensible fallback available in rpc code
(sys/rpc/svc_auth.c, svc_getcred()) on AUTH_UNIX (TLS or not), so just
fail credential retrieval there. Stock NSS sources, rpc.tlsservd(8) or
rpc.tlsclntd(8) provide non-empty group lists, so will not be impacted.
Discussed with: rmacklem (by mail)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46918
Similar to crsetgroups(), but allows an empty group array in input,
treating it like a one-element array containing the passed fallback
group.
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46917
Harden by adding more assertions, and a plain panic in case of an
unrepresentable size for the groups array (this can never happen after
the change of the 'kern.ngroups' computation to impose some not too high
maximum value a few commits ago). Fix an impact in kern_setgroups().
Simplify by removing the iterative process whose purpose is actually to
determine the closest power of two that is greater than the wanted
number of bytes. Using the proper target quantity (number of bytes)
incidentally helps with eliminating divisions (and the reliance on
sizeof(gid_t) being a power of two).
Reviewed by: mhorne (older version)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46915
Leverage the normalization check functions introduced in the previous
commit in all public-facing groups search functions to catch programming
errors early.
Approved by: markj (mentor)
MFC after: 3 days
The groups array has been sorted (not including the first element, which
is always the effective GID) to enable performing a binary search for
determining if some group is part of the supplementary groups set.
Factor out this sorting operation into an internal normalization
function (groups_normalize()), adding to it the removal of duplicates
after the sort.
Separating groups normalization code allows to perform it in advance,
and in particular before calling MAC hooks which need the groups array
to be sorted to perform better. This also enables sorting input arrays
ahead of acquiring the process lock (which is not necessary for this
operation).
kern_setgroups() has been changed accordingly, so MAC modules
implementing the mac_cred_check_setgroups() hook now can assume
a normalized groups array (and also that it has at least one element, as
if kern_setgroups() is passed no groups, the hook is called with an
array of one element being the current effective GID, as this is
effectively the effect of such a call to kern_setgroups()). Further
commits introducing the setcred() system call and associated MAC hooks
will also guarantee a normalized groups array to MAC modules
implementing these hooks.
Rename crsetgroups_locked() into crsetgroups_internal(), as it is no
more "locked" than crsetgroups() itself. However, it can be called
under any lock (as needed), whereas the second may sleep to allocate
memory. Update their herald comments to make that explicit.
In passing, using qsort() instead of the old open-coded insertion sort
(in crsetgroups_locked()) fixes the performance concern about the latter
when using a large number of groups. Also, our qsort() falls back to
insertion sort for small arrays and in case the array is likely to be
mostly sorted, so this shouldn't cause concerns for the small number of
groups common case.
While here, add assertions in inner modification routines to check that
the passed credentials object has a reference count of exactly 1 (in
particular, it must not be shared). Remove a redundant one from some
outer routine.
Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46914
As the comment introduced with the tunable said (but the code didn't
do), make sure that 'ngroups_max' can't be INT_MAX, as this would cause
overflow in the usual 'ngroups_max + 1' computations (as we store the
effective GID and supplementary groups' IDs in the same array, and
'ngroups_max' only applies to supplementary groups).
Further, we limit the maximum number of groups somewhat arbitrarily to
~17M so as to avoid overflow when computing the size in bytes of the
groups set's backing array and to avoid obvious configuration errors.
We really don't think that more than ~17M groups will ever be needed (if
I'm proven wrong one day, please drop me a note about your use case).
While here, document more precisely why NGROUPS_MAX needs to be the
minimum value for 'ngroups_max'.
Reviewed by: mhorne (older version)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46913
sys_setgroups() (and sys_getgroups()) was changed in commit "kern: fail
getgroup and setgroup with negative int" (4bc2174a1b) to take the
number of groups as an 'int' (for sys_getgroups(), POSIX mandates this
change; for sys_setgroups(), which it does not standardize, it's
arguably for consistency).
All our internal APIs related to groups on 'struct ucred', as well as
related members on the latter, treat that number as an 'int' as well
(and not a 'u_int').
Consequently, to avoid surprises, change kern_setgroups() to behave the
same, and fix audit_arg_groupset() accordingly. With that change,
everything is handled with signed integers internally.
Update sanity checks accordingly.
Reviewed by: mhorne
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46912
CRED_SMALLGROUPS_NB now holds the number of inlined groups in field
'cr_smallgroups'. XU_NGROUPS stays the number of groups allowed in
'struct xucred'. The first is an implementation detail, while the
second is part of a public interface. All mentions of XU_NGROUPS in the
tree have been reviewed and only those concerning the implementation
detail have been changed to use CRED_SMALLGROUPS_NB (they were all in
'kern_prot.c').
No functional change, as CRED_SMALLGROUPS_NB is set to 16, the same
value as XU_NGROUPS.
Reviewed by: mhorne (slightly different version)
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46911
This makes that function use a more efficient version of binary search
instead, and removes one more hand-rolled binary search code from the
tree (and the kernel binary).
Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46907
The new name seems more immediately descriptive.
While here, constify its signature ('struct ucred' isn't modified).
While here, replace "supplemental" => "supplementary" in some comments.
No functional change (intended).
Reviewed by: mhorne, emaste
Approved by: markj (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D46906
The previous version used a case-insensitive match (default for -x).
The presence of packages like freebsd-git-devtools and freebsd-ftpd
would falsely trigger the packaged base check.
Instead, just use `pkg which /usr/bin/uname` as a packaged base
indication. pkg uses /usr/bin/uname to determine ABI, so we can rely on
it existing. If it comes from a package then packaged base is in use.
Also, extend the check to all freebsd-update commands. It is easier to
just disallow all commands, and easier to test.
Reported by: Mark Millard
Reviewed by: manu
Fixes: cf1aba2857 ("freebsd-update: refuse to operate on a pkgbase system")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47378
This should have no effect on scripting, but when reading it, sct/sc is
the natural order of things (and the order we print them in
elsewhere). Report them in that order.
Sponsored by: Netflix
There's no reason to write to bus_current_pass outside of the controlled
times subr_bus.c does it, so move to an accessor and make
bus_current_pass private to newbus.
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1457
syscons(4) is not compatible with UEFI, does not support UTF-8, and is
Giant-locked. There is no specific timeline yet for removing it, but
support for the Giant lock is expected to go away in one or two major
release cycles. Add a deprecation notice to avoid surprises, and help
ensure that any material deficiencies in vt(4) become known.
Reviewed by: manu, markj, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47396
The KDMKTONE ioctl, introduced in commit 916347f77e, is used to beep
the PC speaker. For historical reasons the frequency is specified as an
8254 PIT divisor for a 1.19MHz clock. Linux provides this same ioctl.
Add a comment to vtterm_beep to avoid someone wanting to "fix" this in
the future.
Also add an XXX comment that the period unit is supposed to be "timer
ticks." Note that nothing in the base system uses this ioctl.
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D47395
Expand the comment a little to make it clearer: Once we've restarted,
we're out of the resetting phase in our state machine. The controller
has actually been out of reset since we started issuing commands to it
earlier in the resetting phase.
Sponsored by: Netflix
Previously the handler was removed from the wrong eventhandler list.
Fixes: f46d4971b5 nvmf: Handle shutdowns more gracefully
Sponsored by: Chelsio Communications
PDU data alignment (PDA) isn't necessarily a power of 2, just a
multiple of 4, so use roundup() instead of roundup2() to compute the
PDU data offset (PDO).
Sponsored by: Chelsio Communications
The caller supplied PDU data alignment (PDA) field from
nvmf_association_params is the caller's restriction on data alignment
(so affects received PDUs), and the PDA value received from the other
end is the remote end's restriction (so affects transmitted PDUs).
I had these backwards so that if the remote end advertised a PDA it
was used as the receive PDA instead of the transmit PDA.
Sponsored by: Chelsio Communications
Add sys/sytm.h for __diagused which unbreaks compilation of
drm-kmod 5.10-lts on main.
Sponsored by: The FreeBSD Foundation
Reported by: Evgenii Khramtsov
PR: 282479
Fixes: 5c92f84bb6
MFC after: 3 days
There is no easy way to set ipfilter optionlist variables during boot.
Add plumbing to the rc script to support this.
PR: 130555
Reviewed by: jlduran
MFC 1 week
Differential Revision: https://reviews.freebsd.org/D47346
Limit the number of units a newbus device can have to be a positive
number. Reserve and reject the unit INT_MAX so that we can set maxunit
to INT_MAX without ill effect and so the normal signed int math
works. Add sanity checks to make sure we don't get negative unit numbers
from bus routines that can set the unit. Remove now-redundant check for
unit >=0 since it must be after an earlier check.
This should be largely a nop, since we'll likely run out of memory
before we have 2^31 devices. Also, finding unit number is O(n^2) since
we do linear searches for the next unit number, which even on very fast
machines will grind to a halt well before we reach this limit...
Add note to device_find_free_unit that says it can return INT_MAX when
all the unit numbers are in use. The one user in the tree
(ata_pci_attach) will then add a child with this unit and it will fail
and that failure will be handled properly. Hardware limitations, though
mean there will never be more than tens of units, let alone billions.
Update docs to document that EINVAL can be returned for bogus unit
numbers, or when we run out.
Sponsored-by: Netflix
Reviewed-by: jhb
Differential-Revision: https://reviews.freebsd.org/D47359
Co-Authored-by: Elliott Mitchell <ehem+freebsd@m5p.com>
Simplify the complex expression down to what it is on 64-bit systems.
32-bit kernels would allocate 2 at a time. Replace all that with
reallocf which will eliminate a bunch of copies. This should be faster
and simpler on both types of kernels. In addition, transition to
M_WAITOK since this is a sleepable context.
Suggested by: jhb
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D47362
386BSD provided a MD function sysbeep. This took two arguments (pitch
and period). Pitch was jammed into the PIT's divisor directly (which
means the argument was expected to sound a tone at '1193182 / pitch'
Hz). FreeBSD inherited this interface.
In commit e465985885 (svn 177642, Mar 26 2008), phk changed this
function to take a tone to sound in hz. He converted all in-tree
instances of 1193182 / hz to just hz (and kept the few misguided folks
that passed hz directly unchanged -- this was part of what motivated the
change). He converted the places where we pre-computed the 8254 divisor
from being pitch to 1193182 / pitch (since that converts the divisor to
the frequency and the interfaces that were exposed to userland exposed
it in these units in places, continuing the tradition inherited from SCO
System V/386 Unix in spots).
In 2009, Ed Shouten was contracted by the FreeBSD Foundation to write /
finish newcons. This work was done in perforce and was imported into
subversion in user/ed/newcons in revision 199072
(https://svnweb.freebsd.org/base?view=revision&revision=199072) which
was later imported into FreeBSD by ray@ (Aleksandr Rybalko).
From that earliest import into svn import to this date, we ring the bell
with:
sysbeep(1193182 / VT_BELLPITCH, VT_BELLDURATION);
where VT_BELLPITCH was defined to be 800. This results in a bell
frequency of 1491Hz, more or less today. This is similar to the
frequency that syscons and pcvt used (1493Hz and 1500Hz respectively).
This in turn was inherited from 386BSD, it seems, which used the hard
coded value 0x31b which is 795 -> 1500Hz.
This '800' was intended to be the bell tone (eg 800Hz) and this
interface was one that wasn't converted. The most common terminal prior
to the rise of PCs was the VT100, which had an approximately 800Hz
bell. Ed Shouten has confirmed that the original intent was 800Hz and
changing this was overlooked after the change to -current was made.
This restors that original intent and makes the bell less obnoxious in
the process.
Reviewed by: des, adrian
Differential Revision: https://reviews.freebsd.org/D32594
Sponsored by: Netflix
(cherry picked from commit ba48d52ca6)
This change was accidentally reverted in 80f21bb039.
There's a little bit of code that appears in each PCTRIE_REMOVE
function in pctrie.h. Make a new function for it, and invoke it from
those PCTRIE_REMOVE functions.
Reviewed by: bnovkov
Differential Revision: https://reviews.freebsd.org/D47320
Do the `1193182 / pitch` hack only for sc(4).
PR: 281713
Reported by: Rudolf Polzer
Reviewed by: imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D46803
The yield system call has long existed, but never had a stub. Replace
the hardcoded checks for it in libsys_h.lua and syscalls_map.lua and
stop inserting it into MIASM (requiring libsys/Makefile.sys to disable
the stub).
(This seems like overkill, but I've got another case in CheriBSD so this
reduces my diff appreciably.)
Reviewed by: emaste
Pull Request: https://github.com/freebsd/freebsd-src/pull/1503
None of these drivers are for bus devices, so bus_generic_* is not
appropriate. Most of these were nops except that detach would
actually "succeed" (but not do any cleanup).
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D47374
If a device was detached (e.g. via devctl) and then re-attached, the
ivars would be freed by the previous bus_child_detached method during
detach, but device_get_ivars during the subsequent attach would return
a stale pointer resulting in a use after free.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D47371
