Date: Mon, 8 Oct 2018 18:06:40 +0000 (UTC) From: Glen Barber <gjb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-projects@freebsd.org Subject: svn commit: r339240 - in projects/openssl111: . crypto/openssh lib/libc/amd64/string sbin/init stand/defaults stand/lua sys/amd64/conf sys/arm64/conf sys/cddl/contrib/opensolaris/uts/common/fs/zfs ... Message-ID: <201810081806.w98I6ebr084624@repo.freebsd.org>
Author: gjb Date: Mon Oct 8 18:06:40 2018 New Revision: 339240 URL: https://svnweb.freebsd.org/changeset/base/339240 Log: MFH r339206-r339212, r339215-r339239 Sponsored by: The FreeBSD Foundation Modified: projects/openssl111/UPDATING projects/openssl111/crypto/openssh/auth2.c projects/openssl111/crypto/openssh/monitor.c projects/openssl111/crypto/openssh/monitor.h projects/openssl111/crypto/openssh/monitor_wrap.c projects/openssl111/crypto/openssh/monitor_wrap.h projects/openssl111/crypto/openssh/sandbox-capsicum.c projects/openssl111/crypto/openssh/sshbuf-getput-basic.c projects/openssl111/crypto/openssh/sshbuf.h projects/openssl111/crypto/openssh/sshd.c projects/openssl111/lib/libc/amd64/string/memset.S projects/openssl111/sbin/init/rc.conf projects/openssl111/stand/defaults/loader.conf projects/openssl111/stand/defaults/loader.conf.5 projects/openssl111/stand/lua/config.lua projects/openssl111/stand/lua/core.lua projects/openssl111/sys/amd64/conf/GENERIC projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM projects/openssl111/sys/arm64/conf/GENERIC projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c projects/openssl111/sys/dev/e1000/if_em.c projects/openssl111/sys/dev/e1000/igb_txrx.c projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c projects/openssl111/sys/i386/conf/GENERIC projects/openssl111/sys/kern/kern_jail.c projects/openssl111/sys/netinet/ip_output.c projects/openssl111/sys/netinet/sctp_output.c projects/openssl111/sys/powerpc/conf/GENERIC projects/openssl111/sys/powerpc/conf/GENERIC64 projects/openssl111/sys/powerpc/powernv/opal_pci.c projects/openssl111/sys/powerpc/pseries/xics.c projects/openssl111/usr.bin/truss/syscalls.c Directory Properties: projects/openssl111/ (props changed) projects/openssl111/crypto/openssh/ (props changed) projects/openssl111/sys/cddl/contrib/opensolaris/ (props changed) Modified: projects/openssl111/UPDATING ============================================================================== --- 
projects/openssl111/UPDATING Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/UPDATING Mon Oct 8 18:06:40 2018 (r339240) @@ -31,6 +31,13 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20181006: + The legacy DRM modules and drivers have now been added to the loader's + module blacklist, in favor of loading them with kld_list in rc.conf(5). + The module blacklist may be overridden with the loader.conf(5) + 'module_blacklist' variable, but loading them via rc.conf(5) is strongly + encouraged. + 20181002: The cam(4) based nda(4) driver will be used over nvd(4) by default on powerpc64. You may set 'options NVME_USE_NVD=1' in your kernel conf or Modified: projects/openssl111/crypto/openssh/auth2.c ============================================================================== --- projects/openssl111/crypto/openssh/auth2.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/auth2.c Mon Oct 8 18:06:40 2018 (r339240) @@ -316,7 +316,7 @@ input_userauth_request(int type, u_int32_t seq, struct #ifdef HAVE_LOGIN_CAP if (authctxt->pw != NULL && - (lc = login_getpwclass(authctxt->pw)) != NULL) { + (lc = PRIVSEP(login_getpwclass(authctxt->pw))) != NULL) { logit("user %s login class %s", authctxt->pw->pw_name, authctxt->pw->pw_class); from_host = auth_get_canonical_hostname(ssh, options.use_dns); @@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct authctxt->pw->pw_name, from_host); packet_disconnect("Logins not available right now."); } - login_close(lc); + PRIVSEP(login_close(lc)); } #endif /* HAVE_LOGIN_CAP */ Modified: projects/openssl111/crypto/openssh/monitor.c ============================================================================== --- projects/openssl111/crypto/openssh/monitor.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/monitor.c Mon Oct 8 18:06:40 2018 (r339240) 
@@ -114,6 +114,7 @@ static struct sshbuf *child_state; int mm_answer_moduli(int, struct sshbuf *); int mm_answer_sign(int, struct sshbuf *); +int mm_answer_login_getpwclass(int, struct sshbuf *); int mm_answer_pwnamallow(int, struct sshbuf *); int mm_answer_auth2_read_banner(int, struct sshbuf *); int mm_answer_authserv(int, struct sshbuf *); @@ -189,6 +190,7 @@ struct mon_table mon_dispatch_proto20[] = { {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli}, #endif {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, + {MONITOR_REQ_GETPWCLASS, MON_AUTH, mm_answer_login_getpwclass}, {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, @@ -707,6 +709,46 @@ mm_answer_sign(int sock, struct sshbuf *m) return (0); } +int +mm_answer_login_getpwclass(int sock, struct sshbuf *m) +{ + login_cap_t *lc; + struct passwd *pw; + int r; + u_int len; + + debug3("%s", __func__); + + pw = sshbuf_get_passwd(m); + if (pw == NULL) + fatal("%s: receive get struct passwd failed", __func__); + + lc = login_getpwclass(pw); + + sshbuf_reset(m); + + if (lc == NULL) { + if (r = sshbuf_put_u8(m, 0) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + goto out; + } + + if ((r = sshbuf_put_u8(m, 1)) != 0 || + (r = sshbuf_put_cstring(m, lc->lc_class)) != 0 || + (r = sshbuf_put_cstring(m, lc->lc_cap)) != 0 || + (r = sshbuf_put_cstring(m, lc->lc_style)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + login_close(lc); + out: + debug3("%s: sending MONITOR_ANS_GETPWCLASS", __func__); + mm_request_send(sock, MONITOR_ANS_GETPWCLASS, m); + + sshbuf_free_passwd(pw); + + return (0); +} + /* Retrieves the password entry and also checks if the user is permitted */ int 
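Review bot: In mm_answer_login_getpwclass the failure branch `if (r = sshbuf_put_u8(m, 0) != 0)` parses as `r = (… != 0)`, so on a buffer error `r` holds 1 instead of the sshbuf error code and the fatal() message reports the wrong reason; write it `if ((r = sshbuf_put_u8(m, 0)) != 0)` like the other put calls in the same function. The local `u_int len` is declared but never used. A larger point: the monitor derives the login class from a `struct passwd` deserialized from the unprivileged side and registers the request as MON_AUTH, so the privileged process acts on whatever class name the sandboxed child sends; since the monitor already holds its own copy in `authctxt->pw` (assigned in mm_answer_pwnamallow), calling login_getpwclass() on that and treating the received struct at most as a consistency check would keep the decision on the privileged side.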
@@ -745,19 +787,8 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m) authctxt->pw = pwent; authctxt->valid = 1; - /* XXX don't sent pwent to unpriv; send fake class/dir/shell too */ if ((r = sshbuf_put_u8(m, 1)) != 0 || - (r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 || - (r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 || - (r = sshbuf_put_cstring(m, "*")) != 0 || -#ifdef HAVE_STRUCT_PASSWD_PW_GECOS - (r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 || -#endif -#ifdef HAVE_STRUCT_PASSWD_PW_CLASS - (r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 || -#endif - (r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 || - (r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0) + (r = sshbuf_put_passwd(m, pwent)) != 0) fatal("%s: buffer error: %s", __func__, ssh_err(r)); out: Modified: projects/openssl111/crypto/openssh/monitor.h ============================================================================== --- projects/openssl111/crypto/openssh/monitor.h Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/monitor.h Mon Oct 8 18:06:40 2018 (r339240) @@ -53,7 +53,8 @@ enum monitor_reqtype { MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45, MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47, MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49, - MONITOR_REQ_TERM = 50, + MONITOR_REQ_GETPWCLASS = 50, MONITOR_ANS_GETPWCLASS = 51, + MONITOR_REQ_TERM = 52, MONITOR_REQ_PAM_START = 100, MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103, Modified: projects/openssl111/crypto/openssh/monitor_wrap.c ============================================================================== --- projects/openssl111/crypto/openssh/monitor_wrap.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/monitor_wrap.c Mon Oct 8 18:06:40 2018 (r339240) 
@@ -247,6 +247,57 @@ mm_sshkey_sign(struct sshkey *key, u_char **sigp, size return (0); } +login_cap_t * +mm_login_getpwclass(const struct passwd *pwent) +{ + int r; + struct sshbuf *m; + char rc; + login_cap_t *lc; + + debug3("%s entering", __func__); + + if ((m = sshbuf_new()) == NULL) + fatal("%s: sshbuf_new failed", __func__); + if ((r = sshbuf_put_passwd(m, pwent)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GETPWCLASS, m); + + debug3("%s: waiting for MONITOR_ANS_GETPWCLASS", __func__); + mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GETPWCLASS, m); + + if ((r = sshbuf_get_u8(m, &rc)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + if (rc == 0) { + lc = NULL; + goto out; + } + + lc = xmalloc(sizeof(*lc)); + if ((r = sshbuf_get_cstring(m, &lc->lc_class, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &lc->lc_cap, NULL)) != 0 || + (r = sshbuf_get_cstring(m, &lc->lc_style, NULL)) != 0) + fatal("%s: buffer error: %s", __func__, ssh_err(r)); + + out: + sshbuf_free(m); + + return (lc); +} + +void +mm_login_close(login_cap_t *lc) +{ + if (lc == NULL) + return; + free(lc->lc_style); + free(lc->lc_class); + free(lc->lc_cap); + free(lc); +} + struct passwd * mm_getpwnamallow(const char *username) { 
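Review bot: `char rc` in mm_login_getpwclass is handed to sshbuf_get_u8(), whose value pointer is `u_char *`; declare it `u_char rc` so the call is type-correct and does not trip a pointer-sign warning. The decode otherwise mirrors the encoder field for field, and mm_login_close releases exactly the three strings the decoder allocates.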
@@ -279,25 +330,9 @@ mm_getpwnamallow(const char *username) goto out; } - /* XXX don't like passing struct passwd like this */ - pw = xcalloc(sizeof(*pw), 1); - if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); - if (len != sizeof(*pw)) - fatal("%s: struct passwd size mismatch", __func__); - memcpy(pw, p, sizeof(*pw)); - - if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 || - (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 || -#ifdef HAVE_STRUCT_PASSWD_PW_GECOS - (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 || -#endif -#ifdef HAVE_STRUCT_PASSWD_PW_CLASS - (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 || -#endif - (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 || - (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0) - fatal("%s: buffer error: %s", __func__, ssh_err(r)); + pw = sshbuf_get_passwd(m); + if (pw == NULL) + fatal("%s: receive get struct passwd failed", __func__); out: /* copy options block as a Match directive may have changed some */ Modified: projects/openssl111/crypto/openssh/monitor_wrap.h ============================================================================== --- projects/openssl111/crypto/openssh/monitor_wrap.h Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/monitor_wrap.h Mon Oct 8 18:06:40 2018 (r339240) @@ -28,6 +28,8 @@ #ifndef _MM_WRAP_H_ #define _MM_WRAP_H_ +#include <login_cap.h> + extern int use_privsep; #define PRIVSEP(x) (use_privsep ? mm_##x : x) 
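Review bot: With the manual decode removed from mm_getpwnamallow, the locals that served it (`p` and `len` in the deleted lines) appear to have no remaining use; their declarations sit above the hunk, so check them and drop any that are now dead to avoid unused-variable warnings. The enclosing function starts outside the hunk.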
@@ -45,6 +47,8 @@ int mm_sshkey_sign(struct sshkey *, u_char **, size_t const char *, u_int compat); void mm_inform_authserv(char *, char *); struct passwd *mm_getpwnamallow(const char *); +login_cap_t *mm_login_getpwclass(const struct passwd *pwd); +void mm_login_close(login_cap_t *lc); char *mm_auth2_read_banner(void); int mm_auth_password(struct ssh *, char *); int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *, Modified: projects/openssl111/crypto/openssh/sandbox-capsicum.c ============================================================================== --- projects/openssl111/crypto/openssh/sandbox-capsicum.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/sandbox-capsicum.c Mon Oct 8 18:06:40 2018 (r339240) @@ -31,6 +31,7 @@ __RCSID("$FreeBSD$"); #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <capsicum_helpers.h> #include "log.h" #include "monitor.h" @@ -70,6 +71,8 @@ ssh_sandbox_child(struct ssh_sandbox *box) { struct rlimit rl_zero; cap_rights_t rights; + + caph_cache_tzdata(); rl_zero.rlim_cur = rl_zero.rlim_max = 0; Modified: projects/openssl111/crypto/openssh/sshbuf-getput-basic.c ============================================================================== --- projects/openssl111/crypto/openssh/sshbuf-getput-basic.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/sshbuf-getput-basic.c Mon Oct 8 18:06:40 2018 (r339240) @@ -25,6 +25,7 @@ #include <stdio.h> #include <string.h> +#include "xmalloc.h" #include "ssherr.h" #include "sshbuf.h" 
@@ -461,4 +462,96 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf, return SSH_ERR_INTERNAL_ERROR; } return 0; +} + +/* + * store struct pwd + */ +int +sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent) +{ + int r; + + /* + * We never send pointer values of struct passwd. + * It is safe from wild pointer even if a new pointer member is added. + */ + + if ((r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0) || + (r = sshbuf_put_cstring(buf, pwent->pw_name)) != 0 || + (r = sshbuf_put_cstring(buf, "*")) != 0 || + (r = sshbuf_put_u32(buf, pwent->pw_uid)) != 0 || + (r = sshbuf_put_u32(buf, pwent->pw_gid)) != 0 || + (r = sshbuf_put_u64(buf, pwent->pw_change)) != 0 || +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS + (r = sshbuf_put_cstring(buf, pwent->pw_gecos)) != 0 || +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS + (r = sshbuf_put_cstring(buf, pwent->pw_class)) != 0 || +#endif + (r = sshbuf_put_cstring(buf, pwent->pw_dir)) != 0 || + (r = sshbuf_put_cstring(buf, pwent->pw_shell)) != 0 || + (r = sshbuf_put_u64(buf, pwent->pw_expire)) != 0 || + (r = sshbuf_put_u32(buf, pwent->pw_fields)) != 0) { + return r; + } + return 0; +} + +/* + * extract struct pwd + */ +struct passwd * +sshbuf_get_passwd(struct sshbuf *buf) +{ + struct passwd *pw; + int r; + size_t len; + + /* check if size of struct passwd is as same as sender's size */ + r = sshbuf_get_u64(buf, &len); + if (r != 0 || len != sizeof(*pw)) + return NULL; + + pw = xcalloc(1, sizeof(*pw)); + if (sshbuf_get_cstring(buf, &pw->pw_name, NULL) != 0 || + sshbuf_get_cstring(buf, &pw->pw_passwd, NULL) != 0 || + sshbuf_get_u32(buf, &pw->pw_uid) != 0 || + sshbuf_get_u32(buf, &pw->pw_gid) != 0 || + sshbuf_get_u64(buf, &pw->pw_change) != 0 || +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS + sshbuf_get_cstring(buf, &pw->pw_gecos, NULL) != 0 || +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS + sshbuf_get_cstring(buf, &pw->pw_class, NULL) != 0 || +#endif + sshbuf_get_cstring(buf, &pw->pw_dir, NULL) != 0 || + sshbuf_get_cstring(buf, &pw->pw_shell, 
NULL) != 0 || + sshbuf_get_u64(buf, &pw->pw_expire) != 0 || + sshbuf_get_u32(buf, &pw->pw_fields) != 0) { + sshbuf_free_passwd(pw); + return NULL; + } + return pw; +} + +/* + * free struct passwd obtained from sshbuf_get_passwd. + */ +void +sshbuf_free_passwd(struct passwd *pwent) +{ + if (pwent == NULL) + return; + free(pwent->pw_shell); + free(pwent->pw_dir); +#ifdef HAVE_STRUCT_PASSWD_PW_CLASS + free(pwent->pw_class); +#endif +#ifdef HAVE_STRUCT_PASSWD_PW_GECOS + free(pwent->pw_gecos); +#endif + free(pwent->pw_passwd); + free(pwent->pw_name); + free(pwent); } Modified: projects/openssl111/crypto/openssh/sshbuf.h ============================================================================== --- projects/openssl111/crypto/openssh/sshbuf.h Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/sshbuf.h Mon Oct 8 18:06:40 2018 (r339240) @@ -21,6 +21,7 @@ #include <sys/types.h> #include <stdarg.h> #include <stdio.h> +#include <pwd.h> #ifdef WITH_OPENSSL # include <openssl/bn.h> # ifdef OPENSSL_HAS_ECC @@ -245,6 +246,21 @@ int sshbuf_b64tod(struct sshbuf *buf, const char *b64) * nul character. */ char *sshbuf_dup_string(struct sshbuf *buf); + +/* + * store struct pwd + */ +int sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent); + +/* + * extract struct pwd + */ +struct passwd *sshbuf_get_passwd(struct sshbuf *buf); + +/* + * free struct passwd obtained from sshbuf_get_passwd. + */ +void sshbuf_free_passwd(struct passwd *pwent); /* Macros for decoding/encoding integers */ #define PEEK_U64(p) \ Modified: projects/openssl111/crypto/openssh/sshd.c ============================================================================== --- projects/openssl111/crypto/openssh/sshd.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/crypto/openssh/sshd.c Mon Oct 8 18:06:40 2018 (r339240) 
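Review bot: sshbuf_get_passwd passes `&len` (a `size_t`), `&pw->pw_change` and `&pw->pw_expire` (`time_t`) to sshbuf_get_u64(), which takes a `u_int64_t *`; that is only the right width on LP64 targets, and on FreeBSD i386, where both types are 32 bits wide, the 8-byte store writes past the end of the object. `&pw->pw_fields` (`int`) to sshbuf_get_u32() is the same kind of mismatch at equal width. Decode into properly typed temporaries and assign afterwards, as sketched below. Separately, in sshbuf_put_passwd the first term `(r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0)` assigns the comparison result to `r`, so a failure there returns 1 rather than the sshbuf error code; write it `(r = sshbuf_put_u64(buf, sizeof(*pwent))) != 0` like the terms that follow.
```c
struct passwd *
sshbuf_get_passwd(struct sshbuf *buf)
{
	struct passwd *pw;
	int r;
	u_int64_t len, change, expire;
	u_int32_t fields;

	/* check if size of struct passwd is as same as sender's size */
	r = sshbuf_get_u64(buf, &len);
	if (r != 0 || len != sizeof(*pw))
		return NULL;

	pw = xcalloc(1, sizeof(*pw));
	/* … unchanged: pw_name, pw_passwd, pw_uid, pw_gid terms … */
	if (sshbuf_get_u64(buf, &change) != 0 ||
	    /* … unchanged: pw_gecos, pw_class, pw_dir, pw_shell terms … */
	    sshbuf_get_u64(buf, &expire) != 0 ||
	    sshbuf_get_u32(buf, &fields) != 0) {
		sshbuf_free_passwd(pw);
		return NULL;
	}
	/* Narrow to the platform's time_t/int only after a complete decode. */
	pw->pw_change = (time_t)change;
	pw->pw_expire = (time_t)expire;
	pw->pw_fields = (int)fields;
	return pw;
}
```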
@@ -2143,6 +2143,11 @@ main(int ac, char **av) */ remote_ip = ssh_remote_ipaddr(ssh); +#ifdef HAVE_LOGIN_CAP + /* Also caches remote hostname for sandboxed child. */ + auth_get_canonical_hostname(ssh, options.use_dns); +#endif + #ifdef SSH_AUDIT_EVENTS audit_connection_from(remote_ip, remote_port); #endif Modified: projects/openssl111/lib/libc/amd64/string/memset.S ============================================================================== --- projects/openssl111/lib/libc/amd64/string/memset.S Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/lib/libc/amd64/string/memset.S Mon Oct 8 18:06:40 2018 (r339240) @@ -31,7 +31,7 @@ #include <machine/asm.h> __FBSDID("$FreeBSD$"); -.macro MEMSET bzero +.macro MEMSET bzero erms .if \bzero == 1 movq %rsi,%rcx movq %rsi,%rdx @@ -43,21 +43,75 @@ __FBSDID("$FreeBSD$"); movabs $0x0101010101010101,%rax imulq %r8,%rax .endif - cmpq $15,%rcx - jbe 1f - shrq $3,%rcx - rep - stosq - movq %rdx,%rcx - andq $7,%rcx - jne 1f + + cmpq $32,%rcx + jb 1016f + + cmpq $256,%rcx + ja 1256f + +1032: + movq %rax,(%rdi) + movq %rax,8(%rdi) + movq %rax,16(%rdi) + movq %rax,24(%rdi) + leaq 32(%rdi),%rdi + subq $32,%rcx + cmpq $32,%rcx + jae 1032b + cmpb $0,%cl + je 1000f +1016: + cmpb $16,%cl + jl 1008f + movq %rax,(%rdi) + movq %rax,8(%rdi) + subb $16,%cl + jz 1000f + leaq 16(%rdi),%rdi +1008: + cmpb $8,%cl + jl 1004f + movq %rax,(%rdi) + subb $8,%cl + jz 1000f + leaq 8(%rdi),%rdi +1004: + cmpb $4,%cl + jl 1002f + movl %eax,(%rdi) + subb $4,%cl + jz 1000f + leaq 4(%rdi),%rdi +1002: + cmpb $2,%cl + jl 1001f + movw %ax,(%rdi) + subb $2,%cl + jz 1000f + leaq 2(%rdi),%rdi +1001: + cmpb $1,%cl + jl 1000f + movb %al,(%rdi) +1000: .if \bzero == 0 movq %r9,%rax .endif ret -1: + +1256: +.if \erms == 1 rep stosb +.else + shrq $3,%rcx + rep + stosq + movq %rdx,%rcx + andb $7,%cl + jne 1004b +.endif .if \bzero == 0 movq %r9,%rax .endif 
@@ -66,11 +120,11 @@ __FBSDID("$FreeBSD$"); #ifndef BZERO ENTRY(memset) - MEMSET bzero=0 + MEMSET bzero=0 erms=0 END(memset) #else ENTRY(bzero) - MEMSET bzero=1 + MEMSET bzero=1 erms=0 END(bzero) #endif Modified: projects/openssl111/sbin/init/rc.conf ============================================================================== --- projects/openssl111/sbin/init/rc.conf Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sbin/init/rc.conf Mon Oct 8 18:06:40 2018 (r339240) @@ -163,7 +163,7 @@ firewall_simple_onet="192.0.2.0/28" # Outside network # firewall. #firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix # for "simple" firewall. -firewall_myservices="" # List of TCP ports on which this host +firewall_myservices="" # List of ports/protocols on which this host # offers services for "workstation" firewall. firewall_allowservices="" # List of IPs which have access to # $firewall_myservices for "workstation" Modified: projects/openssl111/stand/defaults/loader.conf ============================================================================== --- projects/openssl111/stand/defaults/loader.conf Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/stand/defaults/loader.conf Mon Oct 8 18:06:40 2018 (r339240) 
@@ -97,6 +97,7 @@ efi_max_resolution="1x1" # Set the max resolution for #console="vidconsole" # A comma separated list of console(s) #currdev="disk1s1a" # Set the current device module_path="/boot/modules;/boot/dtb;/boot/dtb/overlays" # Set the module search path +module_blacklist="drm drm2 radeonkms i915kms amdgpu" # Loader module blacklist #prompt="\\${interpret}" # Set the command prompt #root_disk_unit="0" # Force the root disk unit number #rootdev="disk1s1a" # Set the root filesystem Modified: projects/openssl111/stand/defaults/loader.conf.5 ============================================================================== --- projects/openssl111/stand/defaults/loader.conf.5 Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/stand/defaults/loader.conf.5 Mon Oct 8 18:06:40 2018 (r339240) @@ -23,7 +23,7 @@ .\" SUCH DAMAGE. .\" .\" $FreeBSD$ -.Dd August 28, 2018 +.Dd October 6, 2018 .Dt LOADER.CONF 5 .Os .Sh NAME @@ -147,6 +147,15 @@ If a password is set, the user must provide specified If set to .Dq YES , module names will be displayed as they are loaded. +.It Ar module_blacklist +Blacklist of modules. +Modules specified in the blacklist may not be loaded automatically with a +.Ar *_load +directive, but they may be loaded directly at the +.Xr loader 8 +prompt. +Blacklisted modules may still be loaded indirectly as dependencies of other +moduled. .It Ar *_load If set to .Dq YES , Modified: projects/openssl111/stand/lua/config.lua ============================================================================== --- projects/openssl111/stand/lua/config.lua Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/stand/lua/config.lua Mon Oct 8 18:06:40 2018 (r339240) 
@@ -54,6 +54,7 @@ local MSG_XENKERNFAIL = "Failed to load Xen kernel '%s local MSG_XENKERNLOADING = "Loading Xen kernel..." local MSG_KERNLOADING = "Loading kernel..." local MSG_MODLOADING = "Loading configured modules..." +local MSG_MODBLACKLIST = "Not loading blacklisted module '%s'" local MSG_MODLOADFAIL = "Could not load one or more modules!" local MODULEEXPR = '([%w-_]+)' @@ -265,20 +266,37 @@ local function isValidComment(line) return true end +local function getBlacklist() + local blacklist_str = loader.getenv('module_blacklist') + if blacklist_str == nil then + return nil + end + + local blacklist = {} + for mod in blacklist_str:gmatch("[;, ]?([%w-_]+)[;, ]?") do + blacklist[mod] = true + end + return blacklist +end + local function loadModule(mod, silent) local status = true + local blacklist = getBlacklist() local pstatus for k, v in pairs(mod) do if v.load ~= nil and v.load:lower() == "yes" then + local module_name = v.name or k + if blacklist[module_name] ~= nil then + if not silent then + print(MSG_MODBLACKLIST:format(module_name)) + end + goto continue + end local str = "load " if v.type ~= nil then str = str .. "-t " .. v.type .. " " end - if v.name ~= nil then - str = str .. v.name - else - str = str .. k - end + str = str .. module_name if v.flags ~= nil then str = str .. " " .. v.flags end @@ -309,6 +327,7 @@ local function loadModule(mod, silent) end end + ::continue:: end return status Modified: projects/openssl111/stand/lua/core.lua ============================================================================== --- projects/openssl111/stand/lua/core.lua Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/stand/lua/core.lua Mon Oct 8 18:06:40 2018 (r339240) @@ -34,6 +34,10 @@ local hook = require("hook") local core = {} +local default_safe_mode = false +local default_single_user = false +local default_verbose = false + local function composeLoaderCmd(cmd_name, argstr) if argstr ~= nil then cmd_name = cmd_name .. " " .. argstr 
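Review bot: loadModule indexes `blacklist[module_name]` unconditionally, but getBlacklist returns nil when the `module_blacklist` variable is unset, so any configuration without that variable fails with an attempt to index a nil value on the first module whose `load` is "yes". Return an empty table instead: change the early `return nil` in getBlacklist to `return {}`. getBlacklist is also re-evaluated on every loadModule call; hoisting it is optional but would avoid repeated environment parsing.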
@@ -41,6 +45,26 @@ local function composeLoaderCmd(cmd_name, argstr) return cmd_name end +local function recordDefaults() + -- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386, + -- it will generally be set upon execution of the kernel. Because of + -- this, we can't (or don't really want to) detect/disable ACPI on !i386 + -- reliably. Just set it enabled if we detect it and leave well enough + -- alone if we don't. + local boot_acpi = core.isSystem386() and core.getACPIPresent(false) + local boot_single = loader.getenv("boot_single") or "no" + local boot_verbose = loader.getenv("boot_verbose") or "no" + default_single_user = boot_single:lower() ~= "no" + default_verbose = boot_verbose:lower() ~= "no" + + if boot_acpi then + core.setACPI(true) + end + core.setSingleUser(default_single_user) + core.setVerbose(default_verbose) +end + + -- Globals -- try_include will return the loaded module on success, or nil on failure. -- A message will also be printed on failure, with one exception: non-verbose @@ -268,9 +292,9 @@ end function core.setDefaults() core.setACPI(core.getACPIPresent(true)) - core.setSafeMode(false) - core.setSingleUser(false) - core.setVerbose(false) + core.setSafeMode(default_safe_mode) + core.setSingleUser(default_single_user) + core.setVerbose(default_verbose) end function core.autoboot(argstr) 
@@ -367,13 +391,6 @@ function core.popFrontTable(tbl) return first_value, new_tbl end --- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386, it will --- generally be set upon execution of the kernel. Because of this, we can't (or --- don't really want to) detect/disable ACPI on !i386 reliably. Just set it --- enabled if we detect it and leave well enough alone if we don't. -if core.isSystem386() and core.getACPIPresent(false) then - core.setACPI(true) -end - +recordDefaults() hook.register("config.reloaded", core.clearCachedKernels) return core Modified: projects/openssl111/sys/amd64/conf/GENERIC ============================================================================== --- projects/openssl111/sys/amd64/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/amd64/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240) @@ -52,7 +52,6 @@ options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework -options GEOM_PART_GPT # GUID Partition Tables. options GEOM_RAID # Soft RAID functionality. options GEOM_LABEL # Provides labelization options EFIRT # EFI Runtime Services support Modified: projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM ============================================================================== --- projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM Mon Oct 8 18:06:40 2018 (r339240) 
@@ -7,7 +7,6 @@ include MINIMAL ident GENERIC-MMCCAM # Access GPT-formatted and labeled root volume -options GEOM_PART_GPT options GEOM_LABEL # UART -- for bhyve console Modified: projects/openssl111/sys/arm64/conf/GENERIC ============================================================================== --- projects/openssl111/sys/arm64/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/arm64/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240) @@ -50,7 +50,6 @@ options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework -options GEOM_PART_GPT # GUID Partition Tables. options GEOM_RAID # Soft RAID functionality. options GEOM_LABEL # Provides labelization options COMPAT_FREEBSD32 # Incomplete, but used by cloudabi32.ko. Modified: projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c ============================================================================== --- projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c Mon Oct 8 18:06:40 2018 (r339240) @@ -2964,6 +2964,8 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s { vdev_t *vd; + vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva)); + if (vd->vdev_ops == &vdev_indirect_ops) { /* * The indirect vdev can point to multiple @@ -2974,6 +2976,7 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s */ return (B_TRUE); } + if (DVA_GET_GANG(dva)) { /* * Gang members may be spread across multiple 
@@ -2985,8 +2988,6 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s */ return (B_TRUE); } - - vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva)); /* * Check if the txg falls within the range which must be Modified: projects/openssl111/sys/dev/e1000/if_em.c ============================================================================== --- projects/openssl111/sys/dev/e1000/if_em.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/dev/e1000/if_em.c Mon Oct 8 18:06:40 2018 (r339240) @@ -1804,13 +1804,11 @@ em_if_update_admin_status(if_ctx_t ctx) } iflib_link_state_change(ctx, LINK_STATE_UP, IF_Mbps(adapter->link_speed)); - printf("Link state changed to up\n"); } else if (!link_check && (adapter->link_active == 1)) { adapter->link_speed = 0; adapter->link_duplex = 0; adapter->link_active = 0; iflib_link_state_change(ctx, LINK_STATE_DOWN, 0); - printf("Link state changed to down\n"); } em_update_stats_counters(adapter); Modified: projects/openssl111/sys/dev/e1000/igb_txrx.c ============================================================================== --- projects/openssl111/sys/dev/e1000/igb_txrx.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/dev/e1000/igb_txrx.c Mon Oct 8 18:06:40 2018 (r339240) @@ -152,7 +152,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi u32 vlan_macip_lens, type_tucmd_mlhl; u32 mss_l4len_idx; mss_l4len_idx = vlan_macip_lens = type_tucmd_mlhl = 0; - int offload = TRUE; /* First check if TSO is to be used */ if (pi->ipi_csum_flags & CSUM_TSO) @@ -186,7 +185,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV6; break; default: - offload = FALSE; break; } 
@@ -195,24 +193,26 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi switch (pi->ipi_ipproto) { case IPPROTO_TCP: - if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP)) + if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP)) { type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_TCP; + *olinfo_status |= E1000_TXD_POPTS_TXSM << 8; + } break; case IPPROTO_UDP: - if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP)) + if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP)) { type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_UDP; + *olinfo_status |= E1000_TXD_POPTS_TXSM << 8; + } break; case IPPROTO_SCTP: - if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP)) + if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP)) { type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_SCTP; + *olinfo_status |= E1000_TXD_POPTS_TXSM << 8; + } break; default: - offload = FALSE; break; } - - if (offload) /* For the TX descriptor setup */ - *olinfo_status |= E1000_TXD_POPTS_TXSM << 8; /* 82575 needs the queue index added */ if (adapter->hw.mac.type == e1000_82575) Modified: projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c ============================================================================== --- projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c Mon Oct 8 18:06:40 2018 (r339240) 
@@ -905,28 +905,6 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv * priv->flags &= ~MLX4_EN_FLAG_MC_PROMISC; } - /* Update unicast list */ - mlx4_en_cache_uclist(dev); - - update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list); - - list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) { - if (addr_list->action == MLX4_ADDR_LIST_REM) { - mlx4_en_uc_steer_release(priv, addr_list->addr, - priv->rss_map.indir_qp.qpn, - addr_list->reg_id); - /* remove from list */ - list_del(&addr_list->list); - kfree(addr_list); - } else if (addr_list->action == MLX4_ADDR_LIST_ADD) { - err = mlx4_en_uc_steer_add(priv, addr_list->addr, - &priv->rss_map.indir_qp.qpn, - &addr_list->reg_id); - if (err) - en_err(priv, "Fail to add unicast address\n"); - } - } - err = mlx4_SET_MCAST_FLTR(mdev->dev, priv->port, 0, 0, MLX4_MCAST_DISABLE); if (err) @@ -996,6 +974,36 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv * } } +static void mlx4_en_do_unicast(struct mlx4_en_priv *priv, + struct net_device *dev, + struct mlx4_en_dev *mdev) +{ + struct mlx4_en_addr_list *addr_list, *tmp; + int err; + + /* Update unicast list */ + mlx4_en_cache_uclist(dev); + + update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list); + + list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) { + if (addr_list->action == MLX4_ADDR_LIST_REM) { + mlx4_en_uc_steer_release(priv, addr_list->addr, + priv->rss_map.indir_qp.qpn, + addr_list->reg_id); + /* remove from list */ + list_del(&addr_list->list); + kfree(addr_list); + } else if (addr_list->action == MLX4_ADDR_LIST_ADD) { + err = mlx4_en_uc_steer_add(priv, addr_list->addr, + &priv->rss_map.indir_qp.qpn, + &addr_list->reg_id); + if (err) + en_err(priv, "Fail to add unicast address\n"); + } + } +} + static void mlx4_en_do_set_rx_mode(struct work_struct *work) { struct mlx4_en_priv *priv = container_of(work, struct mlx4_en_priv, 
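Review bot: mlx4_en_do_unicast declares `struct mlx4_en_dev *mdev` but its body never reads it; the parameter appears to be kept only for symmetry with mlx4_en_do_multicast. Either drop it (and the argument at the new call site in mlx4_en_do_set_rx_mode) or record the intent with a comment such as `/* mdev unused; kept for parity with mlx4_en_do_multicast() */`.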
@@ -1026,17 +1034,19 @@ static void mlx4_en_do_set_rx_mode(struct work_struct } } + /* Set unicast rules */ + mlx4_en_do_unicast(priv, dev, mdev); + /* Promsicuous mode: disable all filters */ if ((dev->if_flags & IFF_PROMISC) || (priv->flags & MLX4_EN_FLAG_FORCE_PROMISC)) { mlx4_en_set_promisc_mode(priv, mdev); - goto out; + } else if (priv->flags & MLX4_EN_FLAG_PROMISC) { + /* Not in promiscuous mode */ + mlx4_en_clear_promisc_mode(priv, mdev); } - /* Not in promiscuous mode */ - if (priv->flags & MLX4_EN_FLAG_PROMISC) - mlx4_en_clear_promisc_mode(priv, mdev); - + /* Set multicast rules */ mlx4_en_do_multicast(priv, dev, mdev); out: mutex_unlock(&mdev->state_lock); Modified: projects/openssl111/sys/i386/conf/GENERIC ============================================================================== --- projects/openssl111/sys/i386/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/i386/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240) @@ -51,7 +51,6 @@ options MSDOSFS # MSDOS Filesystem options CD9660 # ISO 9660 Filesystem options PROCFS # Process filesystem (requires PSEUDOFS) options PSEUDOFS # Pseudo-filesystem framework -options GEOM_PART_GPT # GUID Partition Tables. options GEOM_RAID # Soft RAID functionality. options GEOM_LABEL # Provides labelization options COMPAT_FREEBSD4 # Compatible with FreeBSD4 Modified: projects/openssl111/sys/kern/kern_jail.c ============================================================================== --- projects/openssl111/sys/kern/kern_jail.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/kern/kern_jail.c Mon Oct 8 18:06:40 2018 (r339240) 
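Review bot: With the `goto out` on the promiscuous path removed, the `out:` label before `mutex_unlock` is unused unless an earlier part of mlx4_en_do_set_rx_mode, which starts before this hunk, still jumps to it; if nothing does, the label should be dropped to avoid an unused-label warning. The new `/* Set unicast rules */` comment does not say that unicast steering now runs even when the port is promiscuous, whereas the removed `goto out` used to skip it; a comment such as `/* Set unicast rules; applied before and regardless of promiscuous mode */` would record whether that ordering is intentional.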
@@ -1393,11 +1393,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i * there is a duplicate on a jail with more than one * IP stop checking and return error. */ - tppr = ppr; #ifdef VIMAGE - for (; tppr != &prison0; tppr = tppr->pr_parent) + for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent) if (tppr->pr_flags & PR_VNET) break; +#else + tppr = &prison0; #endif FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { if (tpr == pr || @@ -1460,11 +1461,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i } } /* Check for conflicting IP addresses. */ - tppr = ppr; #ifdef VIMAGE - for (; tppr != &prison0; tppr = tppr->pr_parent) + for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent) if (tppr->pr_flags & PR_VNET) break; +#else + tppr = &prison0; #endif FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) { if (tpr == pr || Modified: projects/openssl111/sys/netinet/ip_output.c ============================================================================== --- projects/openssl111/sys/netinet/ip_output.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/netinet/ip_output.c Mon Oct 8 18:06:40 2018 (r339240) @@ -262,11 +262,12 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct rou ip->ip_v = IPVERSION; ip->ip_hl = hlen >> 2; ip_fillid(ip); - IPSTAT_INC(ips_localout); } else { /* Header already set, fetch hlen from there */ hlen = ip->ip_hl << 2; } + if ((flags & IP_FORWARDING) == 0) + IPSTAT_INC(ips_localout); /* * dst/gw handling: Modified: projects/openssl111/sys/netinet/sctp_output.c ============================================================================== --- projects/openssl111/sys/netinet/sctp_output.c Mon Oct 8 17:22:27 2018 (r339239) +++ projects/openssl111/sys/netinet/sctp_output.c Mon Oct 8 18:06:40 2018 (r339240) 
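Review bot: In both kern_jail_set hunks the non-VIMAGE branch now starts the conflict search at `&prison0`, i.e. the whole prison tree, where it previously started at `ppr`, and no comment explains the widened scope; a comment on the `#else` such as `/* Without VIMAGE all prisons share one network stack, so check the whole tree. */` would document it. The same search loop is now duplicated verbatim for the IPv4 and IPv6 checks; a small static helper returning the starting prison would keep the two in step.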
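Review bot: The relocated `ips_localout` increment in ip_output now runs after both header paths, so packets whose header the caller already built (the `else` branch) are counted too, with only `IP_FORWARDING` traffic excluded — the visible lines do not state that this widening is intended. A comment above the test such as `/* Count every locally originated packet, whether or not we built the header. */` would make that explicit.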
@@ -4983,7 +4983,6 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_ struct sctp_paramhdr *phdr, params; struct mbuf *mat, *op_err; - char tempbuf[SCTP_PARAM_BUFFER_SIZE]; int at, limit, pad_needed; uint16_t ptype, plen, padded_size; int err_at; @@ -5123,15 +5122,13 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_ l_len = SCTP_MIN_V4_OVERHEAD; #endif l_len += sizeof(struct sctp_chunkhdr); - l_len += plen; - l_len += sizeof(struct sctp_paramhdr); + l_len += sizeof(struct sctp_gen_error_cause); op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA); if (op_err) { SCTP_BUF_LEN(op_err) = 0; /* *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***