macOS, like Linux, does not include an outer const qualifier for its
fts_open callback arguments, so -Wincompatible-function-pointer-types
also picks this up and breaks the build now Clang 16 makes it an error
by default. Extend the existing Linux support to fix this.
MFC after: 1 week
(cherry picked from commit ce312ef72d)
The glibc fts_open() callback type does not have the second const
qualifier and it appears that Clang 16 errors by default for mismatched
function pointer types. Add an ifdef to handle this case.
Reviewed By: imp, emaste
Differential Revision: https://reviews.freebsd.org/D43000
(cherry picked from commit 60e845ceef)
It appears that Clang 16 errors by default for the mismatched function
pointer types that are triggered by the fts callback (since glibc has a
callback type without the second const qualifier).
Fortunately, there is already code to handle glibc inside mandoc, we
just have to edit the checked-in config.h.
Reviewed By: imp, emaste
Differential Revision: https://reviews.freebsd.org/D42999
(cherry picked from commit 0156465c6d)
A crash occurred during testing, where the client structures had
already been free'd when the upcall thread tried to lock them.
This patch acquires a reference count on both of the structures
and these are released when the upcall is done, so that the
structures cannot be free'd prematurely. This happened because
the testing is done over a very slow vpn.
Found during a IETF bakeathon testing event this week.
(cherry picked from commit 4ba444de70)
There is only one place in the unpatched sources where B_DIRECT is
set in the NFS client and this code is never executed. As such, this patch
removes this code that is never executed, since B_DIRECT should never
be set.
During a IETF testing event this week, I saw a crash in ncl_doio_directwrite(),
but this function is only called if B_DIRECT is set.
I cannot explain how ncl_doio_directwrite() got called, but once this patch
was applied to the sources, the crash did not recur. This is not surprising,
since this patch deleted the function.
(cherry picked from commit 03a39a1708)
When an initial attempt to close an NFSv4 lock returns NFSERR_DELAY,
the open structure is put on a list for delayed closing. When this
is done, the nfso_own field is set to NULL, so it cannot be used by
nfsrpc_doclose().
Without this patch, the NFSv4 client can crash when a NFSv4 server
replies NFSERR_DELAY to a Close operation. Fortunately, most extant
NFSv4 servers do not do this. This patch avoids the crash for any
that do return NFSERR_DELAY for Close.
Found during a IETF bakeathon testing event this week.
(cherry picked from commit 6251027c42)
ng_btsocket_hci_raw_send() wasn't verifying that the destination address
specified by sendto() is large enough to fill a struct sockaddr_hci.
Thus, when copying the socket address into an mbuf,
ng_btsocket_hci_raw_send() may read past the end of the input sockaddr
while copying.
In practice this is effectively harmless since
ng_btsocket_hci_raw_output() only uses the address to identify a
netgraph node.
Reported by: Oliver Sieber <oliver@secfault-security.com>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 7f7b4926a7)
Add a new kdc_restart rc variable that manages kdc (or krb5kdc) under
daemon(8). This automatically restarts the kdc should it fail, i.e.
when it's configured to use LDAP as a backend and cannot connect to its
LDAP directory.
Set kdc_restart="YES" to auto restart kdc on abnormal termination.
Set kdc_restart_delay="N" to the number of seconds to delay before
restarting the kdc. The daemon(8) default seconds applies when not set.
Reported by: Lexi Winter <lexi.freebsd@le-fay.org>
PR: 278395
Differential Revision: https://reviews.freebsd.org/D44898
(cherry picked from commit 9e248b7f64)
Most importantly:
* Make local variables local.
* Use `$()` instead of backticks.
* Avoid unsafe use of `-a` and `-o` operators in `test` expressions.
* Remove a hack intended to ease the transition from Perl 22 years ago.
MFC after: 1 week
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D44863
(cherry picked from commit 170d088290)
adduser: A few more improvements.
MFC after: 1 week
Reviewed by: jrm
Differential Revision: https://reviews.freebsd.org/D44871
(cherry picked from commit b37333899b)
adduser: Fix a syntax error
Reported by: Jose Luis Duran <jlduran@gmail.com>
Fixes: b37333899b
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44871
(cherry picked from commit 5cafc38f11)
adduser: Really fix a syntax error
Fixes: 5cafc38f11
Differential Revision: https://reviews.freebsd.org/D44871
(cherry picked from commit 9e8618276f)
On systems utilizing ZFS, default to creating a ZFS dataset for a new
user's home directory if the parent directory resides on a ZFS dataset.
Add a flag that disables this behavior if the administrator explicitly
does not want it.
If run during installation from within a chroot, set mountpoint to legacy
after dataset creation and mount directly into the chroot. Then umount
and reset the mountpoint to inherit from parent.
Also support ZFS default encryption on user's home directory.
Feedback by: delphij
Reviewed by: imp, kevans
Pull Request: https://github.com/freebsd/freebsd-src/pull/881
(cherry picked from commit 215c0a5158)
An initial reading of the preamble of sys_procctl() gives the impression
that no test prevents a malicious user from passing a negative commands
index (in 'uap->com'), which is soon used as an index into the static
array procctl_cmds_info[].
However, a closer examination leads to the conclusion that the existing
code is technically correct. Indeed, the comparison of 'uap->com' to
the nitems() expression, which expands to a ratio of sizeof(), leads to
a conversion of 'uap->com' to an 'unsigned int' as per Usual Arithmetic
Conversions/Integer Promotions applied by '<=', because sizeof() returns
'size_t' values, and we define 'size_t' as an equivalent of 'unsigned
int' (which is not mandated by the standard, the latter allowing, e.g.,
integers of lower ranks).
With this conversion, negative values of 'uap->com' are automatically
ruled-out since they are converted to very big unsigned integers which
are caught by the test. An analysis of assembly code produced by LLVM
16 on amd64 and practical tests confirm that no exploitation is possible.
However, the guard code as written is misleading to readers and might
trip up static analysis tools. Make sure that negative values are
explicitly excluded so that it is immediately clear that EINVAL will be
returned in this case.
Build tested with clang 16 and GCC 12.
Approved by: markj (mentor)
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
(cherry picked from commit afc10f8bba)
Approved by: emaste (mentor)
Add a -w flag to forward terminal resize events on to the child, which
can be useful in some circumstances to avoid terminal corruption.
Reviewed by: des
Co-authored-by: Xavier Beaudouin <xavier.beaudouin@klarasystems.com>
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
(cherry picked from commit 8ceac8e13d)
Fix some nits pointed out by checkstyle9.pl in advance of functional
changes to script(1).
Reviewed by: des
Sponsored by: Modirum MDPay
Sponsored by: Klara, Inc.
(cherry picked from commit 4459abe334)
The Seagate IronWolf 110 SATA SSD drive has been reported to be unstable
with NCQ trim enabled.
PR: 264139
Sponsored by: Netflix
(cherry picked from commit a6cef61766)
People still believe that it is essential to run sync(8) a couple of
times before a reboot/halt. Document that this has not been necessary
for a long time now.
Reviewed by: imp, bcr, Pau Amma <pauamma@gundo.com>
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D33233
(cherry picked from commit 177ba18307)
[sanitizer_symbolizer] Cast arguments for format strings in markup (#89815)
When compiling the common sanitizer libraries, there are many warnings
about format specifiers, similar to:
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:31:32: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
31 | buffer->AppendF(kFormatData, DI->start);
| ~~~~~~~~~~~ ^~~~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:33:46: note: format string is defined here
33 | constexpr const char *kFormatData = "{{{data:%p}}}";
| ^~
| %lu
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup.cpp:46:43: warning: format specifies type 'void *' but the argument has type 'uptr' (aka 'unsigned long') [-Wformat]
46 | buffer->AppendF(kFormatFrame, frame_no, address);
| ~~~~~~~~~~~~ ^~~~~~~
compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_markup_constants.h:36:48: note: format string is defined here
36 | constexpr const char *kFormatFrame = "{{{bt:%u:%p}}}";
| ^~
| %lu
...
This is because `uptr` is dependent on the platform, and can be either
`unsigned long long`, `unsigned long`, or `unsigned int`.
To fix the warnings, cast the arguments to the expected type of the
format strings.
PR: 276104
Reported by: pstef
MFC after: 3 days
(cherry picked from commit f08bf5a3ac)
This reverts commit f300335d9a.
It turns out that the old code was correct and it was wireshark
that was broken and indicated that the RPC's XDR was bogus.
Found during IETF bakeathon testing this week.
(cherry picked from commit 54c3aa02e9)
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude
Differential Revision: https://reviews.freebsd.org/D44805
(cherry picked from commit 64d6925d19)
cp: Additional sanity check.
Once we've successfully opened the file we've been asked to copy, check
that it's of the same type as FTS told us it was.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: allanjude, markj
Differential Revision: https://reviews.freebsd.org/D44806
(cherry picked from commit 9075d4cfad)
cp: Use warnc().
MFC after: 1 week
Sponsored by: Klara, Inc.
(cherry picked from commit f070188c3a)
Previously, we would only use a temporary file if explicitly asked to
with the `-S` option, and even then, only if the target file already
existed. This meant that an outside observer looking for the target
file might see a partial file, and might see the file disappear and
then reappear.
With this patch, we always use a temporary file, ensuring atomicity.
The downside is slightly increased disk usage. The upside is never
having to worry about, for instance, cron jobs randomly failing if
they happen to run simultaneously with `make installworld`.
The `-S` option is retained, partly for compatibility, and partly
to control the use of `fsync(2)`, which has a non-negligible cost
(approximately 10% increase in wall time for `make installworld`).
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: 0mp, brooks, imp, markj
Differential Revision: https://reviews.freebsd.org/D44742
(cherry picked from commit e5035d0857)
install: Simplify path construction.
There's no need to copy the path twice to split it into base and dir.
We simply call `basename()` first, then handle the two trivial cases in
which it isn't safe to call `dirname()`.
While here, add an early check that the destination is not an empty
string. This would always fail eventually, so it may as well fail
right away. Also add a test case for this shortcut.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44743
(cherry picked from commit 17dc7017d7)
install: Remove the mmap(2) option.
We already removed it from cp(1) over a year ago but never followed up
here. Do so now, for the same reasons: significant complexity for
little to no benefit.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44809
(cherry picked from commit a0439a1b82)
install: Assorted nitpickery.
* Use `errc()` instead of manually setting `errno` before calling `err()`.
* Change one warning into a fatal error.
* Drop some unnecessary casts.
* `strlcat()` bounds checks were off-by-one. This does not matter in
practice because the subsequent code renders an overrun harmless.
* We were passing `SSIZE_MAX` to `copy_file_range()` instead of the
requested size. This only matters if we're asked to install a file
which is still being written to while we are copying it.
MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D44810
(cherry picked from commit 000a533e6d)
The MNT_IGNORE flag can be used to mark certain filesystem mounts so
that utilities such as df(1) and mount(8) can filter out those mounts by
default. This can be used, for instance, to reduce the noise from
running container workloads inside jails which often have at least three
and sometimes as many as ten mounts per container.
The flag is supplied by the nmount(2) system call and is recorded so
that it can be reported by statfs(2). Unfortunately several filesystems
override the default behaviour and mask out the flag, defeating its
purpose. This change preserves the MNT_IGNORE flag for those filesystems
so that it can be reported correctly.
MFC after: 1 week
(cherry picked from commit b5c4616582)
This is used by 802.3 Ethernet. (Also be used by 802.4 Token Bus and
802.5 Token Ring, but we don't support those.)
This was accidentally removed along with FDDI support in commit
0437c8e3b1, presumably because comments implied it was used only by
FDDI or Token Ring.
Fixes: 0437c8e3b1 ("Remove support for FDDI networks.")
Reviewed-by: emaste
Signed-off-by: Denny Page <dennypage@me.com>
Pull-request: https://github.com/freebsd/freebsd-src/pull/1166
(cherry picked from commit fcdf9a1989)
(cherry picked from commit d776dd5fbd)
This is a smaller version of upstream
1fafd968b48e5cea6c85f126d77071a8de707a55 to address the
issue that less not being able to operate on files
residing in pseudo-filesystems that advertize a zero
size value.
PR: bin/276133
(cherry picked from commit cae336280b)
In ahc_init(), qoutfifo is already assigned to effectively the same
value a couple lines up, except in the first assignment it uses the
proper definition; keep the more descriptive assignment.
ahc_targetcmd_offset() gets the offset wrong entirely; as per the
area of ahc_init() this diff also touches, targetcmds is laid out first
in the shared map and it's followed by the qoutfifo. As a result, we'd
generally be getting negative offsets here. We can't actually do a
partial sync anyways, so there was no consequence to getting this wrong.
Reviewed by: imp, mav
(cherry picked from commit b5e0cc2fa4)
One of the comments in ahc_execute_scb() notes that the CAM direction is
actually w.r.t. the initiator. As a consequence, all of our sync ops
end up being wrong because the direction is flipped from that of the
transfer. Fix it to do proper invalidation and avoid spewing random
garbage out on the SCSI bus.
Reported and tested by: HP van Braam <hp@tmm.cx>
Reviewed by: imp, mav
(cherry picked from commit 9dcf39575e)
Import upstream 6747e1628:
asn1: Use unsigned bitfields for named bitsets
Signed 1-bit bitfields are undefined in C.
This should fix the following warnings, which for unknown reasons are
errors in CI:
/usr/src/crypto/heimdal/lib/hx509/ca.c:1020:22: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1020 | ku.digitalSignature = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1021:21: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1021 | ku.keyEncipherment = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1028:17: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1028 | ku.keyCertSign = 1;
| ^ ~
/usr/src/crypto/heimdal/lib/hx509/ca.c:1029:13: warning: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Wsingle-bit-bitfield-constant-conversion]
1029 | ku.cRLSign = 1;
| ^ ~
PR: 276960
Fixes: 1b74875929
MFC after: 1 week
(cherry picked from commit 219b6e4423)
Import upstream 19d378f44:
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.
Template backend support included. check-template is now built with
--template, so we know we're testing it.
Tests included.
Also adjusts the generated files:
* asn1parse.c, asn1parse.h (not strictly necessary, but nice to have)
* der-protos.h, which needs a bunch of new prototypes. I copied these
from a der-protos.h generated by the upstream build system, which
uses a perl script for this.
* adjust printf format strings for int64_t. Upstream uses %lld for this,
but that is not portable, and leads to lots of -Werror warnings.
This should fix target-dependent differences between headers generated
by asn1_compile. For example, when cross compiling world from amd64 to
i386, the generated cms_asn1.h header has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..-1),
iv OCTET STRING,
}
while a native build on i386 has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..2147483647),
iv OCTET STRING,
}
These are _both_ wrong, since the source file, cms.asn1, has:
CMSRC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (0..4294967295),
iv OCTET STRING -- exactly 8 octets
}
PR: 276960
Reviewed by: cy, emaste
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D44814
Differential Revision: https://reviews.freebsd.org/D44815
(cherry picked from commit 1b74875929)
Clang/LLVM 17 is currently the in-tree default compiler, so use it as
the default Cirrus-CI toolchain. Clang/LLVM 18 is coming soon and needs
to be added here, but I ran into trouble with llvm18-lite package
availability so will look at that later.
Reviewed by: dim (earlier), Jose Luis Duran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44162
(cherry picked from commit 51c6bf0478)
(cherry picked from commit adc61137fd)
On laptops with builtin batteries, disconnecting the battery may show up
as a battery without any capacity information. (The theory is that one
is disconnecting the cells but the electronics identifying the battery
are still connected.) As a result, the loop over all batteries in
acpi_battery_get_battinfo results in total_lfcap == 0.
So, just check that total_lfcap is non-zero to avoid a division by zero
(triggerable by sysctl hw.acpi.battery).
Reported by: Stefano Marinelli
Tested by: Stefano Marinelli
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D44818
(cherry picked from commit 2e850b832f)
(cherry picked from commit 788987e034)
- Point --rootdir at the installed destdir in the dvd tree. This
causes pkg to determine the ABI from the installed destdir instead
of the host's binaries. Previously the result was that packages
for the host's ABI were always downloaded breaking cross-releases
(e.g. arm64 releases built on an amd64 host included amd64
packages on the DVD ISO image rather than arm64 packages). This
also handles version mismatches, and I tested this by cross-building
a 15.x arm64 release on a 14.x amd64 host.
- As a result, pkg now does a chdir(3) to the rootdir before running,
so the -o argument to fetch needs to be updated to be relative to
rootdir instead of the CWD as make runs.
- Add a new ROOTDIR variable to limit references to "dvd" to one
place. Ideally ROOTDIR would be an argument to this script so
that it didn't really know about the dvd layout at all.
- While here, simplify creation of symlinks by just using a longer
path to the link name instead of using 'cd' in the shell before
invoking ln(1). Also use ln -sf to create the pkg.pkg symlink
rather than rm + ln.
PR: 278273
Reported by: gatekeeper <tiago.gasiba@gmail.com>
Reviewed by: imp, delphij
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D44749
(cherry picked from commit ea2663040d)
