Commit Graph

22758 Commits

Author SHA1 Message Date
Kenneth D. Merry
31354813f3 Add an isp(4) tunable to default to ispfw(4) firmware.
ispfw(4) recently gained firmware for Qlogic 27XX and 28XX
FC controllers, and isp(4) now selects the newer of firmware in
flash or in ispfw(4) to load for those controllers.

This differs from the previous behavior (which remains for older
controllers), which was to always load the ispfw(4) firmware if it
is available.

This adds a loader tunable, hint.isp.N.fwload_force to default to
loading the ispfw(4) firmware, whether or not it is newer than the
firmware in flash.  This allows the user to always use the known
firmware version included with the kernel.

Note that there is an existing fwload_disable tunable that tells
the driver to always load the firmware from flash and ignore
ispfw(4).  If fwload_disable is set, fwload_force will be ignored.
So users with existing fwload_disable tunables will have the same
behavior.

If a user specifies both fwload_force and fwload_disable for the
same controller, the isp(4) driver prints a warning message,
and fwload_disable will be honored.

The user can see which firmware is active through the
dev.isp.N.fw_version* sysctl variables.

share/man/man4/isp.4:
	Document the new loader tunable.

sys/dev/isp/isp.c:
	In isp_load_risc_flash(), change the decision logic to
	also consider ISP_CFG_FWLOAD_ONLY.  Load the flash firmware
	and get the version, so the user knows what it is, but if
	the user set fwload_force, honor that.  If the user didn't
	set fwload_force, the behavior remains to select the newer
	firmware version.

sys/dev/isp/isp_pci.c:
	Add a new fwload_force tunable.  Print out a warning if the
	user sets both fwload_disable and fwload_force.

sys/dev/isp/ispvar.h:
	Add a new ISP_CFG_FWLOAD_FORCE configuration bit.

Reviewed by:	mav
MFC after:	1 week
Sponsored by:	Spectra Logic
Differential Revision:	<https://reviews.freebsd.org/D45688>
2024-06-24 16:47:55 -04:00
Mark Johnston
b75d14d600 procfs.4: Fix the description of credential info in the "status" file
The 11th and 12th columns are the effective and real UIDs, respectively.
The 13th column is a group list whose first member is the effective
GID.

Reviewed by:	arrowd
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D45700
2024-06-24 10:46:36 -04:00
Ryan Libby
fda32d5860 lock.9: describe lockmgr_{disowned,lock_flags,slock,unlock,xlock}
Describe and link the following functions in the lockmgr API:
 - lockmgr_disowned
 - lockmgr_lock_flags
 - lockmgr_slock
 - lockmgr_unlock
 - lockmgr_xlock

This is not a complete update of lock.9 but at least covers all the main
lock operations.

Reviewed by:	gbe, kib
Sponsored by:	Dell EMC Isilon
Differential Revision:	https://reviews.freebsd.org/D45689
2024-06-23 14:46:31 -07:00
Michael Tuexen
60117f9ee5 lo: update man page since SCTP checksum offloading is supported
The loopback interface supports SCTP checksum offloading in
addition to TCP and UDP.
Reviewed by:		gbe
MFC after:		1 week
Differential Revision:	https://reviews.freebsd.org/D45698
2024-06-23 13:34:50 +02:00
Andrew Turner
a2054786c2 uefi.8: Remove a reference to armv6
It is in the process of being removed from the tree.

Reviewed by:	manu, imp, emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D45640
2024-06-20 09:26:16 +00:00
Andrew Turner
e726eed75d share/mk: Remove pre-armv7 example architectures
These are already removed from the tree, or are in the process of being
removed.

Reviewed by:	manu, imp, emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D45638
2024-06-20 09:26:14 +00:00
Andrew Turner
8203cf1c53 md.4: Remove armv6 as it is being removed
Reviewed by:	manu, imp, emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D45637
2024-06-20 09:26:12 +00:00
Andrew Turner
eda7eff0d2 share/examples/etc/make.conf: Remove old arm archs
Remove the pre-armv7 architecture options from the example make.conf.
These have either been removed, or will soon be removed from the build.

Reviewed by:	manu, imp, emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D45636
2024-06-20 09:26:10 +00:00
Ed Maste
42fbb55d45 arch.7: armv6 will be removed prior to FreeBSD 15.0
Reviewed by:	andrew, imp
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45633
2024-06-19 13:40:08 -04:00
Doug Rabson
e97ad33a89 Add an implementation of the 9P filesystem
This is derived from swills@ fork of the Juniper virtfs with many
changes by me including bug fixes, style improvements, clearer layering
and more consistent logging. The filesystem is renamed to p9fs to better
reflect its function and to prevent possible future confusion with
virtio-fs.

Several updates and fixes from Juniper have been integrated into this
version by Val Packett and these contributions along with the original
Juniper authors are credited below.

To use this with bhyve, add 'virtio_p9fs_load=YES' to loader.conf. The
bhyve virtio-9p device allows access from the guest to files on the host
by mapping a 'sharename' to a host path. It is possible to use p9fs as a
root filesystem by adding this to /boot/loader.conf:

	vfs.root.mountfrom="p9fs:sharename"

for non-root filesystems add something like this to /etc/fstab:

	sharename /mnt p9fs rw 0 0

In both examples, substitute the share name used on the bhyve command
line.

The 9P filesystem protocol relies on stateful file opens which map
protocol-level FIDs to host file descriptors. The FreeBSD vnode
interface doesn't really support this and we use heuristics to guess the
right FID to use for file operations.  This can be confused by privilege
lowering and does not guarantee that the FID created for a given file
open is always used for file operations, even if the calling process is
using the file descriptor from the original open call. Improving this
would involve changes to the vnode interface which is out-of-scope for
this import.

Differential Revision: https://reviews.freebsd.org/D41844
Reviewed by: kib, emaste, dch
MFC after: 3 months
Co-authored-by: Val Packett <val@packett.cool>
Co-authored-by: Ka Ho Ng <kahon@juniper.net>
Co-authored-by: joyu <joyul@juniper.net>
Co-authored-by: Kumara Babu Narayanaswamy <bkumara@juniper.net>
2024-06-19 13:12:04 +01:00
Alan Somers
873881b7db targ: fix compiling the example
The targ example program doesn't compile with current clang, and
probably hasn't for multiple releases.  Fix the build.  I don't have the
right hardware to test it, though.

MFC after:	2 weeks
Sponsored by:	Axcient
2024-06-18 18:17:31 -06:00
Eugene Grosbein
af1b0aa5b9 rc.subr: improve description for ${name}_offcmd
Clarify that ${name}_offcmd is for method start.

MFC after:	3 days
2024-06-18 16:13:51 +07:00
Alexander Ziaee
f354ca7383 development.7: markup nits, tag spdx
Using quoted literals is a mistake in roff(7).
Please escape with `\&`, the zero-width-space.

Reviewed by:	emaste
MFC after:	3 days
2024-06-17 12:52:25 -04:00
Alexander Leidinger
a70ecfb117 rc.subr: add new sysv option for service jails
Clarify that the "sysvipc" svcj option inherits from the host / parent.
Add "sysvipcnew" which creates a new SysV namespace for the service
jail.
Sanity check that only one of them is used.
2024-06-14 20:15:45 +02:00
Jessica Clarke
703768a235 mx25l.4: Document the correct disk device path
This was true at time of commit, but the path was changed 2 weeks later
to just be the /dev/flash/spiN name, without updating the manpage.

Reported by:	David Gilbert <dgilbert@daveg.ca>
Fixes:		68dd779577 ("Give the mx25l device sole ownership of the name /dev/flash/spi* ...")
MFC after:	1 week
2024-06-11 17:43:18 +01:00
Benedict Reuschling
e5a54f19be accf_tls(9): Fix grammar in description (singular/plural)
2024-06-10 08:29:26 +00:00
Benedict Reuschling
e335a74b56 accf_http.9: Fix grammar in description (singular/plural)
2024-06-10 08:13:58 +00:00
Getz Mikalsen
6c5ee6e55a simd(7): add missing aarch64 SIMD functions
Some of the string functions in contrib/arm-optimized routines are SIMD
enhanced which is not reflected on the simd(7) manpage. This commit
addresses that and introduces a new label A for functions enhanced with
the Arm ASIMD (Neon) extension.

Approved by:	emaste
Reviewed by:	fuz (GSoC mentor)
MFC to:		stable/14
Sponsored by:   Google LLC (GSoC 2024)
Differential Revision:	https://reviews.freebsd.org/D45523
2024-06-09 18:09:44 +02:00
Christos Margiolis
bbca3a75bb sound: Include sound(4) channel information in sndstat nvlist
Extend SNDST_DSPS_PROVIDER_INFO for sound(4) to include information
about each channel in a given device, similar to how cat'ing
/dev/sndstat with hw.snd.verbose=2 works.

While here, document all provider_info fields.

Sponsored by:	The FreeBSD Foundation
MFC after:	3 days
Reviewed by:	dev_submerge.ch, markj
Differential Revision:	https://reviews.freebsd.org/D45501
2024-06-09 17:30:22 +02:00
Kristof Provost
ea6d6addc9 pf.conf.5: remove 'set limit tables'
We've never supported this (or at least not since 2012) limit. Remove it from
the man page.

Event:		Kitchener-Waterloo Hackathon 202406
2024-06-07 20:59:02 +02:00
Michael Tuexen
86c9325d34 tcp: simplify stack switching protocol
Before this patch, a stack (tfb) accepts a tcpcb (tp), if the
tp->t_state is TCPS_CLOSED or tfb->tfb_tcp_handoff_ok is not NULL
and tfb->tfb_tcp_handoff_ok(tp) returns 0.
After this patch, the only check is tfb->tfb_tcp_handoff_ok(tp)
returns 0. tfb->tfb_tcp_handoff_ok must always be provided.
For existing TCP stacks (FreeBSD, RACK and BBR) there is no
functional change. However, the logic is simpler.

Reviewed by:		lstewart, peter_lei_ieee_.org, rrs
MFC after:		1 week
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D45253
2024-06-06 08:29:05 +02:00
John Baldwin
aacaeeee8e nvmf: Permit failing I/O requests while disconnected
Add a kern.nvmf.fail_on_disconnection sysctl similar to the
kern.iscsi.fail_on_disconnection sysctl.  This causes pending I/O
requests to fail with an error if an association is disconnected
instead of requeueing to be retried once the association is
reconnected.  As with iSCSI, the default is to queue and retry
operations.

Reviewed by:	imp
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D45308
2024-06-05 12:59:07 -07:00
Mitchell Horne
afa166be99 build.7: update cross-compile example
Replace armv6 with the more-relevant arm64.

MFC after:	3 days
2024-06-04 15:27:50 -03:00
Alexander Ziaee
a8a2d5ef12 build.7: +freebsd to description, link development
Reviewed by:	mhorne
MFC after:	3 days
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1273
2024-06-04 15:27:50 -03:00
Alexander Ziaee
8327796cc8 build.7: nit section order, tag spdx
Reviewed by:	mhorne
MFC after:	3 days
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1273
2024-06-04 15:27:50 -03:00
Jessica Clarke
3cc91b7751 Revert "src.sys.obj.mk: Export OBJTOP"
Unfortunately this results in make universe's environment, i.e.
corresponding to the host, being used for every one of its sub-makes, so
they're in the wrong place and trample over each other.

This reverts commit 2b7c1402f9.
2024-06-03 00:33:52 +01:00
Eugene Grosbein
32a579e4fc rc.subr(8): introduce ${name}_offcmd
New variable ${name}_offcmd may be used to supply commands
executed if named service is not enabled. Previously start_precmd
could be used for such a task but now rc.subr(8) does not call it
if a service is not enabled.

Fix devd startup script to use it instead of start_precmd.

PR:		279198
MFC after:	2 weeks
Reported by:	Dmitry S. Lukhtionov
Tested by:	Dmitry S. Lukhtionov
2024-06-03 02:29:22 +07:00
Ed Maste
297bb39b6f mitigations.7: move SSP documentation from security.7 to here
Stack Smashing Protection (SSP) is a software vulnerability mitigation,
and fits with this page.  Add a note to the beginning of security.7
providing a more explicit cross reference to mitigations.7.

Reviewed by:	kevans
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45435
2024-06-01 11:09:30 -04:00
Ed Maste
166ec3e86a mitigations.7: uncomment reference to recently added section
A brief description of supervisor mode memory access protection was
added in 72ece341b4.  Uncomment the existing reference to this section
in the table of contents.

Fixes: 72ece341b4 ("mitigations.7: mention supervisor mode memory...")
Sponsored by:	The FreeBSD Foundation
2024-06-01 07:55:09 -04:00
Jessica Clarke
a5ae2d2ab4 mitigations.7: Document riscv's SM[AE]P equivalents
Its base privileged architecture provides these. Read/write is
toggleable via the SUM bit, so use that as its feature name. Execute is
always-on so has no name.
2024-05-31 20:54:59 +01:00
Ed Maste
72ece341b4 mitigations.7: mention supervisor mode memory access protections
Reviewed by:	imp (earlier), olce (earlier), kib
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45420
2024-05-31 15:35:56 -04:00
Alexander Ziaee
8ccdf86ee5 smbus manuals: include term SMBus in description
Fixes: 5ad3b09f2f (smb: distinguishable descriptions)
MFC after: 3 days
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/
2024-05-30 19:31:21 -06:00
Alexander Ziaee
dddf29712f smbfs manuals: describe consistently
MFC after: 3 days

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/
2024-05-30 19:29:17 -06:00
Franco Fichtner
11333dd580 rc: improve NAME_setup handling
Reload is used for service reconfiguration as well
and lacks a NAME_prepend-like mechanism so it makes
sense to extend the NAME_reload hook into this
action.

precmd may use configuration checks and block setup
from doing its designated work (e.g. nginx).  Moving
the invocation of the setup script in front allows us to
provide custom scripts for config file generation and
fixing prior to precmd checking configuration integrity.

Also introduce _run_rc_setup to separate the launcher
from the main one.  Let it run correctly in the case
of restart_precmd and block further execution as
would be the case in start due to the internal plumbing
of restart being split into calling stop and start
afterwards.

Differential-Revision: https://reviews.freebsd.org/D36259
Signed-off-by: Franco Fichtner <franco@opnsense.org>
Reviewed by: imp, oshogbo
Pull Request: https://github.com/freebsd/freebsd-src/pull/1258
2024-05-29 11:23:46 -06:00
Simon J. Gerraty
2b7c1402f9 src.sys.obj.mk: Export OBJTOP
If we had to set OBJTOP we want to .export it (if .MAKE.LEVEL > 0)
for the benefit of things like x!= ${.MAKE} -r ... and similar.

Without OBJTOP, the default MAKEOBJDIR setting will result in
attempting to use an objdir like /lib or /bin etc in some cases.

This patch is based on D30990
with the addition of the check for level > 0.

Reviewed by: jrtc27
Differential Revision:        <https://reviews.freebsd.org/D30990>
2024-05-28 11:51:31 -07:00
Michael Tuexen
02d15215ce tcp: improve blackhole support
There are two improvements to the TCP blackhole support:
(1) If net.inet.tcp.blackhole is set to 2, also send no RST whenever
    a segment is received on an existing closed socket or if there is
    a port mismatch when using UDP encapsulation.
(2) If net.inet.tcp.blackhole is set to 3, no RST segment is sent in
    response to incoming segments on closed sockets or in response to
    unexpected segments on listening sockets.
Thanks to gallatin@ for suggesting such an improvement.

Reviewed by:		gallatin
MFC after:		1 week
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D45304
2024-05-24 06:59:13 +02:00
Ed Maste
f52481f3b8 vt(4): add note about sc/UEFI incompatibility
syscons is not compatible with UEFI boot.  This is noted in syscons(4),
but not mentioned in vt(4) where the kern.vty tunable (used to select vt
or sc) is documented.  Add a note so that if someone reads vt(4) but not
sc(4) they are not surprised by having no usable console.

PR:		276206
Reviewed by:	brooks
Sponsored by:	The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45357
2024-05-24 19:55:10 -04:00
Ricardo Branco
9a9677ec1c linux: Update linux manpage to mention mqueuefs
Reviewed by: imp, kib
Pull Request: https://github.com/freebsd/freebsd-src/pull/1248
2024-05-23 13:40:47 -06:00
Tom Hukins
083d149224 etherswitch.4: List manual pages alphabetically
Signed-off-by: Tom Hukins <tom@FreeBSD.org>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1253
2024-05-23 10:35:29 -06:00
Tom Hukins
2c9f8518de etherswitch.4: Remove non-existent manual pages
Signed-off-by: Tom Hukins <tom@FreeBSD.org>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1253
2024-05-23 10:35:28 -06:00
Warner Losh
58e44aa011 Fix typo
ioclt -> ioctl. <blush>

Fixes:		08b4520338
Noticed by:	Thomas Mueller and John W. De Boskey
Pointy hat to:	imp
Sponsored by:	Netflix
2024-05-22 15:10:09 -06:00
Michael Tuexen
a45a9e61b4 blackhole.4: improve man page
Not the connection is dropped, but the incoming SYN segment.
Reviewed by:		concussious.bugzilla_runbox.com
MFC after:		3 days
Sponsored by:		Netflix, Inc.
Differential Revision:	https://reviews.freebsd.org/D45296
2024-05-22 20:36:24 +02:00
Andrew Turner
a3310b7943 src.conf.5: Regen
2024-05-22 17:02:26 +00:00
Andrew Turner
82854693ae arm64: Allow userspace to be built with PAC and BTI
Add the WITH/WITHOUT_BRANCH_PROTECTION build flags. This can be used
to enable the use of pointer authentication (FEAT_PAuth) and branch
target identification (FEAT_BTI) in userspace.

The kernel already handles both of these in userspace, we just need
to enable it.

Leave disabled for a short period for this to settle before enabling.

Reviewed by:	emaste
Sponsored by:	Arm Ltd
Differential Revision:	https://reviews.freebsd.org/D42596
2024-05-22 17:02:26 +00:00
Baptiste Daroussin
eaab8e4166 mac_do(4): fix typo
Reported by:	Gary Jennejohn <garyj@gmx.de>
2024-05-22 15:56:36 +02:00
Alexander Leidinger
2efbd480f1 rc: add service jails framework
This takes a rc.d-service and starts it in a jail which shares the same
root-path as the host (or parent jail) and may inherit the network from
the host (or parent jail). Per service there is the possibility to
specify some arguments which give more permissions (e.g. netv4, netv6,
sysvipc...).
Reviewed by:	bcr (man page)
Relnotes:	yes
Differential Revision:	https://reviews.freebsd.org/D40370
2024-05-22 15:41:48 +02:00
Baptiste Daroussin
8aac90f18a mac_do: add a new MAC/do policy and mdo(1) utility
This policy enables a user to become another user without having to be
root (hence no setuid binary). It is configured via rules using sysctl
security.mac.do.rules

For example:
security.mac.do.rules=uid=1001:80,gid=0:any

The above rule means the user identified by the uid 1001 is able to
become user 80.
Any user of the group 0 is allowed to become any user on the system.

The mdo(1) utility expects the MAC/do policy to be installed and its
rules defined.

Reviewed by:	des
Differential Revision:	https://reviews.freebsd.org/D45145
2024-05-22 14:01:41 +02:00
Elliott Mitchell
037946dc9b kern/rman: remove rman_reserve_resource_bound(), partially revert 13fb665772
Not once has rman_reserve_resource_bound() ever been used.  There are
though several uses of RF_ALIGNMENT.  In light of this remove this
extra and leave the actually used portion in place.

This partially reverts commit 13fb665772.

Reviewed by: imp,jhb
Pull Request: https://github.com/freebsd/freebsd-src/pull/1224
2024-05-21 17:52:24 -06:00
Alexander Ziaee
bd2d71b1c8 smb.4/smbfs.4: distinguishable descriptions, +SPDX
Reviewed by: imp,jhb
Pull Request: https://github.com/freebsd/freebsd-src/pull/1241
2024-05-21 17:41:04 -06:00
Alexander Ziaee
5ad3b09f2f unionfs.4: describe better, tag SPDX
Reviewed by: imp,jhb
Pull Request: https://github.com/freebsd/freebsd-src/pull/1242
2024-05-21 17:41:04 -06:00