02af91c5 arichardson Feb. 17, 2021, 9:54 a.m.
Clang 12 no longer allows re-defining a weak symbol as non-weak. This
happed here because we compile err.c with _err defined to err. To fix
this, use the same approach as the libc namespace.h
cgit
8a439f32 kp Feb. 17, 2021, 8:15 a.m.
These functions always return 0, which is good, because the code calling
them doesn't handle this error gracefully.

As the functions always succeed remove their return value, and the code
handling their errors (because it was never executed anyway).

MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC (“Netgate”’)
cgit
6b7e592c jkim Feb. 17, 2021, 7:22 a.m.
Importing flex 2.6.4 has introduced a regression: input() now returns 0
instead of EOF to indicate that the end of input was reached, just like
traditional AT&T and POSIX lex.  Note the behavior contradicts flex(1).
See "INCOMPATIBILITIES WITH LEX AND POSIX" section for information.
This incompatibility traces back to the original version and documented
in its manual page by the Vern Paxson.

Apparently, it has been reported in a few places, e.g.,

https://github.com/westes/flex/issues/448
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911415

Unfortunately, this also breaks the scanner used by libdtrace and
dtrace is unable to resolve some probe argument types as a result.  See
PR253440 for more information.

Note the regression was introduced by the following upstream commit
without any explanation or documentation change:

https://github.com/westes/flex/commit/f863c9490e6912ffcaeb12965fb3a567a10745ff

Now we restore the traditional flex behavior unless lex-compatibility
mode is set with "-l" option because I believe the author originally
wanted to make it more lex and POSIX compatible.

PR:		253440
Reported by:	markj
cgit
3396647c jkim Feb. 17, 2021, 5:35 a.m.
b8408160 jkim Feb. 17, 2021, 3:53 a.m.
This directory was deprecated since OpenSSL 1.1.1e.

https://github.com/openssl/openssl/pull/9681
cgit
294e62be mav Feb. 17, 2021, 2:15 a.m.
When refill_fl() fails to allocate large (9/16KB) mbuf cluster, it
falls back to safe (4KB) ones.  But it still saved into sd->zidx
the original fl->zidx instead of fl->safe_zidx.  It caused problems
with the later use of that cluster, including memory and/or data
corruption.

While there, make refill_fl() to use the safe zone for all following
clusters for the call, since it is unlikely that large succeed.

MFC after:	3 days
Sponsored by:	iXsystems, Inc.
Reviewed by:	np, jhb
Differential Revision:	https://reviews.freebsd.org/D28716
cgit
aa5fef60 markj Feb. 16, 2021, 10:07 p.m.
This was missed in commit 0fc8a796722 ("linux: Unmap the VDSO page when
unloading").

Reported by:	Mark Millard
MFC with:	0fc8a796722
cgit
e25db73f jkim Feb. 16, 2021, 10:05 p.m.
88e852c0 jkim Feb. 16, 2021, 10 p.m.
Merge commit '4f55bd5321b72491d4eff396e4928e9ab0706735'
cgit
a4513bac melifaro Feb. 16, 2021, 9:49 p.m.
Reported by:	mjg
cgit
2fe5a794 melifaro Feb. 16, 2021, 8:30 p.m.
Traditionally routing socket code did almost zero checks on
 the input message except for the most basic size checks.

This resulted in the unclear KPI boundary for the routing system code
 (`rtrequest*` and now `rib_action()`) w.r.t message validness.

Multiple potential problems and nuances exists:
* Host bits in RTAX_DST sockaddr. Existing applications do send prefixes
 with hostbits uncleared. Even `route(8)` does this, as they hope the kernel
 would do the job of fixing it. Code inside `rib_action()` needs to handle
 it on its own (see `rt_maskedcopy()` ugly hack).
* There are multiple way of adding the host route: it can be DST without
 netmask or DST with /32(/128) netmask. Also, RTF_HOST has to be set correspondingly.
 Currently, these 2 options create 2 DIFFERENT routes in the kernel.
* no sockaddr length/content checking for the "secondary" fields exists: nothing
 stops rtsock application to send sockaddr_in with length of 25 (instead of 16).
 Kernel will accept it, install to RIB as is and propagate to all rtsock consumers,
 potentially triggering bugs in their code. Same goes for sin_port, sin_zero, etc.

The goal of this change is to make rtsock verify all sockaddr and prefix consistency.
Said differently, `rib_action()` or internals should NOT require to change any of the
 sockaddrs supplied by `rt_addrinfo` structure due to incorrectness.

To be more specific, this change implements the following:
* sockaddr cleanup/validation check is added immediately after getting sockaddrs from rtm.
* Per-family dst/netmask checks clears host bits in dst and zeros all dst/netmask "secondary" fields.
* The same netmask checking code converts /32(/128) netmasks to "host" route case
 (NULL netmask, RTF_HOST), removing the dualism.
* Instead of allowing ANY "known" sockaddr families (0<..<AF_MAX), allow only actually
 supported ones (inet, inet6, link).
* Automatically convert `sockaddr_sdl` (AF_LINK) gateways to
  `sockaddr_sdl_short`.

Reported by:	Guy Yur <guyyur at gmail.com>
Reviewed By:	donner
Differential Revision: https://reviews.freebsd.org/D28668
MFC after:	3 days
cgit
600eade2 melifaro Feb. 16, 2021, 8:14 p.m.
More and more code migrates from lock-based protection to the NET_EPOCH
 umbrella. It requires some logic changes, including, notably, refcount
 handling.

When we have an `ifa` pointer and we're running inside epoch we're
 guaranteed that this pointer will not be freed.
However, the following case can still happen:
 * in thread 1 we drop to 0 refcount for ifa and schedule its deletion.
 * in thread 2 we use this ifa and reference it
 * destroy callout kicks in
 * unhappy user reports bug

To address it, new `ifa_try_ref()` function is added, allowing to return
 failure when we try to reference `ifa` with 0 refcount.
Additionally, existing `ifa_ref()` is enforced with `KASSERT` to provide
 cleaner error in such scenarious.

Reviewed By: rstone, donner
Differential Revision: https://reviews.freebsd.org/D28639
MFC after:	1 week
cgit
9fdbf7ee melifaro Feb. 16, 2021, 8 p.m.
It fixes loopback route installation for the interfaces
 in the different fibs using the same prefix.

Reviewed By:	donner
PR:		189088
Differential Revision: https://reviews.freebsd.org/D28673
MFC after:	1 week
cgit
cc7b7306 jamie Feb. 16, 2021, 7:19 p.m.
jail_remove(2) includes a loop that sends SIGKILL to all processes
in a jail, but skips processes in PRS_NEW state.  Thus it is possible
the a process in mid-fork(2) during jail removal can survive the jail
being removed.

Add a prison flag PR_REMOVE, which is checked before the new process
returns.  If the jail is being removed, the process will then exit.
Also check this flag in jail_attach(2) which has a similar issue.

Reported by:    trasz
Approved by:    kib
MFC after:      3 days
cgit
922cf8ac allanjude Feb. 16, 2021, 7:02 p.m.
iflib_init_locked() assumes that iflib_stop() has been called, however,
it is not called for media changes.
iflib_if_init_locked() calls stop then init, so fixes the problem.

PR:	253473
MFC after:	3 days
Reviewed by:	markj
Sponsored by:	Juniper Networks, Inc., Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D28667
cgit