1739de97 brooks Nov. 17, 2021, 8:12 p.m.
Allow strip_abi_prefix() to be called with nil and return nil in that
case.  This simplifies handling of RESERVED entries.

Reviewed by:	kevans
8a693ccf markj Nov. 17, 2021, 6:51 p.m.
Both modules provide many symbols used by various DTrace provider
modules, so just export everything.

MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
8406182d ygy Nov. 17, 2021, 5:52 p.m.
PR:		237725
MFC after:	3 days
2e946f87 allanjude Nov. 17, 2021, 3:07 p.m.
resolves: link_elf_obj: symbol abd_checksum_edonr_native undefined

The required module-build bits were originally identified in the
upstream pull request: https://github.com/openzfs/zfs/pull/12735
But were missed when the code was imported (since they are not
committed upstream).

X-MFC-With:	dae1713419a6, 09cd63416051
Submitted by:	freqlabs
Sponsored by:	Klara Inc.
97e28f0f rrs Nov. 17, 2021, 2:45 p.m.
Previously we added ack-war prevention for misbehaving firewalls. This is
where the f/w or nat messes up its sequence numbers and causes an ack-war.
There is yet another type of ack war that we have found in the wild that is
like unto this. Basically the f/w or nat gets a ack (keep-alive probe or such)
and instead of turning the ack/seq around and adding a TH_RST it does something
real stupid and sends a new packet with seq=0. This of course triggers the challenge
ack in the reset processing which then sends in a challenge ack (if the seq=0 is within
the range of possible sequence numbers allowed by the challenge) and then we rinse-repeat.

This will add the needed tweaks (similar to the last ack-war prevention using the same sysctls and counters)
to prevent it and allow say 5 per second by default.

Reviewed by: Michael Tuexen
Sponsored by: Netflix Inc.
Differential Revision: https://reviews.freebsd.org/D32938
09cd6341 se Nov. 17, 2021, 12:16 p.m.
Commit dae1713419a6 did not add two required lines for edonr specific
functionality to this file, causing kernel build failures if ZFS is
compiled in.

This commit should be included in an eventual MFC of dae1713419a6.
dae17134 mm Nov. 17, 2021, 8:39 a.m.
Notable upstream pull request merges:
  #12285 Introduce a tunable to exclude special class buffers from L2ARC
  #12689 Check l2cache vdevs pending list inside the vdev_inuse()
  #12735 Enable edonr in FreeBSD
  #12743 FreeBSD: fix world build after de198f2
  #12745 Restore dirty dnode detection logic

Obtained from:	OpenZFS
OpenZFS commit:	269b5dadcfd1d5732cf763dddcd46009a332eae4
b6cbbcae kp Nov. 17, 2021, 2:09 a.m.
Reported by:	markj
8e492101 kp Nov. 17, 2021, 2:09 a.m.
DIOCKEEPCOUNTERS used to overlap with DIOCGIFSPEEDV0, which has been
fixed in 14, but remains in stable/12 and stable/13.
Support the old, overlapping, call under COMPAT_FREEBSD13.

Reviewed by:	jhb
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33001
4e85b648 kp Nov. 17, 2021, 2:08 a.m.
Use it wherever COMPAT_FREEBSD11 is currently specified.

Reviewed by:	jhb (previous version)
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33005
23e1961e kp Nov. 17, 2021, 2:08 a.m.
Turn on compat option for older FreeBSD versions (i.e. 12). We do not
enable the compat options for 11 or older because riscv was never
supported in those versions.

Reviewed by:	jrtc27 (previous version)
MFC after:	1 week
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D33015
5509bad7 rmacklem Nov. 17, 2021, 12:02 a.m.
Since vfs.nfsd.srvmaxio can only be set when nfsd.ko
is loaded, but nfsd is not running, setting it in
/etc/sysctl.conf is not feasible when "options NFSD"
was not specified for the kernel.

This patch adds a new rc variable nfs_server_maxio,
which sets vfs.nfsd.srvmaxio at the correct time.

rc.conf.5 will be patched separately.

Reviewed by:	0mp
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D32997
d677d4be imp Nov. 16, 2021, 11:23 p.m.
There likely should be a macro for the ports that support lto, but I'm
making sure that all the mips things build before decommissioning it and
this is the only thing that's broken...

Sponsored by:		Netflix
bf410c6e mw Nov. 16, 2021, 10:16 p.m.
This reverts commit 020f4112559ebf7e94665c9a69f89d21929ce82a.

Because now ASLR is enabled by default for 64-bit architectures
and the purpose of the installation menu is to allow choosing
additional 'mitigation'/'hardening' options that are originally
disabled, remove the ASLR knob from bsdinstall.

Discussed with: emaste
Obtained from: Semihalf
Sponsored by: Stormshield
b014e0f1 mw Nov. 16, 2021, 10:16 p.m.
Address Space Layout Randomization (ASLR) is an exploit mitigation
technique implemented in the majority of modern operating systems.
It involves randomly positioning the base address of an executable
and the position of libraries, heap, and stack, in a process's address
space. Although over the years ASLR proved to not guarantee full OS
security on its own, this mechanism can make exploitation more difficult.

Tests on the tier 1 64-bit architectures demonstrated that the ASLR is
stable and does not result in noticeable performance degradation,
therefore it should be safe to enable this mechanism by default.
Moreover its effectiveness is increased for PIE (Position Independent
Executable) binaries. Thanks to commit 9a227a2fd642 ("Enable PIE by
default on 64-bit architectures"), building from src is not necessary
to have PIE binaries. It is enough to control usage of ASLR in the
OS solely by setting the appropriate sysctls.

This patch toggles the kernel settings to use address map randomization
for PIE & non-PIE 64-bit binaries. It also disables SBRK, in order
to allow utilization of the bss grow region for mappings. The latter
has no effect if ASLR is disabled, so apply it to all architectures.

As for the drawbacks, a consequence of using the ASLR is more
significant VM fragmentation, hence the issues may be encountered
in the systems with a limited address space in high memory consumption
cases, such as buildworld. As a result, although the tests on 32-bit
architectures with ASLR enabled were mostly on par with what was
observed on 64-bit ones, the defaults for the former are not changed
at this time. Also, for the sake of safety keep the feature disabled
for 32-bit executables on 64-bit machines, too.

The committed change affects the overall OS operation, so the
following should be taken into consideration:
* Address space fragmentation.
* A changed ABI due to modified layout of address space.
* More complicated debugging due to:
  * Non-reproducible address space layout between runs.
  * Some debuggers automatically disable ASLR for spawned processes,
    making target's environment different between debug and
    non-debug runs.

In order to confirm/rule-out the dependency of any encountered issue
on ASLR it is strongly advised to re-run the test with the feature
disabled - it can be done by setting the following sysctls
in the /etc/sysctl.conf file:

Co-developed by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: emaste, kib
Obtained from: Semihalf
Sponsored by: Stormshield
MFC after: 1 month
Differential revision: https://reviews.freebsd.org/D27666