bb8acd55 jhb Jan. 28, 2021, 6:24 p.m.
MFC after:	1 week
aa906e2a jhb Jan. 28, 2021, 6:24 p.m.
This merges upstream patches from OpenSSL's master branch to add
KTLS infrastructure for TLS 1.0-1.3 including both RX and TX
offload and SSL_sendfile support on both Linux and FreeBSD.

Note that TLS 1.3 only supports TX offload.

A new WITH/WITHOUT_OPENSSL_KTLS determines if OpenSSL is built with
KTLS support.  It defaults to enabled on amd64 and disabled on all
other architectures.

Reviewed by:	jkim (earlier version)
Approved by:	secteam
Obtained from:	OpenSSL (patches from master)
MFC after:	1 week
Relnotes:	yes
Sponsored by:	Netflix
Differential Revision:
f8c0d7e1 noreply Jan. 28, 2021, 5:28 p.m.
`__vdev_disk_physio()` uses `abd_nr_pages_off()` to allocate a bio with
a sufficient number of iovec's to process this zio (i.e.
`nr_iovecs`/`bi_max_vecs`).  If there are not enough iovec's in the bio,
then additional bio's will be allocated.  However, this is a sub-optimal
code path.  In particular, it requires several abd calls (to
`abd_nr_pages_off()` and `abd_bio_map_off()`) which will have to walk
the constituents of the ABD (the pages or the gang children) because
they are looking for offsets > 0.

For gang ABD's, `abd_nr_pages_off()` returns the number of iovec's
needed for the first constituent, rather than the sum of all
constituents (within the requested range).  This always under-estimates
the required number of iovec's, which causes us to always need several
bio's.  The end result is that `__vdev_disk_physio()` is usually O(n^2)
for gang ABD's (and occasionally O(n^3), when more than 16 bio's are

This commit fixes `abd_nr_pages_off()`'s handling of gang ABD's, to
correctly determine how many iovec's are needed, by adding up the number
of iovec's for each of the gang children in the requested range.

Reviewed-by: Mark Maybee <>
Reviewed-by: Brian Behlendorf <>
Reviewed-by: Brian Atkinson <>
Signed-off-by: Matthew Ahrens <>
Closes #11536
9a0a48b1 arichardson Jan. 28, 2021, 5:25 p.m.
The file already includes sys/param.h and should use that definition.
I found this while testing D28332.

Reviewed By:	bapt
Differential Revision:
869cc064 arichardson Jan. 28, 2021, 5:24 p.m.
This changes the behaviour to a 30s total timeout (needed when running
on slow emulated uniprocessor systems) and timing out after 10s without
any input. This also uses timespecsub() instead of ignoring the
nanoseconds field.

After this change the tests runs more reliably on QEMU and time out less

Reviewed By:	asomers
Differential Revision:
83ff5d5d arichardson Jan. 28, 2021, 5:24 p.m.
SVN r343917 fixed this for in-tree clang, but when building with a newer
out-of-tree clang the test was still marked as XFAIL.

Reviewed By:	dim
Differential Revision:
bcc5b244 arichardson Jan. 28, 2021, 5:24 p.m.
auditd creates a pidfile so we should use it for status checks.
This also seems to speed up the frequent onestatus checks used in

Reviewed By:	asomers
Differential Revision:
0ae184a6 noreply Jan. 28, 2021, 5:20 p.m.
If we do not write any buffers to the cache device and the evict hand
has not advanced do not update the cache device header.

Reviewed-by: Brian Behlendorf <>
Signed-off-by: George Amanakis <>
Closes #11522 
Closes #11537
416015ef noreply Jan. 28, 2021, 5:15 p.m.
Moving the call to zfs_refcount_remove_many() in abd_free() to be called
before any of the ABD free variants are called. This is necessary
because abd_free_gang() adjusts the abd_size for the gang ABD. If the
parent's child references are removed after free'ing the gang ABD the
refcount is not adjusted correctly for the parent's children.

I also removed some stray abd_put() in comments and changed
abd_free_gang_abd() -> abd_free_gang().

Reviewed-by: Mark Maybee <>
Reviewed-by: Matthew Ahrens <>
Reviewed-by: Brian Behlendorf <>
Signed-off-by: Brian Atkinson <>
Closes #11539
1a714ff2 rrs Jan. 28, 2021, 4:53 p.m.
tree that fix the ratelimit code. There were several bugs
in tcp_ratelimit itself and we needed further work to support
the multiple tag format coming for the joint TLS and Ratelimit dances.

    Sponsored by: Netflix Inc.
    Differential Revision:
a3330ae7 arichardson Jan. 28, 2021, 3:48 p.m.
cd579b6f kp Jan. 28, 2021, 3:46 p.m.
0c458752 kp Jan. 28, 2021, 3:46 p.m.
When using DUP-TO rule, frames are duplicated 3 times on both output
interfaces and duplication interface. Add a flag to not duplicate a
duplicated frame.

Inspired by a patch from MiƂosz Kaniewski milosz.kaniewski at

Reviewed by:		kp@
Differential Revision:
d386f3a3 bz Jan. 28, 2021, 4:37 p.m.
with DRM.  Be sure to update your drm-kmod port to after the update.
fa765ca7 bz Jan. 28, 2021, 4:32 p.m.
This code implements a version of the devres framework found
working for various iwlwifi use cases and also providing functions
for ttm_page_alloc_dma.c from DRM.

Part of the framework replicates the consumed KPI, while others
are internal helper functions.

In addition the simple devm_k*malloc() consumers were implemented
and kvasprintf() was enhanced to also work for the devm_kasprintf()
Addmittingly lkpi_devm_kmalloc_release() could be avoided but for
the overall understanding of the code and possible memory tracing
it may still be helpful.

Further devsres consumer are implemented for iwlwifi but will follow
later as the main reason for this change is to sort out overlap with

Sponsored-by:	The FreeBSD Foundation
Obtained-from:	bz_iwlwifi
MFC After:	3 days
Reviewed-by:	hselasky, manu
Differential Revision: