svn commit: r339240 - in projects/openssl111: . crypto/openssh lib/libc/amd64/string sbin/init stand/defaults stand/lua sys/amd64/conf sys/arm64/conf sys/cddl/contrib/opensolaris/uts/common/fs/zfs ...
Glen Barber
gjb at FreeBSD.org
Mon Oct 8 18:06:46 UTC 2018
Author: gjb
Date: Mon Oct 8 18:06:40 2018
New Revision: 339240
URL: https://svnweb.freebsd.org/changeset/base/339240
Log:
MFH r339206-r339212, r339215-r339239
Sponsored by: The FreeBSD Foundation
Modified:
projects/openssl111/UPDATING
projects/openssl111/crypto/openssh/auth2.c
projects/openssl111/crypto/openssh/monitor.c
projects/openssl111/crypto/openssh/monitor.h
projects/openssl111/crypto/openssh/monitor_wrap.c
projects/openssl111/crypto/openssh/monitor_wrap.h
projects/openssl111/crypto/openssh/sandbox-capsicum.c
projects/openssl111/crypto/openssh/sshbuf-getput-basic.c
projects/openssl111/crypto/openssh/sshbuf.h
projects/openssl111/crypto/openssh/sshd.c
projects/openssl111/lib/libc/amd64/string/memset.S
projects/openssl111/sbin/init/rc.conf
projects/openssl111/stand/defaults/loader.conf
projects/openssl111/stand/defaults/loader.conf.5
projects/openssl111/stand/lua/config.lua
projects/openssl111/stand/lua/core.lua
projects/openssl111/sys/amd64/conf/GENERIC
projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM
projects/openssl111/sys/arm64/conf/GENERIC
projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c
projects/openssl111/sys/dev/e1000/if_em.c
projects/openssl111/sys/dev/e1000/igb_txrx.c
projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c
projects/openssl111/sys/i386/conf/GENERIC
projects/openssl111/sys/kern/kern_jail.c
projects/openssl111/sys/netinet/ip_output.c
projects/openssl111/sys/netinet/sctp_output.c
projects/openssl111/sys/powerpc/conf/GENERIC
projects/openssl111/sys/powerpc/conf/GENERIC64
projects/openssl111/sys/powerpc/powernv/opal_pci.c
projects/openssl111/sys/powerpc/pseries/xics.c
projects/openssl111/usr.bin/truss/syscalls.c
Directory Properties:
projects/openssl111/ (props changed)
projects/openssl111/crypto/openssh/ (props changed)
projects/openssl111/sys/cddl/contrib/opensolaris/ (props changed)
Modified: projects/openssl111/UPDATING
==============================================================================
--- projects/openssl111/UPDATING Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/UPDATING Mon Oct 8 18:06:40 2018 (r339240)
@@ -31,6 +31,13 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW:
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20181006:
+ The legacy DRM modules and drivers have now been added to the loader's
+ module blacklist, in favor of loading them with kld_list in rc.conf(5).
+ The module blacklist may be overridden with the loader.conf(5)
+ 'module_blacklist' variable, but loading them via rc.conf(5) is strongly
+ encouraged.
+
20181002:
The cam(4) based nda(4) driver will be used over nvd(4) by default on
powerpc64. You may set 'options NVME_USE_NVD=1' in your kernel conf or
Modified: projects/openssl111/crypto/openssh/auth2.c
==============================================================================
--- projects/openssl111/crypto/openssh/auth2.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/auth2.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -316,7 +316,7 @@ input_userauth_request(int type, u_int32_t seq, struct
#ifdef HAVE_LOGIN_CAP
if (authctxt->pw != NULL &&
- (lc = login_getpwclass(authctxt->pw)) != NULL) {
+ (lc = PRIVSEP(login_getpwclass(authctxt->pw))) != NULL) {
logit("user %s login class %s", authctxt->pw->pw_name,
authctxt->pw->pw_class);
from_host = auth_get_canonical_hostname(ssh, options.use_dns);
@@ -331,7 +331,7 @@ input_userauth_request(int type, u_int32_t seq, struct
authctxt->pw->pw_name, from_host);
packet_disconnect("Logins not available right now.");
}
- login_close(lc);
+ PRIVSEP(login_close(lc));
}
#endif /* HAVE_LOGIN_CAP */
Modified: projects/openssl111/crypto/openssh/monitor.c
==============================================================================
--- projects/openssl111/crypto/openssh/monitor.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/monitor.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -114,6 +114,7 @@ static struct sshbuf *child_state;
int mm_answer_moduli(int, struct sshbuf *);
int mm_answer_sign(int, struct sshbuf *);
+int mm_answer_login_getpwclass(int, struct sshbuf *);
int mm_answer_pwnamallow(int, struct sshbuf *);
int mm_answer_auth2_read_banner(int, struct sshbuf *);
int mm_answer_authserv(int, struct sshbuf *);
@@ -189,6 +190,7 @@ struct mon_table mon_dispatch_proto20[] = {
{MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
#endif
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
+ {MONITOR_REQ_GETPWCLASS, MON_AUTH, mm_answer_login_getpwclass},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
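Review bot: The new `MONITOR_REQ_GETPWCLASS` entry is registered with `MON_AUTH`, but mm_answer_login_getpwclass is a plain lookup that always returns 0. The flag definitions and the pre-authentication loop are outside this hunk; if `MON_AUTH` includes the "decides authentication" bit as it does in upstream OpenSSH, every login-class lookup may be logged and counted as a failed authentication attempt. Please confirm this, and if it holds use the narrower flag that only requires an established auth context (`MON_ISAUTH` upstream). The dispatch table starts and ends outside the hunk.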
@@ -707,6 +709,46 @@ mm_answer_sign(int sock, struct sshbuf *m)
return (0);
}
+int
+mm_answer_login_getpwclass(int sock, struct sshbuf *m)
+{
+ login_cap_t *lc;
+ struct passwd *pw;
+ int r;
+ u_int len;
+
+ debug3("%s", __func__);
+
+ pw = sshbuf_get_passwd(m);
+ if (pw == NULL)
+ fatal("%s: receive get struct passwd failed", __func__);
+
+ lc = login_getpwclass(pw);
+
+ sshbuf_reset(m);
+
+ if (lc == NULL) {
+ if (r = sshbuf_put_u8(m, 0) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ goto out;
+ }
+
+ if ((r = sshbuf_put_u8(m, 1)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_class)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_cap)) != 0 ||
+ (r = sshbuf_put_cstring(m, lc->lc_style)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ login_close(lc);
+ out:
+ debug3("%s: sending MONITOR_ANS_GETPWCLASS", __func__);
+ mm_request_send(sock, MONITOR_ANS_GETPWCLASS, m);
+
+ sshbuf_free_passwd(pw);
+
+ return (0);
+}
+
/* Retrieves the password entry and also checks if the user is permitted */
int
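Review bot: mm_answer_login_getpwclass runs in the privileged monitor but resolves the login class from a struct passwd deserialized out of the unprivileged child's message (`pw = sshbuf_get_passwd(m)`), so the class name crosses the privilege boundary unchecked. The monitor already holds its own entry (`authctxt->pw = pwent` in the mm_answer_pwnamallow hunk), so the handler could call `login_getpwclass(authctxt->pw)` and either ignore the payload or reject a mismatch. Separately, `if (r = sshbuf_put_u8(m, 0) != 0)` stores the comparison result in r, so `ssh_err(r)` reports the wrong code; it should read `if ((r = sshbuf_put_u8(m, 0)) != 0)`. `u_int len` is declared but never used.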
@@ -745,19 +787,8 @@ mm_answer_pwnamallow(int sock, struct sshbuf *m)
authctxt->pw = pwent;
authctxt->valid = 1;
- /* XXX don't sent pwent to unpriv; send fake class/dir/shell too */
if ((r = sshbuf_put_u8(m, 1)) != 0 ||
- (r = sshbuf_put_string(m, pwent, sizeof(*pwent))) != 0 ||
- (r = sshbuf_put_cstring(m, pwent->pw_name)) != 0 ||
- (r = sshbuf_put_cstring(m, "*")) != 0 ||
-#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
- (r = sshbuf_put_cstring(m, pwent->pw_gecos)) != 0 ||
-#endif
-#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
- (r = sshbuf_put_cstring(m, pwent->pw_class)) != 0 ||
-#endif
- (r = sshbuf_put_cstring(m, pwent->pw_dir)) != 0 ||
- (r = sshbuf_put_cstring(m, pwent->pw_shell)) != 0)
+ (r = sshbuf_put_passwd(m, pwent)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
out:
Modified: projects/openssl111/crypto/openssh/monitor.h
==============================================================================
--- projects/openssl111/crypto/openssh/monitor.h Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/monitor.h Mon Oct 8 18:06:40 2018 (r339240)
@@ -53,7 +53,8 @@ enum monitor_reqtype {
MONITOR_REQ_GSSSTEP = 44, MONITOR_ANS_GSSSTEP = 45,
MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
- MONITOR_REQ_TERM = 50,
+ MONITOR_REQ_GETPWCLASS = 50, MONITOR_ANS_GETPWCLASS = 51,
+ MONITOR_REQ_TERM = 52,
MONITOR_REQ_PAM_START = 100,
MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
Modified: projects/openssl111/crypto/openssh/monitor_wrap.c
==============================================================================
--- projects/openssl111/crypto/openssh/monitor_wrap.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/monitor_wrap.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -247,6 +247,57 @@ mm_sshkey_sign(struct sshkey *key, u_char **sigp, size
return (0);
}
+login_cap_t *
+mm_login_getpwclass(const struct passwd *pwent)
+{
+ int r;
+ struct sshbuf *m;
+ char rc;
+ login_cap_t *lc;
+
+ debug3("%s entering", __func__);
+
+ if ((m = sshbuf_new()) == NULL)
+ fatal("%s: sshbuf_new failed", __func__);
+ if ((r = sshbuf_put_passwd(m, pwent)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GETPWCLASS, m);
+
+ debug3("%s: waiting for MONITOR_ANS_GETPWCLASS", __func__);
+ mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GETPWCLASS, m);
+
+ if ((r = sshbuf_get_u8(m, &rc)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ if (rc == 0) {
+ lc = NULL;
+ goto out;
+ }
+
+ lc = xmalloc(sizeof(*lc));
+ if ((r = sshbuf_get_cstring(m, &lc->lc_class, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &lc->lc_cap, NULL)) != 0 ||
+ (r = sshbuf_get_cstring(m, &lc->lc_style, NULL)) != 0)
+ fatal("%s: buffer error: %s", __func__, ssh_err(r));
+
+ out:
+ sshbuf_free(m);
+
+ return (lc);
+}
+
+void
+mm_login_close(login_cap_t *lc)
+{
+ if (lc == NULL)
+ return;
+ free(lc->lc_style);
+ free(lc->lc_class);
+ free(lc->lc_cap);
+ free(lc);
+}
+
struct passwd *
mm_getpwnamallow(const char *username)
{
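Review bot: In mm_login_getpwclass, `char rc;` is passed to `sshbuf_get_u8(m, &rc)`, which stores through a `u_char *`; declaring it `u_char rc;` removes the pointer-sign mismatch. The function also needs a header comment stating that the returned login_cap_t is a heap copy carrying only `lc_class`, `lc_cap` and `lc_style`, and that it must be released with mm_login_close(), never login_close(). That contract is what makes the `PRIVSEP(login_close(lc))` call in auth2.c correct, and nothing in the code states it. The trailing context lines belong to mm_getpwnamallow, whose body continues outside the hunk.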
@@ -279,25 +330,9 @@ mm_getpwnamallow(const char *username)
goto out;
}
- /* XXX don't like passing struct passwd like this */
- pw = xcalloc(sizeof(*pw), 1);
- if ((r = sshbuf_get_string_direct(m, &p, &len)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
- if (len != sizeof(*pw))
- fatal("%s: struct passwd size mismatch", __func__);
- memcpy(pw, p, sizeof(*pw));
-
- if ((r = sshbuf_get_cstring(m, &pw->pw_name, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &pw->pw_passwd, NULL)) != 0 ||
-#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
- (r = sshbuf_get_cstring(m, &pw->pw_gecos, NULL)) != 0 ||
-#endif
-#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
- (r = sshbuf_get_cstring(m, &pw->pw_class, NULL)) != 0 ||
-#endif
- (r = sshbuf_get_cstring(m, &pw->pw_dir, NULL)) != 0 ||
- (r = sshbuf_get_cstring(m, &pw->pw_shell, NULL)) != 0)
- fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ pw = sshbuf_get_passwd(m);
+ if (pw == NULL)
+ fatal("%s: receive get struct passwd failed", __func__);
out:
/* copy options block as a Match directive may have changed some */
Modified: projects/openssl111/crypto/openssh/monitor_wrap.h
==============================================================================
--- projects/openssl111/crypto/openssh/monitor_wrap.h Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/monitor_wrap.h Mon Oct 8 18:06:40 2018 (r339240)
@@ -28,6 +28,8 @@
#ifndef _MM_WRAP_H_
#define _MM_WRAP_H_
+#include <login_cap.h>
+
extern int use_privsep;
#define PRIVSEP(x) (use_privsep ? mm_##x : x)
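Review bot: `#include <login_cap.h>` is added unconditionally here, and the next hunk declares `mm_login_getpwclass`/`mm_login_close` unconditionally too, while the callers in auth2.c and sshd.c are wrapped in `#ifdef HAVE_LOGIN_CAP`. For consistency with those call sites, and so the header still compiles where the feature test fails, guard both the include and the two prototypes with `#ifdef HAVE_LOGIN_CAP` ... `#endif`. The matching definitions in monitor.c and monitor_wrap.c would need the same guard.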
@@ -45,6 +47,8 @@ int mm_sshkey_sign(struct sshkey *, u_char **, size_t
const char *, u_int compat);
void mm_inform_authserv(char *, char *);
struct passwd *mm_getpwnamallow(const char *);
+login_cap_t *mm_login_getpwclass(const struct passwd *pwd);
+void mm_login_close(login_cap_t *lc);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct ssh *, char *);
int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *,
Modified: projects/openssl111/crypto/openssh/sandbox-capsicum.c
==============================================================================
--- projects/openssl111/crypto/openssh/sandbox-capsicum.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/sandbox-capsicum.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -31,6 +31,7 @@ __RCSID("$FreeBSD$");
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <capsicum_helpers.h>
#include "log.h"
#include "monitor.h"
@@ -70,6 +71,8 @@ ssh_sandbox_child(struct ssh_sandbox *box)
{
struct rlimit rl_zero;
cap_rights_t rights;
+
+ caph_cache_tzdata();
rl_zero.rlim_cur = rl_zero.rlim_max = 0;
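Review bot: The new `caph_cache_tzdata();` call at the top of ssh_sandbox_child has no comment explaining why it has to run at this point. A one-line comment such as `/* Load timezone data now; it cannot be opened once the sandbox is entered. */` would stop a later cleanup from moving or dropping it. The function body continues outside the hunk, so the ordering relative to the capability-mode entry cannot be checked from here.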
Modified: projects/openssl111/crypto/openssh/sshbuf-getput-basic.c
==============================================================================
--- projects/openssl111/crypto/openssh/sshbuf-getput-basic.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/sshbuf-getput-basic.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -25,6 +25,7 @@
#include <stdio.h>
#include <string.h>
+#include "xmalloc.h"
#include "ssherr.h"
#include "sshbuf.h"
@@ -461,4 +462,96 @@ sshbuf_get_bignum2_bytes_direct(struct sshbuf *buf,
return SSH_ERR_INTERNAL_ERROR;
}
return 0;
+}
+
+/*
+ * store struct pwd
+ */
+int
+sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent)
+{
+ int r;
+
+ /*
+ * We never send pointer values of struct passwd.
+ * It is safe from wild pointer even if a new pointer member is added.
+ */
+
+ if ((r = sshbuf_put_u64(buf, sizeof(*pwent)) != 0) ||
+ (r = sshbuf_put_cstring(buf, pwent->pw_name)) != 0 ||
+ (r = sshbuf_put_cstring(buf, "*")) != 0 ||
+ (r = sshbuf_put_u32(buf, pwent->pw_uid)) != 0 ||
+ (r = sshbuf_put_u32(buf, pwent->pw_gid)) != 0 ||
+ (r = sshbuf_put_u64(buf, pwent->pw_change)) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ (r = sshbuf_put_cstring(buf, pwent->pw_gecos)) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ (r = sshbuf_put_cstring(buf, pwent->pw_class)) != 0 ||
+#endif
+ (r = sshbuf_put_cstring(buf, pwent->pw_dir)) != 0 ||
+ (r = sshbuf_put_cstring(buf, pwent->pw_shell)) != 0 ||
+ (r = sshbuf_put_u64(buf, pwent->pw_expire)) != 0 ||
+ (r = sshbuf_put_u32(buf, pwent->pw_fields)) != 0) {
+ return r;
+ }
+ return 0;
+}
+
+/*
+ * extract struct pwd
+ */
+struct passwd *
+sshbuf_get_passwd(struct sshbuf *buf)
+{
+ struct passwd *pw;
+ int r;
+ size_t len;
+
+ /* check if size of struct passwd is as same as sender's size */
+ r = sshbuf_get_u64(buf, &len);
+ if (r != 0 || len != sizeof(*pw))
+ return NULL;
+
+ pw = xcalloc(1, sizeof(*pw));
+ if (sshbuf_get_cstring(buf, &pw->pw_name, NULL) != 0 ||
+ sshbuf_get_cstring(buf, &pw->pw_passwd, NULL) != 0 ||
+ sshbuf_get_u32(buf, &pw->pw_uid) != 0 ||
+ sshbuf_get_u32(buf, &pw->pw_gid) != 0 ||
+ sshbuf_get_u64(buf, &pw->pw_change) != 0 ||
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ sshbuf_get_cstring(buf, &pw->pw_gecos, NULL) != 0 ||
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ sshbuf_get_cstring(buf, &pw->pw_class, NULL) != 0 ||
+#endif
+ sshbuf_get_cstring(buf, &pw->pw_dir, NULL) != 0 ||
+ sshbuf_get_cstring(buf, &pw->pw_shell, NULL) != 0 ||
+ sshbuf_get_u64(buf, &pw->pw_expire) != 0 ||
+ sshbuf_get_u32(buf, &pw->pw_fields) != 0) {
+ sshbuf_free_passwd(pw);
+ return NULL;
+ }
+ return pw;
+}
+
+/*
+ * free struct passwd obtained from sshbuf_get_passwd.
+ */
+void
+sshbuf_free_passwd(struct passwd *pwent)
+{
+ if (pwent == NULL)
+ return;
+ free(pwent->pw_shell);
+ free(pwent->pw_dir);
+#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
+ free(pwent->pw_class);
+#endif
+#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
+ free(pwent->pw_gecos);
+#endif
+ free(pwent->pw_passwd);
+ free(pwent->pw_name);
+ free(pwent);
}
Modified: projects/openssl111/crypto/openssh/sshbuf.h
==============================================================================
--- projects/openssl111/crypto/openssh/sshbuf.h Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/sshbuf.h Mon Oct 8 18:06:40 2018 (r339240)
@@ -21,6 +21,7 @@
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
+#include <pwd.h>
#ifdef WITH_OPENSSL
# include <openssl/bn.h>
# ifdef OPENSSL_HAS_ECC
@@ -245,6 +246,21 @@ int sshbuf_b64tod(struct sshbuf *buf, const char *b64)
* nul character.
*/
char *sshbuf_dup_string(struct sshbuf *buf);
+
+/*
+ * store struct pwd
+ */
+int sshbuf_put_passwd(struct sshbuf *buf, const struct passwd *pwent);
+
+/*
+ * extract struct pwd
+ */
+struct passwd *sshbuf_get_passwd(struct sshbuf *buf);
+
+/*
+ * free struct passwd obtained from sshbuf_get_passwd.
+ */
+void sshbuf_free_passwd(struct passwd *pwent);
/* Macros for decoding/encoding integers */
#define PEEK_U64(p) \
Modified: projects/openssl111/crypto/openssh/sshd.c
==============================================================================
--- projects/openssl111/crypto/openssh/sshd.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/crypto/openssh/sshd.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -2143,6 +2143,11 @@ main(int ac, char **av)
*/
remote_ip = ssh_remote_ipaddr(ssh);
+#ifdef HAVE_LOGIN_CAP
+ /* Also caches remote hostname for sandboxed child. */
+ auth_get_canonical_hostname(ssh, options.use_dns);
+#endif
+
#ifdef SSH_AUDIT_EVENTS
audit_connection_from(remote_ip, remote_port);
#endif
Modified: projects/openssl111/lib/libc/amd64/string/memset.S
==============================================================================
--- projects/openssl111/lib/libc/amd64/string/memset.S Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/lib/libc/amd64/string/memset.S Mon Oct 8 18:06:40 2018 (r339240)
@@ -31,7 +31,7 @@
#include <machine/asm.h>
__FBSDID("$FreeBSD$");
-.macro MEMSET bzero
+.macro MEMSET bzero erms
.if \bzero == 1
movq %rsi,%rcx
movq %rsi,%rdx
@@ -43,21 +43,75 @@ __FBSDID("$FreeBSD$");
movabs $0x0101010101010101,%rax
imulq %r8,%rax
.endif
- cmpq $15,%rcx
- jbe 1f
- shrq $3,%rcx
- rep
- stosq
- movq %rdx,%rcx
- andq $7,%rcx
- jne 1f
+
+ cmpq $32,%rcx
+ jb 1016f
+
+ cmpq $256,%rcx
+ ja 1256f
+
+1032:
+ movq %rax,(%rdi)
+ movq %rax,8(%rdi)
+ movq %rax,16(%rdi)
+ movq %rax,24(%rdi)
+ leaq 32(%rdi),%rdi
+ subq $32,%rcx
+ cmpq $32,%rcx
+ jae 1032b
+ cmpb $0,%cl
+ je 1000f
+1016:
+ cmpb $16,%cl
+ jl 1008f
+ movq %rax,(%rdi)
+ movq %rax,8(%rdi)
+ subb $16,%cl
+ jz 1000f
+ leaq 16(%rdi),%rdi
+1008:
+ cmpb $8,%cl
+ jl 1004f
+ movq %rax,(%rdi)
+ subb $8,%cl
+ jz 1000f
+ leaq 8(%rdi),%rdi
+1004:
+ cmpb $4,%cl
+ jl 1002f
+ movl %eax,(%rdi)
+ subb $4,%cl
+ jz 1000f
+ leaq 4(%rdi),%rdi
+1002:
+ cmpb $2,%cl
+ jl 1001f
+ movw %ax,(%rdi)
+ subb $2,%cl
+ jz 1000f
+ leaq 2(%rdi),%rdi
+1001:
+ cmpb $1,%cl
+ jl 1000f
+ movb %al,(%rdi)
+1000:
.if \bzero == 0
movq %r9,%rax
.endif
ret
-1:
+
+1256:
+.if \erms == 1
rep
stosb
+.else
+ shrq $3,%rcx
+ rep
+ stosq
+ movq %rdx,%rcx
+ andb $7,%cl
+ jne 1004b
+.endif
.if \bzero == 0
movq %r9,%rax
.endif
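Review bot: The tail ladder (labels 1016 through 1001) tests the remaining count with signed `jl` after `cmpb`, while the entry checks use unsigned `jb`/`ja`. The count in %cl is below 32 on every path into the ladder, so the result is the same, but `jb` would state the intent and match the rest of the macro. On the `rep stosq` path, `andb $7,%cl` masks only the low byte and leaves the upper bits of %rcx stale before `jne 1004b`; that is safe only because the tail reads %cl alone, which deserves a comment such as `/* tail code reads %cl only */`. Both instantiations pass `erms=0`, so the `rep stosb` branch is not assembled in this revision. The macro body starts and ends outside the hunk.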
@@ -66,11 +120,11 @@ __FBSDID("$FreeBSD$");
#ifndef BZERO
ENTRY(memset)
- MEMSET bzero=0
+ MEMSET bzero=0 erms=0
END(memset)
#else
ENTRY(bzero)
- MEMSET bzero=1
+ MEMSET bzero=1 erms=0
END(bzero)
#endif
Modified: projects/openssl111/sbin/init/rc.conf
==============================================================================
--- projects/openssl111/sbin/init/rc.conf Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sbin/init/rc.conf Mon Oct 8 18:06:40 2018 (r339240)
@@ -163,7 +163,7 @@ firewall_simple_onet="192.0.2.0/28" # Outside network
# firewall.
#firewall_simple_onet_ipv6="2001:db8:2:0::/56" # Outside IPv6 network prefix
# for "simple" firewall.
-firewall_myservices="" # List of TCP ports on which this host
+firewall_myservices="" # List of ports/protocols on which this host
# offers services for "workstation" firewall.
firewall_allowservices="" # List of IPs which have access to
# $firewall_myservices for "workstation"
Modified: projects/openssl111/stand/defaults/loader.conf
==============================================================================
--- projects/openssl111/stand/defaults/loader.conf Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/stand/defaults/loader.conf Mon Oct 8 18:06:40 2018 (r339240)
@@ -97,6 +97,7 @@ efi_max_resolution="1x1" # Set the max resolution for
#console="vidconsole" # A comma separated list of console(s)
#currdev="disk1s1a" # Set the current device
module_path="/boot/modules;/boot/dtb;/boot/dtb/overlays" # Set the module search path
+module_blacklist="drm drm2 radeonkms i915kms amdgpu" # Loader module blacklist
#prompt="\\${interpret}" # Set the command prompt
#root_disk_unit="0" # Force the root disk unit number
#rootdev="disk1s1a" # Set the root filesystem
Modified: projects/openssl111/stand/defaults/loader.conf.5
==============================================================================
--- projects/openssl111/stand/defaults/loader.conf.5 Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/stand/defaults/loader.conf.5 Mon Oct 8 18:06:40 2018 (r339240)
@@ -23,7 +23,7 @@
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
-.Dd August 28, 2018
+.Dd October 6, 2018
.Dt LOADER.CONF 5
.Os
.Sh NAME
@@ -147,6 +147,15 @@ If a password is set, the user must provide specified
If set to
.Dq YES ,
module names will be displayed as they are loaded.
+.It Ar module_blacklist
+Blacklist of modules.
+Modules specified in the blacklist may not be loaded automatically with a
+.Ar *_load
+directive, but they may be loaded directly at the
+.Xr loader 8
+prompt.
+Blacklisted modules may still be loaded indirectly as dependencies of other
+moduled.
.It Ar *_load
If set to
.Dq YES ,
Modified: projects/openssl111/stand/lua/config.lua
==============================================================================
--- projects/openssl111/stand/lua/config.lua Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/stand/lua/config.lua Mon Oct 8 18:06:40 2018 (r339240)
@@ -54,6 +54,7 @@ local MSG_XENKERNFAIL = "Failed to load Xen kernel '%s
local MSG_XENKERNLOADING = "Loading Xen kernel..."
local MSG_KERNLOADING = "Loading kernel..."
local MSG_MODLOADING = "Loading configured modules..."
+local MSG_MODBLACKLIST = "Not loading blacklisted module '%s'"
local MSG_MODLOADFAIL = "Could not load one or more modules!"
local MODULEEXPR = '([%w-_]+)'
@@ -265,20 +266,37 @@ local function isValidComment(line)
return true
end
+local function getBlacklist()
+ local blacklist_str = loader.getenv('module_blacklist')
+ if blacklist_str == nil then
+ return nil
+ end
+
+ local blacklist = {}
+ for mod in blacklist_str:gmatch("[;, ]?([%w-_]+)[;, ]?") do
+ blacklist[mod] = true
+ end
+ return blacklist
+end
+
local function loadModule(mod, silent)
local status = true
+ local blacklist = getBlacklist()
local pstatus
for k, v in pairs(mod) do
if v.load ~= nil and v.load:lower() == "yes" then
+ local module_name = v.name or k
+ if blacklist[module_name] ~= nil then
+ if not silent then
+ print(MSG_MODBLACKLIST:format(module_name))
+ end
+ goto continue
+ end
local str = "load "
if v.type ~= nil then
str = str .. "-t " .. v.type .. " "
end
- if v.name ~= nil then
- str = str .. v.name
- else
- str = str .. k
- end
+ str = str .. module_name
if v.flags ~= nil then
str = str .. " " .. v.flags
end
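Review bot: getBlacklist() returns nil when `module_blacklist` is unset, and loadModule then evaluates `blacklist[module_name]` unconditionally, which raises an "attempt to index a nil value" error and aborts module loading. The shipped loader.conf default sets the variable, but a user who unsets it would hit this path. Returning an empty table from the early exit, `return {}`, keeps the lookup safe; alternatively guard the use with `if blacklist ~= nil and blacklist[module_name] ~= nil then`. loadModule's body continues past the end of this hunk.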
@@ -309,6 +327,7 @@ local function loadModule(mod, silent)
end
end
+ ::continue::
end
return status
Modified: projects/openssl111/stand/lua/core.lua
==============================================================================
--- projects/openssl111/stand/lua/core.lua Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/stand/lua/core.lua Mon Oct 8 18:06:40 2018 (r339240)
@@ -34,6 +34,10 @@ local hook = require("hook")
local core = {}
+local default_safe_mode = false
+local default_single_user = false
+local default_verbose = false
+
local function composeLoaderCmd(cmd_name, argstr)
if argstr ~= nil then
cmd_name = cmd_name .. " " .. argstr
@@ -41,6 +45,26 @@ local function composeLoaderCmd(cmd_name, argstr)
return cmd_name
end
+local function recordDefaults()
+ -- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386,
+ -- it will generally be set upon execution of the kernel. Because of
+ -- this, we can't (or don't really want to) detect/disable ACPI on !i386
+ -- reliably. Just set it enabled if we detect it and leave well enough
+ -- alone if we don't.
+ local boot_acpi = core.isSystem386() and core.getACPIPresent(false)
+ local boot_single = loader.getenv("boot_single") or "no"
+ local boot_verbose = loader.getenv("boot_verbose") or "no"
+ default_single_user = boot_single:lower() ~= "no"
+ default_verbose = boot_verbose:lower() ~= "no"
+
+ if boot_acpi then
+ core.setACPI(true)
+ end
+ core.setSingleUser(default_single_user)
+ core.setVerbose(default_verbose)
+end
+
+
-- Globals
-- try_include will return the loaded module on success, or nil on failure.
-- A message will also be printed on failure, with one exception: non-verbose
@@ -268,9 +292,9 @@ end
function core.setDefaults()
core.setACPI(core.getACPIPresent(true))
- core.setSafeMode(false)
- core.setSingleUser(false)
- core.setVerbose(false)
+ core.setSafeMode(default_safe_mode)
+ core.setSingleUser(default_single_user)
+ core.setVerbose(default_verbose)
end
function core.autoboot(argstr)
@@ -367,13 +391,6 @@ function core.popFrontTable(tbl)
return first_value, new_tbl
end
--- On i386, hint.acpi.0.rsdp will be set before we're loaded. On !i386, it will
--- generally be set upon execution of the kernel. Because of this, we can't (or
--- don't really want to) detect/disable ACPI on !i386 reliably. Just set it
--- enabled if we detect it and leave well enough alone if we don't.
-if core.isSystem386() and core.getACPIPresent(false) then
- core.setACPI(true)
-end
-
+recordDefaults()
hook.register("config.reloaded", core.clearCachedKernels)
return core
Modified: projects/openssl111/sys/amd64/conf/GENERIC
==============================================================================
--- projects/openssl111/sys/amd64/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/amd64/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240)
@@ -52,7 +52,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
-options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options EFIRT # EFI Runtime Services support
Modified: projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM
==============================================================================
--- projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/amd64/conf/GENERIC-MMCCAM Mon Oct 8 18:06:40 2018 (r339240)
@@ -7,7 +7,6 @@ include MINIMAL
ident GENERIC-MMCCAM
# Access GPT-formatted and labeled root volume
-options GEOM_PART_GPT
options GEOM_LABEL
# UART -- for bhyve console
Modified: projects/openssl111/sys/arm64/conf/GENERIC
==============================================================================
--- projects/openssl111/sys/arm64/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/arm64/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240)
@@ -50,7 +50,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
-options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD32 # Incomplete, but used by cloudabi32.ko.
Modified: projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c
==============================================================================
--- projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dsl_scan.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -2964,6 +2964,8 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s
{
vdev_t *vd;
+ vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva));
+
if (vd->vdev_ops == &vdev_indirect_ops) {
/*
* The indirect vdev can point to multiple
@@ -2974,6 +2976,7 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s
*/
return (B_TRUE);
}
+
if (DVA_GET_GANG(dva)) {
/*
* Gang members may be spread across multiple
@@ -2985,8 +2988,6 @@ dsl_scan_need_resilver(spa_t *spa, const dva_t *dva, s
*/
return (B_TRUE);
}
-
- vd = vdev_lookup_top(spa, DVA_GET_VDEV(dva));
/*
* Check if the txg falls within the range which must be
Modified: projects/openssl111/sys/dev/e1000/if_em.c
==============================================================================
--- projects/openssl111/sys/dev/e1000/if_em.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/dev/e1000/if_em.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -1804,13 +1804,11 @@ em_if_update_admin_status(if_ctx_t ctx)
}
iflib_link_state_change(ctx, LINK_STATE_UP,
IF_Mbps(adapter->link_speed));
- printf("Link state changed to up\n");
} else if (!link_check && (adapter->link_active == 1)) {
adapter->link_speed = 0;
adapter->link_duplex = 0;
adapter->link_active = 0;
iflib_link_state_change(ctx, LINK_STATE_DOWN, 0);
- printf("Link state changed to down\n");
}
em_update_stats_counters(adapter);
Modified: projects/openssl111/sys/dev/e1000/igb_txrx.c
==============================================================================
--- projects/openssl111/sys/dev/e1000/igb_txrx.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/dev/e1000/igb_txrx.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -152,7 +152,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi
u32 vlan_macip_lens, type_tucmd_mlhl;
u32 mss_l4len_idx;
mss_l4len_idx = vlan_macip_lens = type_tucmd_mlhl = 0;
- int offload = TRUE;
/* First check if TSO is to be used */
if (pi->ipi_csum_flags & CSUM_TSO)
@@ -186,7 +185,6 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_IPV6;
break;
default:
- offload = FALSE;
break;
}
@@ -195,24 +193,26 @@ igb_tx_ctx_setup(struct tx_ring *txr, if_pkt_info_t pi
switch (pi->ipi_ipproto) {
case IPPROTO_TCP:
- if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP))
+ if (pi->ipi_csum_flags & (CSUM_IP_TCP | CSUM_IP6_TCP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_TCP;
+ *olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
+ }
break;
case IPPROTO_UDP:
- if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP))
+ if (pi->ipi_csum_flags & (CSUM_IP_UDP | CSUM_IP6_UDP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_UDP;
+ *olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
+ }
break;
case IPPROTO_SCTP:
- if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP))
+ if (pi->ipi_csum_flags & (CSUM_IP_SCTP | CSUM_IP6_SCTP)) {
type_tucmd_mlhl |= E1000_ADVTXD_TUCMD_L4T_SCTP;
+ *olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
+ }
break;
default:
- offload = FALSE;
break;
}
-
- if (offload) /* For the TX descriptor setup */
- *olinfo_status |= E1000_TXD_POPTS_TXSM << 8;
/* 82575 needs the queue index added */
if (adapter->hw.mac.type == e1000_82575)
Modified: projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c
==============================================================================
--- projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/dev/mlx4/mlx4_en/mlx4_en_netdev.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -905,28 +905,6 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv *
priv->flags &= ~MLX4_EN_FLAG_MC_PROMISC;
}
- /* Update unicast list */
- mlx4_en_cache_uclist(dev);
-
- update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list);
-
- list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) {
- if (addr_list->action == MLX4_ADDR_LIST_REM) {
- mlx4_en_uc_steer_release(priv, addr_list->addr,
- priv->rss_map.indir_qp.qpn,
- addr_list->reg_id);
- /* remove from list */
- list_del(&addr_list->list);
- kfree(addr_list);
- } else if (addr_list->action == MLX4_ADDR_LIST_ADD) {
- err = mlx4_en_uc_steer_add(priv, addr_list->addr,
- &priv->rss_map.indir_qp.qpn,
- &addr_list->reg_id);
- if (err)
- en_err(priv, "Fail to add unicast address\n");
- }
- }
-
err = mlx4_SET_MCAST_FLTR(mdev->dev, priv->port, 0,
0, MLX4_MCAST_DISABLE);
if (err)
@@ -996,6 +974,36 @@ static void mlx4_en_do_multicast(struct mlx4_en_priv *
}
}
+static void mlx4_en_do_unicast(struct mlx4_en_priv *priv,
+ struct net_device *dev,
+ struct mlx4_en_dev *mdev)
+{
+ struct mlx4_en_addr_list *addr_list, *tmp;
+ int err;
+
+ /* Update unicast list */
+ mlx4_en_cache_uclist(dev);
+
+ update_addr_list_flags(priv, &priv->curr_uc_list, &priv->uc_list);
+
+ list_for_each_entry_safe(addr_list, tmp, &priv->curr_uc_list, list) {
+ if (addr_list->action == MLX4_ADDR_LIST_REM) {
+ mlx4_en_uc_steer_release(priv, addr_list->addr,
+ priv->rss_map.indir_qp.qpn,
+ addr_list->reg_id);
+ /* remove from list */
+ list_del(&addr_list->list);
+ kfree(addr_list);
+ } else if (addr_list->action == MLX4_ADDR_LIST_ADD) {
+ err = mlx4_en_uc_steer_add(priv, addr_list->addr,
+ &priv->rss_map.indir_qp.qpn,
+ &addr_list->reg_id);
+ if (err)
+ en_err(priv, "Fail to add unicast address\n");
+ }
+ }
+}
+
static void mlx4_en_do_set_rx_mode(struct work_struct *work)
{
struct mlx4_en_priv *priv = container_of(work, struct mlx4_en_priv,
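Review bot: The new mlx4_en_do_unicast() takes `mdev` but never uses it in the body shown, and it has no header comment stating its locking contract. The only caller visible in this commit invokes it before `mutex_unlock(&mdev->state_lock)`, so it presumably must run with that lock held; I would add `/* Sync unicast steering rules with the interface address list; caller holds mdev->state_lock. */` above the definition and drop the unused parameter or mark it as such. Separately, when mlx4_en_uc_steer_add() fails, the entry stays on `curr_uc_list` and only a message is logged. It is worth confirming that a later MLX4_ADDR_LIST_REM pass cannot hand an unset `reg_id` to mlx4_en_uc_steer_release().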
@@ -1026,17 +1034,19 @@ static void mlx4_en_do_set_rx_mode(struct work_struct
}
}
+ /* Set unicast rules */
+ mlx4_en_do_unicast(priv, dev, mdev);
+
/* Promsicuous mode: disable all filters */
if ((dev->if_flags & IFF_PROMISC) ||
(priv->flags & MLX4_EN_FLAG_FORCE_PROMISC)) {
mlx4_en_set_promisc_mode(priv, mdev);
- goto out;
+ } else if (priv->flags & MLX4_EN_FLAG_PROMISC) {
+ /* Not in promiscuous mode */
+ mlx4_en_clear_promisc_mode(priv, mdev);
}
- /* Not in promiscuous mode */
- if (priv->flags & MLX4_EN_FLAG_PROMISC)
- mlx4_en_clear_promisc_mode(priv, mdev);
-
+ /* Set multicast rules */
mlx4_en_do_multicast(priv, dev, mdev);
out:
mutex_unlock(&mdev->state_lock);
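Review bot: The comment `/* Not in promiscuous mode */` now sits inside the `else if (priv->flags & MLX4_EN_FLAG_PROMISC)` branch, which runs only when the interface flags no longer request promiscuous mode but the driver flag is still set; `/* Leaving promiscuous mode */` would describe that branch. With `goto out` removed, mlx4_en_do_multicast() is now also reached while promiscuous, and a line such as `/* Multicast rules are updated in promiscuous mode as well */` would make that intent explicit. The context comment above the `if` also misspells "Promiscuous". mlx4_en_do_set_rx_mode starts before this hunk and continues after it.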
Modified: projects/openssl111/sys/i386/conf/GENERIC
==============================================================================
--- projects/openssl111/sys/i386/conf/GENERIC Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/i386/conf/GENERIC Mon Oct 8 18:06:40 2018 (r339240)
@@ -51,7 +51,6 @@ options MSDOSFS # MSDOS Filesystem
options CD9660 # ISO 9660 Filesystem
options PROCFS # Process filesystem (requires PSEUDOFS)
options PSEUDOFS # Pseudo-filesystem framework
-options GEOM_PART_GPT # GUID Partition Tables.
options GEOM_RAID # Soft RAID functionality.
options GEOM_LABEL # Provides labelization
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
Modified: projects/openssl111/sys/kern/kern_jail.c
==============================================================================
--- projects/openssl111/sys/kern/kern_jail.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/kern/kern_jail.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -1393,11 +1393,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
* there is a duplicate on a jail with more than one
* IP stop checking and return error.
*/
- tppr = ppr;
#ifdef VIMAGE
- for (; tppr != &prison0; tppr = tppr->pr_parent)
+ for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
+#else
+ tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||
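Review bot: The same selection of `tppr` is repeated verbatim in the next hunk (`@@ -1460,11 +1461,12 @@`), and neither copy says why the non-VIMAGE build starts from `&prison0` instead of `ppr`. This choice decides which jails are scanned for a duplicate IP address, so the reason deserves a comment, for example `/* Without VIMAGE all jails share one network stack, so scan every prison. */` above the `#else` assignment. A small static helper returning the starting prison would remove the duplication and keep the two checks from drifting apart. The unbraced `for`/`if` pair directly followed by `#else` is easy to misread, so braces around the loop body would help. kern_jail_set starts and ends outside both hunks.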
@@ -1460,11 +1461,12 @@ kern_jail_set(struct thread *td, struct uio *optuio, i
}
}
/* Check for conflicting IP addresses. */
- tppr = ppr;
#ifdef VIMAGE
- for (; tppr != &prison0; tppr = tppr->pr_parent)
+ for (tppr = ppr; tppr != &prison0; tppr = tppr->pr_parent)
if (tppr->pr_flags & PR_VNET)
break;
+#else
+ tppr = &prison0;
#endif
FOREACH_PRISON_DESCENDANT(tppr, tpr, descend) {
if (tpr == pr ||
Modified: projects/openssl111/sys/netinet/ip_output.c
==============================================================================
--- projects/openssl111/sys/netinet/ip_output.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/netinet/ip_output.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -262,11 +262,12 @@ ip_output(struct mbuf *m, struct mbuf *opt, struct rou
ip->ip_v = IPVERSION;
ip->ip_hl = hlen >> 2;
ip_fillid(ip);
- IPSTAT_INC(ips_localout);
} else {
/* Header already set, fetch hlen from there */
hlen = ip->ip_hl << 2;
}
+ if ((flags & IP_FORWARDING) == 0)
+ IPSTAT_INC(ips_localout);
/*
* dst/gw handling:
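Review bot: `ips_localout` is now incremented after both branches, so it also covers the path where the header was already set by the caller, and nothing at the new `if` records that. A comment such as `/* Count every locally originated packet, including those with a caller-built header. */` above `if ((flags & IP_FORWARDING) == 0)` would state the intent. The condition that selects between the two branches is outside the hunk, so this reading should be confirmed against the full function. ip_output continues past the end of the hunk.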
Modified: projects/openssl111/sys/netinet/sctp_output.c
==============================================================================
--- projects/openssl111/sys/netinet/sctp_output.c Mon Oct 8 17:22:27 2018 (r339239)
+++ projects/openssl111/sys/netinet/sctp_output.c Mon Oct 8 18:06:40 2018 (r339240)
@@ -4983,7 +4983,6 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_
struct sctp_paramhdr *phdr, params;
struct mbuf *mat, *op_err;
- char tempbuf[SCTP_PARAM_BUFFER_SIZE];
int at, limit, pad_needed;
uint16_t ptype, plen, padded_size;
int err_at;
@@ -5123,15 +5122,13 @@ sctp_arethere_unrecognized_parameters(struct mbuf *in_
l_len = SCTP_MIN_V4_OVERHEAD;
#endif
l_len += sizeof(struct sctp_chunkhdr);
- l_len += plen;
- l_len += sizeof(struct sctp_paramhdr);
+ l_len += sizeof(struct sctp_gen_error_cause);
op_err = sctp_get_mbuf_for_msg(l_len, 0, M_NOWAIT, 1, MT_DATA);
if (op_err) {
SCTP_BUF_LEN(op_err) = 0;
/*
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***