159 files changed, 2754 insertions, 1996 deletions
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 6ce096ac92d1..51338fea9bf6 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -51,15 +51,18 @@
 # xargs -n1 | sort | uniq -d;
 # done
+# 20251121: Remove duplicate pam_krb5 manual page
+OLD_FILES+=usr/share/man/man8/pam-krb5.8.gz
+
 # 20251112: Remove old MLINK to apmconf(8)
-OLD_FILES+=share/man/man8/apmconf.8.gz
+OLD_FILES+=usr/share/man/man8/apmconf.8.gz
 # 20251112: Remove pccard(4) and related
-OLD_FILES+=share/man/man4/pccard.4.gz
-OLD_FILES+=share/man/man4/pcic.4.gz
+OLD_FILES+=usr/share/man/man4/pccard.4.gz
+OLD_FILES+=usr/share/man/man4/pcic.4.gz
 # 20251028: Remove hifn(4)
-OLD_FILES+=share/man/man4/hifn.4.gz
+OLD_FILES+=usr/share/man/man4/hifn.4.gz
 # 20251006: Remove libnss_tacplus.a (it never should have been installed)
 OLD_FILES+=usr/lib/libnss_tacplus.a
diff --git a/cddl/lib/drti/Makefile b/cddl/lib/drti/Makefile
index 50250887e379..dda6168a8195 100644
--- a/cddl/lib/drti/Makefile
+++ b/cddl/lib/drti/Makefile
@@ -12,11 +12,11 @@ CLEANFILES= ${FILES}
 .undef LIBRARIES_ONLY
 CFLAGS+= -DIN_BASE
 CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
diff --git a/cddl/lib/libavl/Makefile b/cddl/lib/libavl/Makefile
index 4ce1de20a3d9..aef8c34c853c 100644
--- a/cddl/lib/libavl/Makefile
+++ b/cddl/lib/libavl/Makefile
@@ -1,4 +1,4 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/avl
+.PATH: ${ZFSTOP}/module/avl
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -8,9 +8,10 @@ LIBADD= spl
 SRCS= avl.c
 WARNS?= 3
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
+
 .include <bsd.lib.mk>
diff --git a/cddl/lib/libctf/Makefile b/cddl/lib/libctf/Makefile
index 1c605182bc1d..b47f4a47551a 100644
--- a/cddl/lib/libctf/Makefile
+++ b/cddl/lib/libctf/Makefile
@@ -22,10 +22,10 @@ WARNS?= 2
 CFLAGS+= -DCTF_OLD_VERSIONS
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
diff --git a/cddl/lib/libdtrace/Makefile b/cddl/lib/libdtrace/Makefile
index dae6200d80c1..0742d0b5cd5a 100644
--- a/cddl/lib/libdtrace/Makefile
+++ b/cddl/lib/libdtrace/Makefile
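Review bot: The `.PATH: ${ZFSTOP}/module/avl` line that now opens cddl/lib/libavl/Makefile is expanded by make as the line is read, so ZFSTOP has to be defined before the Makefile body is parsed, and nothing in this part of the diff shows where that definition lives. With ZFSTOP unset the line becomes `.PATH: /module/avl` and the CFLAGS entries become `-I/include`, which would search host paths outside the source tree without raising any error. The same applies to the other `.PATH:` hunks below (libicp, libicp_rescue, libnvpair, libtpool, libuutil, libzdb, libzfs, libzfs_core, libzfsbootenv, libzutil, pam_zfs_key) and to the Makefiles that lose their local `ZFSTOP=` line. A guard in a makefile that all of these read, such as `.if empty(ZFSTOP)` / `.error ZFSTOP is not set` / `.endif`, would make a missed case fail loudly instead of building against the wrong headers.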
@@ -78,11 +78,11 @@ WARNS?= 1
 CFLAGS+= -DIN_BASE
 CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
diff --git a/cddl/lib/libicp/Makefile b/cddl/lib/libicp/Makefile
index 833ecbb1c7f7..15846e67a14b 100644
--- a/cddl/lib/libicp/Makefile
+++ b/cddl/lib/libicp/Makefile
@@ -1,4 +1,4 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/icp
+.PATH: ${ZFSTOP}/module/icp
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -97,14 +97,14 @@ WARNS?= 2
 SHLIB_MAJOR= 3
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libicp_rescue/Makefile b/cddl/lib/libicp_rescue/Makefile
index 0a5a81f4ab7f..8dc8c396774c 100644
--- a/cddl/lib/libicp_rescue/Makefile
+++ b/cddl/lib/libicp_rescue/Makefile
@@ -1,4 +1,4 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/icp
+.PATH: ${ZFSTOP}/module/icp
 PACKAGE= utilities
 LIB= icp_rescue
@@ -86,7 +86,7 @@ KERNEL_C = \
 core/kcf_prov_tabs.c \
 $(ASM_SOURCES_C)
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/zfs
+.PATH: ${ZFSTOP}/module/zfs
 KERNEL_C+= zfs_impl.c
 SRCS= $(ASM_SOURCES_AS) $(KERNEL_C)
@@ -95,14 +95,14 @@ WARNS?= 2
 SHLIB_MAJOR= 3
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID -UHAVE_AVX -DRESCUE
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libnvpair/Makefile b/cddl/lib/libnvpair/Makefile
index 8245b324688b..c66424cef219 100644
--- a/cddl/lib/libnvpair/Makefile
+++ b/cddl/lib/libnvpair/Makefile
@@ -1,6 +1,6 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/nvpair
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libnvpair
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/module/nvpair
+.PATH: ${ZFSTOP}/lib/libnvpair
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -20,12 +20,12 @@ SRCS+= nvpair_alloc_fixed.c \
 WARNS?= 2
 CFLAGS+= -DIN_BASE -DHAVE_RPC_TYPES
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID -DHAVE_CONFIG_H -DHAVE_XDR_BYTESREC
 .include <bsd.lib.mk>
diff --git a/cddl/lib/libspl/Makefile b/cddl/lib/libspl/Makefile
index 173e9116e284..b0f47172e52d 100644
--- a/cddl/lib/libspl/Makefile
+++ b/cddl/lib/libspl/Makefile
@@ -1,8 +1,8 @@
 .include <bsd.init.mk>
 .include <bsd.compiler.mk>
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libspl
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/lib/libspl
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -49,12 +49,12 @@ SRCS += \
 WARNS?= 2
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
 .if ${COMPILER_TYPE} == "clang"
diff --git a/cddl/lib/libtpool/Makefile b/cddl/lib/libtpool/Makefile
index 3a50a21bf62c..1ebfc52f5be9 100644
--- a/cddl/lib/libtpool/Makefile
+++ b/cddl/lib/libtpool/Makefile
@@ -1,5 +1,5 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libtpool
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/lib/libtpool
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -14,13 +14,13 @@ SRCS= thread_pool.c
 WARNS?= 2
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libtpool/tests/Makefile b/cddl/lib/libtpool/tests/Makefile
index 19e43cc18821..72a82b6afa59 100644
--- a/cddl/lib/libtpool/tests/Makefile
+++ b/cddl/lib/libtpool/tests/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 ATF_TESTS_C+= libtpool_test
 TEST_METADATA+= timeout="10"
diff --git a/cddl/lib/libuutil/Makefile b/cddl/lib/libuutil/Makefile
index 947e755d4aae..ca5a71d811f7 100644
--- a/cddl/lib/libuutil/Makefile
+++ b/cddl/lib/libuutil/Makefile
@@ -1,4 +1,4 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libuutil
+.PATH: ${ZFSTOP}/lib/libuutil
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -14,12 +14,12 @@ SRCS=\
 WARNS?= 2
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 LIBADD= avl spl
diff --git a/cddl/lib/libzdb/Makefile b/cddl/lib/libzdb/Makefile
index 040d7d2c63f9..f5a6a42d7aad 100644
--- a/cddl/lib/libzdb/Makefile
+++ b/cddl/lib/libzdb/Makefile
@@ -1,5 +1,5 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzdb
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/lib/libzdb
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -13,15 +13,15 @@ SRCS = libzdb.c
 WARNS?= 2
 CSTD= c99
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd/zfs
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzutil
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/lib/libzutil
 CFLAGS+= -DHAVE_ISSETUGID -DIN_BASE
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libzfs/Makefile b/cddl/lib/libzfs/Makefile
index 376e32fb893f..ed0c240b1113 100644
--- a/cddl/lib/libzfs/Makefile
+++ b/cddl/lib/libzfs/Makefile
@@ -1,11 +1,11 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/icp
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/zcommon
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzfs
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzfs/os/freebsd
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libshare
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/zstd
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/zstd/lib
+.PATH: ${ZFSTOP}/module/icp
+.PATH: ${ZFSTOP}/module/zcommon
+.PATH: ${ZFSTOP}/lib/libzfs
+.PATH: ${ZFSTOP}/lib/libzfs/os/freebsd
+.PATH: ${ZFSTOP}/lib/libshare
+.PATH: ${ZFSTOP}/include
+.PATH: ${ZFSTOP}/module/zstd
+.PATH: ${ZFSTOP}/module/zstd/lib
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -89,17 +89,17 @@ WARNS?= 2
 SHLIB_MAJOR= 4
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libshare
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libshare
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
 CFLAGS+= -I${SRCTOP}/sys/contrib/ck/include
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -DHAVE_EXECVPE
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libzfs_core/Makefile b/cddl/lib/libzfs_core/Makefile
index 10533c5de05b..72b0f519e21d 100644
--- a/cddl/lib/libzfs_core/Makefile
+++ b/cddl/lib/libzfs_core/Makefile
@@ -1,7 +1,7 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzfs_core
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/os/freebsd/zfs
+.PATH: ${ZFSTOP}/lib/libzfs_core
+.PATH: ${ZFSTOP}/include
+.PATH: ${ZFSTOP}/include/os/freebsd/zfs
+.PATH: ${ZFSTOP}/module/os/freebsd/zfs
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -17,17 +17,17 @@ SRCS= libzfs_core.c \
 WARNS?= 2
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzfs_core
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzfs_core/common
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libzfs_core
+CFLAGS+= -I${ZFSTOP}/lib/libzfs_core/common
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd/zfs
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/libzfsbootenv/Makefile b/cddl/lib/libzfsbootenv/Makefile
index 22f5da1ee5b1..eba6a1d8bea8 100644
--- a/cddl/lib/libzfsbootenv/Makefile
+++ b/cddl/lib/libzfsbootenv/Makefile
@@ -1,5 +1,5 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzfsbootenv
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/lib/libzfsbootenv
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -20,16 +20,16 @@ SRCS= $(USER_C)
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd/zfs
 CFLAGS.lzbe_device.c= -Wno-cast-qual
 CFLAGS.lzbe_util.c= -Wno-cast-qual
 CFLAGS.lzbe_pair.c= -Wno-cast-qual
diff --git a/cddl/lib/libzpool/Makefile b/cddl/lib/libzpool/Makefile
index 031cc27fb431..80fec2eb3fb1 100644
--- a/cddl/lib/libzpool/Makefile
+++ b/cddl/lib/libzpool/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/lib/libzpool
 # ZFS_COMMON_SRCS
@@ -263,7 +261,7 @@ CFLAGS+= \
 -I${ZFSTOP}/include \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/sys \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
 -I${ZFSTOP}/module/icp/include \
diff --git a/cddl/lib/libzutil/Makefile b/cddl/lib/libzutil/Makefile
index 37e9e8dd5e63..952ebda889b2 100644
--- a/cddl/lib/libzutil/Makefile
+++ b/cddl/lib/libzutil/Makefile
@@ -1,6 +1,6 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzutil
-.PATH: ${SRCTOP}/sys/contrib/openzfs/lib/libzutil/os/freebsd
-.PATH: ${SRCTOP}/sys/contrib/openzfs/module/os/freebsd/zfs
+.PATH: ${ZFSTOP}/lib/libzutil
+.PATH: ${ZFSTOP}/lib/libzutil/os/freebsd
+.PATH: ${ZFSTOP}/module/os/freebsd/zfs
 PACKAGE= zfs
 LIB_PACKAGE=
@@ -27,15 +27,15 @@ SRCS += zfs_ioctl_compat.c
 WARNS?= 2
 CSTD= c99
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd/zfs
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzutil
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/lib/libzutil
 CFLAGS+= -DHAVE_ISSETUGID -DIN_BASE
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/cddl/lib/pam_zfs_key/Makefile b/cddl/lib/pam_zfs_key/Makefile
index 517ca402d4da..345321b5926d 100644
--- a/cddl/lib/pam_zfs_key/Makefile
+++ b/cddl/lib/pam_zfs_key/Makefile
@@ -1,5 +1,5 @@
-.PATH: ${SRCTOP}/sys/contrib/openzfs/contrib/pam_zfs_key
-.PATH: ${SRCTOP}/sys/contrib/openzfs/include
+.PATH: ${ZFSTOP}/contrib/pam_zfs_key
+.PATH: ${ZFSTOP}/include
 PACKAGE= zfs
 LIB= pam_zfs_key
@@ -13,17 +13,17 @@ SRCS= pam_zfs_key.c
 WARNS?= 2
 CSTD= c99
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/zfs
+CFLAGS+= -I${ZFSTOP}/include/os/freebsd/zfs
 CFLAGS+= -DRUNSTATEDIR=\"/var/run\"
 .include "../../lib/libpam/modules/Makefile.inc"
diff --git a/cddl/sbin/zfs/Makefile b/cddl/sbin/zfs/Makefile
index 9a0a5198602e..3b9abe4446e8 100644
--- a/cddl/sbin/zfs/Makefile
+++ b/cddl/sbin/zfs/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zfs
 .PATH: ${ZFSTOP}/man/man7
 .PATH: ${ZFSTOP}/man/man8
diff --git a/cddl/sbin/zpool/Makefile b/cddl/sbin/zpool/Makefile
index ab7b852b4d9a..e2d8bf61e75b 100644
--- a/cddl/sbin/zpool/Makefile
+++ b/cddl/sbin/zpool/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/man/man4
 .PATH: ${ZFSTOP}/man/man5
 .PATH: ${ZFSTOP}/man/man7
@@ -67,7 +65,7 @@ CFLAGS+= \
 -I${ZFSTOP}/include \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/sys \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
 -I${ZFSTOP}/cmd/zpool \
diff --git a/cddl/share/zfs/compatibility.d/Makefile b/cddl/share/zfs/compatibility.d/Makefile
index 6d3663081ae6..4bc8da774168 100644
--- a/cddl/share/zfs/compatibility.d/Makefile
+++ b/cddl/share/zfs/compatibility.d/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zpool/compatibility.d
 PACKAGE= zfs
diff --git a/cddl/usr.bin/ctfconvert/Makefile b/cddl/usr.bin/ctfconvert/Makefile
index df53c46b7246..8ce1fce2a711 100644
--- a/cddl/usr.bin/ctfconvert/Makefile
+++ b/cddl/usr.bin/ctfconvert/Makefile
@@ -25,9 +25,9 @@ SRCS= alist.c \
 util.c
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
diff --git a/cddl/usr.bin/ctfdump/Makefile b/cddl/usr.bin/ctfdump/Makefile
index 357598583ae7..03d4632603ba 100644
--- a/cddl/usr.bin/ctfdump/Makefile
+++ b/cddl/usr.bin/ctfdump/Makefile
@@ -8,9 +8,9 @@ SRCS= dump.c \
 utils.c
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${OPENSOLARIS_USR_DISTDIR} \
diff --git a/cddl/usr.bin/ctfmerge/Makefile b/cddl/usr.bin/ctfmerge/Makefile
index 81bccc047a25..73c929605414 100644
--- a/cddl/usr.bin/ctfmerge/Makefile
+++ b/cddl/usr.bin/ctfmerge/Makefile
@@ -25,9 +25,9 @@ WARNS?= 1
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
diff --git a/cddl/usr.bin/zinject/Makefile b/cddl/usr.bin/zinject/Makefile
index fd8437ed3f2c..cd22feda937a 100644
--- a/cddl/usr.bin/zinject/Makefile
+++ b/cddl/usr.bin/zinject/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zinject
 .PATH: ${ZFSTOP}/man/man8
@@ -15,7 +13,7 @@ CFLAGS+= \
 -I${ZFSTOP}/include \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/sys \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
 -I${ZFSTOP}/module/icp/include \
diff --git a/cddl/usr.bin/zstream/Makefile b/cddl/usr.bin/zstream/Makefile
index 7b753f79c4d7..d3371101f6dc 100644
--- a/cddl/usr.bin/zstream/Makefile
+++ b/cddl/usr.bin/zstream/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zstream
 .PATH: ${ZFSTOP}/man/man8
@@ -25,7 +23,7 @@ CFLAGS+= \
 -I${ZFSTOP}/include \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/sys \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
 -I${ZFSTOP}/module/icp/include \
diff --git a/cddl/usr.bin/ztest/Makefile b/cddl/usr.bin/ztest/Makefile
index ef4bd561b41a..192c0222377a 100644
--- a/cddl/usr.bin/ztest/Makefile
+++ b/cddl/usr.bin/ztest/Makefile
@@ -1,7 +1,5 @@
 .include <src.opts.mk>
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd
 .PATH: ${ZFSTOP}/man/man1
@@ -15,7 +13,7 @@ CFLAGS+= \
 -I${ZFSTOP}/include \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/cddl/compat/opensolaris/include \
 -I${ZFSTOP}/module/icp/include \
 -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h \
diff --git a/cddl/usr.libexec/zfs_prepare_disk/Makefile b/cddl/usr.libexec/zfs_prepare_disk/Makefile
index 0d3f9b56b28c..1a261c5684bc 100644
--- a/cddl/usr.libexec/zfs_prepare_disk/Makefile
+++ b/cddl/usr.libexec/zfs_prepare_disk/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/scripts
 PACKAGE= zfs
diff --git a/cddl/usr.libexec/zpool_influxdb/Makefile b/cddl/usr.libexec/zpool_influxdb/Makefile
index f91ce1a7a213..53779443573d 100644
--- a/cddl/usr.libexec/zpool_influxdb/Makefile
+++ b/cddl/usr.libexec/zpool_influxdb/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zpool_influxdb
 .PATH: ${ZFSTOP}/man/man8
diff --git a/cddl/usr.sbin/dtrace/Makefile b/cddl/usr.sbin/dtrace/Makefile
index cdfd8af8fe72..2cc5376c5fed 100644
--- a/cddl/usr.sbin/dtrace/Makefile
+++ b/cddl/usr.sbin/dtrace/Makefile
@@ -11,9 +11,9 @@ WARNS?= 1
 CFLAGS+= -DIN_BASE
 CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
diff --git a/cddl/usr.sbin/lockstat/Makefile b/cddl/usr.sbin/lockstat/Makefile
index 498e2a5857e0..cd2cb8c0c861 100644
--- a/cddl/usr.sbin/lockstat/Makefile
+++ b/cddl/usr.sbin/lockstat/Makefile
@@ -11,9 +11,9 @@ WARNS?= 1
 CFLAGS+= -DIN_BASE
 CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris
diff --git a/cddl/usr.sbin/plockstat/Makefile b/cddl/usr.sbin/plockstat/Makefile
index 2880c6aeafc7..dcc51d9ac2b4 100644
--- a/cddl/usr.sbin/plockstat/Makefile
+++ b/cddl/usr.sbin/plockstat/Makefile
@@ -11,9 +11,9 @@ WARNS?= 1
 CFLAGS+= -DIN_BASE
 CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
 CFLAGS+= -I${SRCTOP}/sys/cddl/compat/opensolaris \
diff --git a/cddl/usr.sbin/zdb/Makefile b/cddl/usr.sbin/zdb/Makefile
index f8f7eea6050b..6707d8fdaae7 100644
--- a/cddl/usr.sbin/zdb/Makefile
+++ b/cddl/usr.sbin/zdb/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd/zdb
 .PATH: ${ZFSTOP}/man/man8
@@ -18,7 +16,7 @@ CFLAGS+= \
 -I${ZFSTOP}/lib/libspl/include \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd \
 -I${ZFSTOP}/lib/libspl/include/os/freebsd/spl \
- -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include \
+ -I${ZFSTOP}/lib/libzpool/include \
 -I${SRCTOP}/sys \
 -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h \
 -DHAVE_ISSETUGID
diff --git a/cddl/usr.sbin/zfsd/Makefile.common b/cddl/usr.sbin/zfsd/Makefile.common
index 487caf54a0ce..c610a3bf3e5b 100644
--- a/cddl/usr.sbin/zfsd/Makefile.common
+++ b/cddl/usr.sbin/zfsd/Makefile.common
@@ -14,12 +14,12 @@ WARNS?= 2
 IGNORE_PRAGMA= YES
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
 CFLAGS+= -I${SRCTOP}/sys
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -I${SRCTOP}/cddl/usr.sbin
 CFLAGS+= -DHAVE_ISSETUGID
diff --git a/cddl/usr.sbin/zhack/Makefile b/cddl/usr.sbin/zhack/Makefile
index 2b981919e17b..a238da39a243 100644
--- a/cddl/usr.sbin/zhack/Makefile
+++ b/cddl/usr.sbin/zhack/Makefile
@@ -1,5 +1,3 @@
-ZFSTOP= ${SRCTOP}/sys/contrib/openzfs
-
 .PATH: ${ZFSTOP}/cmd
 .PATH: ${ZFSTOP}/man/man1
@@ -12,14 +10,14 @@ CSTD= c99
 WARNS?= 2
 CFLAGS+= -DIN_BASE
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include
+CFLAGS+= -I${ZFSTOP}/include
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/
+CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd
+CFLAGS+= -I${ZFSTOP}/lib/libzpool/include
 CFLAGS+= -I${SRCTOP}/sys
 CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include
-CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include
-CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h
+CFLAGS+= -I${ZFSTOP}/module/icp/include
+CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h
 CFLAGS+= -DHAVE_ISSETUGID
 CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h
diff --git a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
index 7ab63905ed4f..7d090ba682b3 100644
--- a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
+++ b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
@@ -78,6 +78,11 @@ public:
 void AddHIPIncludeArgs(const llvm::opt::ArgList &DriverArgs,
 llvm::opt::ArgStringList &CC1Args) const override;
+ bool IsAArch64OutlineAtomicsDefault(
+ const llvm::opt::ArgList &Args) const override {
+ return true;
+ }
+
 UnwindTableLevel
 getDefaultUnwindTableLevel(const llvm::opt::ArgList &Args) const override;
 bool isPIEDefault(const llvm::opt::ArgList &Args) const override;
diff --git a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
index 110e803b3354..0778eb320dcf 100644
--- a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
+++ b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
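Review bot: The new `IsAArch64OutlineAtomicsDefault` override in FreeBSD.h returns `true` for every FreeBSD AArch64 target and carries no comment saying why that is safe. Outline atomics make the compiler emit calls to `__aarch64_*` helper routines that the runtime library has to supply, so code built for a release whose compiler-rt or libgcc lacks them would presumably fail at link time; whether every supported release ships the helpers cannot be seen from this hunk. I would add a comment above the override, for example `// Outline atomics rely on the __aarch64_* helpers in the runtime library; on by default for FreeBSD.`, and name the oldest release that provides them if there is a cut-off. The class body starts and ends outside the hunk.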
@@ -14,12 +14,13 @@ #include <sys/sysctl.h> #include <sys/user.h> -#include <machine/elf.h> - #include <cstdio> #include <dlfcn.h> #include <execinfo.h> +#include "llvm/Object/ELF.h" + +#include "lldb/Host/FileSystem.h" #include "lldb/Host/Host.h" #include "lldb/Host/HostInfo.h" #include "lldb/Utility/DataBufferHeap.h" @@ -101,17 +102,33 @@ GetFreeBSDProcessArgs(const ProcessInstanceInfoMatch *match_info_ptr, proc_args.AppendArgument(llvm::StringRef(cstr)); } - return true; -} - -static bool GetFreeBSDProcessCPUType(ProcessInstanceInfo &process_info) { - if (process_info.ProcessIDIsValid()) { - process_info.GetArchitecture() = - HostInfo::GetArchitecture(HostInfo::eArchKindDefault); + auto buffer_sp = FileSystem::Instance().CreateDataBuffer(pathname, 0x20, 0); + if (!buffer_sp) { + process_info.Clear(); return true; } - process_info.GetArchitecture().Clear(); - return false; + uint8_t exe_class = + llvm::object::getElfArchType( + {reinterpret_cast<const char *>(buffer_sp->GetBytes()), + size_t(buffer_sp->GetByteSize())}) + .first; + + switch (exe_class) { + case llvm::ELF::ELFCLASS32: + process_info.SetArchitecture( + HostInfo::GetArchitecture(HostInfo::eArchKind32)); + break; + case llvm::ELF::ELFCLASS64: + process_info.SetArchitecture( + HostInfo::GetArchitecture(HostInfo::eArchKind64)); + break; + case llvm::ELF::ELFCLASSNONE: + process_info.SetArchitecture( + HostInfo::GetArchitecture(HostInfo::eArchKindDefault)); + break; + } + + return true; } static bool GetFreeBSDProcessUserAndGroup(ProcessInstanceInfo &process_info) { @@ -218,7 +235,6 @@ uint32_t Host::FindProcessesImpl(const ProcessInstanceInfoMatch &match_info, // Make sure our info matches before we go fetch the name and cpu type if (match_info_noname.Matches(process_info) && GetFreeBSDProcessArgs(&match_info, process_info)) { - GetFreeBSDProcessCPUType(process_info); if (match_info.Matches(process_info)) process_infos.push_back(process_info); } 
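Review bot: The `switch (exe_class)` added to GetFreeBSDProcessArgs has no `default:` arm, so a class byte other than `ELFCLASSNONE`, `ELFCLASS32` or `ELFCLASS64` leaves the architecture in `process_info` at whatever value it held before. As far as I know `getElfArchType` passes that byte through from the file, and the file is read from disk rather than reported by the kernel, so unknown values should be handled explicitly, e.g. `default: process_info.GetArchitecture().Clear(); break;`. Separately, the `!buffer_sp` branch calls `process_info.Clear()` and then returns `true`. Both callers visible in this diff treat `true` as success, so an unreadable executable presumably yields an emptied entry rather than a skipped one; worth confirming that is intended. The function begins above the hunk, so the earlier part of its body is not visible here.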
@@ -232,7 +248,6 @@ bool Host::GetProcessInfo(lldb::pid_t pid, ProcessInstanceInfo &process_info) { if (GetFreeBSDProcessArgs(NULL, process_info)) { // should use libprocstat instead of going right into sysctl? - GetFreeBSDProcessCPUType(process_info); GetFreeBSDProcessUserAndGroup(process_info); return true; } diff --git a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp index e0f3971c6e27..c361b2abb726 100644 --- a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp +++ b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp @@ -9,6 +9,7 @@ #include "RegisterContextFreeBSD_x86_64.h" #include "RegisterContextFreeBSD_i386.h" #include "RegisterContextPOSIX_x86.h" +#include "llvm/Support/Threading.h" #include <vector> using namespace lldb_private; 
@@ -69,40 +70,34 @@ struct UserArea { #include "RegisterInfos_x86_64.h" #undef DECLARE_REGISTER_INFOS_X86_64_STRUCT -static std::vector<lldb_private::RegisterInfo> &GetSharedRegisterInfoVector() { - static std::vector<lldb_private::RegisterInfo> register_infos; - return register_infos; -} - -static const RegisterInfo * -GetRegisterInfo_i386(const lldb_private::ArchSpec &arch) { - static std::vector<lldb_private::RegisterInfo> g_register_infos( - GetSharedRegisterInfoVector()); - - // Allocate RegisterInfo only once - if (g_register_infos.empty()) { - // Copy the register information from base class - std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface( - new RegisterContextFreeBSD_i386(arch)); - const RegisterInfo *base_info = reg_interface->GetRegisterInfo(); - g_register_infos.insert(g_register_infos.end(), &base_info[0], - &base_info[k_num_registers_i386]); +static std::vector<lldb_private::RegisterInfo> & +GetSharedRegisterInfoVector_i386(const lldb_private::ArchSpec &arch) { + static std::vector<lldb_private::RegisterInfo> g_register_infos; + static llvm::once_flag g_initialized; + llvm::call_once(g_initialized, [&]() { + if (g_register_infos.empty()) { + // Copy the register information from base class + std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface( + new RegisterContextFreeBSD_i386(arch)); + const RegisterInfo *base_info = reg_interface->GetRegisterInfo(); + g_register_infos.insert(g_register_infos.end(), &base_info[0], + &base_info[k_num_registers_i386]); // Include RegisterInfos_x86_64 to update the g_register_infos structure // with x86_64 offsets. 
#define UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS #include "RegisterInfos_x86_64.h" #undef UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS - } - - return &g_register_infos[0]; + } + }); + return g_register_infos; } static const RegisterInfo * PrivateGetRegisterInfoPtr(const lldb_private::ArchSpec &target_arch) { switch (target_arch.GetMachine()) { case llvm::Triple::x86: - return GetRegisterInfo_i386(target_arch); + return &GetSharedRegisterInfoVector_i386(target_arch)[0]; case llvm::Triple::x86_64: return g_register_infos_x86_64; default: @@ -116,9 +111,10 @@ PrivateGetRegisterCount(const lldb_private::ArchSpec &target_arch) { switch (target_arch.GetMachine()) { case llvm::Triple::x86: // This vector should have already been filled. - assert(!GetSharedRegisterInfoVector().empty() && + assert(!GetSharedRegisterInfoVector_i386(target_arch).empty() && "i386 register info vector not filled."); - return static_cast<uint32_t>(GetSharedRegisterInfoVector().size()); + return static_cast<uint32_t>( + GetSharedRegisterInfoVector_i386(target_arch).size()); case llvm::Triple::x86_64: return static_cast<uint32_t>(sizeof(g_register_infos_x86_64) / sizeof(g_register_infos_x86_64[0])); diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod index 024584dfd4cd..f352af71b553 100644 --- a/contrib/pam-krb5/docs/pam_krb5.pod +++ b/contrib/pam-krb5/docs/pam_krb5.pod 
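Review bot: Inside the `llvm::call_once` lambda in GetSharedRegisterInfoVector_i386, the `if (g_register_infos.empty())` test is redundant: the once-flag already guarantees the body runs a single time, on a vector that was just default-constructed. Dropping it removes one nesting level. The function also returns a non-const reference to the shared static vector, so any caller could modify it after initialisation without synchronisation. Both visible callers only read it, so a return type of `static const std::vector<lldb_private::RegisterInfo> &` would state that. A one-line comment that the first caller's `arch` fixes the contents for the rest of the process would also help.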
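Review bot: The assert in PrivateGetRegisterCount is now ineffective, because it calls `GetSharedRegisterInfoVector_i386(target_arch)`, which fills the vector on first use. It therefore no longer detects a count query made before the register info pointer was requested. The comment `// This vector should have already been filled.` and the message "i386 register info vector not filled." are stale for the same reason. Either drop the assert, or reword the comment to something like `// The accessor populates the vector on first use; empty here means the base register copy produced nothing.` The function's signature and the rest of its body lie outside the hunk.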
@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a local key and that the PAM module be running as a user that can read the keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM module at a different keytab with the I<keytab> option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -C<verify_ap_req_nofail> to true in the [libdefaults] section of -F</etc/krb5.conf>. Note that this will affect applications other than -this PAM module. +cannot be read or if no keys are found in it, the default behavior is to +fail authentication. If you want to skip this check, set the +C<allow_kdc_spoof> option to true either in the [appdefaults] section of +F</etc/krb5.conf> or in the PAM policy. By default, whenever the user is authenticated, a basic authorization check will also be done using krb5_kuserok(). The default behavior of @@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning. =over 4 +=item allow_kdc_spoof + +Allow authentication to succeed even if there is no host or service +key available in a keytab to authenticate the Kerberos KDC's ticket. + =item alt_auth_map=<format> [3.12] This functions similarly to the I<search_k5login> option. The diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c index 065ce97b6596..46f2be791000 100644 --- a/contrib/pam-krb5/module/auth.c +++ b/contrib/pam-krb5/module/auth.c 
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds) if (cursor_valid) krb5_kt_end_seq_get(c, keytab, &cursor); } +#ifdef __FreeBSD__ + if (args->config->allow_kdc_spoof) + opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; + else + opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL; +#endif /* __FreeBSD__ */ retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts); if (retval != 0) putil_err_krb5(args, retval, "credential verification failed"); diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h index f3ea30139815..c797f7a56cd3 100644 --- a/contrib/pam-krb5/module/internal.h +++ b/contrib/pam-krb5/module/internal.h @@ -62,6 +62,9 @@ struct pam_config { long minimum_uid; /* Ignore users below this UID. */ bool only_alt_auth; /* Alt principal must be used. */ bool search_k5login; /* Try password with each line of .k5login. */ +#ifdef __FreeBSD__ + bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */ +#endif /* __FreeBSD__ */ /* Kerberos behavior. */ char *fast_ccache; /* Cache containing armor ticket. */ diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c index 799b3a33e168..0118fb451af6 100644 --- a/contrib/pam-krb5/module/options.c +++ b/contrib/pam-krb5/module/options.c @@ -30,6 +30,9 @@ #define K(name) (#name), offsetof(struct pam_config, name) /* clang-format off */ static const struct option options[] = { +#ifdef __FreeBSD__ + { K(allow_kdc_spoof), true, BOOL (false) }, +#endif /* __FreeBSD__ */ { K(alt_auth_map), true, STRING (NULL) }, { K(anon_fast), true, BOOL (false) }, { K(banner), true, STRING ("Kerberos") }, diff --git a/include/Makefile b/include/Makefile index 661b2ee131ca..b8cbf0ecc1c2 100644 --- a/include/Makefile +++ b/include/Makefile 
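Review bot: The added `#ifdef __FreeBSD__` block in verify_creds sets or clears only the `KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL` bit in `opts.flags` and never writes the `ap_req_nofail` value that this bit marks as valid. In the krb5 libraries I am aware of, the verifier reads `opts.ap_req_nofail` once the bit is set, so the new fail-closed default holds only if that field is already non-zero. How `opts` is initialised is above the hunk, so this cannot be confirmed from here. The public setter writes both in one step: `krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof);`. That passes an explicit 0 when `allow_kdc_spoof` is true, whereas clearing the bit leaves the decision to the library's configured default, so choose whichever the documentation change intends.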
@@ -233,7 +233,7 @@ RPCDIR= ${INCLUDEDIR}/rpc TEKEN= teken.h TEKENDIR= ${INCLUDEDIR}/teken -.PATH: ${SRCTOP}/sys/contrib/openzfs/include/sys +.PATH: ${ZFSTOP}/include/sys NVPAIR= nvpair.h NVPAIRDIR= ${INCLUDEDIR}/sys diff --git a/krb5/util/ss/Makefile b/krb5/util/ss/Makefile index 2c48ccf56573..30e1bf7b025e 100644 --- a/krb5/util/ss/Makefile +++ b/krb5/util/ss/Makefile @@ -85,7 +85,7 @@ ${GEN_SS_ERR_C}: ${GEN_SS_ERR} rm -f et-c-${.PREFIX}.et et-c-${.PREFIX}.c std_rqs.c: mk_cmds std_rqs.ct ss_err.h - ./mk_cmds ${KRB5_DIR}/util/ss/std_rqs.ct + sh mk_cmds ${KRB5_DIR}/util/ss/std_rqs.ct .include <bsd.lib.mk> diff --git a/lib/clang/freebsd_cc_version.h b/lib/clang/freebsd_cc_version.h index b493dc96db5e..cf525916fe29 100644 --- a/lib/clang/freebsd_cc_version.h +++ b/lib/clang/freebsd_cc_version.h @@ -1 +1 @@ -#define FREEBSD_CC_VERSION 1600000 +#define FREEBSD_CC_VERSION 1600001 diff --git a/lib/libbe/Makefile b/lib/libbe/Makefile index 3ba456aee4b7..860a4aa1962a 100644 --- a/lib/libbe/Makefile +++ b/lib/libbe/Makefile 
@@ -53,15 +53,15 @@ LIBADD+= spl LIBADD+= zfsbootenv CFLAGS+= -DIN_BASE -DHAVE_RPC_TYPES -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include/os/freebsd -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzfs -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include +CFLAGS+= -I${ZFSTOP}/include +CFLAGS+= -I${ZFSTOP}/include/os/freebsd +CFLAGS+= -I${ZFSTOP}/lib/libspl/include +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd +CFLAGS+= -I${ZFSTOP}/lib/libzfs +CFLAGS+= -I${ZFSTOP}/lib/libzpool/include CFLAGS+= -I${SRCTOP}/sys CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include -CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h +CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h CFLAGS+= -DHAVE_ISSETUGID -DHAVE_STRLCAT -DHAVE_STRLCPY CFLAGS.be.c= -Wno-cast-qual CFLAGS.be_access.c= -Wno-cast-qual diff --git a/lib/libbe/tests/Makefile b/lib/libbe/tests/Makefile index 80731ed1effc..dfe49bd7f3e5 100644 --- a/lib/libbe/tests/Makefile +++ b/lib/libbe/tests/Makefile @@ -14,12 +14,12 @@ LIBADD+= zfs \ CFLAGS+= -I${SRCTOP}/lib/libbe CFLAGS+= -DIN_BASE -DHAVE_RPC_TYPES -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/ -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd +CFLAGS+= -I${ZFSTOP}/include +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/ +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd CFLAGS+= -I${SRCTOP}/sys CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include -CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h +CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h CFLAGS+= -DHAVE_ISSETUGID .include <bsd.test.mk> 
diff --git a/lib/libc/stdlib/malloc/jemalloc/jemalloc.3 b/lib/libc/stdlib/malloc/jemalloc/jemalloc.3 index a4ea3e1f54a9..1c99352a6ae2 100644 --- a/lib/libc/stdlib/malloc/jemalloc/jemalloc.3 +++ b/lib/libc/stdlib/malloc/jemalloc/jemalloc.3 @@ -1,13 +1,13 @@ '\" t .\" Title: JEMALLOC .\" Author: Jason Evans -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 11/10/2019 +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 05/06/2022 .\" Manual: User Manual -.\" Source: jemalloc 5.2.1-0-gea6b3e973b477b8061e0076bb257dbd7f3faa756 +.\" Source: jemalloc 5.3.0-0-g54eaed1d8b56b1aa528be3bdd1877e59c56fa90c .\" Language: English .\" -.TH "JEMALLOC" "3" "11/10/2019" "jemalloc 5.2.1-0-gea6b3e973b47" "User Manual" +.TH "JEMALLOC" "3" "05/06/2022" "jemalloc 5.3.0-0-g54eaed1d8b56" "User Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -31,7 +31,7 @@ jemalloc \- general purpose memory allocation functions .SH "LIBRARY" .PP -This manual describes jemalloc 5\&.2\&.1\-0\-gea6b3e973b477b8061e0076bb257dbd7f3faa756\&. More information can be found at the +This manual describes jemalloc 5\&.3\&.0\-0\-g54eaed1d8b56b1aa528be3bdd1877e59c56fa90c\&. More information can be found at the \m[blue]\fBjemalloc website\fR\m[]\&\s-2\u[1]\d\s+2\&. .PP The following configuration options are enabled in libc\*(Aqs built\-in jemalloc: @@ -603,7 +603,7 @@ T} :T{ 8 KiB T}:T{ -[40 KiB, 48 KiB, 54 KiB, 64 KiB] +[40 KiB, 48 KiB, 56 KiB, 64 KiB] T} :T{ 16 KiB 
@@ -848,6 +848,11 @@ in these cases\&. This option is disabled by default unless is specified during configuration, in which case it is enabled by default\&. .RE .PP +opt\&.cache_oblivious (\fBbool\fR) r\- +.RS 4 +Enable / Disable cache\-oblivious large allocation alignment, for large requests with no alignment constraints\&. If this feature is disabled, all large allocations are page\-aligned as an implementation artifact, which can severely harm CPU cache utilization\&. However, the cache\-oblivious layout comes at the cost of one extra page per large allocation, which in the most extreme case increases physical memory usage for the 16 KiB size class to 20 KiB\&. This option is enabled by default\&. +.RE +.PP opt\&.metadata_thp (\fBconst char *\fR) r\- .RS 4 Controls whether to allow jemalloc to use transparent huge page (THP) for internal metadata (see @@ -859,6 +864,11 @@ uses no THP initially, but may begin to do so when metadata usage reaches certai \(lqdisabled\(rq\&. .RE .PP +opt\&.trust_madvise (\fBbool\fR) r\- +.RS 4 +If true, do not perform runtime check for MADV_DONTNEED, to check that it actually zeros pages\&. The default is disabled on Linux and enabled elsewhere\&. +.RE +.PP opt\&.retain (\fBbool\fR) r\- .RS 4 If true, retain unused virtual memory for later reuse rather than discarding it by calling 
@@ -990,6 +1000,28 @@ is enabled\&. The default is \(lq\(rq\&. .RE .PP +opt\&.stats_interval (\fBint64_t\fR) r\- +.RS 4 +Average interval between statistics outputs, as measured in bytes of allocation activity\&. The actual interval may be sporadic because decentralized event counters are used to avoid synchronization bottlenecks\&. The output may be triggered on any thread, which then calls +malloc_stats_print()\&. +opt\&.stats_interval_opts +can be combined to specify output options\&. By default, interval\-triggered stats output is disabled (encoded as \-1)\&. +.RE +.PP +opt\&.stats_interval_opts (\fBconst char *\fR) r\- +.RS 4 +Options (the +\fIopts\fR +string) to pass to the +malloc_stats_print() +for interval based statistics printing (enabled through +opt\&.stats_interval)\&. See available options in +malloc_stats_print()\&. Has no effect unless +opt\&.stats_interval +is enabled\&. The default is +\(lq\(rq\&. +.RE +.PP opt\&.junk (\fBconst char *\fR) r\- [\fB\-\-enable\-fill\fR] .RS 4 Junk filling\&. If set to 
@@ -1046,13 +1078,13 @@ This option is disabled by default\&. opt\&.tcache (\fBbool\fR) r\- .RS 4 Thread\-specific caching (tcache) enabled/disabled\&. When there are multiple threads, each thread uses a tcache for objects up to a certain size\&. Thread\-specific caching allows many allocations to be satisfied without performing any thread synchronization, at the cost of increased memory use\&. See the -opt\&.lg_tcache_max +opt\&.tcache_max option for related tuning information\&. This option is enabled by default\&. .RE .PP -opt\&.lg_tcache_max (\fBsize_t\fR) r\- +opt\&.tcache_max (\fBsize_t\fR) r\- .RS 4 -Maximum size class (log base 2) to cache in the thread\-specific cache (tcache)\&. At a minimum, all small size classes are cached, and at a maximum all large size classes are cached\&. The default maximum is 32 KiB (2^15)\&. +Maximum size class to cache in the thread\-specific cache (tcache)\&. At a minimum, the first size class is cached; and at a maximum, size classes up to 8 MiB can be cached\&. The default maximum is 32 KiB (2^15)\&. As a convenience, this may also be set by specifying lg_tcache_max, which will be taken to be the base\-2 logarithm of the setting of tcache_max\&. .RE .PP opt\&.thp (\fBconst char *\fR) r\- @@ -1091,7 +1123,8 @@ for heap profile format documentation\&. opt\&.prof_prefix (\fBconst char *\fR) r\- [\fB\-\-enable\-prof\fR] .RS 4 Filename prefix for profile dumps\&. If the prefix is set to the empty string, no automatic dumps will occur; this is primarily useful for disabling the automatic final heap dump (which also disables leak reporting, if enabled)\&. The default prefix is -jeprof\&. +jeprof\&. This prefix value can be overridden by +prof\&.prefix\&. .RE .PP opt\&.prof_active (\fBbool\fR) r\- [\fB\-\-enable\-prof\fR] 
@@ -1129,7 +1162,9 @@ Average interval (log base 2) between memory profile dumps, as measured in bytes <prefix> is controlled by the opt\&.prof_prefix -option\&. By default, interval\-triggered profile dumping is disabled (encoded as \-1)\&. +and +prof\&.prefix +options\&. By default, interval\-triggered profile dumping is disabled (encoded as \-1)\&. .RE .PP opt\&.prof_gdump (\fBbool\fR) r\- [\fB\-\-enable\-prof\fR] @@ -1147,7 +1182,9 @@ function to dump final memory usage to a file named according to the pattern <prefix> is controlled by the opt\&.prof_prefix -option\&. Note that +and +prof\&.prefix +options\&. Note that atexit() may allocate memory during application initialization and then deadlock internally when jemalloc in turn calls atexit(), so this option is not universally usable (though the application can register its own 
@@ -1161,7 +1198,46 @@ Leak reporting enabled/disabled\&. If enabled, use an \fBatexit\fR(3) function to report memory leaks detected by allocation sampling\&. See the opt\&.prof -option for information on analyzing heap profile output\&. This option is disabled by default\&. +option for information on analyzing heap profile output\&. Works only when combined with +opt\&.prof_final, otherwise does nothing\&. This option is disabled by default\&. +.RE +.PP +opt\&.prof_leak_error (\fBbool\fR) r\- [\fB\-\-enable\-prof\fR] +.RS 4 +Similar to +opt\&.prof_leak, but makes the process exit with error code 1 if a memory leak is detected\&. This option supersedes +opt\&.prof_leak, meaning that if both are specified, this option takes precedence\&. When enabled, also enables +opt\&.prof_leak\&. Works only when combined with +opt\&.prof_final, otherwise does nothing\&. This option is disabled by default\&. +.RE +.PP +opt\&.zero_realloc (\fBconst char *\fR) r\- +.RS 4 +Determines the behavior of +realloc() +when passed a value of zero for the new size\&. +\(lqalloc\(rq +treats this as an allocation of size zero (and returns a non\-null result except in case of resource exhaustion)\&. +\(lqfree\(rq +treats this as a deallocation of the pointer, and returns +\fBNULL\fR +without setting +\fIerrno\fR\&. +\(lqabort\(rq +aborts the process if zero is passed\&. The default is +\(lqfree\(rq +on Linux and Windows, and +\(lqalloc\(rq +elsewhere\&. +.sp +There is considerable divergence of behaviors across implementations in handling this case\&. Many have the behavior of +\(lqfree\(rq\&. This can introduce security vulnerabilities, since a +\fBNULL\fR +return value indicates failure, and the continued validity of the passed\-in pointer (per POSIX and C11)\&. +\(lqalloc\(rq +is safe, but can cause leaks in programs that expect the common behavior\&. Programs intended to be portable and leak\-free cannot assume either behavior, and must therefore never call realloc with a size of 0\&. 
The +\(lqabort\(rq +option enables these testing this behavior\&. .RE .PP thread\&.arena (\fBunsigned\fR) rw @@ -1182,7 +1258,7 @@ Get a pointer to the the value that is returned by the thread\&.allocated mallctl\&. This is useful for avoiding the overhead of repeated mallctl*() -calls\&. +calls\&. Note that the underlying counter should not be modified by the application\&. .RE .PP thread\&.deallocated (\fBuint64_t\fR) r\- [\fB\-\-enable\-stats\fR] @@ -1196,7 +1272,23 @@ Get a pointer to the the value that is returned by the thread\&.deallocated mallctl\&. This is useful for avoiding the overhead of repeated mallctl*() -calls\&. +calls\&. Note that the underlying counter should not be modified by the application\&. +.RE +.PP +thread\&.peak\&.read (\fBuint64_t\fR) r\- [\fB\-\-enable\-stats\fR] +.RS 4 +Get an approximation of the maximum value of the difference between the number of bytes allocated and the number of bytes deallocated by the calling thread since the last call to +thread\&.peak\&.reset, or since the thread\*(Aqs creation if it has not called +thread\&.peak\&.reset\&. No guarantees are made about the quality of the approximation, but jemalloc currently endeavors to maintain accuracy to within one hundred kilobytes\&. +.RE +.PP +thread\&.peak\&.reset (\fBvoid\fR) \-\- [\fB\-\-enable\-stats\fR] +.RS 4 +Resets the counter for net bytes allocated in the calling thread to zero\&. This affects subsequent calls to +thread\&.peak\&.read, but not the values returned by +thread\&.allocated +or +thread\&.deallocated\&. .RE .PP thread\&.tcache\&.enabled (\fBbool\fR) rw 
@@ -1224,11 +1316,27 @@ Control whether sampling is currently active for the calling thread\&. This is a prof\&.active; both must be active for the calling thread to sample\&. This flag is enabled by default\&. .RE .PP +thread\&.idle (\fBvoid\fR) \-\- +.RS 4 +Hints to jemalloc that the calling thread will be idle for some nontrivial period of time (say, on the order of seconds), and that doing some cleanup operations may be beneficial\&. There are no guarantees as to what specific operations will be performed; currently this flushes the caller\*(Aqs tcache and may (according to some heuristic) purge its associated arena\&. +.sp +This is not intended to be a general\-purpose background activity mechanism, and threads should not wake up multiple times solely to call it\&. Rather, a thread waiting for a task should do a timed wait first, call +thread\&.idle +if no task appears in the timeout interval, and then do an untimed wait\&. For such a background activity mechanism, see +background_thread\&. +.RE +.PP tcache\&.create (\fBunsigned\fR) r\- .RS 4 Create an explicit thread\-specific cache (tcache) and return an identifier that can be passed to the \fBMALLOCX_TCACHE(\fR\fB\fItc\fR\fR\fB)\fR macro to explicitly use the specified cache rather than the automatically managed one that is used by default\&. Each explicit cache can be used by only one thread at a time; the application must assure that this constraint holds\&. +.sp +If the amount of space supplied for storing the thread\-specific cache identifier does not equal +sizeof(\fBunsigned\fR), no thread\-specific cache will be created, no data will be written to the space pointed by +\fIoldp\fR, and +\fI*oldlenp\fR +will be set to 0\&. .RE .PP tcache\&.flush (\fBunsigned\fR) \-w 
@@ -1634,6 +1742,12 @@ Maximum size supported by this large size class\&. arenas\&.create (\fBunsigned\fR, \fBextent_hooks_t *\fR) rw .RS 4 Explicitly create a new arena outside the range of automatically managed arenas, with optionally specified extent hooks, and return the new arena index\&. +.sp +If the amount of space supplied for storing the arena index does not equal +sizeof(\fBunsigned\fR), no arena will be created, no data will be written to the space pointed by +\fIoldp\fR, and +\fI*oldlenp\fR +will be set to 0\&. .RE .PP arenas\&.lookup (\fBunsigned\fR, \fBvoid*\fR) rw @@ -1666,7 +1780,16 @@ Dump a memory profile to the specified file, or if NULL is specified, to a file <prefix> is controlled by the opt\&.prof_prefix -option\&. +and +prof\&.prefix +options\&. +.RE +.PP +prof\&.prefix (\fBconst char *\fR) \-w [\fB\-\-enable\-prof\fR] +.RS 4 +Set the filename prefix for profile dumps\&. See +opt\&.prof_prefix +for the default setting\&. This can be useful to differentiate profile dumps such as from forked processes\&. .RE .PP prof\&.gdump (\fBbool\fR) rw [\fB\-\-enable\-prof\fR] @@ -1676,7 +1799,9 @@ When enabled, trigger a memory profile dump every time the total virtual memory <prefix> is controlled by the opt\&.prof_prefix -option\&. +and +prof\&.prefix +options\&. .RE .PP prof\&.reset (\fBsize_t\fR) \-w [\fB\-\-enable\-prof\fR] @@ -1752,6 +1877,18 @@ for details)\&. Retained memory is excluded from mapped memory statistics, e\&.g stats\&.mapped\&. .RE .PP +stats\&.zero_reallocs (\fBsize_t\fR) r\- [\fB\-\-enable\-stats\fR] +.RS 4 +Number of times that the +realloc() +was called with a non\-\fBNULL\fR +pointer argument and a +\fB0\fR +size argument\&. This is a fundamentally unsafe pattern in portable programs; see +opt\&.zero_realloc +for details\&. +.RE +.PP stats\&.background_thread\&.num_threads (\fBsize_t\fR) r\- [\fB\-\-enable\-stats\fR] .RS 4 Number of 
@@ -1825,6 +1962,26 @@ is one of the counters in mutex profiling counters\&. .RE .PP +stats\&.mutexes\&.prof_thds_data\&.{counter} (\fBcounter specific type\fR) r\- [\fB\-\-enable\-stats\fR] +.RS 4 +Statistics on +\fIprof\fR +threads data mutex (global scope; profiling related)\&. +{counter} +is one of the counters in +mutex profiling counters\&. +.RE +.PP +stats\&.mutexes\&.prof_dump\&.{counter} (\fBcounter specific type\fR) r\- [\fB\-\-enable\-stats\fR] +.RS 4 +Statistics on +\fIprof\fR +dumping mutex (global scope; profiling related)\&. +{counter} +is one of the counters in +mutex profiling counters\&. +.RE +.PP stats\&.mutexes\&.reset (\fBvoid\fR) \-\- [\fB\-\-enable\-stats\fR] .RS 4 Reset all mutex profile statistics, including global mutexes, arena mutexes and bin mutexes\&. @@ -2242,7 +2399,7 @@ heap_v2/524288 [\&.\&.\&.] @ 0x5f86da8 0x5f5a1dc [\&.\&.\&.] 0x29e4d4e 0xa200316 0xabb2988 [\&.\&.\&.] t*: 13: 6688 [0: 0] - t3: 12: 6496 [0: ] + t3: 12: 6496 [0: 0] t99: 1: 192 [0: 0] [\&.\&.\&.] @@ -2264,9 +2421,9 @@ to indicate descriptions of the corresponding fields\&. <heap_profile_format_version>/<mean_sample_interval> <aggregate>: <curobjs>: <curbytes> [<cumobjs>: <cumbytes>] [\&.\&.\&.] - <thread_3_aggregate>: <curobjs>: <curbytes>[<cumobjs>: <cumbytes>] + <thread_3_aggregate>: <curobjs>: <curbytes> [<cumobjs>: <cumbytes>] [\&.\&.\&.] - <thread_99_aggregate>: <curobjs>: <curbytes>[<cumobjs>: <cumbytes>] + <thread_99_aggregate>: <curobjs>: <curbytes> [<cumobjs>: <cumbytes>] [\&.\&.\&.] @ <top_frame> <frame> [\&.\&.\&.] <frame> <frame> <frame> [\&.\&.\&.] <backtrace_aggregate>: <curobjs>: <curbytes> [<cumobjs>: <cumbytes>] 
@@ -2432,7 +2589,8 @@ is not \fInewlen\fR is too large or too small\&. Alternatively, \fI*oldlenp\fR -is too large or too small; in this case as much data as possible are read despite the error\&. +is too large or too small; when it happens, except for a very few cases explicitly documented otherwise, as much data as possible are read despite the error, with the amount of data read being recorded in +\fI*oldlenp\fR\&. .RE .PP ENOENT diff --git a/lib/libc/stdlib/strfmon.c b/lib/libc/stdlib/strfmon.c index 68a36a6d5567..230d194233f5 100644 --- a/lib/libc/stdlib/strfmon.c +++ b/lib/libc/stdlib/strfmon.c @@ -106,7 +106,7 @@ vstrfmon_l(char *__restrict s, size_t maxsize, locale_t loc, const char *__restrict format, va_list ap) { char *dst; /* output destination pointer */ - const char *fmt; /* current format poistion pointer */ + const char *fmt; /* current format position pointer */ struct lconv *lc; /* pointer to lconv structure */ char *asciivalue; /* formatted double pointer */ diff --git a/lib/libefivar/FreeBSD-update b/lib/libefivar/FreeBSD-update index 52d0db4021ef..53b8f0dfff1a 100644 --- a/lib/libefivar/FreeBSD-update +++ b/lib/libefivar/FreeBSD-update @@ -8,7 +8,7 @@ These files are first mechnaically processed with sed -e "s/L'/'/g;"'s/L"/"/g;s/%g/%36s/g;s/%a/%s/g;s/^VOID/static VOID/g;s/ *$//g' -for several reasons. We're moving from wide rotuines to narrow routines. The +for several reasons. We're moving from wide routines to narrow routines. The UTC-2 this code is written for is a bad match for wchar_t which is an int. It's a much better match for plain narrow characters on FreeBSD. So we pretend that CHAR16 for these files is really char * (ASCII). diff --git a/lib/libefivar/efivar-dp-parse.c b/lib/libefivar/efivar-dp-parse.c index c594e94580da..f2eb46a54509 100644 --- a/lib/libefivar/efivar-dp-parse.c +++ b/lib/libefivar/efivar-dp-parse.c 
@@ -313,7 +313,6 @@ GetNextDeviceNodeStr ( return ReturnStr; } - #ifndef __FreeBSD__ /** Return whether the integer string is a hex string. diff --git a/lib/libefivar/efivar-dp-xlate.c b/lib/libefivar/efivar-dp-xlate.c index 78d82ba4bce0..2012842b6f80 100644 --- a/lib/libefivar/efivar-dp-xlate.c +++ b/lib/libefivar/efivar-dp-xlate.c @@ -221,7 +221,7 @@ efi_hd_to_unix(struct gmesh *mesh, const_efidp dp, char **dev, char **relpath, c provider = pp; for (i = 0; i < n; i++) { /* - * Skip all pseudo filesystems. This also skips the real filesytsem + * Skip all pseudo filesystems. This also skips the real filesystem * of ZFS. There's no EFI designator for ZFS in the standard, so * we'll need to invent one, but its decoding will be handled in * a separate function. @@ -328,7 +328,7 @@ errout: * * Extract the path from the File path node(s). translate any \ file separators * to /. Append the result to the mount point. Copy the resulting path into - * *path. Stat that path. If it is not found, return the errorr from stat. + * *path. Stat that path. If it is not found, return the error from stat. * * Finally, check to make sure the resulting path is still on the same * device. If not, return ENODEV. @@ -433,7 +433,7 @@ efivar_device_path_to_unix_path(const_efidp dp, char **dev, char **relpath, char * For paths of the first form: * find where the filesystem is mount (either the file directly, or * its parent directory). - * translate any logical device name (eg lable) to a physical one + * translate any logical device name (eg label) to a physical one * If not possible, return ENXIO * If the physical path is unsupported (Eg not on a GPT or MBR disk), * return ENXIO 
@@ -442,7 +442,7 @@ efivar_device_path_to_unix_path(const_efidp dp, char **dev, char **relpath, char * as a file path. * * For paths matching the second form: - * find the EFI partition corresponding to the root fileystem. + * find the EFI partition corresponding to the root filesystem. * If none found, return ENXIO * Create a media device path node for the found partition * Append a File Path to the end for the rest of the file. @@ -553,7 +553,7 @@ find_geom_efimedia(struct gmesh *mesh, const char *dev) efimedia = geom_pp_attr(mesh, pp, "efimedia"); /* - * If this device doesn't hav an efimedia attribute, see if it is a + * If this device doesn't have an efimedia attribute, see if it is a * glabel node, and if so look for the underlying provider to get the * efimedia attribute from. */ diff --git a/lib/libefivar/efivar.h b/lib/libefivar/efivar.h index e159f4cccd3d..238b23a8b2b8 100644 --- a/lib/libefivar/efivar.h +++ b/lib/libefivar/efivar.h @@ -31,7 +31,7 @@ #include <sys/endian.h> #include <stdint.h> -/* Shoud these be elsewhere ? */ +/* Should these be elsewhere ? */ #define EFI_VARIABLE_NON_VOLATILE 0x00000001 #define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x00000002 #define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004 diff --git a/lib/libefivar/uefi-dplib.h b/lib/libefivar/uefi-dplib.h index 4787088dac19..c048a280a08e 100644 --- a/lib/libefivar/uefi-dplib.h +++ b/lib/libefivar/uefi-dplib.h @@ -175,8 +175,7 @@ typedef struct { #pragma pack() -#ifdef FreeBSD /* Remove these on FreeBSD */ - +#ifndef __FreeBSD__ /* Remove these on FreeBSD */ /** Returns the size of a device path in bytes. diff --git a/lib/libefivar/uefi-dputil.c b/lib/libefivar/uefi-dputil.c index c31da14eed2d..da87bffb7bd5 100644 --- a/lib/libefivar/uefi-dputil.c +++ b/lib/libefivar/uefi-dputil.c 
@@ -35,11 +35,9 @@ #include <sys/endian.h> #include "uefi-dplib.h" -/* XXX maybe I should include the entire DevicePathUtiltiies.c and ifdef out what we don't use */ - /* * Taken from MdePkg/Library/UefiDevicePathLib/DevicePathUtilities.c - * hash a11928f3310518ab1c6fd34e8d0fdbb72de9602c 2017-Mar-01 + * hash 2f88bd3a1296c522317f1c21377876de63de5be7 2021-Dec-07 */ /** @file @@ -52,17 +50,13 @@ environment varibles. Multi-instance device paths should never be placed on a Handle. - Copyright (c) 2006 - 2016, Intel Corporation. All rights reserved.<BR> - This program and the accompanying materials - are licensed and made available under the terms and conditions of the BSD License - which accompanies this distribution. The full text of the license may be found at - http://opensource.org/licenses/bsd-license.php. - - THE PROGRAM IS DISTRIBUTED UNDER THE BSD LICENSE ON AN "AS IS" BASIS, - WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED. + Copyright (c) 2006 - 2018, Intel Corporation. All rights reserved.<BR> + SPDX-License-Identifier: BSD-2-Clause-Patent **/ +// #include "UefiDevicePathLib.h" + // // Template for an end-of-device path node. // 
@@ -75,59 +69,16 @@ static CONST EFI_DEVICE_PATH_PROTOCOL mUefiDevicePathLibEndDevicePath = { } }; - -/** - Returns the size of a device path in bytes. - - This function returns the size, in bytes, of the device path data structure - specified by DevicePath including the end of device path node. - If DevicePath is NULL or invalid, then 0 is returned. - - @param DevicePath A pointer to a device path data structure. - - @retval 0 If DevicePath is NULL or invalid. - @retval Others The size of a device path in bytes. - -**/ -UINTN -EFIAPI -GetDevicePathSize ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath - ) -{ - CONST EFI_DEVICE_PATH_PROTOCOL *Start; - - if (DevicePath == NULL) { - return 0; - } - - if (!IsDevicePathValid (DevicePath, 0)) { - return 0; - } - - // - // Search for the end of the device path structure - // - Start = DevicePath; - while (!IsDevicePathEnd (DevicePath)) { - DevicePath = NextDevicePathNode (DevicePath); - } - - // - // Compute the size and add back in the size of the end device path structure - // - return ((UINTN) DevicePath - (UINTN) Start) + DevicePathNodeLength (DevicePath); -} - /** Determine whether a given device path is valid. - If DevicePath is NULL, then ASSERT(). @param DevicePath A pointer to a device path data structure. @param MaxSize The maximum size of the device path data structure. @retval TRUE DevicePath is valid. - @retval FALSE The length of any node in the DevicePath is less + @retval FALSE DevicePath is NULL. + @retval FALSE Maxsize is less than sizeof(EFI_DEVICE_PATH_PROTOCOL). + @retval FALSE The length of any node Node in the DevicePath is less than sizeof (EFI_DEVICE_PATH_PROTOCOL). @retval FALSE If MaxSize is not zero, the size of the DevicePath exceeds MaxSize. 
@@ -137,27 +88,25 @@ GetDevicePathSize ( BOOLEAN EFIAPI IsDevicePathValid ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, - IN UINTN MaxSize + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, + IN UINTN MaxSize ) { - UINTN Count; - UINTN Size; - UINTN NodeLength; - - ASSERT (DevicePath != NULL); - - if (MaxSize == 0) { - MaxSize = MAX_UINTN; - } + UINTN Count; + UINTN Size; + UINTN NodeLength; // - // Validate the input size big enough to touch the first node. + // Validate the input whether exists and its size big enough to touch the first node // - if (MaxSize < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { + if ((DevicePath == NULL) || ((MaxSize > 0) && (MaxSize < END_DEVICE_PATH_LENGTH))) { return FALSE; } + if (MaxSize == 0) { + MaxSize = MAX_UINTN; + } + for (Count = 0, Size = 0; !IsDevicePathEnd (DevicePath); DevicePath = NextDevicePathNode (DevicePath)) { NodeLength = DevicePathNodeLength (DevicePath); if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { @@ -167,6 +116,7 @@ IsDevicePathValid ( if (NodeLength > MAX_UINTN - Size) { return FALSE; } + Size += NodeLength; // @@ -182,12 +132,22 @@ IsDevicePathValid ( return FALSE; } } + + // + // FilePath must be a NULL-terminated string. + // + if ((DevicePathType (DevicePath) == MEDIA_DEVICE_PATH) && + (DevicePathSubType (DevicePath) == MEDIA_FILEPATH_DP) && + (*(const CHAR16 *)((const UINT8 *) DevicePath + NodeLength - 2) != 0)) + { + return FALSE; + } } // // Only return TRUE when the End Device Path node is valid. // - return (BOOLEAN) (DevicePathNodeLength (DevicePath) == END_DEVICE_PATH_LENGTH); + return (BOOLEAN)(DevicePathNodeLength (DevicePath) == END_DEVICE_PATH_LENGTH); } /** @@ -212,7 +172,6 @@ DevicePathType ( return ((const EFI_DEVICE_PATH_PROTOCOL *)(Node))->Type; } - /** Returns the SubType field of a device path node. 
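Review bot: `MaxSize == 0` is still mapped to `MAX_UINTN` after the new NULL/size guard, so with 0 the size check in the loop no longer limits the walk to the caller's buffer. The header comment's new `@retval FALSE Maxsize is less than sizeof(EFI_DEVICE_PATH_PROTOCOL)` line does not say that 0 is accepted and means "no limit". I would record that next to the assignment, e.g. `// MaxSize == 0 disables the size bound; pass the buffer length when the path comes from untrusted data.` The callers visible in this diff (GetDevicePathSize and the instance helpers) all pass 0. The body of IsDevicePathValid continues in the following hunks.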
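Review bot: The new FilePath terminator check dereferences `(const CHAR16 *)((const UINT8 *) DevicePath + NodeLength - 2)`, a 16-bit load from an address that need not be 2-byte aligned. Comments elsewhere in this file state that a node is not required to be aligned on a 16-bit boundary, and DevicePathNodeLength reads `Length[0]` and `Length[1]` separately, apparently for the same reason. Comparing the two bytes avoids the misaligned access: `(((const UINT8 *)DevicePath)[NodeLength - 2] != 0 || ((const UINT8 *)DevicePath)[NodeLength - 1] != 0)`. IsDevicePathValid begins before this hunk.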
@@ -257,6 +216,7 @@ DevicePathNodeLength ( ) { ASSERT (Node != NULL); +// return ReadUnaligned16 ((UINT16 *)&((EFI_DEVICE_PATH_PROTOCOL *)(Node))->Length[0]); return ((const EFI_DEVICE_PATH_PROTOCOL *)Node)->Length[0] | (((const EFI_DEVICE_PATH_PROTOCOL *)Node)->Length[1] << 8); } @@ -282,7 +242,7 @@ NextDevicePathNode ( ) { ASSERT (Node != NULL); - return ((EFI_DEVICE_PATH_PROTOCOL *)(__DECONST(UINT8 *, Node) + DevicePathNodeLength(Node))); + return (EFI_DEVICE_PATH_PROTOCOL *)(__DECONST(UINT8 *, Node) + DevicePathNodeLength (Node)); } /** @@ -312,7 +272,7 @@ IsDevicePathEndType ( ) { ASSERT (Node != NULL); - return (BOOLEAN) (DevicePathType (Node) == END_DEVICE_PATH_TYPE); + return (BOOLEAN)(DevicePathType (Node) == END_DEVICE_PATH_TYPE); } /** 
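Review bot: The line added to DevicePathNodeLength, `// return ReadUnaligned16 (...)`, is commented-out code with no explanation of why the byte-wise expression below replaces it. A why-comment would serve the next vendor import better, for example `// Upstream uses ReadUnaligned16(); read Length byte-wise here because nodes may be unaligned.` The stated reason is inferred from the expression that follows and should be confirmed.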
@@ -339,34 +299,37 @@ IsDevicePathEnd ( ) { ASSERT (Node != NULL); - return (BOOLEAN) (IsDevicePathEndType (Node) && DevicePathSubType(Node) == END_ENTIRE_DEVICE_PATH_SUBTYPE); + return (BOOLEAN)(IsDevicePathEndType (Node) && DevicePathSubType (Node) == END_ENTIRE_DEVICE_PATH_SUBTYPE); } +#ifndef __FreeBSD__ /** - Fills in all the fields of a device path node that is the end of an entire device path. + Determines if a device path node is an end node of a device path instance. - Fills in all the fields of a device path node specified by Node so Node represents - the end of an entire device path. The Type field of Node is set to - END_DEVICE_PATH_TYPE, the SubType field of Node is set to - END_ENTIRE_DEVICE_PATH_SUBTYPE, and the Length field of Node is set to - END_DEVICE_PATH_LENGTH. Node is not required to be aligned on a 16-bit boundary, - so it is recommended that a function such as WriteUnaligned16() be used to set - the contents of the Length field. + Determines if a device path node specified by Node is an end node of a device + path instance. If Node represents the end of a device path instance, then TRUE + is returned. Otherwise, FALSE is returned. If Node is NULL, then ASSERT(). @param Node A pointer to a device path node data structure. + @retval TRUE The device path node specified by Node is the end of a device + path instance. + @retval FALSE The device path node specified by Node is not the end of a + device path instance. + **/ -VOID +BOOLEAN EFIAPI -SetDevicePathEndNode ( - OUT VOID *Node +IsDevicePathEndInstance ( + IN CONST VOID *Node ) { ASSERT (Node != NULL); - memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath)); + return (BOOLEAN)(IsDevicePathEndType (Node) && DevicePathSubType (Node) == END_INSTANCE_DEVICE_PATH_SUBTYPE); } +#endif /** Sets the length, in bytes, of a device path node. 
@@ -401,49 +364,72 @@ SetDevicePathNodeLength ( } /** - Creates a device node. + Fills in all the fields of a device path node that is the end of an entire device path. - This function creates a new device node in a newly allocated buffer of size - NodeLength and initializes the device path node header with NodeType and NodeSubType. - The new device path node is returned. - If NodeLength is smaller than a device path header, then NULL is returned. - If there is not enough memory to allocate space for the new device path, then - NULL is returned. - The memory is allocated from EFI boot services memory. It is the responsibility - of the caller to free the memory allocated. + Fills in all the fields of a device path node specified by Node so Node represents + the end of an entire device path. The Type field of Node is set to + END_DEVICE_PATH_TYPE, the SubType field of Node is set to + END_ENTIRE_DEVICE_PATH_SUBTYPE, and the Length field of Node is set to + END_DEVICE_PATH_LENGTH. Node is not required to be aligned on a 16-bit boundary, + so it is recommended that a function such as WriteUnaligned16() be used to set + the contents of the Length field. - @param NodeType The device node type for the new device node. - @param NodeSubType The device node sub-type for the new device node. - @param NodeLength The length of the new device node. + If Node is NULL, then ASSERT(). - @return The new device path. + @param Node A pointer to a device path node data structure. **/ -EFI_DEVICE_PATH_PROTOCOL * +VOID EFIAPI -CreateDeviceNode ( - IN UINT8 NodeType, - IN UINT8 NodeSubType, - IN UINT16 NodeLength +SetDevicePathEndNode ( + OUT VOID *Node ) { - EFI_DEVICE_PATH_PROTOCOL *DevicePath; + ASSERT (Node != NULL); + memcpy (Node, &mUefiDevicePathLibEndDevicePath, sizeof (mUefiDevicePathLibEndDevicePath)); +} - if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { - // - // NodeLength is less than the size of the header. 
- // - return NULL; +/** + Returns the size of a device path in bytes. + + This function returns the size, in bytes, of the device path data structure + specified by DevicePath including the end of device path node. + If DevicePath is NULL or invalid, then 0 is returned. + + @param DevicePath A pointer to a device path data structure. + + @retval 0 If DevicePath is NULL or invalid. + @retval Others The size of a device path in bytes. + +**/ +UINTN +EFIAPI +GetDevicePathSize ( + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath + ) +{ + CONST EFI_DEVICE_PATH_PROTOCOL *Start; + + if (DevicePath == NULL) { + return 0; } - DevicePath = AllocateZeroPool (NodeLength); - if (DevicePath != NULL) { - DevicePath->Type = NodeType; - DevicePath->SubType = NodeSubType; - SetDevicePathNodeLength (DevicePath, NodeLength); + if (!IsDevicePathValid (DevicePath, 0)) { + return 0; } - return DevicePath; + // + // Search for the end of the device path structure + // + Start = DevicePath; + while (!IsDevicePathEnd (DevicePath)) { + DevicePath = NextDevicePathNode (DevicePath); + } + + // + // Compute the size and add back in the size of the end device path structure + // + return ((UINTN)DevicePath - (UINTN)Start) + DevicePathNodeLength (DevicePath); } /** @@ -468,7 +454,7 @@ DuplicateDevicePath ( IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath ) { - UINTN Size; + UINTN Size; // // Compute the size @@ -512,7 +498,7 @@ DuplicateDevicePath ( EFI_DEVICE_PATH_PROTOCOL * EFIAPI AppendDevicePath ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *FirstDevicePath, OPTIONAL + IN CONST EFI_DEVICE_PATH_PROTOCOL *FirstDevicePath OPTIONAL, IN CONST EFI_DEVICE_PATH_PROTOCOL *SecondDevicePath OPTIONAL ) { 
@@ -541,9 +527,9 @@ AppendDevicePath ( // Allocate space for the combined device path. It only has one end node of // length EFI_DEVICE_PATH_PROTOCOL. // - Size1 = GetDevicePathSize (FirstDevicePath); - Size2 = GetDevicePathSize (SecondDevicePath); - Size = Size1 + Size2 - END_DEVICE_PATH_LENGTH; + Size1 = GetDevicePathSize (FirstDevicePath); + Size2 = GetDevicePathSize (SecondDevicePath); + Size = Size1 + Size2 - END_DEVICE_PATH_LENGTH; NewDevicePath = AllocatePool (Size); @@ -552,8 +538,8 @@ AppendDevicePath ( // // Over write FirstDevicePath EndNode and do the copy // - DevicePath2 = (EFI_DEVICE_PATH_PROTOCOL *) ((CHAR8 *) NewDevicePath + - (Size1 - END_DEVICE_PATH_LENGTH)); + DevicePath2 = (EFI_DEVICE_PATH_PROTOCOL *)((CHAR8 *)NewDevicePath + + (Size1 - END_DEVICE_PATH_LENGTH)); CopyMem (DevicePath2, SecondDevicePath, Size2); } @@ -591,7 +577,7 @@ AppendDevicePath ( EFI_DEVICE_PATH_PROTOCOL * EFIAPI AppendDevicePathNode ( - IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath, OPTIONAL + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath OPTIONAL, IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePathNode OPTIONAL ) { @@ -603,6 +589,7 @@ AppendDevicePathNode ( if (DevicePathNode == NULL) { return DuplicateDevicePath ((DevicePath != NULL) ? DevicePath : &mUefiDevicePathLibEndDevicePath); } + // // Build a Node that has a terminator on it // @@ -612,6 +599,7 @@ AppendDevicePathNode ( if (TempDevicePath == NULL) { return NULL; } + TempDevicePath = CopyMem (TempDevicePath, DevicePathNode, NodeLength); // // Add and end device path node to convert Node to device path 
@@ -627,3 +615,302 @@ AppendDevicePathNode ( return NewDevicePath; } + +#ifndef __FreeBSD__ +/** + Creates a new device path by appending the specified device path instance to the specified device + path. + + This function creates a new device path by appending a copy of the device path + instance specified by DevicePathInstance to a copy of the device path specified + by DevicePath in a allocated buffer. + The end-of-device-path device node is moved after the end of the appended device + path instance and a new end-of-device-path-instance node is inserted between. + If DevicePath is NULL, then a copy if DevicePathInstance is returned. + If DevicePathInstance is NULL, then NULL is returned. + If DevicePath or DevicePathInstance is invalid, then NULL is returned. + If there is not enough memory to allocate space for the new device path, then + NULL is returned. + The memory is allocated from EFI boot services memory. It is the responsibility + of the caller to free the memory allocated. + + @param DevicePath A pointer to a device path data structure. + @param DevicePathInstance A pointer to a device path instance. + + @return A pointer to the new device path. 
+ +**/ +EFI_DEVICE_PATH_PROTOCOL * +EFIAPI +UefiDevicePathLibAppendDevicePathInstance ( + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath OPTIONAL, + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePathInstance OPTIONAL + ) +{ + EFI_DEVICE_PATH_PROTOCOL *NewDevicePath; + EFI_DEVICE_PATH_PROTOCOL *TempDevicePath; + UINTN SrcSize; + UINTN InstanceSize; + + if (DevicePath == NULL) { + return DuplicateDevicePath (DevicePathInstance); + } + + if (DevicePathInstance == NULL) { + return NULL; + } + + if (!IsDevicePathValid (DevicePath, 0) || !IsDevicePathValid (DevicePathInstance, 0)) { + return NULL; + } + + SrcSize = GetDevicePathSize (DevicePath); + InstanceSize = GetDevicePathSize (DevicePathInstance); + + NewDevicePath = AllocatePool (SrcSize + InstanceSize); + if (NewDevicePath != NULL) { + TempDevicePath = CopyMem (NewDevicePath, DevicePath, SrcSize); + + while (!IsDevicePathEnd (TempDevicePath)) { + TempDevicePath = NextDevicePathNode (TempDevicePath); + } + + TempDevicePath->SubType = END_INSTANCE_DEVICE_PATH_SUBTYPE; + TempDevicePath = NextDevicePathNode (TempDevicePath); + CopyMem (TempDevicePath, DevicePathInstance, InstanceSize); + } + + return NewDevicePath; +} + +/** + Creates a copy of the current device path instance and returns a pointer to the next device path + instance. + + This function creates a copy of the current device path instance. It also updates + DevicePath to point to the next device path instance in the device path (or NULL + if no more) and updates Size to hold the size of the device path instance copy. + If DevicePath is NULL, then NULL is returned. + If DevicePath points to a invalid device path, then NULL is returned. + If there is not enough memory to allocate space for the new device path, then + NULL is returned. + The memory is allocated from EFI boot services memory. It is the responsibility + of the caller to free the memory allocated. + If Size is NULL, then ASSERT(). 
+ + @param DevicePath On input, this holds the pointer to the current + device path instance. On output, this holds + the pointer to the next device path instance + or NULL if there are no more device path + instances in the device path pointer to a + device path data structure. + @param Size On output, this holds the size of the device + path instance, in bytes or zero, if DevicePath + is NULL. + + @return A pointer to the current device path instance. + +**/ +EFI_DEVICE_PATH_PROTOCOL * +EFIAPI +UefiDevicePathLibGetNextDevicePathInstance ( + IN OUT EFI_DEVICE_PATH_PROTOCOL **DevicePath, + OUT UINTN *Size + ) +{ + EFI_DEVICE_PATH_PROTOCOL *DevPath; + EFI_DEVICE_PATH_PROTOCOL *ReturnValue; + UINT8 Temp; + + ASSERT (Size != NULL); + + if ((DevicePath == NULL) || (*DevicePath == NULL)) { + *Size = 0; + return NULL; + } + + if (!IsDevicePathValid (*DevicePath, 0)) { + return NULL; + } + + // + // Find the end of the device path instance + // + DevPath = *DevicePath; + while (!IsDevicePathEndType (DevPath)) { + DevPath = NextDevicePathNode (DevPath); + } + + // + // Compute the size of the device path instance + // + *Size = ((UINTN)DevPath - (UINTN)(*DevicePath)) + sizeof (EFI_DEVICE_PATH_PROTOCOL); + + // + // Make a copy and return the device path instance + // + Temp = DevPath->SubType; + DevPath->SubType = END_ENTIRE_DEVICE_PATH_SUBTYPE; + ReturnValue = DuplicateDevicePath (*DevicePath); + DevPath->SubType = Temp; + + // + // If DevPath is the end of an entire device path, then another instance + // does not follow, so *DevicePath is set to NULL. + // + if (DevicePathSubType (DevPath) == END_ENTIRE_DEVICE_PATH_SUBTYPE) { + *DevicePath = NULL; + } else { + *DevicePath = NextDevicePathNode (DevPath); + } + + return ReturnValue; +} +#endif + +/** + Creates a device node. + + This function creates a new device node in a newly allocated buffer of size + NodeLength and initializes the device path node header with NodeType and NodeSubType. 
+ The new device path node is returned. + If NodeLength is smaller than a device path header, then NULL is returned. + If there is not enough memory to allocate space for the new device path, then + NULL is returned. + The memory is allocated from EFI boot services memory. It is the responsibility + of the caller to free the memory allocated. + + @param NodeType The device node type for the new device node. + @param NodeSubType The device node sub-type for the new device node. + @param NodeLength The length of the new device node. + + @return The new device path. + +**/ +EFI_DEVICE_PATH_PROTOCOL * +EFIAPI +CreateDeviceNode ( + IN UINT8 NodeType, + IN UINT8 NodeSubType, + IN UINT16 NodeLength + ) +{ + EFI_DEVICE_PATH_PROTOCOL *DevicePath; + + if (NodeLength < sizeof (EFI_DEVICE_PATH_PROTOCOL)) { + // + // NodeLength is less than the size of the header. + // + return NULL; + } + + DevicePath = AllocateZeroPool (NodeLength); + if (DevicePath != NULL) { + DevicePath->Type = NodeType; + DevicePath->SubType = NodeSubType; + SetDevicePathNodeLength (DevicePath, NodeLength); + } + + return DevicePath; +} + +#ifndef __FreeBSD__ +/** + Determines if a device path is single or multi-instance. + + This function returns TRUE if the device path specified by DevicePath is + multi-instance. + Otherwise, FALSE is returned. + If DevicePath is NULL or invalid, then FALSE is returned. + + @param DevicePath A pointer to a device path data structure. + + @retval TRUE DevicePath is multi-instance. + @retval FALSE DevicePath is not multi-instance, or DevicePath + is NULL or invalid. 
+ +**/ +BOOLEAN +EFIAPI +UefiDevicePathLibIsDevicePathMultiInstance ( + IN CONST EFI_DEVICE_PATH_PROTOCOL *DevicePath + ) +{ + CONST EFI_DEVICE_PATH_PROTOCOL *Node; + + if (DevicePath == NULL) { + return FALSE; + } + + if (!IsDevicePathValid (DevicePath, 0)) { + return FALSE; + } + + Node = DevicePath; + while (!IsDevicePathEnd (Node)) { + if (IsDevicePathEndInstance (Node)) { + return TRUE; + } + + Node = NextDevicePathNode (Node); + } + + return FALSE; +} + +/** + Allocates a device path for a file and appends it to an existing device path. + + If Device is a valid device handle that contains a device path protocol, then a device path for + the file specified by FileName is allocated and appended to the device path associated with the + handle Device. The allocated device path is returned. If Device is NULL or Device is a handle + that does not support the device path protocol, then a device path containing a single device + path node for the file specified by FileName is allocated and returned. + The memory for the new device path is allocated from EFI boot services memory. It is the responsibility + of the caller to free the memory allocated. + + If FileName is NULL, then ASSERT(). + If FileName is not aligned on a 16-bit boundary, then ASSERT(). + + @param Device A pointer to a device handle. This parameter + is optional and may be NULL. + @param FileName A pointer to a Null-terminated Unicode string. + + @return The allocated device path. 
+ +**/ +EFI_DEVICE_PATH_PROTOCOL * +EFIAPI +FileDevicePath ( + IN EFI_HANDLE Device OPTIONAL, + IN CONST CHAR16 *FileName + ) +{ + UINTN Size; + FILEPATH_DEVICE_PATH *FilePath; + EFI_DEVICE_PATH_PROTOCOL *DevicePath; + EFI_DEVICE_PATH_PROTOCOL *FileDevicePath; + + DevicePath = NULL; + + Size = StrSize (FileName); + FileDevicePath = AllocatePool (Size + SIZE_OF_FILEPATH_DEVICE_PATH + END_DEVICE_PATH_LENGTH); + if (FileDevicePath != NULL) { + FilePath = (FILEPATH_DEVICE_PATH *)FileDevicePath; + FilePath->Header.Type = MEDIA_DEVICE_PATH; + FilePath->Header.SubType = MEDIA_FILEPATH_DP; + CopyMem (&FilePath->PathName, FileName, Size); + SetDevicePathNodeLength (&FilePath->Header, Size + SIZE_OF_FILEPATH_DEVICE_PATH); + SetDevicePathEndNode (NextDevicePathNode (&FilePath->Header)); + + if (Device != NULL) { + DevicePath = DevicePathFromHandle (Device); + } + + DevicePath = AppendDevicePath (DevicePath, FileDevicePath); + FreePool (FileDevicePath); + } + + return DevicePath; +} +#endif diff --git a/lib/libgcc_s/Makefile b/lib/libgcc_s/Makefile index 992fc930ee9f..7e3911043843 100644 --- a/lib/libgcc_s/Makefile +++ b/lib/libgcc_s/Makefile @@ -11,7 +11,9 @@ MK_SSP= no WARNS?= 2 LDFLAGS+= -nodefaultlibs +LDFLAGS+= -Wl,-Bsymbolic LIBADD+= c +LIBADD+= compiler_rt VERSION_DEF= ${.CURDIR}/Versions.def SYMBOL_MAPS= ${.CURDIR}/Symbol.map diff --git a/lib/libpam/modules/pam_krb5/Makefile b/lib/libpam/modules/pam_krb5/Makefile index 0c933f8f7e57..d55f2d0b5971 100644 --- a/lib/libpam/modules/pam_krb5/Makefile +++ b/lib/libpam/modules/pam_krb5/Makefile @@ -30,6 +30,7 @@ SRCDIR= ${SRCTOP}/contrib/pam-krb5 .PATH: ${SRCDIR}/module \ ${SRCDIR}/portable \ ${SRCDIR}/pam-util \ + ${SRCDIR}/docs \ ${SRCDIR} PACKAGE= kerberos @@ -57,8 +58,8 @@ SRCS= account.c \ support.c \ vector.c -MANNODEV= pam-krb5.8 -MANNODEVLINKS= pam-krb5.8 pam_krb5.8 +MANNODEV= pam_krb5.8 +MANSRC.pam_krb5.8=pam-krb5.8 CFLAGS= -I${SRCDIR} \ -I${.CURDIR} \ 
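Review bot: In UefiDevicePathLibGetNextDevicePathInstance the `!IsDevicePathValid (*DevicePath, 0)` branch returns NULL without writing `*Size`, while the NULL-input branch just above sets `*Size = 0` first. A caller that reads Size after a NULL return gets an indeterminate value on the invalid-path case; adding `*Size = 0;` before that `return NULL;` makes both failure paths agree. Separately, FileDevicePath passes `Size + SIZE_OF_FILEPATH_DEVICE_PATH` to SetDevicePathNodeLength without checking that it fits the node's two-byte Length field; whether SetDevicePathNodeLength rejects an oversized value is not visible in this hunk. Both functions sit inside `#ifndef __FreeBSD__`.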
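Review bot: `LDFLAGS+= -Wl,-Bsymbolic` and `LIBADD+= compiler_rt` are added to lib/libgcc_s/Makefile with no comment saying why the library now needs symbolic binding. -Bsymbolic makes the shared object resolve its own global symbol references internally, so those symbols can no longer be interposed by another object. A one-line `#` comment above the flag stating the reason (presumably tied to linking compiler_rt, to be confirmed) would keep the flag from being dropped or copied without understanding.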
@@ -74,6 +75,13 @@ pam-util_options.c: .PHONY module_options.c: .PHONY cp ${SRCDIR}/module/options.c module_options.c + +.ifdef VENDOR_IMPORT +# Regenerate the manual page from the pod source after vendor import +pam-krb5.8: pam_krb5.pod + sed -e 's/pam(7)/pam.conf(5)/' <${.ALLSRC} | \ + pod2mdoc -n pam_krb5 -s 8 >${.CURDIR}/${.TARGET} +.endif .else PACKAGE= kerberos diff --git a/lib/libpam/modules/pam_krb5/pam-krb5.8 b/lib/libpam/modules/pam_krb5/pam-krb5.8 index 3413748c7850..ad4fa5c422c4 100644 --- a/lib/libpam/modules/pam_krb5/pam-krb5.8 +++ b/lib/libpam/modules/pam_krb5/pam-krb5.8 
@@ -1,1025 +1,1356 @@ -.\" -*- mode: troff; coding: utf-8 -*- -.\" Automatically generated by Pod::Man 5.0102 (Pod::Simple 3.45) -.\" -.\" Standard preamble: -.\" ======================================================================== -.de Sp \" Vertical space (when we can't use .PP) -.if t .sp .5v -.if n .sp -.. -.de Vb \" Begin verbatim text -.ft CW -.nf -.ne \\$1 -.. -.de Ve \" End verbatim text -.ft R -.fi -.. -.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>. -.ie n \{\ -. ds C` "" -. ds C' "" -'br\} -.el\{\ -. ds C` -. ds C' -'br\} -.\" -.\" Escape single quotes in literal strings from groff's Unicode transform. -.ie \n(.g .ds Aq \(aq -.el .ds Aq ' -.\" -.\" If the F register is >0, we'll generate index entries on stderr for -.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index -.\" entries marked with X<> in POD. Of course, you'll have to process the -.\" output yourself in some meaningful fashion. -.\" -.\" Avoid warning from groff about undefined register 'F'. -.de IX -.. -.nr rF 0 -.if \n(.g .if rF .nr rF 1 -.if (\n(rF:(\n(.g==0)) \{\ -. if \nF \{\ -. de IX -. tm Index:\\$1\t\\n%\t"\\$2" -.. -. if !\nF==2 \{\ -. nr % 0 -. nr F 2 -. \} -. \} -.\} -.rr rF -.\" ======================================================================== -.\" -.IX Title "PAM_KRB5 1" -.TH PAM_KRB5 1 2025-06-05 "perl v5.40.2" "User Contributed Perl Documentation" -.\" For nroff, turn off justification. Always turn off hyphenation; it makes -.\" way too many mistakes in technical documents. 
-.if n .ad l -.nh -.SH NAME -pam_krb5 \- Kerberos PAM module -.SH SYNOPSIS -.IX Header "SYNOPSIS" -.Vb 4 -\& auth sufficient pam_krb5.so minimum_uid=1000 -\& session required pam_krb5.so minimum_uid=1000 -\& account required pam_krb5.so minimum_uid=1000 -\& password sufficient pam_krb5.so minimum_uid=1000 -.Ve -.SH DESCRIPTION -.IX Header "DESCRIPTION" +.Dd November 21, 2025 +.Dt PAM_KRB5 8 +.Os +.Sh NAME +.Nm pam_krb5 +.Nd Kerberos PAM module +.Sh SYNOPSIS +.Bd -literal + auth sufficient pam_krb5.so minimum_uid=1000 + session required pam_krb5.so minimum_uid=1000 + account required pam_krb5.so minimum_uid=1000 + password sufficient pam_krb5.so minimum_uid=1000 +.Ed +.Sh DESCRIPTION The Kerberos service module for PAM, typically installed at -\&\fI/lib/security/pam_krb5.so\fR, provides functionality for the four PAM -operations: authentication, account management, session management, and -password management. \fIpam_krb5.so\fR is a shared object that is -dynamically loaded by the PAM subsystem as necessary, based on the system -PAM configuration. PAM is a system for plugging in external -authentication and session management modules so that each application -doesn't have to know the best way to check user authentication or create a -user session on that system. For details on how to configure PAM on your -system, see the PAM man page, often \fBpam\fR\|(7). -.PP +.Pa /lib/security/pam_krb5.so , +provides functionality for the four PAM operations: authentication, +account management, session management, and password management. +.Pa pam_krb5.so +is a shared object that is dynamically loaded by the PAM subsystem as +necessary, based on the system PAM configuration. +PAM is a system for plugging in external authentication and session +management modules so that each application doesn't have to know the +best way to check user authentication or create a user session on that +system. 
+For details on how to configure PAM on your system, see the PAM man +page, often pam.conf(5). +.Pp Here are the actions of this module when called from each group: -.IP auth 4 -.IX Item "auth" -Provides implementations of \fBpam_authenticate()\fR and \fBpam_setcred()\fR. The -former takes the username from the PAM session, prompts for the user's -password (unless configured to use an already-entered password), and then -performs a Kerberos initial authentication, storing the obtained -credentials (if successful) in a temporary ticket cache. The latter, -depending on the flags it is called with, either takes the contents of the -temporary ticket cache and writes it out to a persistent ticket cache -owned by the user or uses the temporary ticket cache to refresh an -existing user ticket cache. -.Sp +.Bl -tag -width Ds +.It auth +Provides implementations of +.Xr pam_authenticate 3 +and +.Xr pam_setcred 3 . +The former takes the username from the PAM session, prompts for the +user's password (unless configured to use an already-entered password), +and then performs a Kerberos initial authentication, storing the +obtained credentials (if successful) in a temporary ticket cache. +The latter, depending on the flags it is called with, either takes the +contents of the temporary ticket cache and writes it out to a persistent +ticket cache owned by the user or uses the temporary ticket cache to +refresh an existing user ticket cache. +.Pp Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 -octets) will be rejected, since excessively long passwords can be used as -a denial of service attack. -.Sp +octets) will be rejected, since excessively long passwords can be used +as a denial of service attack. +.Pp After doing the initial authentication, the Kerberos PAM module will attempt to obtain tickets for a key in the local system keytab and then -verify those tickets. 
Unless this step is performed, the authentication -is vulnerable to KDC spoofing, but it requires that the system have a -local key and that the PAM module be running as a user that can read the -keytab file (normally \fI/etc/krb5.keytab\fR. You can point the Kerberos PAM -module at a different keytab with the \fIkeytab\fR option. If that keytab -cannot be read or if no keys are found in it, the default (potentially -insecure) behavior is to skip this check. If you want to instead fail -authentication if the obtained tickets cannot be checked, set -\&\f(CW\*(C`verify_ap_req_nofail\*(C'\fR to true in the [libdefaults] section of -\&\fI/etc/krb5.conf\fR. Note that this will affect applications other than -this PAM module. -.Sp +verify those tickets. +Unless this step is performed, the authentication is vulnerable to KDC +spoofing, but it requires that the system have a local key and that the +PAM module be running as a user that can read the keytab file (normally +.Pa /etc/krb5.keytab . +You can point the Kerberos PAM module at a different keytab with the +.Em keytab +option. +If that keytab cannot be read or if no keys are found in it, the default +behavior is to fail authentication. +If you want to skip this check, set the +.Qo Li allow_kdc_spoof Qc +option to true either in the [appdefaults] section of +.Pa /etc/krb5.conf +or in the PAM policy. +.Pp By default, whenever the user is authenticated, a basic authorization -check will also be done using \fBkrb5_kuserok()\fR. The default behavior of -this function is to check the user's account for a \fI.k5login\fR file and, -if one is present, ensure that the user's principal is listed in that -file. If \fI.k5login\fR is not present, the default check is to ensure that -the user's principal is in the default local realm and the user portion of -the principal matches the account name (this can be changed by configuring -a custom aname to localname mapping in \fIkrb5.conf\fR; see the Kerberos -documentation for details). 
This can be customized with several -configuration options; see below. -.Sp -If the username provided to PAM contains an \f(CW\*(C`@\*(C'\fR and Kerberos can, -treating the username as a principal, map it to a local account name, -\&\fBpam_authenticate()\fR will change the PAM user to that local account name. -This allows users to log in with their Kerberos principal and let Kerberos -do the mapping to an account. This can be disabled with the -\&\fIno_update_user\fR option. Be aware, however, that this facility cannot be -used with OpenSSH. OpenSSH will reject usernames that don't match local -accounts before this remapping can be done and will pass an invalid -password to the PAM module. Also be aware that several other common PAM -modules, such as pam_securetty, expect to be able to look up the user with -\&\fBgetpwnam()\fR and cannot be called before pam_krb5 when using this feature. -.Sp -When \fBpam_setcred()\fR is called to initialize a new ticket cache, the -environment variable KRB5CCNAME is set to the path to that ticket cache. -By default, the cache will be named \fI/tmp/krb5cc_UID_RANDOM\fR where UID is -the user's UID and RANDOM is six randomly-chosen letters. This can be -configured with the \fIccache\fR and \fIccache_dir\fR options. -.Sp -pam\-krb5 does not use the default ticket cache location or -\&\fIdefault_cc_name\fR in the \f(CW\*(C`[libdefaults]\*(C'\fR section of \fIkrb5.conf\fR. The -default cache location would share a cache for all sessions of the same -user, which causes confusing behavior when the user logs out of one of -multiple sessions. -.Sp -If \fBpam_setcred()\fR initializes a new ticket cache, it will also set up that -ticket cache so that it will be deleted when the PAM session is closed. -Normally, the calling program (\fBlogin\fR, \fBsshd\fR, etc.) will run the -user's shell as a sub-process, wait for it to exit, and then close the PAM -session, thereby cleaning up the user's session. 
-.IP session 4
-.IX Item "session"
-Provides implementations of \fBpam_open_session()\fR, which is equivalent to
-calling \fBpam_setcred()\fR with the PAM_ESTABLISH_CRED flag, and
-\&\fBpam_close_session()\fR, which destroys the ticket cache created by
-\&\fBpam_setcred()\fR.
-.IP account 4
-.IX Item "account"
-Provides an implementation of \fBpam_acct_mgmt()\fR. All it does is do the same
-authorization check as performed by the \fBpam_authenticate()\fR implementation
-described above.
-.IP password 4
-.IX Item "password"
-Provides an implementation of \fBpam_chauthtok()\fR, which implements password
-changes. The user is prompted for their existing password (unless
-configured to use an already entered one) and the PAM module then obtains
-credentials for the special Kerberos principal \f(CW\*(C`kadmin/changepw\*(C'\fR. It
-then prompts the user for a new password, twice to ensure that the user
-entered it properly (again, unless configured to use an already entered
-password), and then does a Kerberos password change.
-.Sp
+check will also be done using
+.Xr krb5_kuserok 3 .
+The default behavior of this function is to check the user's account for
+a
+.Pa .k5login
+file and, if one is present, ensure that the user's principal is listed
+in that file.
+If
+.Pa .k5login
+is not present, the default check is to ensure that the user's principal
+is in the default local realm and the user portion of the principal
+matches the account name (this can be changed by configuring a custom
+aname to localname mapping in
+.Pa krb5.conf ;
+see the Kerberos documentation for details).
+This can be customized with several configuration options; see below.
+.Pp
+If the username provided to PAM contains an
+.Qo Li @ Qc
+and Kerberos can, treating the username as a principal, map it to a
+local account name,
+.Xr pam_authenticate 3
+will change the PAM user to that local account name.
+This allows users to log in with their Kerberos principal and let
+Kerberos do the mapping to an account.
+This can be disabled with the
+.Em no_update_user
+option.
+Be aware, however, that this facility cannot be used with OpenSSH.
+OpenSSH will reject usernames that don't match local accounts before
+this remapping can be done and will pass an invalid password to the PAM
+module.
+Also be aware that several other common PAM modules, such as
+pam_securetty, expect to be able to look up the user with
+.Xr getpwnam 3
+and cannot be called before pam_krb5 when using this feature.
+.Pp
+When
+.Xr pam_setcred 3
+is called to initialize a new ticket cache, the environment variable
+KRB5CCNAME is set to the path to that ticket cache.
+By default, the cache will be named
+.Pa /tmp/krb5cc_UID_RANDOM
+where UID is the user's UID and RANDOM is six randomly-chosen letters.
+This can be configured with the
+.Em ccache
+and
+.Em ccache_dir
+options.
+.Pp
+pam-krb5 does not use the default ticket cache location or
+.Em default_cc_name
+in the
+.Qo Li [libdefaults] Qc
+section of
+.Pa krb5.conf .
+The default cache location would share a cache for all sessions of the
+same user, which causes confusing behavior when the user logs out of one
+of multiple sessions.
+.Pp
+If
+.Xr pam_setcred 3
+initializes a new ticket cache, it will also set up that ticket cache so
+that it will be deleted when the PAM session is closed.
+Normally, the calling program
+.Pf ( Sy login ,
+.Sy sshd ,
+etc.)
+will run the user's shell as a sub-process, wait for it to exit, and
+then close the PAM session, thereby cleaning up the user's session.
+.It session
+Provides implementations of
+.Xr pam_open_session 3 ,
+which is equivalent to calling
+.Xr pam_setcred 3
+with the PAM_ESTABLISH_CRED flag, and
+.Xr pam_close_session 3 ,
+which destroys the ticket cache created by
+.Xr pam_setcred 3 .
+.It account
+Provides an implementation of
+.Xr pam_acct_mgmt 3 .
+All it does is do the same authorization check as performed by the +.Xr pam_authenticate 3 +implementation described above. +.It password +Provides an implementation of +.Xr pam_chauthtok 3 , +which implements password changes. +The user is prompted for their existing password (unless configured to +use an already entered one) and the PAM module then obtains credentials +for the special Kerberos principal +.Qo Li kadmin/changepw Qc . +It then prompts the user for a new password, twice to ensure that the +user entered it properly (again, unless configured to use an already +entered password), and then does a Kerberos password change. +.Pp Passwords as long or longer than PAM_MAX_RESP_SIZE octets (normally 512 -octets) will be rejected, since excessively long passwords can be used as -a denial of service attack. -.Sp -Unlike the normal Unix password module, this module will allow any user to -change any other user's password if they know the old password. Also, -unlike the normal Unix password module, root will always be prompted for -the old password, since root has no special status in Kerberos. (To -change passwords in Kerberos without knowing the old password, use -\&\fBkadmin\fR\|(8) instead.) -.PP +octets) will be rejected, since excessively long passwords can be used +as a denial of service attack. +.Pp +Unlike the normal Unix password module, this module will allow any user +to change any other user's password if they know the old password. +Also, unlike the normal Unix password module, root will always be +prompted for the old password, since root has no special status in +Kerberos. +(To change passwords in Kerberos without knowing the old password, use +kadmin(8) instead.) +.El +.Pp Both the account and session management calls of the Kerberos PAM module will return PAM_IGNORE if called in the context of a PAM session for a -user who did not authenticate with Kerberos (a return code of \f(CW\*(C`ignore\*(C'\fR in -the Linux PAM configuration language). 
-.PP
+user who did not authenticate with Kerberos (a return code of
+.Qo Li ignore Qc
+in the Linux PAM configuration language).
+.Pp
 Note that this module assumes the network is available in order to do a
-Kerberos authentication. If the network is not available, some Kerberos
-libraries have timeouts longer than the timeout imposed by the login
-process. This means that using this module incautiously can make it
-impossible to log on to console as root. For this reason, you should
-always use the \fIignore_root\fR or \fIminimum_uid\fR options, list a local
-authentication module such as \fBpam_unix\fR first with a control field of
-\&\f(CW\*(C`sufficient\*(C'\fR so that the Kerberos PAM module will be skipped if local
-password authentication was successful.
-.PP
-This is not the same PAM module as the Kerberos PAM module available from
-Sourceforge, or the one included on Red Hat systems. It supports many of
-the same options, has some additional options, and doesn't support some of
-the options those modules do.
-.SH CONFIGURATION
-.IX Header "CONFIGURATION"
-The Kerberos PAM module takes many options, not all of which are relevant
-to every PAM group; options that are not relevant will be silently
-ignored. Any of these options can be set in the PAM configuration as
-arguments listed after \f(CW\*(C`pam_krb5.so\*(C'\fR. Some of the options can also be
-set in the system \fIkrb5.conf\fR file; if this is possible, it will be noted
-below in the option description.
-.PP
-To set a boolean option in the PAM configuration file, just give the name
-of the option in the arguments. To set an option that takes an argument,
-follow the option name with an equal sign (=) and the value, with no
-separating whitespace. Whitespace in option arguments is not supported in
-the PAM configuration.
-.PP
-To set an option for the PAM module in the system \fIkrb5.conf\fR file, put
-that option in the \f(CW\*(C`[appdefaults]\*(C'\fR section.
All options must be followed
-by an equal sign (=) and a value, so for boolean options add \f(CW\*(C`= true\*(C'\fR.
+Kerberos authentication.
+If the network is not available, some Kerberos libraries have timeouts
+longer than the timeout imposed by the login process.
+This means that using this module incautiously can make it impossible to
+log on to console as root.
+For this reason, you should always use the
+.Em ignore_root
+or
+.Em minimum_uid
+options, list a local authentication module such as
+.Sy pam_unix
+first with a control field of
+.Qo Li sufficient Qc
+so that the Kerberos PAM module will be skipped if local password
+authentication was successful.
+.Pp
+This is not the same PAM module as the Kerberos PAM module available
+from Sourceforge, or the one included on Red Hat systems.
+It supports many of the same options, has some additional options, and
+doesn't support some of the options those modules do.
+.Sh CONFIGURATION
+The Kerberos PAM module takes many options, not all of which are
+relevant to every PAM group; options that are not relevant will be
+silently ignored.
+Any of these options can be set in the PAM configuration as arguments
+listed after
+.Qo Li pam_krb5.so Qc .
+Some of the options can also be set in the system
+.Pa krb5.conf
+file; if this is possible, it will be noted below in the option
+description.
+.Pp
+To set a boolean option in the PAM configuration file, just give the
+name of the option in the arguments.
+To set an option that takes an argument, follow the option name with an
+equal sign (=) and the value, with no separating whitespace.
+Whitespace in option arguments is not supported in the PAM
+configuration.
+.Pp
+To set an option for the PAM module in the system
+.Pa krb5.conf
+file, put that option in the
+.Qo Li [appdefaults] Qc
+section.
+All options must be followed by an equal sign (=) and a value, so for
+boolean options add
+.Qo Li = true Qc .
 The Kerberos PAM module will look for options either at the top level of
-the \f(CW\*(C`[appdefaults]\*(C'\fR section or in a subsection named \f(CW\*(C`pam\*(C'\fR, inside or
-outside a section for the realm. For example, the following fragment of a
-\&\fIkrb5.conf\fR file would set \fIforwardable\fR to true, \fIminimum_uid\fR to
-1000, and set \fIignore_k5login\fR only if the realm is EXAMPLE.COM.
-.PP
-.Vb 8
-\& [appdefaults]
-\& forwardable = true
-\& pam = {
-\& minimum_uid = 1000
-\& EXAMPLE.COM = {
-\& ignore_k5login = true
-\& }
-\& }
-.Ve
-.PP
-For more information on the syntax of \fIkrb5.conf\fR, see \fBkrb5.conf\fR\|(5).
-Note that options that depend on the realm will be set only on the basis
-of the default realm, either as configured in \fBkrb5.conf\fR\|(5) or as set by
-the \fIrealm\fR option described below. If the user authenticates to an
-account qualified with a realm, that realm will not be used when
-determining which options will apply.
-.PP
-There is no difference to the PAM module whether options are specified at
-the top level or in a \f(CW\*(C`pam\*(C'\fR section; the \f(CW\*(C`pam\*(C'\fR section is supported in
-case there are options that should be set for the PAM module but not for
-other applications.
-.PP
-If the same option is set in \fIkrb5.conf\fR and in the PAM configuration,
-the latter takes precedent. Note, however, that due to the configuration
-syntax, there's no way to turn off a boolean option in the PAM
-configuration that was turned on in \fIkrb5.conf\fR.
-.PP
+the
+.Qo Li [appdefaults] Qc
+section or in a subsection named
+.Qo Li pam Qc ,
+inside or outside a section for the realm.
+For example, the following fragment of a
+.Pa krb5.conf
+file would set
+.Em forwardable
+to true,
+.Em minimum_uid
+to 1000, and set
+.Em ignore_k5login
+only if the realm is EXAMPLE.COM.
+.Bd -literal
+ [appdefaults]
+ forwardable = true
+ pam = {
+ minimum_uid = 1000
+ EXAMPLE.COM = {
+ ignore_k5login = true
+ }
+ }
+.Ed
+.Pp
+For more information on the syntax of
+.Pa krb5.conf ,
+see krb5.conf(5). Note that options that depend on the realm will be set
+only on the basis of the default realm, either as configured in
+krb5.conf(5) or as set by the
+.Em realm
+option described below.
+If the user authenticates to an account qualified with a realm, that
+realm will not be used when determining which options will apply.
+.Pp
+There is no difference to the PAM module whether options are specified
+at the top level or in a
+.Qo Li pam Qc
+section; the
+.Qo Li pam Qc
+section is supported in case there are options that should be set for
+the PAM module but not for other applications.
+.Pp
+If the same option is set in
+.Pa krb5.conf
+and in the PAM configuration, the latter takes precedent.
+Note, however, that due to the configuration syntax, there's no way to
+turn off a boolean option in the PAM configuration that was turned on in
+.Pa krb5.conf .
+.Pp
 The start of each option description is annotated with the version of
-pam\-krb5 in which that option was added with the current meaning.
-.SS Authorization
-.IX Subsection "Authorization"
-.IP alt_auth_map=<format> 4
-.IX Item "alt_auth_map=<format>"
-[3.12] This functions similarly to the \fIsearch_k5login\fR option. The
-<format> argument is used as the authentication Kerberos principal, with
-any \f(CW%s\fR in <format> replaced with the username. If the username
-contains an \f(CW\*(C`@\*(C'\fR, only the part of the username before the realm is used
-to replace \f(CW%s\fR. If <format> contains a realm, it will be used;
-otherwise, the realm of the username (if any) will be appended to the
-result. There is no quote removal.
-.Sp
+pam-krb5 in which that option was added with the current meaning.
+.Ss Authorization +.Bl -tag -width Ds +.It allow_kdc_spoof +Allow authentication to succeed even if there is no host or service key +available in a keytab to authenticate the Kerberos KDC's ticket. +.It alt_auth_map=<format> +[3.12] This functions similarly to the +.Em search_k5login +option. +The <format> argument is used as the authentication Kerberos principal, +with any +.Qo Li %s Qc +in <format> replaced with the username. +If the username contains an +.Qo Li @ Qc , +only the part of the username before the realm is used to replace +.Qo Li %s Qc . +If <format> contains a realm, it will be used; otherwise, the realm of +the username (if any) will be appended to the result. +There is no quote removal. +.Pp If this option is present, the default behavior is to try this alternate principal first and then fall back to the standard behavior if it fails. The primary usage is to allow alternative principals to be used for -authentication in programs like \fBsudo\fR. Most examples will look like: -.Sp -.Vb 1 -\& alt_auth_map=%s/root -.Ve -.Sp +authentication in programs like +.Sy sudo . +Most examples will look like: +.Bd -literal + alt_auth_map=%s/root +.Ed +.Pp which attempts authentication as the root instance of the username first -and then falls back to the regular username (but see \fIforce_alt_auth\fR and -\&\fIonly_alt_auth\fR). -.Sp +and then falls back to the regular username (but see +.Em force_alt_auth +and +.Em only_alt_auth Ns ). +.Pp This option also allows a cheap way to attempt authentication in an -alternative realm first and then fall back to the primary realm. A -setting like: -.Sp -.Vb 1 -\& alt_auth_map=%s@EXAMPLE.COM -.Ve -.Sp +alternative realm first and then fall back to the primary realm. +A setting like: +.Bd -literal + alt_auth_map=%s@EXAMPLE.COM +.Ed +.Pp will attempt authentication in the EXAMPLE.COM realm first and then fall -back on the local default realm. 
This is more convenient than running the
-module multiple times with multiple default realms set with \fIrealm\fR, but
-it is very limited: only two realms can be tried, and the alternate realm
-is always tried first.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR, although
-normally it doesn't make sense to do that; normally it is used in the PAM
-options of configuration for specific programs. It is only applicable to
-the auth and account groups. If this option is set for the auth group, be
-sure to set it for the account group as well or account authorization may
-fail.
-.IP force_alt_auth 4
-.IX Item "force_alt_auth"
-[3.12] This option is used with \fIalt_auth_map\fR and forces authentication
-as the mapped principal if that principal exists in the KDC. Only if the
-KDC returns principal unknown does the Kerberos PAM module fall back to
-normal authentication. This can be used to force authentication with an
-alternate instance. If \fIalt_auth_map\fR is not set, it has no effect.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.IP ignore_k5login 4
-.IX Item "ignore_k5login"
-[2.0] Never look for a \fI.k5login\fR file in the user's home directory.
-Instead, only check that the Kerberos principal maps to the local account
-name. The default check is to ensure the realm matches the local realm
-and the user portion of the principal matches the local account name, but
-this can be customized by setting up an aname to localname mapping in
-\&\fIkrb5.conf\fR.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth and account groups.
-.IP ignore_root 4
-.IX Item "ignore_root"
-[1.1] Do not do anything if the username is \f(CW\*(C`root\*(C'\fR.
The authentication
-and password calls will silently fail (allowing that status to be ignored
-via a control of \f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR), and the account and
-session calls (including pam_setcred) will return PAM_IGNORE, telling the
-PAM library to proceed as if they weren't mentioned in the PAM
-configuration. This option is supported and will remain, but normally you
-want to use \fIminimum_uid\fR instead.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR.
-.IP minimum_uid=<uid> 4
-.IX Item "minimum_uid=<uid>"
-[2.0] Do not do anything if the authenticated account name corresponds to
-a local account and that local account has a UID lower than <uid>. If
+back on the local default realm.
+This is more convenient than running the module multiple times with
+multiple default realms set with
+.Em realm ,
+but it is very limited: only two realms can be tried, and the alternate
+realm is always tried first.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf ,
+although normally it doesn't make sense to do that; normally it is used
+in the PAM options of configuration for specific programs.
+It is only applicable to the auth and account groups.
+If this option is set for the auth group, be sure to set it for the
+account group as well or account authorization may fail.
+.It force_alt_auth
+[3.12] This option is used with
+.Em alt_auth_map
+and forces authentication as the mapped principal if that principal
+exists in the KDC. Only if the KDC returns principal unknown does the
+Kerberos PAM module fall back to normal authentication.
+This can be used to force authentication with an alternate instance.
+If
+.Em alt_auth_map
+is not set, it has no effect.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth group.
+.It ignore_k5login
+[2.0] Never look for a
+.Pa .k5login
+file in the user's home directory.
+Instead, only check that the Kerberos principal maps to the local +account name. +The default check is to ensure the realm matches the local realm and the +user portion of the principal matches the local account name, but this +can be customized by setting up an aname to localname mapping in +.Pa krb5.conf . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and account groups. +.It ignore_root +[1.1] Do not do anything if the username is +.Qo Li root Qc . +The authentication and password calls will silently fail (allowing that +status to be ignored via a control of +.Qo Li optional Qc +or +.Qo Li sufficient Qc Ns ), +and the account and session calls (including pam_setcred) will return +PAM_IGNORE, telling the PAM library to proceed as if they weren't +mentioned in the PAM configuration. +This option is supported and will remain, but normally you want to use +.Em minimum_uid +instead. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf . +.It minimum_uid=<uid> +[2.0] Do not do anything if the authenticated account name corresponds +to a local account and that local account has a UID lower than <uid>. If both of those conditions are true, the authentication and password calls will silently fail (allowing that status to be ignored via a control of -\&\f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR), and the account and session calls -(including pam_setcred) will return PAM_IGNORE, telling the PAM library to -proceed as if they weren't mentioned in the PAM configuration. -.Sp -Using this option is highly recommended if you don't need to use Kerberos -to authenticate password logins to the root account (which isn't -recommended since Kerberos requires a network connection). It provides -some defense in depth against user principals that happen to match a -system account incorrectly authenticating as that system account. 
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR.
-.IP only_alt_auth 4
-.IX Item "only_alt_auth"
-[3.12] This option is used with \fIalt_auth_map\fR and forces the use of the
-mapped principal for authentication. It disables fallback to normal
-authentication in all cases and overrides \fIsearch_k5login\fR and
-\&\fIforce_alt_auth\fR. If \fIalt_auth_map\fR is not set, it has no effect and
-the standard authentication behavior is used.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.IP search_k5login 4
-.IX Item "search_k5login"
+.Qo Li optional Qc
+or
+.Qo Li sufficient Qc Ns ),
+and the account and session calls (including pam_setcred) will return
+PAM_IGNORE, telling the PAM library to proceed as if they weren't
+mentioned in the PAM configuration.
+.Pp
+Using this option is highly recommended if you don't need to use
+Kerberos to authenticate password logins to the root account (which
+isn't recommended since Kerberos requires a network connection).
+It provides some defense in depth against user principals that happen to
+match a system account incorrectly authenticating as that system
+account.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf .
+.It only_alt_auth
+[3.12] This option is used with
+.Em alt_auth_map
+and forces the use of the mapped principal for authentication.
+It disables fallback to normal authentication in all cases and overrides
+.Em search_k5login
+and
+.Em force_alt_auth .
+If
+.Em alt_auth_map
+is not set, it has no effect and the standard authentication behavior is
+used.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth group.
+.It search_k5login
 [2.0] Normally, the Kerberos implementation of pam_authenticate attempts
-to obtain tickets for the authenticating username in the local realm.
If
-this option is set and the local user has a \fI.k5login\fR file in their home
-directory, the module will instead open and read that \fI.k5login\fR file,
-attempting to use the supplied password to authenticate as each principal
-listed there in turn. If any of those authentications succeed, the user
-will be successfully authenticated; otherwise, authentication will fail.
-This option is useful for allowing password authentication (via console or
-\&\fBsshd\fR without GSS-API support) to shared accounts. If there is no
-\&\fI.k5login\fR file, the behavior is the same as normal. Using this option
-requires that the user's \fI.k5login\fR file be readable at the time of
-authentication.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.SS "Kerberos Behavior"
-.IX Subsection "Kerberos Behavior"
-.IP anon_fast 4
-.IX Item "anon_fast"
+to obtain tickets for the authenticating username in the local realm.
+If this option is set and the local user has a
+.Pa .k5login
+file in their home directory, the module will instead open and read that
+.Pa .k5login
+file, attempting to use the supplied password to authenticate as each
+principal listed there in turn.
+If any of those authentications succeed, the user will be successfully
+authenticated; otherwise, authentication will fail.
+This option is useful for allowing password authentication (via console
+or
+.Sy sshd
+without GSS-API support) to shared accounts.
+If there is no
+.Pa .k5login
+file, the behavior is the same as normal.
+Using this option requires that the user's
+.Pa .k5login
+file be readable at the time of authentication.
+.Pp
+This option can be set in
+.Qo Li [appdefaults] Qc
+in
+.Pa krb5.conf
+and is only applicable to the auth group.
+.El +.Ss Kerberos Behavior +.Bl -tag -width Ds +.It anon_fast [4.6] Attempt to use Flexible Authentication Secure Tunneling (FAST) by -first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and using -its credentials as the FAST armor. This requires anonymous PKINIT be -enabled for the local realm, that PKINIT be configured on the local -system, and that the Kerberos library support FAST and anonymous PKINIT. -.Sp -FAST is a mechanism to protect Kerberos against password guessing attacks -and provide other security improvements. To work, FAST requires that a -ticket be obtained with a strong key to protect exchanges with potentially -weaker user passwords. This option uses anonymous authentication to -obtain that key and then uses it to protect the subsequent authentication. -.Sp +first authenticating as the anonymous user (WELLKNOWN/ANONYMOUS) and +using its credentials as the FAST armor. +This requires anonymous PKINIT be enabled for the local realm, that +PKINIT be configured on the local system, and that the Kerberos library +support FAST and anonymous PKINIT. +.Pp +FAST is a mechanism to protect Kerberos against password guessing +attacks and provide other security improvements. +To work, FAST requires that a ticket be obtained with a strong key to +protect exchanges with potentially weaker user passwords. +This option uses anonymous authentication to obtain that key and then +uses it to protect the subsequent authentication. +.Pp If anonymous PKINIT is not available or fails, FAST will not be used and the authentication will proceed as normal. -.Sp +.Pp To instead use an existing ticket cache for the FAST credentials, use -\&\fIfast_ccache\fR instead of this option. If both \fIfast_ccache\fR and -\&\fIanon_fast\fR are set, the ticket cache named by \fIfast_ccache\fR will be -tried first, and the Kerberos PAM module will fall back on attempting -anonymous PKINIT if that cache could not be used. 
-.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.Sp -The operation is the same as if using the \fIfast_ccache\fR option, but the -cache is created and destroyed automatically. If both \fIfast_ccache\fR and -\&\fIanon_fast\fR options are used, the \fIfast_ccache\fR takes precedent and no -anonymous authentication is done. -.IP fast_ccache=<ccache_name> 4 -.IX Item "fast_ccache=<ccache_name>" -[4.3] The same as \fIanon_fast\fR, but use an existing Kerberos ticket cache -rather than anonymous PKINIT. This allows use of FAST with a realm that -doesn't support PKINIT or doesn't support anonymous authentication. -.Sp +.Em fast_ccache +instead of this option. +If both +.Em fast_ccache +and +.Em anon_fast +are set, the ticket cache named by +.Em fast_ccache +will be tried first, and the Kerberos PAM module will fall back on +attempting anonymous PKINIT if that cache could not be used. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.Pp +The operation is the same as if using the +.Em fast_ccache +option, but the cache is created and destroyed automatically. +If both +.Em fast_ccache +and +.Em anon_fast +options are used, the +.Em fast_ccache +takes precedent and no anonymous authentication is done. +.It fast_ccache=<ccache_name> +[4.3] The same as +.Em anon_fast , +but use an existing Kerberos ticket cache rather than anonymous PKINIT. +This allows use of FAST with a realm that doesn't support PKINIT or +doesn't support anonymous authentication. +.Pp <ccache_name> should be a credential cache containing a ticket obtained using a strong key, such as the randomized key for the host principal of -the local system. If <ccache_name> names a ticket cache that is readable -by the authenticating process and has tickets then FAST will be attempted. 
-The easiest way to use this option is to use a program like \fBk5start\fR to
-maintain a ticket cache using the host's keytab. This ticket cache should
-normally only be readable by root, so this option will not be able to
-protect authentications done as non-root users (such as screensavers).
-.Sp
-If no credentials are present in the ticket cache, or if the ticket cache
-does not exist or is not readable, FAST will not used and authentication
-will proceed as normal. However, if the credentials in that ticket cache
-are expired, authentication will fail if the KDC supports FAST.
-.Sp
-To use anonymous PKINIT to protect the FAST exchange, use the \fIanon_fast\fR
-option instead. \fIanon_fast\fR is easier to configure, since no existing
-ticket cache is required, but requires PKINIT be available and configured
-and that the local realm support anonymous authentication. If both
-\&\fIfast_ccache\fR and \fIanon_fast\fR are set, the ticket cache named by
-\&\fIfast_ccache\fR will be tried first, and the Kerberos PAM module will fall
-back on attempting anonymous PKINIT if that cache could not be used.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth and password groups.
-.IP forwardable 4
-.IX Item "forwardable"
-[1.0] Obtain forwardable tickets. If set (to either true or false,
-although it can only be set to false in \fIkrb5.conf\fR), this overrides the
-Kerberos library default set in the [libdefaults] section of \fIkrb5.conf\fR.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.IP keytab=<path> 4
-.IX Item "keytab=<path>"
-[3.0] Specifies the keytab to use when validating the user's credentials.
-The default is the default system keytab (normally \fI/etc/krb5.keytab\fR),
-which is usually only readable by root.
Applications not running as root
-that use this PAM module for authentication may wish to point it to
-another keytab the application can read. The first principal found in the
-keytab will be used as the principal for credential verification.
-.Sp
-This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only
-applicable to the auth group.
-.IP realm=<realm> 4
-.IX Item "realm=<realm>"
-[2.2] Set the default Kerberos realm and obtain credentials in that realm,
-rather than in the normal default realm for this system. If this option
-is used, it should be set for all groups being used for consistent
-results. This setting will affect authorization decisions since it
-changes the default realm. This setting will also change the service
-principal used to verify the obtained credentials to be in the specified
-realm.
-.Sp
+the local system.
+If <ccache_name> names a ticket cache that is readable by the
+authenticating process and has tickets then FAST will be attempted.
+The easiest way to use this option is to use a program like
+.Sy k5start
+to maintain a ticket cache using the host's keytab.
+This ticket cache should normally only be readable by root, so this
+option will not be able to protect authentications done as non-root
+users (such as screensavers).
+.Pp
+If no credentials are present in the ticket cache, or if the ticket
+cache does not exist or is not readable, FAST will not used and
+authentication will proceed as normal.
+However, if the credentials in that ticket cache are expired,
+authentication will fail if the KDC supports FAST.
+.Pp
+To use anonymous PKINIT to protect the FAST exchange, use the
+.Em anon_fast
+option instead.
+.Em anon_fast
+is easier to configure, since no existing ticket cache is required, but
+requires PKINIT be available and configured and that the local realm
+support anonymous authentication.
+If both +.Em fast_ccache +and +.Em anon_fast +are set, the ticket cache named by +.Em fast_ccache +will be tried first, and the Kerberos PAM module will fall back on +attempting anonymous PKINIT if that cache could not be used. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.It forwardable +[1.0] Obtain forwardable tickets. +If set (to either true or false, although it can only be set to false in +.Pa krb5.conf Ns ), +this overrides the Kerberos library default set in the [libdefaults] +section of +.Pa krb5.conf . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It keytab=<path> +[3.0] Specifies the keytab to use when validating the user's +credentials. +The default is the default system keytab (normally +.Pa /etc/krb5.keytab Ns ), +which is usually only readable by root. +Applications not running as root that use this PAM module for +authentication may wish to point it to another keytab the application +can read. +The first principal found in the keytab will be used as the principal +for credential verification. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It realm=<realm> +[2.2] Set the default Kerberos realm and obtain credentials in that +realm, rather than in the normal default realm for this system. +If this option is used, it should be set for all groups being used for +consistent results. +This setting will affect authorization decisions since it changes the +default realm. +This setting will also change the service principal used to verify the +obtained credentials to be in the specified realm. +.Pp If you only want to set the realm assumed for user principals without changing the realm for authorization decisions or the service principal -used to verify credentials, see the \fIuser_realm\fR option. 
-.IP renew_lifetime=<lifetime> 4 -.IX Item "renew_lifetime=<lifetime>" +used to verify credentials, see the +.Em user_realm +option. +.It renew_lifetime=<lifetime> [2.0] Obtain renewable tickets with a maximum renewable lifetime of -<lifetime>. <lifetime> should be a Kerberos lifetime string such as -\&\f(CW\*(C`2d4h10m\*(C'\fR or a time in minutes. If set, this overrides the Kerberos -library default set in the [libdefaults] section of \fIkrb5.conf\fR. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP ticket_lifetime=<lifetime> 4 -.IX Item "ticket_lifetime=<lifetime>" -[3.0] Obtain tickets with a maximum lifetime of <lifetime>. <lifetime> -should be a Kerberos lifetime string such as \f(CW\*(C`2d4h10m\*(C'\fR or a time in -minutes. If set, this overrides the Kerberos library default set in the -[libdefaults] section of \fIkrb5.conf\fR. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP user_realm 4 -.IX Item "user_realm" -[4.6] Obtain credentials in the specified realm rather than in the default -realm for this system. If this option is used, it should be set for all -groups being used for consistent results (although the account group -currently doesn't care about realm). This will not change authorization -decisions. If the obtained credentials are supposed to allow access to a -shell account, the user will need an appropriate \fI.k5login\fR file entry or -the system will have to have a custom aname_to_localname mapping. -.SS "PAM Behavior" -.IX Subsection "PAM Behavior" -.IP clear_on_fail 4 -.IX Item "clear_on_fail" -[3.9] When changing passwords, PAM first does a preliminary check through -the complete password stack, and then calls each module again to do the -password change. After that preliminary check, the order of module -invocation is fixed. 
This means that even if the Kerberos password change -fails (or if one of the other password changes in the stack fails), other -password PAM modules in the stack will still be called even if the failing -module is marked required or requisite. When using multiple password PAM -modules to synchronize passwords between multiple systems when they -change, this behavior can cause unwanted differences between the -environments. -.Sp -Setting this option provides a way to work around this behavior. If this -option is set and a Kerberos password change is attempted and fails (due -to network errors or password strength checking on the KDC, for example), -this module will clear the stored password in the PAM stack. This will -force any subsequent modules that have \fIuse_authtok\fR set to fail so that -those environments won't get out of sync with the password in Kerberos. +<lifetime>. <lifetime> should be a Kerberos lifetime string such as +.Qo Li 2d4h10m Qc +or a time in minutes. +If set, this overrides the Kerberos library default set in the +[libdefaults] section of +.Pa krb5.conf . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It ticket_lifetime=<lifetime> +[3.0] Obtain tickets with a maximum lifetime of <lifetime>. <lifetime> +should be a Kerberos lifetime string such as +.Qo Li 2d4h10m Qc +or a time in minutes. +If set, this overrides the Kerberos library default set in the +[libdefaults] section of +.Pa krb5.conf . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It user_realm +[4.6] Obtain credentials in the specified realm rather than in the +default realm for this system. +If this option is used, it should be set for all groups being used for +consistent results (although the account group currently doesn't care +about realm). +This will not change authorization decisions. 
+If the obtained credentials are supposed to allow access to a shell +account, the user will need an appropriate +.Pa .k5login +file entry or the system will have to have a custom aname_to_localname +mapping. +.El +.Ss PAM Behavior +.Bl -tag -width Ds +.It clear_on_fail +[3.9] When changing passwords, PAM first does a preliminary check +through the complete password stack, and then calls each module again to +do the password change. +After that preliminary check, the order of module invocation is fixed. +This means that even if the Kerberos password change fails (or if one of +the other password changes in the stack fails), other password PAM +modules in the stack will still be called even if the failing module is +marked required or requisite. +When using multiple password PAM modules to synchronize passwords +between multiple systems when they change, this behavior can cause +unwanted differences between the environments. +.Pp +Setting this option provides a way to work around this behavior. +If this option is set and a Kerberos password change is attempted and +fails (due to network errors or password strength checking on the KDC, +for example), this module will clear the stored password in the PAM +stack. +This will force any subsequent modules that have +.Em use_authtok +set to fail so that those environments won't get out of sync with the +password in Kerberos. The Kerberos PAM module will not meddle with the stored password if it skips the user due to configuration such as minimum_uid. -.Sp +.Pp Unfortunately, setting this option interferes with other desirable PAM configurations, such as attempting to change the password in Kerberos -first and falling back on the local Unix password database if that fails. -It therefore isn't the default. Turn it on (and list pam_krb5 first after -pam_cracklib if used) when synchronizing passwords between multiple -environments. 
-.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the password group. -.IP debug 4 -.IX Item "debug" +first and falling back on the local Unix password database if that +fails. +It therefore isn't the default. +Turn it on (and list pam_krb5 first after pam_cracklib if used) when +synchronizing passwords between multiple environments. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the password group. +.It debug [1.0] Log more verbose trace and debugging information to syslog at -LOG_DEBUG priority, including entry and exit from each of the external PAM -interfaces (except pam_close_session). -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR. -.IP defer_pwchange 4 -.IX Item "defer_pwchange" -[3.11] By default, pam\-krb5 lets the Kerberos library handle prompting for -a password change if an account's password is expired during the auth -group. If this fails, \fBpam_authenticate()\fR returns an error. -.Sp +LOG_DEBUG priority, including entry and exit from each of the external +PAM interfaces (except pam_close_session). +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf . +.It defer_pwchange +[3.11] By default, pam-krb5 lets the Kerberos library handle prompting +for a password change if an account's password is expired during the +auth group. +If this fails, +.Xr pam_authenticate 3 +returns an error. +.Pp According to the PAM standard, this is not the correct way to handle -expired passwords. Instead, \fBpam_authenticate()\fR should return success -without attempting a password change, and then \fBpam_acct_mgmt()\fR should -return PAM_NEW_AUTHTOK_REQD, at which point the calling application is -responsible for either rejecting the authentication or calling -\&\fBpam_chauthtok()\fR. 
However, following the standard requires that all -applications call \fBpam_acct_mgmt()\fR and check its return status; otherwise, -expired accounts may be able to successfully authenticate. Many -applications do not do this. -.Sp -If this option is set, pam\-krb5 uses the fully correct PAM mechanism for -handling expired accounts instead of failing in \fBpam_authenticate()\fR. Due -to the security risk of widespread broken applications, be very careful -about enabling this option. It should normally only be turned on to solve -a specific problem (such as using Solaris Kerberos libraries that don't -support prompting for password changes during authentication), and then -only for specific applications known to call \fBpam_acct_mgmt()\fR and check its -return status properly. -.Sp -This option is only supported when pam\-krb5 is built with MIT Kerberos. +expired passwords. +Instead, +.Xr pam_authenticate 3 +should return success without attempting a password change, and then +.Xr pam_acct_mgmt 3 +should return PAM_NEW_AUTHTOK_REQD, at which point the calling +application is responsible for either rejecting the authentication or +calling +.Xr pam_chauthtok 3 . +However, following the standard requires that all applications call +.Xr pam_acct_mgmt 3 +and check its return status; otherwise, expired accounts may be able to +successfully authenticate. +Many applications do not do this. +.Pp +If this option is set, pam-krb5 uses the fully correct PAM mechanism for +handling expired accounts instead of failing in +.Xr pam_authenticate 3 . +Due to the security risk of widespread broken applications, be very +careful about enabling this option. +It should normally only be turned on to solve a specific problem (such +as using Solaris Kerberos libraries that don't support prompting for +password changes during authentication), and then only for specific +applications known to call +.Xr pam_acct_mgmt 3 +and check its return status properly. 
+.Pp +This option is only supported when pam-krb5 is built with MIT Kerberos. If built against Heimdal, this option does nothing and normal expired -password change handling still happens. (Heimdal is missing the required -API to implement this option, at least as of version 1.6.) -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP fail_pwchange 4 -.IX Item "fail_pwchange" -[4.2] By default, pam\-krb5 lets the Kerberos library handle prompting for -a password change if an account's password is expired during the auth -group. If this option is set, expired passwords are instead treated as an -authentication failure identical to an incorrect password. Also see -\&\fIdefer_pwchange\fR and \fIforce_pwchange\fR. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP force_pwchange 4 -.IX Item "force_pwchange" +password change handling still happens. +(Heimdal is missing the required API to implement this option, at least +as of version 1.6.) +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It fail_pwchange +[4.2] By default, pam-krb5 lets the Kerberos library handle prompting +for a password change if an account's password is expired during the +auth group. +If this option is set, expired passwords are instead treated as an +authentication failure identical to an incorrect password. +Also see +.Em defer_pwchange +and +.Em force_pwchange . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It force_pwchange [3.11] If this option is set and authentication fails with a Kerberos error indicating the user's password is expired, attempt to immediately -change their password during the authenticate step. Under normal -circumstances, this is unnecessary. 
Most Kerberos libraries will do this -for you, and setting this option will prompt the user twice to change -their password if the first attempt (done by the Kerberos library) fails. -However, some system Kerberos libraries (such as Solaris's) have password -change prompting disabled in the Kerberos library; on those systems, you -can set this option to simulate the normal library behavior. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP no_update_user 4 -.IX Item "no_update_user" -[4.7] Normally, if pam\-krb5 is able to canonicalize the principal to a -local name using \fBkrb5_aname_to_localname()\fR or similar calls, it changes -the PAM_USER variable for this PAM session to the canonicalized local -name. Setting this option disables this behavior and leaves PAM_USER set -to the initial authentication identity. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth group. -.IP silent 4 -.IX Item "silent" +change their password during the authenticate step. +Under normal circumstances, this is unnecessary. +Most Kerberos libraries will do this for you, and setting this option +will prompt the user twice to change their password if the first attempt +(done by the Kerberos library) fails. +However, some system Kerberos libraries (such as Solaris's) have +password change prompting disabled in the Kerberos library; on those +systems, you can set this option to simulate the normal library +behavior. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It no_update_user +[4.7] Normally, if pam-krb5 is able to canonicalize the principal to a +local name using +.Xr krb5_aname_to_localname 3 +or similar calls, it changes the PAM_USER variable for this PAM session +to the canonicalized local name. 
+Setting this option disables this behavior and leaves PAM_USER set to +the initial authentication identity. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth group. +.It silent [1.0] Don't show messages and errors from Kerberos, such as warnings of -expiring passwords, to the user via the prompter. This is equivalent to -the behavior when the application passes in PAM_SILENT, but can be set in -the PAM configuration. -.Sp +expiring passwords, to the user via the prompter. +This is equivalent to the behavior when the application passes in +PAM_SILENT, but can be set in the PAM configuration. +.Pp This option is only applicable to the auth and password groups. -.IP trace=<log\-file> 4 -.IX Item "trace=<log-file>" -[4.6] Enables Kerberos library trace logging to the specified log file if -it is supported by the Kerberos library. This is intended for temporary -debugging. The specified file will be appended to without further -security checks, so do not specify a file in a publicly writable directory -like \fI/tmp\fR. -.SS PKINIT -.IX Subsection "PKINIT" -.IP pkinit_anchors=<anchors> 4 -.IX Item "pkinit_anchors=<anchors>" -[3.0] When doing PKINIT authentication, use <anchors> as the client trust -anchors. This is normally a reference to a file containing the trusted -certificate authorities. This option is only used if \fItry_pkinit\fR or -\&\fIuse_pkinit\fR are set. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.IP pkinit_prompt 4 -.IX Item "pkinit_prompt" -[3.0] Before attempting PKINIT authentication, prompt the user to insert a -smart card. You may want to set this option for programs such as -\&\fBgnome-screensaver\fR that call PAM as soon as the mouse is touched and -don't give the user an opportunity to enter the smart card first. Any -information entered at the first prompt is ignored. 
If \fItry_pkinit\fR is -set, a user who wishes to use a password instead can just press Enter and -then enter their password as normal. This option is only used if -\&\fItry_pkinit\fR or \fIuse_pkinit\fR are set. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.IP pkinit_user=<userid> 4 -.IX Item "pkinit_user=<userid>" -[3.0] When doing PKINIT authentication, use <userid> as the user ID. The +.It trace=<log-file> +[4.6] Enables Kerberos library trace logging to the specified log file +if it is supported by the Kerberos library. +This is intended for temporary debugging. +The specified file will be appended to without further security checks, +so do not specify a file in a publicly writable directory like +.Pa /tmp . +.El +.Ss PKINIT +.Bl -tag -width Ds +.It pkinit_anchors=<anchors> +[3.0] When doing PKINIT authentication, use <anchors> as the client +trust anchors. +This is normally a reference to a file containing the trusted +certificate authorities. +This option is only used if +.Em try_pkinit +or +.Em use_pkinit +are set. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.It pkinit_prompt +[3.0] Before attempting PKINIT authentication, prompt the user to insert +a smart card. +You may want to set this option for programs such as +.Sy gnome-screensaver +that call PAM as soon as the mouse is touched and don't give the user an +opportunity to enter the smart card first. +Any information entered at the first prompt is ignored. +If +.Em try_pkinit +is set, a user who wishes to use a password instead can just press Enter +and then enter their password as normal. +This option is only used if +.Em try_pkinit +or +.Em use_pkinit +are set. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. 
+.It pkinit_user=<userid> +[3.0] When doing PKINIT authentication, use <userid> as the user ID. The value of this string is highly dependent on the type of PKINIT implementation you're using, but will generally be something like: -.Sp -.Vb 1 -\& PKCS11:/usr/lib/pkcs11/lib/soft\-pkcs11.so -.Ve -.Sp -to specify the module to use with a smart card. It may also point to a -user certificate or to other types of user IDs. See the Kerberos library -documentation for more details. This option is only used if \fItry_pkinit\fR -or \fIuse_pkinit\fR are set. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.IP preauth_opt=<option> 4 -.IX Item "preauth_opt=<option>" -[3.3] Sets a preauth option (currently only applicable when built with MIT -Kerberos). <option> is either a key/value pair with the key separated -from the value by \f(CW\*(C`=\*(C'\fR or a boolean option (in which case it's turned on). -In \fIkrb5.conf\fR, multiple options should be separated by whitespace. In -the PAM configuration, this option can be given multiple times to set -multiple options. In either case, <option> may not contain whitespace. -.Sp +.Bd -literal + PKCS11:/usr/lib/pkcs11/lib/soft-pkcs11.so +.Ed +.Pp +to specify the module to use with a smart card. +It may also point to a user certificate or to other types of user IDs. +See the Kerberos library documentation for more details. +This option is only used if +.Em try_pkinit +or +.Em use_pkinit +are set. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.It preauth_opt=<option> +[3.3] Sets a preauth option (currently only applicable when built with +MIT Kerberos). +<option> is either a key/value pair with the key separated from the +value by +.Qo Li = Qc +or a boolean option (in which case it's turned on). 
+In +.Pa krb5.conf , +multiple options should be separated by whitespace. +In the PAM configuration, this option can be given multiple times to set +multiple options. +In either case, <option> may not contain whitespace. +.Pp The primary use of this option, at least in the near future, will be to -set options for the MIT Kerberos PKINIT support. For the full list of -possible options, see the PKINIT plugin documentation. At the time of -this writing, \f(CW\*(C`X509_user_identity\*(C'\fR is equivalent to \fIpkinit_user\fR and -\&\f(CW\*(C`X509_anchors\*(C'\fR is equivalent to \fIpkinit_anchors\fR. \f(CW\*(C`flag_DSA_PROTOCOL\*(C'\fR +set options for the MIT Kerberos PKINIT support. +For the full list of possible options, see the PKINIT plugin +documentation. +At the time of this writing, +.Qo Li X509_user_identity Qc +is equivalent to +.Em pkinit_user +and +.Qo Li X509_anchors Qc +is equivalent to +.Em pkinit_anchors . +.Qo Li flag_DSA_PROTOCOL Qc can only be set via this option. -.Sp -Any settings made with this option are applied after the \fIpkinit_anchors\fR -and \fIpkinit_user\fR options, so if an equivalent setting is made via -\&\fIpreauth_opt\fR, it will probably override the other setting. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. Note that there is no way to -remove a setting made in \fIkrb5.conf\fR using the PAM configuration, but -options set in the PAM configuration are applied after options set in -\&\fIkrb5.conf\fR and therefore may override earlier settings. -.IP try_pkinit 4 -.IX Item "try_pkinit" -[3.0] Attempt PKINIT authentication before trying a regular password. You -will probably also need to set the \fIpkinit_user\fR configuration option. 
+.Pp +Any settings made with this option are applied after the +.Em pkinit_anchors +and +.Em pkinit_user +options, so if an equivalent setting is made via +.Em preauth_opt , +it will probably override the other setting. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +Note that there is no way to remove a setting made in +.Pa krb5.conf +using the PAM configuration, but options set in the PAM configuration +are applied after options set in +.Pa krb5.conf +and therefore may override earlier settings. +.It try_pkinit +[3.0] Attempt PKINIT authentication before trying a regular password. +You will probably also need to set the +.Em pkinit_user +configuration option. If PKINIT fails, the PAM module will fall back on regular password -authentication. This option is currently only supported if pam\-krb5 was -built against Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later. -.Sp -If this option is set and pam\-krb5 is built against MIT Kerberos, and +authentication. +This option is currently only supported if pam-krb5 was built against +Heimdal 0.8rc1 or later or MIT Kerberos 1.6.3 or later. +.Pp +If this option is set and pam-krb5 is built against MIT Kerberos, and PKINIT fails and the module falls back to password authentication, the user's password will not be stored in the PAM stack for subsequent -modules. This is a bug in the interaction between the module and MIT -Kerberos that requires some reworking of the PKINIT authentication method -to fix. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.IP use_pkinit 4 -.IX Item "use_pkinit" -[3.0, 4.9 for MIT Kerberos] Require PKINIT authentication. You will -probably also need to set the \fIpkinit_user\fR configuration option. If -PKINIT fails, authentication will fail. 
This option is only supported if -pam\-krb5 was built against Heimdal 0.8rc1 or later or MIT Kerberos 1.12 or -later. -.Sp +modules. +This is a bug in the interaction between the module and MIT Kerberos +that requires some reworking of the PKINIT authentication method to fix. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.It use_pkinit +[3.0, 4.9 for MIT Kerberos] Require PKINIT authentication. +You will probably also need to set the +.Em pkinit_user +configuration option. +If PKINIT fails, authentication will fail. +This option is only supported if pam-krb5 was built against Heimdal +0.8rc1 or later or MIT Kerberos 1.12 or later. +.Pp Be aware that, with MIT Kerberos, this option is implemented by using a -responder without a prompter, and thus any informational messages from the -Kerberos libraries or KDC during authentication will not be displayed. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.SS Prompting -.IX Subsection "Prompting" -.IP banner=<banner> 4 -.IX Item "banner=<banner>" +responder without a prompter, and thus any informational messages from +the Kerberos libraries or KDC during authentication will not be +displayed. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.El +.Ss Prompting +.Bl -tag -width Ds +.It banner=<banner> [3.0] By default, the prompts when a user changes their password are: -.Sp -.Vb 3 -\& Current Kerberos password: -\& Enter new Kerberos password: -\& Retype new Kerberos password: -.Ve -.Sp +.Bd -literal + Current Kerberos password: + Enter new Kerberos password: + Retype new Kerberos password: +.Ed +.Pp The string "Kerberos" is inserted so that users aren't confused about -which password they're changing. 
Setting this option replaces the word -"Kerberos" with whatever this option is set to. Setting this option to -the empty string removes the word before "password:" entirely. -.Sp -If set in the PAM configuration, <banner> may not contain whitespace. If -you want a value containing whitespace, set it in \fIkrb5.conf\fR. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the password group. -.IP expose_account 4 -.IX Item "expose_account" +which password they're changing. +Setting this option replaces the word "Kerberos" with whatever this +option is set to. +Setting this option to the empty string removes the word before +"password:" entirely. +.Pp +If set in the PAM configuration, <banner> may not contain whitespace. +If you want a value containing whitespace, set it in +.Pa krb5.conf . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the password group. +.It expose_account [3.0] By default, the Kerberos PAM module password prompt is simply -"Password:". This avoids leaking any information about the system realm -or account to principal conversions. If this option is set, the string -"for <principal>" is added before the colon, where <principal> is the -user's principal. This string is also added before the colon on prompts -when changing the user's password. -.Sp +"Password:". This avoids leaking any information about the system realm +or account to principal conversions. +If this option is set, the string "for <principal>" is added before the +colon, where <principal> is the user's principal. +This string is also added before the colon on prompts when changing the +user's password. +.Pp Enabling this option with ChallengeResponseAuthentication enabled in OpenSSH may cause problems for some ssh clients that only recognize -"Password:" as a prompt. 
This option is automatically disabled if -\&\fIsearch_k5login\fR is enabled since the principal displayed would be -inaccurate. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and password groups. -.IP force_first_pass 4 -.IX Item "force_first_pass" +"Password:" as a prompt. +This option is automatically disabled if +.Em search_k5login +is enabled since the principal displayed would be inaccurate. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and password groups. +.It force_first_pass [4.0] Use the password obtained by a previous authentication or password -module to authenticate the user without prompting the user again. If no -previous module obtained the user's password, fail without prompting the -user. Also see \fItry_first_pass\fR and \fIuse_first_pass\fR for weaker -versions of this option. -.Sp -This option is only applicable to the auth and password groups. For the -password group, it applies only to the old password. See \fIuse_authtok\fR +module to authenticate the user without prompting the user again. +If no previous module obtained the user's password, fail without +prompting the user. +Also see +.Em try_first_pass +and +.Em use_first_pass +for weaker versions of this option. +.Pp +This option is only applicable to the auth and password groups. +For the password group, it applies only to the old password. +See +.Em use_authtok for a similar setting for the new password. -.IP no_prompt 4 -.IX Item "no_prompt" -[4.6] Never prompt for the current password. Instead, pass in a NULL -password to the Kerberos library and let the Kerberos library do the -prompting. This may be needed if, for example, the Kerberos library is -configured to use other authentication mechanisms than passwords and needs -full control over the prompting process. 
-.Sp -The major disadvantage of this option is that it means the PAM module will -never see the user's password and therefore cannot save it in the PAM -module data for any subsequent modules. In other words, this option -cannot be used if another module is in the stack behind the Kerberos PAM -module and wants to use \fIuse_first_pass\fR. The Kerberos library also -usually includes the principal in the prompt, and therefore this option -implies behavior similar to \fIexpose_account\fR. Similar to -\&\fIexpose_account\fR, this can cause problems with OpenSSH if -ChallengeResponseAuthentication is enabled, since clients may not -recognize password prompts other than "Password:". -.Sp -Using this option with \fIsearch_k5login\fR would result in a password prompt -for every principal listed in the user's \fI.k5login\fR file. This is -probably not desired behavior, although it's not prohibited by the module. -.Sp -This option is only applicable to the auth and password groups. For the -password group, it applies only to the authentication process; the user -will still be prompted for a new password. -.IP prompt_principal 4 -.IX Item "prompt_principal" +.It no_prompt +[4.6] Never prompt for the current password. +Instead, pass in a NULL password to the Kerberos library and let the +Kerberos library do the prompting. +This may be needed if, for example, the Kerberos library is configured +to use other authentication mechanisms than passwords and needs full +control over the prompting process. +.Pp +The major disadvantage of this option is that it means the PAM module +will never see the user's password and therefore cannot save it in the +PAM module data for any subsequent modules. +In other words, this option cannot be used if another module is in the +stack behind the Kerberos PAM module and wants to use +.Em use_first_pass . 
+The Kerberos library also usually includes the principal in the prompt, +and therefore this option implies behavior similar to +.Em expose_account . +Similar to +.Em expose_account , +this can cause problems with OpenSSH if ChallengeResponseAuthentication +is enabled, since clients may not recognize password prompts other than +"Password:". +.Pp +Using this option with +.Em search_k5login +would result in a password prompt for every principal listed in the +user's +.Pa .k5login +file. +This is probably not desired behavior, although it's not prohibited by +the module. +.Pp +This option is only applicable to the auth and password groups. +For the password group, it applies only to the authentication process; +the user will still be prompted for a new password. +.It prompt_principal [3.6] Before prompting for the user's password (or using the previously -entered password, if \fItry_first_pass\fR, \fIuse_first_pass\fR, or -\&\fIforce_first_pass\fR are set), prompt the user for the Kerberos principal -to use for authentication. This allows the user to authenticate with a -different principal than the one corresponding to the local username, -provided that either a \fI.k5login\fR file or local Kerberos principal to -account mapping authorize that principal to access the local account. -.Sp +entered password, if +.Em try_first_pass , +.Em use_first_pass , +or +.Em force_first_pass +are set), prompt the user for the Kerberos principal to use for +authentication. +This allows the user to authenticate with a different principal than the +one corresponding to the local username, provided that either a +.Pa .k5login +file or local Kerberos principal to account mapping authorize that +principal to access the local account. +.Pp Be cautious when using this configuration option and don't use it with OpenSSH PasswordAuthentication, only ChallengeResponseAuthentication. 
Some PAM-enabled applications expect PAM modules to only prompt for passwords and may even blindly give the password to the first prompt, no -matter what it is. Such applications, in combination with this option, -may expose the user's password in log messages and Kerberos requests. -.IP try_first_pass 4 -.IX Item "try_first_pass" +matter what it is. +Such applications, in combination with this option, may expose the +user's password in log messages and Kerberos requests. +.It try_first_pass [1.0] If the authentication module isn't the first on the stack, and a previous module obtained the user's password, use that password to -authenticate the user without prompting them again. If that -authentication fails, fall back on prompting the user for their password. +authenticate the user without prompting them again. +If that authentication fails, fall back on prompting the user for their +password. This option has no effect if the authentication module is first in the -stack or if no previous module obtained the user's password. Also see -\&\fIuse_first_pass\fR and \fIforce_first_pass\fR for stronger versions of this -option. -.Sp -This option is only applicable to the auth and password groups. For the -password group, it applies only to the old password. -.IP use_authtok 4 -.IX Item "use_authtok" +stack or if no previous module obtained the user's password. +Also see +.Em use_first_pass +and +.Em force_first_pass +for stronger versions of this option. +.Pp +This option is only applicable to the auth and password groups. +For the password group, it applies only to the old password. +.It use_authtok [4.0] Use the new password obtained by a previous password module when -changing passwords rather than prompting for the new password. If the new -password isn't available, fail. This can be used to require passwords be -checked by another, prior module, such as \fBpam_cracklib\fR. -.Sp +changing passwords rather than prompting for the new password. 
+If the new password isn't available, fail. +This can be used to require passwords be checked by another, prior +module, such as +.Sy pam_cracklib . +.Pp This option is only applicable to the password group. -.IP use_first_pass 4 -.IX Item "use_first_pass" +.It use_first_pass [1.0] Use the password obtained by a previous authentication module to -authenticate the user without prompting the user again. If no previous -module obtained the user's password for either an authentication or -password change, fall back on prompting the user. If a previous module -did obtain the user's password but authentication with that password -fails, fail without further prompting the user. Also see -\&\fItry_first_pass\fR and \fIforce_first_pass\fR for other versions of this -option. -.Sp -This option is only applicable to the auth and password groups. For the -password group, it applies only to the old password. See \fIuse_authtok\fR +authenticate the user without prompting the user again. +If no previous module obtained the user's password for either an +authentication or password change, fall back on prompting the user. +If a previous module did obtain the user's password but authentication +with that password fails, fail without further prompting the user. +Also see +.Em try_first_pass +and +.Em force_first_pass +for other versions of this option. +.Pp +This option is only applicable to the auth and password groups. +For the password group, it applies only to the old password. +See +.Em use_authtok for a similar setting for the new password. -.SS "Ticket Caches" -.IX Subsection "Ticket Caches" -.IP ccache=<pattern> 4 -.IX Item "ccache=<pattern>" +.El +.Ss Ticket Caches +.Bl -tag -width Ds +.It ccache=<pattern> [2.0] Use <pattern> as the pattern for creating credential cache names. <pattern> must be in the form <type>:<residual> where <type> and the -following colon are optional if a file cache should be used. 
The special -token \f(CW%u\fR, anywhere in <pattern>, is replaced with the user's numeric -UID. The special token \f(CW%p\fR, anywhere in <pattern>, is replaced with the -current process ID. -.Sp -If <pattern> ends in the literal string \f(CW\*(C`XXXXXX\*(C'\fR (six X's), that string -will be replaced by randomly generated characters and the ticket cache -will be created using \fBmkstemp\fR\|(3). This is strongly recommended if -<pattern> points to a world-writable directory. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and session groups. -.IP ccache_dir=<directory> 4 -.IX Item "ccache_dir=<directory>" -[1.2] Store both the temporary ticket cache used during authentication and -user ticket caches in <directory> instead of in \fI/tmp\fR. The algorithm -for generating the ticket cache name is otherwise unchanged. <directory> -may be prefixed with \f(CW\*(C`FILE:\*(C'\fR to make the cache type unambiguous (and this -may be required on systems that use a cache type other than file as the -default). -.Sp +following colon are optional if a file cache should be used. +The special token +.Qo Li %u Qc , +anywhere in <pattern>, is replaced with the user's numeric UID. The +special token +.Qo Li %p Qc , +anywhere in <pattern>, is replaced with the current process ID. +.Pp +If <pattern> ends in the literal string +.Qo Li XXXXXX Qc +(six X's), that string will be replaced by randomly generated characters +and the ticket cache will be created using mkstemp(3). This is strongly +recommended if <pattern> points to a world-writable directory. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and session groups. +.It ccache_dir=<directory> +[1.2] Store both the temporary ticket cache used during authentication +and user ticket caches in <directory> instead of in +.Pa /tmp . 
+The algorithm for generating the ticket cache name is otherwise +unchanged. +<directory> may be prefixed with +.Qo Li FILE: Qc +to make the cache type unambiguous (and this may be required on systems +that use a cache type other than file as the default). +.Pp Be aware that pam_krb5 creates and stores a temporary ticket cache file -owned by root during the login process. If you set \fIccache\fR above to -avoid using the system \fI/tmp\fR directory for user ticket caches, you may -also want to set \fIccache_dir\fR to move those temporary caches to some -other location. This will allow pam_krb5 to continue working even if the -system \fI/tmp\fR directory is full. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and session groups. -.IP no_ccache 4 -.IX Item "no_ccache" -[1.0] Do not create a ticket cache after authentication. This option -shouldn't be set in general, but is useful as part of the PAM -configuration for a particular service that uses PAM for authentication -but isn't creating user sessions and doesn't want the overhead of ever -writing the user credentials to disk. When using this option, the -application should only call \fBpam_authenticate()\fR; other functions like -\&\fBpam_setcred()\fR, \fBpam_start_session()\fR, and \fBpam_acct_mgmt()\fR don't make sense -with this option. Don't use this option if the application needs PAM -account and session management calls. -.Sp +owned by root during the login process. +If you set +.Em ccache +above to avoid using the system +.Pa /tmp +directory for user ticket caches, you may also want to set +.Em ccache_dir +to move those temporary caches to some other location. +This will allow pam_krb5 to continue working even if the system +.Pa /tmp +directory is full. +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and session groups. 
+.It no_ccache +[1.0] Do not create a ticket cache after authentication. +This option shouldn't be set in general, but is useful as part of the +PAM configuration for a particular service that uses PAM for +authentication but isn't creating user sessions and doesn't want the +overhead of ever writing the user credentials to disk. +When using this option, the application should only call +.Xr pam_authenticate 3 ; +other functions like +.Xr pam_setcred 3 , +.Xr pam_start_session 3 , +and +.Xr pam_acct_mgmt 3 +don't make sense with this option. +Don't use this option if the application needs PAM account and session +management calls. +.Pp This option is only applicable to the auth group. -.IP retain_after_close 4 -.IX Item "retain_after_close" -[2.3] Normally, the user's ticket cache is destroyed when either \fBpam_end()\fR -or \fBpam_close_session()\fR is called by the authenticating application so that -ticket caches aren't left behind after the user logs out. In some cases, -however, this isn't desirable. (On Solaris 8, for instance, the default -behavior means login will destroy the ticket cache before running the -user's shell.) If this option is set, the PAM module will never destroy -the user's ticket cache. If you set this, you may want to call -\&\fBkdestroy\fR in the shell's logout configuration or run a temporary file -removal program to avoid accumulating hundreds of ticket caches in -\&\fI/tmp\fR. -.Sp -This option can be set in \f(CW\*(C`[appdefaults]\*(C'\fR in \fIkrb5.conf\fR and is only -applicable to the auth and session groups. -.SH ENVIRONMENT -.IX Header "ENVIRONMENT" -.IP KRB5CCNAME 4 -.IX Item "KRB5CCNAME" -Set by \fBpam_setcred()\fR with the PAM_ESTABLISH_CRED option, and therefore -also by \fBpam_open_session()\fR, to point to the new credential cache for the -user. See the \fIccache\fR and \fIccache_dir\fR options. By default, the cache -name will be prefixed with \f(CW\*(C`FILE:\*(C'\fR to make the cache type unambiguous. 
-.IP PAM_KRB5CCNAME 4 -.IX Item "PAM_KRB5CCNAME" -Set by \fBpam_authenticate()\fR to point to the temporary ticket cache used for -authentication (unless the \fIno_ccache\fR option was given). \fBpam_setcred()\fR -then uses that environment variable to locate the temporary cache even if -it was not called in the same PAM session as \fBpam_authenticate()\fR (a problem -with \fBsshd\fR running in some modes). This environment variable is only -used internal to the PAM module. -.SH FILES -.IX Header "FILES" -.IP \fI/tmp/krb5cc_UID_RANDOM\fR 4 -.IX Item "/tmp/krb5cc_UID_RANDOM" -The default credential cache name. UID is the decimal UID of the local -user and RANDOM is a random six-character string. The pattern may be -changed with the \fIccache\fR option and the directory with the \fIccache_dir\fR +.It retain_after_close +[2.3] Normally, the user's ticket cache is destroyed when either +.Xr pam_end 3 +or +.Xr pam_close_session 3 +is called by the authenticating application so that ticket caches aren't +left behind after the user logs out. +In some cases, however, this isn't desirable. +(On Solaris 8, for instance, the default behavior means login will +destroy the ticket cache before running the user's shell.) +If this option is set, the PAM module will never destroy the user's +ticket cache. +If you set this, you may want to call +.Sy kdestroy +in the shell's logout configuration or run a temporary file removal +program to avoid accumulating hundreds of ticket caches in +.Pa /tmp . +.Pp +This option can be set in +.Qo Li [appdefaults] Qc +in +.Pa krb5.conf +and is only applicable to the auth and session groups. +.El +.Sh ENVIRONMENT +.Bl -tag -width Ds +.It KRB5CCNAME +Set by +.Xr pam_setcred 3 +with the PAM_ESTABLISH_CRED option, and therefore also by +.Xr pam_open_session 3 , +to point to the new credential cache for the user. +See the +.Em ccache +and +.Em ccache_dir +options. 
+By default, the cache name will be prefixed with +.Qo Li FILE: Qc +to make the cache type unambiguous. +.It PAM_KRB5CCNAME +Set by +.Xr pam_authenticate 3 +to point to the temporary ticket cache used for authentication (unless +the +.Em no_ccache +option was given). +.Xr pam_setcred 3 +then uses that environment variable to locate the temporary cache even +if it was not called in the same PAM session as +.Xr pam_authenticate 3 +(a problem with +.Sy sshd +running in some modes). +This environment variable is only used internal to the PAM module. +.El +.Sh FILES +.Bl -tag -width Ds +.It Pa /tmp/krb5cc_UID_RANDOM +The default credential cache name. +UID is the decimal UID of the local user and RANDOM is a random +six-character string. +The pattern may be changed with the +.Em ccache +option and the directory with the +.Em ccache_dir option. -.IP \fI/tmp/krb5cc_pam_RANDOM\fR 4 -.IX Item "/tmp/krb5cc_pam_RANDOM" -The credential cache name used for the temporary credential cache created -by \fBpam_authenticate()\fR. This cache is removed again when the PAM session -is ended or when \fBpam_setcred()\fR is called and will normally not be -user-visible. RANDOM is a random six-character string. -.IP \fI~/.k5login\fR 4 -.IX Item "~/.k5login" +.It Pa /tmp/krb5cc_pam_RANDOM +The credential cache name used for the temporary credential cache +created by +.Xr pam_authenticate 3 . +This cache is removed again when the PAM session is ended or when +.Xr pam_setcred 3 +is called and will normally not be user-visible. +RANDOM is a random six-character string. +.It Pa ~/.k5login File containing Kerberos principals that are allowed access to that account. -.SH BUGS -.IX Header "BUGS" -If \fItry_pkinit\fR is set and pam\-krb5 is built with MIT Kerberos, the -user's password is not saved in the PAM data if PKINIT fails and the -module falls back to password authentication. 
-.SH CAVEATS -.IX Header "CAVEATS" -Be sure to list this module in the session group as well as the auth group -when using it for interactive logins. Otherwise, some applications (such -as OpenSSH) will not set up the user's ticket cache correctly. -.PP -The Kerberos library, via pam\-krb5, will prompt the user to change their +.El +.Sh BUGS +If +.Em try_pkinit +is set and pam-krb5 is built with MIT Kerberos, the user's password is +not saved in the PAM data if PKINIT fails and the module falls back to +password authentication. +.Sh CAVEATS +Be sure to list this module in the session group as well as the auth +group when using it for interactive logins. +Otherwise, some applications (such as OpenSSH) will not set up the +user's ticket cache correctly. +.Pp +The Kerberos library, via pam-krb5, will prompt the user to change their password if their password is expired, but when using OpenSSH, this will -only work when ChallengeResponseAuthentication is enabled. Unless this -option is enabled, OpenSSH doesn't pass PAM messages to the user and can -only respond to a simple password prompt. -.PP +only work when ChallengeResponseAuthentication is enabled. +Unless this option is enabled, OpenSSH doesn't pass PAM messages to the +user and can only respond to a simple password prompt. +.Pp If you are using MIT Kerberos, be aware that users whose passwords are expired will not be prompted to change their password unless the KDC configuration for your realm in [realms] in krb5.conf contains a -master_kdc setting or, if using DNS SRV records, you have a DNS entry for -_kerberos\-master as well as _kerberos. -.PP -\&\fBpam_authenticate()\fR returns failure when called for an ignored account, -requiring the system administrator to use \f(CW\*(C`optional\*(C'\fR or \f(CW\*(C`sufficient\*(C'\fR to -ignore the module and move on to the next module. 
It's arguably more -correct to return PAM_IGNORE, which causes the module to be ignored as if -it weren't in the configuration, but this increases the risk of -inadvertent security holes when listing pam\-krb5 as the only +master_kdc setting or, if using DNS SRV records, you have a DNS entry +for _kerberos-master as well as _kerberos. +.Pp +.Xr pam_authenticate 3 +returns failure when called for an ignored account, requiring the system +administrator to use +.Qo Li optional Qc +or +.Qo Li sufficient Qc +to ignore the module and move on to the next module. +It's arguably more correct to return PAM_IGNORE, which causes the module +to be ignored as if it weren't in the configuration, but this increases +the risk of inadvertent security holes when listing pam-krb5 as the only authentication module. -.PP +.Pp This module treats the empty password as an authentication failure rather than attempting to use that password to avoid unwanted prompting -behavior in the Kerberos libraries. If you have a Kerberos principal that -intentionally has an empty password, it won't work with this module. -.PP +behavior in the Kerberos libraries. +If you have a Kerberos principal that intentionally has an empty +password, it won't work with this module. +.Pp This module will not refresh an existing ticket cache if called with an -effective UID or GID different than the real UID or GID, since refreshing -an existing ticket cache requires trusting the KRB5CCNAME environment -variable and the environment should not be trusted in a setuid context. -.PP +effective UID or GID different than the real UID or GID, since +refreshing an existing ticket cache requires trusting the KRB5CCNAME +environment variable and the environment should not be trusted in a +setuid context. 
+.Pp Old versions of OpenSSH are known to call pam_authenticate followed by -pam_setcred(PAM_REINITIALIZE_CRED) without first calling pam_open_session, -thereby requesting that an existing ticket cache be renewed (similar to -what a screensaver would want) rather than requesting a new ticket cache -be created. Since this behavior is indistinguishable at the PAM level -from a screensaver, pam\-krb5 when used with these old versions of OpenSSH -will refresh the ticket cache of the OpenSSH daemon rather than setting up -a new ticket cache for the user. The resulting ticket cache will have the -correct permissions, but will not be named correctly or referenced in the -user's environment and will be overwritten by the next user login. The -best solution to this problem is to upgrade OpenSSH. I'm not sure exactly -when this problem was fixed, but at the very least OpenSSH 4.3 and later -do not exhibit it. -.SH AUTHOR -.IX Header "AUTHOR" -pam\-krb5 was originally written by Frank Cusack. Andres Salomon made -extensive modifications, and then Russ Allbery <eagle@eyrie.org> adopted -it and made even more extensive modifications. Russ Allbery currently -maintains the module. -.SH "COPYRIGHT AND LICENSE" -.IX Header "COPYRIGHT AND LICENSE" -Copyright 2005\-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org> -.PP -Copyright 2008\-2014 The Board of Trustees of the Leland Stanford Junior +pam_setcred(PAM_REINITIALIZE_CRED) without first calling +pam_open_session, thereby requesting that an existing ticket cache be +renewed (similar to what a screensaver would want) rather than +requesting a new ticket cache be created. +Since this behavior is indistinguishable at the PAM level from a +screensaver, pam-krb5 when used with these old versions of OpenSSH will +refresh the ticket cache of the OpenSSH daemon rather than setting up a +new ticket cache for the user. 
+The resulting ticket cache will have the correct permissions, but will +not be named correctly or referenced in the user's environment and will +be overwritten by the next user login. +The best solution to this problem is to upgrade OpenSSH. I'm not sure +exactly when this problem was fixed, but at the very least OpenSSH 4.3 +and later do not exhibit it. +.Sh AUTHOR +pam-krb5 was originally written by Frank Cusack. +Andres Salomon made extensive modifications, and then Russ Allbery +<eagle@eyrie.org> adopted it and made even more extensive modifications. +Russ Allbery currently maintains the module. +.Sh COPYRIGHT AND LICENSE +Copyright 2005-2010, 2014, 2020 Russ Allbery <eagle@eyrie.org> +.Pp +Copyright 2008-2014 The Board of Trustees of the Leland Stanford Junior University -.PP +.Pp Copying and distribution of this file, with or without modification, are -permitted in any medium without royalty provided the copyright notice and -this notice are preserved. This file is offered as-is, without any -warranty. -.PP +permitted in any medium without royalty provided the copyright notice +and this notice are preserved. +This file is offered as-is, without any warranty. +.Pp SPDX-License-Identifier: FSFAP -.SH "SEE ALSO" -.IX Header "SEE ALSO" -\&\fBkadmin\fR\|(8), \fBkdestroy\fR\|(1), \fBkrb5.conf\fR\|(5), \fBpam\fR\|(7), \fBpasswd\fR\|(1), \fBsyslog\fR\|(3) -.PP +.Sh SEE ALSO +kadmin(8), kdestroy(1), krb5.conf(5), pam.conf(5), passwd(1), syslog(3) +.Pp The current version of this module is available from its web page at -<https://www.eyrie.org/~eagle/software/pam\-krb5/>. +.Lk https://www.eyrie.org/~eagle/software/pam-krb5/ . diff --git a/lib/libpfctl/libpfctl.c b/lib/libpfctl/libpfctl.c index e747763ae6ef..3db596d6fd38 100644 --- a/lib/libpfctl/libpfctl.c +++ b/lib/libpfctl/libpfctl.c @@ -76,7 +76,6 @@ pfctl_open(const char *pf_device) struct pfctl_handle *h; h = calloc(1, sizeof(struct pfctl_handle)); - h->fd = -1; h->fd = open(pf_device, O_RDWR); if (h->fd < 0) 
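Review bot: `h` is dereferenced on the line right after `calloc` in pfctl_open with no NULL check, so an allocation failure crashes at `h->fd = open(pf_device, O_RDWR)` instead of returning an error to the caller. Dropping the dead `h->fd = -1` store is fine, but the guard is still missing; I would add `if (h == NULL) return (NULL);` directly after the `calloc` call. The function continues past the end of this hunk, and the `error:` path touched by the next hunk also assumes a valid `h`.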
@@ -87,7 +86,8 @@ pfctl_open(const char *pf_device) return (h); error: - close(h->fd); + if (h->fd != -1) + close(h->fd); snl_free(&h->ss); free(h); diff --git a/lib/libproc/Makefile b/lib/libproc/Makefile index 5720dfdb6621..670c4399f63e 100644 --- a/lib/libproc/Makefile +++ b/lib/libproc/Makefile @@ -20,10 +20,10 @@ LIBADD+= ctf IGNORE_PRAGMA= YES CFLAGS+= -DIN_BASE CFLAGS+= -DSKIP_SPL_SYS_CONDVAR_H -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/ -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd -CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h +CFLAGS+= -I${ZFSTOP}/include +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/ +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd +CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h CFLAGS+= -DHAVE_ISSETUGID -DHAVE_BOOLEAN -DHAVE_STRLCAT -DHAVE_STRLCPY CFLAGS+= -I${SRCTOP}/cddl/contrib/opensolaris/lib/libctf/common \ -I${SRCTOP}/sys/cddl/contrib/opensolaris/uts/common \ diff --git a/lib/libprocstat/Makefile b/lib/libprocstat/Makefile index ab0c8157b393..648da69e2fcb 100644 --- a/lib/libprocstat/Makefile +++ b/lib/libprocstat/Makefile @@ -55,7 +55,6 @@ MLINKS+=libprocstat.3 procstat_close.3 \ .if ${MK_CDDL} != "no" CFLAGS+= -DLIBPROCSTAT_ZFS SRCS+= zfs.c -ZFSTOP= ${SRCTOP}/sys/contrib/openzfs CFLAGS.zfs.c+= -DIN_BASE CFLAGS.zfs.c+= -DHAVE_ISSETUGID CFLAGS.zfs.c+= -DZFS_DEBUG diff --git a/lib/libsys/lseek.2 b/lib/libsys/lseek.2 index 6df543d8ce72..7fabe8fc3b4d 100644 --- a/lib/libsys/lseek.2 +++ b/lib/libsys/lseek.2 @@ -209,7 +209,8 @@ and .Dv SEEK_DATA directives, along with the .Er ENXIO -error, are extensions to that specification. +error, are expected to conform to +.St -p1003.1-2024 . .Sh HISTORY The .Fn lseek diff --git a/libexec/nuageinit/nuage.lua b/libexec/nuageinit/nuage.lua index 3eeb2ea0b44c..2d962b540b23 100644 --- a/libexec/nuageinit/nuage.lua +++ b/libexec/nuageinit/nuage.lua 
@@ -69,7 +69,7 @@ local function errmsg(str, prepend) end local function chmod(path, mode) - local mode = tonumber(mode, 8) + mode = tonumber(mode, 8) local _, err, msg = sys_stat.chmod(path, mode) if err then errmsg("chmod(" .. path .. ", " .. mode .. ") failed: " .. msg) @@ -150,8 +150,6 @@ local function splitlines(s) end local function getgroups() - local ret = {} - local root = os.getenv("NUAGE_FAKE_ROOTDIR") local cmd = "pw " if root then @@ -579,7 +577,7 @@ local function settimezone(timezone) root = "/" end - f, _, rc = os.execute("tzsetup -s -C " .. root .. " " .. timezone) + local f, _, rc = os.execute("tzsetup -s -C " .. root .. " " .. timezone) if not f then warnmsg("Impossible to configure time zone ( rc = " .. rc .. " )") diff --git a/libexec/nuageinit/nuageinit b/libexec/nuageinit/nuageinit index dc33f20464dc..a5411c60b410 100755 --- a/libexec/nuageinit/nuageinit +++ b/libexec/nuageinit/nuageinit @@ -229,10 +229,10 @@ local function nameservers(interface, obj) local resolv_conf = root .. "/etc/resolv.conf" - resolv_conf_attr = lfs.attributes(resolv_conf) + local resolv_conf_attr = lfs.attributes(resolv_conf) if resolv_conf_attr == nil then - resolv_conf_handler = open_resolv_conf() + local resolv_conf_handler = open_resolv_conf() resolv_conf_handler:close() end @@ -295,10 +295,11 @@ local function match_rules(rules) -- with the matching interfaces must be returned. This changes the way we initially -- thought about our implementation, since at first we only needed one interface, -- but cloud-init performs actions on a group of matching interfaces. + local interface local interfaces = {} if rules.macaddress then local ifaces = get_ifaces_by_mac() - local interface = ifaces[rules.macaddress] + interface = ifaces[rules.macaddress] if not interface then nuage.warn("not interface matching by MAC address: " .. rules.macaddress) return 
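Review bot: `tonumber(mode, 8)` in chmod returns nil when the string is not valid octal, and the result goes unchecked into `sys_stat.chmod` and into the `.. mode ..` concatenation of the error message, which itself raises on nil. Since the mode decides the permissions of a file being written, a bad value should be rejected before the call, for example `if not mode then errmsg("chmod(" .. path .. "): invalid mode") return end`. The function body continues past the end of the hunk.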
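Review bot: `root` and `timezone` are concatenated unquoted into the `tzsetup` command line in settimezone, so a value containing spaces or shell metacharacters changes what `os.execute` runs. The commit only makes `f` and `rc` local; the string building is untouched. I would validate the name before the call, e.g. `if not timezone:match("^[%w_+/-]+$") then warnmsg("invalid time zone: " .. timezone) return end`. The start of settimezone is outside the hunk, so an earlier check on `timezone` cannot be ruled out.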
@@ -348,11 +349,11 @@ local function write_files(files, defer) end end -local function write_files_not_defered(obj) +local function write_files_not_deferred(obj) write_files(obj.write_files, false) end -local function write_files_defered(obj) +local function write_files_deferred(obj) write_files(obj.write_files, true) end -- Set network configuration from user_data @@ -381,6 +382,7 @@ local function network_config(obj) extra_opts = extra_opts .. " wol" end if v.mtu then + local mtu if type(v.mtu) == "number" then mtu = tostring(v.mtu) else @@ -661,8 +663,16 @@ if not f then os.exit(0) end local line = f:read("*l") +if not line or #string.gsub(line, "^%s*(.-)%s*$", "%1") == 0 then + f:close() + os.exit(0) +end if citype ~= "postnet" then local content = f:read("*a") + if not content or #string.gsub(content, "^%s*(.-)%s*$", "%1") == 0 then + f:close() + os.exit(0) + end nuage.mkdir_p(root .. "/var/cache/nuageinit") local tof = assert(io.open(root .. "/var/cache/nuageinit/user_data", "w")) tof:write(line .. "\n" .. content) @@ -680,14 +690,14 @@ if line == "#cloud-config" then network_config, ssh_pwauth, runcmd, - write_files_not_defered, + write_files_not_deferred, } local post_network_calls = { packages, users, chpasswd, - write_files_defered, + write_files_deferred, } f = io.open(ni_path .. "/" .. ud) @@ -704,12 +714,8 @@ if line == "#cloud-config" then for i = 1, #calls_table do if citype == "nocloud" and calls_table[i] == network_config then - netobj = parse_network_config() - if netobj == nil then - network_config(obj) - else - network_config(netobj) - end + local netobj = parse_network_config() or obj + network_config(netobj) else calls_table[i](obj) end diff --git a/libexec/nuageinit/tests/addfile.lua b/libexec/nuageinit/tests/addfile.lua index 98d020e557c0..ea98369f1909 100644 --- a/libexec/nuageinit/tests/addfile.lua +++ b/libexec/nuageinit/tests/addfile.lua 
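Review bot: The cached copy at `/var/cache/nuageinit/user_data` is created with a plain `io.open(..., "w")`, so its mode is whatever the process umask yields, and nothing in this hunk restricts it. User data handled by this script can carry credentials (the call tables further down list `users` and `chpasswd`), so the cache should be readable by root only. I would restrict the directory right after `nuage.mkdir_p`, before the file is created, for instance `nuage.chmod(root .. "/var/cache/nuageinit", "0700")` if the nuage module exports its chmod helper. The hunk ends at `tof:write`, so a later chmod on the file itself may already exist outside the visible lines.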
@@ -35,7 +35,7 @@ if str ~= f.content then n.err("Invalid file content") end --- the file is overwriten +-- the file is overwritten f.content = "test" str = addfile_and_getres(f) diff --git a/libexec/nuageinit/tests/nuageinit.sh b/libexec/nuageinit/tests/nuageinit.sh index 2b7c5226c97a..851f7110378a 100644 --- a/libexec/nuageinit/tests/nuageinit.sh +++ b/libexec/nuageinit/tests/nuageinit.sh @@ -890,7 +890,7 @@ EOF atf_check -o inline:"plop" cat file1 atf_check -o inline:"" cat emptyfile atf_check -o inline:"bla\n" cat file_base64 - test -f foo && atf_fail "foo creation should have been defered" + test -f foo && atf_fail "foo creation should have been deferred" atf_check -o match:"^-rwxr-xr-x.*nobody" ls -l file_base64 rm file1 emptyfile file_base64 atf_check -o empty /usr/libexec/nuageinit "${PWD}"/media/nuageinit postnet diff --git a/libexec/rtld-elf/powerpc/reloc.c b/libexec/rtld-elf/powerpc/reloc.c index a38cadfe76ba..c160028cea6d 100644 --- a/libexec/rtld-elf/powerpc/reloc.c +++ b/libexec/rtld-elf/powerpc/reloc.c @@ -844,10 +844,8 @@ __tls_get_addr(tls_index* ti) void arch_fix_auxv(Elf_Auxinfo *aux, Elf_Auxinfo *aux_info[]) { - Elf_Auxinfo *aux; - bool old_auxv_format; + Elf_Auxinfo *auxp; - old_auxv_format = true; for (auxp = aux; auxp->a_type != AT_NULL; auxp++) { if (auxp->a_type == 23) /* AT_STACKPROT */ return; diff --git a/libexec/rtld-elf/powerpc64/reloc.c b/libexec/rtld-elf/powerpc64/reloc.c index 29c52d8fc19f..4a4107aef861 100644 --- a/libexec/rtld-elf/powerpc64/reloc.c +++ b/libexec/rtld-elf/powerpc64/reloc.c @@ -741,10 +741,8 @@ __tls_get_addr(tls_index* ti) void arch_fix_auxv(Elf_Auxinfo *aux, Elf_Auxinfo *aux_info[]) { - Elf_Auxinfo *aux; - bool old_auxv_format; + Elf_Auxinfo *auxp; - old_auxv_format = true; for (auxp = aux; auxp->a_type != AT_NULL; auxp++) { if (auxp->a_type == 23) /* AT_STACKPROT */ return; diff --git a/libexec/rtld-elf/rtld.1 b/libexec/rtld-elf/rtld.1 index 62e4fc5676c2..04dcb28d7f8f 100644 --- a/libexec/rtld-elf/rtld.1 
+++ b/libexec/rtld-elf/rtld.1 @@ -26,7 +26,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd July 24, 2024 +.Dd November 25, 2025 .Dt RTLD 1 .Os .Sh NAME @@ -153,6 +153,11 @@ If set, .Nm will print a table containing all relocations after symbol binding and relocation. +.It Ev LD_DEBUG +If set, +.Nm +will print voluminous internal debugging messages as it loads +and links a program. .It Ev LD_DUMP_REL_PRE If set, .Nm diff --git a/release/scripts/pkg-stage.sh b/release/scripts/pkg-stage.sh index 083b1baa3358..c575f2d32bae 100755 --- a/release/scripts/pkg-stage.sh +++ b/release/scripts/pkg-stage.sh @@ -15,7 +15,7 @@ export PORTSDIR="${PORTSDIR:-/usr/ports}" _DVD_PACKAGES=" devel/git@lite -editors/emacs +editors/emacs@nox editors/vim misc/freebsd-doc-all net/mpd5 diff --git a/sbin/bectl/Makefile b/sbin/bectl/Makefile index cfd6ee2ccb97..0eb56d247ab5 100644 --- a/sbin/bectl/Makefile +++ b/sbin/bectl/Makefile @@ -15,13 +15,13 @@ LIBADD+= be \ pthread CFLAGS+= -DIN_BASE -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/ -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd +CFLAGS+= -I${ZFSTOP}/include +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/ +CFLAGS+= -I${ZFSTOP}/lib/libspl/include/os/freebsd CFLAGS+= -I${SRCTOP}/sys CFLAGS+= -I${SRCTOP}/cddl/compat/opensolaris/include -CFLAGS+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include -CFLAGS+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h +CFLAGS+= -I${ZFSTOP}/module/icp/include +CFLAGS+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h CFLAGS+= -DHAVE_ISSETUGID -DHAVE_STRLCAT -DHAVE_STRLCPY CFLAGS+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h diff --git a/sbin/mount/mount.8 b/sbin/mount/mount.8 index 154ad293aee4..877001727a8f 100644 --- a/sbin/mount/mount.8 +++ b/sbin/mount/mount.8 
@@ -270,8 +270,11 @@ Note: this option is worthless if a public available suid or sgid wrapper is installed on your system. It is set automatically when the user does not have super-user privileges. .It Cm nosymfollow -Do not follow symlinks -on the mounted file system. +Do not follow symlinks on the mounted file system. +.Pp +This option is intended to be used when mounting file systems +from untrusted external storage systems or public writable /tmp file systems. +You can still create or remove symlinks, or read the value of a symbolic link. .It Cm ro Mount the filesystem read-only, even the super-user may not write it. Equivalent to @@ -571,6 +574,7 @@ support for a particular file system might be provided either on a static .Xr lsvfs 1 , .Xr setfacl 1 , .Xr nmount 2 , +.Xr symlink 2 , .Xr acl 3 , .Xr getmntinfo 3 , .Xr libxo 3 , @@ -584,6 +588,7 @@ support for a particular file system might be provided either on a static .Xr tarfs 4 , .Xr tmpfs 4 , .Xr fstab 5 , +.Xr symlink 7 , .Xr automount 8 , .Xr fstyp 8 , .Xr kldload 8 , diff --git a/share/keys/pkgbase-15/trusted/Makefile b/share/keys/pkgbase-15/trusted/Makefile index e6205999b12f..32db72ae368a 100644 --- a/share/keys/pkgbase-15/trusted/Makefile +++ b/share/keys/pkgbase-15/trusted/Makefile @@ -1,6 +1,7 @@ PACKAGE= pkg-bootstrap -FILES= awskms-15 +FILES= awskms-15 \ + backup-signing-15 FILESDIR= ${SHAREDIR}/keys/pkgbase-15/trusted FILESMODE= 644 diff --git a/share/keys/pkgbase-15/trusted/backup-signing-15 b/share/keys/pkgbase-15/trusted/backup-signing-15 new file mode 100644 index 000000000000..a147d6788cf2 --- /dev/null +++ b/share/keys/pkgbase-15/trusted/backup-signing-15 @@ -0,0 +1,2 @@ +function: "sha256" +fingerprint: "56a77bdcb6c3cf7984729c6138bd5617c24aa0d466b3b604c96205b2c5629f3c" diff --git a/share/mk/src.sys.mk b/share/mk/src.sys.mk index ec035fb71e54..6d6523f24754 100644 --- a/share/mk/src.sys.mk +++ b/share/mk/src.sys.mk 
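Review bot: Neither the `FILES=` change nor the new `backup-signing-15` file records what this key is for or how its fingerprint was checked. Everything installed under `${SHAREDIR}/keys/pkgbase-15/trusted` is presumably accepted as a package signer at bootstrap, so a second fingerprint widens the set of keys that can sign base packages. The provenance belongs next to it, for example a comment above `FILES=` such as `# backup-signing-15: <purpose, custodian, how the fingerprint was verified>`. The 64-hex-digit value should be compared against a copy obtained out of band, not against this diff alone.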
@@ -48,6 +48,9 @@ CFLAGS+= -fmacro-prefix-map=${SRCTOP}=/usr/src -fdebug-prefix-map=${SRCTOP}=/usr DEFAULTWARNS?= 6 +# ZFS source directory +ZFSTOP?= ${SRCTOP}/sys/contrib/openzfs + # tempting, but bsd.compiler.mk causes problems this early # probably need to remove dependence on bsd.own.mk #.include "src.opts.mk" diff --git a/stand/defs.mk b/stand/defs.mk index 54149f5f7b9e..504493ebe648 100644 --- a/stand/defs.mk +++ b/stand/defs.mk @@ -56,12 +56,11 @@ LIBLUASRC= ${BOOTSRC}/liblua LIBOFWSRC= ${BOOTSRC}/libofw LUASRC= ${SRCTOP}/contrib/lua/src SASRC= ${BOOTSRC}/libsa +SAZFSSRC= ${SASRC}/zfs SYSDIR= ${SRCTOP}/sys UBOOTSRC= ${BOOTSRC}/uboot -ZFSSRC= ${SASRC}/zfs -OZFS= ${SRCTOP}/sys/contrib/openzfs -ZFSOSSRC= ${OZFS}/module/os/freebsd/ -ZFSOSINC= ${OZFS}/include/os/freebsd +ZFSOSSRC= ${ZFSTOP}/module/os/freebsd/ +ZFSOSINC= ${ZFSTOP}/include/os/freebsd LIBCSRC= ${SRCTOP}/lib/libc BOOTOBJ= ${OBJTOP}/stand diff --git a/stand/efi/boot1/Makefile b/stand/efi/boot1/Makefile index c9f04546b56b..17fa849beb0b 100644 --- a/stand/efi/boot1/Makefile +++ b/stand/efi/boot1/Makefile @@ -32,7 +32,7 @@ CWARNFLAGS.zfs_module.c += -Wno-unused-function SRCS+= boot1.c proto.c self_reloc.c start.S ufs_module.c .if ${MK_LOADER_ZFS} != "no" SRCS+= zfs_module.c -CFLAGS.zfs_module.c+= -I${ZFSSRC} +CFLAGS.zfs_module.c+= -I${SAZFSSRC} CFLAGS.zfs_module.c+= -I${SYSDIR}/cddl/boot/zfs CFLAGS.zfs_module.c+= -I${SYSDIR}/crypto/skein CFLAGS.zfs_module.c+= -I${SYSDIR}/contrib/openzfs/include diff --git a/stand/efi/libefi/Makefile b/stand/efi/libefi/Makefile index aaf9ef666fde..4f4586fbf253 100644 --- a/stand/efi/libefi/Makefile +++ b/stand/efi/libefi/Makefile 
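Review bot: `ZFSTOP?=` makes the OpenZFS location overridable, but the context lines of the stand/efi/boot1 hunk still spell out `-I${SYSDIR}/contrib/openzfs/include`, so an overridden ZFSTOP would mix headers from two trees in the boot loader build. The same hard-coded path remains in the stand/efi/loader, stand/i386/gptzfsboot and stand/kboot/kboot hunks. These should become `-I${ZFSTOP}/include` (and `-I${ZFSTOP}/include/os/freebsd/zfs` where that directory is listed) so that one variable selects the whole source tree.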
@@ -53,7 +53,7 @@ CFLAGS.efi_console.c+= -I${SRCTOP}/sys/teken -I${SRCTOP}/contrib/pnglite CFLAGS.efi_console.c+= -I${.CURDIR}/../loader CFLAGS.teken.c+= -I${SRCTOP}/sys/teken .if ${MK_LOADER_ZFS} != "no" -CFLAGS+= -I${ZFSSRC} +CFLAGS+= -I${SAZFSSRC} CFLAGS+= -I${SYSDIR}/cddl/boot/zfs CFLAGS+= -I${SYSDIR}/cddl/contrib/opensolaris/uts/common CFLAGS+= -DEFI_ZFS_BOOT diff --git a/stand/efi/loader/Makefile b/stand/efi/loader/Makefile index 8000e2f6df7d..addb7652249d 100644 --- a/stand/efi/loader/Makefile +++ b/stand/efi/loader/Makefile @@ -36,7 +36,7 @@ CFLAGS+= -I${EFISRC}/acpica/include CFLAGS+= -I${.CURDIR}/../loader .if ${MK_LOADER_ZFS} != "no" -CFLAGS+= -I${ZFSSRC} +CFLAGS+= -I${SAZFSSRC} CFLAGS+= -I${SYSDIR}/contrib/openzfs/include CFLAGS+= -I${SYSDIR}/contrib/openzfs/include/os/freebsd/zfs CFLAGS+= -DEFI_ZFS_BOOT diff --git a/stand/i386/gptzfsboot/Makefile b/stand/i386/gptzfsboot/Makefile index ebdd4958c5f2..2b3b5422031b 100644 --- a/stand/i386/gptzfsboot/Makefile +++ b/stand/i386/gptzfsboot/Makefile @@ -27,7 +27,7 @@ CFLAGS+=-DBOOTPROG=\"gptzfsboot\" \ -I${LDRSRC} \ -I${BOOTSRC}/i386/common \ -I${BOOTSRC}/i386/libi386 \ - -I${ZFSSRC} \ + -I${SAZFSSRC} \ -I${SYSDIR}/crypto/skein \ -I${SYSDIR}/cddl/boot/zfs \ -I${SYSDIR}/contrib/openzfs/include \ @@ -77,6 +77,6 @@ gptzfsboot.bin: gptzfsboot.out gptzfsboot.out: ${BTXCRT} ${OBJS} ${LD} ${LD_FLAGS} --defsym ORG=${ORG2} -T ${LDSCRIPT} -o ${.TARGET} ${.ALLSRC} ${LIBI386} ${LIBSA32} -zfsboot.o: ${ZFSSRC}/zfsimpl.c +zfsboot.o: ${SAZFSSRC}/zfsimpl.c .include <bsd.prog.mk> diff --git a/stand/kboot/kboot/Makefile b/stand/kboot/kboot/Makefile index 19bae09df5ea..68bb67096851 100644 --- a/stand/kboot/kboot/Makefile +++ b/stand/kboot/kboot/Makefile @@ -32,7 +32,7 @@ SRCS+= kbootfdt.c .endif .if ${MK_LOADER_ZFS} != "no" -CFLAGS+= -I${ZFSSRC} +CFLAGS+= -I${SAZFSSRC} CFLAGS+= -I${SYSDIR}/contrib/openzfs/include CFLAGS+= -I${SYSDIR}/contrib/openzfs/include/os/freebsd/zfs HAVE_ZFS=yes 
diff --git a/stand/libsa/zfs/Makefile.inc b/stand/libsa/zfs/Makefile.inc index 2e9d5679f71f..c747078a115b 100644 --- a/stand/libsa/zfs/Makefile.inc +++ b/stand/libsa/zfs/Makefile.inc @@ -1,12 +1,12 @@ -.PATH: ${ZFSSRC} +.PATH: ${SAZFSSRC} .PATH: ${SYSDIR}/crypto/skein .PATH: ${ZFSOSSRC}/spl -.PATH: ${OZFS}/module/zstd -.PATH: ${OZFS}/module/zstd/lib/common -.PATH: ${OZFS}/module/zstd/lib/compress -.PATH: ${OZFS}/module/zstd/lib/decompress -.PATH: ${OZFS}/module/icp/asm-aarch64/blake3 -.PATH: ${OZFS}/module/icp/algs/blake3 +.PATH: ${ZFSTOP}/module/zstd +.PATH: ${ZFSTOP}/module/zstd/lib/common +.PATH: ${ZFSTOP}/module/zstd/lib/compress +.PATH: ${ZFSTOP}/module/zstd/lib/decompress +.PATH: ${ZFSTOP}/module/icp/asm-aarch64/blake3 +.PATH: ${ZFSTOP}/module/icp/algs/blake3 ZFS_SRC= zfs.c nvlist.c skein.c skein_block.c list.c ZFS_SRC+= zfs_zstd.c ZFS_SRC+= blake3.c blake3_generic.c blake3_impl.c @@ -30,7 +30,7 @@ SRCS+= ${ZFS_SRC} ${ZSTD_SRC} ${ZFS_SRC_AS} # tweak something defined in that file. # -ZFS_EARLY= -I${ZFSSRC}/spl \ +ZFS_EARLY= -I${SAZFSSRC}/spl \ -I${ZFSOSINC} \ -I${ZFSOSINC}/spl \ -I${ZFSOSINC}/zfs @@ -41,7 +41,7 @@ ZFS_EARLY= -I${ZFSSRC}/spl \ # from FreeBSD. # .for i in ${ZFS_SRC} ${ZSTD_SRC} -CFLAGS.$i+= -include ${ZFSOSINC}/spl/sys/ccompile.h -Wformat -Wall -I${OZFS}/include \ +CFLAGS.$i+= -include ${ZFSOSINC}/spl/sys/ccompile.h -Wformat -Wall -I${ZFSTOP}/include \ -DNEED_SOLARIS_BOOLEAN .endfor @@ -76,7 +76,7 @@ CFLAGS.$i+= -U__BMI__ ${NO_WBITWISE_INSTEAD_OF_LOGICAL} CFLAGS.zfs_zstd.c+= -DIN_BASE -DIN_LIBSA -CFLAGS.blake3_impl.c+= -I${OZFS}/module/icp/algs/blake3 -I${OZFS}/module/icp/include -DIN_LIBSA +CFLAGS.blake3_impl.c+= -I${ZFSTOP}/module/icp/algs/blake3 -I${ZFSTOP}/module/icp/include -DIN_LIBSA # Do not unroll skein loops, reduce code size CFLAGS.skein_block.c+= -DSKEIN_LOOP=111 diff --git a/stand/loader.mk b/stand/loader.mk index e26ba1401912..496252e7a534 100644 --- a/stand/loader.mk +++ b/stand/loader.mk 
@@ -152,7 +152,7 @@ CFLAGS+= -DLOADER_MBR_SUPPORT .if ${HAVE_ZFS:Uno} == "yes" CFLAGS+= -DLOADER_ZFS_SUPPORT -CFLAGS+= -I${ZFSSRC} +CFLAGS+= -I${SAZFSSRC} CFLAGS+= -I${SYSDIR}/cddl/boot/zfs CFLAGS+= -I${SYSDIR}/cddl/contrib/opensolaris/uts/common SRCS+= zfs_cmd.c diff --git a/stand/man/loader.efi.8 b/stand/man/loader.efi.8 index c488ac257804..d9a5c827ba71 100644 --- a/stand/man/loader.efi.8 +++ b/stand/man/loader.efi.8 @@ -158,6 +158,7 @@ The serial ports are assigned as follows on IBM PC compatible systems: .It COM3 Ta 0x3e8 Ta Pa /dev/uart2 .It COM4 Ta 0x2e8 Ta Pa /dev/uart3 .El +.Pp Though .Dv COM3 and @@ -191,8 +192,9 @@ of any behavior not covered in this document. .It Fl s Ta Dv boot_single Ta Va RB_SINGLE .It Fl v Ta Dv boot_verbose Ta Va RB_VERBOSE .El +.Pp And the following flags determine the primary console: -.Bl -column -offset indent ".Sy Flags" ".Sy Kernel Flags" ".Sy Kernel Consoles" ".Sy Primary Console" +.Bl -column -offset xxx "Flags" "RB_SERIAL | RB_MULTIPLE" "Kernel Consoles" "Primary Console" .It Sy Flags Ta Sy Kernel Flags Ta Sy Kernel Consoles Ta Sy Primary Console .It none Ta 0 Ta Video Ta Video .It Fl h Ta RB_SERIAL Ta Serial Ta Serial @@ -380,6 +382,7 @@ To check: # mount | grep nda0p1 /dev/nda0p1 on /boot/efi (msdosfs, local) .Ed +.Pp If it's not mounted, you will need to mount it: .Bd -literal -offset indent # mount -t msdosfs /dev/nda0p1 /boot/efi @@ -398,6 +401,7 @@ BootOrder : 0000, 0001, 0003, 0004, 0005, 0006, 0001, 0008, 000A, 000B, 000C, 0 nda0p1:/EFI/FREEBSD/LOADER.EFI /boot/efi//EFI/FREEBSD/LOADER.EFI \&... .Ed +.Pp Often there are several options, depending on the BIOS. The entry that we booted with is marked with a .Sq + @@ -416,6 +420,7 @@ loader, which varies by architecture. .It i386 Ta Pa /EFI/BOOT/BOOTIA32.EFI .It riscv Ta Pa /EFI/BOOT/BOOTRISCV64.EFI .El +.Pp However, care must be taken: some multiple-boot environments rely on a special .Pa bootXXX.efi to function. 
@@ -436,10 +441,12 @@ above table): .Bd -literal -offset indent # cmp /boot/efi/EFI/FREEBSD/LOADER.EFI /boot/efi/EFI/BOOT/BOOTX64.EFI .Ed +.Pp Copy the loader: .Bd -literal -offset indent # cp /boot/loader.efi /boot/efi/EFI/FREEBSD/LOADER.EFI .Ed +.Pp replacing the all caps part of the example with the proper path. .Pp If ESP path was diff --git a/sys/amd64/conf/NOTES b/sys/amd64/conf/NOTES index e0a9e1b77d93..d48fd10c0e62 100644 --- a/sys/amd64/conf/NOTES +++ b/sys/amd64/conf/NOTES @@ -172,5 +172,4 @@ options PV_STATS #options KUBSAN # Kernel Undefined Behavior Sanitizer #options KCSAN # Kernel Concurrency Sanitizer #options KASAN # Kernel Address Sanitizer -#options KCSAN # Kernel Concurrency Sanitizer #options KMSAN # Kernel Memory Sanitizer diff --git a/sys/arm/freescale/imx/imx6_ssi.c b/sys/arm/freescale/imx/imx6_ssi.c index 76870cfb29c9..f4ef955761b4 100644 --- a/sys/arm/freescale/imx/imx6_ssi.c +++ b/sys/arm/freescale/imx/imx6_ssi.c @@ -736,11 +736,7 @@ ssi_attach(device_t dev) sc->pos = 0; sc->conf = malloc(sizeof(struct sdma_conf), M_DEVBUF, M_WAITOK | M_ZERO); - mtx_init(&sc->lock, device_get_nameunit(dev), "ssi softc"); - if (sc->lock == NULL) { - device_printf(dev, "Can't create mtx\n"); - return (ENXIO); - } + mtx_init(&sc->lock, device_get_nameunit(dev), "ssi softc", MTX_DEF); if (bus_alloc_resources(dev, ssi_spec, sc->res)) { device_printf(dev, "could not allocate resources\n"); diff --git a/sys/arm/freescale/vybrid/vf_sai.c b/sys/arm/freescale/vybrid/vf_sai.c index 6ccfcae2bc2e..d3a3ab93fe80 100644 --- a/sys/arm/freescale/vybrid/vf_sai.c +++ b/sys/arm/freescale/vybrid/vf_sai.c 
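Review bot: In `ssi_attach`, the first failure exit after `mtx_init()` is now the `bus_alloc_resources` branch, and nothing visible there undoes the mutex or the `sc->conf` allocation made just above it. The branch's return is outside the hunk; if it simply returns an error, it should first call `mtx_destroy(&sc->lock);` and `free(sc->conf, M_DEVBUF);`. The `sai_attach` hunk in vf_sai.c has the same shape and needs the same `mtx_destroy()` on its failure branch.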
@@ -691,11 +691,7 @@ sai_attach(device_t dev) sc->sr = &rate_map[0]; sc->pos = 0; - mtx_init(&sc->lock, device_get_nameunit(dev), "sai softc"); - if (sc->lock == NULL) { - device_printf(dev, "Cant create mtx\n"); - return (ENXIO); - } + mtx_init(&sc->lock, device_get_nameunit(dev), "sai softc", MTX_DEF); if (bus_alloc_resources(dev, sai_spec, sc->res)) { device_printf(dev, "could not allocate resources\n"); diff --git a/sys/arm64/arm64/mp_machdep.c b/sys/arm64/arm64/mp_machdep.c index ba673ce9d6ee..0bdd2ecfd8a7 100644 --- a/sys/arm64/arm64/mp_machdep.c +++ b/sys/arm64/arm64/mp_machdep.c @@ -270,8 +270,6 @@ init_secondary(uint64_t cpu) install_cpu_errata(); enable_cpu_feat(CPU_FEAT_AFTER_DEV); - intr_pic_init_secondary(); - /* Signal we are done */ atomic_add_int(&aps_started, 1); @@ -290,6 +288,8 @@ init_secondary(uint64_t cpu) ("pmap0 doesn't match cpu %ld's ttbr0", cpu)); pcpup->pc_curpmap = pmap0; + intr_pic_init_secondary(); + /* Start per-CPU event timers. */ cpu_initclocks_ap(); diff --git a/sys/cam/nvme/nvme_da.c b/sys/cam/nvme/nvme_da.c index 506fce3d99d3..833738cfcb98 100644 --- a/sys/cam/nvme/nvme_da.c +++ b/sys/cam/nvme/nvme_da.c @@ -648,7 +648,6 @@ static void ndasetgeom(struct nda_softc *softc, struct cam_periph *periph) { struct disk *disk = softc->disk; - struct ccb_pathinq cpi; const struct nvme_namespace_data *nsd; const struct nvme_controller_data *cd; uint8_t flbas_fmt, lbads, vwc_present; @@ -667,10 +666,6 @@ ndasetgeom(struct nda_softc *softc, struct cam_periph *periph) vwc_present = NVMEV(NVME_CTRLR_DATA_VWC_PRESENT, cd->vwc); if (vwc_present) disk->d_flags |= DISKFLAG_CANFLUSHCACHE; - if ((cpi.hba_misc & PIM_UNMAPPED) != 0) { - disk->d_flags |= DISKFLAG_UNMAPPED_BIO; - softc->unmappedio = 1; - } } static void 
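Review bot: The new position of `intr_pic_init_secondary()` in `init_secondary` carries no comment saying what it depends on, so the ordering this change establishes is easy to undo in a later cleanup. After the move the call runs after `aps_started` is incremented and after `pc_curpmap` is set, where before it ran ahead of both. A short comment at the call site, e.g. `/* Must follow the pcpu/pmap setup above: <reason> */`, would record the constraint; the reason itself has to come from the author. `init_secondary` begins and ends outside these hunks.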
@@ -944,6 +939,10 @@ ndaregister(struct cam_periph *periph, void *arg) maxio = maxphys; /* for safety */ disk->d_maxsize = maxio; ndasetgeom(softc, periph); + if ((cpi.hba_misc & PIM_UNMAPPED) != 0) { + disk->d_flags |= DISKFLAG_UNMAPPED_BIO; + softc->unmappedio = 1; + } /* * d_ident and d_descr are both far bigger than the length of either diff --git a/sys/compat/freebsd32/freebsd32_misc.c b/sys/compat/freebsd32/freebsd32_misc.c index e62c76924d22..7913940338c2 100644 --- a/sys/compat/freebsd32/freebsd32_misc.c +++ b/sys/compat/freebsd32/freebsd32_misc.c @@ -4240,6 +4240,24 @@ ofreebsd32_sethostid(struct thread *td, struct ofreebsd32_sethostid_args *uap) int freebsd32_setcred(struct thread *td, struct freebsd32_setcred_args *uap) { - /* Last argument is 'is_32bit'. */ - return (user_setcred(td, uap->flags, uap->wcred, uap->size, true)); + struct setcred wcred; + struct setcred32 wcred32; + int error; + + if (uap->size != sizeof(wcred32)) + return (EINVAL); + error = copyin(uap->wcred, &wcred32, sizeof(wcred32)); + if (error != 0) + return (error); + memset(&wcred, 0, sizeof(wcred)); + CP(wcred32, wcred, sc_uid); + CP(wcred32, wcred, sc_ruid); + CP(wcred32, wcred, sc_svuid); + CP(wcred32, wcred, sc_gid); + CP(wcred32, wcred, sc_rgid); + CP(wcred32, wcred, sc_svgid); + CP(wcred32, wcred, sc_supp_groups_nb); + PTRIN_CP(wcred32, wcred, sc_supp_groups); + PTRIN_CP(wcred32, wcred, sc_label); + return (user_setcred(td, uap->flags, &wcred)); } diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 3d5f7dd8a71b..8a11f8ec86b1 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -1727,7 +1727,7 @@ device ata # Legacy ATA/SATA controllers # PCI ATA chipsets #device ataacard # ACARD #device ataacerlabs # Acer Labs Inc. (ALI) -#device ataamd # American Micro Devices (AMD) +#device ataamd # Advanced Micro Devices (AMD) #device ataati # ATI #device atacenatek # Cenatek #device atacypress # Cypress diff --git a/sys/conf/files b/sys/conf/files index 53fcb80f2b8d..3314274b47a8 100644 
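Review bot: `freebsd32_setcred` now hands `user_setcred()` a kernel `struct setcred` whose `sc_supp_groups` and `sc_label` are still user-space addresses and whose `sc_supp_groups_nb` comes straight from the 32-bit caller, and nothing at the call site says so. The bound on the group count and the copyin of both pointers must therefore live in `user_setcred()`, which this hunk does not show. A comment above the call would make that contract explicit: `/* wcred is a kernel copy, but sc_supp_groups and sc_label still point into user space; user_setcred() is expected to bound sc_supp_groups_nb and copy them in. */`. It is also worth confirming that `uap->flags` is validated there, since the size check here now runs before anything else.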
--- a/sys/conf/files +++ b/sys/conf/files @@ -4238,10 +4238,10 @@ net/route/route_rtentry.c standard net/route/route_subscription.c standard net/route/route_tables.c standard net/route/route_temporal.c standard -net/rss_config.c optional inet rss | inet6 rss +net/rss_config.c standard net/rtsock.c standard net/slcompress.c optional netgraph_vjc -net/toeplitz.c optional inet rss | inet6 rss | route_mpath +net/toeplitz.c optional inet | inet6 | route_mpath net/vnet.c optional vimage net80211/ieee80211.c optional wlan net80211/ieee80211_acl.c optional wlan wlan_acl @@ -4384,7 +4384,7 @@ netinet/in_pcb.c optional inet | inet6 netinet/in_prot.c optional inet | inet6 netinet/in_proto.c optional inet | inet6 netinet/in_rmx.c optional inet -netinet/in_rss.c optional inet rss +netinet/in_rss.c optional inet netinet/ip_divert.c optional ipdivert inet | ipdivert inet6 netinet/ip_ecn.c optional inet | inet6 netinet/ip_encap.c optional inet | inet6 @@ -4486,7 +4486,7 @@ netinet6/in6_mcast.c optional inet6 netinet6/in6_pcb.c optional inet6 netinet6/in6_proto.c optional inet6 netinet6/in6_rmx.c optional inet6 -netinet6/in6_rss.c optional inet6 rss +netinet6/in6_rss.c optional inet6 netinet6/in6_src.c optional inet6 netinet6/ip6_fastfwd.c optional inet6 netinet6/ip6_forward.c optional inet6 diff --git a/sys/contrib/device-tree/src/arm64/rockchip/rk3568.dtsi b/sys/contrib/device-tree/src/arm64/rockchip/rk3568.dtsi index e719a3df126c..695cccbdab0f 100644 --- a/sys/contrib/device-tree/src/arm64/rockchip/rk3568.dtsi +++ b/sys/contrib/device-tree/src/arm64/rockchip/rk3568.dtsi @@ -152,7 +152,7 @@ compatible = "rockchip,rk3568-pcie"; #address-cells = <3>; #size-cells = <2>; - bus-range = <0x10 0x1f>; + bus-range = <0x0 0xf>; clocks = <&cru ACLK_PCIE30X1_MST>, <&cru ACLK_PCIE30X1_SLV>, <&cru ACLK_PCIE30X1_DBI>, <&cru PCLK_PCIE30X1>, <&cru CLK_PCIE30X1_AUX_NDFT>; 
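Review bot: `net/rss_config.c` becomes `standard` while `net/toeplitz.c` stays conditional on `inet | inet6 | route_mpath`, so a kernel configured with none of those options compiles the first without the second. If rss_config.c references the Toeplitz hash routines (the file is not part of this hunk), such a configuration fails at link time. Either make `net/toeplitz.c` `standard` as well, or keep `net/rss_config.c` under `optional inet | inet6`.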
@@ -175,7 +175,7 @@ num-ib-windows = <6>; num-ob-windows = <2>; max-link-speed = <3>; - msi-map = <0x1000 &its 0x1000 0x1000>; + msi-map = <0x0 &gic 0x1000 0x1000>; num-lanes = <1>; phys = <&pcie30phy>; phy-names = "pcie-phy"; @@ -205,7 +205,7 @@ compatible = "rockchip,rk3568-pcie"; #address-cells = <3>; #size-cells = <2>; - bus-range = <0x20 0x2f>; + bus-range = <0x0 0xf>; clocks = <&cru ACLK_PCIE30X2_MST>, <&cru ACLK_PCIE30X2_SLV>, <&cru ACLK_PCIE30X2_DBI>, <&cru PCLK_PCIE30X2>, <&cru CLK_PCIE30X2_AUX_NDFT>; @@ -228,7 +228,7 @@ num-ib-windows = <6>; num-ob-windows = <2>; max-link-speed = <3>; - msi-map = <0x2000 &its 0x2000 0x1000>; + msi-map = <0x0 &gic 0x2000 0x1000>; num-lanes = <2>; phys = <&pcie30phy>; phy-names = "pcie-phy"; diff --git a/sys/contrib/device-tree/src/arm64/rockchip/rk356x-base.dtsi b/sys/contrib/device-tree/src/arm64/rockchip/rk356x-base.dtsi index fd2214b6fad4..81e635620301 100644 --- a/sys/contrib/device-tree/src/arm64/rockchip/rk356x-base.dtsi +++ b/sys/contrib/device-tree/src/arm64/rockchip/rk356x-base.dtsi @@ -283,18 +283,6 @@ mbi-alias = <0x0 0xfd410000>; mbi-ranges = <296 24>; msi-controller; - ranges; - #address-cells = <2>; - #size-cells = <2>; - dma-noncoherent; - - its: msi-controller@fd440000 { - compatible = "arm,gic-v3-its"; - reg = <0x0 0xfd440000 0 0x20000>; - dma-noncoherent; - msi-controller; - #msi-cells = <1>; - }; }; usb_host0_ehci: usb@fd800000 { @@ -968,7 +956,7 @@ num-ib-windows = <6>; num-ob-windows = <2>; max-link-speed = <2>; - msi-map = <0x0 &its 0x0 0x1000>; + msi-map = <0x0 &gic 0x0 0x1000>; num-lanes = <1>; phys = <&combphy2 PHY_TYPE_PCIE>; phy-names = "pcie-phy"; diff --git a/sys/dev/cxgbe/common/t4_msg.h b/sys/dev/cxgbe/common/t4_msg.h index 214080964fbb..31a52dbb616e 100644 --- a/sys/dev/cxgbe/common/t4_msg.h +++ b/sys/dev/cxgbe/common/t4_msg.h 
@@ -2478,7 +2478,7 @@ struct cpl_rx_data_ack_core { #define F_RX_DACK_CHANGE V_RX_DACK_CHANGE(1U) struct cpl_rx_phys_addr { - __be32 RSS[2]; + __be32 rss[2]; __be32 op_to_tid; __be32 pci_rlx_order_to_len; __be64 phys_addr; diff --git a/sys/dev/cxgbe/t4_main.c b/sys/dev/cxgbe/t4_main.c index 9bd5e02fabf0..5e02b47da8d9 100644 --- a/sys/dev/cxgbe/t4_main.c +++ b/sys/dev/cxgbe/t4_main.c @@ -57,9 +57,7 @@ #include <net/if_types.h> #include <net/if_dl.h> #include <net/if_vlan_var.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include <netinet/in.h> #include <netinet/ip.h> #ifdef KERN_TLS @@ -2819,7 +2817,7 @@ cxgbe_probe(device_t dev) #define T4_CAP (IFCAP_VLAN_HWTAGGING | IFCAP_VLAN_MTU | IFCAP_HWCSUM | \ IFCAP_VLAN_HWCSUM | IFCAP_TSO | IFCAP_JUMBO_MTU | IFCAP_LRO | \ IFCAP_VLAN_HWTSO | IFCAP_LINKSTATE | IFCAP_HWCSUM_IPV6 | IFCAP_HWSTATS | \ - IFCAP_HWRXTSTMP | IFCAP_MEXTPG) + IFCAP_HWRXTSTMP | IFCAP_MEXTPG | IFCAP_NV) #define T4_CAP_ENABLE (T4_CAP) static void @@ -3067,7 +3065,7 @@ cxgbe_ioctl(if_t ifp, unsigned long cmd, caddr_t data) struct port_info *pi = vi->pi; struct adapter *sc = pi->adapter; struct ifreq *ifr = (struct ifreq *)data; - uint32_t mask; + uint32_t mask, mask2; switch (cmd) { case SIOCSIFMTU: @@ -3126,12 +3124,24 @@ cxgbe_ioctl(if_t ifp, unsigned long cmd, caddr_t data) end_synchronized_op(sc, 0); break; + case SIOCGIFCAPNV: + break; + case SIOCSIFCAPNV: case SIOCSIFCAP: rc = begin_synchronized_op(sc, vi, SLEEP_OK | INTR_OK, "t4cap"); if (rc) return (rc); - mask = ifr->ifr_reqcap ^ if_getcapenable(ifp); + if (cmd == SIOCSIFCAPNV) { + const struct siocsifcapnv_driver_data *ifr_nv = + (struct siocsifcapnv_driver_data *)data; + + mask = ifr_nv->reqcap ^ if_getcapenable(ifp); + mask2 = ifr_nv->reqcap2 ^ if_getcapenable2(ifp); + } else { + mask = ifr->ifr_reqcap ^ if_getcapenable(ifp); + mask2 = 0; + } if (mask & IFCAP_TXCSUM) { if_togglecapenable(ifp, IFCAP_TXCSUM); if_togglehwassist(ifp, CSUM_TCP | CSUM_UDP | CSUM_IP); 
@@ -3266,6 +3276,9 @@ cxgbe_ioctl(if_t ifp, unsigned long cmd, caddr_t data) CSUM_INNER_IP_TSO); } + MPASS(mask2 == 0); + (void)mask2; + #ifdef VLAN_CAPABILITIES VLAN_CAPABILITIES(ifp); #endif @@ -7035,7 +7048,6 @@ t4_setup_intr_handlers(struct adapter *sc) static void write_global_rss_key(struct adapter *sc) { -#ifdef RSS int i; uint32_t raw_rss_key[RSS_KEYSIZE / sizeof(uint32_t)]; uint32_t rss_key[RSS_KEYSIZE / sizeof(uint32_t)]; @@ -7047,7 +7059,6 @@ write_global_rss_key(struct adapter *sc) rss_key[i] = htobe32(raw_rss_key[nitems(rss_key) - 1 - i]); } t4_write_rss_key(sc, &rss_key[0], -1, 1); -#endif } /* @@ -7127,7 +7138,6 @@ adapter_full_uninit(struct adapter *sc) sc->flags &= ~FULL_INIT_DONE; } -#ifdef RSS #define SUPPORTED_RSS_HASHTYPES (RSS_HASHTYPE_RSS_IPV4 | \ RSS_HASHTYPE_RSS_TCP_IPV4 | RSS_HASHTYPE_RSS_IPV6 | \ RSS_HASHTYPE_RSS_TCP_IPV6 | RSS_HASHTYPE_RSS_UDP_IPV4 | \ @@ -7190,7 +7200,6 @@ hashen_to_hashconfig(int hashen) return (hashconfig); } -#endif /* * Idempotent. @@ -7200,11 +7209,10 @@ vi_full_init(struct vi_info *vi) { struct adapter *sc = vi->adapter; struct sge_rxq *rxq; - int rc, i, j; + int rc, i, j, extra; + int hashconfig = rss_gethashconfig(); #ifdef RSS int nbuckets = rss_getnumbuckets(); - int hashconfig = rss_gethashconfig(); - int extra; #endif ASSERT_SYNCHRONIZED_OP(sc); @@ -7259,7 +7267,6 @@ vi_full_init(struct vi_info *vi) return (rc); } -#ifdef RSS vi->hashen = hashconfig_to_hashen(hashconfig); /* @@ -7295,12 +7302,7 @@ vi_full_init(struct vi_info *vi) CH_ALERT(vi, "UDP/IPv4 4-tuple hashing forced on.\n"); if (extra & RSS_HASHTYPE_RSS_UDP_IPV6) CH_ALERT(vi, "UDP/IPv6 4-tuple hashing forced on.\n"); -#else - vi->hashen = F_FW_RSS_VI_CONFIG_CMD_IP6FOURTUPEN | - F_FW_RSS_VI_CONFIG_CMD_IP6TWOTUPEN | - F_FW_RSS_VI_CONFIG_CMD_IP4FOURTUPEN | - F_FW_RSS_VI_CONFIG_CMD_IP4TWOTUPEN | F_FW_RSS_VI_CONFIG_CMD_UDPEN; -#endif + rc = -t4_config_vi_rss(sc, sc->mbox, vi->viid, vi->hashen, vi->rss[0], 0, 0); if (rc != 0) { 
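Review bot: `MPASS(mask2 == 0)` in `cxgbe_ioctl` checks a value derived from the `SIOCSIFCAPNV` request, and an assertion is the wrong tool for request data. With assertions compiled in, a nonzero `reqcap2 ^ if_getcapenable2(ifp)` stops the kernel; without them the bits are silently dropped while the ioctl reports success. Unless the generic ioctl layer already rejects capenable2 bits this interface does not advertise (not visible here), the case should fail the request before any capability is toggled, e.g. `if (mask2 != 0) { rc = EOPNOTSUPP; /* leave via the case's error exit */ }`, so that the synchronized op is still ended. `cxgbe_ioctl` continues on both sides of this hunk.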
diff --git a/sys/dev/e1000/em_txrx.c b/sys/dev/e1000/em_txrx.c index ced8d0f41d14..647255417b3e 100644 --- a/sys/dev/e1000/em_txrx.c +++ b/sys/dev/e1000/em_txrx.c @@ -29,10 +29,8 @@ #include "if_em.h" -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #ifdef VERBOSE_DEBUG #define DPRINTF device_printf diff --git a/sys/dev/e1000/if_em.c b/sys/dev/e1000/if_em.c index 02f4c431badd..7d7655a7ae6f 100644 --- a/sys/dev/e1000/if_em.c +++ b/sys/dev/e1000/if_em.c @@ -3415,12 +3415,8 @@ igb_initialize_rss_mapping(struct e1000_softc *sc) */ mrqc = E1000_MRQC_ENABLE_RSS_MQ; -#ifdef RSS /* XXX ew typecasting */ rss_getkey((uint8_t *) &rss_key); -#else - arc4rand(&rss_key, sizeof(rss_key), 0); -#endif for (i = 0; i < 10; i++) E1000_WRITE_REG_ARRAY(hw, E1000_RSSRK(0), i, rss_key[i]); @@ -3642,7 +3638,7 @@ em_initialize_transmit_unit(if_ctx_t ctx) bus_addr = txr->tx_paddr; /* Clear checksum offload context. */ - offp = (caddr_t)&txr->csum_flags; + offp = (caddr_t)txr + offsetof(struct tx_ring, csum_flags); endp = (caddr_t)(txr + 1); bzero(offp, endp - offp); diff --git a/sys/dev/e1000/if_em.h b/sys/dev/e1000/if_em.h index 582e8d9c6327..4c80c7696952 100644 --- a/sys/dev/e1000/if_em.h +++ b/sys/dev/e1000/if_em.h @@ -72,10 +72,8 @@ #include <net/if_dl.h> #include <net/if_media.h> #include <net/iflib.h> -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #include <net/if_types.h> #include <net/if_vlan_var.h> diff --git a/sys/dev/e1000/igb_txrx.c b/sys/dev/e1000/igb_txrx.c index 568d84807173..46fe5c741055 100644 --- a/sys/dev/e1000/igb_txrx.c +++ b/sys/dev/e1000/igb_txrx.c @@ -28,10 +28,8 @@ #include "if_em.h" -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #ifdef VERBOSE_DEBUG #define DPRINTF device_printf diff --git a/sys/dev/ena/ena_datapath.c b/sys/dev/ena/ena_datapath.c index ab082fa1810f..ec64ae9324bf 100644 --- a/sys/dev/ena/ena_datapath.c +++ b/sys/dev/ena/ena_datapath.c 
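Review bot: In `igb_initialize_rss_mapping` the non-RSS build used to draw a fresh key with `arc4rand()`, and it now takes whatever `rss_getkey()` returns. `rss_getkey()` is not part of this diff; if it hands back a fixed built-in key when the kernel has not been given a random one, the Toeplitz hash becomes predictable to remote senders, who could then concentrate traffic on a single receive queue. Please confirm the key is randomised per boot, or state in the commit message that the per-boot randomness is given up deliberately. The same replacement appears in `igc_initialize_rss_mapping` (if_igc.c), and `hn_synth_attach` and `iavf_config_rss_reg` switch from driver defaults to the same call.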
@@ -34,9 +34,7 @@ #ifdef DEV_NETMAP #include "ena_netmap.h" #endif /* DEV_NETMAP */ -#ifdef RSS #include <net/rss_config.h> -#endif /* RSS */ #include <netinet6/ip6_var.h> @@ -351,7 +349,6 @@ ena_rx_hash_mbuf(struct ena_ring *rx_ring, struct ena_com_rx_ctx *ena_rx_ctx, if (likely(ENA_FLAG_ISSET(ENA_FLAG_RSS_ACTIVE, adapter))) { mbuf->m_pkthdr.flowid = ena_rx_ctx->hash; -#ifdef RSS /* * Hardware and software RSS are in agreement only when both are * configured to Toeplitz algorithm. This driver configures @@ -362,7 +359,6 @@ ena_rx_hash_mbuf(struct ena_ring *rx_ring, struct ena_com_rx_ctx *ena_rx_ctx, M_HASHTYPE_SET(mbuf, M_HASHTYPE_OPAQUE_HASH); return; } -#endif if (ena_rx_ctx->frag && (ena_rx_ctx->l3_proto != ENA_ETH_IO_L3_PROTO_UNKNOWN)) { diff --git a/sys/dev/ena/ena_rss.c b/sys/dev/ena/ena_rss.c index b7706e33065d..88fb3c902f5d 100644 --- a/sys/dev/ena/ena_rss.c +++ b/sys/dev/ena/ena_rss.c @@ -125,7 +125,6 @@ ena_rss_init_default(struct ena_adapter *adapter) } -#ifdef RSS uint8_t rss_algo = rss_gethashalgo(); if (rss_algo == RSS_HASH_TOEPLITZ) { uint8_t hash_key[RSS_KEYSIZE]; @@ -133,7 +132,6 @@ ena_rss_init_default(struct ena_adapter *adapter) rss_getkey(hash_key); rc = ena_rss_set_hash(ena_dev, hash_key); } else -#endif rc = ena_com_fill_hash_function(ena_dev, ENA_ADMIN_TOEPLITZ, NULL, ENA_HASH_KEY_SIZE, 0x0); if (unlikely((rc != 0) && (rc != EOPNOTSUPP))) { diff --git a/sys/dev/ena/ena_rss.h b/sys/dev/ena/ena_rss.h index 64dd41851fec..b7c5181397af 100644 --- a/sys/dev/ena/ena_rss.h +++ b/sys/dev/ena/ena_rss.h @@ -36,9 +36,7 @@ #include <sys/types.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include "ena.h" diff --git a/sys/dev/hyperv/netvsc/if_hn.c b/sys/dev/hyperv/netvsc/if_hn.c index b23c0d76115d..2ae9e710978e 100644 --- a/sys/dev/hyperv/netvsc/if_hn.c +++ b/sys/dev/hyperv/netvsc/if_hn.c 
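Review bot: With the `#ifdef RSS` lines removed from `ena_rss_init_default`, the `if (rss_algo == RSS_HASH_TOEPLITZ) { ... } else` now ends in an unbraced `rc = ena_com_fill_hash_function(...)` statement that spans two lines, a shape that only made sense as preprocessor glue. Brace the else arm as well (`} else {` … `}`) so that a statement added later cannot fall outside it. The function starts before and continues after these hunks.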
@@ -98,9 +98,7 @@ #include <net/if_types.h> #include <net/if_var.h> #include <net/rndis.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include <netinet/in_systm.h> #include <netinet/in.h> @@ -621,17 +619,6 @@ static struct rmlock hn_vfmap_lock; static int hn_vfmap_size; static if_t *hn_vfmap; -#ifndef RSS -static const uint8_t -hn_rss_key_default[NDIS_HASH_KEYSIZE_TOEPLITZ] = { - 0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, - 0x41, 0x67, 0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, - 0xd0, 0xca, 0x2b, 0xcb, 0xae, 0x7b, 0x30, 0xb4, - 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30, 0xf2, 0x0c, - 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa -}; -#endif /* !RSS */ - static const struct hyperv_guid hn_guid = { .hv_guid = { 0x63, 0x51, 0x61, 0xf8, 0x3e, 0xdf, 0xc5, 0x46, @@ -6552,11 +6539,7 @@ hn_synth_attach(struct hn_softc *sc, int mtu) */ if (bootverbose) if_printf(sc->hn_ifp, "setup default RSS key\n"); -#ifdef RSS rss_getkey(rss->rss_key); -#else - memcpy(rss->rss_key, hn_rss_key_default, sizeof(rss->rss_key)); -#endif sc->hn_flags |= HN_FLAG_HAS_RSSKEY; } diff --git a/sys/dev/iavf/iavf_lib.c b/sys/dev/iavf/iavf_lib.c index 433d31904ea4..8596cf71bfff 100644 --- a/sys/dev/iavf/iavf_lib.c +++ b/sys/dev/iavf/iavf_lib.c @@ -1079,9 +1079,7 @@ iavf_config_rss_reg(struct iavf_sc *sc) u64 set_hena = 0, hena; int i, j, que_id; u32 rss_seed[IAVF_RSS_KEY_SIZE_REG]; -#ifdef RSS u32 rss_hash_config; -#endif /* Don't set up RSS if using a single queue */ if (IAVF_NRXQS(vsi) == 1) { @@ -1091,19 +1089,14 @@ iavf_config_rss_reg(struct iavf_sc *sc) return; } -#ifdef RSS /* Fetch the configured RSS key */ rss_getkey((uint8_t *) &rss_seed); -#else - iavf_get_default_rss_key(rss_seed); -#endif /* Fill out hash function seed */ for (i = 0; i < IAVF_RSS_KEY_SIZE_REG; i++) wr32(hw, IAVF_VFQF_HKEY(i), rss_seed[i]); /* Enable PCTYPES for RSS: */ -#ifdef RSS rss_hash_config = rss_gethashconfig(); if (rss_hash_config & RSS_HASHTYPE_RSS_IPV4) set_hena |= ((u64)1 << IAVF_FILTER_PCTYPE_NONF_IPV4_OTHER); 
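Review bot: In `iavf_config_rss_reg`, `rss_getkey((uint8_t *)&rss_seed)` presumably fills `RSS_KEYSIZE` bytes, while the loop below writes all `IAVF_RSS_KEY_SIZE_REG` words of `rss_seed` to `IAVF_VFQF_HKEY`. If `sizeof(rss_seed)` is larger than `RSS_KEYSIZE` (neither constant is defined in this diff), the tail is uninitialised stack that ends up in device registers, and this path is now taken on every kernel instead of only with `options RSS`. Zero the array first with `memset(rss_seed, 0, sizeof(rss_seed));` and add a compile-time check like the one ice_rss.h carries, `CTASSERT(sizeof(rss_seed) >= RSS_KEYSIZE);`. The function starts before and ends after these hunks.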
@@ -1119,9 +1112,6 @@ iavf_config_rss_reg(struct iavf_sc *sc) set_hena |= ((u64)1 << IAVF_FILTER_PCTYPE_NONF_IPV6_TCP); if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6) set_hena |= ((u64)1 << IAVF_FILTER_PCTYPE_NONF_IPV6_UDP); -#else - set_hena = IAVF_DEFAULT_RSS_HENA_XL710; -#endif hena = (u64)rd32(hw, IAVF_VFQF_HENA(0)) | ((u64)rd32(hw, IAVF_VFQF_HENA(1)) << 32); hena |= set_hena; diff --git a/sys/dev/iavf/iavf_lib.h b/sys/dev/iavf/iavf_lib.h index 48c0f4560e5a..955f5c69288b 100644 --- a/sys/dev/iavf/iavf_lib.h +++ b/sys/dev/iavf/iavf_lib.h @@ -42,9 +42,7 @@ #include <sys/malloc.h> #include <sys/stdarg.h> #include <sys/sysctl.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include "iavf_debug.h" #include "iavf_osdep.h" diff --git a/sys/dev/ice/ice_rss.h b/sys/dev/ice/ice_rss.h index df485f4b1f5a..4efebb362025 100644 --- a/sys/dev/ice/ice_rss.h +++ b/sys/dev/ice/ice_rss.h 
@@ -42,36 +42,17 @@ #ifndef _ICE_RSS_H_ #define _ICE_RSS_H_ -#ifdef RSS -// We have the kernel RSS interface available #include <net/rss_config.h> /* Make sure our key size buffer has enough space to store the kernel RSS key */ CTASSERT(ICE_AQC_GET_SET_RSS_KEY_DATA_RSS_KEY_SIZE >= RSS_KEYSIZE); -#else -/* The kernel RSS interface is not enabled. Use suitable defaults for the RSS - * configuration functions. - * - * The RSS hash key will be a pre-generated random key. - * The number of buckets will just match the number of CPUs. - * The lookup table will be assigned using round-robin with no indirection. - * The RSS hash configuration will be set to suitable defaults. - */ -#define RSS_HASHTYPE_RSS_IPV4 (1 << 1) /* IPv4 2-tuple */ -#define RSS_HASHTYPE_RSS_TCP_IPV4 (1 << 2) /* TCPv4 4-tuple */ -#define RSS_HASHTYPE_RSS_IPV6 (1 << 3) /* IPv6 2-tuple */ -#define RSS_HASHTYPE_RSS_TCP_IPV6 (1 << 4) /* TCPv6 4-tuple */ -#define RSS_HASHTYPE_RSS_IPV6_EX (1 << 5) /* IPv6 2-tuple + ext hdrs */ -#define RSS_HASHTYPE_RSS_TCP_IPV6_EX (1 << 6) /* TCPv6 4-tiple + ext hdrs */ -#define RSS_HASHTYPE_RSS_UDP_IPV4 (1 << 7) /* IPv4 UDP 4-tuple */ -#define RSS_HASHTYPE_RSS_UDP_IPV6 (1 << 9) /* IPv6 UDP 4-tuple */ -#define RSS_HASHTYPE_RSS_UDP_IPV6_EX (1 << 10) /* IPv6 UDP 4-tuple + ext hdrs */ - -#define rss_getkey(key) ice_get_default_rss_key(key) +#ifdef RSS +/* RSS CPU/bucket mapping functions - only available with options RSS */ +#else +/* Stub CPU/bucket functions when RSS not configured */ #define rss_getnumbuckets() (mp_ncpus) #define rss_get_indirection_to_bucket(index) (index) -#define rss_gethashconfig() (ICE_DEFAULT_RSS_HASH_CONFIG) /** * rss_hash2bucket - Determine the bucket for a given hash value @@ -102,7 +83,6 @@ rss_hash2bucket(uint32_t hash_val, uint32_t hash_type, uint32_t *bucket_id) return (-1); } } - #endif /* !RSS */ #define ICE_DEFAULT_RSS_HASH_CONFIG \ diff --git a/sys/dev/igc/if_igc.c b/sys/dev/igc/if_igc.c index d6c06803990f..a4e5de2ae82a 100644 
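Review bot: The `#ifdef RSS` arm that remains in ice_rss.h holds nothing but a comment, so the conditional reads as if something were missing. `#ifndef RSS` in front of the stub `rss_getnumbuckets()`, `rss_get_indirection_to_bucket()` and `rss_hash2bucket()` definitions says the same thing and matches the existing `#endif /* !RSS */`. With `rss_getkey` and `rss_gethashconfig` no longer redefined here, `ice_get_default_rss_key` and `ICE_DEFAULT_RSS_HASH_CONFIG` may have lost their last users; that cannot be checked from this hunk.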
--- a/sys/dev/igc/if_igc.c +++ b/sys/dev/igc/if_igc.c @@ -32,10 +32,9 @@ #include <sys/sbuf.h> #include <machine/_inttypes.h> -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif + /********************************************************************* * PCI Device ID Table @@ -1940,12 +1939,8 @@ igc_initialize_rss_mapping(struct igc_softc *sc) */ mrqc = IGC_MRQC_ENABLE_RSS_4Q; -#ifdef RSS /* XXX ew typecasting */ rss_getkey((uint8_t *) &rss_key); -#else - arc4rand(&rss_key, sizeof(rss_key), 0); -#endif for (i = 0; i < RSSKEYLEN; i++) IGC_WRITE_REG_ARRAY(hw, IGC_RSSRK(0), i, rss_key[i]); diff --git a/sys/dev/igc/igc_txrx.c b/sys/dev/igc/igc_txrx.c index 92ba81c79c58..96949492fd24 100644 --- a/sys/dev/igc/igc_txrx.c +++ b/sys/dev/igc/igc_txrx.c @@ -30,10 +30,8 @@ #include <sys/cdefs.h> #include "if_igc.h" -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #ifdef VERBOSE_DEBUG #define DPRINTF device_printf diff --git a/sys/dev/irdma/icrdma.c b/sys/dev/irdma/icrdma.c index 576a185b013f..a4f3904a820c 100644 --- a/sys/dev/irdma/icrdma.c +++ b/sys/dev/irdma/icrdma.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB * - * Copyright (c) 2021 - 2023 Intel Corporation + * Copyright (c) 2021 - 2025 Intel Corporation * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU @@ -52,7 +52,7 @@ /** * Driver version */ -char irdma_driver_version[] = "1.2.36-k"; +char irdma_driver_version[] = "1.2.37-k"; /** * irdma_init_tunable - prepare tunables diff --git a/sys/dev/irdma/irdma_cm.c b/sys/dev/irdma/irdma_cm.c index d4d4f328fb43..f3ca761b32f6 100644 --- a/sys/dev/irdma/irdma_cm.c +++ b/sys/dev/irdma/irdma_cm.c 
@@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB * - * Copyright (c) 2015 - 2023 Intel Corporation + * Copyright (c) 2015 - 2025 Intel Corporation * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU @@ -1683,31 +1683,6 @@ irdma_get_vlan_ipv4(struct iw_cm_id *cm_id, u32 *addr) return vlan_id; } -static int -irdma_manage_qhash_wait(struct irdma_pci_f *rf, struct irdma_cm_info *cm_info) -{ - struct irdma_cqp_request *cqp_request = cm_info->cqp_request; - int cnt = rf->sc_dev.hw_attrs.max_cqp_compl_wait_time_ms * CQP_TIMEOUT_THRESHOLD; - u32 ret_val; - - if (!cqp_request) - return -ENOMEM; - do { - irdma_cqp_ce_handler(rf, &rf->ccq.sc_cq); - mdelay(1); - } while (!READ_ONCE(cqp_request->request_done) && --cnt); - - ret_val = cqp_request->compl_info.op_ret_val; - irdma_put_cqp_request(&rf->cqp, cqp_request); - if (cnt) { - if (!ret_val) - return 0; - return -EINVAL; - } - - return -ETIMEDOUT; -} - /** * irdma_add_mqh_ifa_cb - Adds multiple qhashes for IPv4/IPv6 * @arg: Calback argument structure from irdma_add_mqh @@ -1771,16 +1746,7 @@ irdma_add_mqh_ifa_cb(void *arg, struct ifaddr *ifa, u_int count) irdma_iw_get_vlan_prio(child_listen_node->loc_addr, cm_info->user_pri, cm_info->ipv4); - ret = irdma_manage_qhash(iwdev, cm_info, - IRDMA_QHASH_TYPE_TCP_SYN, - IRDMA_QHASH_MANAGE_TYPE_ADD, - NULL, false); - if (ret) { - kfree(child_listen_node); - return ret; - } - /* wait for qhash finish */ - ret = irdma_manage_qhash_wait(iwdev->rf, cm_info); + ret = irdma_add_qhash_wait_no_lock(iwdev, cm_info); if (ret) { kfree(child_listen_node); return ret; diff --git a/sys/dev/irdma/irdma_hw.c b/sys/dev/irdma/irdma_hw.c index 05004b1ccc83..64c05b8663e0 100644 --- a/sys/dev/irdma/irdma_hw.c +++ b/sys/dev/irdma/irdma_hw.c 
@@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB * - * Copyright (c) 2015 - 2023 Intel Corporation + * Copyright (c) 2015 - 2025 Intel Corporation * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU @@ -2581,35 +2581,22 @@ irdma_send_syn_cqp_callback(struct irdma_cqp_request *cqp_request) } /** - * irdma_manage_qhash - add or modify qhash + * irdma_qhash_info_prepare - fill info for qhash op * @iwdev: irdma device + * @cqp_info: cqp info * @cminfo: cm info for qhash * @etype: type (syn or quad) * @mtype: type of qhash - * @cmnode: cmnode associated with connection - * @wait: wait for completion */ -int -irdma_manage_qhash(struct irdma_device *iwdev, struct irdma_cm_info *cminfo, - enum irdma_quad_entry_type etype, - enum irdma_quad_hash_manage_type mtype, void *cmnode, - bool wait) +static void +irdma_qhash_info_prepare(struct irdma_device *iwdev, + struct cqp_cmds_info *cqp_info, + struct irdma_cm_info *cminfo, + enum irdma_quad_entry_type etype, + enum irdma_quad_hash_manage_type mtype) { struct irdma_qhash_table_info *info; - struct irdma_cqp *iwcqp = &iwdev->rf->cqp; - struct irdma_cqp_request *cqp_request; - struct cqp_cmds_info *cqp_info; - struct irdma_cm_node *cm_node = cmnode; - int status; - - cqp_request = irdma_alloc_and_get_cqp_request(iwcqp, wait); - if (!cqp_request) - return -ENOMEM; - cminfo->cqp_request = cqp_request; - if (!wait) - atomic_inc(&cqp_request->refcnt); - cqp_info = &cqp_request->info; info = &cqp_info->in.u.manage_qhash_table_entry.info; memset(info, 0, sizeof(*info)); info->vsi = &iwdev->vsi; 
@@ -2641,6 +2628,105 @@ irdma_manage_qhash(struct irdma_device *iwdev, struct irdma_cm_info *cminfo, info->src_ip[2] = cminfo->rem_addr[2]; info->src_ip[3] = cminfo->rem_addr[3]; } + cqp_info->cqp_cmd = IRDMA_OP_MANAGE_QHASH_TABLE_ENTRY; + cqp_info->post_sq = 1; +} + +/** + * irdma_add_qhash_wait_no_lock - add qhash, blocking w/o lock + * @iwdev: irdma device + * @cminfo: cm info for qhash + */ +int +irdma_add_qhash_wait_no_lock(struct irdma_device *iwdev, + struct irdma_cm_info *cminfo) +{ + struct irdma_qhash_table_info *info; + struct irdma_cqp *iwcqp = &iwdev->rf->cqp; + struct irdma_cqp_request *cqp_request; + struct cqp_cmds_info *cqp_info; + int cnt = iwdev->rf->sc_dev.hw_attrs.max_cqp_compl_wait_time_ms * CQP_TIMEOUT_THRESHOLD; + int status; + int ret_val; + + cqp_request = irdma_alloc_and_get_cqp_request(iwcqp, false); + if (!cqp_request) + return -ENOMEM; + + cqp_info = &cqp_request->info; + info = &cqp_info->in.u.manage_qhash_table_entry.info; + irdma_qhash_info_prepare(iwdev, cqp_info, cminfo, IRDMA_QHASH_TYPE_TCP_SYN, + IRDMA_QHASH_MANAGE_TYPE_ADD); + if (info->ipv4_valid) + irdma_debug(&iwdev->rf->sc_dev, IRDMA_DEBUG_CM, + "ADD caller: %pS loc_port=0x%04x rem_port=0x%04x loc_addr=%x rem_addr=%x mac=%x:%x:%x:%x:%x:%x, vlan_id=%d\n", + __builtin_return_address(0), info->src_port, + info->dest_port, info->src_ip[0], info->dest_ip[0], + info->mac_addr[0], info->mac_addr[1], + info->mac_addr[2], info->mac_addr[3], + info->mac_addr[4], info->mac_addr[5], + cminfo->vlan_id); + else + irdma_debug(&iwdev->rf->sc_dev, IRDMA_DEBUG_CM, + "ADD caller: %pS loc_port=0x%04x rem_port=0x%04x loc_addr=%x:%x:%x:%x rem_addr=%x:%x:%x:%x mac=%x:%x:%x:%x:%x:%x, vlan_id=%d\n", + __builtin_return_address(0), info->src_port, + info->dest_port, IRDMA_PRINT_IP6(info->src_ip), + IRDMA_PRINT_IP6(info->dest_ip), info->mac_addr[0], + info->mac_addr[1], info->mac_addr[2], + info->mac_addr[3], info->mac_addr[4], + info->mac_addr[5], cminfo->vlan_id); + + 
cqp_info->in.u.manage_qhash_table_entry.cqp = &iwdev->rf->cqp.sc_cqp; + cqp_info->in.u.manage_qhash_table_entry.scratch = (uintptr_t)cqp_request; + status = irdma_handle_cqp_op(iwdev->rf, cqp_request); + if (status) { + irdma_put_cqp_request(iwcqp, cqp_request); + irdma_dev_warn(&iwdev->ibdev, "manage_qhash cqp op failure %d\n", status); + return status; + } + + do { + irdma_cqp_ce_handler(iwdev->rf, &iwdev->rf->ccq.sc_cq); + mdelay(1); + } while (!READ_ONCE(cqp_request->request_done) && --cnt); + + ret_val = cqp_request->compl_info.op_ret_val; + status = (cnt) ? ret_val : -ETIMEDOUT; + + irdma_put_cqp_request(iwcqp, cqp_request); + + return status; +} + +/** + * irdma_manage_qhash - add or modify qhash + * @iwdev: irdma device + * @cminfo: cm info for qhash + * @etype: type (syn or quad) + * @mtype: type of qhash + * @cmnode: cmnode associated with connection + * @wait: wait for completion + */ +int +irdma_manage_qhash(struct irdma_device *iwdev, struct irdma_cm_info *cminfo, + enum irdma_quad_entry_type etype, + enum irdma_quad_hash_manage_type mtype, void *cmnode, + bool wait) +{ + struct irdma_qhash_table_info *info; + struct irdma_cqp *iwcqp = &iwdev->rf->cqp; + struct irdma_cqp_request *cqp_request; + struct cqp_cmds_info *cqp_info; + struct irdma_cm_node *cm_node = cmnode; + int status; + + cqp_request = irdma_alloc_and_get_cqp_request(iwcqp, wait); + if (!cqp_request) + return -ENOMEM; + + cqp_info = &cqp_request->info; + info = &cqp_info->in.u.manage_qhash_table_entry.info; + irdma_qhash_info_prepare(iwdev, cqp_info, cminfo, etype, mtype); if (cmnode) { cqp_request->callback_fcn = irdma_send_syn_cqp_callback; cqp_request->param = cmnode; 
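Review bot: `status = (cnt) ? ret_val : -ETIMEDOUT;` in irdma_add_qhash_wait_no_lock hands the raw `compl_info.op_ret_val` back to the caller, whereas the removed irdma_manage_qhash_wait mapped any non-zero completion value to `-EINVAL`. irdma_add_mqh_ifa_cb only tests `if (ret)` and propagates the value, so a positive device code would now travel upward as if it were an errno. Keeping the old mapping, `status = cnt ? (ret_val ? -EINVAL : 0) : -ETIMEDOUT;`, preserves the previous contract. `ret_val` is also loaded before `cnt` is examined, so on timeout it is read from a request that never completed; reading it only when `cnt` is non-zero avoids that.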
@@ -2671,8 +2757,6 @@ irdma_manage_qhash(struct irdma_device *iwdev, struct irdma_cm_info *cminfo, cqp_info->in.u.manage_qhash_table_entry.cqp = &iwdev->rf->cqp.sc_cqp; cqp_info->in.u.manage_qhash_table_entry.scratch = (uintptr_t)cqp_request; - cqp_info->cqp_cmd = IRDMA_OP_MANAGE_QHASH_TABLE_ENTRY; - cqp_info->post_sq = 1; status = irdma_handle_cqp_op(iwdev->rf, cqp_request); if (status && cm_node && !wait) irdma_rem_ref_cm_node(cm_node); diff --git a/sys/dev/irdma/irdma_main.h b/sys/dev/irdma/irdma_main.h index 5b292ceafea8..9181f3b70463 100644 --- a/sys/dev/irdma/irdma_main.h +++ b/sys/dev/irdma/irdma_main.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: GPL-2.0 or Linux-OpenIB * - * Copyright (c) 2015 - 2023 Intel Corporation + * Copyright (c) 2015 - 2025 Intel Corporation * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU @@ -563,6 +563,7 @@ int irdma_manage_qhash(struct irdma_device *iwdev, struct irdma_cm_info *cminfo, enum irdma_quad_entry_type etype, enum irdma_quad_hash_manage_type mtype, void *cmnode, bool wait); +int irdma_add_qhash_wait_no_lock(struct irdma_device *iwdev, struct irdma_cm_info *cminfo); void irdma_receive_ilq(struct irdma_sc_vsi *vsi, struct irdma_puda_buf *rbuf); void irdma_free_sqbuf(struct irdma_sc_vsi *vsi, void *bufp); void irdma_free_qp_rsrc(struct irdma_qp *iwqp); diff --git a/sys/dev/ixgbe/ixgbe_rss.h b/sys/dev/ixgbe/ixgbe_rss.h index 84c802671195..6e02c5ec9ed5 100644 --- a/sys/dev/ixgbe/ixgbe_rss.h +++ b/sys/dev/ixgbe/ixgbe_rss.h 
@@ -34,30 +34,16 @@ #ifndef _IXGBE_RSS_H_ #define _IXGBE_RSS_H_ -#ifdef RSS - #include <net/rss_config.h> #include <netinet/in_rss.h> +#ifdef RSS +/* RSS CPU/bucket mapping functions - only available with options RSS */ #else - -#define RSS_HASHTYPE_RSS_IPV4 (1 << 1) -#define RSS_HASHTYPE_RSS_TCP_IPV4 (1 << 2) -#define RSS_HASHTYPE_RSS_IPV6 (1 << 3) -#define RSS_HASHTYPE_RSS_TCP_IPV6 (1 << 4) -#define RSS_HASHTYPE_RSS_IPV6_EX (1 << 5) -#define RSS_HASHTYPE_RSS_TCP_IPV6_EX (1 << 6) -#define RSS_HASHTYPE_RSS_UDP_IPV4 (1 << 7) -#define RSS_HASHTYPE_RSS_UDP_IPV4_EX (1 << 8) -#define RSS_HASHTYPE_RSS_UDP_IPV6 (1 << 9) -#define RSS_HASHTYPE_RSS_UDP_IPV6_EX (1 << 10) - +/* Stub CPU/bucket functions when RSS not configured */ #define rss_getcpu(_a) 0 #define rss_getnumbuckets() 1 -#define rss_getkey(_a) #define rss_get_indirection_to_bucket(_a) 0 -#define rss_gethashconfig() 0x7E #define rss_hash2bucket(_a,_b,_c) -1 - #endif #endif /* _IXGBE_RSS_H_ */ diff --git a/sys/dev/ixl/ixl.h b/sys/dev/ixl/ixl.h index ab0f38307d90..e265c8fbe3eb 100644 --- a/sys/dev/ixl/ixl.h +++ b/sys/dev/ixl/ixl.h @@ -98,10 +98,8 @@ #include <sys/sbuf.h> #include <machine/smp.h> -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #include "ifdi_if.h" #include "i40e_type.h" diff --git a/sys/dev/ixl/ixl_pf_main.c b/sys/dev/ixl/ixl_pf_main.c index b62619ced5cb..674e45823cc4 100644 --- a/sys/dev/ixl/ixl_pf_main.c +++ b/sys/dev/ixl/ixl_pf_main.c @@ -1101,12 +1101,8 @@ ixl_set_rss_key(struct ixl_pf *pf) u32 rss_seed[IXL_RSS_KEY_SIZE_REG]; enum i40e_status_code status; -#ifdef RSS - /* Fetch the configured RSS key */ - rss_getkey((uint8_t *) &rss_seed); -#else - ixl_get_default_rss_key(rss_seed); -#endif + /* Fetch the configured RSS key */ + rss_getkey((uint8_t *) &rss_seed); /* Fill out hash function seed */ if (hw->mac.type == I40E_MAC_X722) { struct i40e_aqc_get_set_rss_key_data key_data; 
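Review bot: Nothing visible in ixl_set_rss_key ties the size of `rss_seed` (`IXL_RSS_KEY_SIZE_REG` 32-bit words) to the `RSS_KEYSIZE` bytes that `rss_getkey()` is expected to fill, and this call is now made on every kernel rather than only with `options RSS`. If the array is smaller the copy overruns a stack buffer; if it is larger the tail is uninitialized stack that is then used as hash seed. Declaring `u32 rss_seed[IXL_RSS_KEY_SIZE_REG] = {0};` and adding `CTASSERT(sizeof(rss_seed) >= RSS_KEYSIZE);`, the form ice_rss.h already uses, covers both cases. The same size assumption is unchecked for `rss_key` in igc_initialize_rss_mapping, `key_ptr` in mlx5e_get_rss_key (whose `CTASSERT` went away with the static key) and `rss->hash_key` in vmxnet3_reinit_rss_shared_data. The function continues past the end of the hunk.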
@@ -1132,7 +1128,6 @@ ixl_set_rss_pctypes(struct ixl_pf *pf) struct i40e_hw *hw = &pf->hw; u64 set_hena = 0, hena; -#ifdef RSS u32 rss_hash_config; rss_hash_config = rss_gethashconfig(); @@ -1150,12 +1145,6 @@ ixl_set_rss_pctypes(struct ixl_pf *pf) set_hena |= ((u64)1 << I40E_FILTER_PCTYPE_NONF_IPV6_TCP); if (rss_hash_config & RSS_HASHTYPE_RSS_UDP_IPV6) set_hena |= ((u64)1 << I40E_FILTER_PCTYPE_NONF_IPV6_UDP); -#else - if (hw->mac.type == I40E_MAC_X722) - set_hena = IXL_DEFAULT_RSS_HENA_X722; - else - set_hena = IXL_DEFAULT_RSS_HENA_XL710; -#endif hena = (u64)i40e_read_rx_ctl(hw, I40E_PFQF_HENA(0)) | ((u64)i40e_read_rx_ctl(hw, I40E_PFQF_HENA(1)) << 32); hena |= set_hena; diff --git a/sys/dev/liquidio/lio_main.c b/sys/dev/liquidio/lio_main.c index 3c73a6b10eed..7b6eeb460095 100644 --- a/sys/dev/liquidio/lio_main.c +++ b/sys/dev/liquidio/lio_main.c @@ -64,10 +64,8 @@ static int num_queues_per_pf1; TUNABLE_INT("hw.lio.num_queues_per_pf0", &num_queues_per_pf0); TUNABLE_INT("hw.lio.num_queues_per_pf1", &num_queues_per_pf1); -#ifdef RSS static int lio_rss = 1; TUNABLE_INT("hw.lio.rss", &lio_rss); -#endif /* RSS */ /* Hardware LRO */ unsigned int lio_hwlro = 0; @@ -1437,13 +1435,10 @@ lio_setup_nic_devices(struct octeon_device *octeon_dev) lio_set_feature(ifp, LIO_CMD_TNL_TX_CSUM_CTL, LIO_CMD_TXCSUM_ENABLE); -#ifdef RSS if (lio_rss) { if (lio_send_rss_param(lio)) goto setup_nic_dev_fail; } else -#endif /* RSS */ - lio_set_feature(ifp, LIO_CMD_SET_FNV, LIO_CMD_FNV_ENABLE); diff --git a/sys/dev/liquidio/lio_network.h b/sys/dev/liquidio/lio_network.h index 856cc8f7ab09..65896bf8cfa9 100644 --- a/sys/dev/liquidio/lio_network.h +++ b/sys/dev/liquidio/lio_network.h @@ -125,9 +125,7 @@ struct lio { /* VLAN Filtering related */ eventhandler_tag vlan_attach; eventhandler_tag vlan_detach; -#ifdef RSS struct lio_rss_params_set rss_set; -#endif /* RSS */ }; #define LIO_MAX_CORES 12 
diff --git a/sys/dev/liquidio/lio_rss.c b/sys/dev/liquidio/lio_rss.c index df10cbbe3a05..da1e18142e81 100644 --- a/sys/dev/liquidio/lio_rss.c +++ b/sys/dev/liquidio/lio_rss.c @@ -31,8 +31,6 @@ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#ifdef RSS - #include "lio_bsd.h" #include "lio_common.h" #include "lio_droq.h" @@ -69,7 +67,11 @@ lio_set_rss_info(struct lio *lio) uint8_t queue_id; for (i = 0; i < LIO_RSS_TABLE_SZ; i++) { +#ifdef RSS queue_id = rss_get_indirection_to_bucket(i); +#else + queue_id = i; +#endif queue_id = queue_id % oct->num_oqs; rss_set->fw_itable[i] = queue_id; } @@ -168,5 +170,3 @@ lio_send_rss_param(struct lio *lio) return (0); } - -#endif /* RSS */ diff --git a/sys/dev/liquidio/lio_rss.h b/sys/dev/liquidio/lio_rss.h index 8a5020d47f7e..727f08b5fb0d 100644 --- a/sys/dev/liquidio/lio_rss.h +++ b/sys/dev/liquidio/lio_rss.h @@ -34,8 +34,6 @@ #ifndef __LIO_RSS_H__ #define __LIO_RSS_H__ -#ifdef RSS - #include <net/rss_config.h> #include <netinet/in_rss.h> @@ -76,8 +74,6 @@ struct lio_rss_params_set { }; -#endif /* RSS */ - #define LIO_RSS_HASH_IPV4 0x100 #define LIO_RSS_HASH_TCP_IPV4 0x200 #define LIO_RSS_HASH_IPV6 0x400 diff --git a/sys/dev/mlx5/mlx5_en/en.h b/sys/dev/mlx5/mlx5_en/en.h index f59902be226a..768f58188220 100644 --- a/sys/dev/mlx5/mlx5_en/en.h +++ b/sys/dev/mlx5/mlx5_en/en.h @@ -53,10 +53,8 @@ #include <sys/kthread.h> #include <sys/counter.h> -#ifdef RSS #include <net/rss_config.h> #include <netinet/in_rss.h> -#endif #include <machine/bus.h> diff --git a/sys/dev/mlx5/mlx5_en/mlx5_en_main.c b/sys/dev/mlx5/mlx5_en/mlx5_en_main.c index 4658bebb7845..daa98752c59b 100644 --- a/sys/dev/mlx5/mlx5_en/mlx5_en_main.c +++ b/sys/dev/mlx5/mlx5_en/mlx5_en_main.c 
@@ -2915,24 +2915,7 @@ err_modify: static void mlx5e_get_rss_key(void *key_ptr) { -#ifdef RSS rss_getkey(key_ptr); -#else - static const u32 rsskey[] = { - cpu_to_be32(0xD181C62C), - cpu_to_be32(0xF7F4DB5B), - cpu_to_be32(0x1983A2FC), - cpu_to_be32(0x943E1ADB), - cpu_to_be32(0xD9389E6B), - cpu_to_be32(0xD1039C2C), - cpu_to_be32(0xA74499AD), - cpu_to_be32(0x593D56D9), - cpu_to_be32(0xF3253C06), - cpu_to_be32(0x2ADC1FFC), - }; - CTASSERT(sizeof(rsskey) == MLX5E_RSS_KEY_SIZE); - memcpy(key_ptr, rsskey, MLX5E_RSS_KEY_SIZE); -#endif } static void @@ -3044,15 +3027,12 @@ mlx5e_build_tir_ctx(struct mlx5e_priv *priv, u32 * tirc, int tt, bool inner_vxla CTASSERT(MLX5_FLD_SZ_BYTES(tirc, rx_hash_toeplitz_key) >= MLX5E_RSS_KEY_SIZE); -#ifdef RSS + /* * The FreeBSD RSS implementation does currently not * support symmetric Toeplitz hashes: */ MLX5_SET(tirc, tirc, rx_hash_symmetric, 0); -#else - MLX5_SET(tirc, tirc, rx_hash_symmetric, 1); -#endif mlx5e_get_rss_key(hkey); switch (tt) { @@ -3061,12 +3041,10 @@ mlx5e_build_tir_ctx(struct mlx5e_priv *priv, u32 * tirc, int tt, bool inner_vxla MLX5_L3_PROT_TYPE_IPV4); MLX5_SET(rx_hash_field_select, hfs, l4_prot_type, MLX5_L4_PROT_TYPE_TCP); -#ifdef RSS if (!(rss_gethashconfig() & RSS_HASHTYPE_RSS_TCP_IPV4)) { MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_IP); } else -#endif MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_ALL); break; @@ -3076,12 +3054,10 @@ mlx5e_build_tir_ctx(struct mlx5e_priv *priv, u32 * tirc, int tt, bool inner_vxla MLX5_L3_PROT_TYPE_IPV6); MLX5_SET(rx_hash_field_select, hfs, l4_prot_type, MLX5_L4_PROT_TYPE_TCP); -#ifdef RSS if (!(rss_gethashconfig() & RSS_HASHTYPE_RSS_TCP_IPV6)) { MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_IP); } else -#endif MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_ALL); break; 
@@ -3091,12 +3067,10 @@ mlx5e_build_tir_ctx(struct mlx5e_priv *priv, u32 * tirc, int tt, bool inner_vxla MLX5_L3_PROT_TYPE_IPV4); MLX5_SET(rx_hash_field_select, hfs, l4_prot_type, MLX5_L4_PROT_TYPE_UDP); -#ifdef RSS if (!(rss_gethashconfig() & RSS_HASHTYPE_RSS_UDP_IPV4)) { MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_IP); } else -#endif MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_ALL); break; @@ -3106,12 +3080,10 @@ mlx5e_build_tir_ctx(struct mlx5e_priv *priv, u32 * tirc, int tt, bool inner_vxla MLX5_L3_PROT_TYPE_IPV6); MLX5_SET(rx_hash_field_select, hfs, l4_prot_type, MLX5_L4_PROT_TYPE_UDP); -#ifdef RSS if (!(rss_gethashconfig() & RSS_HASHTYPE_RSS_UDP_IPV6)) { MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_IP); } else -#endif MLX5_SET(rx_hash_field_select, hfs, selected_fields, MLX5_HASH_ALL); break; diff --git a/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c b/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c index eb569488631a..262558d529dc 100644 --- a/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c +++ b/sys/dev/mlx5/mlx5_en/mlx5_en_rx.c @@ -358,7 +358,6 @@ mlx5e_build_rx_mbuf(struct mlx5_cqe64 *cqe, struct mlx5e_rq *rq, /* check if a Toeplitz hash was computed */ if (cqe->rss_hash_type != 0) { mb->m_pkthdr.flowid = be32_to_cpu(cqe->rss_hash_result); -#ifdef RSS /* decode the RSS hash type */ switch (cqe->rss_hash_type & (CQE_RSS_DST_HTYPE_L4 | CQE_RSS_DST_HTYPE_IP)) { @@ -386,9 +385,6 @@ mlx5e_build_rx_mbuf(struct mlx5_cqe64 *cqe, struct mlx5e_rq *rq, M_HASHTYPE_SET(mb, M_HASHTYPE_OPAQUE_HASH); break; } -#else - M_HASHTYPE_SET(mb, M_HASHTYPE_OPAQUE_HASH); -#endif #ifdef M_HASHTYPE_SETINNER if (cqe_is_tunneled(cqe)) M_HASHTYPE_SETINNER(mb); diff --git a/sys/dev/nvme/nvme.h b/sys/dev/nvme/nvme.h index c8eba3df9c2a..61e4aa8cb94b 100644 --- a/sys/dev/nvme/nvme.h +++ b/sys/dev/nvme/nvme.h 
@@ -29,15 +29,13 @@ #ifndef __NVME_H__ #define __NVME_H__ -#ifdef _KERNEL -#include <sys/types.h> -#endif - #include <sys/param.h> -#include <sys/endian.h> -#ifndef _KERNEL +#ifdef _KERNEL +#include <sys/systm.h> +#else #include <stdbool.h> #endif +#include <sys/endian.h> struct sbuf; @@ -1540,8 +1538,7 @@ enum nvme_log_page { /* 0xC0-0xFF - vendor specific */ /* - * The following are Intel Specific log pages, but they seem - * to be widely implemented. + * The following are Intel Specific log pages for older models. */ INTEL_LOG_READ_LAT_LOG = 0xc1, INTEL_LOG_WRITE_LAT_LOG = 0xc2, @@ -1550,7 +1547,7 @@ enum nvme_log_page { INTEL_LOG_DRIVE_MKT_NAME = 0xdd, /* - * HGST log page, with lots ofs sub pages. + * HGST log page, with lots of sub pages. */ HGST_INFO_LOG = 0xc1, }; @@ -1910,7 +1907,6 @@ void nvme_sc_sbuf(const struct nvme_completion *cpl, struct sbuf *sbuf); void nvme_strvis(uint8_t *dst, const uint8_t *src, int dstlen, int srclen); #ifdef _KERNEL -#include <sys/systm.h> #include <sys/disk.h> struct bio; @@ -2194,7 +2190,7 @@ void nvme_namespace_data_swapbytes(struct nvme_namespace_data *s __unused) s->anagrpid = le32toh(s->anagrpid); s->nvmsetid = le16toh(s->nvmsetid); s->endgid = le16toh(s->endgid); - for (unsigned i = 0; i < nitems(s->lbaf); i++) + for (unsigned int i = 0; i < nitems(s->lbaf); i++) s->lbaf[i] = le32toh(s->lbaf[i]); #endif } diff --git a/sys/dev/nvme/nvme_ctrlr.c b/sys/dev/nvme/nvme_ctrlr.c index 41542d24c107..1ad4735cbef8 100644 --- a/sys/dev/nvme/nvme_ctrlr.c +++ b/sys/dev/nvme/nvme_ctrlr.c @@ -907,7 +907,7 @@ again: size = sizeof(struct nvme_hmb_desc) * ctrlr->hmb_nchunks; err = bus_dma_tag_create(bus_get_dma_tag(ctrlr->dev), - 16, 0, BUS_SPACE_MAXADDR, BUS_SPACE_MAXADDR, NULL, NULL, + PAGE_SIZE, 0, BUS_SPACE_MAXADDR, BUS_SPACE_MAXADDR, NULL, NULL, size, 1, size, 0, NULL, NULL, &ctrlr->hmb_desc_tag); if (err != 0) { nvme_printf(ctrlr, "HMB desc tag create failed %d\n", err); 
diff --git a/sys/dev/sfxge/sfxge.c b/sys/dev/sfxge/sfxge.c index 7d3217fb50de..5ad9313a841f 100644 --- a/sys/dev/sfxge/sfxge.c +++ b/sys/dev/sfxge/sfxge.c @@ -60,9 +60,7 @@ #include <net/if_media.h> #include <net/if_types.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include "common/efx.h" diff --git a/sys/dev/sfxge/sfxge_rx.c b/sys/dev/sfxge/sfxge_rx.c index 7e0948425d77..961fea2e5f79 100644 --- a/sys/dev/sfxge/sfxge_rx.c +++ b/sys/dev/sfxge/sfxge_rx.c @@ -57,9 +57,7 @@ #include <machine/in_cksum.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include "common/efx.h" @@ -165,17 +163,7 @@ sfxge_rx_qflush_failed(struct sfxge_rxq *rxq) rxq->flush_state = SFXGE_FLUSH_FAILED; } -#ifdef RSS static uint8_t toep_key[RSS_KEYSIZE]; -#else -static uint8_t toep_key[] = { - 0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, - 0x41, 0x67, 0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, - 0xd0, 0xca, 0x2b, 0xcb, 0xae, 0x7b, 0x30, 0xb4, - 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30, 0xf2, 0x0c, - 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa -}; -#endif static void sfxge_rx_post_refill(void *arg) @@ -1143,9 +1131,7 @@ sfxge_rx_start(struct sfxge_softc *sc) EFX_RX_HASH_IPV4 | EFX_RX_HASH_TCPIPV4 | EFX_RX_HASH_IPV6 | EFX_RX_HASH_TCPIPV6, B_TRUE); -#ifdef RSS rss_getkey(toep_key); -#endif if ((rc = efx_rx_scale_key_set(sc->enp, EFX_RSS_CONTEXT_DEFAULT, toep_key, sizeof(toep_key))) != 0) diff --git a/sys/dev/sound/midi/midi.c b/sys/dev/sound/midi/midi.c index e14a28557406..cca7b93abf5f 100644 --- a/sys/dev/sound/midi/midi.c +++ b/sys/dev/sound/midi/midi.c 
@@ -658,21 +658,19 @@ midi_poll(struct cdev *i_dev, int events, struct thread *td) mtx_lock(&m->lock); mtx_lock(&m->qlock); - if (events & (POLLIN | POLLRDNORM)) + if (events & (POLLIN | POLLRDNORM)) { if (!MIDIQ_EMPTY(m->inq)) - events |= events & (POLLIN | POLLRDNORM); - - if (events & (POLLOUT | POLLWRNORM)) - if (MIDIQ_AVAIL(m->outq) < m->hiwat) - events |= events & (POLLOUT | POLLWRNORM); - - if (revents == 0) { - if (events & (POLLIN | POLLRDNORM)) + revents |= events & (POLLIN | POLLRDNORM); + else selrecord(td, &m->rsel); - - if (events & (POLLOUT | POLLWRNORM)) + } + if (events & (POLLOUT | POLLWRNORM)) { + if (MIDIQ_AVAIL(m->outq) < m->hiwat) + revents |= events & (POLLOUT | POLLWRNORM); + else selrecord(td, &m->wsel); } + mtx_unlock(&m->lock); mtx_unlock(&m->qlock); diff --git a/sys/dev/sound/pcm/channel.c b/sys/dev/sound/pcm/channel.c index 011dc1427c2e..7c3f0e3dc9f0 100644 --- a/sys/dev/sound/pcm/channel.c +++ b/sys/dev/sound/pcm/channel.c @@ -581,14 +581,30 @@ chn_read(struct pcm_channel *c, struct uio *buf) } void -chn_intr(struct pcm_channel *c) +chn_intr_locked(struct pcm_channel *c) { - CHN_LOCK(c); + + CHN_LOCKASSERT(c); + c->interrupts++; + if (c->direction == PCMDIR_PLAY) chn_wrintr(c); else chn_rdintr(c); +} + +void +chn_intr(struct pcm_channel *c) +{ + + if (CHN_LOCKOWNED(c)) { + chn_intr_locked(c); + return; + } + + CHN_LOCK(c); + chn_intr_locked(c); CHN_UNLOCK(c); } diff --git a/sys/dev/sound/pcm/channel.h b/sys/dev/sound/pcm/channel.h index 6415f5c88984..0b17c4a130a7 100644 --- a/sys/dev/sound/pcm/channel.h +++ b/sys/dev/sound/pcm/channel.h @@ -298,6 +298,7 @@ int chn_oss_setorder(struct pcm_channel *, unsigned long long *); int chn_oss_getmask(struct pcm_channel *, uint32_t *); void chn_resetbuf(struct pcm_channel *c); +void chn_intr_locked(struct pcm_channel *c); void chn_intr(struct pcm_channel *c); int chn_abort(struct pcm_channel *c); 
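Review bot: chn_intr() now decides whether to take the channel lock by testing `CHN_LOCKOWNED(c)`, which hides the locking contract from callers and means neither state can be asserted at the call site. Since chn_intr_locked() is exported in channel.h, callers that already hold the lock could call it directly and chn_intr() could keep an unconditional `CHN_LOCK(c)`. If the ownership test has to stay, a comment naming the path that enters with the lock held would help, e.g. `/* May be entered with the channel lock held; see <caller>. */` with the real caller filled in.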
diff --git a/sys/dev/vmware/vmxnet3/if_vmx.c b/sys/dev/vmware/vmxnet3/if_vmx.c index 1a314ca6660e..c3706ed24ff5 100644 --- a/sys/dev/vmware/vmxnet3/if_vmx.c +++ b/sys/dev/vmware/vmxnet3/if_vmx.c @@ -46,9 +46,7 @@ #include <net/if_media.h> #include <net/if_vlan_var.h> #include <net/iflib.h> -#ifdef RSS #include <net/rss_config.h> -#endif #include <netinet/in_systm.h> #include <netinet/in.h> @@ -1141,18 +1139,6 @@ vmxnet3_init_shared_data(struct vmxnet3_softc *sc) static void vmxnet3_reinit_rss_shared_data(struct vmxnet3_softc *sc) { - /* - * Use the same key as the Linux driver until FreeBSD can do - * RSS (presumably Toeplitz) in software. - */ - static const uint8_t rss_key[UPT1_RSS_MAX_KEY_SIZE] = { - 0x3b, 0x56, 0xd1, 0x56, 0x13, 0x4a, 0xe7, 0xac, - 0xe8, 0x79, 0x09, 0x75, 0xe8, 0x65, 0x79, 0x28, - 0x35, 0x12, 0xb9, 0x56, 0x7c, 0x76, 0x4b, 0x70, - 0xd8, 0x56, 0xa3, 0x18, 0x9b, 0x0a, 0xee, 0xf3, - 0x96, 0xa6, 0x9f, 0x8f, 0x9e, 0x8c, 0x90, 0xc9, - }; - if_softc_ctx_t scctx; struct vmxnet3_rss_shared *rss; #ifdef RSS 
@@ -1169,16 +1155,18 @@ vmxnet3_reinit_rss_shared_data(struct vmxnet3_softc *sc) rss->hash_func = UPT1_RSS_HASH_FUNC_TOEPLITZ; rss->hash_key_size = UPT1_RSS_MAX_KEY_SIZE; rss->ind_table_size = UPT1_RSS_MAX_IND_TABLE_SIZE; -#ifdef RSS /* - * If the software RSS is configured to anything else other than - * Toeplitz, then just do Toeplitz in "hardware" for the sake of - * the packet distribution, but report the hash as opaque to - * disengage from the software RSS. + * Always use the kernel RSS key for consistent hashing. + * If software RSS is configured to Toeplitz and RSS CPU steering + * is available, use the RSS indirection table. Otherwise use + * simple round-robin but still report hash as opaque to disengage + * from software RSS when CPU steering is not available. */ + rss_getkey(rss->hash_key); + +#ifdef RSS rss_algo = rss_gethashalgo(); if (rss_algo == RSS_HASH_TOEPLITZ) { - rss_getkey(rss->hash_key); for (i = 0; i < UPT1_RSS_MAX_IND_TABLE_SIZE; i++) { rss->ind_table[i] = rss_get_indirection_to_bucket(i) % scctx->isc_nrxqsets; @@ -1187,7 +1175,6 @@ vmxnet3_reinit_rss_shared_data(struct vmxnet3_softc *sc) } else #endif { - memcpy(rss->hash_key, rss_key, UPT1_RSS_MAX_KEY_SIZE); for (i = 0; i < UPT1_RSS_MAX_IND_TABLE_SIZE; i++) rss->ind_table[i] = i % scctx->isc_nrxqsets; sc->vmx_flags &= ~VMXNET3_FLAG_SOFT_RSS; diff --git a/sys/kern/firmw.S b/sys/kern/firmw.S index cd808d4a9396..1d74f17e449e 100644 --- a/sys/kern/firmw.S +++ b/sys/kern/firmw.S @@ -35,7 +35,7 @@ #define FIRMW_START(S) __CONCAT(_binary_, __CONCAT(S, _start)) #define FIRMW_END(S) __CONCAT(_binary_, __CONCAT(S, _end)) - .section rodata, "a", %progbits + .section .rodata, "a", %progbits .globl FIRMW_START(FIRMW_SYMBOL) .type FIRMW_START(FIRMW_SYMBOL), %object FIRMW_START(FIRMW_SYMBOL): diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c index 81099aa7d28d..34d68927be71 100644 --- a/sys/kern/kern_prot.c +++ b/sys/kern/kern_prot.c 
@@ -526,61 +526,58 @@ gidp_cmp(const void *p1, const void *p2) } /* - * Final storage for supplementary groups will be returned via 'groups'. - * '*groups' must be NULL on input, and if not equal to 'smallgroups' - * on output, must be freed (M_TEMP) *even if* an error is returned. + * 'smallgroups' must be an (uninitialized) array of length CRED_SMALLGROUPS_NB. + * Always sets 'sc_supp_groups', either to a valid kernel-space groups array + * (which may or may not be 'smallgroups'), or NULL if SETCREDF_SUPP_GROUPS was + * not specified, or a buffer containing garbage on copyin() failure. In the + * last two cases, 'sc_supp_groups_nb' is additionally set to 0 as a security + * measure. 'sc_supp_groups' must be freed (M_TEMP) if not equal to + * 'smallgroups' even on failure. */ static int kern_setcred_copyin_supp_groups(struct setcred *const wcred, - const u_int flags, gid_t *const smallgroups, gid_t **const groups) + const u_int flags, gid_t *const smallgroups) { - MPASS(*groups == NULL); + gid_t *groups; + int error; - if (flags & SETCREDF_SUPP_GROUPS) { - int error; + if ((flags & SETCREDF_SUPP_GROUPS) == 0) { + wcred->sc_supp_groups_nb = 0; + wcred->sc_supp_groups = NULL; + return (0); + } - /* - * Check for the limit for number of groups right now in order - * to limit the amount of bytes to copy. - */ - if (wcred->sc_supp_groups_nb > ngroups_max) - return (EINVAL); + /* + * Check the number of groups' limit right now in order to limit the + * amount of bytes to copy. + */ + if (wcred->sc_supp_groups_nb > ngroups_max) + return (EINVAL); - /* - * Since we are going to be copying the supplementary groups - * from userland, make room also for the effective GID right - * now, to avoid having to allocate and copy again the - * supplementary groups. - */ - *groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? - smallgroups : malloc(wcred->sc_supp_groups_nb * - sizeof(*groups), M_TEMP, M_WAITOK); + groups = wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB ? 
+ smallgroups : malloc(wcred->sc_supp_groups_nb * sizeof(gid_t), + M_TEMP, M_WAITOK); - error = copyin(wcred->sc_supp_groups, *groups, - wcred->sc_supp_groups_nb * sizeof(*groups)); - if (error != 0) - return (error); - wcred->sc_supp_groups = *groups; - } else { + error = copyin(wcred->sc_supp_groups, groups, + wcred->sc_supp_groups_nb * sizeof(gid_t)); + wcred->sc_supp_groups = groups; + if (error != 0) { wcred->sc_supp_groups_nb = 0; - wcred->sc_supp_groups = NULL; + return (error); } return (0); } int -user_setcred(struct thread *td, const u_int flags, - const void *const uwcred, const size_t size, bool is_32bit) +user_setcred(struct thread *td, const u_int flags, struct setcred *const wcred) { - struct setcred wcred; #ifdef MAC struct mac mac; /* Pointer to 'struct mac' or 'struct mac32'. */ void *umac; #endif gid_t smallgroups[CRED_SMALLGROUPS_NB]; - gid_t *groups = NULL; int error; /* 
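Review bot: The early `return (EINVAL);` for `sc_supp_groups_nb > ngroups_max` in kern_setcred_copyin_supp_groups leaves `wcred->sc_supp_groups` holding whatever the caller passed in, which contradicts the header comment's "Always sets 'sc_supp_groups'". user_setcred() (next hunk) then jumps to `free_groups` and calls `free(wcred->sc_supp_groups, M_TEMP)` on that value, and sys_setcred() fills the field straight from `copyin()`, so the kernel would end up freeing a userland-supplied pointer value. Set `wcred->sc_supp_groups = NULL;` and `wcred->sc_supp_groups_nb = 0;` before that return, or move the limit check after the assignments. user_setcred's body starts in this hunk and continues in the next one.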
@@ -593,70 +590,40 @@ user_setcred(struct thread *td, const u_int flags, if ((flags & ~SETCREDF_MASK) != 0) return (EINVAL); -#ifdef COMPAT_FREEBSD32 - if (is_32bit) { - struct setcred32 wcred32; - - if (size != sizeof(wcred32)) - return (EINVAL); - error = copyin(uwcred, &wcred32, sizeof(wcred32)); - if (error != 0) - return (error); - /* These fields have exactly the same sizes and positions. */ - memcpy(&wcred, &wcred32, __rangeof(struct setcred32, - setcred32_copy_start, setcred32_copy_end)); - /* Remaining fields are pointers and need PTRIN*(). */ - PTRIN_CP(wcred32, wcred, sc_supp_groups); - PTRIN_CP(wcred32, wcred, sc_label); - } else -#endif /* COMPAT_FREEBSD32 */ - { - if (size != sizeof(wcred)) - return (EINVAL); - error = copyin(uwcred, &wcred, sizeof(wcred)); - if (error != 0) - return (error); - } #ifdef MAC - umac = wcred.sc_label; + umac = wcred->sc_label; #endif /* Also done on !MAC as a defensive measure. */ - wcred.sc_label = NULL; + wcred->sc_label = NULL; /* * Copy supplementary groups as needed. There is no specific * alternative for 32-bit compatibility as 'gid_t' has the same size * everywhere. 
*/ - error = kern_setcred_copyin_supp_groups(&wcred, flags, smallgroups, - &groups); + error = kern_setcred_copyin_supp_groups(wcred, flags, smallgroups); if (error != 0) goto free_groups; #ifdef MAC if ((flags & SETCREDF_MAC_LABEL) != 0) { -#ifdef COMPAT_FREEBSD32 - if (is_32bit) - error = mac_label_copyin32(umac, &mac, NULL); - else -#endif - error = mac_label_copyin(umac, &mac, NULL); + error = mac_label_copyin(umac, &mac, NULL); if (error != 0) goto free_groups; - wcred.sc_label = &mac; + wcred->sc_label = &mac; } #endif - error = kern_setcred(td, flags, &wcred, groups); + error = kern_setcred(td, flags, wcred); #ifdef MAC - if (wcred.sc_label != NULL) - free_copied_label(wcred.sc_label); + if (wcred->sc_label != NULL) + free_copied_label(wcred->sc_label); #endif free_groups: - if (groups != smallgroups) - free(groups, M_TEMP); + if (wcred->sc_supp_groups != smallgroups) + free(wcred->sc_supp_groups, M_TEMP); return (error); } 
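Review bot: On return, user_setcred() leaves the caller's `wcred` pointing at memory that is no longer valid: `sc_label` still refers to the local `mac` after `free_copied_label()`, and `sc_supp_groups` refers either to the freed M_TEMP buffer or to the local `smallgroups` array. Now that `wcred` belongs to the caller instead of being a local, clearing the fields at `free_groups` (`wcred->sc_label = NULL;`, `wcred->sc_supp_groups = NULL;`, `wcred->sc_supp_groups_nb = 0;`) would keep a later caller from reusing them by mistake. At minimum the function comment should state that `wcred` is consumed by the call. The start of the function is in the previous hunk.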
@@ -672,29 +639,31 @@ struct setcred_args { int sys_setcred(struct thread *td, struct setcred_args *uap) { - return (user_setcred(td, uap->flags, uap->wcred, uap->size, false)); + struct setcred wcred; + int error; + + if (uap->size != sizeof(wcred)) + return (EINVAL); + error = copyin(uap->wcred, &wcred, sizeof(wcred)); + if (error != 0) + return (error); + return (user_setcred(td, uap->flags, &wcred)); } /* * CAUTION: This function normalizes groups in 'wcred'. - * - * If 'preallocated_groups' is non-NULL, it must be an already allocated array - * of size 'wcred->sc_supp_groups_nb' containing the supplementary groups, and - * 'wcred->sc_supp_groups' then must point to it. */ int kern_setcred(struct thread *const td, const u_int flags, - struct setcred *const wcred, gid_t *preallocated_groups) + struct setcred *const wcred) { struct proc *const p = td->td_proc; - struct ucred *new_cred, *old_cred, *to_free_cred; + struct ucred *new_cred, *old_cred, *to_free_cred = NULL; struct uidinfo *uip = NULL, *ruip = NULL; #ifdef MAC void *mac_set_proc_data = NULL; bool proc_label_set = false; #endif - gid_t *groups = NULL; - gid_t smallgroups[CRED_SMALLGROUPS_NB]; int error; bool cred_set = false; 
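Review bot: The header comment for kern_setcred() no longer says what `wcred->sc_supp_groups` must be now that the function stops making its own copy. The later hunks pass it directly to `groups_normalize()` and `crsetgroups_internal()`, so it has to be a writable kernel-space array of `sc_supp_groups_nb` entries that the caller is prepared to see modified. I would extend the comment with something like `'wcred->sc_supp_groups' must be a writable kernel array of 'sc_supp_groups_nb' entries; it is normalized in place.` In-kernel callers that used to pass `preallocated_groups == NULL` are not visible here and should be checked against that requirement. The function body continues beyond this hunk.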
@@ -706,32 +675,18 @@ kern_setcred(struct thread *const td, const u_int flags, * Part 1: We allocate and perform preparatory operations with no locks. */ - if (flags & SETCREDF_SUPP_GROUPS) { - if (wcred->sc_supp_groups_nb > ngroups_max) + if ((flags & SETCREDF_SUPP_GROUPS) != 0 && + wcred->sc_supp_groups_nb > ngroups_max) return (EINVAL); - if (preallocated_groups != NULL) { - groups = preallocated_groups; - MPASS(preallocated_groups == wcred->sc_supp_groups); - } else { - if (wcred->sc_supp_groups_nb <= CRED_SMALLGROUPS_NB) - groups = smallgroups; - else - groups = malloc(wcred->sc_supp_groups_nb * - sizeof(*groups), M_TEMP, M_WAITOK); - memcpy(groups, wcred->sc_supp_groups, - wcred->sc_supp_groups_nb * sizeof(*groups)); - } - } if (flags & SETCREDF_MAC_LABEL) { #ifdef MAC error = mac_set_proc_prepare(td, wcred->sc_label, &mac_set_proc_data); if (error != 0) - goto free_groups; + return (error); #else - error = ENOTSUP; - goto free_groups; + return (ENOTSUP); #endif } @@ -757,8 +712,10 @@ kern_setcred(struct thread *const td, const u_int flags, * Output the raw supplementary groups array for better * traceability. */ - AUDIT_ARG_GROUPSET(groups, wcred->sc_supp_groups_nb); - groups_normalize(&wcred->sc_supp_groups_nb, groups); + AUDIT_ARG_GROUPSET(wcred->sc_supp_groups, + wcred->sc_supp_groups_nb); + groups_normalize(&wcred->sc_supp_groups_nb, + wcred->sc_supp_groups); } /* @@ -799,7 +756,7 @@ kern_setcred(struct thread *const td, const u_int flags, */ if (flags & SETCREDF_SUPP_GROUPS) crsetgroups_internal(new_cred, wcred->sc_supp_groups_nb, - groups); + wcred->sc_supp_groups); if (flags & SETCREDF_GID) change_egid(new_cred, wcred->sc_gid); if (flags & SETCREDF_RGID) @@ -886,9 +843,7 @@ unlock_finish: uifree(uip); if (ruip != NULL) uifree(ruip); -free_groups: - if (groups != preallocated_groups && groups != smallgroups) - free(groups, M_TEMP); /* Deals with 'groups' being NULL. */ + return (error); } 
diff --git a/sys/modules/agp/Makefile b/sys/modules/agp/Makefile index d27a78b7e437..f24f05f28407 100644 --- a/sys/modules/agp/Makefile +++ b/sys/modules/agp/Makefile @@ -36,6 +36,7 @@ EXPORT_SYMS+= intel_gtt_clear_range \ intel_gtt_install_pte \ intel_gtt_get \ intel_gtt_chipset_flush \ + intel_gtt_read_pte \ intel_gtt_unmap_memory \ intel_gtt_map_memory \ intel_gtt_insert_sg_entries \ diff --git a/sys/net/if.h b/sys/net/if.h index d54190f6ccf8..0bbd9906f5cf 100644 --- a/sys/net/if.h +++ b/sys/net/if.h @@ -253,8 +253,8 @@ struct if_data { #define IFCAP_B_VXLAN_HWCSUM 29 /* can do IFCAN_HWCSUM on VXLANs */ #define IFCAP_B_VXLAN_HWTSO 30 /* can do IFCAP_TSO on VXLANs */ #define IFCAP_B_TXTLS_RTLMT 31 /* can do TLS with rate limiting */ -#define IFCAP_B_RXTLS4 32 /* can to TLS receive for TCP */ -#define IFCAP_B_RXTLS6 33 /* can to TLS receive for TCP6 */ +#define IFCAP_B_RXTLS4 32 /* can do TLS receive for TCP */ +#define IFCAP_B_RXTLS6 33 /* can do TLS receive for TCP6 */ #define IFCAP_B_IPSEC_OFFLOAD 34 /* inline IPSEC offload */ #define __IFCAP_B_SIZE 35 diff --git a/sys/net/if_loop.c b/sys/net/if_loop.c index 3005965a4fcb..ec0ff0e77aa6 100644 --- a/sys/net/if_loop.c +++ b/sys/net/if_loop.c @@ -219,9 +219,7 @@ looutput(struct ifnet *ifp, struct mbuf *m, const struct sockaddr *dst, if_inc_counter(ifp, IFCOUNTER_OPACKETS, 1); if_inc_counter(ifp, IFCOUNTER_OBYTES, m->m_pkthdr.len); -#ifdef RSS M_HASHTYPE_CLEAR(m); -#endif /* BPF writes need to be handled specially. */ if (dst->sa_family == AF_UNSPEC || dst->sa_family == pseudo_AF_HDRCMPLT) diff --git a/sys/net/rss_config.c b/sys/net/rss_config.c index 266ea57b2dc9..9e4120a4e9dd 100644 --- a/sys/net/rss_config.c +++ b/sys/net/rss_config.c @@ -29,6 +29,8 @@ #include "opt_inet6.h" +#include "opt_inet.h" +#include "opt_rss.h" #include <sys/param.h> #include <sys/mbuf.h> 
@@ -72,6 +74,10 @@ * placement and pcbgroup expectations. */ +#if !defined(INET) && !defined(INET6) +#define _net_inet _net +#define _net_inet_rss _net_rss +#endif SYSCTL_DECL(_net_inet); SYSCTL_NODE(_net_inet, OID_AUTO, rss, CTLFLAG_RW | CTLFLAG_MPSAFE, 0, "Receive-side steering"); @@ -84,6 +90,7 @@ static u_int rss_hashalgo = RSS_HASH_TOEPLITZ; SYSCTL_INT(_net_inet_rss, OID_AUTO, hashalgo, CTLFLAG_RDTUN, &rss_hashalgo, 0, "RSS hash algorithm"); +#ifdef RSS /* * Size of the indirection table; at most 128 entries per the RSS spec. We * size it to at least 2 times the number of CPUs by default to allow useful @@ -132,6 +139,7 @@ static const u_int rss_basecpu; SYSCTL_INT(_net_inet_rss, OID_AUTO, basecpu, CTLFLAG_RD, __DECONST(int *, &rss_basecpu), 0, "RSS base CPU"); +#endif /* * Print verbose debugging messages. * 0 - disable @@ -159,6 +167,7 @@ static uint8_t rss_key[RSS_KEYSIZE] = { 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa, }; +#ifdef RSS /* * RSS hash->CPU table, which maps hashed packet headers to particular CPUs. * Drivers may supplement this table with a separate CPU<->queue table when @@ -168,13 +177,15 @@ struct rss_table_entry { uint8_t rte_cpu; /* CPU affinity of bucket. */ }; static struct rss_table_entry rss_table[RSS_TABLE_MAXLEN]; +#endif static void rss_init(__unused void *arg) { +#ifdef RSS u_int i; u_int cpuid; - +#endif /* * Validate tunables, coerce to sensible values. */ @@ -189,6 +200,7 @@ rss_init(__unused void *arg) rss_hashalgo = RSS_HASH_TOEPLITZ; } +#ifdef RSS /* * Count available CPUs. * @@ -248,7 +260,7 @@ rss_init(__unused void *arg) rss_table[i].rte_cpu = cpuid; cpuid = CPU_NEXT(cpuid); } - +#endif /* RSS */ /* * Randomize rrs_key. * 
@@ -293,6 +305,30 @@ rss_hash(u_int datalen, const uint8_t *data) } /* + * Query the current RSS key; likely to be used by device drivers when + * configuring hardware RSS. Caller must pass an array of size RSS_KEYSIZE. + * + * XXXRW: Perhaps we should do the accept-a-length-and-truncate thing? + */ +void +rss_getkey(uint8_t *key) +{ + + bcopy(rss_key, key, sizeof(rss_key)); +} + +/* + * Query the RSS hash algorithm. + */ +u_int +rss_gethashalgo(void) +{ + + return (rss_hashalgo); +} + +#ifdef RSS +/* * Query the number of RSS bits in use. */ u_int @@ -407,29 +443,6 @@ rss_m2bucket(struct mbuf *m, uint32_t *bucket_id) } /* - * Query the RSS hash algorithm. - */ -u_int -rss_gethashalgo(void) -{ - - return (rss_hashalgo); -} - -/* - * Query the current RSS key; likely to be used by device drivers when - * configuring hardware RSS. Caller must pass an array of size RSS_KEYSIZE. - * - * XXXRW: Perhaps we should do the accept-a-length-and-truncate thing? - */ -void -rss_getkey(uint8_t *key) -{ - - bcopy(rss_key, key, sizeof(rss_key)); -} - -/* * Query the number of buckets; this may be used by both network device * drivers, which will need to populate hardware shadows of the software * indirection table, and the network stack itself (such as when deciding how @@ -454,6 +467,7 @@ rss_getnumcpus(void) return (rss_ncpus); } +#endif /* * Return the supported RSS hash configuration. * @@ -517,6 +531,7 @@ SYSCTL_PROC(_net_inet_rss, OID_AUTO, key, CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, sysctl_rss_key, "", "RSS keying material"); +#ifdef RSS static int sysctl_rss_bucket_mapping(SYSCTL_HANDLER_ARGS) { @@ -544,3 +559,4 @@ sysctl_rss_bucket_mapping(SYSCTL_HANDLER_ARGS) SYSCTL_PROC(_net_inet_rss, OID_AUTO, bucket_mapping, CTLTYPE_STRING | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, sysctl_rss_bucket_mapping, "", "RSS bucket -> CPU mapping"); +#endif diff --git a/sys/net/rss_config.h b/sys/net/rss_config.h index 07c2d09b44c5..aaa282b12e72 100644 --- a/sys/net/rss_config.h 
+++ b/sys/net/rss_config.h @@ -104,6 +104,7 @@ extern int rss_debug; +#ifdef RSS /* * Device driver interfaces to query RSS properties that must be programmed * into hardware. @@ -112,16 +113,8 @@ u_int rss_getbits(void); u_int rss_getbucket(u_int hash); u_int rss_get_indirection_to_bucket(u_int index); u_int rss_getcpu(u_int bucket); -void rss_getkey(uint8_t *key); -u_int rss_gethashalgo(void); u_int rss_getnumbuckets(void); u_int rss_getnumcpus(void); -u_int rss_gethashconfig(void); - -/* - * Hash calculation functions. - */ -uint32_t rss_hash(u_int datalen, const uint8_t *data); /* * Network stack interface to query desired CPU affinity of a packet. @@ -132,4 +125,15 @@ int rss_hash2bucket(uint32_t hash_val, uint32_t hash_type, uint32_t *bucket_id); int rss_m2bucket(struct mbuf *m, uint32_t *bucket_id); +#endif /* RSS */ + +void rss_getkey(uint8_t *key); +u_int rss_gethashalgo(void); +u_int rss_gethashconfig(void); +/* + * Hash calculation functions. + */ +uint32_t rss_hash(u_int datalen, const uint8_t *data); + + #endif /* !_NET_RSS_CONFIG_H_ */ diff --git a/sys/netinet/in_rss.c b/sys/netinet/in_rss.c index f93a1d2bfd7b..4854265bd9f4 100644 --- a/sys/netinet/in_rss.c +++ b/sys/netinet/in_rss.c @@ -29,6 +29,7 @@ #include "opt_inet6.h" +#include "opt_rss.h" #include <sys/param.h> #include <sys/mbuf.h> @@ -350,6 +351,7 @@ rss_mbuf_software_hash_v4(const struct mbuf *m, int dir, uint32_t *hashval, } } +#ifdef RSS /* * Similar to rss_m2cpuid, but designed to be used by the IP NETISR * on incoming frames. @@ -387,3 +389,4 @@ rss_soft_m2cpuid_v4(struct mbuf *m, uintptr_t source, u_int *cpuid) } return (m); } +#endif diff --git a/sys/netinet/tcp_usrreq.c b/sys/netinet/tcp_usrreq.c index 4d1a6455d09e..aeb28cd6a144 100644 --- a/sys/netinet/tcp_usrreq.c +++ b/sys/netinet/tcp_usrreq.c 
@@ -75,6 +75,7 @@ #include <netinet/in.h> #include <netinet/in_kdtrace.h> #include <netinet/in_pcb.h> +#include <netinet/in_rss.h> #include <netinet/in_systm.h> #include <netinet/in_var.h> #include <netinet/ip.h> @@ -82,6 +83,7 @@ #ifdef INET6 #include <netinet/ip6.h> #include <netinet6/in6_pcb.h> +#include <netinet6/in6_rss.h> #include <netinet6/ip6_var.h> #include <netinet6/scope6_var.h> #endif @@ -1487,6 +1489,10 @@ tcp_connect(struct tcpcb *tp, struct sockaddr_in *sin, struct thread *td) if (error != 0) return (error); + /* set the hash on the connection */ + rss_proto_software_hash_v4(inp->inp_faddr, inp->inp_laddr, + inp->inp_fport, inp->inp_lport, IPPROTO_TCP, + &inp->inp_flowid, &inp->inp_flowtype); /* * Compute window scaling to request: * Scale to fit into sweet spot. See tcp_syncache.c. @@ -1532,6 +1538,10 @@ tcp6_connect(struct tcpcb *tp, struct sockaddr_in6 *sin6, struct thread *td) if (error != 0) return (error); + /* set the hash on the connection */ + rss_proto_software_hash_v6(&inp->in6p_faddr, + &inp->in6p_laddr, inp->inp_fport, inp->inp_lport, IPPROTO_TCP, + &inp->inp_flowid, &inp->inp_flowtype); /* Compute window scaling to request. */ while (tp->request_r_scale < TCP_MAX_WINSHIFT && (TCP_MAXWIN << tp->request_r_scale) < sb_max) diff --git a/sys/netinet6/in6_rss.c b/sys/netinet6/in6_rss.c index 79c7bfa6e68c..3d98d0065d1e 100644 --- a/sys/netinet6/in6_rss.c +++ b/sys/netinet6/in6_rss.c @@ -29,6 +29,7 @@ #include "opt_inet6.h" +#include "opt_rss.h" #include <sys/param.h> #include <sys/mbuf.h> @@ -375,6 +376,7 @@ rss_mbuf_software_hash_v6(const struct mbuf *m, int dir, uint32_t *hashval, } } +#ifdef RSS /* * Similar to rss_m2cpuid, but designed to be used by the IPv6 NETISR * on incoming frames. @@ -412,3 +414,4 @@ rss_soft_m2cpuid_v6(struct mbuf *m, uintptr_t source, u_int *cpuid) } return (m); } +#endif diff --git a/sys/netlink/netlink_snl.h b/sys/netlink/netlink_snl.h index 57f7e1e29d08..1e560e029718 100644 --- a/sys/netlink/netlink_snl.h 
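Review bot: In tcp_connect() the result of `rss_proto_software_hash_v4()` is discarded, and the same holds for `rss_proto_software_hash_v6()` in the tcp6_connect() hunk. The declarations are not part of this diff, but if these functions can decline to hash (for example when the TCP 4-tuple hash type is not enabled), `inp->inp_flowid` and `inp->inp_flowtype` keep whatever they held before and the comment `set the hash on the connection` overstates what happened. Either check the return value, or make the comment say that failure is deliberately ignored, e.g. `/* Best effort: on failure the flow id and type are left unchanged. */`. Both function bodies continue outside the hunks.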
+++ b/sys/netlink/netlink_snl.h @@ -1082,6 +1082,7 @@ snl_init_writer(struct snl_state *ss, struct snl_writer *nw) static inline bool snl_realloc_msg_buffer(struct snl_writer *nw, size_t sz) { + void *new_base; uint32_t new_size = nw->size * 2; while (new_size < nw->size + sz) @@ -1090,23 +1091,27 @@ snl_realloc_msg_buffer(struct snl_writer *nw, size_t sz) if (nw->error) return (false); - if (snl_allocz(nw->ss, new_size) == NULL) { + new_base = snl_allocz(nw->ss, new_size); + if (new_base == NULL) { nw->error = true; return (false); } - nw->size = new_size; - void *new_base = nw->ss->lb->base; - if (new_base != nw->base) { - memcpy(new_base, nw->base, nw->offset); - if (nw->hdr != NULL) { - int hdr_off = (char *)(nw->hdr) - nw->base; + if (new_base == nw->ss->lb->base) { + /* Claim the entire linear buffer. */ + nw->size = nw->ss->lb->size; + nw->ss->lb->offset = nw->ss->lb->size; + } else + nw->size = new_size; - nw->hdr = (struct nlmsghdr *) - (void *)((char *)new_base + hdr_off); - } - nw->base = (char *)new_base; + memcpy(new_base, nw->base, nw->offset); + if (nw->hdr != NULL) { + int hdr_off = (char *)(nw->hdr) - nw->base; + + nw->hdr = (struct nlmsghdr *) + (void *)((char *)new_base + hdr_off); } + nw->base = (char *)new_base; return (true); } diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 5e919e35b07b..74d2182fe77b 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -7396,7 +7396,11 @@ pf_sctp_track(struct pf_kstate *state, struct pf_pdesc *pd, } if (src->scrub != NULL) { - if (src->scrub->pfss_v_tag == 0) + /* + * Allow tags to be updated, in case of retransmission of + * INIT/INIT_ACK chunks. + **/ + if (src->state <= SCTP_COOKIE_WAIT) src->scrub->pfss_v_tag = pd->hdr.sctp.v_tag; else if (src->scrub->pfss_v_tag != pd->hdr.sctp.v_tag) return (PF_DROP); diff --git a/sys/riscv/conf/GENERIC b/sys/riscv/conf/GENERIC index 36e3fcd41970..b645cd3499cb 100644 --- a/sys/riscv/conf/GENERIC +++ b/sys/riscv/conf/GENERIC 
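Review bot: The growth loop at the top of snl_realloc_msg_buffer() can wrap, and this change leaves it as is: `new_size` is a `uint32_t`, so when `nw->size + sz` exceeds half the 32-bit range the doubling can reach 0, after which `while (new_size < nw->size + sz)` never terminates. Whether callers can pass an `sz` that large is not visible here, but the check is cheap and belongs next to the allocation this commit reworks. I would initialise `new_size` after a guard such as `if (nw->size > UINT32_MAX / 2 || sz > UINT32_MAX / 2 - nw->size) { nw->error = true; return (false); }`. Separately, `int hdr_off` narrows a pointer difference; `ptrdiff_t` would match the expression.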
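Review bot: The new condition in pf_sctp_track() overwrites `src->scrub->pfss_v_tag` for every packet seen while `src->state <= SCTP_COOKIE_WAIT`, whereas the comment limits the intent to retransmitted INIT/INIT_ACK chunks. Nothing in the hunk looks at the chunk type, so unless the caller already restricts this path, any packet on the state in that window replaces the stored tag instead of being compared with it and dropped on mismatch. If only INIT/INIT_ACK should refresh the tag, the condition should say so; otherwise the comment should state that verification-tag checking only begins after COOKIE_WAIT. The comment also closes with `**/` where `*/` is meant. pf_sctp_track() starts and ends outside the hunk.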
@@ -31,6 +31,7 @@ options INET6 # IPv6 communications protocols options TCP_HHOOK # hhook(9) framework for TCP options IPSEC_SUPPORT # Allow kldload of ipsec and tcpmd5 options ROUTE_MPATH # Multipath routing support +options FIB_ALGO # Modular fib lookups options TCP_OFFLOAD # TCP offload options TCP_BLACKBOX # Enhanced TCP event logging options TCP_RFC7413 # TCP Fast Open diff --git a/sys/security/mac/mac_syscalls.c b/sys/security/mac/mac_syscalls.c index 26181781a394..13c7998041f9 100644 --- a/sys/security/mac/mac_syscalls.c +++ b/sys/security/mac/mac_syscalls.c @@ -57,6 +57,7 @@ #include <sys/proc.h> #include <sys/systm.h> #include <sys/sysctl.h> +#include <sys/sysent.h> #include <sys/sysproto.h> #include <sys/vnode.h> #include <sys/mount.h> @@ -94,15 +95,15 @@ struct mac32 { * after use by calling free_copied_label() (which see). On success, 'u_string' * if not NULL is filled with the userspace address for 'u_mac->m_string'. */ -static int -mac_label_copyin_impl(const void *const u_mac, struct mac *const mac, - char **const u_string, bool is_32bit) +int +mac_label_copyin(const void *const u_mac, struct mac *const mac, + char **const u_string) { char *buffer; int error; #ifdef COMPAT_FREEBSD32 - if (is_32bit) { + if (SV_CURPROC_FLAG(SV_ILP32)) { struct mac32 mac32; error = copyin(u_mac, &mac32, sizeof(mac32)); @@ -138,28 +139,12 @@ mac_label_copyin_impl(const void *const u_mac, struct mac *const mac, return (0); } -int -mac_label_copyin(const struct mac *const u_mac, struct mac *const mac, - char **const u_string) -{ - return (mac_label_copyin_impl(u_mac, mac, u_string, false)); -} - void free_copied_label(const struct mac *const mac) { free(mac->m_string, M_MACTEMP); } -#ifdef COMPAT_FREEBSD32 -int -mac_label_copyin32(const struct mac32 *const u_mac, - struct mac *const mac, char **const u_string) -{ - return (mac_label_copyin_impl(u_mac, mac, u_string, true)); -} -#endif - int sys___mac_get_pid(struct thread *td, struct __mac_get_pid_args *uap) { 
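Review bot: mac_label_copyin() now selects the userspace layout from `SV_CURPROC_FLAG(SV_ILP32)` and takes `u_mac` as `const void *`, but the function comment (its tail is visible above the signature) mentions neither. The compiler no longer checks what callers pass, and the interpretation depends on the ABI of the calling process, so a caller handling a pointer that came from a process with a different ABI would read the wrong structure under COMPAT_FREEBSD32. I would add to the comment: `'u_mac' is a userspace pointer to a 'struct mac', or to a 'struct mac32' if the current process is 32-bit; call only in the context of the process that supplied it.` The function body continues past this hunk.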
diff --git a/sys/security/mac/mac_syscalls.h b/sys/security/mac/mac_syscalls.h index 4efeaf300d31..f95ff3ef1264 100644 --- a/sys/security/mac/mac_syscalls.h +++ b/sys/security/mac/mac_syscalls.h @@ -19,17 +19,10 @@ #error "no user-serviceable parts inside" #endif -int mac_label_copyin(const struct mac *const u_mac, struct mac *const mac, +int mac_label_copyin(const void *const u_mac, struct mac *const mac, char **const u_string); void free_copied_label(const struct mac *const mac); -#ifdef COMPAT_FREEBSD32 -struct mac32; - -int mac_label_copyin32(const struct mac32 *const u_mac, - struct mac *const mac, char **const u_string); -#endif /* COMPAT_FREEBSD32 */ - int mac_set_proc_prepare(struct thread *const td, const struct mac *const mac, void **const mac_set_proc_data); int mac_set_proc_core(struct thread *const td, struct ucred *const newcred, diff --git a/sys/sys/efi-edk2.h b/sys/sys/efi-edk2.h index b27b26bd613c..d591c253a3e0 100644 --- a/sys/sys/efi-edk2.h +++ b/sys/sys/efi-edk2.h @@ -72,7 +72,7 @@ typedef void VOID; /* * Note: the EDK2 code assumed #pragma packed works and PACKED is a * workaround for some old toolchain issues for EDK2 that aren't - * relevent to FreeBSD. + * relevant to FreeBSD. */ #define PACKED diff --git a/sys/sys/syscallsubr.h b/sys/sys/syscallsubr.h index 350e4073604e..4ddd2eba25c8 100644 --- a/sys/sys/syscallsubr.h +++ b/sys/sys/syscallsubr.h @@ -326,7 +326,7 @@ int kern_select(struct thread *td, int nd, fd_set *fd_in, fd_set *fd_ou, int kern_sendit(struct thread *td, int s, struct msghdr *mp, int flags, struct mbuf *control, enum uio_seg segflg); int kern_setcred(struct thread *const td, const u_int flags, - struct setcred *const wcred, gid_t *preallocated_groups); + struct setcred *const wcred); int kern_setgroups(struct thread *td, int *ngrpp, gid_t *groups); int kern_setitimer(struct thread *, u_int, struct itimerval *, struct itimerval *); diff --git a/sys/sys/ucred.h b/sys/sys/ucred.h index 254f58841993..ba241cf9ff3a 100644 
--- a/sys/sys/ucred.h +++ b/sys/sys/ucred.h @@ -181,7 +181,6 @@ struct setcred { SETCREDF_MAC_LABEL) struct setcred32 { -#define setcred32_copy_start sc_uid uid_t sc_uid; uid_t sc_ruid; uid_t sc_svuid; @@ -190,7 +189,6 @@ struct setcred32 { gid_t sc_svgid; u_int sc_pad; u_int sc_supp_groups_nb; -#define setcred32_copy_end sc_supp_groups uint32_t sc_supp_groups; /* gid_t [*] */ uint32_t sc_label; /* struct mac32 [*] */ }; @@ -198,8 +196,8 @@ struct setcred32 { struct thread; /* Common native and 32-bit compatibility entry point. */ -int user_setcred(struct thread *td, const u_int flags, - const void *const uwcred, const size_t size, bool is_32bit); +int user_setcred(struct thread *td, const u_int flags, + struct setcred *const wcred); struct proc; diff --git a/sys/vm/vm_object.c b/sys/vm/vm_object.c index 5b4517d2bf0c..413ba5459e3d 100644 --- a/sys/vm/vm_object.c +++ b/sys/vm/vm_object.c @@ -1988,7 +1988,7 @@ vm_object_page_remove(vm_object_t object, vm_pindex_t start, vm_pindex_t end, (options & (OBJPR_CLEANONLY | OBJPR_NOTMAPPED)) == OBJPR_NOTMAPPED, ("vm_object_page_remove: illegal options for object %p", object)); if (object->resident_page_count == 0) - return; + goto remove_pager; vm_object_pip_add(object, 1); vm_page_iter_limit_init(&pages, object, end); again: @@ -2061,6 +2061,7 @@ wired: } vm_object_pip_wakeup(object); +remove_pager: vm_pager_freespace(object, start, (end == 0 ? object->size : end) - start); } diff --git a/tests/sys/netpfil/pf/sctp.py b/tests/sys/netpfil/pf/sctp.py index f492f26b63a1..9f1d7dea4ef6 100644 --- a/tests/sys/netpfil/pf/sctp.py +++ b/tests/sys/netpfil/pf/sctp.py 
@@ -551,6 +551,73 @@ class TestSCTP(VnetTestTemplate): assert re.search(r"epair.*sctp 192.0.2.1:.*192.0.2.3:1234", states) assert re.search(r"epair.*sctp 192.0.2.1:.*192.0.2.2:1234", states) +class TestSCTP_SRV(VnetTestTemplate): + REQUIRED_MODULES = ["sctp", "pf"] + TOPOLOGY = { + "vnet1": {"ifaces": ["if1"]}, + "vnet2": {"ifaces": ["if1"]}, + "if1": {"prefixes4": [("192.0.2.1/24", "192.0.2.2/24")]}, + } + + def vnet2_handler(self, vnet): + ToolsHelper.print_output("/sbin/pfctl -e") + ToolsHelper.pf_rules([ + "set state-policy if-bound", + "pass inet proto sctp", + "pass on lo"]) + + # Start an SCTP server process, pipe the ppid + data back to the other vnet? + srv = SCTPServer(socket.AF_INET, port=1234) + while True: + srv.accept(vnet) + + @pytest.mark.require_user("root") + @pytest.mark.require_progs(["scapy"]) + def test_initiate_tag_check(self): + # Ensure we don't send ABORTs in response to the other end's INIT_ACK + # That'd interfere with our test. + ToolsHelper.print_output("/sbin/sysctl net.inet.sctp.blackhole=2") + + import scapy.all as sp + + packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \ + / sp.SCTP(sport=1234, dport=1234) \ + / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500) + packet.show() + + r = sp.sr1(packet, timeout=3) + assert r + r.show() + assert r.getlayer(sp.SCTP) + assert r.getlayer(sp.SCTPChunkInitAck) + assert r.getlayer(sp.SCTP).tag == 1 + + # Send another INIT with the same initiate tag, expect another init ack + packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \ + / sp.SCTP(sport=1234, dport=1234) \ + / sp.SCTPChunkInit(init_tag=1, n_in_streams=1, n_out_streams=1, a_rwnd=1500) + packet.show() + + r = sp.sr1(packet, timeout=3) + assert r + r.show() + assert r.getlayer(sp.SCTP) + assert r.getlayer(sp.SCTPChunkInitAck) + assert r.getlayer(sp.SCTP).tag == 1 + + # Send an INIT with a different initiate tag, expect another init ack + packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \ + / sp.SCTP(sport=1234, 
dport=1234) \ + / sp.SCTPChunkInit(init_tag=42, n_in_streams=1, n_out_streams=1, a_rwnd=1500) + packet.show() + + r = sp.sr1(packet, timeout=3) + assert r + r.show() + assert r.getlayer(sp.SCTP) + assert r.getlayer(sp.SCTPChunkInitAck) + assert r.getlayer(sp.SCTP).tag == 42 + class TestSCTPv6(VnetTestTemplate): REQUIRED_MODULES = ["sctp", "pf"] TOPOLOGY = { diff --git a/usr.bin/beep/beep.1 b/usr.bin/beep/beep.1 index 732f2ae261cd..a13d220a7882 100644 --- a/usr.bin/beep/beep.1 +++ b/usr.bin/beep/beep.1 
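Review bot: test_initiate_tag_check() repeats the same build, send and assert sequence three times, differing only in `init_tag`, which makes it hard to see that the cases are "tag 1", "tag 1 again" and "tag 42". A helper that takes the tag keeps the three cases on one line and states the expected tag once. The test also sets `net.inet.sctp.blackhole=2` and never restores it; if that sysctl is not confined to the vnet the test runs in, later tests inherit the setting.

```python
    def _expect_init_ack(self, sp, tag):
        """Send an INIT carrying 'tag' and require an INIT_ACK that echoes it."""
        packet = sp.IP(src="192.0.2.1", dst="192.0.2.2") \
            / sp.SCTP(sport=1234, dport=1234) \
            / sp.SCTPChunkInit(init_tag=tag, n_in_streams=1, n_out_streams=1, a_rwnd=1500)
        packet.show()

        r = sp.sr1(packet, timeout=3)
        assert r
        r.show()
        assert r.getlayer(sp.SCTP)
        assert r.getlayer(sp.SCTPChunkInitAck)
        assert r.getlayer(sp.SCTP).tag == tag

    # … unchanged: decorators, def test_initiate_tag_check, sysctl setup, scapy import …
        # Same tag twice (retransmitted INIT), then a different tag.
        for tag in (1, 1, 42):
            self._expect_init_ack(sp, tag)
```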
@@ -21,53 +21,55 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd November 4, 2021 -.Dt beep 1 +.Dd November 19, 2025 +.Dt BEEP 1 .Os .Sh NAME .Nm beep .Nd play a beep sound .Sh SYNOPSIS .Nm -.Op Fl F Ar frequency +.Op Fl Bh .Op Fl D Ar duration_ms -.Op Fl r Ar sample_rate_hz +.Op Fl F Ar frequency_hz .Op Fl d Ar oss_device .Op Fl g Ar gain -.Op Fl B -.Op Fl h +.Op Fl r Ar sample_rate_hz .Sh DESCRIPTION The .Nm -utility is used to playback a beep on the soundcard. +utility is used to play a beep on the sound card. .Pp The options are as follows: -.Bl -tag -width "-f device" -.It Fl F -Sets the center frequency of the beep in Hz. -The default is 440 Hz . -.It Fl D -Sets the duration of the beep in milliseconds. -The default is 150 ms . -.It Fl d -Sets the soundcard to use. -The default is /dev/dsp . -.It Fl r -Sets the soundcard samplerate in Hz. -The default is 48000 Hz. -.It Fl g -Sets the waveform gain, between 0 and 100 inclusively. -The default is 75. +.Bl -tag -width "-r sample_rate_hz" .It Fl B Runs the .Nm utility in the background. +.It Fl D Ar duration_ms +Sets the duration of the beep in milliseconds, +between 50\~ms and 2000\~ms inclusively. +The default is 150\~ms. +.It Fl F Ar frequency_hz +Sets the center frequency of the beep in Hz. +The default is 440\~Hz. +.It Fl d Ar oss_device +Sets the OSS device to use. +The default is +.Pa /dev/dsp . +.It Fl g Ar gain +Sets the waveform gain, between 0 and 100 inclusively. +The default is 75. .It Fl h Display summary of options. +.It Fl r Ar sample_rate_hz +Sets the sound card sample rate in Hz, +between 8000\~Hz and 48000\~Hz inclusively. +The default is 48000\~Hz. .El .Sh EXAMPLES -.Pp -Playback default beep sound using /dev/dsp . +Play default beep sound on +.Pa /dev/dsp : .Bl -tag -width Ds -offset indent .It $ beep .El 
@@ -77,6 +79,7 @@ Playback default beep sound using /dev/dsp . .Sh HISTORY The .Nm -utility first appeared in FreeBSD 14.0. +utility first appeared in +.Fx 14.0 . .Sh AUTHORS .An Hans Petter Selasky Aq Mt hselasky@FreeBSD.org diff --git a/usr.bin/beep/beep.c b/usr.bin/beep/beep.c index 9d274770ad75..d16ad5b699c3 100644 --- a/usr.bin/beep/beep.c +++ b/usr.bin/beep/beep.c @@ -133,20 +133,21 @@ wave_function_16(float phase, float power) static void usage(void) { - fprintf(stderr, "Usage: %s [parameters]\n" - "\t" "-F <frequency in HZ, default %d Hz>\n" + fprintf(stderr, "Usage: %s [-Bh] [-D duration_ms] [-F frequency_hz] " + "[-d oss_device] [-g gain] [-r sample_rate_hz]\n" + "\t" "-B Run in background\n" "\t" "-D <duration in ms, from %d ms to %d ms, default %d ms>\n" - "\t" "-r <sample rate in HZ, from %d Hz to %d Hz, default %d Hz>\n" - "\t" "-d <OSS device (default %s)>\n" + "\t" "-F <frequency in Hz, default %d Hz>\n" + "\t" "-d <OSS device, default %s>\n" "\t" "-g <gain from %d to %d, default %d>\n" - "\t" "-B Run in background\n" - "\t" "-h Show usage\n", + "\t" "-h Show usage\n" + "\t" "-r <sample rate in Hz, from %d Hz to %d Hz, default %d Hz>\n", getprogname(), - DEFAULT_HZ, DURATION_MIN, DURATION_MAX, DURATION_DEF, - SAMPLE_RATE_MIN, SAMPLE_RATE_MAX, SAMPLE_RATE_DEF, + DEFAULT_HZ, DEFAULT_DEVICE, - GAIN_MIN, GAIN_MAX, GAIN_DEF); + GAIN_MIN, GAIN_MAX, GAIN_DEF, + SAMPLE_RATE_MIN, SAMPLE_RATE_MAX, SAMPLE_RATE_DEF); exit(1); } diff --git a/usr.bin/mdo/mdo.c b/usr.bin/mdo/mdo.c index 3eb5d4e5c23f..879423bc0128 100644 --- a/usr.bin/mdo/mdo.c +++ b/usr.bin/mdo/mdo.c 
@@ -753,8 +753,14 @@ main(int argc, char **argv) */ setcred_flags |= SETCREDF_SUPP_GROUPS; } - } else if (supp_groups_str == NULL && (supp_mod_str == NULL || - supp_mod_str[0] != '@')) { + } else if (supp_groups_str == NULL && supp_mod_str != NULL && + supp_mod_str[0] != '@') { + /* + * We do not need to determine the current groups if, as for the + * '!start_from_current_groups' case, we are going to replace + * them entirely, but here also if we do not amend them at all + * (because they are by definition already in place). + */ const int ngroups = getgroups(0, NULL); if (ngroups > 0) { diff --git a/usr.sbin/bhyve/net_backend_slirp.c b/usr.sbin/bhyve/net_backend_slirp.c index c98e54b2ee88..f2b483c5e314 100644 --- a/usr.sbin/bhyve/net_backend_slirp.c +++ b/usr.sbin/bhyve/net_backend_slirp.c @@ -73,11 +73,12 @@ struct slirp_priv { struct mevent *mevp; }; +extern char **environ; + static int slirp_init(struct net_backend *be, const char *devname __unused, nvlist_t *nvl, net_be_rxeof_t cb, void *param) { - extern char **environ; struct slirp_priv *priv = NET_BE_PRIV(be); nvlist_t *config; posix_spawn_file_actions_t fa; diff --git a/usr.sbin/bhyve/slirp/slirp-helper.c b/usr.sbin/bhyve/slirp/slirp-helper.c index ee62dd212369..06f393aab724 100644 --- a/usr.sbin/bhyve/slirp/slirp-helper.c +++ b/usr.sbin/bhyve/slirp/slirp-helper.c @@ -548,6 +548,11 @@ main(int argc, char **argv) priv.slirp = slirp; /* + * Drop root privileges if we have them. + */ + drop_privs(); + + /* * In restricted mode, we can enter a Capsicum sandbox without losing * functionality. */ @@ -555,11 +560,6 @@ main(int argc, char **argv) err(1, "caph_enter"); /* - * Drop root privileges if we have them. - */ - drop_privs(); - - /* * Enter our main loop. If bhyve goes away, we should observe a hangup * on the socket and exit. */ diff --git a/usr.sbin/fdread/fdread.c b/usr.sbin/fdread/fdread.c index ee8548699783..02dbaf98da8c 100644 --- a/usr.sbin/fdread/fdread.c +++ b/usr.sbin/fdread/fdread.c 
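Review bot: In slirp-helper.c the reordering in main() makes `drop_privs()` run before `caph_enter()`, but neither comment says the order is required, so a later cleanup could swap the two blocks back. drop_privs() is not part of the diff; presumably it needs lookups or system calls that are unavailable once the process is in capability mode, and that reason belongs in the comment, e.g. `Drop root privileges if we have them. This must precede caph_enter(): <reason>.` It would also be worth confirming that a failure inside drop_privs() terminates the helper rather than letting it continue as root, which cannot be checked from this hunk. main() starts and ends outside the hunk.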
@@ -275,12 +275,13 @@ doread(int fd, FILE *of, const char *_devname) errx(EX_OSERR, "unexpected read() result: %d", rv); } + continue; } if ((unsigned)rv < tracksize) { /* should not happen */ nbytes += rv; if (!quiet) - fprintf(stderr, "\nshort after %5d KB\r", + fprintf(stderr, "\nshort after %5d KB\n", nbytes / 1024); fwrite(trackbuf, sizeof(unsigned char), rv, of); fflush(of); diff --git a/usr.sbin/fstyp/Makefile b/usr.sbin/fstyp/Makefile index c1f812cb5b97..02fb9030ab1f 100644 --- a/usr.sbin/fstyp/Makefile +++ b/usr.sbin/fstyp/Makefile @@ -26,12 +26,12 @@ IGNORE_PRAGMA= YES CFLAGS+= -DHAVE_ZFS CFLAGS.zfs.c+= -DIN_BASE -CFLAGS.zfs.c+= -I${SRCTOP}/sys/contrib/openzfs/include -CFLAGS.zfs.c+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include -CFLAGS.zfs.c+= -I${SRCTOP}/sys/contrib/openzfs/lib/libspl/include/os/freebsd -CFLAGS.zfs.c+= -I${SRCTOP}/sys/contrib/openzfs/lib/libzpool/include -CFLAGS.zfs.c+= -I${SRCTOP}/sys/contrib/openzfs/module/icp/include -CFLAGS.zfs.c+= -include ${SRCTOP}/sys/contrib/openzfs/include/os/freebsd/spl/sys/ccompile.h +CFLAGS.zfs.c+= -I${ZFSTOP}/include +CFLAGS.zfs.c+= -I${ZFSTOP}/lib/libspl/include +CFLAGS.zfs.c+= -I${ZFSTOP}/lib/libspl/include/os/freebsd +CFLAGS.zfs.c+= -I${ZFSTOP}/lib/libzpool/include +CFLAGS.zfs.c+= -I${ZFSTOP}/module/icp/include +CFLAGS.zfs.c+= -include ${ZFSTOP}/include/os/freebsd/spl/sys/ccompile.h CFLAGS.zfs.c+= -DHAVE_ISSETUGID CFLAGS.zfs.c+= -include ${SRCTOP}/sys/modules/zfs/zfs_config.h CFLAGS.zfs.c+= -Wno-cast-qual |
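Review bot: In the short-read branch of doread() the results of `fwrite()` and `fflush()` are ignored, so a full or failing output file produces a silently truncated image even though `nbytes` has already been advanced by `rv`. Checking the count would surface that, e.g. `if (fwrite(trackbuf, sizeof(unsigned char), rv, of) != (size_t)rv) err(EX_OSERR, "cannot write output");`. doread() starts and ends outside the hunk, so the same check may be needed on the full-track write that is not shown.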
