HardenedBSD Services pushed to branch hardened/15-stable/main at HardenedBSD / HardenedBSD
Commits:
04190ace by Jason A. Harmening at 2025-12-26T00:32:47-06:00
vnode_if.src: fix function name in locking annotation
getwritevnode->getlowvnode
Reviewed by: kib, olce
Tested by: pho
Differential Revision: https://reviews.freebsd.org/D53988
(cherry picked from commit 38d60d453caad0f7377946d69d05d9421323f23f)
- - - - -
177e0097 by Jason A. Harmening at 2025-12-26T00:34:13-06:00
unionfs: Implement VOP_GETLOWVNODE
This function returns the vnode that will be used to resolve the
access type specified in the 'flags' argument, and is useful for
optimal behavior of vn_copy_file_range(). While most filesystems
can simply use the default implementation which returns the passed-
in vnode, unionfs (like nullfs) ideally should resolve the access
request to whichever base layer vnode will be used for the I/O.
For unionfs, write accesses must be resolved through the upper vnode,
while read accesses will be resolved through the upper vnode if
present or the lower vnode otherwise. Provide a simple
unionfs_getlowvnode() implementation that reflects this policy.
Reviewed by: kib, olce
Tested by: pho
Differential Revision: https://reviews.freebsd.org/D53988
(cherry picked from commit 5c025978fc3649730329994eecc56ada119e6717)
- - - - -
da6f3951 by Jason A. Harmening at 2025-12-26T00:38:06-06:00
unionfs: detect common deadlock-producing mount misconfigurations
When creating a unionfs mount, it's fairly easy to shoot oneself
in the foot by specifying upper and lower file hierarchies that
resolve back to the same vnodes. This is fairly easy to do if
the sameness is not obvious due to aliasing through nullfs or other
unionfs mounts (as in the associated PR), and will produce either
deadlock or failed locking assertions on any attempt to use the
resulting unionfs mount.
Leverage VOP_GETLOWVNODE() to detect the most common cases of
foot-shooting at mount time and fail the mount with EDEADLK.
This is not meant to be an exhaustive check for all possible
deadlock-producing scenarios, but it is an extremely cheap and
simple approach that, unlike previous proposed fixes, also works
in the presence of nullfs aliases.
PR: 172334
Reported by: ngie, Karlo Miličević <karl...@gmail.com>
Reviewed by: kib, olce
Tested by: pho
Differential Revision: https://reviews.freebsd.org/D53988
(cherry picked from commit 0247b4018de2c341ac59a585362c10044cea86ad)
- - - - -
535fac0b by Michael Osipov at 2025-12-26T11:47:46+01:00
bhyve.8: Fix consistency and terms in manpage
Correct inconsistent spelling of terms and duplication.
Reviewed by: ziaee
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D54332
(cherry picked from commit 5819f8b285fc55a75e5dea56ffe73b376525150c)
- - - - -
7703c663 by HardenedBSD Sync Services at 2025-12-26T06:00:48-07:00
Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
- - - - -
6 changed files:
- sys/fs/unionfs/union_vfsops.c
- sys/fs/unionfs/union_vnops.c
- sys/kern/vfs_default.c
- sys/kern/vnode_if.src
- sys/sys/vnode.h
- usr.sbin/bhyve/bhyve.8
Changes:
=====================================
sys/fs/unionfs/union_vfsops.c
=====================================
@@ -73,6 +73,8 @@ unionfs_domount(struct mount *mp)
{
struct vnode *lowerrootvp;
struct vnode *upperrootvp;
+ struct vnode *lvp1;
+ struct vnode *lvp2;
struct unionfs_mount *ump;
char *target;
char *tmp;
@@ -276,11 +278,32 @@ unionfs_domount(struct mount *mp)
*/
VOP_UNLOCK(ump->um_uppervp);
+ /*
+ * Detect common cases in which constructing a unionfs hierarchy
+ * would produce deadlock (or failed locking assertions) upon
+ * use of the resulting unionfs vnodes. This typically happens
+ * when the requested upper and lower filesytems (which themselves
+ * may be unionfs instances and/or nullfs aliases) end up resolving
+ * to the same base-layer files. Note that this is not meant to be
+ * an exhaustive check of all possible deadlock-producing scenarios.
+ */
+ lvp1 = lvp2 = NULL;
+ VOP_GETLOWVNODE(ump->um_lowervp, &lvp1, FREAD);
+ VOP_GETLOWVNODE(ump->um_uppervp, &lvp2, FREAD);
+ if (lvp1 != NULL && lvp1 == lvp2)
+ error = EDEADLK;
+ if (lvp1 != NULL)
+ vrele(lvp1);
+ if (lvp2 != NULL)
+ vrele(lvp2);
+
/*
* Get the unionfs root vnode.
*/
- error = unionfs_nodeget(mp, ump->um_uppervp, ump->um_lowervp,
- NULLVP, &(ump->um_rootvp), NULL);
+ if (error == 0) {
+ error = unionfs_nodeget(mp, ump->um_uppervp, ump->um_lowervp,
+ NULL, &(ump->um_rootvp), NULL);
+ }
if (error != 0) {
vrele(upperrootvp);
free(ump, M_UNIONFSMNT);
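Review bot: typo in the new comment, `filesytems` should be `filesystems`. Two further points on this hunk: the return values of both `VOP_GETLOWVNODE()` calls are discarded, which is only safe because `lvp1`/`lvp2` are pre-set to NULL and the comparison is skipped when either stays NULL; a one-line comment stating that would stop a later reader from "fixing" it. Also, `unionfs_nodeget()` is now gated on `if (error == 0)`, so the hunk relies on `error` already being zero here from the earlier option parsing, whereas the old unconditional assignment did not; please confirm no earlier path leaves a stale non-zero `error`.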
=====================================
sys/fs/unionfs/union_vnops.c
=====================================
@@ -2115,6 +2115,49 @@ unionfs_getwritemount(struct vop_getwritemount_args *ap)
return (error);
}
+static int
+unionfs_getlowvnode(struct vop_getlowvnode_args *ap)
+{
+ struct unionfs_node *unp;
+ struct vnode *vp, *basevp;
+
+ vp = ap->a_vp;
+ VI_LOCK(vp);
+ unp = VTOUNIONFS(vp);
+ if (unp == NULL) {
+ VI_UNLOCK(vp);
+ return (EBADF);
+ }
+
+ if (ap->a_flags & FWRITE) {
+ basevp = unp->un_uppervp;
+ /*
+ * If write access is being requested, we expect the unionfs
+ * vnode has already been opened for write access and thus any
+ * necessary copy-up has already been performed. Return an
+ * error if that expectation is not met and an upper vnode has
+ * not been instantiated. We could proactively do a copy-up
+ * here, but that would require additional locking as well as
+ * the addition of a 'cred' argument to VOP_GETLOWVNODE().
+ */
+ if (basevp == NULL) {
+ VI_UNLOCK(vp);
+ return (EACCES);
+ }
+ } else {
+ basevp = (unp->un_uppervp != NULL) ?
+ unp->un_uppervp : unp->un_lowervp;
+ }
+
+ VNASSERT(basevp != NULL, vp, ("%s: no upper/lower vnode", __func__));
+
+ vholdnz(basevp);
+ VI_UNLOCK(vp);
+ VOP_GETLOWVNODE(basevp, ap->a_vplp, ap->a_flags);
+ vdrop(basevp);
+ return (0);
+}
+
static int
unionfs_inactive(struct vop_inactive_args *ap)
{
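Review bot: the return value of `VOP_GETLOWVNODE(basevp, ap->a_vplp, ap->a_flags)` is dropped and the function always returns 0, so if the base-layer call fails (a lower nullfs or unionfs vnode can return EACCES or EBADF exactly as this function does), the caller is told success with `*ap->a_vplp` left unset. Suggest `error = VOP_GETLOWVNODE(basevp, ap->a_vplp, ap->a_flags); vdrop(basevp); return (error);`. A short comment on why a reclaimed node (`unp == NULL`) yields EBADF, matching the explained EACCES case, would also help.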
@@ -3010,6 +3053,7 @@ struct vop_vector unionfs_vnodeops = {
.vop_getattr = unionfs_getattr,
.vop_getextattr = unionfs_getextattr,
.vop_getwritemount = unionfs_getwritemount,
+ .vop_getlowvnode = unionfs_getlowvnode,
.vop_inactive = unionfs_inactive,
.vop_need_inactive = vop_stdneed_inactive,
.vop_islocked = vop_stdislocked,
@@ -3049,5 +3093,6 @@ struct vop_vector unionfs_vnodeops = {
.vop_unp_bind = unionfs_unp_bind,
.vop_unp_connect = unionfs_unp_connect,
.vop_unp_detach = unionfs_unp_detach,
+ .vop_copy_file_range = vop_stdcopy_file_range,
};
VFS_VOP_VECTOR_REGISTER(unionfs_vnodeops);
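Review bot: the new `.vop_copy_file_range = vop_stdcopy_file_range` entry is not covered by the commit message, which only describes `unionfs_getlowvnode()`; since adding it is also why `vop_stdcopy_file_range` is exported from `vfs_default.c` and prototyped in `vnode.h` in this same commit, please add a sentence explaining why unionfs needs the explicit entry rather than the default vector handling.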
=====================================
sys/kern/vfs_default.c
=====================================
@@ -77,7 +77,6 @@ static int dirent_exists(struct vnode *vp, const char *dirname,
static int vop_stdis_text(struct vop_is_text_args *ap);
static int vop_stdunset_text(struct vop_unset_text_args *ap);
static int vop_stdadd_writecount(struct vop_add_writecount_args *ap);
-static int vop_stdcopy_file_range(struct vop_copy_file_range_args *ap);
static int vop_stdfdatasync(struct vop_fdatasync_args *ap);
static int vop_stdgetpages_async(struct vop_getpages_async_args *ap);
static int vop_stdread_pgcache(struct vop_read_pgcache_args *ap);
@@ -1426,7 +1425,7 @@ vfs_stdnosync(struct mount *mp, int waitfor)
return (0);
}
-static int
+int
vop_stdcopy_file_range(struct vop_copy_file_range_args *ap)
{
int error;
=====================================
sys/kern/vnode_if.src
=====================================
@@ -469,7 +469,7 @@ vop_getwritemount {
OUT struct mount **mpp;
};
-%% getwritevnode vp = = =
+%% getlowvnode vp = = =
vop_getlowvnode {
IN struct vnode *vp;
=====================================
sys/sys/vnode.h
=====================================
@@ -915,6 +915,7 @@ int vop_stdunp_bind(struct vop_unp_bind_args *ap);
int vop_stdunp_connect(struct vop_unp_connect_args *ap);
int vop_stdunp_detach(struct vop_unp_detach_args *ap);
int vop_stdadd_writecount_nomsync(struct vop_add_writecount_args *ap);
+int vop_stdcopy_file_range(struct vop_copy_file_range_args *ap);
int vop_eopnotsupp(struct vop_generic_args *ap);
int vop_ebadf(struct vop_generic_args *ap);
int vop_einval(struct vop_generic_args *ap);
=====================================
usr.sbin/bhyve/bhyve.8
=====================================
@@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd October 28, 2025
+.Dd December 23, 2025
.Dt BHYVE 8
.Os
.Sh NAME
@@ -224,7 +224,7 @@ This specification only works when loaded with UEFI mode for VNC.
When using a VNC client that supports QEMU Extended Key Event Message (e.g.
TigerVNC), this option isn't needed.
When using a VNC client that doesn't support QEMU Extended Key Event Message
-(e.g. tightVNC), the layout defaults to the US keyboard unless specified
+(e.g. TightVNC), the layout defaults to the US keyboard unless specified
otherwise.
.It Fl l Cm help
Print a list of supported LPC devices.
@@ -486,7 +486,7 @@ PCI 16550 serial device.
.It Cm lpc
LPC PCI-ISA bridge with COM1, COM2, COM3, and COM4 16550 serial ports,
a boot ROM, and,
-optionally, a TPM module, a fwcfg type, and the debug/test device.
+optionally, a TPM module, a fw_cfg type, and the debug/test device.
The LPC bridge emulation can only be configured on bus 0.
.It Cm fbuf
Raw framebuffer device attached to VNC server.
@@ -636,10 +636,10 @@ Disable emulation of guest trim requests via
.Dv DIOCGDELETE
requests.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or doesn't support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Ss SCSI device backends
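Review bot: `The guest firmware may ignore or doesn't support this fw_cfg file.` is still ungrammatical; the SCSI device paragraph in this same commit changes the equivalent line to `may ignore or not support`, so this paragraph should use the same wording, given that consistency is the stated aim of the commit.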
@@ -658,10 +658,10 @@ are:
Initiator ID to use when sending requests to specified CTL port.
The default value is 0.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or not support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Ss 9P device backends
@@ -691,10 +691,11 @@ Use the host TTY device for serial port I/O.
.It Ar tcp=ip:port
Use the TCP server for serial port I/O.
Configuring this option will start a TCP server that waits for connections.
-Only one connection is allowed at any time. Other connection try to connect
-to TCP server will be disconnected immediately. Note that this feature
-allows unprivileged users to access the guest console, so ensure that
-access is appropriately restricted.
+Only one connection is allowed at any time.
+The TCP server will immediately close new connections while an existing
+connection is active.
+Note that this feature allows unprivileged users to access the guest console,
+so ensure that access is appropriately restricted.
.El
.Ss TPM device backends
.Bl -bullet
@@ -753,10 +754,10 @@ is provided, that file is also mapped in the boot firmware guest
address space, and any modifications the guest makes will be saved
to that file.
.Pp
-Fwcfg types:
+fw_cfg types:
.Bl -tag -width 10n
.It Ar fwcfg
-The fwcfg interface is used to pass information such as the CPU count
+The fw_cfg interface is used to pass information such as the CPU count
or ACPI tables to the guest firmware.
Supported values are
.Ql bhyve
@@ -771,13 +772,13 @@ is used, bhyve's fwctl interface is used.
It currently reports only the CPU count to the guest firmware.
The
.Ql qemu
-option uses QEMU's fwcfg interface.
+option uses QEMU's fw_cfg interface.
This interface is widely used and allows user-defined information to
be passed to the guest.
It is used for passing the CPU count, ACPI tables, a boot order and
many other things to the guest.
Some operating systems such as Fedora CoreOS can be configured by
-qemu's fwcfg interface as well.
+QEMU's fw_cfg interface as well.
.El
.Ss Pass-through device backends
.Sm off
@@ -813,10 +814,10 @@ as option ROM to the PCI device.
The ROM will be loaded by firmware and should be capable of
initializing the device.
.It Li bootindex= Ns Ar index
-Add the device to the bootorder at
+Add the device to the boot order at
.Ar index .
-A fwcfg file is used to specify the bootorder.
-The guest firmware may ignore or doesn't support this fwcfg file.
+A fw_cfg file is used to specify the boot order.
+The guest firmware may ignore or doesn't support this fw_cfg file.
In that case, this feature doesn't work as expected.
.El
.Pp
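Review bot: same inconsistency as the virtio-blk paragraph: `may ignore or doesn't support this fw_cfg file` should read `may ignore or not support`, matching the SCSI device paragraph changed in this commit.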
@@ -824,7 +825,7 @@ Guest memory must be wired using the
.Fl S
option when a pass-through device is configured.
.Pp
-The host device must have been reserved at boot-time using the
+The host device must have been reserved at boot time using the
.Va pptdevs
loader variable as described in
.Xr vmm 4 .
@@ -920,7 +921,7 @@ standard PCI devices with BAR addressing, but may also
implicitly decode legacy VGA I/O space
.Pq Ad 0x3c0-3df
and memory space
-.Pq 64KB at Ad 0xA0000 .
+.Pq 64 KiB at Ad 0xA0000 .
The default
.Cm io
option should be used for guests that attempt to issue BIOS calls which result
@@ -1005,7 +1006,7 @@ Serial number with maximum 20 characters.
.It Cm eui64
IEEE Extended Unique Identifier (8 byte value).
.It Cm dsm
-DataSet Management support.
+Dataset Management support.
Supported values are:
.Cm auto , enable ,
and
@@ -1027,14 +1028,15 @@ Configuration options are defined as follows:
.Bl -tag -width 10n
.It Cm nmrr
Nominal Media Rotation Rate, known as RPM.
-Value 1 will indicate device as Solid State Disk.
-Default value is 0, not report.
+A value of 1 indicates that the device is a solid state drive, i.e.,
+non-rotational.
+Default value is 0.
.It Cm ser
-Serial Number with maximum 20 characters.
+Serial number with maximum 20 characters.
.It Cm rev
-Revision Number with maximum 8 characters.
+Revision number with maximum 8 characters.
.It Cm model
-Model Number with maximum 40 characters.
+Model number with maximum 40 characters.
.El
.Ss HD Audio device backends
.Bl -bullet
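Review bot: the rewrite of the `nmrr` text drops the information carried by the old `not report`, namely that a value of 0 means the rotation rate is not reported to the guest; suggest `Default value is 0, meaning the rotation rate is not reported.`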
@@ -1158,7 +1160,7 @@ or a similar boot loader before
can be run.
Otherwise, the boot loader is not needed.
.Pp
-To run a virtual machine with 1GB of memory, two virtual CPUs, a virtio
+To run a virtual machine with 1 GiB of memory, two virtual CPUs, a virtio
block device backed by the
.Pa /my/image
filesystem image, and a serial port for the console:
@@ -1169,11 +1171,11 @@ bhyve -c 2 -s 0,hostbridge -s 1,lpc -s 2,virtio-blk,/my/image \\
.Pp
To do the same on arm64:
.Bd -literal -offset indent
-.Ed
bhyve -c 2 -s 0,hostbridge -s 1,virtio-blk,/my/image -o console=stdio \\
-o bootrom=/usr/local/share/u-boot/u-boot-bhyve-arm64/u-boot.bin -m 1G vm1
+.Ed
.Pp
-Run a 24GB single-CPU virtual machine with three network ports, one of which
+Run a 24 GiB single-CPU virtual machine with three network ports, one of which
has a MAC address specified:
.Bd -literal -offset indent
bhyve -s 0,hostbridge -s 1,lpc -s 2:0,virtio-net,tap0 \\
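Review bot: moving `.Ed` from before the arm64 command to after it fixes a misplaced macro that closed the literal block before the example text, which is a rendering fix rather than a spelling or terminology change; worth a line in the commit message, since "Correct inconsistent spelling of terms and duplication" does not cover it.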
@@ -1183,7 +1185,7 @@ bhyve -s 0,hostbridge -s 1,lpc -s 2:0,virtio-net,tap0 \\
-H -P -m 24G bigvm
.Ed
.Pp
-Run an 8GB quad-CPU virtual machine with 8 AHCI SATA disks, an AHCI ATAPI
+Run an 8 GiB quad-CPU virtual machine with 8 AHCI SATA disks, an AHCI ATAPI
CD-ROM, a single virtio network port, an AMD hostbridge, and the console
port connected to an
.Xr nmdm 4
View it on GitLab:
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD/-/compare/b49ac18c90ad49ca1a9164216cae29ba863abbd1...7703c663bc00bb1a89e9d6a80f7fa96286b7aa93