Re: TSC synchronization on MP machines
/*
* Version of https://marc.info/?l=openbsd-tech&m=155978126517159&w=2
* without non-breaking spaces, thus appeasing -Wunicode-whitespace.
*/
#include
#include
#include
#include
int
main(void)
{
int r;
struct timespec tp1, tp2, tout;
tout.tv_sec = 0;
tout.tv_nsec = 10;
for (;;) {
r = clock_gettime(CLOCK_MONOTONIC, &tp1);
if (r == -1) {
perror("clock_gettime");
exit(-1);
}
nanosleep(&tout, NULL);
r = clock_gettime(CLOCK_MONOTONIC, &tp2);
if (r == -1) {
perror("clock_gettime");
exit(-1);
}
// tp1 should never be larger than tp2
r = timespeccmp(&tp1, &tp2, >);
if (r == 1) {
printf("timespeccmp failed\n");
printf("tp1 s:%lld n:%ld\n", tp1.tv_sec, tp1.tv_nsec);
printf("tp2 s:%lld n:%ld\n", tp2.tv_sec, tp2.tv_nsec);
exit(-1);
}
}
return 0;
}
Re: TSC synchronization on MP machines
> There is another test program flying around the mailing lists I guess, > but I could not locate it now so if someone is kind enough to reply with > the code, that would be lovely! I think this is the program you're looking for: https://marc.info/?l=openbsd-tech&m=155978126517159&w=2
Re: TSC synchronization on MP machines
Hi,
Here is a fourth diff addressing all the issues so far, that have been
mainly pointed out by kettenis@, thanks!
Changes:
- stop resetting the observed drift as it does not affect tsc
re-initialization on resume, thus removing all changes from
acpi_machdep.c
- fix comment and put a temporary pretty printf of resume
- rename cpu_cc_skew to ci_tsc_skew
- remove unfinished code using MSR_TSC for synchronization (to
be added later on together with the missing IA32_TSC_ADJUST
wrmsr commands)
All other technical issues were discussed and settled in private and
require no change to the former diff.
For testing you can also use the regress test after booting with tsc as
default clock and waiting for an hour or so to let the clocks go wild:
# cd /usr/src/regress/sys/kern/clock_gettime
# make regress
There is another test program flying around the mailing lists I guess,
but I could not locate it now so if someone is kind enough to reply with
the code, that would be lovely!
Paul
Index: arch/amd64/amd64/cpu.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/cpu.c,v
retrieving revision 1.137
diff -u -p -u -p -r1.137 cpu.c
--- arch/amd64/amd64/cpu.c 28 May 2019 18:17:01 - 1.137
+++ arch/amd64/amd64/cpu.c 6 Aug 2019 20:19:27 -
@@ -754,6 +754,10 @@ cpu_init(struct cpu_info *ci)
cr4 = rcr4();
lcr4(cr4 & ~CR4_PGE);
lcr4(cr4);
+
+ /* Synchronize TSC */
+ if (cold && !CPU_IS_PRIMARY(ci))
+ tsc_sync_ap(ci);
#endif
}
@@ -808,6 +812,7 @@ void
cpu_start_secondary(struct cpu_info *ci)
{
int i;
+ u_long s;
ci->ci_flags |= CPUF_AP;
@@ -828,6 +833,18 @@ cpu_start_secondary(struct cpu_info *ci)
printf("dropping into debugger; continue from here to resume
boot\n");
db_enter();
#endif
+ } else {
+ /*
+* Synchronize time stamp counters. Invalidate cache and
+* synchronize twice (in tsc_sync_bp) to minimize possible
+* cache effects. Disable interrupts to try and rule out any
+* external interference.
+*/
+ s = intr_disable();
+ wbinvd();
+ tsc_sync_bp(ci);
+ intr_restore(s);
+ printf("TSC skew=%lld\n", (long long)ci->ci_tsc_skew);
}
if ((ci->ci_flags & CPUF_IDENTIFIED) == 0) {
@@ -852,6 +869,8 @@ void
cpu_boot_secondary(struct cpu_info *ci)
{
int i;
+ int64_t drift;
+ u_long s;
atomic_setbits_int(&ci->ci_flags, CPUF_GO);
@@ -864,6 +883,17 @@ cpu_boot_secondary(struct cpu_info *ci)
printf("dropping into debugger; continue from here to resume
boot\n");
db_enter();
#endif
+ } else if (cold) {
+ /* Synchronize TSC again, check for drift. */
+ drift = ci->ci_tsc_skew;
+ s = intr_disable();
+ wbinvd();
+ tsc_sync_bp(ci);
+ intr_restore(s);
+ drift -= ci->ci_tsc_skew;
+ printf("TSC skew=%lld drift=%lld\n",
+ (long long)ci->ci_tsc_skew, (long long)drift);
+ tsc_sync_drift(drift);
}
}
@@ -888,7 +918,14 @@ cpu_hatch(void *v)
panic("%s: already running!?", ci->ci_dev->dv_xname);
#endif
+ /*
+* Synchronize the TSC for the first time. Note that interrupts are
+* off at this point.
+*/
+ wbinvd();
ci->ci_flags |= CPUF_PRESENT;
+ ci->ci_tsc_skew = 0;/* reset on resume */
+ tsc_sync_ap(ci);
lapic_enable();
lapic_startclock();
Index: arch/amd64/amd64/tsc.c
===
RCS file: /cvs/src/sys/arch/amd64/amd64/tsc.c,v
retrieving revision 1.11
diff -u -p -u -p -r1.11 tsc.c
--- arch/amd64/amd64/tsc.c 6 Jun 2019 19:43:35 - 1.11
+++ arch/amd64/amd64/tsc.c 6 Aug 2019 20:19:27 -
@@ -1,8 +1,10 @@
/* $OpenBSD: tsc.c,v 1.11 2019/06/06 19:43:35 kettenis Exp $ */
/*
+ * Copyright (c) 2008 The NetBSD Foundation, Inc.
* Copyright (c) 2016,2017 Reyk Floeter
* Copyright (c) 2017 Adam Steen
* Copyright (c) 2017 Mike Belopuhov
+ * Copyright (c) 2019 Paul Irofti
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -20,6 +22,7 @@
#include
#include
#include
+#include
#include
#include
@@ -33,6 +36,12 @@ int tsc_recalibrate;
uint64_t tsc_frequency;
inttsc_is_invariant;
+int64_ttsc_drift_max = 250;/* max cycles */
+int64_ttsc_drift_observed;
+
+volatile int64_t tsc_sync_val;
+volatile struct cpu_info *tsc_sync_cpu;
+
u
Re: unveil pathname pool
On Tue, Aug 06, 2019 at 06:57:49AM +0200, Sebastien Marie wrote:
> On Mon, Aug 05, 2019 at 07:21:22PM +0200, Alexander Bluhm wrote:
> > unveil(2) allocates 1024 bytes on the stack. That is a lot. Better
> > use namei pool like sys___realpath() does.
>
> There is a missing pool_put() in early return.
>
>999 #ifdef KTRACE
> 1000 if (KTRPOINT(p, KTR_STRUCT))
> 1001 ktrstruct(p, "unveil", permissions,
> strlen(permissions));
> 1002 #endif
> 1003 if (pathlen < 2)
> 1004 return EINVAL;
>
> else it seems fine.
>
> ok semarie@ with that added.
oops, how could I miss that?
Perhaps a goto end is nicer then. sys___realpath does that also.
ok?
bluhm
Index: kern/vfs_syscalls.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.332
diff -u -p -r1.332 vfs_syscalls.c
--- kern/vfs_syscalls.c 5 Aug 2019 23:28:55 - 1.332
+++ kern/vfs_syscalls.c 6 Aug 2019 19:47:29 -
@@ -975,7 +975,7 @@ sys_unveil(struct proc *p, void *v, regi
syscallarg(const char *) path;
syscallarg(const char *) permissions;
} */ *uap = v;
- char pathname[MAXPATHLEN], *c;
+ char *pathname, *c;
struct nameidata nd;
size_t pathlen;
char permissions[5];
@@ -992,17 +992,20 @@ sys_unveil(struct proc *p, void *v, regi
error = copyinstr(SCARG(uap, permissions), permissions,
sizeof(permissions), NULL);
if (error)
- return(error);
- error = copyinstr(SCARG(uap, path), pathname, sizeof(pathname),
&pathlen);
+ return (error);
+ pathname = pool_get(&namei_pool, PR_WAITOK);
+ error = copyinstr(SCARG(uap, path), pathname, MAXPATHLEN, &pathlen);
if (error)
- return(error);
+ goto end;
#ifdef KTRACE
if (KTRPOINT(p, KTR_STRUCT))
ktrstruct(p, "unveil", permissions, strlen(permissions));
#endif
- if (pathlen < 2)
- return EINVAL;
+ if (pathlen < 2) {
+ error = EINVAL;
+ goto end;
+ }
/* find root "/" or "//" */
for (c = pathname; *c != '\0'; c++) {
@@ -1019,7 +1022,7 @@ sys_unveil(struct proc *p, void *v, regi
nd.ni_pledge = PLEDGE_UNVEIL;
if ((error = namei(&nd)) != 0)
- goto end;
+ goto ndfree;
/*
* XXX Any access to the file or directory will allow us to
@@ -1059,8 +1062,10 @@ sys_unveil(struct proc *p, void *v, regi
vrele(nd.ni_dvp);
pool_put(&namei_pool, nd.ni_cnd.cn_pnbuf);
-end:
+ndfree:
unveil_free_traversed_vnodes(&nd);
+end:
+ pool_put(&namei_pool, pathname);
return (error);
}
bgpd properly implement RFC7607 (AS 0 processing)
Found while looking for something else. We did not fully implement RFC7607
the AGGREGATOR and AS4_AGGREGATOR could slip through a AS 0. This fixes
the issue. While there also change the check in parse.y to only allow AS 0
for templates (the only case where remote-as can be 0 aka uninitalized).
Last but not least, order the RFC by numbers.
OK?
--
:wq Claudio
Index: bgpd.8
===
RCS file: /cvs/src/usr.sbin/bgpd/bgpd.8,v
retrieving revision 1.60
diff -u -p -r1.60 bgpd.8
--- bgpd.8 4 Dec 2018 14:13:40 - 1.60
+++ bgpd.8 5 Aug 2019 17:06:51 -
@@ -353,16 +353,6 @@ control socket
.Re
.Pp
.Rs
-.%A W. Kumari
-.%A R. Bush
-.%A H. Schiller
-.%A K. Patel
-.%D August 2015
-.%R RFC 7607
-.%T Codification of AS 0 Processing
-.Re
-.Pp
-.Rs
.%A L. Blunk
.%A M. Karir
.%A C. Labovitz
@@ -378,6 +368,16 @@ control socket
.%D May 2012
.%R RFC 6608
.%T Subcodes for BGP Finite State Machine Error
+.Re
+.Pp
+.Rs
+.%A W. Kumari
+.%A R. Bush
+.%A H. Schiller
+.%A K. Patel
+.%D August 2015
+.%R RFC 7607
+.%T Codification of AS 0 Processing
.Re
.Pp
.Rs
Index: parse.y
===
RCS file: /cvs/src/usr.sbin/bgpd/parse.y,v
retrieving revision 1.397
diff -u -p -r1.397 parse.y
--- parse.y 5 Aug 2019 08:46:55 - 1.397
+++ parse.y 6 Aug 2019 09:39:56 -
@@ -4211,7 +4211,7 @@ neighbor_consistent(struct peer *p)
if (p->conf.enforce_local_as == ENFORCE_AS_UNDEF)
p->conf.enforce_local_as = ENFORCE_AS_ON;
- if (p->conf.remote_as == 0 && p->conf.enforce_as != ENFORCE_AS_OFF) {
+ if (p->conf.remote_as == 0 && !p->conf.template) {
yyerror("peer AS may not be zero");
return (-1);
}
Index: rde.c
===
RCS file: /cvs/src/usr.sbin/bgpd/rde.c,v
retrieving revision 1.481
diff -u -p -r1.481 rde.c
--- rde.c 5 Aug 2019 08:46:55 - 1.481
+++ rde.c 6 Aug 2019 15:36:04 -
@@ -1508,7 +1508,7 @@ rde_attr_parse(u_char *p, u_int16_t len,
struct bgpd_addr nexthop;
struct rde_aspath *a = &state->aspath;
u_char *op = p, *npath;
- u_int32_ttmp32;
+ u_int32_ttmp32, zero = 0;
int error;
u_int16_tattr_len, nlen;
u_int16_tplen = 0;
@@ -1682,12 +1682,25 @@ bad_flags:
t[0] = t[1] = 0;
UPD_READ(&t[2], p, plen, 2);
UPD_READ(&t[4], p, plen, 4);
+ if (memcmp(t, &zero, sizeof(u_int32_t)) == 0) {
+ /* As per RFC7606 use "attribute discard". */
+ log_peer_warnx(&peer->conf, "bad AGGREGATOR, "
+ "AS 0 not allowed, attribute discarded");
+ break;
+ }
if (attr_optadd(a, flags, type, t,
sizeof(t)) == -1)
goto bad_list;
break;
}
/* 4-byte ready server take the default route */
+ if (memcmp(p, &zero, sizeof(u_int32_t)) == 0) {
+ /* As per RFC7606 use "attribute discard" here. */
+ log_peer_warnx(&peer->conf, "bad AGGREGATOR, "
+ "AS 0 not allowed, attribute discarded");
+ plen += attr_len;
+ break;
+ }
goto optattr;
case ATTR_COMMUNITIES:
if (!CHECK_FLAGS(flags, ATTR_OPTIONAL|ATTR_TRANSITIVE,
@@ -1793,6 +1806,13 @@ bad_flags:
if (!CHECK_FLAGS(flags, ATTR_OPTIONAL|ATTR_TRANSITIVE,
ATTR_PARTIAL))
goto bad_flags;
+ if (memcmp(p, &zero, sizeof(u_int32_t)) == 0) {
+ /* As per RFC6793 use "attribute discard" here. */
+ log_peer_warnx(&peer->conf, "bad AS4_AGGREGATOR, "
+ "AS 0 not allowed, attribute discarded");
+ plen += attr_len;
+ break;
+ }
a->flags |= F_ATTR_AS4BYTE_NEW;
goto optattr;
case ATTR_AS4_PATH:
NSD 4.2.1
Here's an update to NSD 4.2.1 (we're currently at 4.1.7 so see entries
from 21 March onwards in changelog).
https://github.com/NLnetLabs/nsd/blob/NSD_4_2_1_REL/doc/ChangeLog
I haven't read it thoroughly yet but thought I'd send it out early to
save anyone doing duplicate work. (There is also 4.2.2rc1 now, with
some fixes relating to fuzzing done by fcambus@, I haven't looked at
that at all yet).
Index: config.h.in
===
RCS file: /cvs/src/usr.sbin/nsd/config.h.in,v
retrieving revision 1.29
diff -u -p -r1.29 config.h.in
--- config.h.in 30 Mar 2019 01:20:29 - 1.29
+++ config.h.in 6 Aug 2019 11:53:07 -
@@ -76,6 +76,14 @@
/* if time.h provides ctime_r prototype */
#undef HAVE_CTIME_R_PROTO
+/* Define to 1 if you have the declaration of `SSL_CTX_set_ecdh_auto', and to
+ 0 if you don't. */
+#undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO
+
+/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0
+ if you don't. */
+#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH
+
/* Define to 1 if you have the `dup2' function. */
#undef HAVE_DUP2
@@ -221,6 +229,9 @@
/* Define to 1 if you have the `OPENSSL_init_ssl' function. */
#undef HAVE_OPENSSL_INIT_SSL
+/* Define to 1 if you have the header file. */
+#undef HAVE_OPENSSL_OCSP_H
+
/* Define to 1 if you have the header file. */
#undef HAVE_OPENSSL_RAND_H
@@ -239,7 +250,7 @@
/* Define to 1 if you have the `pwrite' function. */
#undef HAVE_PWRITE
-/* Define to 1 if you have the `reallocarray' function. */
+/* If we have reallocarray(3) */
#undef HAVE_REALLOCARRAY
/* Define if recvmmsg is implemented */
@@ -281,6 +292,9 @@
/* Define if you have the SSL libraries installed. */
#undef HAVE_SSL
+/* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
+#undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
+
/* Define to 1 if you have the header file. */
#undef HAVE_STDARG_H
@@ -507,6 +521,9 @@
/* Define to the default tcp timeout. */
#undef TCP_TIMEOUT
+/* Define to the default DNS over TLS port. */
+#undef TLS_PORT
+
/* Define to the default maximum udp message length. */
#undef UDP_MAX_MESSAGE_LEN
@@ -550,6 +567,9 @@
#endif
+/* Define this to enable TCP fast open. */
+#undef USE_TCP_FASTOPEN
+
/* Define this to enable per-zone statistics gathering. */
#undef USE_ZONE_STATS
@@ -687,6 +707,9 @@
# endif
# ifndef _BSD_SOURCE
#define _BSD_SOURCE 1
+# endif
+# ifndef _OPENBSD_SOURCE
+#define _OPENBSD_SOURCE 1
# endif
# ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
Index: configlexer.lex
===
RCS file: /cvs/src/usr.sbin/nsd/configlexer.lex,v
retrieving revision 1.11
diff -u -p -r1.11 configlexer.lex
--- configlexer.lex 10 Dec 2018 16:09:11 - 1.11
+++ configlexer.lex 6 Aug 2019 11:53:07 -
@@ -201,9 +201,12 @@ ip-address{COLON} { LEXOUT(("v(%s) ", yy
interface{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_ADDRESS;}
ip-transparent{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_IP_TRANSPARENT;}
ip-freebind{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IP_FREEBIND;}
+send-buffer-size{COLON}{ LEXOUT(("v(%s) ", yytext)); return
VAR_SEND_BUFFER_SIZE;}
+receive-buffer-size{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_RECEIVE_BUFFER_SIZE;}
debug-mode{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DEBUG_MODE;}
use-systemd{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_USE_SYSTEMD;}
hide-version{COLON}{ LEXOUT(("v(%s) ", yytext)); return VAR_HIDE_VERSION;}
+hide-identity{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_HIDE_IDENTITY;}
ip4-only{COLON}{ LEXOUT(("v(%s) ", yytext)); return
VAR_IP4_ONLY;}
ip6-only{COLON}{ LEXOUT(("v(%s) ", yytext)); return
VAR_IP6_ONLY;}
do-ip4{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_DO_IP4;}
@@ -215,6 +218,7 @@ nsid{COLON} { LEXOUT(("v(%s) ", yytext)
logfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_LOGFILE;}
server-count{COLON}{ LEXOUT(("v(%s) ", yytext)); return VAR_SERVER_COUNT;}
tcp-count{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TCP_COUNT;}
+tcp-reject-overflow{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_TCP_REJECT_OVERFLOW;}
tcp-query-count{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_TCP_QUERY_COUNT;}
tcp-timeout{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TCP_TIMEOUT;}
tcp-mss{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_TCP_MSS;}
@@ -287,6 +291,10 @@ min-refresh-time{COLON}{ LEXOUT(("v(%s)
max-retry-time{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_MAX_RETRY_TIME;}
min-retry-time{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_MIN_RETRY_TIME;}
multi-master-check{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_MULTI_MASTER_CHECK;}
+tls-service-key{COLON} { LEXOUT(("v(%s) ", yytext)); return
VAR_TLS_SERVICE_KEY
