Commit by pjd :: r222268 /head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_dir.c: (link)

Don't pass pointer to name buffer which is on the stack to another thread,
because the stack might be paged out once the other thread tries to use the
data. Instead, just allocate memory.

MFC after: 2 weeks

Commit by pjd :: r222267 /head/sys/cddl/ (4 files in 4 dirs): (link)

Don't access task structure once we call task function.
The task structure might be no longer available.
This also allows to eliminates the need for two tasks in the zio structure.

Submitted by: anonymous
MFC after: 2 weeks

Commit by pjd :: r222108 /head/sbin/hastd/ (parse.y hastd.c hast.h hast.conf.5): (link)

In preparation for IPv6 support allow to specify multiple addresses to
listen on.

MFC after: 3 weeks

Commit by pjd :: r222087 /head/sbin/hastd/pjdlog.c: (link)

• Add support for AF_INET6 sockets for %S format character.
• Use inet_ntop(3) instead of reimplementing it.
• Use %hhu for unsigned char instead of casting it to unsigned int and using %u. MFC after: 1 week

Commit by pjd :: r221899 /head/sbin/ (5 files in 2 dirs): (link)

Currently we are unable to use capsicum for the primary worker process,
because we need to do ioctl(2)s, which are not permitted in the capability
mode. What we do now is to chroot(2) to /var/empty, which restricts access
to file system name space and we drop privileges to hast user and hast
group.

This still allows to access to other name spaces, like list of processes,
network and sysvipc.

To address that, use jail(2) instead of chroot(2). Using jail(2) will restrict
access to process table, network (we use ip-less jails) and sysvipc (if
security.jail.sysvipc_allowed is turned off). This provides much better
separation.

MFC after: 1 week

Commit by pjd :: r221898 /head/sbin/hastd/subr.c: (link)

When using capsicum to sanbox, still use other methods first, just in case
one of them have some problems.

Commit by pjd :: r221643 /head/sbin/hastd/parse.y: (link)

Allow to specify remote as 'none' again which was broken by r219351, where
'none' was defined as a value for checksum.

Reported by: trasz
MFC after: 1 week

Commit by pjd :: r221633 /head/sbin/geom/class/eli/geli.8: (link)

Document the following sysctls:

kern.geom.eli.version
kern.geom.eli.key_cache_limit
kern.geom.eli.key_cache_hits
kern.geom.eli.key_cache_misses

MFC after: 1 week

Commit by pjd :: r221631 /head/sys/geom/eli/g_eli.c: (link)

Export GELI class version via sysctl kern.geom.eli.version.

MFC after: 1 week

Commit by pjd :: r221630 /head/sys/geom/eli/g_eli_ctl.c: (link)

Version 6 is compatible with version 5 when it comes to control commands.

MFC after: 1 week

Commit by pjd :: r221629 /head/sys/geom/eli/g_eli.h: (link)

Detect and handle metadata of version 6.

MFC after: 1 week

Commit by pjd :: r221628 /head/sys/geom/eli/ (g_eli.h g_eli_integrity.c g_eli.c): (link)

When support for multiple encryption keys was committed, GELI integrity mode
was not updated to pass CRD_F_KEY_EXPLICIT flag to opencrypto. This resulted in
always using first key.

We need to support providers created with this bug, so set special
G_ELI_FLAG_FIRST_KEY flag for GELI provider in integrity mode with version
smaller than 6 and pass the CRD_F_KEY_EXPLICIT flag to opencrypto only if
G_ELI_FLAG_FIRST_KEY doesn't exist.

Reported by: Anton Yuzhaninov <citrin at citrin dot ru>
MFC after: 1 week

Commit by pjd :: r221626 /head/sys/geom/eli/g_eli.h: (link)

Remove prototype for a function that no longer exist.

MFC after: 1 week

Commit by pjd :: r221625 /head/sys/geom/eli/g_eli_integrity.c: (link)

Drop proper key.

MFC after: 1 week

Commit by pjd :: r221624 /head/sys/geom/eli/g_eli_key_cache.c: (link)

Add magic field to the g_eli_key structure to detect if we are really
operating on proper structures.

MFC after: 1 week

Commit by pjd :: r220984 /head/sys/geom/eli/g_eli_key_cache.c: (link)

One key is expected from providers smaller than or equal to (2^20)*sectorsize
bytes. Remove bogus assertion and while here remove another too obvious
assertion.

Reported by: Fabian Keil <freebsd-listen at fabiankeil dot de>
MFC after: 2 weeks

Commit by pjd :: r220930 /head/sys/conf/files: (link)

Add g_eli_key_cache.c to GELI.

MFC after: 2 weeks

Commit by pjd :: r220923 /head/sys/geom/eli/g_eli_key_cache.c: (link)

If number of keys for the given provider doesn't exceed the limit,
allocate all of them at attach time. This allows to avoid moving
keys around in the most-recently-used queue and needs no mutex
synchronization nor refcounting.

MFC after: 2 weeks

Commit by pjd :: r220922 /head/sys/ (8 files in 2 dirs): (link)

Instead of allocating memory for all the keys at device attach,
create reasonably large cache for the keys that is filled when
needed. The previous version was problematic for very large providers
(hundreds of terabytes or serval petabytes). Every terabyte of data
needs around 256kB for keys. Make the default cache limit big enough
to fit all the keys needed for 4TB providers, which will eat at most
1MB of memory.

MFC after: 2 weeks

Commit by pjd :: r220899 /head/sbin/hastd/hastd.c: (link)

Correct comment.

MFC after: 1 week