Takahiro HAYASHI | 31 Oct 04:59 2014

patch: 3.0 hub support for xhci


This patch tries to support 3.0 hubs for xhci.

still xhci is at best experimental.


- USB hubs should work.
- The root hub of xhci is now changed to have separated SS and HS ports,
   so that SS and HS hubs in 3.0 hub are hung from SS and HS roothub port
- Fix more for FS and LS device recognition.
- Fix device recognition at boot.
     uhub_intr() drops latter interrupts while uhub is exploring
     (sc_explorepending=1) for devices of former interrupt.
     I changed to force-rescan all ports of xhci root hub recursively.
- Expand size of DeviceRemovable in usb_hub_ss_descriptor_t
   from 2 to 32 as num of ports on root hub may exceeds 15.
- Temporarily set IMOD to 160 (25000 irq/sec).
     Intel PantherPoint/LynxPoint/BayTrail need interrupt rate capped,
     otherwise some devices seem to stall.
     This value is taken from linux xhci.c, but I'm not sure this is optimal.
     Large IMOD value may impact performance seriously.
     (e.g. xfer rate of my thumb drive falls off 177mb/s -> 80mb/s
      with IMOD=1000.)
- Temporarily USBHIST_CALLED in xhci_init() is disabled.
     If USBHIST_CALLED is called before USBHIST_INIT, it panics.
     Something has been changed recently.
- Support WRC PLC CEC port status changes.
(Continue reading)

Maxime Villard | 27 Oct 19:59 2014

FFS: memory corruption

There is a kmem inconsistency in ffs_reload().

676	newfs = kmem_alloc(fs->fs_sbsize, KM_SLEEP);
677	memcpy(newfs, bp->b_data, fs->fs_sbsize);

and later:

705	memcpy(fs, newfs, (u_int)fs->fs_sbsize);
706	brelse(bp, 0);
707	kmem_free(newfs, fs->fs_sbsize);

The memcpy here overwrites fs->fs_sbsize with the new superblock
size read on the disk; so the value may change. kmem_free may
then pick up the wrong cache - and panic.

This looks like a proper bug, not "intentional". I would suggest
the following:

Index: ffs_vfsops.c
RCS file: /cvsroot/src/sys/ufs/ffs/ffs_vfsops.c,v
retrieving revision 1.300
diff -u -r1.300 ffs_vfsops.c
--- ffs_vfsops.c	24 Oct 2014 13:18:51 -0000	1.300
+++ ffs_vfsops.c	27 Oct 2014 18:34:17 -0000
 <at>  <at>  -648,6 +648,7  <at>  <at> 
 	struct ufsmount *ump;
 	daddr_t sblockloc;
 	struct vnode_iterator *marker;
+	u_int32_t sbsize;
(Continue reading)

Maxime Villard | 27 Oct 16:42 2014

rwlock issue in secmodel

I think there's a rwlock issue in secmodel/secmodel.c:

174	if (sm == NULL) {
175		error = EFAULT;
176		goto out;
177	}
179	/* Check if the secmodel is already present. */
180	rw_enter(&secmodels_lock, RW_WRITER);
194	/* Unlock the secmodels list. */
195	rw_exit(&secmodels_lock);
197	return error;

This goto out will release secmodels_lock while it is not yet held,

The same in secmodel_unplug().

Maxime Villard | 27 Oct 16:49 2014

netbsd32_compat_50 inconsistency

Can someone explain me what this means?


256		(void) copyout(&atv,
257			       SCARG_P32(uap, olddelta),
258			       sizeof(atv));
259		if (error)
260			return (error);

Emmanuel Dreyfus | 25 Oct 06:39 2014

[PATCH] PUFFS backend allocation (round 3)

Summary: when writing to a PUFFS filesystem through page cache, we do
not know if backend storage is really available. If it is not, cache
flush may get EDQUOT or ENOSPC and the process cannot terminate (it gets
stuck in DE state).

Proposed solution: detect that a write may not have backend storage, and
if it is the case, try to allocate the backend storage.

Detecting is done on two conditions:
- if allocated blocks is shorter than size, the file is sparse and we
never know if we are writing in a hole or not: in that case, always
- if writing beyond EOF

Allocating the backend storage is done
- through newly introduced PUFFS fallocate operation (unlikely to work
on NetBSD as the system call exists but FFS does not support it)
- otherwise by reading from the file and rewriting the readen data

The latest patch doing this:



Emmanuel Dreyfus
manu <at> netbsd.org

(Continue reading)

Emmanuel Dreyfus | 24 Oct 09:42 2014

Enable FFS extended attributes in GENERIC?


Is there any opposition to enable FFS extended attributes in 

I have been using them for a while and it seems stable, The
relevant code is only involved if the filesystem is explicitely 
mounted with -o extattr, which means a bug will not affect people
that do not use the feature.

The only issues are:
- storage in sparse file (like ancient quota) means fsck do not
know about it and cannot repair it.
- dump/restore/pax ignore extended attributes (cp and mv preserve them)

It means FFS extended attributes in NetBSD are fragile and that one
should be ready to loose them, but that leaves some reasonable usages.


Emmanuel Dreyfus
manu <at> netbsd.org

Emmanuel Dreyfus | 24 Oct 09:19 2014

is a vnode page in memory?

oAnother question related to PUFFS page cache write once: how can I 
check if a given page for a vnode is already in memory?


Emmanuel Dreyfus
manu <at> netbsd.org

Emmanuel Dreyfus | 24 Oct 06:27 2014

ubc_uiomove returns EINVAL


I am working on PUFFS page cache write-once: before entering data in the
page cache, we must make sure the backend storage is available,
otherwise we will not be able to flush the cache later. Flush may fail
because of EDQUOT or ENOSPC, which lets processes stuck in DE state
(exiting, disk I/O in progress).

The idea is that when file grows, or if file is known to be sparse
(because its allocated block size is lower than its size), then before
entering data in cache, we first read from the file and rewrite to make
sure backend is allocated. I do it using ubc_uiomove, but it always
returns me EINVAL. What did I do wrong?

/* sample value: off = 0xa0000, len = 0x20000 */

        zbuf = kmem_alloc(len, KM_SLEEP);

        iov.iov_base = zbuf;
        iov.iov_len = len;

        uio.uio_iov = &iov;
        uio.uio_iovcnt = 1;
        uio.uio_offset = off;
        uio.uio_resid = len;
        uio.uio_rw = UIO_READ;

        error = ubc_uiomove(&vp->v_uobj, &uio, len,
(Continue reading)

Maxime Villard | 20 Oct 15:38 2014

FFS: wrong superblock check ~> crash

Probably with the conviction I would find some bugs I opened ffs/ffs_vfsops.c
and something immediately stroke me:

918		error = bread(devvp, sblock_try[i] / DEV_BSIZE, SBLOCKSIZE, cred,
919			      0, &bp);

SBLOCKSIZE (=8192) bytes are read on the disk and put into bp->b_data

924		fs = (struct fs*)bp->b_data;
939			sbsize = fs->fs_sbsize;

'sbsize' is set to a value that was read on the disk.

976		/* Validate size of superblock */
977		if (sbsize > MAXBSIZE || sbsize < sizeof(struct fs))
978			continue;

Basic sanity checks. MAXBSIZE = 64 * 1024.

991	fs = kmem_alloc((u_long)sbsize, KM_SLEEP);
992	memcpy(fs, bp->b_data, sbsize);

And then comes this memcpy. The problem here is that the size of b_data is
8192, but the values of sbsize are located in [1376; 65536].

With a broken superblock the kernel will read far beyond the allocated
area, which mostly means it will crash.

(Continue reading)

Maxime Villard | 18 Oct 13:06 2014

Unreleased vnode in linux_sys_uselib()

there seems to be a vnode issue in compat/linux/common/linux_uselib.c:

116		return ENOEXEC;

Here 'vp' is not released. Patch:

Index: linux_uselib.c
RCS file: /cvsroot/src/sys/compat/linux/common/linux_uselib.c,v
retrieving revision 1.30
diff -u -r1.30 linux_uselib.c
--- linux_uselib.c	28 Aug 2009 01:39:03 -0000	1.30
+++ linux_uselib.c	18 Oct 2014 10:48:53 -0000
 <at>  <at>  -103,17 +103,18  <at>  <at> 
 	if ((error = vn_rdwr(UIO_READ, vp, (void *) &hdr, LINUX_AOUT_HDR_SIZE,
 			     0, UIO_SYSSPACE, IO_NODELOCKED, l->l_cred,
 			     &rem, NULL))) {
-		vrele(vp);
-		return error;
+		goto out;

 	if (rem != 0) {
-		vrele(vp);
-		return ENOEXEC;
+		error = ENOEXEC;
+		goto out;
(Continue reading)

Emmanuel Dreyfus | 14 Oct 19:05 2014

[PATCH] GOP_ALLOC and fallocate for puffs (round 2)


Here is the latest iteration of my patch to ensure we avoid sending data
to the page cache we cannot flush later.

- When writing, we make sure backend storage is allocated in two cases:
  1) the file is sparse, hence we never know if backend storage is here.
  2) the file grows: we know we need to allocated for the new area.
- sparse file detection is done at when updating metadata cache: if
  size is bigger than allocated blocks, it is sparse.
- I add fallocate FUSE operation (userland support is in another patch)
  for efficient backend storage allocation.
- If fallocate is unavailable, I fallback to explicit zero-filling. 
- puffs_vnop_write() is split into two functions, puffs_vnop_write_cache()
  that writes in cache, puffs_vnop_write_fs that writes to the FS

The change lets NetBSD pass GlusterFS quota test. Without it, process
writing over quota hang in DE state (exitting, disk I/O ongoing: it cannot
flush cached data overquota and therefore cannot exit).


One possible improvement: if PUFFS fallocate returne EOPNOTSUP / ENOSYS, 
we remove it from the operation array? This is dirty, but since we have 
a fallocate systemcalls that has no implementation for FFS, we are very
likely to encounter that case.


Emmanuel Dreyfus
(Continue reading)