the underlying media fails or becomes inaccessible. For example
when a USB flash memory card hosting a UFS filesystem is unplugged.

The strategy for handling disk I/O errors when soft updates are
enabled is to stop writing to the disk of the affected file system
but continue to accept I/O requests and report that all future
writes by the file system to that disk actually succeed. Then
initiate an asynchronous forced unmount of the affected file system.

There are two cases for disk I/O errors:

   - ENXIO, which means that this disk is gone and the lower layers
     of the storage stack already guarantee that no future I/O to
     this disk will succeed.

   - EIO (or most other errors), which means that this particular
     I/O request has failed but subsequent I/O requests to this
     disk might still succeed.

For ENXIO, we can just clear the error and continue, because we
know that the file system cannot affect the on-disk state after we
see this error. For EIO or other errors, we arrange for the geom_vfs
layer to reject all future I/O requests with ENXIO just like is
done when the geom_vfs is orphaned. In both cases, the file system
code can just clear the error and proceed with the forcible unmount.

This new treatment of I/O errors is needed for writes of any buffer
that is involved in a dependency. Most dependencies are described
by a structure attached to the buffer's b_dep field. But some are
created and processed as a result of the completion of the dependencies
attached to the buffer.

Clearing of some dependencies require a read. For example if there
is a dependency that requires an inode to be written, the disk block
containing that inode must be read, the updated inode copied into
place in that buffer, and the buffer then written back to disk.

Often the needed buffer is already in memory and can be used. But
if it needs to be read from the disk, the read will fail, so we
fabricate a buffer full of zeroes and pretend that the read succeeded.
This zero'ed buffer can be updated and written back to disk.

The only case where a buffer full of zeros causes the code to do
the wrong thing is when reading an inode buffer containing an inode
that still has an inode dependency in memory that will reinitialize
the effective link count (i_effnlink) based on the actual link count
(i_nlink) that we read. To handle this case we now store the i_nlink
value that we wrote in the inode dependency so that it can be
restored into the zero'ed buffer thus keeping the tracking of the
inode link count consistent.

Because applications depend on knowing when an attempt to write
their data to stable storage has failed, the fsync(2) and msync(2)
system calls need to return errors if data fails to be written to
stable storage. So these operations return ENXIO for every call
made on files in a file system where we have otherwise been ignoring
I/O errors.

Coauthered by: mckusick
Reviewed by:   kib
Tested by:     Peter Holm
Approved by:   mckusick (mentor)
Sponsored by:  Netflix
Differential Revision:  https://reviews.freebsd.org/D24088

This does not add support for separate output buffers but updates the
driver to cope with the changes.

Pointy hat to:	jhb

This does not add support for separate output buffers but updates the
driver to cope with the changes.

Pointy hat to:	jhb

- When -z is used, include small buffers from 1 to 32 bytes to test
  stream ciphers.  Note that while AES-XTS claims to support a block
  size of 1 in OpenSSL, it does require a minimum of 1 block of cipher
  text as it is not a stream cipher but depends on CTS to pad out the
  final partial block.

- Permit multiple AAD sizes to be set via multiple -A options, or via
  -z.  When -z is set, use small buffers from 0 to 32 bytes followed
  by powers of 2 up to 256.  When multiple sizes are specified, the
  ETA and AEAD algorithms perform the full matrix of AAD sizes by
  payload sizes.

- Only warn on unchanged ciphertext instead of erroring.  The
  currently generated plaintext and key for a couple of AES-CTR tests
  with a buffer size of 1 results in ciphertext that matches the
  plaintext.

Reviewed by:	cem
Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D25006

Although I added the reset type field to ath_hal_reset() years ago,
I never finished adding it both throughout the HALs and in if_ath.c.

This will eventually deprecate the ath_hal force_full_reset option
because it can be requested at the driver layer.

So:

* Teach ar5416ChipReset() and ar9300_chip_reset() about the HAL type
* Use it in ar5416Reset() and ar9300_reset() when doing a full chip reset
* Extend ath_reset() to include the HAL_RESET_TYPE parameter added in the above functions
* Use HAL_RESET_NORMAL in most calls to ath_reset()
* .. but use HAL_RESET_BBPANIC for the BB panics, and HAL_RESET_FORCE_COLD during fatal, beacon miss and other hardware related hangs.

This should be a glorified no-op outside of actual hardware issues.
I've tested things with ath_hal force_full_reset set to 1 for years now,
so I know that feature and a full reset works (albeit much slower than
a warm reset!) and it does unwedge hardware.

The eventual aim is to use this for all the places where the driver
detects a potential hang as well as if long calibration - ie, noise floor
calibration - fails to complete. That's one of the big hardware related
things that causes station mode operation to hang without easy recovery.

Differential Revision:	https://reviews.freebsd.org/D24981

The backend routines aesni(4) call for specific encryption modes all
expect virtually contiguous input/output buffers.  If the existing
output buffer is virtually contiguous, always write to the output
buffer directly from the mode-specific routines.  If the output buffer
is not contiguous, then a temporary buffer is allocated whose output
is then copied to the output buffer.  If the input buffer is not
contiguous, then the existing buffer used to hold the input is also
used to hold temporary output.

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545

This is a testing aid to permit using testing a driver's support of
separate output buffers via cryptocheck.

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545

Some crypto consumers such as GELI and KTLS for file-backed sendfile
need to store their output in a separate buffer from the input.
Currently these consumers copy the contents of the input buffer into
the output buffer and queue an in-place crypto operation on the output
buffer.  Using a separate output buffer avoids this copy.

- Create a new 'struct crypto_buffer' describing a crypto buffer
  containing a type and type-specific fields.  crp_ilen is gone,
  instead buffers that use a flat kernel buffer have a cb_buf_len
  field for their length.  The length of other buffer types is
  inferred from the backing store (e.g. uio_resid for a uio).
  Requests now have two such structures: crp_buf for the input buffer,
  and crp_obuf for the output buffer.

- Consumers now use helper functions (crypto_use_*,
  e.g. crypto_use_mbuf()) to configure the input buffer.  If an output
  buffer is not configured, the request still modifies the input
  buffer in-place.  A consumer uses a second set of helper functions
  (crypto_use_output_*) to configure an output buffer.

- Consumers must request support for separate output buffers when
  creating a crypto session via the CSP_F_SEPARATE_OUTPUT flag and are
  only permitted to queue a request with a separate output buffer on
  sessions with this flag set.  Existing drivers already reject
  sessions with unknown flags, so this permits drivers to be modified
  to support this extension without requiring all drivers to change.

- Several data-related functions now have matching versions that
  operate on an explicit buffer (e.g. crypto_apply_buf,
  crypto_contiguous_subsegment_buf, bus_dma_load_crp_buf).

- Most of the existing data-related functions operate on the input
  buffer.  However crypto_copyback always writes to the output buffer
  if a request uses a separate output buffer.

- For the regions in input/output buffers, the following conventions
  are followed:
  - AAD and IV are always present in input only and their
    fields are offsets into the input buffer.
  - payload is always present in both buffers.  If a request uses a
    separate output buffer, it must set a new crp_payload_start_output
    field to the offset of the payload in the output buffer.
  - digest is in the input buffer for verify operations, and in the
    output buffer for compute operations.  crp_digest_start is relative
    to the appropriate buffer.

- Add a crypto buffer cursor abstraction.  This is a more general form
  of some bits in the cryptosoft driver that tried to always use uio's.
  However, compared to the original code, this avoids rewalking the uio
  iovec array for requests with multiple vectors.  It also avoids
  allocate an iovec array for mbufs and populating it by instead walking
  the mbuf chain directly.

- Update the cryptosoft(4) driver to support separate output buffers
  making use of the cursor abstraction.

Sponsored by:	Netflix
Differential Revision:	https://reviews.freebsd.org/D24545

This reapplies logical r360944 and r360946 (reverting r360955), with fixed
copystr() stand-in replacement macro.  Eventually the goal is to convert
consumers and kill the macro, but for a first step it helps if the macro is
correct.

Prior commit message:

Unlike the other copy*() functions, it does not serve to copy from one
address space to another or protect against potential faults.  It's just
an older incarnation of the now-more-common strlcpy().

Add a coccinelle script to tools/ which can be used to mechanically
convert existing instances where replacement with strlcpy is trivial.
In the two cases which matched, fuse_vfsops.c and union_vfsops.c, the
code was further refactored manually to simplify.

Replace the declaration of copystr() in systm.h with a small macro
wrapper around strlcpy (with correction from brooks@ -- thanks).

Remove N redundant MI implementations of copystr.  For MIPS, this
entailed inlining the assembler copystr into the only consumer,
copyinstr, and making the latter a leaf function.

Reviewed by:		jhb (earlier version)
Discussed with:		brooks (thanks!)
Differential Revision:	https://reviews.freebsd.org/D24672

Implement support for AHCI controller found in
NXP QorIQ Layerscape SoCs.

Submitted by: Artur Rojek <ar@semihalf.com>
Reviewed by: manu
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24466

This patch introduces support for Epson RX-8803 RTC controller accessible
over I2C bus. It has a resolution of 1 sec.
Support for interrupt based alarm was not implemented.

Submitted by: Kornel Duleba <mindal@semihalf.com>
Reviewed by: manu
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24364

Add basic TCA6416 GPIO expander support over I2C bus. The driver handles
enabling and disabling pins, setting pin mode to IN and OUT and
toggling the pins. External interrupts are not supported.

Submitted by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: manu, mmel
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24363

NXP LS1046A contains I2C controller compatible with Vybrid VF610.
Existing Vybrid MVF600 driver can be used to support it. For that purpose
declare driver as ofw_iicbus and add methods associated with ofw_iicbus.

For VF610 add dynamic clock prescaler calculation using clock information
from clock driver and clock frequency requested in device tree.

On the occasion add detach function and add additional error handling
in i2c_attach function.

Submitted by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: manu
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24361

This patch adds a GPIO controller support targeted for NXP LS1046A
SoC. The driver implements the following features:
 * setting direction of each pin (IN or OUT)
 * setting the mode of output pins (PUSHPULL or OPENDRAIN)
 * setting the state of each output pin (1 or 0)
 * reading the state of each input pin (1 or 0)

Submitted by: Kamil Koczurek <kek@semihalf.com>
              Dawid Gorecki <dgr@semihalf.com>
Reviewed by: manu
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24353

Driver provides probe and attach functions for LS1046A clockgen and passes
configuration information to QorIQ clockgen class. It may be used as
a reference implementation for different QorIQ clockgen devices.

Submitted by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: mmel, manu
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24352

This patch adds classes and functions that can be used with various NXP
QorIQ Layerscape SoCs.

As for the clock topology - there is single platform PLL, which supplies
clocks for the peripheral bus and additional PLLs for CPU cores. There
can be multiple core PLLs (For example - LS1046A has two PLLs - CGAPLL1
and CGAPLL2). Each PLL has fixed dividers on output. The core PLLs
are not accessible from dts.

This is a preparation patch for NXP LS1046A SoC support.

Submitted by: Dawid Gorecki <dgr@semihalf.com>
Reviewed by: mmel
Obtained from: Semihalf
Sponsored by: Alstom Group
Differential Revision: https://reviews.freebsd.org/D24351

mod_timer is supposed to return 1 if the modified timer was pending, which
is exactly what callout_reset does so return the value after checking
that it's a correct one in case the api change.
del_timer_sync returns int so add a function and handle that.

Reviewed by:	hselasky
Differential Revision:	https://reviews.freebsd.org/D24983

Implement some refcount functions needed by drm.
Just use the atomic_t struct and functions from linuxkpi for simplicity.

Sponsored-by: The FreeBSD Foundation

Reviewed by:	hselsasky
Differential Revision:	https://reviews.freebsd.org/D24985

The same_type macro simply wraps around builtin_types_compatible_p which
exist for both GCC and CLANG, which returns 1 if both types are the same.
The __must_be_array macros returns 1 if the argument is an array.

This is needed for DRM v5.3

Sponsored-by: The FreeBSD Foundation
Reviewed by:	hselasky
Differential Revision:	https://reviews.freebsd.org/D24953

There is no need for a fence and there is no need to provide
the TCP sequence number.

Sponsored by:	Mellanox Technologies

For TLS v1.3 the 12 bytes of the initial vector, IV, should just be copied
as-is from the kernel to the gcm_iv field, which hold the first 4 bytes,
and the remaining 8 bytes go to the subsequent implicit_iv field.
There is no need to consider the byte order on the 12 bytes of IV like
initially done.

Sponsored by:	Mellanox Technologies

A CX6-DX firmware version equal to or newer than 12.27.0372 is
now required.

Sponsored by:	Mellanox Technologies

contained example here in the fdformat man page will allow us to
modernize and streamline the FreeBSD Handbook by cutting out some of
this legacy material.

While here, address some other minor grammatical nits in this man page.

Reviewed by:	bcr (mentor)
Approved by:	bcr (mentor)
MFC after:	2 weeks
Differential Revision:	https://reviews.freebsd.org/D24971

- Return 2 x 16-bit registers in the correct byte order
 for a 4-byte read that spans the CMD/STATUS register.
  This reversal was hiding the capabilities-list, which prevented
 the MSI capability from being found for XHCI passthru.

- Reorganize MSI/MSI-x config writes so that a 4-byte write at the
 capability offset would have the read-only portion skipped.
  This prevented MSI interrupts from being enabled.

 Reported and extensively tested by Anatoli (me at anatoli dot ws)

PR:	245392
Reported by:	Anatoli (me at anatoli dot ws)
Reviewed by:	jhb (bhyve)
Approved by:	jhb, bz (mentor)
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D24951

... instead of depending on the compiler not to mess them up

They depend on it to accurately read the offset.

The new code is not used as it would add an interrupt enable/disable
trip on top of the atomic.

This also fixes a bug where 32-bit nolock request would still lock the offset.

No changes for 64-bit.

Reported by:	emaste

MFC after:	2 weeks

Reported by:	mike tancsa <mike@sentex.net>
MFC after:	1 day

This reverts the i386 part of r342283, "Rework UEFI ESP generation", and
the followup commit in r342690.

r342283 added an ESP to the i386 memstick image, and as a side effect
made the ESP the active partition, not the bootcode-containing UFS
partition.  As a result the i386 memstick images would not boot in
either UEFI or legacy mode - UEFI failed because we do not support i386
UEFI booting, and legacy mode failed because the partition with legacy
bootcode was not active.

The bootcode-containing UFS partition is again the only, and active,
partition.

PR:		246494
Reported by:	Jorge Maidana
Differential Revision:	The FreeBSD Foundation

The revision caused libprocstat to have two undefined symbols:
- __start_set_pcpu
- __stop_set_pcpu
probably because of __GLOBL() used in sys/pcpu.h under _KERNEL.
The symbols are not accessed by anything and the linker in base does not
complain about them, but some ports are failing to build.
Hack around the problem by providing definitions for those symbols.

Probably there is a better solution, but I could not think of it yet.

Reported by:	zeising
MFC after:	3 days
X-MFC with:	r361363
Sponsored by:	Panzura

Contending cases still serialize on sleepq (which would be taken anyway).

Reviewed by:	kib (previous version)
Differential Revision:	https://reviews.freebsd.org/D21626

X-MFC-With:	r361426

As usual, the full release notes are found on Github:

  https://github.com/facebook/zstd/releases/tag/v1.4.5

Notable changes include:

* Improved decompress performance on amd64 and arm (5-10%
  and 15-50%, respectively).
* '--patch-from' zstd(1) CLI option, which provides something like a very fast
  version of bspatch(1) with slightly worse compression.  See release notes.

In this update, I dropped the 3-year old -O0 workaround for an LLVM ARM bug;
the bug was fixed in LLVM SVN in 2017, but we didn't remove this workaround
from our tree until now.

MFC after:	I won't, but feel free
Relnotes:	yes

This unbreak LINT build

Reported by:	jenkins, melifaro