sys: Remove $FreeBSD$: two-line .h pattern

Remove /^\s*\*\n \*\s+\$FreeBSD\$$\n/

spdx: The BSD-2-Clause-FreeBSD identifier is obsolete, drop -FreeBSD

The SPDX folks have obsoleted the BSD-2-Clause-FreeBSD identifier. Catch
up to that fact and revert to their recommended match of BSD-2-Clause.

Discussed with: pfg
MFC After: 3 days
Sponsored by: Netflix

Allow sys/refcount.h to be used by standalone builds.
No functional change.

MFC after: 1 week
Sponsored by: Mellanox Technologies // NVIDIA Networking

refcount(9): Add refcount_release_if_last() and refcount_load()

The former is intended for use in vmspace_exit(). The latter is to
encourage use of explicit loads rather than relying on the volatile
qualifier. This works better with kernel sanitizers, which can
intercept atomic(9) calls, and makes tricky lockless code easier to read
by not forcing the reader to remember which variables are declared
volatile.

Reviewed by: kib, mjg, mmel
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D27056

refcount: make it atomic-clean

While here consistently use 'old' in all places.

Tested by: pho

Remove an #include erroneously added in r358432.

Reported by: erj

Add a blocking counter KPI.

refcount(9) was recently extended to support waiting on a refcount to
drop to zero, as this was needed for a lockless VM object
paging-in-progress counter. However, this adds overhead to all uses of
refcount(9) and doesn't really match traditional refcounting semantics:
once a counter has dropped to zero, the protected object may be freed at
any point and it is not safe to dereference the counter.

This change removes that extension and instead adds a new set of KPIs,
blockcount_*, for use by VM object PIP and busy.

Reviewed by: jeff, kib, mjg
Tested by: pho
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D23723

refcount: update comments about fencing when releasing counts after r357989

Requested by: kib
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D23719

refcount: add missing release fence to refcount_release_if_gt

The CPU succeeding in releasing the not last reference can still have pending
stores to the object protected by the affected counter. This opens a time
window where another CPU can release the last reference and free the object,
resulting in use-after-free. On top of that this prevents the compiler from
generating more accesses to the object regardless of how atomic_fcmpset_rel_int
is implemented (of course as long as it provides the release semantic).

Reviewed by: markj

Provide an API for interlocked refcount sleeps.

Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D22908

Use atomics in more cases for object references. We now can completely
omit the object lock if we are above a certain threshold. Hold only a
single vnode reference when the vnode object has any ref > 0. This
allows us to only lock the object and vnode on 0-1 and 1-0 transitions.

Differential Revision: https://reviews.freebsd.org/D22452

Use atomics and a shared object lock to protect the object reference count.

Certain consumers still need to guarantee a stable reference so we can not
switch entirely to atomics yet. Exclusive lock holders can still modify
and examine the refcount without using the ref api.

Reviewed by: kib
Tested by: pho
Sponsored by: Netflix, Intel
Differential Revision: https://reviews.freebsd.org/D21598

Use %u instead of %d to print unsigned integer.
While at it remove an empty line.

MFC after: 1 week
Sponsored by: Mellanox Technologies

Fix for undefined behaviour.
Left shift of 1 by 31 places cannot be represented in type 'int'.

MFC after: 1 week
Sponsored by: Mellanox Technologies

Add a blocking wait bit to refcount. This allows refs to be used as a simple
barrier.

Reviewed by: markj, kib
Discussed with: jhb
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D21254

Handle refcount(9) wraparound.

Attempt to mitigate the security risks around refcount overflows by
introducing a "saturated" state for the counter. Once a counter reaches
INT_MAX+1, subsequent acquire and release operations will blindly set
the counter value to INT_MAX + INT_MAX/2, ensuring that the protected
resource will not be freed; instead, it will merely be leaked.

The approach introduces a small race: if a refcount value reaches
INT_MAX+1, a subsequent release will cause the releasing thread to set
the counter to the saturation value after performing the decrement. If
in the intervening window INT_MAX refcount releases are performed by a
different thread, a use-after-free is possible. This is very difficult
to trigger in practice, and any situation where it could be triggered
would likely be vulnerable to reference count wraparound problems
to begin with. An alternative would be to use atomic_cmpset to acquire
and release references, but this would introduce a larger performance
penalty, particularly when the counter is contended.

Note that refcount_acquire_checked(9) maintains its previous behaviour;
code which must accurately track references should use it instead of
refcount_acquire(9).

Reviewed by: kib, mjg
MFC after: 3 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D21089

Switch the rest of the refcount(9) functions to bool return type.

There are some explicit comparisions of refcount_release(9) result
with 0/1, which are fine.

Reviewed by: markj, mjg
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D21014

Fix userspace build after r350199.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week

Check and avoid overflow when incrementing fp->f_count in
fget_unlocked() and fhold().

On sufficiently large machine, f_count can be legitimately very large,
e.g. malicious code can dup same fd up to the per-process
filedescriptors limit, and then fork as much as it can.
On some smaller machine, I see
kern.maxfilesperproc: 939132
kern.maxprocperuid: 34203
which already overflows u_int. More, the malicious code can create
transient references by sending fds over unix sockets.

I realized that this check is missed after reading
https://secfault-security.com/blog/FreeBSD-SA-1902.fd.html

Reviewed by: markj (previous version), mjg
Tested by: pho (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D20947

Drop "All rights reserved" from my copyright statements.

Reviewed by: rgrimes
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D19485

refcount: remove a stale comment about conditional ref/unref routines

It was there for vfs-specific variants and was copied over when it should not.

Sponsored by: The FreeBSD Foundation

Make sure returned value is checked and assert a valid refcount.
While at it fix a print: Unsigned types cannot be negative.

Reviewed by: kib, mjg
Differential revision: https://reviews.freebsd.org/D17616
MFC after: 1 week
Sponsored by: Mellanox Technologies

ZFS vn_rele_async: catch up with the use of refcount(9) for the vnode use count

It's not sufficient nor required to use the vnode interlock when
checking if we are going to drop the last use count as the code in
vputx() uses refcount (atomic) operations for both checking and
decrementing the use code. Apply the same method to vn_rele_async().
While here, remove vn_rele_inactive(), a wrapper around vrele() that
didn't add any value.

Also, the change required making vfs_refcount_release_if_not_last()
public. I've made vfs_refcount_acquire_if_not_zero() public as well.
They are in sys/refcount.h now. While making the move I've dropped the
vfs_ prefix.

Reviewed by: mjg
MFC after: 2 weeks
Sponsored by: Panzura
Differential Revision: https://reviews.freebsd.org/D14869

sys/sys: further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 2-Clause license, however the tool I
was using misidentified many licenses so this was mostly a manual - error
prone - task.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Correct fences for sys/refcount.h.

The acq barrier in refcount_acquire() has no use, constructor must
ensure that the changes are visible before publication by other means.
Last release must sync/with the constructor and all updaters.

This is based on the refcount/shared_ptr analysis I heard at the Hans
Boehm and Herb Sutter talks about C++ atomics.

Reviewed by: alc, jhb, markj
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D11270

Drop the 3rd clause from all 3 clause BSD licenses where I am the sole
holder to convert them to 2 clause BSD licenses.

MFC after: 1 week

Add assertion for refcount overflow.

Submitted by: Andrey Zonov <andrey zonov.org>
Reviewed by: kib

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

- Import the HEAD csup code which is the basis for the cvsmode work.

Remove debugging cruft.

pjd@'s r180759 was intended to revert r180755 due to ipfilter breakage,
but removed too much, breaking the build in other places instead. Now
that the ipfilter issue has been fixed (or hacked around), address the
second issue by restoring r180755, with one small change. I don't feel
comfortable using assert(3) in a header that will be included in userland
code that may or may not already have an assertion mechanism in place,
so KASSERT() evaluates to a no-op in the !_KERNEL case.

Back out this change, as it breaks the build and I don't have time for
a better fix today.

Check for negative reference count.

Reviewed by: des

Add a simple reference count API that is simply a thin wrapper API around
atomic operations on ints.

Reviewed by: arch@
MFC after: 1 week