pfctl: parser must not ignore error from pfctl_optimize_ruleset()
Ignoring the error may cause pfctl(8) to load inconsistent ruleset
preventing pf(4) to enforce desired policy.
Issue reported and fix suggested by berts _from_ fastmail _dot_ com
'Looks good.' @deraadt
MFC after: 1 week
Obtained from: OpenBSD, sashan <sashan at openbsd.org>, 9fd28a8cca
Sponsored by: Rubicon Communications, LLC ("Netgate")
release.sh: add chroot cleanup routine
The chroot_cleanup routine handles any cleanup needed post-chroot_setup,
etc. This consists of purely tearing down `${CHROOTDIR}/dev` today, but
might involve additional steps, as needed for custom functions. This
allows end-users to override the various chroot functions without having
to modify code in main() or replicate the unmount procedure in an
equivalent routine setup via the trap builtin.
This change modifies the /dev unmount process to use `umount -f` instead
of `umount`. The latter can result in failures if resources are still
mounted or are running post-build, whereas the former will clean up any
resources still in use by processes running in the chroot at time of
build. Moreover, the `chroot_cleanup` routine is now called when the
script is killed with `SIGINT` and `SIGTERM`, as well as at `EXIT`,
better ensuring that the script's resources are cleaned up in relatively common
scenarios that can be detected/handled.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D55450 (as part of a larger change)
release.sh: document user-overriddable functions
This helps others attempting to customize the behavior of `release.sh`.
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D55450 (as part of a larger change)
libc: Fix cxa_thread_atexit{,nothr} test.
After patch 9d26b82, we don't provide recursive call protection anymore.
Therefore, to pass the test, we adjust the testcase by protecting on
caller and the testcase is to make sure the dtors is properly handled.
Reported by: siva
Reviewed by: kib
Approved by: markj (mentor)
Fixes: 9d26b82826d9 ("libc: Fix dtor order in __cxa_thread_atexit")
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55893
hwpstate_amd: Refactor the cpufreq code by using delegation pattenr
We separate the code of CPPC and legacy pstate driver to make it easier
to read.
Reviewed by: olce
Approved by: markj (mentor)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55604
libcrypto: compile all PIC objects with -DOPENSSL_PIC -fPIC
This change modifies the libcrypto PIC objects to always compile with
`-DOPENSSL_PIC -fPIC` to restore parity with the upstream build process.
This ensures that the legacy provider is built with parity to the
upstream legacy provider.
MFC after: 12 days
Tested with: `make check` (legacy provider), `make universe`
Fixes: 14b9955e
Differential Revision: https://reviews.freebsd.org/D44896
nfs_clstate.c: Handle the same stateid case correctly
When an NFSv4.1/4.2 sarver upgrades a read delegation to
a write delegation, it does not need to change the
delegation's stateid.
Without this patch, a DELEGRETURN of the stateid was done
for the case where the delegation stateid had not changed.
This return was bogus, since the delegation stateid now
represents the new write delegation.
This patch fixes the priblem by checking for "same stateid"
and only doing the DELEGRETURN when it is not the same.
PR: 289711
(cherry picked from commit 016570c4463d5908953355ee1cf9a385ad9601b4)
nfs_clstate.c: Handle the same stateid case correctly
When an NFSv4.1/4.2 sarver upgrades a read delegation to
a write delegation, it does not need to change the
delegation's stateid.
Without this patch, a DELEGRETURN of the stateid was done
for the case where the delegation stateid had not changed.
This return was bogus, since the delegation stateid now
represents the new write delegation.
This patch fixes the priblem by checking for "same stateid"
and only doing the DELEGRETURN when it is not the same.
PR: 289711
(cherry picked from commit 016570c4463d5908953355ee1cf9a385ad9601b4)
amd64: revert back struct trapframe to the pre-FRED definition
Trying to use the grown struct trapframe for IDT case broke in cases
where code supposed that hardware consumed sizeof(struct trapframe) of
the stack space when delivering interrupt or exception. In particular,
this was broken for #NM/#DB/#MC. Naive attempt of using IDT-trapframe
size for stack consumption caused later problems with larger C type.
Instead of pretending that IDT event delivery pushed two never-accessed
doubleword to the stack, keep it honest and provide separate type for
the FRED interrupt frame, i.e. struct trapframe_fred.
Convert between trapframe_fred and trapframe can be done by trivial pointer
arithmetic.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
LinuxKPI: add supporting #includes
Compiling drm-kmod on !X86 does not include asm/smp.h which includes
preempt.h on FreeBSD. In order to compile drm-kmod on other
architectures add the secondary #includes for preempt.h to
spinlock.h and hardirq.h (which now also gets included from highmem.h)
to connect the #include chain.
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
PR: 279864
Reviewed by: jhibbits, emaste
Differential Revision: https://reviews.freebsd.org/D55974
sbuf: make assertion message a lot more useable
Saying that we are called with an (un)finished or corrupted sbuf
is like saying "error" (though [un]finished is an extra hint).
Add the pointer to the sbuf so one could easily check it,
add the flags we are checking so one could see quickly about
a possible state mismatch.
Given we already dereference the pointer in the KASSERT there is no
extra harm adding it to the message.
Found while: testing lindebugfs changes
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D55919
Revert "vmimage.subr: pkg autoremove after pkg install"
This reverts commit 6a13aeac3c1f98db7cf156f24a4d6bc8d3c321f6.
The "bogus dependencies being installed" issue was traced down to pkg
confusion surrounding libclang_rt.asan-i386.so linking to a 32-bit
libgcc_s.so.1, and a more minimal workaround of "install clibs-lib32"
has been applied, so this hack is no longer required.
MFC after: 3 days
Sponsored by: Amazon
EC2: Add clibs-lib32 pkg to small/builder images
The FreeBSD-clang package on amd64 contains libclang_rt.asan-i386.so,
which links to the 32-bit version of libgcc_s.so.1. It is not clear
if that file belongs in FreeBSD-clang or if it should be placed into
a different package.
For unknown reasons, pkg *sometimes* recognizes this and decides that
it needs to install a package to supply libgcc_s.so.1:32.
In particular, when we initially install the VM with 'pkg install
[long list of FreeBSD-* packages]', pkg does not recognize that it
wants this; but the *next* time 'pkg install' runs, it decides that
it needs libgcc_s.so.1:32 -- even though that particular library is
not needed by the particular package we're trying to install -- and
goes looking for it... and ends up picking gcc12-devel as a provider.
Later in the EC2 image building process, we run 'pkg autoremove' (which
was added during 15.0 to get rid of the "bogus dependencies" which were
[19 lines not shown]
tunefs: Don't combine GEOM journaling with SU
GEOM journaling shouldn't be used at the same time as soft updates, so
don't enable one if the other is already in use.
MFC after: 1 week
PR: 293896
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D56002
kernel: Be clearer about what ZSTDIO is for
ZSTDIO is not just for core dumps, and it is now required by ZFS, so
move it (and GZIO, which is still just for dumps) to a new “Compression
support” section in GENERIC, and add them both to MINIMAL.
MFC after: 1 week
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D55940
newfs: Don't combine GEOM journaling with SU
GEOM journaling shouldn't be used at the same time as soft updates, so
don't enable soft updates if GEOM journaling has been requested, and
error out if both are explicitly requested.
MFC after: 1 week
PR: 293896
Reviewed by: mckusick
Differential Revision: https://reviews.freebsd.org/D55999
alloca.3: Add entry about defining VLAs in same block as alloca() to BUGS
Refer to alloca() as a (builtin) function or macro, as it could be
defined as either depending on the compiler.
Paragraph about bug comes from Darwin's libc, and example added to
illustrate it.
Reviewed by: bnovkov
Approved by: bnovkov
MFC after: 3 days
Obtained from: https://github.com/apple-oss-distributions/libc (partially)
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D55370
(cherry picked from commit 4da237aee328f368cd85b659854c4556a39f15ef)
acpi.4: Update sysctl descriptions for new stypes
The previous S1-S5 options are still accepted for compatibility, but
they are now deprecated in favour of the new generic sleep types.
Reported by: markj
Reviewed by: markj
Approved by: markj
Fixes: 97d152698f48 ("acpi: Use sleep types defined in sys/power.h")
Event: AsiaBSDCon 2026
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56008
acpi: Print sysctl name in deprecated sleep type warning
Reported by: markj
Fixes: 97d152698f48 ("acpi: Use sleep types defined in sys/power.h")
Event: AsiaBSDCon 2026
Sponsored by: The FreeBSD Foundation
amd64: remove assertion about sizeof(struct pcb)
We no longer put pcb on stack, it is part of the struct thread.
Similarly, we do not put user fpu save area on stack. There is no
constraints on the pcb size due to the XSAVE area required alignment.
Reviewed by: jhb, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D55931
amd64: check that %cs and %ss values from ucontext fit into registers
This change only checks that the values from the user-supplied context
are not truncated by C implicit type convertions. The validity of the
segment selectors is still checked by hardware.
Reviewed by: jhb, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D55861
amd64: move code to check for traps with interrupts disabled into helpers
Reviewed by: jhb, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D55809
x86 FRED: add hardware definitions for the trap frames fields
as provided by the Intel document 346446-009 AKA FRED 8.0 and SDM v90,
February 2026.
Note that the layout of the struct trapframe does not change with
FRED. The differences are in addition of two fields at the end of the
structure. Other members are carved from existing tf_cs and tf_ss by
limiting hw-written segments to 16 bits officially, and reusing rest
from the doubleword for the new data.
Reviewed by: jhb, markj
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D55831
Revert "libcrypto: compile all PIC objects with -DOPENSSL_PIC"
This commit broke the build with some build options.
Some validation needs to be done to confirm that moving the preprocessor
argument to `secure/lib/libcrypto/Makefile.inc` works without breaking
the build, but revert for now until a `tinderbox` run can be done with
the change.
PR: 293934
Reported by: Jenkins, Trond Endrestøl
This reverts commit 14b9955e57cc28b61e785165b9effcbe620edb46.
