FreshBSD

Add SECURITY section to loader(8).

Reviewed by:        bcr, jilles, imp (earlier version)
MFC after:        2 weeks
Sponsored by:        DARPA, AFRL
Differential Revision:        https://reviews.freebsd.org/D16700

cd9660 pointer sign issues and missing __packed attribute

The isonum_* functions are defined to take unsigend char* as an argument,
but the structure fields are defined as char. Change to u_char where needed.

Probably the full structure should be changed, but I'm not sure about the
side affects.

While there, add __packed attribute.

Differential Revision:        https://reviews.freebsd.org/D16564

Fix unauthenticated EAPOL-Key decryption vulnerability. [SA-18:11.hostapd]

Approved by:        so

cxgbe(4): Use two hashes instead of a table to keep track of
hashfilters.  Two because the driver needs to look up a hashfilter by
its 4-tuple or tid.

A couple of fixes while here:
- Reject attempts to add duplicate hashfilters.
- Do not assume that any part of the 4-tuple that isn't specified is 0.
  This makes it consistent with all other mandatory parameters that
  already require explicit user input.

MFC after:        2 weeks
Sponsored by:        Chelsio Communications

Revis manual pages. [SA-18:08.tcp]

Fix L1 Terminal Fault (L1TF) kernel information disclosure.
[SA-18:09.l1tf]

Fix resource exhaustion in IP fragment reassembly. [SA-18:10.ip]

Fix unauthenticated EAPOL-Key decryption vulnerability.
[SA-18:11.hostapd]

Approved by:        so

HBSD: Add HARDENEDBSD-MMCCAM arm64 kernel config

Signed-off-by:        Shawn Webb <shawn.webb at hardenedbsd.org>
Sponsored-by:        SoldierX

arm/ralink cleanup

Remove the non-INTRNG code.
Remove left over cut and paste code from the lpc code that was the start for the port.
Set KERNPHYSADDR and KERNVIRTADDR

Tested on Buffalo_WZR2-G300N

Differential Revision: https://reviews.freebsd.org/D16622

    MFC r336203, r336499, r336501-r336502, r336506, r336510, r336512-r336513, r336515, 
r336528-r336531
    
    r336203:
    MFV r324714:
    
    Update wpa 2.5 --> 2.6.
    
    r336499:
    MFV: r336485
    
    Address: hostapd: Avoid key reinstallation in FT handshake
    
    Obtained from:        https://w1.fi/security/2017-1/\
                    rebased-v2.6-0001-hostapd-Avoid-key-\
                    reinstallation-in-FT-handshake.patch
    
    r336501:
    MFV: r336486
    
    Prevent reinstallation of an already in-use group key.
    Upline git commit cb5132bb35698cc0c743e34fe0e845dfc4c3e410.
    
    Obtained from:        https://w1.fi/security/2017-1/\
                    rebased-v2.6-0002-Prevent-reinstallation-\

    [104 lines not shown]

MFC r337520: Fix WITHOUT_LOADER_GELI (gptboot) and isoboot in general

gptboot was broken when r316078 added the LOADER_GELI_SUPPORT #ifdef to
not pass geliargs via __exec.  KARGS_FLAGS_EXTARG must not be used if we're
not going to pass an additional argument to __exec.

PR:                228151

ubldr: Bump heap size, 1MB -> 2MB

1MB was leaving very little margin in some of the worse-case scenarios with
lualoader. 2MB is still low enough that we shouldn't have any problems with
UBoot-supported boards.

Fix several (more) memory leaks.

A follow-up to r337812 to catch a couple more memory leaks that should
have been included in that change.

Reported by:        Coverity
CID:                1296064, 1296067 (for real this time)
MFC after:        3 days
X-MFC-with:        r337812
Sponsored by:        Dell EMC

Help ensure that the copy loop doesn't get converted to a memcpy() call.

Reported and reviewed by: kib
X-MFC with:        r337715
Sponsored by:        The FreeBSD Foundation

    HBSD: back out d138fc7b3d368a10326b6eaf70951c553adc7a4f commit due boot problems
    
    This commit effectively reverts the
    "HBSD MFC r337773: amd64: ensure that curproc->p_vmspace pmap always matches PCPU 
curpmap."
    (d138fc7b3d368a10326b6eaf70951c553adc7a4f) commit.
    
    The observed behaviour was triple-fault.
    
    Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>

    HBSD: do not allow to override init_exec by default from loader when the kernel 
compiled with PAX_HARDENING
    
    MFC-to: 11-STABLE
    Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>
    (cherry picked from commit a45587a750d3da65138eb609cf411b4c5f0b1397)
    Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>

    HBSD: do not allow to override init_exec by default from loader when the kernel 
compiled with PAX_HARDENING
    
    MFC-to: 11-STABLE
    Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>

HBSD MFC r337774: Reserve page at the physical address zero on amd64.

We always zero the invalidated PTE/PDE for superpage, which means that
L1TF CPU vulnerability (CVE-2018-3620) can be only used for reading
from the page at zero.

Note that both i386 and amd64 exclude the page from phys_avail[]
array, so this change is redundant, but I think that phys_avail[] on
UEFI-boot does not need to do that.  Eventually the blacklisting
should be made conditional on CPUs which report that they are not
vulnerable to L1TF.

Reviewed by:        emaste. jhb
Sponsored by:        The FreeBSD Foundation

(cherry picked from commit eda5a2bfbab3159d24ceaa612bf280e5c927e9f8)

Author: kib <kib at FreeBSD.org>
Original-commit-date: Tue Aug 14 17:14:33 2018 +0000
svn-commit-id: /head/ r337774
Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>

MFC r337788:
  Update the inet(4) and inet6(4) man pages to reflect the changes made
  to the reassembly code in r337778, r337780, r337781, r337782, and
  r337783.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337787:
  Lower the default limits on the IPv6 reassembly queue.

  Currently, the limits are quite high. On machines with millions of
  mbuf clusters, the reassembly queue limits can also run into
  the millions. Lower these values.

  Also, try to ensure that no bucket will have a reassembly
  queue larger than approximately 100 items. This limits the cost to
  find the correct reassembly queue when processing an incoming
  fragment.

  Due to the low limits on each bucket's length, increase the size of
  the hash table from 64 to 1024.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337786:
  Lower the default limits on the IPv4 reassembly queue.

  In particular, try to ensure that no bucket will have a reassembly
  queue larger than approximately 100 items. This limits the cost to
  find the correct reassembly queue when processing an incoming
  fragment.

  Due to the low limits on each bucket's length, increase the size of
  the hash table from 64 to 1024.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337784:
  Drop 0-byte IPv6 fragments.

  Currently, we process IPv6 fragments with 0 bytes of payload, add them
  to the reassembly queue, and do not recognize them as duplicating or
  overlapping with adjacent 0-byte fragments. An attacker can exploit this
  to create long fragment queues.

  There is no legitimate reason for a fragment with no payload. However,
  because IPv6 packets with an empty payload are acceptable, allow an
  "atomic" fragment with no payload.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337783:
  Implement a limit on on the number of IPv6 reassembly queues per bucket.

  There is a hashing algorithm which should distribute IPv6 reassembly
  queues across the available buckets in a relatively even way. However,
  if there is a flaw in the hashing algorithm which allows a large number
  of IPv6 fragment reassembly queues to end up in a single bucket, a per-
  bucket limit could help mitigate the performance impact of this flaw.

  Implement such a limit, with a default of twice the maximum number of
  reassembly queues divided by the number of buckets. Recalculate the
  limit any time the maximum number of reassembly queues changes.
  However, allow the user to override the value using a sysctl
  (net.inet6.ip6.maxfragbucketsize).

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337782:
  Add a limit of the number of fragments per IPv6 packet.

  The IPv4 fragment reassembly code supports a limit on the number of
  fragments per packet. The default limit is currently 17 fragments.
  Among other things, this limit serves to limit the number of fragments
  the code must parse when trying to reassembly a packet.

  Add a limit to the IPv6 reassembly code. By default, limit a packet
  to 65 fragments (64 on the queue, plus one final fragment to complete
  the packet). This allows an average fragment size of 1,008 bytes, which
  should be sufficient to hold a fragment. (Recall that the IPv6 minimum
  MTU is 1280 bytes. Therefore, this configuration allows a full-size
  IPv6 packet to be fragmented on a link with the minimum MTU and still
  carry approximately 272 bytes of headers before the fragmented portion
  of the packet.)

  Users can adjust this limit using the net.inet6.ip6.maxfragsperpacket
  sysctl.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

MFC r337781:
 Make the IPv6 fragment limits be global, rather than per-VNET, limits.

 The IPv6 reassembly fragment limit is based on the number of mbuf clusters,
 which are a global resource. However, the limit is currently applied
 on a per-VNET basis. Given enough VNETs (or given sufficient customization
 on enough VNETs), it is possible that the sum of all the VNET fragment
 limits will exceed the number of mbuf clusters available in the system.

 Given the fact that the fragment limits are intended (at least in part) to
 regulate access to a global resource, the IPv6 fragment limit should
 be applied on a global basis.

 Note that it is still possible to disable fragmentation for a particular
 VNET by setting the net.inet6.ip6.maxfragpackets sysctl to 0 for that
 VNET. In addition, it is now possible to disable fragmentation globally
 by setting the net.inet6.ip6.maxfrags sysctl to 0.

Approved by:        so
Security:        FreeBSD-SA-18:10.ip
Security:        CVE-2018-6923

HBSD MFC r337745: MFV r337744: Sync libarchive with vendor..

Vendor changes:
  PR #1042: validate iso9660 directory record length

MFC after:        3 days
Security:        CVE-2017-14501

(cherry picked from commit d7f61560073be7a53d452e813c7a08f72f522b0e)

Author: mm <mm at FreeBSD.org>
Original-commit-date: Tue Aug 14 11:42:32 2018 +0000
svn-commit-id: /head/ r337745
Signed-off-by: Oliver Pinter <oliver.pinter at hardenedbsd.org>

    HBSD MFC r337773: amd64: ensure that curproc->p_vmspace pmap always matches PCPU 
curpmap.
    
    When performing context switch on a machine without PCID, if current
    %cr3 equals to the new pmap %cr3, which is typical for kernel_pmap
    vs. kernel process, I overlooked to update PCPU curpmap value.  Remove
    check for %cr3 not equal to pm_cr3 for doing the update.  It is
    believed that this case cannot happen at all, due to other changes in
    this revision.
    
    Also, do not set the very first curpmap to kernel_pmap, it should be
    vmspace0 pmap instead to match curproc.
    
    Move the common code to activate the initial pmap both on BSP and APs
    into pmap_activate_boot() helper.
    
    Reported by: eadler, ambrisko
    Discussed with: kevans
    Reviewed by:        alc, markj (previous version)
    Tested by: ambrisko (previous version)
    Sponsored by:        The FreeBSD Foundation
    MFC after:        1 week
    Differential revision:        https://reviews.freebsd.org/D16618
    
    (cherry picked from commit bf861eb1969b7dbac16fcb6904b58a86ed1de8d7)

    [5 lines not shown]

Remove cpu_pfr from arm. It's unused.

Remove an old comment now the code it references has been removed.

Fix the spelling of armv4_idcache_inv_all in an END macro.

Use the correct PTE when changing the attribute of multiple pages.

Submitted by:        andrew (long time ago)
Sponsored by:        Rubicon Communications, LLC (Netgate)

Explain why we aren't using memcpy().

Reported by:        jmg
X-MFC with:        r337715
Sponsored by:        The FreeBSD Foundation

MFC r337426:
ifconfig: Fix use of _Noreturn.

Bump the mlx5core, mlx5en(4) and mlx5ib driver version.

This is a direct commit.

Sponsored by:        Mellanox Technologies

MFC r330657:
Use vport rather than physical-port MTU in mlx5en(4).

Set and report vport MTU rather than physical MTU,
The driver will set both vport and physical port mtu
and will rely on the query of vport mtu.

SRIOV VFs have to report their MTU to their vport manager (PF),
and this will allow them to work with any MTU they need
without failing the request.

Also for some cases where the PF is not a port owner, PF can
work with MTU less than the physical port mtu if set physical
port mtu didn't take effect.

Based on Linux upstream commit:
cd255efff9baadd654d6160e52d17ae7c568c9d3

Submitted by:        Meny Yossefi <menyy at mellanox.com>
Sponsored by:        Mellanox Technologies

MFC r325661:
Expose the current hardware MTU in mlx5en(4) as a separate entry
in the sysctl tree.

Sponsored by:        Mellanox Technologies

Enter error state when handling bad device in mlx5core and add checks
for error state to mlx5en(4) to make live migration work.

This is a direct commit.

Sponsored by:        Mellanox Technologies

MFC r336450:
Do not inline transmit headers and use HW VLAN tagging if supported by mlx5en(4).

Query the minimal inline mode supported by the card.
When creating a send queue, cache the queried mode and optimize the transmit
if no inlining is required.  In this case, we can avoid touching the headers
cache line and avoid dirtying several more lines by copying headers into
the send WQEs.  Also, if no inline headers are used, hardware assists in
the VLAN tag framing.

Submitted by:        kib@, slavash@
Sponsored by:        Mellanox Technologies

MFC r336407:
Handle jumbo frames without requiring big clusters in mlx5en(4).

The scatter list is formed by the chunks of MCLBYTES each, and larger
than default packets are returned to the stack as the mbuf chain.

Submitted by:        kib@
Sponsored by:        Mellanox Technologies

Use a macro to set the assoc state. I missed this in r337706.

Remove a set but not used warning showing up in usrsctp.

Restore ability to send ICMP and ICMPv6 redirects.

It was lost when tryforward appeared. Now ip[6]_tryforward will be enabled
only when sending redirects for corresponding IP version is disabled via
sysctl. Otherwise will be used default forwarding function.

PR:                221137
Submitted by:        mckay@
MFC after:        2 weeks

Add library and kernel support for AMD Family 17h counters

NB: lacks default sample rate for most counters

MFC r322325: cat: fix build with -DNO_UDOM_SUPPORT

PR:                230489

Remove the duplicated CSUM_IP6_TCP introduced in r311849 from the TX
checksum capabilities of IGB-class MACs. While at it, fix the line
wrapping.

PR:        230571

Port the mps panic-safe shutdown_final handling to mpr

r330951 by smh fixed the mps driver to avoid deadlocks when panicing.
The same code is needed for mpr, so port it here, along with the fix
which allows the CCBs scheduled to complete avoiding at least a scary
message and likely other unintended consequences.

Sponsored by: Netflix
Differential Review: https://reviews.freebsd.org/D16663

Call xpt_sim_poll in shutdown_final handler.

When we're shutting down, we send a number of start/stop commands to
the known targets. We have to wait for them to complete. During a
panic, the interrupts are off, and using pause to wait for them to
fire and complete won't work: we have to poll after pause returns so
the completion routines of the CCBs run so we decrement work
outstanding counts.

Sponsored by: Netflix
Differential Review: https://reviews.freebsd.org/D16663

Create xpt_sim_poll and refactor a bit using it.

xpt_sim_poll takes the sim to poll as an argument. It will do the
proper locking protocol, call the SIM polling routine, and then call
camisr_runqueue to process completions on any CCBs the SIM's poll
routine completed. It will be used during late shutdown when a SIM is
waiting for CCBs it sent during shutdown to finish and the scheduler
isn't running because we've panic'd.

This sequence was used twice in cam_xpt, so refactor those to use this
new function.

Sponsored by: Netflix
Differential Review: https://reviews.freebsd.org/D16663

Whitespace nit in t4_tom.h

evdev: Remove evdev.ko linkage dependency on kbd driver

Move evdev_ev_kbd_event() helper from evdev to kbd.c as otherwise evdev
unconditionally requires all keyboard and console stuff to be compiled
into the kernel. This dependency happens as evdev_ev_kbd_event() helper
references kbdsw global variable defined in kbd.c through use of
kbdd_ioctl() macro.

While here make all keyboard drivers respect evdev_rcpt_mask while setting
typematic rate and LEDs with evdev interface.

Requested by:        Milan Obuch <bsd at dino.sk>
Reviewed by:        hselasky, gonzo
Differential Revision:        https://reviews.freebsd.org/D16614

evdev: remove soft context from evdev methods parameter list.

Now softc should be retrieved from struct edvev * pointer
with evdev_get_softc() helper.

wmt(4) is a sample of driver that support both KPI.

Reviewed by:        hselasky, gonzo
Differential Revision:        https://reviews.freebsd.org/D16614

[ig4] Fix initialization sequence for newer ig4 chips

Newer chips may require assert/deassert after power down for proper
startup. Check respective flag in DEVIDLE_CTRL and perform operation
if neccesssary.

PR:                221777
Submitted by:        marc.priggemeyer at gmail.com
Obtained from:        DragonFly BSD
Tested on:        Thinkpad T470