FreshBSD

   Start cleaning up tls_decrypt_ticket().

   Rather than returning from multiple places and trying to clean up as we go,
   move to a single exit point and clean/free in one place. Also invert the
   logic that handles NULL sessions - fail early, rather than having an
   indented if test for success.

   ok tb@

   Interpret ENETRESET from ifm_change() as success in ifmedia_ioctl().

   Drivers will return ENETREST if the hardware needs to be reinitialized
   after successfully switching to the new media mode; it's not an error.

   This change fixes unreliable 'ifconfig mode' with some wireless drivers.

   ok phessler@ jmatthew@

   fix some style nits to reduce noise in an upcoming diff

   Improve comment grammar

   Now that all Elf_foo types are correct, we don't need to use Elf32_Word
   anywhere and can use Elf_Word instead.
   ok guenther

   On alpha, the buckets of DT_HASH are 8 bytes instead of 4 bytes.  This was
   previously 'implemented' by having the Elf_Word typedef in <sys/exec_elf.h>
   vary, but that doesn't match the spec and breaks libelf so it's gone away.
   Implement the variation here by defining our own type locally for this.

   ok deraadt@

   pledge "stdio" after opening file and before doing operations
   from Rafael Neves

   Revert enabling VMM_DEBUG which slipped through the previous commit.

   Fixes panic on `vmctl start foo'.

   OK tedu deraadt

   knf, ok bluhm

   #define        ELFROUNDSIZE    4       /* XXX Should it be sizeof(Elf_Word)? */
   Now that alpha is fixed, we can use sizeof().

   The conversion of rdsetroot to -lelf failed on alpha: -lelf thought ELF SHDR
   was 80 bytes in size, rather than 64 as listed in the ELF header.  In Sep 2001
   when ELF was being integrated into the tree, two of the ELF object types (and two
   more via #define) were given different (incorrect) sizes, and hid behind an
   #ifdef __alpha__ all this time.  -lelf constructs the SHDR object by accumulating
   sizes of types, so this was finally exposed.
   A review of the tree shows no other consequences, so we can fix this now.

   When copying the EFI-stored kernel to the correct operating location,
   use memmove.  We don't know whether EFI allocated overlapping memory.

   libsa's memcpy() is actually memmove().  make a proper memmove(), and give
   memcpy() correct behaviour.  This also brings the bcopy() macro into line.

   armv7 RAMDISK is now compiled with -Oz (just to be like other ramdisks),
   so clang's rule about "static inline" comes into play.
   ok patrick

   as discussed with beck, crank dma-range bufcache to a high number
   (he suggested 90 but I prefer 80).  This is so we learn the downside
   from user reports.

   print locked range in decimal in debug routines

   The rip6 checksum errors are accounted per socket.  So the no socket
   errors include these, do not subtract both from delivered.  Avoids
   an underflow in the rip6 delivered counter.
   OK deraadt@ claudio@

   Statistics of "netstat -s -f inet6 -p rip6" did not work.  In
   rip6_sysctl_rip6stat() copy out rip6counters, not ip6counters.
   OK deraadt@ claudio@

   Restore previous section after setting the MIPS ABI marker. This keeps
   the .text section in use after the file header, improving compatibility
   with gcc. Without this change, module-level inline assembly blocks could
   end up into wrong section.

   OK kettenis@ guenther@

   Avoid undefined behaviour that results from negating a signed long with
   minimum value.

   Fixes oss-fuzz #14354.

   ok beck@ bcook@ tb@

   drm/ttm: Fix bo_global and mem_global kfree error

   From Trigger Huang
   b10cc08374728ea79555a1cd98f962b0f942e942 in linux 4.19.y/4.19.36
   30f33126feca0fe16df9e9302ffc28a953e2eb37 in mainline linux

   Move lockf structures from header to implementation since external users
   only need a lockf_state pointer by now.

   ok mpi@ visa@

   Adapt radeondrm_detach_kms() to struct drm_device being split from
   drm softc.

   Avoids uvm_fault() when firmware is missing and radeondrm is forcibly
   detached.  Reported by Mihai Popescu on misc@

   On powerpc, link with -Wl,-relax as clang is a monster and code exceeds the
   maximum reachability of the PowerPC branch instructions.

   Also override NOPIE_FLAGS to avoid building code with -fno-pie as doing so
   is incompatible with secure-plt when using clang as the compiler.

   ok visa@, guenther@

   strongly hint at pkg_info -z   to clone installations from machine to machine

   Start a realpath(2) regress test, currently not enabled.

   This will extend as I add more cases to it. It will come
   into use once an in-kernel version of realpath(2) becomes
   a real thing

   Allocate md_data with calloc to avoid use of uninitialised memory.

   Found by Guido Vranken when fuzzing and trying to use GOST with HMAC.

   Fix confirmed by Guido; ok tb@

   Allocate fixed NIDs for SM3/SM4.

   Add a subsystem lock for vfs_lockf.c. This enables calling lf_advlock()
   and lf_purgelocks() without the kernel lock.

   OK anton@ mpi@

   Work around a limitation of clang integrated assembler on mips64.
   The assembler does not handle undeclared local symbols properly
   and generates R_MIPS_CALL16 relocations where it should generate
   local GOT references. For now, get along with the problem by
   declaring local symbols where necessary.

   OK kettenis@ guenther@

   Prevent clang from using builtins and jump tables in _dl_boot_bind()
   on mips64. They need relocation and consequently cannot be used
   in that function.

   OK kettenis@

   use the common code in if.c to check if txhprio is good.

   no functional change.

   use the factored out txhprio and rxhprio checks

   reduces code duplication and chance for error.

   provide factored out txhprio and rxhprio checks

   l2 and l3 drivers do the same thing all the time, so reduce the
   chance of error by doing the checks once and making it available
   for drivers to call instead of rolling on their own again.

   add rxprio support

   this is modelled on vlan(4) where the packet prio is put in the bpe
   header in tx, and the bpe header prio is put on the packet in rx.

   add rxprio support

   implement rxprio

   Document new default RSA key size.  From sebastiaanlokhorst at gmail.com
   via bz#2997.

   allow configuration of rxprio

   ok claudio@

   add support for configuring rxprio.

   vlan already used the 802.1p prio in packets to set the mbuf prio.
   this maintains that as the default.

   ok claudio@

   rxprio.

   add support for getting and setting rxprio

   this complements txprio and should finish support for RFC 2983

   ok claudio@

   only root can change rxprio

   add SIOCSRXHPRIO and SIOCGRXHPRIO for configuring rx prio handling

   this is the complement of txprio handling, and helps support RFC 2983.

   ok claudio@

   add IF_HDRPRIO_OUTER for rxprio

   IF_HDRPRIO_OUTER says you want the priority from the outer encap header.

   ok claudio@

   describe EIO failure state. noted by Maximilian Lorlacks

   unfold some compound operations to make this easier to follow

   Always check for namespace collisions on table commands

   `-t table -T add|replace ...' would only check for duplicate tables in case
   addresses where actually to the table.

   Instead of using a positive number of added addresses as prove for
   successful table operations, rely on the fact that CREATE_TABLE() is
   guaranteed to be called only if pf(4) can be accessed, that is
   warn_duplicate_tables() will return.

   This improves duplicate detection rate as warnings are now also emitted
   even when table commands eventually leave tables unchanged.

   OK benno sashan

   Fix table definition parsing as unprivileged user

   revision 1.689 introduced warn_duplicate_tables() unconditionally, breaking
   the parser on tables withs insufficient permissions to open pf(4):

        $ echo 'table <t>' | pfctl -nf-
        pfctl: pfr_get_tables: Bad file descriptor

   So simply check whether pfctl is able to get the table list first.  If not,
   instead of silently avoiding namespace collision checks, print a brief
   notice iff `-v' is given to help finding duplicate definitions by hand:

        $ echo 'table <t>' | ./obj/pfctl -vnf-
        table <t>
        stdin:1: skipping duplicate table checks for <t>

   Reported by Rivo Nurges, thanks!
   OK benno sashan

   Add tests for sshd -T -C with Match.