FreeBSD/src fc9369a sys/compat/linuxkpi/common/src linux_80211.c

LinuxKPI: 802.11: do not leak BA sessions when tearing down state

In certain cases we may tear down state of a node with 'ongoing'
BA sessions.  This can trigger a firmware crash with iwlwifi as
reported in [1] when trying to remove the sta from the firmware.

   0x2010303A | ADVANCED_SYSASSERT
   ..
   0x00000000 | umac data1 (sta id=0)
   ..
   0x0088030C | last host cmd (STA_RM)

[1] https://lists.freebsd.org/archives/freebsd-wireless/2025-November/003901.html

I hit the same problem while running regression tests after
reworking some LinuxKPI 802.11 sta state machine bits.

Add the missing calls to lkpi_sta_run_to_assoc() and lkpi_sta_run_to_init()
to make sure (through net80211) we call (*ampdu_action) with

    [10 lines not shown]
Delta    File
+22 -0   sys/compat/linuxkpi/common/src/linux_80211.c
+22 -0   1 files

FreeBSD/src 5153ca3 sys/kern vfs_mount.c

vfs_mount.c: Don't call VFS_MOUNT() if only exports are being updated

PR#293198 reports a hang within ZFS when exports
are being updated concurrently with a VOP_SETEXTATTR().
The hang appears to be caused by mishandling of the
z_teardown_lock, but fixing handling of this lock appears
to be a major effort. Since the hang occurs when
VFS_MOUNT() acquires a write/exclusive z_teardown_lock,
which rarely occurs, except when exports are being updated,
this patch avoids the VFS_MOUNT() call for this case.

Avoiding a VFS_MOUNT() call fixes the hang for the case
reported by PR#293198 and is also an optimization.
As such, this patch avoids the VFS_MOUNT() call when only exports
are being updated similar to what was already being done
within vnet prisons.

PR:     293198

(cherry picked from commit 935cf3284f520c90a63baaadb762caaa30084f5c)
Delta    File
+31 -21  sys/kern/vfs_mount.c
+31 -21  1 files

FreeBSD/src a4e3090 sys/arm64/qoriq qoriq_dw_pci.c

qoriq: fix spelling in device_set_desc()

The product series is called NXP QorIQ Layerscape.  Remove the extra 'e'.

MFC after:      3 days
Reviewed by:    mmel, emaste
Differential Revision: https://reviews.freebsd.org/D55388
Delta    File
+1 -1    sys/arm64/qoriq/qoriq_dw_pci.c
+1 -1    1 files

FreeBSD/src 5edf24a sys/ofed/include/rdma ib_verbs.h

ofed: reduce usage of struct dma_attrs *dma_attrs

ib_verbs.h still uses struct dma_attrs *dma_attrs everywhere.
It is beyond my knowledge when that struct got deprecated upstream but
it is still supported by our LinuxKPI.  The problem is that the
functions called with that argument (dma_map_single_attrs,
dma_unmap_single_attrs, dma_map_sg_attrs, dma_unmap_sg_attrs) so far
are #defines in LinuxKPI and drop the last argument (attrs) so it was
never a problem.

In preparation to pass the attrs to the actual implementation in LinuxKPI,
which has gained support for them, we now pass dma_attrs->flags which
is the expected unsigned long bit field.

If anyone has serious interest in updating our ofed implementation they
could look into this some more and remove the usage of struct dma_attrs
entirely.

Sponsored by:   The FreeBSD Foundation

    [3 lines not shown]
Delta    File
+4 -4    sys/ofed/include/rdma/ib_verbs.h
+4 -4    1 files

FreeBSD/src aabd524 sys/dev/ahci ahci_pci.c

ahci: Restrict NVMe redirection by BAR size

Attempts to access vendor-specific registers on emulator of older
Intel hardware were reported to confuse one.  Since the redirection
obviously requires BAR size bigger than normal 2KB of AHCI, add
the condition, similar to what Linux is doing.

Requested by:   kib
MFC after:      2 weeks

(cherry picked from commit b9d3945831fc7a60f2065c7a0afc747dc5653c9f)
Delta    File
+2 -1    sys/dev/ahci/ahci_pci.c
+2 -1    1 files

FreeBSD/src 56a6305 sys/dev/ahci ahci_pci.c

ahci: Restrict NVMe redirection by BAR size

Attempts to access vendor-specific registers on emulator of older
Intel hardware were reported to confuse one.  Since the redirection
obviously requires BAR size bigger than normal 2KB of AHCI, add
the condition, similar to what Linux is doing.

Requested by:   kib
MFC after:      2 weeks

(cherry picked from commit b9d3945831fc7a60f2065c7a0afc747dc5653c9f)
Delta    File
+2 -1    sys/dev/ahci/ahci_pci.c
+2 -1    1 files

FreeBSD/src 0c075db tools/build stddef.h

tools/build/stddef.h: fix stock clang/gcc headers

Both clang and gcc's stddef.h are designed to be included multiple times
with different combinations of __need_* macros defined (e.g.
__need_size_t). Remove the #pragma once to accommodate this, ptraddr_t
is guarded by _PTRADDR_T_DECLARED anyways.

Also use __SIZE_TYPE__ instead of size_t since it's not guaranteed to be
defined.

Reviewed by:    brooks, imp, kib
Differential Revision:  https://reviews.freebsd.org/D55453
Delta    File
+12 -2   tools/build/stddef.h
+12 -2   1 files

FreeBSD/src 0fd91c4 usr.sbin/bsdinstall/scripts bootconfig

bsdinstall: fix EFI boot entry creation

update_uefi_bootentry assumes that the caller sets FREEBSD_BOOTNAME and
mntpt, which isn't the case anymore. The result is that there is no
"FreeBSD" boot entry created/updated after install. Most machines manage
to boot from the removable media path (if the loader is installed there
too), but some don't.

Take the loader's path as an argument and rename the variable used in
the ZFS mirror loop so mntpt can be reused below.

Also mark nentries as a local variable so it doesn't leak out of the
function.

PR:             293385
Fixes:          494de51bc0074472d1b01604f085daea0844f240
MFC after:      2 days
Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55469
Delta    File
+14 -11  usr.sbin/bsdinstall/scripts/bootconfig
+14 -11  1 files

FreeBSD/src fac9ae3 usr.sbin/efibootmgr efibootmgr.8

efibootmgr.8: capitalize examples section header

MFC after:      3 days
Delta    File
+1 -1    usr.sbin/efibootmgr/efibootmgr.8
+1 -1    1 files

FreeBSD/src 591127b sys/dev/acpica acpivar.h

acpi: Use __BUS_ACCESSOR_DEFAULT and __BUS_ACCESSOR for IVARs

- Use __BUS_ACCESSOR_DEFAULT for the global handle IVAR to preserve
  existing behavior for acpi_get_handle.

- Use __BUS_ACCESSOR for the private ACPI IVARs as these are only used
  with direct children of acpi0.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55355
Delta    File
+4 -25   sys/dev/acpica/acpivar.h
+4 -25   1 files

FreeBSD/src 0bb867e sys/dev/acpica acpivar.h acpi.c, sys/isa isavar.h

acpi: Split ACPI IVARs into global and private sets

ACPI_IVAR_HANDLE is the only true "global" IVAR that can be used
across multiple bus drivers.  The other IVARs are private to direct
children of acpi0.  However, they need to be numbered after ISA IVARs
as ACPI mimics an ISA bus device.  To ensure this remains true, add an
ISA_IVAR_LAST to use in assert that the private ACPI IVARs do not
overlap with ISA IVARs.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55354
Delta    File
+3 -3    sys/dev/acpica/acpivar.h
+3 -0    sys/dev/acpica/acpi.c
+2 -1    sys/isa/isavar.h
+8 -4    3 files

FreeBSD/src b937f9b sys/sys bus.h

bus: Add __BUS_ACCESSOR_DEFAULT

This macro is similar to __BUS_ACCESSOR in that it creates three
helper routines for an ivar, but the "get" wrapper returns a default
value if BUS_READ_IVAR does not return a value.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55353
Delta    File
+32 -14  sys/sys/bus.h
+32 -14  1 files

FreeBSD/src cb5a0eb sys/sys bus.h

bus: Add a new IVAR accessor to check for the existence of an IVAR

<varp>_has_<var> returns true if the given IVAR can be read.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55352
Delta    File
+11 -0   sys/sys/bus.h
+11 -0   1 files

FreeBSD/src 82b293e sys/dev/sdio sdiob.h

sdiob: Forward-declare struct sdio_func

Currently this happens as a side effect of the return type of
sdio_get_function() in the expansion of __BUS_ACCESSOR, but this is
fragile and can break if __BUS_ACCESSOR changes to define other
functions first.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D55351
Delta    File
+2 -0    sys/dev/sdio/sdiob.h
+2 -0    1 files

FreeBSD/src 8d3f41d sys/crypto/ccp ccp_hardware.h, sys/modules/ccp Makefile

ccp: Don't name anonymous structure and union types

Keep the dword labels as comments instead.  Anonymous structs and
unions don't have type names in C11+.

Differential Revision:  https://reviews.freebsd.org/D55144
Delta    File
+5 -5    sys/crypto/ccp/ccp_hardware.h
+0 -3    sys/modules/ccp/Makefile
+5 -8    2 files

FreeBSD/src 5faceb8 sys/sys cdefs.h

__builtin_align_down: Cast value to __uintptr_t in the fallback

This matches the behavior of the fallbacks for __builtin_align_up
and __builtin_is_aligned.

Reviewed by:    arichardson, ngie, kib
Differential Revision:  https://reviews.freebsd.org/D55161
Delta    File
+1 -1    sys/sys/cdefs.h
+1 -1    1 files

FreeBSD/src 9063968 sys/netinet/tcp_stacks rack.c

Mitigate a case where TCP rack can send an extra ack.

Rack will in theory send an extra rate limited ack when we get to a closing state (sending a FIN) so that
if we have only 1 packet outstanding we might encourage the connection to close out. However it does this
always which is not always wise. Change it so that it only does that if it's been more than an srtt since
we have had some activity i.e. a send or a receive of a packet.

Reviewed by:    tuexen, rscheff
Differential Revision: https://reviews.freebsd.org/D55459
Delta    File
+11 -2   sys/netinet/tcp_stacks/rack.c
+11 -2   1 files

FreeBSD/src 9d3e842 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta    File
+8 -0    UPDATING
+1 -1    sys/conf/newvers.sh
+9 -1    2 files

FreeBSD/src c2e2bfb sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
(cherry picked from commit 8b476ffc4ea3f82f758714fee0289209bc980782)
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src 8b476ff sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src 7465d0b sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Approved by:    re (cperciva)
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
(cherry picked from commit 1eb2beb3686c50a870ed7688f753f89dd0f0ab3e)
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src 1eb2beb sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src df93237 sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src f3be7df sys/net rtsock.c

rtsock: Fix stack overflow

Approved by:    so
Security:       FreeBSD-SA-26:05.route
Security:       CVE-2026-3038
Fixes:          92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")
Delta    File
+2 -2    sys/net/rtsock.c
+2 -2    1 files

FreeBSD/src 24c5517 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta    File
+8 -0    UPDATING
+1 -1    sys/conf/newvers.sh
+9 -1    2 files

FreeBSD/src 0ff08b8 sys/sys elf_common.h

elf_common.h: Sort SHT_ entries

Reviewed by:    jrtc27
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D55488
Delta    File
+3 -2    sys/sys/elf_common.h
+3 -2    1 files

FreeBSD/src d7d4da9 usr.sbin/bhyve iov.c

bhyve: Fix truncate_iov()

The implementation was simply wrong.  It would always just return the
first entry in the iovec, even if the requested length is larger than
that first entry.

Note, this function will be removed soon, see D53468.

Reported by:    Vinod p n <vinod272 at gmail.com>
Reviewed by:    des, emaste, Hans Rosenfeld <rosenfeld at grumpf.hope-2000.org>
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D55438
Delta    File
+5 -10   usr.sbin/bhyve/iov.c
+5 -10   1 files

FreeBSD/src f4f9054 sbin/camcontrol camcontrol.c

camcontrol: Print 'transport revision'

As described in Serial ATA Revision 3.5a

Reviewed by:    mav
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2044
DeltaFile
+29-0sbin/camcontrol/camcontrol.c
+29-01 files

FreeBSD/src 9ed56cd usr.sbin/ngctl ngctl.8

ngctl.8: fix incorrect synopsis

Tiny manpage bug I caused in D50241
I left a line in the manpage that shouldn't be there.

MFC after:      3 days
Fixes:          72d01e62b082 ("netgraph: teach ngctl to attach and run itself in a jail")
Reviewed by:    des, markj
Differential Revision:  https://reviews.freebsd.org/D55485
Delta    File
+0 -1    usr.sbin/ngctl/ngctl.8
+0 -1    1 files

FreeBSD/src 6c4777c usr.sbin/ngctl main.c

ngctl: Fix getline loop

I misremembered when I wrote this code: getline() returns -1 on EOF, not
zero, so the loop condition and the error check are both incorrect
(though in practice getline() will never return 0).

MFC after:      3 days
Fixes:          3cbdcabf714d ("ngctl: Modernize code somewhat")
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D55487
Delta    File
+2 -2    usr.sbin/ngctl/main.c
+2 -2    1 files