FreeBSD/src 5ba2b4fsys/kern kern_jail.c

jail: prevent a race between jail_attach in different threads

Attaching to a jail changes its root directory and its process
credentials. These operations both require unlocking the jail, and also
need allprison_lock unlocked. That means that if two threads are trying
to attach to different jails at the same time, it's possible for the
process to end up with one jail's root directory but the other jail's
credentials.

Solve this by forcing the process into single-threaded mode during
system calls that attach to a jail (jail_attach, jail_attach_jd, and
sometimes jail_set).

Reviewed by:    kib, markj
Differential Revision:  https://reviews.freebsd.org/D57858

(cherry picked from commit d4e0f4dab2d7f4de46bb79db1ca7e6e8a2e34746)
DeltaFile
+67-20sys/kern/kern_jail.c
+67-201 files

FreeBSD/src 530ee29sys/kern kern_jail.c

jail: clean up locking around do_jail_attach

jail_attach_jd passed PD_DEREF to do_jail_attach, assuming it would take
care of freeing the held prison. This is not true, as do_jail_attach
immediately cleared that flag, leaving the jail stock in dying state
when it is later removed.

Reported by:    markj
Reviewed by:    markj
Differential Revision:  <https://reviews.freebsd.org/D57674>

(cherry picked from commit 3584cde63e416d150214192721cead4b735ca0b5)
DeltaFile
+38-19sys/kern/kern_jail.c
+38-191 files

FreeBSD/src 4efbcf3lib/libc/locale localeconv.c

libc locale/localeconv.c: use release semantic when clearing locale_changed

PR:     296410
Submitted by:   Tomas Vondra <tomas at vondra.me>
MFC after:      1 week
DeltaFile
+2-2lib/libc/locale/localeconv.c
+2-21 files

FreeBSD/src 334c8basys/kern kern_jail.c

jail: call PR_METHOD_ATTACH again (with old jail) if the first call fails

jail_attach lets modules do attachment-specific work by calling
osd_jail_call(PR_METHOD_ATTACH).  If one of the modules returns an
error, the call needs to be repeated with the thread's current prison,
so possible earlier modules and undo any changes they may have made.

(cherry picked from commit e91e8ebefadcce9d57c8ff945ff70050cbbe1ce1)
DeltaFile
+6-6sys/kern/kern_jail.c
+6-61 files

FreeBSD/src a4df9e3sys/kern kern_jail.c, tests/sys/kern jail_thread.c Makefile

jail: prevent a race between jail_attach in different threads

Attaching to a jail changes its root directory and its process
credentials. These operations both require unlocking the jail, and also
need allprison_lock unlocked. That means that if two threads are trying
to attach to different jails at the same time, it's possible for the
process to end up with one jail's root directory but the other jail's
credentials.

Solve this by forcing the process into single-threaded mode during
system calls that attach to a jail (jail_attach, jail_attach_jd, and
sometimes jail_set).

Reviewed by:    kib, markj
Differential Revision:  https://reviews.freebsd.org/D57858

(cherry picked from commit d4e0f4dab2d7f4de46bb79db1ca7e6e8a2e34746)
DeltaFile
+231-0tests/sys/kern/jail_thread.c
+61-11sys/kern/kern_jail.c
+2-0tests/sys/kern/Makefile
+294-113 files

FreeBSD/src aca9811usr.sbin/jail config.c

jail: prevent a null derefence on array parameter assignment

The same variable was used as a counter for an inner and out loop.
Add a new one for the inner loop.

PR:             283934
Reported by:    crest at rlwinm.de

(cherry picked from commit 6d9bc46cd7fc48ece597162d3ca413fc9d67b5f0)
DeltaFile
+4-3usr.sbin/jail/config.c
+4-31 files

FreeBSD/src cb0b277usr.sbin/jail config.c

jail: prevent a null derefence on array parameter assignment

The same variable was used as a counter for an inner and out loop.
Add a new one for the inner loop.

PR:             283934
Reported by:    crest at rlwinm.de

(cherry picked from commit 6d9bc46cd7fc48ece597162d3ca413fc9d67b5f0)
DeltaFile
+4-3usr.sbin/jail/config.c
+4-31 files

FreeBSD/src fe6677esys/fs/nfs nfsclstate.h, sys/fs/nfsclient nfs_clstate.c

nfs_clstate.c: Fix handling of delegation upgrades

Commit 016570c4463d modified the client to handle
the upgrade of a read delegation to a write delegation,
where the server provides the same delegation stateid
to the client.  However, it failed to check if the
delegation structure was currently in use.  Without this
patch, if the structure was in use, a use after free
could occur.

This patch handles the "in use" case by copying the
necessary fields into the current/old structure and
free's the new one instead of the old one that is
"in use".

PR:     296224
MFC after:      2 weeks
DeltaFile
+36-9sys/fs/nfsclient/nfs_clstate.c
+4-2sys/fs/nfs/nfsclstate.h
+40-112 files

FreeBSD/src b2ee6besys/dev/sound sndstat.c

sound: Use sx_assert instead of KASSERT(sx_xlocked())

It's redundant.

Sponsored by:   The FreeBSD Foundation
MFC after:      1 week

(cherry picked from commit 72acd1720af365e6fd186cc1706994d72c43650a)
DeltaFile
+1-2sys/dev/sound/sndstat.c
+1-21 files

FreeBSD/src fdaee44sys/dev/sound dummy.c

snd_dummy: advance pointers for both channels

Previously only the play pointer advanced each tick; the record channel
refilled the whole buffer with silence and left the DMA pointer at 0.
Advance the record pointer by one block per tick and fill that block
with silence, so the DMA pointer changes and mmap kqueue consumers can
track progress.

MFC after:      1 week
Reviewed by:    christos
Differential Revision:  https://reviews.freebsd.org/D57834

(cherry picked from commit 968e748c439a50ad0a1a4463f4753f58a2bdaf9f)
DeltaFile
+3-4sys/dev/sound/dummy.c
+3-41 files

FreeBSD/src b77f6aesys/conf kern.pre.mk, sys/contrib/openzfs/include/os/freebsd/spl/sys simd_x86.h

Revert "zfs: Wire sha512 offload to the build"

This reverts commit cd61eb4f6681b13d98b6a7be252500ad30f05f74.

Some people report module load failure due to undefined symbol.
I don't have those problems myself, so it might be a question of
full rebuild.  But I don't have time right now, so just revert.
DeltaFile
+0-14sys/contrib/openzfs/include/os/freebsd/spl/sys/simd_x86.h
+2-1sys/conf/kern.pre.mk
+1-1sys/contrib/openzfs/module/Makefile.bsd
+1-1sys/modules/zfs/Makefile
+4-174 files

FreeBSD/src bcb471csys/sys systm.h

sys/systm.h: include sys/limits.h for SSIZE_MAX

This makes the header more self-contained.
The symbol is needed only on 32bit arches, but the include file is
provided unconditionally to make the namespace population predictable.

PR:     296489
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
DeltaFile
+1-0sys/sys/systm.h
+1-01 files

FreeBSD/src 830f690sys/dev/iwn if_iwn.c

iwn: assign sequence number to raw transmit frames

This fixes associating to various APs.

It worked fine to a FreeBSD AP (which is a wholly separate problem
I'm going to need to dive into) but not to my tplink AX1800 Wifi-6
router.

PR: kern/296503

Locally tested:

* STA: Intel Centrino Advanced-N 6205 (iwn), Lenovo T420
* AP: TP-Link AX1800 wifi-6 router
DeltaFile
+4-0sys/dev/iwn/if_iwn.c
+4-01 files

FreeBSD/src 0dbd497tests/sys/net if_wg.sh

tests/if_wg: Let wg_vnet_parent_routing run in a VNET jail

MFC after:      1 week
DeltaFile
+2-0tests/sys/net/if_wg.sh
+2-01 files

FreeBSD/src 81cf9a0tests/sys/kern aslr.c

tests/aslr: Fix spurious test failures

/sbin/ping and /sbin/ping6 are hard-linked, and the vmmap sysctl handler
doesn't know which name was used to launch the process.

PR:             296116
MFC after:      3 days
Fixes:          080a4087014e ("tests: Fix race condition in aslr_setuid")
DeltaFile
+16-4tests/sys/kern/aslr.c
+16-41 files

FreeBSD/src 2de20c5sys/fs/autofs autofs_vnops.c

autofs: enable witness for autofs node lock

Previously, an_vnode_lock was initialized with SX_NOWITNESS to silence
lock order reversals. The reversals would occur when autofs_node_vn()
was called with the directory vnode lock held, then lock an_vnode_lock,
then lock the vnode attached to the autofs node. It looked like:

    directory vnode -> an_vnode_lock -> vnode attached to autofs node

The established lock order is now vnode -> an_vnode_lock

Currently, we don't have to worry about losing an autofs node during the
unlock/lock as autofs nodes are only removed during an unmount() after
vflush(). When autofs_node_vn() is called, the mountpoint has either
been busied (preventing unmount) or a directory vnode is locked which
prevents vflush() from finishing until the directory vnode is unlocked.

Reviewed by:    kib
Differential Revision:  https://reviews.freebsd.org/D57857
DeltaFile
+18-26sys/fs/autofs/autofs_vnops.c
+18-261 files

FreeBSD/src e89a398share/misc committers-ports.dot

Add myself as ports committer, update mentor/mentee

This completes step 5 from Committer's Guide.

Approved by:            jbo (mentor)
Differential Revision:  https://reviews.freebsd.org/D57934
DeltaFile
+3-0share/misc/committers-ports.dot
+3-01 files

FreeBSD/src ee1c3d3sys/fs/fuse fuse_io.c fuse_vnops.c, tests/sys/fs/fusefs misc.cc ext2-misc.sh

fusefs: fix vnode locking violations during execve

Fix two locking violations that could happen during execve, while
executing a file stored on fusefs.  Both would cause panics on an
INVARIANTS kernel after 15.0, or a DEBUG_VFS_LOCKS kernel prior to that.
Neither is likely to be noticeable on a release kernel.

* Don't assume that the vnode is exclusively locked during VOP_CLOSE.
  It usually is thanks to !MNTK_LOOKUP_SHARED, but isn't during execve,
  which locks the vnode outside of the lookup path.

* Totally rewrite fuse_io_invalbuf.  It's had a number of problems ever
  since its original introduction[^1]:

  - Don't assume that the vnode is exclusively locked.  That assumption
    failed during execve just like the assumption in fuse_vnop_close.

  - Don't livelock forever if vinvalbuf returns ENOSPC or EDQUOT.


    [20 lines not shown]
DeltaFile
+304-0tests/sys/fs/fusefs/misc.cc
+55-0tests/sys/fs/fusefs/ext2-misc.sh
+2-47sys/fs/fuse/fuse_io.c
+22-5sys/fs/fuse/fuse_vnops.c
+2-1tests/sys/fs/fusefs/utils.cc
+0-2sys/fs/fuse/fuse_node.h
+385-552 files not shown
+388-568 files

FreeBSD/src 7e0df6asys/x86/cpufreq hwpstate_amd.c

hwpstate_amd(4): Use new cpu_get_pcpuid(), constify related variables

Also, add a check in the attach method that a per-CPU structure is
provided by the bus.  This allows to remove such checks in multiple
functions.  The check cannot currently fail as all x86 CPU drivers
(ACPI, legacy) provide the CPU_IVAR_PCPU instance variable, but it is
safer to have it, especially as an example to other driver writers.

Event:          Halifax Hackathon 202606
Location:       Seat 25A in AF0349, before leaving Montréal-Trudeau
Sponsored by:   The FreeBSD Foundation
DeltaFile
+45-47sys/x86/cpufreq/hwpstate_amd.c
+45-471 files

FreeBSD/src 74e43f6sys/x86/cpufreq hwpstate_intel.c

hwpstate_intel(4): Use new cpu_get_pcpuid(), constify related variables

Also, add a check in the attach method that a per-CPU structure is
provided by the bus.  This allows to remove such checks in multiple
functions.  The check cannot currently fail as all x86 CPU drivers
(ACPI, legacy) provide the CPU_IVAR_PCPU instance variable, but it is
safer to have it, especially as an example to other driver writers.

Event:          Halifax Hackathon 202606
Location:       Seat 36K in AC667, still waiting for a gate at Montréal-Trudeau
Sponsored by:   The FreeBSD Foundation
DeltaFile
+31-54sys/x86/cpufreq/hwpstate_intel.c
+31-541 files

FreeBSD/src c3c8f4dsys/sys cpu.h

cpu: New cpu_get_pcpuid(), retrieves internal CPU ID

It is a handy shortcut that will be used extensively in
hwpstate_intel(4) and hwpstate_amd(4).

Warn users that it panics if the parent bus does not provide the
CPU_IVAR_PCPU instance variable.  That condition should be tested by
callers (doing so once is enough).  Suggest to do that in driver's
attach method.

Reviewed by:    jhb (code)
Event:          Halifax Hackathon 202606
Location:       Seat 36K in AC667, waiting for a gate at Montréal-Trudeau
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D57897
DeltaFile
+11-0sys/sys/cpu.h
+11-01 files

FreeBSD/src 465a3b7sys/conf newvers.sh

newvers.sh: Avoid spurious -dirty in git revision

If git is installed and .git exists but git rev-parse failed to report a
hash we previously produced just "-dirty" as the git revision.  Gate the
git commit count and -dirty check on the rev-parse passing.

Reviewed by:    jlduran
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57995
DeltaFile
+15-13sys/conf/newvers.sh
+15-131 files

FreeBSD/src c9d98c0sys/netlink netlink_snl.h

netlink: add const variants of NLA iteration macros

Add const-qualified versions of the NLA iteration helpers to allow
walking immutable netlink attribute buffers without discarding const
qualifiers.

This introduces NLA_NEXT_CONST(), _NLA_END_CONST(), and
NLA_FOREACH_CONST() in netlink_snl.h.

Signed-off-by: Ishan Agrawal <iagrawal9990 at gmail.com>
Sponsored-by : Google LLC (GSoC 2026)
DeltaFile
+12-0sys/netlink/netlink_snl.h
+12-01 files

FreeBSD/src c041b82sys/ufs/ffs ffs_vfsops.c

ffs: do not return ESTALE on attempt to ffs_unotovp() on unlinked inode

The consequences are:
- for nfs exports and fhopen(2), unlinked but still referenced inodes
  are accessible
- for ffs_vput_pair() with unlock_vp = false, spurious ESTALE is not
  returned when the inode is still alive but unlinked

Note that tmpfs does not return ESTALE for the unlinked nodes.
The same behavior is claimed for Linux in
https://github.com/openzfs/zfs/issues/18699

Reviewed by:    rmacklem
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D57982
DeltaFile
+1-1sys/ufs/ffs/ffs_vfsops.c
+1-11 files

FreeBSD/src 0cff90fsys/kern vfs_default.c, sys/sys vnode.h

VOP_VPUT_PAIR(): handle the case when dvp == vp

(cherry picked from commit be9295deedd1e837ee3645583d07e1dffbe1ead0)
DeltaFile
+23-5sys/kern/vfs_default.c
+11-7sys/ufs/ffs/ffs_vnops.c
+1-0sys/sys/vnode.h
+35-123 files

FreeBSD/src d1b6249sys/dev/acpica acpi.c acpivar.h

acpi: ignore wake button press replayed by firmware on resume

Some firmware delivers the power or sleep button press that woke the
system as an ordinary button press (Notify 0x80) shortly after resume,
rather than as the wakeup notification (Notify 0x02) the ACPI
specification requires for a button that is also a wake source.

On affected machines (e.g. the Framework Laptop 12, Intel Raptor Lake-P)
the power button is a control-method device behind the embedded
controller.  The EC latches the key press that woke the system across the
sleep transition and flushes it through its normal _Qxx query path as
soon as it is reinitialized on resume.  The replayed press is
indistinguishable from a genuine one, so the kernel honors it as a fresh
suspend request and the machine suspends again immediately after waking;
it cannot be kept awake with the button.

The event cannot be filtered at its source: it arrives over the same EC
query path that also carries legitimate events (lid, AC, thermal,
battery), so suppressing the drain would lose real notifications.

    [24 lines not shown]
DeltaFile
+43-0sys/dev/acpica/acpi.c
+1-0sys/dev/acpica/acpivar.h
+44-02 files

FreeBSD/src d4e0f4dsys/kern kern_jail.c, tests/sys/kern jail_thread.c Makefile

jail: prevent a race between jail_attach in different threads

Attaching to a jail changes its root directory and its process
credentials. These operations both require unlocking the jail, and also
need allprison_lock unlocked. That means that if two threads are trying
to attach to different jails at the same time, it's possible for the
process to end up with one jail's root directory but the other jail's
credentials.

Solve this by forcing the process into single-threaded mode during
system calls that attach to a jail (jail_attach, jail_attach_jd, and
sometimes jail_set).

Reviewed by:    kib, markj
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D57858
DeltaFile
+231-0tests/sys/kern/jail_thread.c
+61-11sys/kern/kern_jail.c
+2-0tests/sys/kern/Makefile
+294-113 files

FreeBSD/src cd61eb4sys/conf kern.pre.mk, sys/contrib/openzfs/include/os/freebsd/spl/sys simd_x86.h

zfs: Wire sha512 offload to the build

FreeBSD main just got the CPUID_STDEXT4_SHA512 define.

OpenZFS PR #18732
DeltaFile
+14-0sys/contrib/openzfs/include/os/freebsd/spl/sys/simd_x86.h
+1-2sys/conf/kern.pre.mk
+1-1sys/contrib/openzfs/module/Makefile.bsd
+1-1sys/modules/zfs/Makefile
+17-44 files

FreeBSD/src a2545f6share/man/man5 src.conf.5, tools/build/options WITH_CCACHE_BUILD

src.conf(5): Suggest using ccache4

We have separate ports for Ccache 3 and 4.  Suggest both, rather than
only the Ccache 3 port.  Rearrange the text somewhat to avoid an
excessively ragged edge on a standard 80-column terminal.

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D58005
DeltaFile
+8-11share/man/man5/src.conf.5
+7-10tools/build/options/WITH_CCACHE_BUILD
+15-212 files

FreeBSD/src 90130f3contrib/ofed/libirdma irdma_uk.c, sys/dev/irdma irdma_cm.c irdma_utils.c

irdma(4): update irdma to version 1.3.56-k

Update Intel irdma driver to version 1.3.56-k

Notable changes:
- adding E830 support
- adding E835 support

Signed-off-by: Sobczak, Bartosz <bartosz.sobczak at intel.com>

Reviewed by:    Andrew Zhu <anzhu at netapp.com>
Tested by:      Mateusz Moga <mateusz.moga at intel.com>
Sponsored by:   Intel Corporation
Differential Revision:  https://reviews.freebsd.org/D55479

(cherry picked from commit 5b7aa6c7bc9db19e8bd34a5b7892fb5df2a3068b)
DeltaFile
+359-134sys/dev/irdma/irdma_cm.c
+260-116sys/dev/irdma/irdma_utils.c
+240-63sys/dev/irdma/irdma_kcompat.c
+122-151sys/dev/irdma/irdma_ctrl.c
+149-113contrib/ofed/libirdma/irdma_uk.c
+147-113sys/dev/irdma/irdma_uk.c
+1,277-69031 files not shown
+2,236-1,24537 files