FreeBSD/src a28a651 sys/rpc/rpcsec_gss rpcsec_gss.c

rpcsec_gss.c: Avoid panics in clnt_nl_call()

When rpc_gss_init() calls gssd upcall functions like
gssd_import_name(), clnt_nl_call() gets called.
clnt_nl_call() requires that the current vnet be set up.
The calling sequence looks something like:
rpc_gss_init()->gssd_import_name()->gssd_import_name_1()->
clnt_call_private()->clnt_nl_call()
(The call to rpc_gss_init() can happen from various places,
such as nfs_getauth() and clnt_vc_call().)

rpc_gss_init() does not know what socket is being
used for NFS client->server RPCs and may be called
from various places when any VOP_xxx()->RPC call
is made. As such, the calling thread might be running
within a jail. However, the gssd upcalls for the NFS
client must always be done to the gssd running outside
of any jails.


    [9 lines not shown]
Delta   File
+14 -0  sys/rpc/rpcsec_gss/rpcsec_gss.c
+14 -0  1 files

FreeBSD/src e46c15a sys/netinet tcp_input.c

tcp: fix the test that a duplicate ACK has no data

When processing a TCP segment, data is removed from the head or
the tail. The test whether a segment has no data on it should
depend on the TCP segment before the removal. Without this,
received segments might trigger a fast retransmit even when they
should not.

Reported by:            syzbot+fc97a2b5a0f7ea161161 at syzkaller.appspotmail.com
Reviewed by:            Peter Lei
MFC after:              3 days
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D51425
Delta  File
+5 -4  sys/netinet/tcp_input.c
+5 -4  1 files

FreeBSD/src 42dd8f4 usr.sbin/inetd inetd.conf

inetd.conf: remove -[46] from the ssh entry

sshd doesn't require these flags, and including them makes outgoing
connections (e.g., port forwarding) restricted to the family of the
inbound connection, which is not usually desirable and also not how
standalone sshd works.

MFC after:      3 days
Reviewed by:    kevans
Approved by:    kevans (mentor)
Differential Revision:  https://reviews.freebsd.org/D51296

(cherry picked from commit 6738882248a755aad859784150969085e006cf89)
Delta  File
+2 -2  usr.sbin/inetd/inetd.conf
+2 -2  1 files

FreeBSD/src 2c8c8fe sys/netlink netlink_message_parser.h

nlmsg_report_err_msg: add __printflike annotation

Reviewed by:    kevans, kp
Approved by:    kevans (mentor)
Differential Revision:  https://reviews.freebsd.org/D51234

(cherry picked from commit db55cc8110ceea084c6f52a1ecfd6ab87e0aac2b)
Delta  File
+2 -1  sys/netlink/netlink_message_parser.h
+2 -1  1 files

FreeBSD/src ae3b38b sbin/routed routed.8, sbin/routed/rtquery rtquery.8

deprecate RIP

Per https://wiki.freebsd.org/DeprecationPlan, deprecate RIP in 15.0R,
with the intention of removing it in 16.0R.

Add a note to the manpages of routed(8), rdisc(8), rtquery(8),
route6d(8) and rip6query(8) noting that they will be removed
in a future release.

RIP has been obsolete for over 20 years and no one is running it on
modern networks.  If someone really needs RIP, there are alternatives
such as 'bird' or 'quagga' available from ports; there is no need to
ship it in base.

Relnotes:       yes
Reviewed by:    des
Approved by:    des (mentor)
Differential Revision:  https://reviews.freebsd.org/D50292

(cherry picked from commit 4b7cdb5a420f518fbe1968a6916b6d017f54025d)
Delta   File
+8 -1   sbin/routed/routed.8
+7 -1   usr.sbin/rip6query/rip6query.8
+6 -1   sbin/routed/rtquery/rtquery.8
+6 -1   usr.sbin/route6d/route6d.8
+27 -4  4 files

FreeBSD/src a6693b0 usr.sbin/inetd inetd.conf

inetd.conf: remove -[46] from the ssh entry

sshd doesn't require these flags, and including them makes outgoing
connections (e.g., port forwarding) restricted to the family of the
inbound connection, which is not usually desirable and also not how
standalone sshd works.

MFC after:      3 days
Reviewed by:    kevans
Approved by:    kevans (mentor)
Differential Revision:  https://reviews.freebsd.org/D51296

(cherry picked from commit 6738882248a755aad859784150969085e006cf89)
Delta  File
+2 -2  usr.sbin/inetd/inetd.conf
+2 -2  1 files

FreeBSD/src ecf8894 sys/netlink netlink_message_parser.h

nlmsg_report_err_msg: add __printflike annotation

Reviewed by:    kevans, kp
Approved by:    kevans (mentor)
Differential Revision:  https://reviews.freebsd.org/D51234

(cherry picked from commit db55cc8110ceea084c6f52a1ecfd6ab87e0aac2b)
Delta  File
+2 -1  sys/netlink/netlink_message_parser.h
+2 -1  1 files

FreeBSD/src d350c18 sbin/routed routed.8, sbin/routed/rtquery rtquery.8

deprecate RIP

Per https://wiki.freebsd.org/DeprecationPlan, deprecate RIP in 15.0R,
with the intention of removing it in 16.0R.

Add a note to the manpages of routed(8), rdisc(8), rtquery(8),
route6d(8) and rip6query(8) noting that they will be removed
in a future release.

RIP has been obsolete for over 20 years and no one is running it on
modern networks.  If someone really needs RIP, there are alternatives
such as 'bird' or 'quagga' available from ports; there is no need to
ship it in base.

Relnotes:       yes
Reviewed by:    des
Approved by:    des (mentor)
Differential Revision:  https://reviews.freebsd.org/D50292

(cherry picked from commit 4b7cdb5a420f518fbe1968a6916b6d017f54025d)
Delta   File
+8 -1   sbin/routed/routed.8
+7 -1   usr.sbin/rip6query/rip6query.8
+6 -1   sbin/routed/rtquery/rtquery.8
+6 -1   usr.sbin/route6d/route6d.8
+27 -4  4 files

FreeBSD/src 4be9c6f sys/rpc clnt_rc.c

clnt_rc.c: Fix the case where a TLS handshake fails

When a TLS handshake fails during a NFS-over-TLS
mount attempt, the socket was left around because
it needed to be dereferenced. The dereference was
not happening in clnt_vc_destroy() because ct_closeit
was not set to TRUE.

This patch moves the code that sets ct_closeit to TRUE
up to before the rpctls_connect() call, so that ct_closeit
is set to TRUE if it fails and clnt_vc_destroy() will then
dereference the socket.

Reviewed by:    glebius
Differential Revision:  https://reviews.freebsd.org/D51084
Delta  File
+6 -1  sys/rpc/clnt_rc.c
+6 -1  1 files

FreeBSD/src 0bf113e contrib/tzcode localtime.c

tzcode: Add an explicit "the timezone file has changed" case

This is required for the WITHOUT_DETECT_TZ_CHANGES case, since there the
value being tested is a numeric literal.

Fixes:  d63ffdd1ef63 ("tzcode: Fix time zone change detection.")
Delta  File
+2 -0  contrib/tzcode/localtime.c
+2 -0  1 files

FreeBSD/src fa8db72 libexec/rc rc.conf, sys/dev/random random_harvestq.c randomdev.c

random: Treat writes to /dev/random as separate from /entropy

RANDOM_CACHED is overloaded to refer both to entropy obtained from files
loaded by the boot loader, and entropy obtained via writes to
/dev/random.  Introduce a new source, RANDOM_RANDOMDEV, to refer to the
latter.  This is to enable treating RANDOM_CACHED as a special case in
the NIST health test implementation.

Update the default harvest_mask in rc.conf to include RANDOM_RANDOMDEV,
preserving the old behaviour of accepting writes to /dev/random.

Bump __FreeBSD_version for modules which register a pure source, since
all of their values have now shifted.

Reviewed by:    cem
MFC after:      3 months
Sponsored by:   Stormshield
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D51155
Delta  File
+2 -1  sys/sys/random.h
+2 -1  sys/dev/random/random_harvestq.c
+1 -1  sys/dev/random/randomdev.c
+1 -1  libexec/rc/rc.conf
+6 -4  4 files

FreeBSD/src f92ff79 sys/dev/random random_harvestq.c fortuna.c

random: Add NIST SP 800-90B entropy source health test implementations

This patch implements the noise source health tests described in chapter
four of NIST SP 800-90B[1].  The repetition count test and adaptive
proportion test both help identify cases where a noise source is stuck
and generating the same output too frequently.  The tests are disabled
by default, but making an implementation available may help implementors
conform to FIPS validation requirements.  This implementation aims to
comply with the requirements listed in section 4.3 of the document.

To enable health testing, set the kern.random.nist_healthtest_enabled
tunable to 1.  Startup testing is implemented as specified in the
document: the first 1024 samples from a source are evaluated according
to the two tests, and they are discarded.  The RANDOM_CACHED and
RANDOM_PURE_VMGENID sources are excluded from testing, as they are
effectively a one-time source of entropy, and statistical testing
doesn't seem to provide much use.

Since the first 1024 samples from entropy sources are discarded by the

    [39 lines not shown]
Delta    File
+229 -0  sys/dev/random/random_harvestq.c
+7 -0    sys/dev/random/fortuna.c
+2 -0    sys/dev/random/random_harvestq.h
+238 -0  3 files

FreeBSD/src 3193839 tools/test/stress2/misc fullpath2.sh

stress2/fullpath2: Clean up the vn_fullpath DTrace one-liner

- Remove -w; there is no need for destructive actions here.
- Remove the glob from before "vn_fullpath"; the probe description
  matches vn_fullpath only anyway, so there is no need for the glob
  here.

PR              288222
Reviewed by:    christos
Approved by:    christos (mentor)
Fixes:          113f2f0c76a7 stress2: Updated dtrace comment
Differential Revision:  https://reviews.freebsd.org/D51341
Delta  File
+1 -1  tools/test/stress2/misc/fullpath2.sh
+1 -1  1 files

FreeBSD/src 0464725 sys/dev/ice ice_iov.c

ice(4): Fix setting VF MAC address

MAC address assigned to a Virtual Function using iovctl configuration
was not passed to the VF, but its presence caused ICE to reject random
address generated by the VF. This led to VF not being able to send
or receive traffic. Send the administratively assigned MAC address to
a VF in a response to the 'Get VF Resources' virtual channel command.

While at that replace bcopy with memcpy for consistency, and shorten
an over 80 characters line.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta   File
+11 -6  sys/dev/ice/ice_iov.c
+11 -6  1 files

FreeBSD/src 430f1ac sys/dev/ice ice_iov.c ice_iov.h

ice(4): Add MAC filter and VLAN resource limits to VFs

Adds two new parameters to iovctl config for VLAN filter limits and MAC
filter limits and gives them defaults of 64 and 16, respectively.

These are intended to limit the number of resources that a VF can
consume so that any one VF cannot starve any other VFs or the PF of
filters.

Signed-off-by: Eric Joyner <eric.joyner at intel.com>
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta   File
+42 -3  sys/dev/ice/ice_iov.c
+8 -0   sys/dev/ice/ice_iov.h
+50 -3  2 files

FreeBSD/src 51ed28c sys/dev/ice ice_iov.c

ice(4): Enable WB_ON_ITR capability for VFs (#76)

Let VF driver know that HW supports WB_ON_ITR
feature. It allows polling mode driver such
as DPDK to configure an immediate write-back
of completed descriptors.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta  File
+3 -0  sys/dev/ice/ice_iov.c
+3 -0  1 files

FreeBSD/src 69bb592 sys/dev/ice ice_iov.c

ice(4): Fix set RSS hena virtchnl op handler

Remove existing RSS HENA configuration to make sure that
only config requested by VF is applied and allow VFs to
disable RSS completely.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta   File
+25 -8  sys/dev/ice/ice_iov.c
+25 -8  1 files

FreeBSD/src 160becc sys/dev/ice ice_iov.c

ice: Add broadcast filter while creating VF

Filter for unicast MAC address is configured
with a virtual channel message, but filter for
a broadcast traffic was missing. It caused
issues with e.g. ARP.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta  File
+8 -0  sys/dev/ice/ice_iov.c
+8 -0  1 files

FreeBSD/src 21f3395 sys/dev/ice ice_iov.c

ice(4): Fix panic when VF uses less queues than available

VF driver may request to configure MSI-X vectors for less
queues than assigned by PF. Don't try to configure
unassigned vectors to avoid panic.

While at that make the loop process whole array of vectors
received in a VIRTCHNL_OP_CFG_IRQ_MAP message from a VF.
It's not guaranteed that vector '0', which is used for other
interrupt causes and is not mapped to a queue, will be always
on the last position. Condition inside the loop already
handles that vector correctly.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta  File
+7 -5  sys/dev/ice/ice_iov.c
+7 -5  1 files

FreeBSD/src bc76198 sys/dev/ice ice_iov.c ice_vf_mbx.c

ice: Add host SR-IOV support

Enable basic SR-IOV support for E800 adapters.

Authored-by: Eric Joyner <erj at FreeBSD.org>
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta      File
+1,732 -0  sys/dev/ice/ice_iov.c
+471 -0    sys/dev/ice/ice_vf_mbx.c
+117 -0    sys/dev/ice/if_ice_iflib.c
+115 -0    sys/dev/ice/ice_iov.h
+67 -0     sys/dev/ice/ice_vf_mbx.h
+20 -0     sys/dev/ice/ice_lib.c
+2,522 -0  5 files not shown
+2,549 -0  11 files

FreeBSD/src d6958f3 sys/dev/ice ice_iov.c ice_lib.c

ice(4): Fix re-enabling VF queues

On receiving a virtual channel request from VF driver tried
to configure and enable Tx and Rx queues without making
sure that they were disabled. It caused issue with reloading
a VF driver without a reset e.g. in case it crashed.
Fix that by always disabling all Rx and Tx queues.

While at that make sure that only queues requested by VF
driver are enabled. VF driver may use less queues than
assigned to the function when it was created.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta   File
+26 -5  sys/dev/ice/ice_iov.c
+8 -0   sys/dev/ice/ice_lib.c
+34 -5  2 files

FreeBSD/src 925a15b sys/dev/ice ice_iov.c if_ice_iflib.c

ice(4): Add basic VFLR handler

PF driver needs to tear down and setup VF configuration after
a reset event, e.g. due to reloading a VF driver. Re-use
ice_reset_vf function for that by adding new parameter,
which decides if new reset has to be triggered.
This most likely does not cover all necessary steps
and will be extended in future commits.

Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1573
Delta   File
+35 -6  sys/dev/ice/ice_iov.c
+18 -3  sys/dev/ice/if_ice_iflib.c
+2 -0   sys/dev/ice/ice_iov.h
+55 -9  3 files

FreeBSD/src 7986051 tests/sys/netpfil/pf mbuf.sh

pf tests: make mbuf:inet6_in_mbuf_len more robust

The mbuf:inet6_in_mbuf_len test sometimes fails because it encountered
unexpected extra packets. These turn out to be MLD packets, so block these
packets on the host with pf so they don't disturb what we're actually trying
to test.

Reviewed by:    igoro
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Differential Revision:  https://reviews.freebsd.org/D51408
Delta  File
+6 -0  tests/sys/netpfil/pf/mbuf.sh
+6 -0  1 files

FreeBSD/src cf2ff49 sys/fs/nfsserver nfs_nfsdserv.c

nfs_nfsdserv.c: Fix nfsrvd_openattr() for vnode locking

Without this patch, nfsrvd_openattr() requests an unlocked
vnode via VOP_LOOKUP().  This is not allowed for
"options DEBUG_VFS_LOCKS" kernels, so this patch requests a
locked vnode and then unlocks it.

Fixes:  e4c7b2b6053f ("nfsv4: Add support to NFSv4 for named attributes")
Delta  File
+4 -1  sys/fs/nfsserver/nfs_nfsdserv.c
+4 -1  1 files

FreeBSD/src 2420e64 sys/rpc/rpcsec_tls rpctls_impl.c

rpctls_impl.c: Fix handling of hung rpc tls daemon

Commit 26ee05939209 replaced soshutdown()
with soclose() for the case where the RPC TLS
daemon has not removed the socket from the RB
tree during an upcall.

It turns out that soshutdown() is needed for the
"else" case, which is the case that occurs when the
daemon is stuck in SSL_accept() or SSL_connect().

This patch adds a soshutdown() call to this else case,
which unsticks the daemon when the other end does
not do the actual TLS handshake. This can occur if
the daemon is not running at the other end.

Reviewed by:    glebius
Differential Revision:  https://reviews.freebsd.org/D51083
Fixes:  26ee05939209 ("rpctls_impl.c: Fix handling of socket for daemon failure")
Delta  File
+8 -0  sys/rpc/rpcsec_tls/rpctls_impl.c
+8 -0  1 files

FreeBSD/src 57ee565 contrib/tzcode localtime.c, lib/libc/stdtime Symbol.map Makefile.inc

libc: Test time zone change detection.

While here, clean the detection code up a bit.

Sponsored by:   Klara, Inc.
Sponsored by:   NetApp, Inc.
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D51343
Delta     File
+281 -0   lib/libc/tests/stdtime/detect_tz_changes_test.c
+5 -13    contrib/tzcode/localtime.c
+6 -0     lib/libc/stdtime/Symbol.map
+4 -1     lib/libc/tests/stdtime/Makefile
+4 -0     tools/build/mk/OptionalObsoleteFiles.inc
+1 -0     lib/libc/stdtime/Makefile.inc
+301 -14  6 files

FreeBSD/src d63ffdd contrib/tzcode localtime.c

tzcode: Fix time zone change detection.

Prior to the 2022g import, tzloadbody() returned -1 on error.  Now it
returns an errno code.  When I updated the time zone change detection
logic to match, I improperly returned errno in all cases, which means
that if the time zone file has not changed since we last loaded it,
tzloadbody() returns a random errno value instead of 0.

Fixes:          bc42155199b5
MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   NetApp, Inc.
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D51405
Delta  File
+5 -9  contrib/tzcode/localtime.c
+5 -9  1 files

FreeBSD/src 655fcdd release Makefile

release: Install wireless firmware to bootonly media

Also install wireless firmware packages to the bootonly ISO and the
mini-memstick image so users can fetch installation files over a
wireless connection.

Reported by:    Mark Philips <mark at freebsdfoundation.org>
Reviewed by:    bz, emaste, imp, releng (cperciva)
Sponsored by:   The FreeBSD Foundation
Differential Revision:  https://reviews.freebsd.org/D51348
Delta  File
+1 -0  release/Makefile
+1 -0  1 files

FreeBSD/src bab21ae sbin/kldstat kldstat.c

kldstat: Memory zeroing using memset()

Use memset() instead of the outdated bzero() function when zeroing
memory. bzero() was in the POSIX.1-2001 standard.

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/1774
Closes: https://github.com/freebsd/freebsd-src/pull/1774
Delta  File
+2 -2  sbin/kldstat/kldstat.c
+2 -2  1 files

FreeBSD/src af0ec3f sys/kern vfs_inotify.c, sys/sys inotify.h

inotify: Fix a couple of locking bugs

When hooking vop_rename_post(), the preexisting dst vnode will be
unlocked.  But, we need to invoke VOP_GETATTR on it in vn_inotify() to
check its link count.

In inotify_unlink_watch_locked(), the vnode interlock is not held, so
don't use vn_irflag_unset_locked().

Reviewed by:    kib
Fixes:          f1f230439fa4 ("vfs: Initial revision of inotify")
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D51401
Delta   File
+11 -3  sys/sys/inotify.h
+3 -2   sys/kern/vfs_inotify.c
+14 -5  2 files