HardenedBSD/src 576e7a1 share/misc bsd-family-tree, sys/compat/linuxkpi/common/src linux_page.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta File
+45 -93 sys/vm/swap_pager.c
+13 -67 sys/vm/vnode_pager.c
+58 -0 sys/vm/vm_object.c
+9 -10 usr.sbin/wlanstats/wlanstats.8
+7 -4 share/misc/bsd-family-tree
+4 -6 sys/compat/linuxkpi/common/src/linux_page.c
+136 -180 13 files not shown
+172 -188 19 files

HardenedBSD/src c18ad27 share/misc bsd-family-tree

Merge branch 'freebsd/current/main' into hardened/current/master
Delta File
+7 -4 share/misc/bsd-family-tree
+7 -4 1 files

HardenedBSD/src 2bc9d7a share/misc bsd-family-tree

bsd-family-tree: add FreeBSD 13.5
Delta File
+7 -4 share/misc/bsd-family-tree
+7 -4 1 files

HardenedBSD/src 7b871e9 share/man/man5 src.conf.5

HBSD: Resolve merge conflict

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Delta File
+1 -8 share/man/man5/src.conf.5
+1 -8 1 files

HardenedBSD/src 6a2122e contrib/ofed/libibverbs verbs.c, sys/compat/linuxkpi/common/src linux_page.c

Merge remote-tracking branch 'origin/freebsd/current/main' into hardened/current/master

Conflicts:
        share/man/man5/src.conf.5 (unresolved)
Delta File
+45 -93 sys/vm/swap_pager.c
+13 -67 sys/vm/vnode_pager.c
+58 -0 sys/vm/vm_object.c
+9 -10 usr.sbin/wlanstats/wlanstats.8
+4 -6 sys/compat/linuxkpi/common/src/linux_page.c
+8 -0 contrib/ofed/libibverbs/verbs.c
+137 -176 12 files not shown
+171 -183 18 files

HardenedBSD/src 1245f6e bin/sh sh.1

sh(1): Replace recommendation of use of -e with a note

This partially reverts b14cfdf665bb8b7b2898a4ee5b073ab87f8ea3d0 and has
been discussed in D42719.

Reviewed by:    jrm (mentor), otis (mentor), mandree, ziaee (manpages)
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D45073

(cherry picked from commit 7bd8da72c5814b486ae7f492286fe3ac0a5bf03d)
Delta File
+4 -6 bin/sh/sh.1
+4 -6 1 files

HardenedBSD/src 4fd560b secure/caroot MAca-bundle.pl

caroot: Ignore soft distrust of server CA certificates after 398 days

Mozilla introduced the field CKA_NSS_SERVER_DISTRUST_AFTER which indicates that
a CA certificate will be distrusted in the future before its NotAfter time.
This means that the CA stops issuing new certificates, but previous ones are
still valid, but at most for 398 days after the distrust date.

See also:
* https://bugzilla.mozilla.org/show_bug.cgi?id=1465613
* https://github.com/Lukasa/mkcert/issues/19
* https://gitlab.alpinelinux.org/alpine/ca-certificates/-/merge_requests/16
* https://github.com/curl/curl/commit/448df98d9280b3290ecf63e5fc9452d487f41a7c

Tested by:      michaelo
Reviewed by:    emaste
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49075

(cherry picked from commit 457c03b397c80d44da92684d417a58b3ca1fed02)
Delta File
+10 -10 secure/caroot/MAca-bundle.pl
+10 -10 1 files
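The soft-distrust rule described in the caroot commit above, as an added example that is not part of this page or of FreeBSD's MAca-bundle.pl: it reads the CKA_NSS_SERVER_DISTRUST_AFTER attribute from a constructed certdata.txt fragment and keeps the CA in the bundle until 398 days after the distrust date, instead of dropping it the moment the distrust date passes. The encoding it assumes (MULTILINE_OCTAL lines of backslash-octal bytes spelling a 13-byte "YYMMDDhhmmssZ" UTC timestamp, or "CK_BBOOL CK_FALSE" when no date is set) and the sample record are assumptions for the example, not taken from the page.

```python
"""Apply Mozilla's CKA_NSS_SERVER_DISTRUST_AFTER with a 398-day grace period.

Added example, not FreeBSD's MAca-bundle.pl. Assumed encoding: the attribute
is either "CK_BBOOL CK_FALSE" (no distrust date) or MULTILINE_OCTAL lines of
backslash-octal bytes spelling a 13-byte "YYMMDDhhmmssZ" UTC timestamp,
terminated by an END line.
"""
from datetime import datetime, timedelta, timezone

# Longest lifetime a server certificate may have, so a leaf issued just before
# the distrust date can remain valid this long after it.
MAX_LEAF_LIFETIME = timedelta(days=398)

# Constructed certdata.txt fragment (not a real CA record). The octal escapes
# spell "200701000000Z", i.e. 2020-07-01 00:00:00 UTC.
SAMPLE_CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Soft-Distrusted Root"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\067\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def utc(year, month, day, hour=0, minute=0, second=0):
    """Build a timezone-aware UTC instant (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _decode_octal(lines):
    """Turn lines such as '\\062\\060' into the ASCII string they encode."""
    chars = []
    for line in lines:
        for tok in line.strip().split("\\"):
            if tok:
                chars.append(chr(int(tok, 8)))
    return "".join(chars)


def parse_server_distrust_after(certdata):
    """Return the server distrust date as an aware datetime, or None if unset."""
    lines = certdata.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER "):
            continue
        value = line.split(None, 1)[1].strip()
        if value == "CK_BBOOL CK_FALSE":
            return None
        if value != "MULTILINE_OCTAL":
            raise ValueError("unexpected encoding: %r" % line)
        body = []
        for nxt in lines[i + 1:]:
            if nxt.strip() == "END":
                break
            body.append(nxt)
        stamp = _decode_octal(body)
        if len(stamp) != 13 or not stamp.endswith("Z"):
            raise ValueError("unexpected timestamp: %r" % stamp)
        return datetime.strptime(stamp, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return None


def keep_in_bundle(distrust_after, now):
    """Keep the CA while a leaf issued before the distrust date can still be valid."""
    if distrust_after is None:
        return True
    return now < distrust_after + MAX_LEAF_LIFETIME


if __name__ == "__main__":
    d = parse_server_distrust_after(SAMPLE_CERTDATA)
    for when in (utc(2020, 6, 1), utc(2021, 1, 1), utc(2021, 9, 1)):
        print(when.date(), "keep" if keep_in_bundle(d, when) else "drop")
```

For the sample record the CA stays in the bundle on 2021-01-01 even though its distrust date (2020-07-01) has passed, which is the soft-distrust window the commit stops excluding early; from 2021-08-03 onward it is dropped.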

HardenedBSD/src fa30153 sys/arm64/include bus.h

arm64: bus: Add 36-bit address mask for use in bus space allocations

Obtained from:  Juniper Networks, Inc.
MFC after:      1 week
Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D44764

(cherry picked from commit 5484c3d6eb31a78f07ed5e66862a1e7d3b5225b6)
Delta File
+1 -0 sys/arm64/include/bus.h
+1 -0 1 files

HardenedBSD/src 5963423 contrib/ofed/libibverbs verbs.c verbs.h, contrib/ofed/libibverbs/examples devinfo.c

libibverbs: Extend support of NDR rates

NDR(106.25 Gbps) support exposed new data rates:
800 Gbps - NDR 8x.
1200 Gbps - NDR 12x.

Utility methods were updated to support the new rates mentioned above:
1) Rate to mult - Convert the IB rate enum to a multiple of 2.5 Gbps.
2) Rate to mbps - Convert IB rate enum to the mbps value.

In addition, speed_str() of ibv_devinfo was updated to consider the new
NDR rate.

Reference:      IB Spec Release 1.5
PR:             285305
MFC after:      1 week
Sponsored by:   NVidia networking

Change-Id: I77541e406f700585fbfeddc162d5a0e7b79a1c11
Signed-off-by: Slava Shwartsman <slavash at nvidia.com>
Delta File
+8 -0 contrib/ofed/libibverbs/verbs.c
+2 -0 contrib/ofed/libibverbs/verbs.h
+1 -0 contrib/ofed/libibverbs/examples/devinfo.c
+11 -0 3 files

HardenedBSD/src 7215aed sys/dev/wg if_wg.c, tests/sys/net if_wg.sh

kern: wg: remove overly-restrictive address family check

IPv4 packets can be routed via an IPv6 nexthop, so the handling of the
parsed address family is more strict than it needs to be.  If we have a
valid header that matches a known peer, then we have no reason to
decline the packet.

Convert it to an assertion that it matches the destination as viewed by
the stack below it, instead.  `dst` may be the gateway instead of the
destination in the case of a nexthop, so the `af` assignment must be
switched to use the destination in all cases.

Add a test case that approximates a setup like in the PR and
demonstrates the issue.

PR:             284857
Reviewed by:    markj (earlier version), zlei

(cherry picked from commit 2bef0d54f74dad6962ef7d1dfa407e95cb4fb4ad)
Delta File
+79 -0 tests/sys/net/if_wg.sh
+3 -5 sys/dev/wg/if_wg.c
+82 -5 2 files

HardenedBSD/src b82d789 sys/vm swap_pager.c vnode_pager.c

vm_object: add getpages utility

vnode_pager_generic_getpages() and swap_pager_getpages_locked() each
include code to read a few pages behind, and a few pages ahead of, a
specified page range. The same code can serve each function, and that
code is encapsulated in a new vm_object_page function. For the swap
case, this also eliminates some needless linked-list traversal.

Reviewed by:    alc, kib
Differential Revision:  https://reviews.freebsd.org/D49224
Delta File
+45 -93 sys/vm/swap_pager.c
+13 -67 sys/vm/vnode_pager.c
+58 -0 sys/vm/vm_object.c
+2 -0 sys/vm/vm_object.h
+118 -160 4 files

HardenedBSD/src 36782aa usr.sbin/wlanstats wlanstats.8 main.c

wlanstats: update usage, improve man page

wlanstats prints the wrong usage statement, including a nonexistent -a
flag (*) and a description of -m that suggests multiple arguments.
Make the manpage slightly more clear.

(*) the implementation of that is #if 0 and the option was disabled
    in 530c13c5401c.

Sponsored by:   The FreeBSD Foundation (commit)
PR:             285413
MFC after:      3 days
Reviewed by:    ziaee
Differential Revision: https://reviews.freebsd.org/D49365
Delta File
+9 -10 usr.sbin/wlanstats/wlanstats.8
+1 -1 usr.sbin/wlanstats/main.c
+10 -11 2 files

HardenedBSD/src 222c850 sys/conf kern.mk

kern.mk: Update SSP comment (not limited to GCC)

Sponsored by:   The FreeBSD Foundation
Delta File
+1 -1 sys/conf/kern.mk
+1 -1 1 files

HardenedBSD/src 55c3348 release/tools ec2.conf, sys/dev/acpica acpivar.h acpi_pci.c

acpi_pci: Add quirk for DELAY-after-EJ0

On some EC2 instances, there is a race between removing a device from
the system and making the PCI bus stop reporting the presence of the
device.  As a result, a PCI BUS_RESCAN performed immediately after
the _EJ0 method returns "sees" the device which is being ejected, which
then causes problems later (e.g. we won't recognize a new device being
plugged into that slot because we never knew it was vacant).

On other operating systems the bus is synchronously marked as needing
to be rescanned but the rescan does not occur until O(1) seconds later.

Create a new ACPI_Q_DELAY_BEFORE_EJECT_RESCAN quirk and set it in EC2
AMIs, and add a 10 ms DELAY between _EJ0 and BUS_RESCAN when that quirk
is set.

Reviewed by:    jhb
MFC after:      1 month
Sponsored by:   Amazon
Differential Revision:  https://reviews.freebsd.org/D49252
Delta File
+3 -2 release/tools/ec2.conf
+3 -0 sys/dev/acpica/acpivar.h
+2 -0 sys/dev/acpica/acpi_pci.c
+8 -2 3 files

HardenedBSD/src 63f721e usr.sbin/unbound/host Makefile

Merge branch 'cherry-pick-1b490915' into 'hardened/13-stable/master'

HBSD: Fix build of unbound-host(1)

See merge request hardenedbsd/HardenedBSD!100
Delta File
+16 -8 usr.sbin/unbound/host/Makefile
+16 -8 1 files

HardenedBSD/src 81eb546 share/vt/keymaps ca-multi.kbd INDEX.keymaps

keymaps: Add Canadian Multilingual Standard

Pull Request: https://github.com/freebsd/freebsd-src/pull/1586

(cherry picked from commit 602be8e1a8711dd9c264e75078a35533f07526eb)
Delta File
+142 -0 share/vt/keymaps/ca-multi.kbd
+3 -0 share/vt/keymaps/INDEX.keymaps
+1 -0 share/vt/keymaps/Makefile
+146 -0 3 files

HardenedBSD/src 53ec864 usr.sbin/unbound/host Makefile

HBSD: Fix build of unbound-host(1)

FreeBSD re-organized some files, including an unbound configuration
header that unbound-host(1) depends on.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>


(cherry picked from commit 1b4909155b405f7e7f2cbf8453810b35be169c78)

Co-authored-by: Shawn Webb <shawn.webb at hardenedbsd.org>
Delta File
+16 -8 usr.sbin/unbound/host/Makefile
+16 -8 1 files

HardenedBSD/src b9296d4 sys/geom geom_dev.c

g_dev_orphan(): Return early if the device is already gone

The following panic was the result of running "cdcontrol eject" after
using the physical ejection key on the device before the tray was
actually ejected. So we have hardware racing software.

The device was loaded with a DVD.

Resulted in a NULL pointer dereference

g_dev_orphan() at g_dev_orphan+0x2e/frame 0xfffffe01eba0a9f0
g_resize_provider_event() at g_resize_provider_event+0x71/frame 0xfffffe01eba0aa20
g_run_events() at g_run_events+0x20e/frame 0xfffffe01eba0aa70
fork_exit() at fork_exit+0x85/frame 0xfffffe01eba0aab0
fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe01eba0aab0

Avoid this possibility and return early if dev is NULL already.

PR:  215856

    [4 lines not shown]
Delta File
+3 -0 sys/geom/geom_dev.c
+3 -0 1 files

HardenedBSD/src 8130722 sys/sys signal.h

posix: POSIX-1.2008 moved SA_* from XSI to base standard

Starting with POSIX-1.2008, "The SA_RESETHAND, SA_RESTART, SA_SIGINFO,
SA_NOCLDWAIT, and SA_NODEFER constants are moved from the XSI option to
the Base." Make them so visible.

PR:             275328
Sponsored by:   Netflix

(cherry picked from commit 06af7bd12a4a654f5c5e8da41cf329eee3aa61f6)
Delta File
+1 -1 sys/sys/signal.h
+1 -1 1 files

HardenedBSD/src 1cae712 . UPDATING, share/man/man5 src.conf.5

Enable LLVM_BINUTILS by default

Starting in 2014 FreeBSD migrated from GNU binutils to ELF Tool Chain
tools.  At that time there were no usable LLVM versions of those tools,
but they have been developing rapidly since then.  Migrate to LLVM's
tools for both functionality and maintainability reasons.

This will eventually support the use of link-time optimization (LTO) in
the FreeBSD base system.  LTO runs optimization passes over the entire
executable (or library) at link time and thus allows for more effective
optimization than when performed on individual compilation units.

When using LTO object files (.o) including those contained in static
library archives (.a) contain LLVM IR bitcode rather than target
object code.  This means that utilities that operate on object files
need to support LLVM IR.

As with ELF Tool Chain the LLVM tools aim for command line and output
format compatibility with GNU binutils, although there are a few minor

    [8 lines not shown]
Delta File
+12 -4 share/man/man5/src.conf.5
+5 -0 UPDATING
+1 -1 share/mk/src.opts.mk
+18 -5 3 files

HardenedBSD/src 4a4eee5 sys/contrib/dev/iwlwifi/mvm tx.c

iwlwifi: adjust a debug comment referring to a PR

A FreeBSD specific comment asked people to report to a PR if they see
this.  By now we got enough feedback and also left this in a release.
Simply point to the PR so people can check the status but no longer
ask to submit a report to the PR.

Sponsored by:   The FreeBSD Foundation
PR:             274382
MFC after:      3 days
Delta File
+2 -2 sys/contrib/dev/iwlwifi/mvm/tx.c
+2 -2 1 files

HardenedBSD/src a5c7b44 sys/compat/linuxkpi/common/src linux_page.c

LinuxKPI: always use contig allocations in linux_alloc_kmem()

In linux_alloc_kmem() [used by *get_page*()] we always at least allocate
PAGE_SIZE and we want the allocation to be contiguous so it can be passed
to DMA.  Always use kmem_alloc_contig() and only change the low argument
depending on the GFP_DMA32 flag being given or not.

Sponsored by:   The FreeBSD Foundation
MFC after:      3 days
Reviewed by:    jhb, dumbbell
Differential Revision: https://reviews.freebsd.org/D46661
Delta File
+4 -6 sys/compat/linuxkpi/common/src/linux_page.c
+4 -6 1 files

HardenedBSD/src 19df0c5 sys/compat/linuxkpi/common/src linux_slab.c

LinuxKPI: make __kmalloc() play by the rules

According to Documentation/core-api/dma-api.rst kmalloc() is supposed
to provide physically contiguous memory. [1]

In order to guarantee that allocations are contiguous even if using
PAGE_SIZE or larger check the size and use contigmalloc if needed.
This makes use of 9e6544dd6e02 (and following) allowing free(9) to
also work for contigmalloced memory.

Sponsored by:   The FreeBSD Foundation
Pointed out by: jhb [1]
Reviewed by:    jhb, emaste
MFC after:      3 days
Differential Revision: https://reviews.freebsd.org/D46656
Delta File
+5 -1 sys/compat/linuxkpi/common/src/linux_slab.c
+5 -1 1 files

HardenedBSD/src 59f469e crypto/openssl/apps speed.c, crypto/openssl/doc/man1 openssl-verification-options.pod openssl.pod

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta File
+292 -79 crypto/openssl/apps/speed.c
+127 -127 crypto/openssl/providers/fips-sources.checksums
+114 -78 crypto/openssl/doc/man1/openssl-verification-options.pod
+94 -95 crypto/openssl/util/check-format-commit.sh
+72 -54 crypto/openssl/test/evp_libctx_test.c
+9 -98 crypto/openssl/doc/man1/openssl.pod
+708 -531 163 files not shown
+2,048 -1,086 169 files

HardenedBSD/src ab4695f crypto/openssl/apps speed.c, crypto/openssl/doc/man1 openssl-verification-options.pod openssl.pod

Merge branch 'freebsd/current/main' into hardened/current/master
Delta File
+292 -79 crypto/openssl/apps/speed.c
+127 -127 crypto/openssl/providers/fips-sources.checksums
+114 -78 crypto/openssl/doc/man1/openssl-verification-options.pod
+94 -95 crypto/openssl/util/check-format-commit.sh
+72 -54 crypto/openssl/test/evp_libctx_test.c
+9 -98 crypto/openssl/doc/man1/openssl.pod
+708 -531 163 files not shown
+2,048 -1,086 169 files

HardenedBSD/src d2a55e6 crypto/openssl/include/openssl opensslv.h, secure/lib/libcrypto Makefile.inc

openssl: update ASM and version info for 3.0.16 import

MFC after:      1 week
MFC with:       0d0c8621fd181e507f0fb50ffcca606faf66a8c2
Differential Revision:  https://reviews.freebsd.org/D49297
Delta File
+5 -5 crypto/openssl/include/openssl/opensslv.h
+2 -2 secure/lib/libcrypto/Makefile.inc
+2 -0 sys/crypto/openssl/aarch64/armv8-mont.S
+9 -7 3 files

HardenedBSD/src 0d0c862 crypto/openssl/apps speed.c, crypto/openssl/doc/man1 openssl-verification-options.pod openssl.pod

openssl: Import OpenSSL 3.0.16

This release incorporates the following bug fixes and mitigations:
- [CVE-2024-13176](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-13176)
- [CVE-2024-9143](https://www.openssl.org/news/vulnerabilities.html#CVE-2024-9143)

Release notes can be found at:
https://openssl-library.org/news/openssl-3.0-notes/index.html

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D49296
Delta File
+292 -79 crypto/openssl/apps/speed.c
+127 -127 crypto/openssl/providers/fips-sources.checksums
+114 -78 crypto/openssl/doc/man1/openssl-verification-options.pod
+94 -95 crypto/openssl/util/check-format-commit.sh
+72 -54 crypto/openssl/test/evp_libctx_test.c
+9 -98 crypto/openssl/doc/man1/openssl.pod
+708 -531 160 files not shown
+2,039 -1,079 166 files

HardenedBSD/src 47d4641 sys/dev/mana mana_en.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta File
+0 -7 sys/dev/mana/mana_en.c
+0 -7 1 files

HardenedBSD/src c153e9c sys/dev/mana mana_en.c

Merge branch 'freebsd/current/main' into hardened/current/master
Delta File
+0 -7 sys/dev/mana/mana_en.c
+0 -7 1 files

HardenedBSD/src 47f4137 sys/dev/mana mana_en.c

mana: remove redundant doorbell in mana_poll_rx_cq()

With the last commit to refill the rx mbuf in batch, the doorbell
in mana_poll_rx_cq() becomes redundant. Remove it to save a few
microseconds spent in mmio call.

Reported by:    NetApp
Reviewed by:    Tallamraju, Sai
Tested by:      whu
Fixes:          9b8701b8 ("mana: refill the rx mbuf in batch")
MFC after:      3 days
Sponsored by:   Microsoft
Delta File
+0 -7 sys/dev/mana/mana_en.c
+0 -7 1 files