Delete error-check code that can never happen.
Near the top of kern_mmap() that implements the mmap(2) system call,
it sets
prot = PROT_EXTRACT(prot);
with
So prot can only be the three PROT_ flags.
The following test of the user's mmap(2) parameters (near line 275
in vm/vm_mmap.c):
if (prot != PROT_NONE &&
(prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC)) != 0) {
return (EXTERROR(EINVAL, "invalid prot %#jx", prot));
}
[8 lines not shown]

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)

tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.
(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough. Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.
Add a runtime check which verifies that the copy won't overflow.
Approved by: so
Security: FreeBSD-SA-26:08.rpcsec_gss
Security: CVE-2026-4747
Reported by: Nicholas Carlini <npc at anthropic.com>
Reviewed by: rmacklem
Fixes: a9148abd9da5d
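
The runtime check described in the rpcsec_gss commit messages above, as an added example that is not FreeBSD's code. The struct, the function names, `HDR_BUF_SIZE` and `FIXED_HDR_LEN` are assumptions for illustration; only the 400-byte limit on `oa_length` comes from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_OA_LENGTH 400u  /* upper bound on oa_length, per the commit message */
#define HDR_BUF_SIZE  128u  /* assumed stack buffer size (not from the page) */
#define FIXED_HDR_LEN 32u   /* assumed size of the fixed fields copied first */

/* Hypothetical stand-in for the opaque credential carried in the request. */
struct opaque_cred {
	uint32_t       oa_length;  /* length supplied by the remote peer */
	const uint8_t *oa_base;    /* credential body */
};

/* Copy fixed header + credential body into buf; negative errno if it won't fit. */
static int
serialize_for_validate(const uint8_t *fixed, const struct opaque_cred *oa,
    uint8_t *buf, size_t bufsize)
{
	if (oa->oa_length > MAX_OA_LENGTH)
		return (-EINVAL);
	/* Subtract on the trusted side so the comparison cannot wrap. */
	if (bufsize < FIXED_HDR_LEN || oa->oa_length > bufsize - FIXED_HDR_LEN)
		return (-EMSGSIZE);
	memcpy(buf, fixed, FIXED_HDR_LEN);
	memcpy(buf + FIXED_HDR_LEN, oa->oa_base, oa->oa_length);
	return ((int)(FIXED_HDR_LEN + oa->oa_length));
}

/* Caller with a stack buffer; the canary shows nothing is written past it. */
static int
validate_demo(uint32_t oa_length)
{
	static const uint8_t fixed[FIXED_HDR_LEN] = { 0 };     /* constructed input */
	static const uint8_t body[MAX_OA_LENGTH + 8] = { 0 };  /* constructed input */
	struct { uint8_t hdr[HDR_BUF_SIZE]; uint32_t canary; } frame;
	struct opaque_cred oa = { oa_length, body };
	int n;

	frame.canary = 0xC0FFEEu;
	n = serialize_for_validate(fixed, &oa, frame.hdr, sizeof(frame.hdr));
	return (frame.canary == 0xC0FFEEu ? n : -EFAULT);
}

/* 97 bytes is one more than fits after the fixed header, so it must be refused. */
int main(void) { return (validate_demo(97) == -EMSGSIZE ? 0 : 1); }
```

A length that passes the protocol maximum can still exceed the destination, which is why the check is made against the buffer actually being written.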
tcp: plug an mbuf leak
When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().
Approved by: so
Security: FreeBSD-SA-26:06.tcp
Security: CVE-2026-4247
Reviewed by: lstewart
Tested by: lstewart
Sponsored by: Netflix, Inc.

timerfd: Expect periodic timer performance failures
The current timerfd implementation fails to correctly count events on a
nanosecond callout interval. The timerfd__periodic_timer_performance
test detects this and reports failure.
Mark this test as an expected failure so it isn't flagged by CI. A link
to the bug report is attached to the test for reference.
While we're here, clean up some minor style and Make issues.
Fixes: 834c1ba793d9 ("timerfd: Add tests")
MFC after: 1 week

pmc: Fix copyright in previous commits
Fix the copyright attribution to Netflix and the date and missing SPDX
line in pmc.ibs man page.
Sponsored by: Netflix
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2094

clnt_bck.c: Delete a couple of old diagnostic printfs
There were two debug printf()s that were left in the
code while debugging the handling of callbacks over
a NFSv4.1/4.2 backchannel was being done.
This patch removes them, since they are no longer
of benefit and cause "noise".
Requested by: wollman
MFC after: 2 weeks

tests/netinet: add raw:reconnect test
It tests repetitive connect(2) on AF_INET/SOCK_RAW including connect(2)
to INADDR_ANY that puts socket back into receive-all mode.

ipfw: skip tests if required sysctl is not set
Since this is a configuration prerequisite rather than a test failure, use
atf_skip instead.
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D56069

packages: Remove stale libsdp-all.ucl
This package no longer exists since it was merged into bluetooth.
Fixes: 41ee4321cc52 ("libsdp: Move to bluetooth-lib package")
MFC after: 3 days
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D55822
Sponsored by: https://www.patreon.com/bsdivy

pf: include all elements when hashing rules
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit c6bcf6e6fd507d952a48226b51cc161b8ef972a2)

pf tests: verify that we handle address range rules correctly
There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)

pf: Fix hashing of IP address ranges
This corrects the false detection of duplicate rules.
MFC after: 1 week
Reviewed by: kp
(cherry picked from commit 1fa873c93c8b08561c53107c7b90c53dfad30ddc)

stand: Force disable RETPOLINE for boot loaders
Boot loaders do not require speculative execution protection, and may be
too large if enabled.
Reported by: Shawn Webb
Reviewed by: dim, imp
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D56068

kern/amd64/machdep: Replace memset in wrmsr_early_safe_end
GENERIC-KASAN kernel failed to boot on a Dell PowerEdge C6615 with
an AMD EPYC 8224P CPU; UEFI BIOS caught a #GP exception with %RIP
in kasan_memset where %GS relative pointer (curthread->td_pflags2)
was dereferenced. Investigation led to wrmsr_early_safe_end which
calls memset to clear early #GP IDT entry. Replacing memset with
__builtin_memset_inline still resulted in the compiler emitting a
call to the memset resolver in GENERIC-KASAN build and the kernel
still faulted during boot. This version which has been successfully
tested with both GENERIC and GENERIC-KASAN kernels uses memset_early.
Signed-off-by: Kristofer Peterson <kris at tranception.com>
Reviewed-by: kib
Pull-Request: https://github.com/freebsd/freebsd-src/pull/2069

rge: make rx_process_limit a sysctl tunable
The number of packets processed per interrupt was hardcoded to 16.
Add a per-interface sysctl dev.rge.%d.rx_process_limit tunable so
users can adjust this value at runtime.
Signed-off-by: Christos Longros <chris.longros at gmail.com>
Reviewed by: ziaee, adrian
Differential Revision: https://reviews.freebsd.org/D56014

rge.4: fix incorrect speed range in HARDWARE section
The HARDWARE section stated "PCIe 1GB to 1GB Ethernet devices"
which is incorrect. The RTL8125/8126/8127 chips support speeds
from 1Gbps to 10Gbps. Correct the range.
Signed-off-by: Christos Longros <chris.longros at gmail.com>

rge.4: note that the driver manages PHY directly
The rge(4) driver does not use the miibus(4) interface for PHY
management. Instead, it accesses PHY registers directly via the
chip's OCP (On-Chip Peripheral) bus. Document this in the
DESCRIPTION section.
Signed-off-by: Christos Longros <chris.longros at gmail.com>
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D55995