FreeBSD/src 33424fd usr.bin/diff3 diff3.c

diff3: plug fd leak

MFC After:      1 week
Reported by:    kib
Delta     File
+1 -0     usr.bin/diff3/diff3.c
+1 -0     1 files

FreeBSD/src 6d8b2ac usr.bin/diff pr.c

diff: prefer posix_spawn over pdfork/execl

MFC After:              1 week
Reviewed by:            kib
Differential Revision:  https://reviews.freebsd.org/D56076
Delta     File
+39 -23   usr.bin/diff/pr.c
+39 -23   1 files

FreeBSD/src 5f7f0ef usr.bin/diff3 diff3.c

diff3: prefer posix_spawn over pdfork/execlp

MFC After:              1 week
Reviewed by:            kib
Differential Revision:  https://reviews.freebsd.org/D56075
Delta     File
+29 -18   usr.bin/diff3/diff3.c
+29 -18   1 files

FreeBSD/src 981cd08 sys/vm vm_mmap.c

Provide more precise error explanations for mmap(2) EINVAL errors.

Reviewed by:  kib
Differential Revision: https://reviews.freebsd.org/D55888
Sponsored by: Netflix

(cherry picked from commit dad6e6fc1ea4b737e9f1661ebd30da5d551e3d4a)
Delta     File
+23 -13   sys/vm/vm_mmap.c
+23 -13   1 files

FreeBSD/src b0ef93a sys/vm vm_mmap.c

Delete error-check code that can never happen.

Near the top of kern_mmap() that implements the mmap(2) system call,
it sets

        prot = PROT_EXTRACT(prot);

with

So prot can only be the three PROT_ flags.

The following test of the user's mmap(2) parameters (near line 275
in vm/vm_mmap.c):

        if (prot != PROT_NONE &&
            (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC)) != 0) {
                return (EXTERROR(EINVAL, "invalid prot %#jx", prot));
        }


    [8 lines not shown]
Delta     File
+0 -4     sys/vm/vm_mmap.c
+0 -4     1 files

FreeBSD/src 5c4e558 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta     File
+5 -0     UPDATING
+1 -1     sys/conf/newvers.sh
+6 -1     2 files

FreeBSD/src c4f53a1 lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d
Delta     File
+9 -1     sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1     lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2    2 files

FreeBSD/src 99ec7f9 lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d

(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
Delta     File
+9 -1     sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1     lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2    2 files

FreeBSD/src e5ed09f lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d

(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
Delta     File
+9 -1     sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1     lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2    2 files

FreeBSD/src b45e753 sys/netinet tcp_subr.c

tcp: plug an mbuf leak

When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:    so
Security:       FreeBSD-SA-26:06.tcp
Security:       CVE-2026-4247
Reviewed by:    lstewart
Tested by:      lstewart
Sponsored by:   Netflix, Inc.

(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
Delta     File
+2 -0     sys/netinet/tcp_subr.c
+2 -0     1 files

FreeBSD/src 1b00fdc lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d

(cherry picked from commit 143293c14f8de00c6d3de88cd23fc224e7014206)
Delta     File
+9 -1     sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1     lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2    2 files

FreeBSD/src 1fddb54 sys/netinet tcp_subr.c

tcp: plug an mbuf leak

When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:    so
Security:       FreeBSD-SA-26:06.tcp
Security:       CVE-2026-4247
Reviewed by:    lstewart
Tested by:      lstewart
Sponsored by:   Netflix, Inc.

(cherry picked from commit 6b2d6ccad2552e46a5c9c3ba70b2d0ed27c70ca8)
Delta     File
+2 -0     sys/netinet/tcp_subr.c
+2 -0     1 files

FreeBSD/src 143293c lib/librpcsec_gss svc_rpcsec_gss.c, sys/rpc/rpcsec_gss svc_rpcsec_gss.c

rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()

svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:    so
Security:       FreeBSD-SA-26:08.rpcsec_gss
Security:       CVE-2026-4747
Reported by:    Nicholas Carlini <npc at anthropic.com>
Reviewed by:    rmacklem
Fixes:          a9148abd9da5d
Delta     File
+9 -1     sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+8 -1     lib/librpcsec_gss/svc_rpcsec_gss.c
+17 -2    2 files

FreeBSD/src 6b2d6cc sys/netinet tcp_subr.c

tcp: plug an mbuf leak

When a challenge ACK should be sent via tcp_send_challenge_ack(),
but the rate limiter suppresses the sending, free the mbuf chain.
The caller of tcp_send_challenge_ack() expects this similar to the
callers of tcp_respond().

Approved by:    so
Security:       FreeBSD-SA-26:06.tcp
Security:       CVE-2026-4247
Reviewed by:    lstewart
Tested by:      lstewart
Sponsored by:   Netflix, Inc.
Delta     File
+2 -0     sys/netinet/tcp_subr.c
+2 -0     1 files

FreeBSD/src cb69238 tests/sys/kern timerfd.c Makefile

timerfd: Expect periodic timer performance failures

The current timerfd implementation fails to correctly count events on a
nanosecond callout interval. The timerfd__periodic_timer_performance
test detects this and reports failure.

Mark this test as an expected failure so it isn't flagged by CI. A link
to the bug report is attached to the test for reference.

While we're here, clean up some minor style and Make issues.

Fixes:          834c1ba793d9 ("timerfd: Add tests")
MFC after:      1 week
Delta     File
+2 -3     tests/sys/kern/timerfd.c
+0 -1     tests/sys/kern/Makefile
+2 -4     2 files

FreeBSD/src 98bedca lib/libpmc pmc.ibs.3, sys/dev/hwpmc hwpmc_ibs.h hwpmc_ibs.c

pmc: Fix copyright in previous commits

Fix the copyright attribution to Netflix and the date and missing SPDX
line in pmc.ibs man page.

Sponsored by: Netflix

Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/2094
Delta     File
+4 -1     lib/libpmc/pmc.ibs.3
+1 -2     sys/dev/hwpmc/hwpmc_ibs.h
+1 -2     sys/dev/hwpmc/hwpmc_ibs.c
+6 -5     3 files

FreeBSD/src 41b423c sys/rpc clnt_bck.c

clnt_bck.c: Delete a couple of old diagnostic printfs

There were two debug printf()s that were left in the
code while debugging the handling of callbacks over
a NFSv4.1/4.2 backchannel was being done.

This patch removes them, since they are no longer
of benefit and cause "noise".

Requested by:   wollman
MFC after:      2 weeks
Delta     File
+0 -2     sys/rpc/clnt_bck.c
+0 -2     1 files

FreeBSD/src 12e1ab8 sys/amd64/conf NOTES, sys/conf options.amd64

Add ASMC_DEBUG make option

This allows folks to enable debug statements in asmc(4) using kernel
configs via the `options ASMC_DEBUG` directive.

While here, remove a duplicate `device vt_efifb` directive in `NOTES`
as it's already handled in the `GENERIC` config

MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D54511

(cherry picked from commit f224591746bdaf14ad5f63de4738a3146cc2f55f)
Delta     File
+4 -0     sys/amd64/conf/NOTES
+3 -0     sys/conf/options.amd64
+7 -0     2 files

FreeBSD/src 432c95c sys/x86/conf NOTES

asmc(4): pull 32-bit support for the driver

The asmc(4) driver should work for 32-bit Intel-based Macs, in theory, if
the model details were added to the detection list. That being said,
32-bit Intel Macs were only released and available to the general public
for 8 months [1], so the value in maintaining i386 support in the driver is
reduced due to limited hardware access.

Remove 32-bit support for the driver officially to make it clear its use is
not supported.

This should fix building `NOTES.i386` by proxy as well.

Relnotes:       yes
MFC after:      2 weeks
Fixes:          f224591746b ("Add ASMC_DEBUG make option")
Fixes:          8342d9f7b5f ("asmc(4): Stop building it on i386, as...")
Differential Revision:  https://reviews.freebsd.org/D55544
(cherry picked from commit 1f2f5eba24aa53e180a4eb46b772410e5a782469)
Delta     File
+0 -2     sys/x86/conf/NOTES
+0 -2     1 files

FreeBSD/src f698988 tests/sys/netinet raw.c

tests/netinet: add raw:reconnect test

It tests repetitive connect(2) on AF_INET/SOCK_RAW including connect(2)
to INADDR_ANY that puts socket back into receive-all mode.
Delta     File
+170 -71  tests/sys/netinet/raw.c
+170 -71  1 files

FreeBSD/src 9ac7e03 stand/lua gfx-fbsdbw.lua gfx-beastie.lua

loader: Fix beastie and fbsdbw logo positions

Fix the beastie, beastiebw and fbsdbw positions broken after
ee233742a569

PR: 285044, 286356
Fixes: 1b4e11713153
Reviewed by: imp
MFC After: 2 days (14.3 candidate)
Sponsored by: PANS Jarosław
(cherry picked from commit 9486d6d57d14844972ee63382045e2ed7a300963)
Delta     File
+1 -1     stand/lua/gfx-fbsdbw.lua
+1 -0     stand/lua/gfx-beastie.lua
+1 -0     stand/lua/gfx-beastiebw.lua
+3 -1     3 files

FreeBSD/src 2321f54 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta     File
+11 -0    UPDATING
+1 -1     sys/conf/newvers.sh
+12 -1    2 files

FreeBSD/src c03577d sys/netpfil/pf pf_ioctl.c

pf: include all elements when hashing rules

Approved by:    so
Security:       FreeBSD-SA-26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit c6bcf6e6fd507d952a48226b51cc161b8ef972a2)
(cherry picked from commit e3b801edded92c1ccef67f9aef8653e996493460)
Delta     File
+83 -8    sys/netpfil/pf/pf_ioctl.c
+83 -8    1 files

FreeBSD/src 926ee63 sbin/pfctl pfctl.c

pfctl: always warn if a duplicate rule was detected

Approved by:    so
Security:       FreeBSD-SA-26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 66d66dd0f6f83926980fc1d68dd366c0057350c5)
(cherry picked from commit e79818ec36efafc994d8c5a912dcb94986c038c5)
Delta     File
+2 -2     sbin/pfctl/pfctl.c
+2 -2     1 files

FreeBSD/src 89ab511 tests/sys/netpfil/pf pass_block.sh

pf tests: verify that we handle address range rules correctly

There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.

Approved by:    so
Security:       FreeBSD-SA-26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)
(cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
Delta     File
+38 -0    tests/sys/netpfil/pf/pass_block.sh
+38 -0    1 files

FreeBSD/src d3c0dff sys/netpfil/pf pf_ioctl.c

pf: Fix hashing of IP address ranges

This corrects the false detection of duplicate rules.

Approved by:    so
Security:       FreeBSD-SA-26:09.pf
Security:       CVE-2026-4748
Reviewed by:    kp

(cherry picked from commit 1fa873c93c8b08561c53107c7b90c53dfad30ddc)
(cherry picked from commit ac6bb58a715eaf0afb7a80dc87083f9819e10ac1)
Delta     File
+1 -0     sys/netpfil/pf/pf_ioctl.c
+1 -0     1 files

FreeBSD/src a5812c7 . UPDATING, sys/conf newvers.sh

Add UPDATING entries and bump version

Approved by:    so
Delta     File
+11 -0    UPDATING
+1 -1     sys/conf/newvers.sh
+12 -1    2 files

FreeBSD/src b6865bc sys/netpfil/pf pf_ioctl.c

pf: include all elements when hashing rules

Approved by:    so
Security:       FreeBSD-SA:26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit c6bcf6e6fd507d952a48226b51cc161b8ef972a2)
(cherry picked from commit e3b801edded92c1ccef67f9aef8653e996493460)
Delta     File
+83 -8    sys/netpfil/pf/pf_ioctl.c
+83 -8    1 files

FreeBSD/src a429dbb sbin/pfctl pfctl.c

pfctl: always warn if a duplicate rule was detected

Approved by:    so
Security:       FreeBSD-SA:26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 66d66dd0f6f83926980fc1d68dd366c0057350c5)
(cherry picked from commit e79818ec36efafc994d8c5a912dcb94986c038c5)
Delta     File
+2 -2     sbin/pfctl/pfctl.c
+2 -2     1 files

FreeBSD/src 984b570 tests/sys/netpfil/pf pass_block.sh

pf tests: verify that we handle address range rules correctly

There's been a problem where rules which differed only in address ranges
were considered duplicates and not added. Test for this.

Approved by:    so
Security:       FreeBSD-SA:26:09.pf
Security:       CVE-2026-4748
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit ab74151e8d097b263237942c0b12277098bc9533)
(cherry picked from commit 958dbc87e9c59a2e9f83d84115ce03fb96e9b249)
Delta     File
+38 -0    tests/sys/netpfil/pf/pass_block.sh
+38 -0    1 files