ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()
Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
error handling code path. When ipf_checkicmp6matchingstate() calls
ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
which would crash when trying to access the mbuf via M_LEN().
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy at gmail.com>
ipfilter: Fix NULL dereferences in ipf_checkicmp6matchingstate()
Add NULL checks for ic6 (the ICMPv6 header pointer from fin->fin_dp)
and oic (the inner ICMPv6 header from ofin.fin_dp after ipf_makefrip).
These pointers can be NULL when processing malformed ICMPv6 error
packets with extension headers.
Also fix the length validation: the original check (fin->fin_plen <
sizeof(ip6_t)) could never trigger because an earlier check already
ensures fin->fin_plen >= ICMP6ERR_MINPKTLEN (48). Replace with a proper
check that fin->fin_dlen contains at least ICMPERR_ICMPHLEN +
sizeof(ip6_t) bytes to ensure sufficient data exists for both the
ICMPv6 error header and the embedded IPv6 header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy at gmail.com>
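Added illustration (not code from the ipfilter commit or the FreeBSD tree): a small C model of the length checks described above. ICMP6ERR_MINPKTLEN (48) is the value quoted in the commit; ICMPERR_ICMPHLEN (8), the 40-byte IPv6 header length, the stand-in struct and its two field meanings are assumptions. It shows why the original fin_plen check could never fire once the earlier minimum-length guard held, and how checking fin_dlen catches a packet whose extension headers left too little data for the ICMPv6 error header plus the embedded IPv6 header.

```c
#include <stdbool.h>

/* Lengths modelled on the commit text. ICMP6ERR_MINPKTLEN (48) is quoted
 * from the commit; ICMPERR_ICMPHLEN (8, the fixed part of an ICMPv6 error
 * message) and the 40-byte IPv6 header are assumptions for this model. */
#define ICMPERR_ICMPHLEN   8
#define IP6_HDRLEN         40
#define ICMP6ERR_MINPKTLEN 48

/* Stand-in for the two fr_info_t fields the checks use (assumed meanings,
 * named after the fields mentioned in the commit). */
struct fr_info_model {
    unsigned int fin_plen; /* length of the whole packet */
    unsigned int fin_dlen; /* bytes of data actually present at fin_dp */
};

/* The earlier guard the commit mentions: the packet as a whole must be at
 * least ICMP6ERR_MINPKTLEN bytes before it is treated as an ICMPv6 error. */
bool passes_minpktlen(const struct fr_info_model *fin)
{
    return fin->fin_plen >= ICMP6ERR_MINPKTLEN;
}

/* Original check: fin_plen < sizeof(ip6_t). Once passes_minpktlen() has
 * held, fin_plen >= 48 > 40, so this can never be true. */
bool old_check_rejects(const struct fr_info_model *fin)
{
    return fin->fin_plen < IP6_HDRLEN;
}

/* Replacement: test the data that is actually available after any
 * extension headers, which is what the parser is about to read. */
bool new_check_rejects(const struct fr_info_model *fin)
{
    return fin->fin_dlen < ICMPERR_ICMPHLEN + IP6_HDRLEN;
}

/* Decide whether the embedded IPv6 header may be parsed. */
bool icmp6err_inner_parseable(const struct fr_info_model *fin, bool use_new_check)
{
    if (!passes_minpktlen(fin))
        return false;
    return use_new_check ? !new_check_rejects(fin) : !old_check_rejects(fin);
}

/* Convenience wrapper: build the model from raw lengths and run the check. */
bool check_lengths(unsigned int plen, unsigned int dlen, bool use_new_check)
{
    struct fr_info_model fin = { plen, dlen };
    return icmp6err_inner_parseable(&fin, use_new_check);
}

/* Demonstrate the dead check: for every fin_plen that passes the earlier
 * guard, the original rejection never fires. Returns true if it never did. */
bool old_check_is_dead(unsigned int max_plen)
{
    for (unsigned int plen = ICMP6ERR_MINPKTLEN; plen <= max_plen; plen++) {
        struct fr_info_model fin = { plen, 0 };
        if (passes_minpktlen(&fin) && old_check_rejects(&fin))
            return false;
    }
    return true;
}
```

A 96-byte packet whose extension headers leave only 8 bytes of ICMPv6 data passes the old check and is rejected by the new one; that is the case the commit describes.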
ipfilter: Add NULL check for fin_dp in ICMP packet handlers
Add NULL checks for fin->fin_dp in ipf_pr_icmp6() and ipf_pr_icmp()
before dereferencing. When processing packets with IPv6 extension
headers, ipf_pr_pullup() can succeed but fin->fin_dp may still be NULL
due to extension header processing leaving insufficient data for the
protocol header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy at gmail.com>
ipfilter: Validate length before checksum
Validate that the length of the packet listed in the mbuf is the same as
the calculated packet length. If not, reject the packet and bump the
bad packet stat.
PR: 295198
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57095
nlist.3: Move deprecation notice after intro
It's more clear and good practice for the first sentence of a description
to describe what something is, because there are a lot of different use
cases for documentation.
Fixes: 94b7a335683a ("nlist.3: Add discouraged use notice")
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D57128
kinst/arm64: Handle an additional PC-relative instruction
"ldr <reg>, <literal>" loads a value from a literal memory address into
a register. It's PC-relative and so cannot be directly implemented
using the trampoline mechanism. Unfortunately, on arm64 it can't easily
be emulated either since the return-to-EL1 handler does not restore
callee-saved registers, so like adr/adrp, we simply don't handle it.
These instructions are fairly rare in an arm64 kernel.
While here, refactor the code so that all instruction decoding is done
in one place: introduce an enum type which characterizes the instruction
type, add a helper to map instructions to enum values, and store the
corresponding enum value in the probe description.
Reviewed by: christos
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56988
kinst/arm64: Fix return values from kinst_invop()
After commit 853cd8723494 it became invalid for kinst_invop() to return
0: dtrace_invop_start() would convert this to a sentinel value
indicating that it did not consume the breakpoint, and so we'd just
call kdb_trap() to handle it.
Change kinst_invop() to return NOP_INSTR after handling a matching
breakpoint. NOP_INSTR is handled by advancing the ELR, so we have to
compensate by subtracting INSTR_SIZE before returning.
Reviewed by: christos
MFC after: 1 week
Fixes: 853cd8723494 ("arm64: Clean up usage of the dtrace invop handler")
Differential Revision: https://reviews.freebsd.org/D56987
amd64/vmparam: Fix KASAN shadow map size in comment
The address range 0xfffff78000000000 - 0xfffff7bfffffffff spans exactly 256GB
(0x4000000000 bytes), not 512GB.
For a 2TB kernel map, based on the KASAN 1:8 shadow map ratio, the required
shadow map size is indeed 256GB. The current comment incorrectly states 512GB,
which can be misleading and cause confusion.
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57129
netlink: factor out compatibility code from inlined function
This is a refactor of 228c632ab3f62. First, move compatibility one level
up, where we still work with the full header. Second, move this rarely
executed code outside of the inline function. Should be no functional
change.
Reviewed by: pouria, melifaro
Differential Revision: https://reviews.freebsd.org/D56915
kern_umtx.c: remove dead code
It was a placeholder for the access control for process-shared umtx
memory, which is not needed.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D57122
crypto driver manuals: Add crypto to search index
While here, tag spdx and sync the drivers in crypto(4)/SEE ALSO.
MFC after: 2 days (add back hifn)
Differential Revision: https://reviews.freebsd.org/D57060
dpaa: Restore Semihalf license header
This is a "new" file, but is mostly copied from if_dtsec_fdt.c, so we need to
retain the original license header in addition to the new one.
Reviewed by: ziaee
Differential Revision: https://reviews.freebsd.org/D57123
i2c/sensors: Add driver for W83793 hardware monitor
The Winbond/Nuvoton W83793G system monitor chip includes many features
not currently supported by this driver. The following are currently
supported:
* Up to 6 temperature sensors, 4 of which have 10-bit resolution
(8.2), two with 8-bit resolution (no decimal component)
* Up to 12 fans
- Fans 0-4 (1-5 on the datasheet) are always enabled. The remaining 7
fans are individually enabled.
* Multiple voltage sensors, reading up to 10 voltage sources. Sysctls
are labeled to match the datasheet.
* Chassis open detection.
The W83793AG is a feature-reduced version, which lacks 3 thermal diodes
and 2 voltage monitors. Since there is no way to tell the difference
between the W83793AG and W83793G programmatically, sensors reported on
the W83793AG will report strange values.
[18 lines not shown]
pseries/llan: call init when ioctl sets interface UP
This should fix dhcp on an uninitialized interface. This solution was
found while comparing against another driver: SIOCSIFFLAGS is used by
dhclient to force the interface up before it has an IP address.
However, all setup work is done in llan_init(), so the interface would
not be enabled if configured via only the SIOCSIFFLAGS ioctl. By
running llan_init() when the interface is forced up via SIOCSIFFLAGS,
the interface is initialized properly.
PR: 292164
(cherry picked from commit 74dff310698b9a4da9804ed0ded00428b0aebbe8)
linuxulator: fix SO_PEERCRED emulation after 1d24638d3e8
For Linux binaries, sopt->sopt_td may be null. And there's also no
need to check it, since struct l_ucred has the same layout on 32-bit
systems as on 64-bit ones.
PR: 295333
Reported by: Miguel Gomes <miguel.dias.gomes at protonmail.com>
Fixes: 1d24638d3e8 ("Fix LOCAL_PEERCRED in 32-bit compat mode")
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D57032
(cherry picked from commit 4cee16d471d47f4673e4d2c66f7a96d4e6d86ee9)
ping: fix listing test cases when scapy is not installed
The ATF-python test program was attempting to list test cases that
require scapy. But it attempted to import the scapy module before the
test cases had been listed, resulting in an ImportError that kyua
interpreted as a test program crash.
Fix this behavior by handling that ImportError well enough to list test
cases, but not run them. If scapy isn't present, Kyua will refuse to
run the test cases. But it needs to be able to list them in order to
know to skip them.
Sponsored by: ConnectWise
Reviewed by: maxim
Differential Revision: https://reviews.freebsd.org/D56765
(cherry picked from commit 3e845b1090565912375c5578cf0399d27b7fa70c)
nfs_clsubs.c: Fix ncl_getcookie() when "pos" is negative
In ncl_getcookie(), a very large value for "off" for
a directory can result in "pos" being set to a bogus
value (including a negative one), due to truncation.
When "pos" is negative, it can skip past the
while (pos >= NFSNUMCOOKIES) loop and return a
bogus pointer instead of NULL.
This patch changes the type to u_int and also adds
a sanity check for a very large "off" to ensure that
a NULL pointer is returned for this case.
This bug has been in the code for decades and I am
not aware of any report of it causing a problem for
users.
(cherry picked from commit 448b4c3f7f7dd4c7e1707d7b833a26294c297182)
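Added illustration (not the NFS client's code and not the patch itself): a C model of the truncation bug described above and of the u_int plus sanity-check fix. The cookie chain, NFSNUMCOOKIES (31), NFS_DIRBLKSIZ (4096), the offset-to-position arithmetic and the exact form of the sanity check are all assumptions chosen for the demonstration; only the shape of the defect (a 64-bit offset narrowed to int, a negative "pos" skipping the `while (pos >= NFSNUMCOOKIES)` loop, a bogus result instead of NULL) follows the commit text.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Model constants: the commit does not give them, so both are assumptions. */
#define NFSNUMCOOKIES 31
#define NFS_DIRBLKSIZ 4096

/* Simplified directory cookie chain: one block of cookies per node. */
struct cookie_block {
    uint64_t ndm_cookies[NFSNUMCOOKIES];
    struct cookie_block *ndm_next;
};

/* What the lookup hands back: found == false models a NULL return. */
struct cookie_ref {
    bool found;
    int  block;   /* which block of the chain */
    long slot;    /* index into ndm_cookies[]; negative is the bug */
};

/* Pre-fix shape (modelled on the commit's description): "pos" is an int, so
 * the high bits of a 64-bit offset are dropped when it is assigned. */
struct cookie_ref getcookie_old(const struct cookie_block *head, int64_t off)
{
    struct cookie_ref r = { false, 0, 0 };
    const struct cookie_block *dp = head;
    int pos = (int)(off / NFS_DIRBLKSIZ); /* truncation happens here */

    /* A negative pos skips this loop entirely ... */
    while (pos >= NFSNUMCOOKIES) {
        pos -= NFSNUMCOOKIES;
        dp = dp->ndm_next;
        r.block++;
        if (dp == NULL)
            return r;            /* legitimate NULL: past end of chain */
    }
    /* ... and the original would return &dp->ndm_cookies[pos] with pos < 0. */
    r.found = true;
    r.slot = pos;
    return r;
}

/* Post-fix shape: unsigned pos plus a sanity check that refuses any offset
 * whose block number would not survive conversion to unsigned int. */
struct cookie_ref getcookie_new(const struct cookie_block *head, int64_t off)
{
    struct cookie_ref r = { false, 0, 0 };
    const struct cookie_block *dp = head;

    if (off < 0 || (uint64_t)off / NFS_DIRBLKSIZ >= UINT_MAX)
        return r;                /* NULL for absurd offsets */

    unsigned int pos = (unsigned int)(off / NFS_DIRBLKSIZ);
    while (pos >= NFSNUMCOOKIES) {
        pos -= NFSNUMCOOKIES;
        dp = dp->ndm_next;
        r.block++;
        if (dp == NULL)
            return r;
    }
    r.found = true;
    r.slot = pos;
    return r;
}

/* Constructed three-block chain for the demonstration. */
static struct cookie_block chain[3];

const struct cookie_block *demo_chain(void)
{
    chain[0].ndm_next = &chain[1];
    chain[1].ndm_next = &chain[2];
    chain[2].ndm_next = NULL;
    return &chain[0];
}
```

Two offsets are worth trying: one whose block number truncates to -1 (the old lookup skips the loop and yields slot -1), and one whose block number truncates to a small positive value (the old lookup silently returns a cookie from the wrong place). The fixed lookup returns NULL for both.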
cap_net: do not allow new limits to drop keys from the old ones
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D56991
(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
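Added illustration (not libcasper's code): a C model of the limit-narrowing rule from the cap_net commit above. A limit is represented as three optional keys named after the ones in the commit (family, hosts, sockaddr); the pre-fix variant skips any key the new limit omits, so a caller that re-applies a limit without "hosts" silently regains access to every host, while the fixed variant refuses a new limit that drops a key the old one had. The string-valued keys, the subset rule for keys present on both sides, and the scenarios are assumptions for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define LIMIT_MAX 8

/* One limit key (family, hosts or sockaddr in the commit's terms).
 * present == false means the key was not part of the limit at all. */
struct limit_key {
    bool        present;
    size_t      count;
    const char *values[LIMIT_MAX];
};

struct net_limit {
    struct limit_key family;
    struct limit_key hosts;
    struct limit_key sockaddr;
};

static bool key_has(const struct limit_key *k, const char *v)
{
    for (size_t i = 0; i < k->count; i++)
        if (strcmp(k->values[i], v) == 0)
            return true;
    return false;
}

/* Every value in newk must already be allowed by oldk (subset rule, assumed
 * here; the commit itself only concerns the missing-key case). */
static bool key_narrows(const struct limit_key *oldk, const struct limit_key *newk)
{
    for (size_t i = 0; i < newk->count; i++)
        if (!key_has(oldk, newk->values[i]))
            return false;
    return true;
}

/* Pre-fix behaviour: a key absent from the new limit is skipped, i.e.
 * treated as "allow any", even when the old limit restricted it. */
static bool key_ok_old(const struct limit_key *oldk, const struct limit_key *newk)
{
    if (!newk->present)
        return true;             /* silently widens the limit */
    return !oldk->present || key_narrows(oldk, newk);
}

/* Post-fix behaviour: once a key has been restricted it must stay present. */
static bool key_ok_new(const struct limit_key *oldk, const struct limit_key *newk)
{
    if (oldk->present && !newk->present)
        return false;            /* dropping a key is not narrowing */
    if (!newk->present)
        return true;             /* neither side restricts this key */
    return !oldk->present || key_narrows(oldk, newk);
}

bool limit_accept_old(const struct net_limit *oldl, const struct net_limit *newl)
{
    return key_ok_old(&oldl->family, &newl->family)
        && key_ok_old(&oldl->hosts, &newl->hosts)
        && key_ok_old(&oldl->sockaddr, &newl->sockaddr);
}

bool limit_accept_new(const struct net_limit *oldl, const struct net_limit *newl)
{
    return key_ok_new(&oldl->family, &newl->family)
        && key_ok_new(&oldl->hosts, &newl->hosts)
        && key_ok_new(&oldl->sockaddr, &newl->sockaddr);
}

/* Constructed current limit: one family, one host, no sockaddr key. */
static const struct net_limit current_limit = {
    .family   = { true, 1, { "AF_INET" } },
    .hosts    = { true, 1, { "updates.example.org" } },
    .sockaddr = { false, 0, { NULL } },
};

/* Scenario: the caller re-applies a limit that omits "hosts". */
bool scenario_drop_hosts(bool fixed)
{
    struct net_limit req = { .family = { true, 1, { "AF_INET" } } };
    return fixed ? limit_accept_new(&current_limit, &req)
                 : limit_accept_old(&current_limit, &req);
}

/* Scenario: the caller keeps every key with the same values. */
bool scenario_same_keys(bool fixed)
{
    struct net_limit req = current_limit;
    return fixed ? limit_accept_new(&current_limit, &req)
                 : limit_accept_old(&current_limit, &req);
}

/* Scenario: the caller keeps the keys but tries to add a second host. */
bool scenario_add_host(bool fixed)
{
    struct net_limit req = current_limit;
    req.hosts.values[req.hosts.count++] = "other.example.net";
    return fixed ? limit_accept_new(&current_limit, &req)
                 : limit_accept_old(&current_limit, &req);
}
```

Only the dropped-key scenario changes outcome between the two variants; a limit that is the same or tries to add a value is handled identically, which is the behaviour a caller should expect from a narrow-only interface.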