kernel: Enable -fstack-protector-strong by default
This extends stack canary use to all functions which define arrays on
the stack, not just those which operate on byte buffers. This option
would have made it harder to exploit SA-26:18.setcred and
SA-26:08.rpcsec_gss.
The change bloats the amd64 kernel text by about 350KB and increases the
number of covered functions from ~1500 to ~9000 (within the kernel
itself, i.e., not counting kernel modules).
Reviewed by: olce, olivier, emaste
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D56870
tests/net: Run all tests with execenv=jail and enable parallelism
This has been stable in my testing, and enabling parallelism speeds up
test runs considerably. In particular, with -v parallelism=16 in a
16-vcpu bhyve VM my test runs go from ~50m to ~40m; the exact numbers
depend on the kernel config in use.
Reviewed by: pouria
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D57094
netlink: Avoid undefined behaviour
Even though it is not dereferenced, it is UB to take the address of an
out of bounds array element.
Reviewed by: pouria, bz, des, adrian
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57158
sound: Remove SV_ABI_LINUX ifdef
This ifdef does not do anything, SV_ABI_LINUX is a flag.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: ivy, brooks
Pull-Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/37
power: Fix stype name lengths
When updating the names of the sleep types in 95b4436e989d ("power:
Rename sleep types"), I forgot to update the lengths of the buffers they
went into.
Reported by: mhorne
Fixes: 95b4436e989d ("power: Rename sleep types")
Sponsored by: The FreeBSD Foundation
sound: Improve hw.snd.compat_linux_mmap
- Reject PROT_EXEC in all cases when Linux support is not compiled in.
- Define sysctl only when Linux support is compiled in.
- Document better.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: emaste
Pull Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/29
(cherry picked from commit b9c10eeb380b3ba629421062af8658e79a9171cd)
xhci: Do not drop and add bits in xhci
Drop and Add bits reset the data toggle for high-speed devices in XHCI.
The toggle bit represents the sequence number in USB 2.0 transfers. However,
a device can only recognize that the toggle bit has been reset while in
the HALT state. As a result, the host and device toggle values may
become mismatched, causing xHCI to reject the packet. This issue was
observed while testing the EZ-USB FX2 device.
The transfer may then return to the original value after a
bi-directional TD because the toggle field is only one bit wide. This
explains the reson that we can only receive packets bi-transfer in some
case. Therefore, we do not reset the toggle bit here.
Reviewed by: adrian
MFC after: 2 weeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57146
vop_read_pgcache_post(): the vnode is unlocked
Reported by: markj
Fixes: e9a5eb0e5e44 ("vop_read_pgcache_post(): report inotify IN_ACCESS same as for vop_read_post()")
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
EC2: Don't enable firstboot_pkgs in small flavour
The EC2 "base" flavour installs the devel/py-awscli package at boot
time by default; we don't do this in the "small" flavour, so the
default behaviour was to update the FreeBSD-ports repository and
then do nothing with it.
Turn off firstboot_pkgs by default; if someone is using the "small"
flavour of AMIs and wants to install packages at instance launch
time, they simply need to add 'firstboot_pkgs_enable="YES"' to
/etc/rc.conf (which they must already be editing via user-data, in
order to provide the list of packages they want installed).
Approved by: re (cperciva)
Sponsored by: Amazon
MFC after: 3 days
MFC to: stable/15
Relnotes: EC2 "small" images now have firstboot_pkgs_enable="NO".
[2 lines not shown]
ipfw: fix checksum after NAT
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
Approved by: re (cperciva)
PR: 295057
Reviewed by: tuexen
Differential Revision: https://reviews.freebsd.org/D57091
(cherry picked from commit 81b47a7c604f1d563283759572fa7a1f9d4dc56f)
(cherry picked from commit 198379d2c29fae7300b650a96199e51a66b87364)
mac_do.4: Jail parameter takes 'new', not 'enable'; uid_t/gid_t are 32-bit
Approved by: re (cperciva)
MFC after: 1 minute
Sponsored by: The FreeBSD Foundation
(cherry picked from commit 21df76d01fce35b0398cf38c31928c6f47111d55)
linuxulator: fix SO_PEERCRED emulation after 1d24638d3e8
For Linux binaries, sopt->sopt_td may be null. And there's also no
need to check it, since struct l_ucred has the same layout on 32-bit
systems as on 64-bit ones.
Approved by: re (cperciva)
PR: 295333
Reported by: Miguel Gomes <miguel.dias.gomes at protonmail.com>
Fixes: 1d24638d3e8 ("Fix LOCAL_PEERCRED in 32-bit compat mode")
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D57032
(cherry picked from commit 4cee16d471d47f4673e4d2c66f7a96d4e6d86ee9)
(cherry picked from commit 57fb48f8e2fca5f069e9bc3cf080608f602919a9)
fwget: update realtek and intel pci entries
For Realtek we only add new entries.
For Intel the old way of extracting IDs from the driver no longer
works. The new list is shortened as we drop more specific entries
which were already covered by wildcard entries. The new lists are
also sorted within the groups.
There are 4 entries the new driver no longer carries but are still
present in older versions, so we keep them manually.
Approved by: re (cperciva)
Sponsored by: The FreeBSD Foundation
(cherry picked from commit ca67cfa5237f7ac537ca8611054b5af2098e2d86)
(cherry picked from commit 3f702b299aa1d7625ee0e520c827e73e355775c9)
