BSD Commit Log Search

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi

Merge branch 'freebsd/current/main' into hardened/current/master

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main

pt: Switch to swi(9)

The pt hwt(4) backend uses NMIs to receive updates about the latest t
racing buffer offsets from the tracing hardware. However, it uses
taskqueue(9) to schedule the bottom-half handler. This can lead to
a panic since the taskqueue(9) code isn't aware it's being called
from an NMI context and uses the regular scheduling interfaces.

Fix this by scheduling the bottom-half handler using swi(9) and the
SWI_FROMNMI flag.

Fixes:  310162ea218a
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D52491

(cherry picked from commit 96d82d2d133acaf8effa2e3aee546276e39ff9f2)

sys/arm64: fix COMPAT_FREEBSD32 __syscall()

It seems like _QUAD_LOWWORD was incorrectly expanded into 1,
which is correct for big endian but not little endian.  This
means we always grab the padding word for the syscall number,
which is usually 0, causing SIGSYS to be delivered to the caller.
Reintroduce _QUAD_LOWWORD to fix the syscall.

PR:             290411
MFC after:      1 week
Discussed with: jrtc27
Reviewed by:    cognet, emaste
Approved by:    markj (mentor)
Fixes:          8c9c3144ccfa3061879b8cec015ee7d1010e4766
Differential Revision:  https://reviews.freebsd.org/D53250

(cherry picked from commit 1ca09538d94273601dac08204c1d0b3ca9115864)

sys/arm: add fp[gs]et* prototypes to <ieeefp.h>

We have provided implementations for hard float of these for
a while now.  Add them to the header to make things official.
This is required for a bunch of legacy programs in ports.

Approved by:    markj (mentor)
MFC after:      1 week
Differential Revision: https://reviews.freebsd.org/D53156

(cherry picked from commit a8079d40ae7f3cee17c94e61e43c24780a64a010)

sys/arm: add fp[gs]et* prototypes to <ieeefp.h>

We have provided implementations for hard float of these for
a while now.  Add them to the header to make things official.
This is required for a bunch of legacy programs in ports.

Approved by:    markj (mentor)
MFC after:      1 week
Differential Revision: https://reviews.freebsd.org/D53156

(cherry picked from commit a8079d40ae7f3cee17c94e61e43c24780a64a010)

sys/arm64: fix COMPAT_FREEBSD32 __syscall()

It seems like _QUAD_LOWWORD was incorrectly expanded into 1,
which is correct for big endian but not little endian.  This
means we always grab the padding word for the syscall number,
which is usually 0, causing SIGSYS to be delivered to the caller.
Reintroduce _QUAD_LOWWORD to fix the syscall.

PR:             290411
MFC after:      1 week
Discussed with: jrtc27
Reviewed by:    cognet, emaste
Approved by:    markj (mentor)
Fixes:          8c9c3144ccfa3061879b8cec015ee7d1010e4766
Differential Revision:  https://reviews.freebsd.org/D53250

(cherry picked from commit 1ca09538d94273601dac08204c1d0b3ca9115864)

tcp: improve credential handling in syncache

When adding a syncache entry, take a reference count of the
credentials while the inp is still locked.
Thanks to markj@ for providing a hint regarding the root cause.

Reported by:            David Marker
Reviewed by:            glebius
Tested by:              David Marker
Fixes:                  cbc9438f0505 ("tcp: improve ref count handling when processing SYN")
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D53380

(cherry picked from commit 44cb1e857f048d2326bdc1a032ccd2c04d2bcdc9)

udp: honor IPV6_TCLASS cmsg for UDP/IPv4 packets

Honor the IPPROTO_IPV6-level cmsg of type IPV6_TCLASS when sending
an UDP/IPv4 packet on an AF_INET6 socket.

Reviewed by:            bz
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D53347

(cherry picked from commit d3a3854fdc6e8da3bc6c1c13aab8d371445d2914)

udp: honor IPV6_TCLASS socket option for UDP/IPv4 packets

Honor the IPPROTO_IPV6-level socket option IPV6_TCLASS when sending
an UDP/IPv4 packet on an AF_INET6 socket.

Reviewed by:            bz, glebius
Sponsored by:           Netflix, Inc.
Differential Revision:  https://reviews.freebsd.org/D53346

(cherry picked from commit 3535546a86846ddb0ca5fe4a0689ac635b504459)

pf tests: tftp-proxy test case

Sponsored by:   Rubicon Communications, LLC ("Netgate")

aic7xxx: Fix a couple of typos in device messages

- s/Reseting/Resetting/
- s/staus/status/
- s/referrenced/referenced/

MFC after:      1 week

nfsclient: Fix a typo in a panic message

- s/eroneous/erroneous/

MFC after:      1 week

cam: Fix three typos in kernel messages

- s/maximun/maximum/
- s/queing/queueing/
- s/exhausing/exhausting/

MFC after:      1 week

padlock(4)/nehemiah: move i386-only entropy source to MD files

Reviewed by: khng
Differential Revision:  https://reviews.freebsd.org/D53309
(cherry picked from commit d1ca01059d5d756a4aef09d955e98aa59a284344)
(cherry picked from commit 88a53301e198b043e9b046b1c824eae5a24064f9)

Document the DEPRECATION NOTICE section for kernel interfaces

random: add RDSEED as a provably unique entropy source

NIST SP800-90B allows for only a single entropy source to be claimed
in a FIPS-140-3 certificate.  In addition, only hardware sources that
have a NIST Entropy Source Validation (ESV) certificate, backed by
a SP800-90B Entropy Assessment Report, are usable.  Intel has obtained
ESV certificates for several of their processors, so RDSEED is a
FIPS-140-3 suitable entropy source.

However, even though RDRAND is seeded by RDSEED internally, RDRAND
would need a RBG certificate and CAVP testing run on the DRBG in order
to use it for FIPS-140-3 (SP800-90B) purposes.  So we need to know
down in the CSPRNG-subsystem which source the entropy came from.

In light of the potential issues surrounding AMD Zen 5 CPU's RDSEED
implementation[*], allow RDSEED to be disabled in loader.conf.
[*] https://www.phoronix.com/news/AMD-EPYC-Turin-RDSEED-Bug

Reviewed by:    cem

    [6 lines not shown]

Add FENESTRASX to LINT to avoid breakage

(cherry picked from commit c1e7e8f5cb0f948abc4679dab295f1447363604d)

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi

Merge branch 'freebsd/current/main' into hardened/current/master

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main

libutil: defer setting the MAC label until after the login class

MAC policies, like mac_biba(4), may forbid changing the login class once
a label has been applied.  For setting up the initial login context,
this isn't really expected and in-fact may break some class-based
configuration.

Defer setting the MAC label until after the login class is set, and
remove the requirement that we have a pwd entry since the label is
pulled from the login class -- we only use pwd for syslog in this path.

Patch is largely by Kevin Barry, with some modifications and this commit
message by kevans@.

PR:             177698
Reviewed by:    des, olce
MFC after:      3 days
Co-authored-by: Kevin Barry <ta0kira gmail com>
Differential Revision:  https://reviews.freebsd.org/D53362

random: garbage collect the RANDOM_PURE_OCTEON entropy source

It was used for Octeon MIPS and all producers have been removed
from the source tree.

Reviewed by: emaste
Differential Revision:  https://reviews.freebsd.org/D53146
(cherry picked from commit 283699338c5724253f721f4d0e488113dd49bd17)

nfs_commonsubs.c: Get rid of variable used as a constant

The variable ncl_mbuf_mhlen is set to MHLEN and only
used in one place.  This patch simply deletes it and
replaces it with MHLEN.

This patch should not affect semantics.

Spotted while fixing cases that could do large
NFSM_DISSECT() sizes.

MFC after:      2 weeks

padlock.4: only install on i386

random: remove hifn(4)

Fixes:  685a78

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi

Merge branch 'freebsd/current/main' into hardened/current/master