FreshBSD

Bump newvers.sh and add UPDATING block.

Approved by:    so

Mitigations for Microarchitectural Data Sampling.

Approved by:    so
Security:       FreeBSD-SA-19:07.mds
Security:       CVE-2018-12126
Security:       CVE-2018-12127
Security:       CVE-2018-12130
Security:       CVE-2019-11091

Update ntpd to 4.2.8p13 to fix authenticated denial of service.

Approved by:    so
Security:       FreeBSD-SA-19:04.ntp
Security:       CVE-2019-8936

Update hostapd/wpa_supplicant to 2.8 to fix multiple vulnerabilities.

Approved by:    so
Security:       FreeBSD-SA-19:03.wpa
Security:       CVE-2019-9494
Security:       CVE-2019-9495
Security:       CVE-2019-9496
Security:       CVE-2019-9497
Security:       CVE-2019-9498
Security:       CVE-2019-9499
Security:       CVE-2019-11555

Fix partially matching relative paths in xinstall.

Approved by:    so
Security:       FreeBSD-EN-19:09.xinstall

Import tzdata 2019a.

Approved by:    so
Security:       FreeBSD-EN-19:08.tzdata

Bump newvers.sh and add UPDATING block.

Approved by:    so

Mitigations for Microarchitectural Data Sampling.

Approved by:    so
Security:       FreeBSD-SA-19:07.mds
Security:       CVE-2018-12126
Security:       CVE-2018-12127
Security:       CVE-2018-12130
Security:       CVE-2019-11091

Update ntpd to 4.2.8p13 to fix authenticated denial of service.

Approved by:    so
Security:       FreeBSD-SA-19:04.ntp
Security:       CVE-2019-8936

Update hostapd/wpa_supplicant to 2.8 to fix multiple vulnerabilities.

Approved by:    so
Security:       FreeBSD-SA-19:03.wpa
Security:       CVE-2019-9494
Security:       CVE-2019-9495
Security:       CVE-2019-9496
Security:       CVE-2019-9497
Security:       CVE-2019-9498
Security:       CVE-2019-9499
Security:       CVE-2019-11555

Fix partially matching relative paths in xinstall.

Approved by:    so
Security:       FreeBSD-EN-19:09.xinstall

Import tzdata 2019a.

Approved by:    so
Security:       FreeBSD-EN-19:08.tzdata

MFC r346602, r346670-r346671, r347183: tun/tap race fixes

r346602:
tun(4): Defer clearing TUN_OPEN until much later

tun destruction will not continue until TUN_OPEN is cleared. There are brief
moments in tunclose where the mutex is dropped and we've already cleared
TUN_OPEN, so tun_destroy would be able to proceed while we're in the middle
of cleaning up the tun still. tun_destroy should be blocked until these
parts (address/route purges, mostly) are complete.

r346670:
tun/tap: close race between destroy/ioctl handler

It seems that there should be a better way to handle this, but this seems to
be the more common approach and it should likely get replaced in all of the
places it happens... Basically, thread 1 is in the process of destroying the
tun/tap while thread 2 is executing one of the ioctls that requires the
tun/tap mutex and the mutex is destroyed before the ioctl handler can
acquire it.

This is only one of the races described/found in PR 233955.

r346671:
tun(4): Don't allow open of open or dying devices

    [54 lines not shown]

MFC r336405:
  Move invoking of callout_stop(&lle->lle_timer) into llentry_free().

  This deduplicates the code a bit, and also implicitly adds missing
  callout_stop() to in[6]_lltable_delete_entry() functions.

  PR:          209682, 225927

MFC r336405:
  Move invoking of callout_stop(&lle->lle_timer) into llentry_free().

  This deduplicates the code a bit, and also implicitly adds missing
  callout_stop() to in[6]_lltable_delete_entry() functions.

  PR:          209682, 225927

MFC: r340495

- Restore setting the clock for devices which support the default/legacy
  transfer mode only (lost with r321385). [1]
- Similarly, don't try to set the power class on MMC devices that comply
  to version 4.0 of the system specification but are operated in default/
  legacy transfer or 1-bit bus mode as no power class is specified for
  these cases. Trying to set a power class nevertheless resulted in an -
  albeit harmless - error message.

PR:     231713 [1]

MFC: r333647, r338275, r338280, r338513

- If present, take advantage of the R/W cache of eMMC revision 1.5 and
  later devices. These caches work akin to the ones found in HDDs/SSDs
  that ada(4)/da(4) also enable if existent, but likewise increase the
  likelihood of data loss in case of a sudden power outage etc. On the
  other hand, write performance is up to twice as high for e. g. 1 GiB
  files depending on the actual chip and transfer mode employed.
  For maximum data integrity, the usage of eMMC caches can be disabled
  via the hw.mmcsd.cache tunable.
- Get rid of the NOP mmcsd_open().
- Obtain the bus mode (MMC or SD) from the directly superordinated
  bus rather than reaching up to the bridge and use the cached mode
  in mmcsd_delete(), too.
- Use le32dec(9) for decoding EXT_CSD values where it makes sense. [1]
- Locally cache some instance variable values in mmc_discover_cards()
  in order to improve the code readability a bit.

Obtained from:  NetBSD [1]

MFC: r338304

The read accessors generated by __BUS_ACCESSOR() have the problem that
they don't check the result of BUS_READ_IVAR(9) and silently return stack
garbage on failure in case a bus doesn't implement a particular instance
variable for example. With MMC bridges not providing MMCBR_IVAR_RETUNE_REQ,
yet, this in turn can cause mmc(4) to get into a state in which re-tuning
seems to be necessary but is inappropriate, causing mmc_wait_for_request()
to fail. Thus, don't use __BUS_ACCESSOR() for mmcbr_get_retune_req() and
instead provide a version of the latter which returns retune_req_none if
reading MMCBR_IVAR_RETUNE_REQ fails.

Revert "MMC, HS200/HS400 support seems to break mmc legacy support, clock probing seems to 
have issues."

This reverts commit c4ec367c3d9c4c29da94411b29fe6bfa55cb5d09.

pf: Ensure that IP addresses match in ICMP error packets

States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an exiting connection.  It was
not checked whether the outer ICMP packet has the same destination
IP as the source IP of the inner protocol packet.  Enforce that
these addresses match, to prevent ICMP packets that do not make
sense.

Reported by:    Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken, Luca Moro at 
Synacktiv
Obtained from:  OpenBSD
Security:       CVE-2019-5598

pf: Ensure that IP addresses match in ICMP error packets

States in pf(4) let ICMP and ICMP6 packets pass if they have a
packet in their payload that matches an exiting connection.  It was
not checked whether the outer ICMP packet has the same destination
IP as the source IP of the inner protocol packet.  Enforce that
these addresses match, to prevent ICMP packets that do not make
sense.

Reported by:    Nicolas Collignon, Corentin Bayet, Eloi Vanderbeken, Luca Moro at 
Synacktiv
Obtained from:  OpenBSD
Security:       CVE-2019-5598

MFC r344510

netmap: remove redundant call to nm_set_native_flags()

This redundant call was introduced by mistake in r343772.

Sponsored by:   Sunny Valley Networks

MFC r343579, r344253

netmap: fix lock order reversal related to kqueue usage

When using poll(), select() or kevent() on netmap file descriptors,
netmap executes the equivalent of NIOCTXSYNC and NIOCRXSYNC commands,
before collecting the events that are ready. In other words, the
poll/kevent callback has side effects. This is done to avoid the
overhead of two system call per iteration (e.g., poll() + ioctl(NIOC*XSYNC)).

When the kqueue subsystem invokes the kqueue(9) f_event callback
(netmap_knrw), it holds the lock of the struct knlist object associated
to the netmap port (the lock is provided at initialization, by calling
knlist_init_mtx).
However, netmap_knrw() may need to wake up another netmap port (or even
the same one), which means that it may need to call knote().
Since knote() needs the lock of the struct knlist object associated to
the to-be-wake-up netmap port, it is possible to have a lock order reversal
problem (AB/BA deadlock).

This change prevents the deadlock by executing the knote() call in a
per-selinfo taskqueue, where it is possible to hold a mutex.
The change also adds a counter (kqueue_users) to keep track of how many
kqueue users are referencing a given struct nm_selinfo.
In this way, nm_os_selwakeup() can schedule the kevent notification

    [6 lines not shown]

vmx(4): add native netmap support

This change adds native netmap support for the vmx(4) adapter
(vmxnet3). Native support comes for free in 12, since the driver has been
ported to iflib. To make it minimally intrusive, the native support is
only enabled if vmxnet3.netmap_native is set at boot (e.g., in loader.conf).

Tested on stable/11 running inside vmplayer.

Submitted by:   Giuseppe Lettieri <g.lettieri at iet.unipi.it>
Reviewed by:    vmaffione, bryanv
Sponsored by:   Sunny Valley Networks
Differential Revision:  https://reviews.freebsd.org/D19104

MFC r343772, r343867

netmap: refactor logging macros and pipes

Changelist:
    - Replace ND, D and RD macros with nm_prdis, nm_prinf, nm_prerr
      and nm_prlim, to avoid possible naming conflicts.
    - Add netmap_krings_mode_commit() helper function and use that
      to reduce code duplication.
    - Refactor pipes control code to export some functions that
      can be reused by the veth driver (on Linux) and epair(4).
    - Add check to reject API requests with version less than 11.
    - Small code refactoring for the null adapter.

Conflicts:
        sys/dev/netmap/netmap.c

MFC r343689

netmap: upgrade sync-kloop support

Add SYNC_KLOOP_MODE option, and add support for direct mode, where application
executes the TXSYNC and RXSYNC in the context of the ioeventfd wake up callback.

MFC r343549

netmap: add notifications on kloop stop

On sync-kloop stop, send a wake-up signal to the kloop, so that
waiting for the timeout is not needed.
Also, improve logging in netmap_freebsd.c.

MFC r343346

netmap: improvements to the netmap kloop (CSB mode)

Changelist:
    - Add the proper memory barriers in the kloop ring processing
      functions.
    - Fix memory barriers usage in the user helpers (nm_sync_kloop_appl_write,
      nm_sync_kloop_appl_read).
    - Fix nm_kr_txempty() helper to look at rhead rather than rcur. This
      is important since the kloop can read a value of rcur which is ahead
      of the value of rhead (see explanation in nm_sync_kloop_appl_write)
    - Remove obsolete ptnetmap_guest_write_kring_csb() and
      ptnet_guest_read_kring_csb().
    - Prepare in advance the arguments for netmap_sync_kloop_[tr]x_ring(),
      to make the kloop faster.
    - Provide kernel and user implementation for nm_ldld_barrier() and
      nm_ldst_barrier()

MFC r343344

netmap: fix knote() argument to match the mutex state

The nm_os_selwakeup function needs to call knote() to wake up kqueue(9)
users. However, this function can be called from different code paths,
with different lock requirements.
This patch fixes the knote() call argument to match the relavant lock state.
Also, comments have been updated to reflect current code.

PR:     https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=219846
Reported by:    Aleksandr Fedorov <aleksandr.fedorov at itglobal.com>
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D18876

netmap: small cleanup on em, lem, igb, ixgbe

Replace D, ND and RD macros with the corresponding nm_pr* ones.

ixl: remove unnecessary limitations related to netmap

Netmap supports the case where TX rings and RX rings have different size.
Remove unnecessary limitations related to netmap support, making the code
simpler.
Also, check that the value of the hw head index written back from the NIC
is valid.

Reviewed by:    erj
Differential Revision:  https://reviews.freebsd.org/D18984

MFC r343413

netmap: fix crash with monitors and VALE ports

Crash report described here:
    https://github.com/luigirizzo/netmap/issues/583
Fixed by providing dummy sync callback in case it is missing.

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or 
cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Security:       CVE-2019-5597
Obtained from:  OpenBSD
Reported by:    Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

revert 
https://github.com/HardenedBSD/hardenedBSD-stable/commit/77a10c68ac3bf9cd0da50bd537dab858462c07f7 
 (https://reviews.freebsd.org/D14282) since it seems to cause crashes for some uefi boot 
systems.

pf: IPv6 fragments with malformed extension headers could be erroneously passed by pf or 
cause a panic

We mistakenly used the extoff value from the last packet to patch the
next_header field. If a malicious host sends a chain of fragmented packets
where the first packet and the final packet have different lengths or number of
extension headers we'd patch the next_header at the wrong offset.
This can potentially lead to panics or rule bypasses.

Security:       CVE-2019-5597
Obtained from:  OpenBSD
Reported by:    Corentin Bayet, Nicolas Collignon, Luca Moro at Synacktiv

revert 
https://github.com/HardenedBSD/hardenedBSD-stable/commit/77a10c68ac3bf9cd0da50bd537dab858462c07f7 
 (https://reviews.freebsd.org/D14282) since it seems to cause crashes for some uefi boot 
systems.

re: compile on arm

re: compile on arm

Revert "pmcstat: that doesn't make any sense..."

This reverts commit 7913071e4c5a9e09fab097d50af7c695377b4136.

Revert "uathload: same as previous"

This reverts commit 9c051fee57a1e1c13b9a9bae7555d1c548eda9b8.

Revert "nghook: disable compilation, armv6 issue and usused"

This reverts commit 2160e45071f999387fef62f79b5a46483450ae5a.

pmcstat: that doesn't make any sense...

uathload: same as previous

nghook: disable compilation, armv6 issue and usused

PR: https://github.com/opnsense/tools/issues/113

UPDATING and newvers entries for 11.2-p9

Approved by:    so
Security:       FreeBSD-SA-19:01.syscall

amd64: clear callee-preserved registers on syscall exit

Submitted by:   kib
Approved by:    so
Security:       CVE-2019-5595
Security:       FreeBSD-SA-19:01.syscall

amd64: clear callee-preserved registers on syscall exit

Submitted by:   kib
Approved by:    so
Security:       CVE-2019-5595
Security:       FreeBSD-SA-19:01.syscall

UPDATING and newvers entries for 11.2-p9

Approved by:    so
Security:       FreeBSD-SA-19:01.syscall

MMC, HS200/HS400 support seems to break mmc legacy support, clock probing seems to have 
issues.

Original source 
https://github.com/freebsd/freebsd/commit/398d5fc6afb7ce20f0cf9ecc4fe286e72afdbf29

This commit resets mmc_calculate_clock() to it's original behaviour.

MMC, HS200/HS400 support seems to break mmc legacy support, clock probing seems to have 
issues.

Original source 
https://github.com/freebsd/freebsd/commit/398d5fc6afb7ce20f0cf9ecc4fe286e72afdbf29

This commit resets mmc_calculate_clock() to it's original behaviour.

UPDATING and newvers entries for 11.2-p8

Approved by:    so
Security:       FreeBSD-EN-19:03.sqlite
Security:       FreeBSD-EN-19:04.tzdata
Security:       FreeBSD-EN-19:05.kqueue

MFS11 r340904: Avoid unsynchronized updates to kn_status.

Approved by:    so
Security:       FreeBSD-EN-19:05.kqueue