The loopback device allows us to record desktop sound by reading from
it, or even use it as an input device, for example during a call.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: emaste
Pull-Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/16
Make sure the user is part of the audio group to avoid unintended
snooping of loopback audio by unprivileged users.
While here, retire voss_dsp_perm, since we don't use the same value
everywhere now.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: emaste
Pull-Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/26
To be initially used by virtual_oss(8) loopback devices.
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: emaste
Pull-Request: https://ron-dev.freebsd.org/FreeBSD/src/pulls/26
Since we are sleeping for an indefinite period of time waiting
for the default route to appear, the expire times may be gone
past 1+ seconds, causing the Expire column to show <1800 or <600.
Fixes: f6bcc0925f
Reviewed by: pouria
Approved by: lwhsu (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D56712
When doing a large `make universe` build with multiple KERNCONFS,
it should not be an error when a particular target has a missing
KERNCONF.
In this example,
```
$ make universe TARGETS='arm64 riscv' KERNCONFS='QEMU VIRT'
```
Currently, arm64 does not have a QEMU conf, and riscv
does not have a VIRT conf. However, this command should still
succeed instead of failing with the following message:
```
make[2]: /usr/src/Makefile:767: Target architecture for riscv/conf/VIRT unknown. config(8) likely too old.
in .for loop from /usr/src/Makefile:761 with kernel = VIRT
in make[2] in directory "/usr/src"
make[2]: stopped making "universe_kernels" in /usr/src
```
Since the opposite is true, we should build whatever confs are available
from the requested list of KERNCONFS, while making sure to still
emit warnings along the way.
Reviewed by: imp
Approved by: lwhsu (mentor), emaste (mentor)
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D55571
This reverts commit 2fe37927d4.
This turns out to have been misguided. First, clearing the
hash results in all loopback ip/ip6 traffic being hashed
to the netisr queue associated with the if_index of the loopback
interface. Eg, it bottlenecks loopback traffic. When the
hash is kept, traffic is spread evenly among netisrs.
Also, it is safe to keep the hash here. The clearing was only
needed when RSS core selection is enabled; we only enabled the
consistent hashing parts of RSS globally, not the cpuid mapping
stuff. So there is no need to clear it.
Reviewed by: glebius
Sponsored by: Netflix
When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.
PR: 295057
Reviewed by: tuexen
MFC after: immediately
Differential Revision: https://reviews.freebsd.org/D57091
pselect(2) might overflow if the descriptor number is above
FD_SETSIZE and silently corrupt the stack. Switch to ppoll(2) so
the receive socket fd is no longer constrained by FD_SETSIZE.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D56721
Add metric support and show its value in wide flag and
libxo output.
Also, add metric to the description of wide flag (`-w`) in
routing display (`-r`) section of manual page.
Reviewed by: markj (manpage)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D57011
* Use our new 32-bit metric for RTA_PRIORITY support.
* Update snl library for new RTA_PRIORITY support.
* return RTA_PRIORITY for both MPATH and non-MPATH routes.
Reviewed by: glebius (previous version)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D56323
In our routing stack implementation, metric is an attribute
of the nexthop, not the route itself.
Store metric in nhop_priv which is control-plane data of
nexthop, filter the nexthops by metric and populate the mpath
slots in nexthop group with only the lowest metric nexthops
for use in the forwarding path.
`cmp_priv()` compares nhops based on priv hash.
Add metric compare logic to it and only return nexthops
with different metrics if the input nexthop's metric is
zero (wildcard).
Also, add support for metric via rtsock by introducing rmx_metric.
Finally, remove the upper 8-bit reservation of weight for
administrative distance.
Reviewed by: adrian
Discussed with: markj
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D56322
The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan. The untrusted network names are evaluated in
f_dialog_menu_wireless_edit. The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.
Pass the SSID names through f_shell_escape to work around this. Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.
I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des
Differential Revision: https://reviews.freebsd.org/D56974
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters. Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des, asiciliano
Differential Revision: https://reviews.freebsd.org/D56973
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.
Approved by: so
Security: FreeBSD-SA-26:22.libcasper
Security: CVE-2026-39461
Reported by: Joshua Rogers
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56695
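The FD_SETSIZE limit described in this commit and in the pselect(2) to ppoll(2) change above, as an added example that is not code from either commit: a bounds guard for fd_set use and a poll(2)-based wait that works for any descriptor value. The function names and the pipe-based demo are constructed for illustration.

```c
#include <sys/resource.h>
#include <sys/select.h>
#include <fcntl.h>
#include <poll.h>
#include <unistd.h>

/* FD_SET() indexes a fixed bitmap by fd value: only [0, FD_SETSIZE) is in bounds. */
static int fd_fits_fd_set(int fd)
{
	return (fd >= 0 && fd < FD_SETSIZE);
}

/* Returns 1 if readable (or at EOF), 0 on timeout, -1 on error. Safe for any fd. */
static int wait_readable(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int n = poll(&pfd, 1, timeout_ms);	/* array slot 0, whatever fd's value */

	if (n <= 0)
		return (n);
	return ((pfd.revents & (POLLIN | POLLHUP)) != 0 ? 1 : -1);
}

/* Duplicate fd onto a number >= FD_SETSIZE; -1 if the fd limit forbids it. */
static int dup_above_fd_setsize(int fd)
{
	struct rlimit rl;
	rlim_t want = FD_SETSIZE + 16;

	if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
		rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
		(void)setrlimit(RLIMIT_NOFILE, &rl);
	}
	return (fcntl(fd, F_DUPFD, FD_SETSIZE));
}

/* Constructed demo: poll a pipe through a high-numbered duplicate when possible. */
static int poll_demo(void)
{
	int p[2], hi;

	if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
		return (-1);
	hi = dup_above_fd_setsize(p[0]);
	if (hi >= 0 && fd_fits_fd_set(hi))
		return (-1);	/* F_DUPFD must hand back a number >= FD_SETSIZE */
	return (wait_readable(hi >= 0 ? hi : p[0], 100));
}

int main(void) { return (poll_demo() == 1 ? 0 : 1); }
```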
- Fix an off-by-one in the system call number check. A value of
SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
syscall(2)/__syscall(2), since they pass the syscall number as an
argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
make sure that nargs > 0 to avoid an underflow when shifting arguments
down.
Add regression tests.
Approved by: so
Security: FreeBSD-SA-26:21.ptrace
Security: CVE-2026-45253
Fixes: 140ceb5d95 ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D56978
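The three checks listed in this commit, as an added user-space model that is not the kernel code from the commit: the indirect-call cases are resolved first, with the nargs guard, and the range check runs last on the number that would actually execute. The DEMO_ constants, struct and function names are constructed for illustration.

```c
#include <string.h>

#define DEMO_SYS_SYSCALL	0	/* constructed stand-in for syscall(2) */
#define DEMO_SYS___SYSCALL	198	/* constructed stand-in for __syscall(2) */
#define DEMO_MAXSYSCALL		600	/* constructed: first number past the table */
#define DEMO_MAXARGS		8

struct demo_req {
	long		number;
	unsigned int	nargs;
	long		args[DEMO_MAXARGS];
};

/* Normalizes *r in place and returns 0, or returns -1 to reject the request. */
static int demo_validate(struct demo_req *r)
{
	if (r->nargs > DEMO_MAXARGS)
		return (-1);
	if (r->number == DEMO_SYS_SYSCALL || r->number == DEMO_SYS___SYSCALL) {
		/* The real number is args[0]; with nargs == 0, nargs - 1 wraps. */
		if (r->nargs == 0)
			return (-1);
		r->number = r->args[0];
		r->nargs--;
		memmove(&r->args[0], &r->args[1], r->nargs * sizeof(r->args[0]));
	}
	/* Range check last, on the number that would run; ">" admits MAXSYSCALL. */
	if (r->number < 0 || r->number >= DEMO_MAXSYSCALL)
		return (-1);
	return (0);
}

/* Returns the syscall number that would run, or -1 if the request is rejected. */
static long demo_resolve(long number, unsigned int nargs, long a0, long a1)
{
	struct demo_req r = { .number = number, .nargs = nargs, .args = { a0, a1 } };

	return (demo_validate(&r) == 0 ? r.number : -1);
}

int main(void)
{
	return (demo_resolve(DEMO_SYS_SYSCALL, 2, 20, 7) == 20 ? 0 : 1);
}
```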
The fuse protocol requires the server to respond to LISTXATTR with a
NUL-terminated string. If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.
Approved by: so
Security: FreeBSD-SA-26:20.fusefs
Security: CVE-2026-45252
admbugs: 1039
Reported by: Joshua Rogers
Sponsored by: ConnectWise
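The termination check described in this commit, as an added user-space example that is not the fusefs code: the reply is rejected before any scan unless its last byte is NUL, and every later scan is bounded by the reply length. It assumes the reply is a run of names packed back to back, each ended by NUL; the function name and sample buffer are constructed.

```c
#include <stddef.h>
#include <string.h>

/*
 * Count the names in a LISTXATTR-style reply of len bytes.
 * Returns the count, or -1 if the reply is not NUL-terminated.
 */
static int count_xattr_names(const char *buf, size_t len)
{
	size_t off = 0;
	int n = 0;

	if (len == 0)
		return (0);
	/* Reject before scanning: the last byte the server sent must be NUL. */
	if (buf[len - 1] != '\0')
		return (-1);
	while (off < len) {
		/* memchr() is bounded by the bytes left in the reply, never past it. */
		const char *end = memchr(buf + off, '\0', len - off);

		if (end == NULL)
			return (-1);	/* defensive: cannot happen after the check above */
		off = (size_t)(end - buf) + 1;
		n++;
	}
	return (n);
}

int main(void)
{
	/* Constructed reply; the string literal supplies the final NUL. */
	static const char good[] = "user.a\0user.b";

	return (count_xattr_names(good, sizeof(good)) == 2 ? 0 : 1);
}
```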
Otherwise they may be left on a freed selinfo list after the
corresponding jaildesc struct is freed. This can be exploited to
elevate privileges.
Remove the JDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Fixes: 66d8ffe304 ("jaildesc: add kevent support")
Reviewed by: kib, jamie
Differential Revision: https://reviews.freebsd.org/D56945
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
Add NULL checks for ic6 (the ICMPv6 header pointer from fin->fin_dp)
and oic (the inner ICMPv6 header from ofin.fin_dp after ipf_makefrip).
These pointers can be NULL when processing malformed ICMPv6 error
packets with extension headers.
Also fix the length validation: the original check (fin->fin_plen <
sizeof(ip6_t)) could never trigger because an earlier check already
ensures fin->fin_plen >= ICMP6ERR_MINPKTLEN (48). Replace with a proper
check that fin->fin_dlen contains at least ICMPERR_ICMPHLEN +
sizeof(ip6_t) bytes to ensure sufficient data exists for both the
ICMPv6 error header and the embedded IPv6 header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
error handling code path. When ipf_checkicmp6matchingstate() calls
ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
which would crash when trying to access the mbuf via M_LEN().
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Add NULL checks for fin->fin_dp in ipf_pr_icmp6() and ipf_pr_icmp()
before dereferencing. When processing packets with IPv6 extension
headers, ipf_pr_pullup() can succeed but fin->fin_dp may still be NULL
due to extension header processing leaving insufficient data for the
protocol header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Validate the length of the packet listed in the mbuf is the same as
the calculated packet length. If not, reject the packet and bump the
bad packet stat.
PR: 295198
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57095
It's more clear and good practice for the first sentence of a description
to describe what something is, because there are a lot of different use
cases for documentation.
Fixes: 94b7a33568 ("nlist.3: Add discouraged use notice")
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D57128
"ldr <reg>, <literal>" loads a value from a literal memory address into
a register. It's PC-relative and so cannot be directly implemented
using the trampoline mechanism. Unfortunately, on arm64 it can't easily
be emulated either since the return-to-EL1 handler does not restore
callee-saved registers, so like adr/adrp, we simply don't handle it.
These instructions are fairly rare in an arm64 kernel.
While here, refactor the code so that all instruction decoding is done
in one place: introduce an enum type which characterizes the instruction
type, add a helper to map instructions to enum values, and store the
corresponding enum value in the probe description.
Reviewed by: christos
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56988
After commit 853cd87234 it became invalid for kinst_invop() to return
0: dtrace_invop_start() would convert this to a sentinel value
indicating that it did not consume the breakpoint, and so we'd just
call kdb_trap() to handle it.
Change kinst_invop() to return NOP_INSTR after handling a matching
breakpoint. NOP_INSTR is handled by advancing the ELR, so we have to
compensate by subtracting INSTR_SIZE before returning.
Reviewed by: christos
MFC after: 1 week
Fixes: 853cd87234 ("arm64: Clean up usage of the dtrace invop handler")
Differential Revision: https://reviews.freebsd.org/D56987
The address range 0xfffff78000000000 - 0xfffff7bfffffffff spans exactly 256GB
(0x4000000000 bytes), not 512GB.
For a 2TB kernel map, based on the KASAN 1:8 shadow map ratio, the required
shadow map size is indeed 256GB. The current comment incorrectly states 512GB,
which can be misleading and cause confusion.
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57129
This is a refactor of 228c632ab3. First, move compatibility one level
up, where we yet work with the full header. Second, move this rarely
executed code outside of the inline function. Should be no functional
change.
Reviewed by: pouria, melifaro
Differential Revision: https://reviews.freebsd.org/D56915
It was a placeholder for the access control for process-shared umtx
memory, which is not needed.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential revision: https://reviews.freebsd.org/D57122
While here, tag spdx and sync the drivers in crypto(4)/SEE ALSO.
MFC after: 2 days (add back hifn)
Differential Revision: https://reviews.freebsd.org/D57060
This is a "new" file, but is mostly copied from if_dtsec_fdt.c, so need to
retain the original license header in addition to the new one.
Reviewed by: ziaee
Differential Revision: https://reviews.freebsd.org/D57123
The Winbond/Nuvoton W83793G system monitor chip includes many features
not currently supported by this driver. The following are currently
supported:
* Up to 6 temperature sensors, 4 of which have 10-bit resolution
(8.2), two with 8-bit resolution (no decimal component)
* Up to 12 fans
- Fans 0-4 (1-5 on the datasheet) are always enabled. The remaining 7
fans are individually enabled.
* Multiple voltage sensors, reading up to 10 voltage sources. Sysctls
are labeled to match the datasheet.
* Chassis open detection.
The W83793AG is a feature-reduced version, which lacks 3 thermal diodes
and 2 voltage monitors. Since there is no way to tell the difference
between the W83793AG and W83793G programmatically, sensors reported on
the W83793AG will report strange values.
Temperature sensors and 7 of the fans can be individually enabled on the
chip, but currently not configured by this driver. The driver only
reports what was configured by the firmware. Additionally, this driver
numbers the sensors and fans according to the datasheet, so even if, for
instance, fan 8 is disabled, it would skip from fan 7 to fan 9; it does
not renumber. This makes it easier to follow for hardware debugging
purposes.
Missing features:
* Smart Fan support
* Fan PWM control
* ASF (Alert Standard Format)
Only Bank 0 registers are used at this time.
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D56776
The stale include line caused config -m to fail with an error trying
to parse the config file during make universe/tinderbox which in turn
caused universe/tinderbox to abort without building any powerpc
kernels (or subsequent architectures such as riscv64) with the error:
```
make[2]: freebsd/main/Makefile:767: Target architecture for powerpc/conf/MPC85XX unknown. config(8) likely too old.
in .for loop from freebsd/main/Makefile:761 with kernel = MPC85XX
in make[2] in directory "freebsd/main"
make[2]: stopped making "universe_kernels" in freebsd/main
*** Error code 1
```
Reported by: npn, many others
Fixes: fd8d34ce27 ("dpaa: Migrate from NCSW base to a home-grown driver")