Add metric support and show its value in wide flag and
libxo output.
Also, add metric to the description of wide flag (`-w`) in
routing display (`-r`) section of manual page.
Reviewed by: markj (manpage)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D57011
* Use our new 32-bit metric for RTA_PRIORITY support.
* Update snl library for new RTA_PRIORITY support.
* Return RTA_PRIORITY for both MPATH and non-MPATH routes.
Reviewed by: glebius (previous version)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D56323
In our routing stack implementation, metric is an attribute
of the nexthop, not the route itself.
Store metric in nhop_priv which is control-plane data of
nexthop, filter the nexthops by metric and populate the mpath
slots in nexthop group with only the lowest metric nexthops
for use in the forwarding path.
`cmp_priv()` compares nhops based on priv hash.
Add metric compare logic to it and only return nexthops
with different metrics if the input nexthop's metric is
zero (wildcard).
Also, add support for metric via rtsock by introducing rmx_metric.
Finally, remove the upper 8-bit reservation of weight for
administrative distance.
Reviewed by: adrian
Discussed with: markj
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D56322
The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan. The untrusted network names are evaluated in
f_dialog_menu_wireless_edit. The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.
Pass the SSID names through f_shell_escape to work around this. Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.
I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des
Differential Revision: https://reviews.freebsd.org/D56974
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters. Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.
Approved by: so
Security: FreeBSD-SA-26:23.bsdinstall
Security: CVE-2026-45255
Reported by: Austin Ralls
Reviewed by: dteske, des, asiciliano
Differential Revision: https://reviews.freebsd.org/D56973
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).
poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.
Approved by: so
Security: FreeBSD-SA-26:22.libcasper
Security: CVE-2026-39461
Reported by: Joshua Rogers
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D56695
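The difference between the two interfaces described in the commit message above, as an added example that is not taken from the commit or from libcasper. The helper names `fd_fits_fd_set`, `wait_readable` and `demo_high_fd` are hypothetical, and the demo input is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set only has bits 0..FD_SETSIZE-1; FD_SET() on any other fd writes
 * outside it. Code that must keep select(2) needs this guard first. */
static int fd_fits_fd_set(int fd) { return (fd >= 0 && fd < FD_SETSIZE); }

/* Wait for fd to become readable with poll(2), whose array is indexed by
 * slot rather than fd value. Returns 1 readable, 0 timeout, -1 error. */
static int wait_readable(int fd, int timeout_ms)
{
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int n;

	do {
		n = poll(&pfd, 1, timeout_ms);
	} while (n == -1 && errno == EINTR);
	if (n <= 0)
		return (n);
	return ((pfd.revents & (POLLIN | POLLHUP)) != 0 ? 1 : -1);
}

/* Constructed demo: duplicate a pipe's read end to an fd >= FD_SETSIZE and
 * wait on it. Returns wait_readable()'s result, or -2 if the descriptor
 * limit cannot be raised far enough to run the demo. */
static int demo_high_fd(void)
{
	struct rlimit rl;
	rlim_t need = FD_SETSIZE + 8;
	int p[2], hi, r = -2;

	if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_max < need)
		return (-2);
	if (rl.rlim_cur < need) {
		rl.rlim_cur = need;
		if (setrlimit(RLIMIT_NOFILE, &rl) != 0)
			return (-2);
	}
	if (pipe(p) != 0)
		return (-2);
	hi = fcntl(p[0], F_DUPFD, FD_SETSIZE);	/* lowest free fd >= FD_SETSIZE */
	if (hi != -1 && !fd_fits_fd_set(hi) && write(p[1], "x", 1) == 1)
		r = wait_readable(hi, 1000);
	if (hi != -1)
		close(hi);
	close(p[0]); close(p[1]);
	return (r);
}

int main(void) { printf("high fd result: %d\n", demo_high_fd()); return (0); }
```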
- Fix an off-by-one in the system call number check. A value of
SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
syscall(2)/__syscall(2), since they pass the syscall number as an
argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
make sure that nargs > 0 to avoid an underflow when shifting arguments
down.
Add regression tests.
Approved by: so
Security: FreeBSD-SA-26:21.ptrace
Security: CVE-2026-45253
Fixes: 140ceb5d95 ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D56978
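A user-space model of the three checks listed in the commit message above, as an added example that is not the kernel's code. The `remote_req` structure, the `resolve_remote_syscall` function and all `M_` constants are constructed stand-ins, not FreeBSD definitions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel's constants (illustrative values). */
enum { M_SYS_syscall = 0, M_SYS___syscall = 198, M_MAXSYSCALL = 600,
       M_MAXARGS = 8 };

struct remote_req {		/* hypothetical remote-syscall request */
	unsigned long num;
	unsigned int nargs;
	unsigned long args[M_MAXARGS];
};

/* Resolve indirection, then validate. Returns 0 (req rewritten) or EINVAL. */
static int resolve_remote_syscall(struct remote_req *req)
{
	if (req->nargs > M_MAXARGS)
		return (EINVAL);
	/* syscall(2)/__syscall(2) pass the real number as the first argument. */
	if (req->num == M_SYS_syscall || req->num == M_SYS___syscall) {
		if (req->nargs == 0)	/* nothing to shift; nargs - 1 would wrap */
			return (EINVAL);
		req->num = req->args[0];
		req->nargs--;
		memmove(&req->args[0], &req->args[1],
		    req->nargs * sizeof(req->args[0]));
	}
	/* Check the number that will actually be dispatched. Valid table
	 * indices are 0..M_MAXSYSCALL-1, so the comparison must be >=. */
	if (req->num >= M_MAXSYSCALL)
		return (EINVAL);
	return (0);
}

int main(void)
{
	struct remote_req r = { .num = M_SYS_syscall, .nargs = 1,
	    .args = { M_MAXSYSCALL } };

	printf("indirect, out-of-range number: %d\n", resolve_remote_syscall(&r));
	return (0);
}
```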
The fuse protocol requires the server to respond to LISTXATTR with a
NUL-terminated string. If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.
Approved by: so
Security: FreeBSD-SA-26:20.fusefs
Security: CVE-2026-45252
admbugs: 1039
Reported by: Joshua Rogers
Sponsored by: ConnectWise
Otherwise they may be left on a freed selinfo list after the
corresponding jaildesc struct is freed. This can be exploited to
elevate privileges.
Remove the JDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Fixes: 66d8ffe304 ("jaildesc: add kevent support")
Reviewed by: kib, jamie
Differential Revision: https://reviews.freebsd.org/D56945
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.
Remove the PDF_SELECTED micro-optimization. doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.
Add some regression tests.
Approved by: so
Security: FreeBSD-SA-26:19.file
Security: CVE-2026-45251
Reported by: 75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by: kib, oshogbo
Fixes: cfb5f76865 ("Add experimental support for process descriptors")
Differential Revision: https://reviews.freebsd.org/D56887
Add NULL checks for ic6 (the ICMPv6 header pointer from fin->fin_dp)
and oic (the inner ICMPv6 header from ofin.fin_dp after ipf_makefrip).
These pointers can be NULL when processing malformed ICMPv6 error
packets with extension headers.
Also fix the length validation: the original check (fin->fin_plen <
sizeof(ip6_t)) could never trigger because an earlier check already
ensures fin->fin_plen >= ICMP6ERR_MINPKTLEN (48). Replace with a proper
check that fin->fin_dlen contains at least ICMPERR_ICMPHLEN +
sizeof(ip6_t) bytes to ensure sufficient data exists for both the
ICMPv6 error header and the embedded IPv6 header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
error handling code path. When ipf_checkicmp6matchingstate() calls
ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
which would crash when trying to access the mbuf via M_LEN().
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Add NULL checks for fin->fin_dp in ipf_pr_icmp6() and ipf_pr_icmp()
before dereferencing. When processing packets with IPv6 extension
headers, ipf_pr_pullup() can succeed but fin->fin_dp may still be NULL
due to extension header processing leaving insufficient data for the
protocol header.
PR: 288333
MFC after: 1 week
Pull Request: https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by: Teddy Engel <engel.teddy@gmail.com>
Validate the length of the packet listed in the mbuf is the same as
the calculated packet length. If not, reject the packet and bump the
bad packet stat.
PR: 295198
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57095
It's more clear and good practice for the first sentence of a description
to describe what something is, because there are a lot of different use
cases for documentation.
Fixes: 94b7a33568 ("nlist.3: Add discouraged use notice")
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D57128
"ldr <reg>, <literal>" loads a value from a literal memory address into
a register. It's PC-relative and so cannot be directly implemented
using the trampoline mechanism. Unfortunately, on arm64 it can't easily
be emulated either since the return-to-EL1 handler does not restore
callee-saved registers, so like adr/adrp, we simply don't handle it.
These instructions are fairly rare in an arm64 kernel.
While here, refactor the code so that all instruction decoding is done
in one place: introduce an enum type which characterizes the instruction
type, add a helper to map instructions to enum values, and store the
corresponding enum value in the probe description.
Reviewed by: christos
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56988
After commit 853cd87234 it became invalid for kinst_invop() to return
0: dtrace_invop_start() would convert this to a sentinel value
indicating that it did not consume the breakpoint, and so we'd just
call kdb_trap() to handle it.
Change kinst_invop() to return NOP_INSTR after handling a matching
breakpoint. NOP_INSTR is handled by advancing the ELR, so we have to
compensate by subtracting INSTR_SIZE before returning.
Reviewed by: christos
MFC after: 1 week
Fixes: 853cd87234 ("arm64: Clean up usage of the dtrace invop handler")
Differential Revision: https://reviews.freebsd.org/D56987
The address range 0xfffff78000000000 - 0xfffff7bfffffffff spans exactly 256GB
(0x4000000000 bytes), not 512GB.
For a 2TB kernel map, based on the KASAN 1:8 shadow map ratio, the required
shadow map size is indeed 256GB. The current comment incorrectly states 512GB,
which can be misleading and cause confusion.
Reviewed by: markj
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D57129
This is a refactor of 228c632ab3. First, move compatibility one level
up, where we yet work with the full header. Second, move this rarely
executed code outside of the inline function. Should be no functional
change.
Reviewed by: pouria, melifaro
Differential Revision: https://reviews.freebsd.org/D56915
It was a placeholder for the access control for process-shared umtx
memory, which is not needed.
Reviewed by: markj
Sponsored by: The FreeBSD Foundation
MFC after: 3 days
Differential revision: https://reviews.freebsd.org/D57122
While here, tag spdx and sync the drivers in crypto(4)/SEE ALSO.
MFC after: 2 days (add back hifn)
Differential Revision: https://reviews.freebsd.org/D57060
This is a "new" file, but is mostly copied from if_dtsec_fdt.c, so need to
retain the original license header in addition to the new one.
Reviewed by: ziaee
Differential Revision: https://reviews.freebsd.org/D57123
The Winbond/Nuvoton W83793G system monitor chip includes many features
not currently supported by this driver. The following are currently
supported:
* Up to 6 temperature sensors, 4 of which have 10-bit resolution
(8.2), two with 8-bit resolution (no decimal component)
* Up to 12 fans
- Fans 0-4 (1-5 on the datasheet) are always enabled. The remaining 7
fans are individually enabled.
* Multiple voltage sensors, reading up to 10 voltage sources. Sysctls
are labeled to match the datasheet.
* Chassis open detection.
The W83793AG is a feature-reduced version, which lacks 3 thermal diodes
and 2 voltage monitors. Since there is no way to tell the difference
between the W83793AG and W83793G programmatically, sensors reported on
the W83793AG will report strange values.
Temperature sensors and 7 of the fans can be individually enabled on the
chip, but currently not configured by this driver. The driver only
reports what was configured by the firmware. Additionally, this driver
numbers the sensors and fans according to the datasheet, so even if, for
instance, fan 8 is disabled, it would skip from fan 7 to fan 9; it does
not renumber. This makes it easier to follow for hardware debugging
purposes.
Missing features:
* Smart Fan support
* Fan PWM control
* ASF (Alert Standard Format)
Only Bank 0 registers are used at this time.
Reviewed by: adrian
Differential Revision: https://reviews.freebsd.org/D56776
The stale include line caused config -m to fail with an error trying
to parse the config file during make universe/tinderbox which in turn
caused universe/tinderbox to abort without building any powerpc
kernels (or subsequent architectures such as riscv64) with the error:
make[2]: freebsd/main/Makefile:767: Target architecture for powerpc/conf/MPC85XX unknown. config(8) likely too old.
in .for loop from freebsd/main/Makefile:761 with kernel = MPC85XX
in make[2] in directory "freebsd/main"
make[2]: stopped making "universe_kernels" in freebsd/main
*** Error code 1
Reported by: npn, many others
Fixes: fd8d34ce27 ("dpaa: Migrate from NCSW base to a home-grown driver")
The new KPI is only used in <asm/set_memory.h>, but it's provided in
linux_page.c. The latter only includes the former indirectly by way of
<linux/io.h>, and that's only conditionally included outside of 32-bit
ARM there.
All of our archs have the necessary pmap_page_set_memattr(), so just
move the declaration into <linux/page.h> instead of trying to reason
about the usability of <asm/set_memory.h> directly in linux_page.c.
Reported by: jenkins (via ivy)
Some firmware (e.g. Apple EFI on Sandy Bridge Mac hardware) programs all
HDMI/DP output pins in an association with identical sequence numbers.
The existing code disables the entire association on the first
duplicate, leaving HDMI/DP audio non-functional.
For digital output pins (HDMI/DP) with seq=0 duplicates, search for the
next free sequence slot and reassign the duplicate rather than
disabling.
The seq=0 restriction targets the known Apple firmware pattern; any
other duplicate sequence is more likely a genuine firmware error and the
association is still disabled.
Update first after reassignment so that hpredir is not left pointing at
a stale sequence. Non-digital and input associations retain the existing
disable behaviour.
MFC after: 1 week
Reviewed by: christos
Differential Revision: https://reviews.freebsd.org/D55473
On remount, we must accept all the same options as on initial mount.
For parameters which we're unable to modify on the fly, fail only if
the new value is different from the existing one.
PR: 295096
MFC after: 1 week
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D57044
* Instead of looking for and stopping at the first SHT_SYMTAB section,
iterate over all SHT_DYNSYM and SHT_SYMTAB sections until we've either
found all our symbols or run out.
* Perform bounds checks on section and string table offsets and sizes
before attempting to mmap() the string table.
* Perform bounds checks on individual symbol table entries before
attempting to access the corresponding strings.
* Stop treating _Foo and Foo as the same symbol.
This unbreaks OpenSSH which uses nlist(3) to verify PKCS#11 providers.
PR: 295336
MFC after: 1 week
Fixes: 77909f5978 ("Initial elf nlist support [...]")
Fixes: 644b4646c7 ("OpenSSH: Update to 10.1p1")
Reviewed by: kib, emaste
Differential Revision: https://reviews.freebsd.org/D57034
These are the last two uses of the wk_rxmic / wk_txmic macros.
Everything should be using the accessor methods at this point.
Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D54790
* Document what iwx_rxmq_get_signal_strength() is doing in a comment,
noting what the firmware returns and what math is being done on it
to turn it into a dBm value.
* Document what iwx_get_noise() is supposed to do, that we can't just
go do math with log numbers like we're doing, but also that we're
seeing zeros in this firmware (AX210), which may mean we're decoding
using the wrong structs.
* Swizzle around the RSSI calculation as a function, add min/max RSSI
values, and calculate RSSI against the noise floor.
* And handle the lowest noise floor value - it can't be -127dBm as
that will throw things off. Cap it at -100dBm which is a little
lower than the thermal noise floor at 20MHz (-98dBm), but it matches
IWX_MIN_DBM.
Differential Revision: https://reviews.freebsd.org/D53780
These calls are used for buddy pages at least in drm's ttm_pool, which
leads to a panic when we invoke lowmem handlers and drm tries to shrink
the pool.
Cope with numpages > 1 by traversing the contiguous pages and executing
the adjustment there, as well, as suggested by markj@. Previous
versions have tried to use the corresponding `set_memory_*()` functions,
but it is believed that not updating `md.pat_mode` breaks subsequent
userspace mappings in ways that may result in things like screen tearing
or other artifacts when running i915kms.
This stabilized my amdgpu laptop running two VMs, chromium and a
concurrent buildworld.
Reviewed by: bz, markj
Differential Revision: https://reviews.freebsd.org/D57004
Commit 876a17321c removed the a.out Xref as nlist(3) no longer
supports a.out, but this left nlist(3) without a reference to a page
documenting struct nlist.
struct nlist is documented in both a.out(5) and stab(5), so add an Xref
to the latter.
Reported by: brooks
Fixes: 876a17321c ("nlist.3: Replace a.out(5) Xref with elf(5)")
It is a relic from a.out days and is poorly specified. Although ELF
support was added to nlist, there are better ways to access ELF data.
Reviewed by: kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57078