new bind

(christos)

merge conflicts between 9.16.37 and 9.16.42

(christos)

indent: improve heuristics for '*' as pointer in for loops

(rillig)

indent: improve heuristics for '*' as a pointer type

(rillig)

indent: implement 'blank line above first statement in function body'

(rillig)

Make this compile when BIGNUM limbs (BN_ULONG) are not the same
size as "unsigned long" (e.g. in bn(64/32) configurations of openssl).

(martin)

indent: in -bad mode, don't add a blank line above a comment or '}'

(rillig)

tests/indent: strengthen requirements for test input files

Previously, 'indent run-equals-prev-output' was allowed even when there
was no 'indent run' section above. This created an ambiguity, since
'previous output' could mean either the 'indent run' section or the
'indent run-equals-input' section.

(rillig)

tests/indent: extend test for -badp option

(rillig)

s/privious/previous/ in comment.

(andvar)

indent: clean up indentation

(rillig)

jemalloc: reduce CONSTCOND diff to upstream

Since 2021-01-31, lint no longer needs these comments.

(rillig)

jemalloc: remove redundant CONSTCOND comments

Since 2021-01-31, lint no longer needs them.

(rillig)

indent: move cast detection from the lexer to the main processor

It is not the job of the lexer to modify the parser state.

(rillig)

indent: treat 'complex' and 'imaginary' as type modifiers, not as types

(rillig)

indent: fix formatting of parenthesized name in function definition

(rillig)

indent: don't use strspn on inp_p, as it is not null-terminated

No functional change.

(rillig)

s/responible/responsible/ in comment.

(andvar)

G/C an unused struct cpu_info member

(skrll)

lint: reduce memory allocations

The type val_t has the same size as the tn_s member in the same union.

No functional change.

(rillig)

lint: don't warn about comparison between char and character constant

(rillig)

lint: add query for comparing 'char' with plain integers

(rillig)

Add comments and remove nonexistent status registers.

(tsutsui)

tests/lint: allow accept.sh to override lint1 for local testing

(rillig)

Always initialise ci_tlb_info in cpu_info_store[0].

Fixes non-MP boot for me.

(skrll)

lint: remove redundant 'extern' from function declarations

No binary change.

(rillig)

make: remove redundant 'extern' in function declaration

No binary change.

(rillig)

Fix a wrong cdb size of SCSI disk write command.  From OpenBSD/luna88k.

(tsutsui)

lint: add query for redundant 'extern' in function declaration

(rillig)

Fix typo in error message.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo.

(msaitoh)

Fix typo.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in a debug message.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

Fix typo in comment.

(msaitoh)

tsleep: Comment out kernel lock assertion for now.

Breaks tpm(4) which breaks boot on a lot of systems.  tpm(4)
shouldn't be using tsleep; it doesn't appear to even have an
interrupt handler for wakeups, so it could get by with kpause.  If it
ever did sprout an interrupt handler it should use condvar(9) anyway.
But for now I don't have time to fix it tonight.

(riastradh)

tsleep(9): Assert kernel lock held.

This is never safe to use without the kernel lock.  It should only
appear in legacy subsystems that still run with the kernel lock.

(riastradh)

rump: KASSERT(x && y) -> KASSERT(x); KASSERT(y)

Add some KASSERTMSG while here.

(riastradh)

indent: fix scanning of no-wrap comments (since 2021.11.07.10.34.03)

The "refactoring" back then tried to be too clever.

(rillig)

tests/indent: fix comments

(rillig)

indent: properly store parser state in debug mode

The stacks in the parser state are allocated now and need to be copied
individually.

The test whether two paren stacks are equal was broken since 2023-06-14
14:11:28.

(rillig)

lint: remove redundant printflike declarations from debugging code

(rillig)

Pad the trapframe so it's a multiple of 16 bytes so that when a trapframe
is created on the stack SP remains 16-byte aligned as per the ABI
requirements.

Patch from Rin with some updates from me.

(skrll)

paxctl(8): brush up

Tell the user how to list flags right away, not at the very end.

Do not repeat "for the program" 6 times for each flag letter, it's a
noise by itself already and the italics of .Ar program exacerbates it.

Make the list of flags compact but manually add breaks between the
pairs of enable/disable flags.

(uwe)

paxctl(8): fix markup

(uwe)

Use Fl for options.

(wiz)

tests/make: explain and extend tests for expansion in .for loops

(rillig)

make: sync a comment with reality

No binary change.

(rillig)

Ticket #210.

(msaitoh)

Pull up following revision(s) (requested by martin in ticket #212):
usr.sbin/sysinst/main.c: revision 1.31
If the install medium does not come with any openssl trusted root certs,
tell ftp(1) not to verify trust chains when doing https downloads.

(msaitoh)

Add missing read to count Circuit Breaker Rx Dropped Packet correctly.

(msaitoh)

make: clean up variable and function names

No functional change.

(rillig)

make: reduce indentation in pattern matching code

No functional change.

(rillig)

make: warn about malformed patterns in ':M', ':N' and '.if make(...)'

These patterns shouldn't occur in practice, as their results are tricky
to predict.  Generate a warning for now, and maybe an error later.

Reviewed by sjg@.

(rillig)

tests/make: sort missing 'expect' comments by their location

(rillig)

crunchgen(1): Clear PaX flags instead of removing its ELF note section.

The latter results in zero-filled hole in ELF note segment for EARM,
where PaX section is not located the bottom of that segment (see
src/lib/csu/sysident.S). Fortunately, this hole does not cause real
harms for our in-kernel ELF note parser, except for noisy warnings on
DIAGNOSTIC kernels.

Bump CRUNCH_VERSION.

PR toolchain/52675

(rin)

paxctl(8): Introduce -0 option to clear all PaX flag bits in ELF note.
Part of PR toolchain/52675

(rin)

elex-20230622

+ restore bug fix lost in previous - reset yyleng to 0 when deleting input
  from the parser
+ API change to make function name more descriptive in API
+ bring license up to date
+ bump version number for header file

(agc)

fix sun2

(christos)

fix sun2

(christos)

tests/make: demonstrate inconsistency in pattern matching with ranges

(rillig)

make: unclutter string matching code

(rillig)

make: rename variables in string matching, remove redundant code

No functional change.

(rillig)

lint: add query for comma operator

(rillig)

tests/make: fix line numbers in test result, since the previous commit

(rillig)

make: speed up pattern matching in the ':M' and ':N' modifiers

In the code coverage report, the highest count for Str_Match goes from
5,298,924 down to 79,646.

(rillig)

make: clean up comments related to pattern matching

(rillig)

make: merge common code for handling the ':M' and ':N' modifiers

No functional change.

(rillig)

Ticket #213

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #213):

sys/dev/pci/if_wm.c: revision 1.770
sys/dev/pci/if_wm.c: revision 1.771
sys/dev/pci/if_wm.c: revision 1.772
sys/dev/pci/if_wm.c: revision 1.773
sys/dev/pci/if_wm.c: revision 1.774
sys/dev/pci/if_wm.c: revision 1.775
sys/dev/pci/if_wm.c: revision 1.776
sys/dev/pci/if_wmreg.h: revision 1.129
sys/dev/pci/if_wm.c: revision 1.777
sys/dev/pci/if_wm.c: revision 1.778
sys/dev/pci/if_wmvar.h: revision 1.49
sys/dev/pci/if_wm.c: revision 1.779
sys/dev/pci/if_wm.c: revision 1.768
sys/dev/pci/if_wm.c: revision 1.769
sys/dev/pci/if_wmreg.h: revision 1.130
sys/dev/pci/if_wm.c: revision 1.780
sys/dev/pci/if_wm.c: revision 1.781

Count some 64bit counters correctly.
- Fix calculation of GORC, GOTC, TOR and TOT counters correctly.
- Found by knakahara.

Add note for the TORL register.

The TOR register includes error, flow control and broadcast rejected.

Sort lines. No functional change.

Rearrange the order of the registers so that they are roughly in ascending
order.

Sort lines. No functional change.

Reorder evcnt_attach_dynamic(), WM_EVCNT_ADD() and evcnt_detach() to match.
IC{TX,RX}*C registers are for older than 82575.

Fix a bug that the transmit underrun counter is incorrectly counted.
The transmit underrun bit in the transmit status filed is only for 82544
(and older?), so don't use the counter for newer chips. The bit is reserved
for newer chips, but the bit sometimes set on 82575 at least.

Don't add "Count" for event counter's description.

Some statistics registers were replaced with new counters.
- 0x403c was CEXTERR(Carrier Extension Error). 82575 and newer except 80003,
  ICHs and PCHs have HTDPMC(Host Tx Discarded Packets by MAC). I don't really
  know for 82575. The 82575 datasheet say nothing about it.
- The following two are changed for circuit breaker. Only 82576's datasheet
  describes abut it, so the registers might be only for 82576.
  Use those registers for 82575 and newer except 80003, ICHs and PCHs just in
  case.
  - 0x40fc was TSCTFC(TCP Segmentation Context Tx Fail). It was replaced by
    the CBRMPC(Circuit Breaker Rx Manageability Packet) register.
  - 0x4124 was ICRXOC(Interrupt Cause Receiver Overrun). It was replaced by
    the HTCBDPC(Host Tx Circuit Breaker Dropped Packet) register.
- From 0x4104 to 0x4124:
  - For 0x4124, 82575's datasheet says it's not changed(ICRXOC).
    I don't know if it's correct. We use new HTCBDPC register for 82575.
  - 82576 and newer changed the meaning.
  - I don't know for 80003, ICHs and PCHs. Don't count those registers.
    At least, those registers in PCH2 and PCH_CNP are all zero.

Add some new event counters.

Add the following counters for 82575 and newer except 80003, ICHs and PCHs:
    - Only 82576 document describes about the circuit breaker,
      so the following two might be only for 82575:
        - Circuit Breaker TX Manageability Packet
        - Circuit Breaker RX Dropped Packet
    - 82575's document doesn't describe the following two, but we can see
      the same value as GO{T,R}C have:
        - Host Good Octets RX
        - Host Good Octets TX
    - 82575's document doesn't describe the LENERRS (Length Errors) counter.
      I don't know if it has.
    - Perhaps Non-SerDes/SGMII devices don't have SCVPC
      (SerDes/SGMII Code Violation Packet) register. We don't care if
      it's SerDes/SGMII or not for now.
    - HRMPC (Header Redirection Missed Packet) appears only once
      in 8257[56]'s datasheet. FreeBSD's igb counts it, so we do, too.
    - Count the following two for I350 and newer. I don't know if PCHs have:
        - EEE TX LPI
        - EEE RX LPI

Move statistics updating code from wm_tick() to new wm_update_stats().
- To reuse.
- No functional change.

Add SOICZIFDATA (ifconfig -z) support for evcnt(9).

First update the statistics data, then clear the event counters,
and finally copy and clear if_data via ether_ioctl().

Fix prc511's comment and description.

Use WM_IS_ICHPCH(). No functional change.

Fix typo. s/ictxact/ictxatc/. No functional change.

(martin)

Ammend #1836 for file missed in original pullup

(martin)

Pull up the following revision, requested by riastradh in ticket #1836

sys/compat/freebsd/freebsd_machdep.c 1.5

Memset before copyout

(martin)

Add (accidently) missing entry for ticket #1645

(martin)

Bump date for previous commit.

XXX pullup-10.

(nat)

agcre version 20230621
======================

+ agcre - added internal magic numbers to agcre to attempt to catch
  if misbehaving programs overwrite sections of memory
+ agcre - check internal magic numbers before attempting to execute
  regex programs
+ agcre - bump agcre magic number in the external structure
+ agcre - bump version number in header file. Fix up tests to ensure
  correct operation

(agc)

Elex version 20230621
=====================

+ agcre - added internal magic numbers to agcre to attempt to catch
  misbehaving programs overwriting sections of memory (extremely coarse-
  grained checks here).
+ agcre - check internal magic numbers before attempting to execute
  regex programs
+ agcre - bump agcre magic number in the external structure
+ elex - remove striter (simple) and move to using buffer gap functions
+ elex - fix a bug whereby we check if a rule has a return value
  before attempting to parse that return value.
+ elex - fix up tests for all of these fixes
+ elex - error out when reading rules if a bad rule is encountered (as
  the resulting lexer would be erroneous if we continued)
+ elex - bump elex version to 20230621

(agc)

Tickets #196 - #198, #200 - #211

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #211):

sys/dev/mii/mii_physubr.c: revision 1.103

Fix a bug when a media is changed to IFM_AUTO.

Fix a bug that ifconfig ifN media auto doesn't change the setting when
the previous media setting used autonego. When the mii_phy_setmedia()
function is called to change the media to IFM_AUTO, the BMCR_AUTOEN bit was
used to check if the previous setting was IFM_AUTO. It's not correct.

IFM_1000_T also uses autonego. So if a previous setting is IFM_1000_T and
the next setting is IFM_AUTO, mii_phy_auto() is not called if neither
MIIF_FORCEANEG nor MIIF_DOPAUSE are set. As a result, after changing
IFM_AUTO, neither 10Mbps nor 100Mbps are not advertised.

Note that almost all drivers uses MIIF_DOPAUSE flags.

TODO: cleanup ciphy.c and rgephy.c. Those have #ifdef foo.

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #210):

usr.sbin/tprof/tprof.8: revision 1.30
sys/dev/tprof/tprof_x86_amd.c: revision 1.8
sys/dev/tprof/tprof_armv8.c: revision 1.20
sys/dev/tprof/tprof_types.h: revision 1.7
sys/dev/tprof/tprof_x86_intel.c: revision 1.6
sys/dev/tprof/tprof_x86_intel.c: revision 1.7
sys/dev/tprof/tprof_x86_intel.c: revision 1.8
sys/dev/tprof/tprof.c: revision 1.23
usr.sbin/tprof/tprof.8: revision 1.25
usr.sbin/tprof/tprof.8: revision 1.26
usr.sbin/tprof/arch/tprof_x86.c: revision 1.16
usr.sbin/tprof/tprof.8: revision 1.27
usr.sbin/tprof/arch/tprof_x86.c: revision 1.17
usr.sbin/tprof/tprof.8: revision 1.28
usr.sbin/tprof/tprof.h: revision 1.5
usr.sbin/tprof/tprof.8: revision 1.29
sys/dev/tprof/tprof_armv7.c: revision 1.13
usr.sbin/tprof/tprof_top.c: revision 1.9
usr.sbin/tprof/tprof.c: revision 1.21

Add Cometlake support.

Obtain the number of general counters from CPUID 0xa.

Test cpuid_level in tprof_intel_ncounters().
This function is called before tprof_intel_ident().

KNF. No functional change.

Add two note to the tprof(8)'s manual page.
- "list" command prints the maximum number of counters that can be used
  simultaneously.
- multiple -e arguments can be specified.

Use the default counter if -e argument is not specified.
monitor command:
    The default counter is selected if -e argument is not specified.
list command:
    Print the name of the default counter for monitor and top command.

tprof.8: new sentence, new line

tprof(8): fix markup nits

tprof.8: fix typo, s/speficied/specified/

(martin)

3RDPARTY: new versions of libuv, unbound, and nsd out

(gutteridge)

Tickets #1825, #1827 - #1831, #1833, #1835 - #1846

(martin)

Regen for ticket #1846

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #1846):

sys/dev/pci/pcidevs: revision 1.1478
sys/dev/pci/pcidevs: revision 1.1479
sys/dev/pci/pcidevs: revision 1.1480

Add Samsung SM990.

Add devices from PPR for AMD Family 19h Model 61h Revision B1 processors.

The SATA device ID for Apollo Lake is not 0x5ae0 but 0x5ae3.

(martin)

Tickets #1643, #1644, #1646 - #1654

(martin)

Regen for ticket #1654

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #1654):

sys/dev/pci/pcidevs: revision 1.1478
sys/dev/pci/pcidevs: revision 1.1479
sys/dev/pci/pcidevs: revision 1.1480

Add Samsung SM990.

Add devices from PPR for AMD Family 19h Model 61h Revision B1 processors.

The SATA device ID for Apollo Lake is not 0x5ae0 but 0x5ae3.

(martin)

Regen for ticket #209

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #209):

sys/dev/pci/pcidevs: revision 1.1478
sys/dev/pci/pcidevs: revision 1.1479
sys/dev/pci/pcidevs: revision 1.1480

Add Samsung SM990.

Add devices from PPR for AMD Family 19h Model 61h Revision B1 processors.

The SATA device ID for Apollo Lake is not 0x5ae0 but 0x5ae3.

(martin)

Regen for ticket #209

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #208):

sys/dev/mii/ciphy.c: revision 1.42
sys/dev/mii/brgphy.c: revision 1.91
sys/dev/mii/mii_physubr.c: revision 1.102
sys/dev/mii/ipgphy.c: revision 1.11
sys/dev/mii/tlphy.c: revision 1.72
sys/dev/mii/jmphy.c: revision 1.5
sys/dev/mii/urlphy.c: revision 1.40
sys/dev/mii/atphy.c: revision 1.31

Retry autonegotiation every mii_anegticks seconds instead of mii_anegticks+1.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1845):

lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10

pam_ksu: No need for homedir access.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1653):

lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10

pam_ksu: No need for homedir access.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #207):

lib/libpam/modules/pam_ksu/pam_ksu.c: revision 1.10

pam_ksu: No need for homedir access.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1844):

lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1652):

lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

(martin)

Pull up following revision(s) (requested by riastradh in ticket #206):

lib/libpam/modules/pam_krb5/pam_krb5.c: revision 1.31
lib/libpam/modules/pam_krb5/pam_krb5.8: revision 1.13

pam_krb5: Refuse to operate without a key to verify tickets.

New allow_kdc_spoof overrides this to restore previous behaviour
which was vulnerable to KDC spoofing, because without a host or
service key, pam_krb5 can't distinguish the legitimate KDC from a
spoofed one.

This way, having pam_krb5 enabled isn't dangerous even if you create
an empty /etc/krb5.conf to use client SSO without any host services.

Perhaps this should use krb5_verify_init_creds(3) instead, and
thereby respect the rather obscurely named krb5.conf option
verify_ap_req_nofail like the Linux pam_krb5 does, but:
- verify_ap_req_nofail is default-off (i.e., vulnerable by default),
- changing verify_ap_req_nofail to default-on would probably affect
  more things and therefore be riskier,
- allow_kdc_spoof is a much clearer way to spell the idea,
- this patch is a smaller semantic change and thus less risky, and
- a security change with compatibility issues shouldn't have a
  workaround that might introduce potentially worse security issues
  or more compatibility issues.

Perhaps this should use krb5_verify_user(3) with secure=1 instead,
for simplicity, but it's not clear how to do that without first
prompting for the password -- which we shouldn't do at all if we
later decide we won't be able to use it anyway -- and without
repeating a bunch of the logic here anyway to pick the service name.

References about verify_ap_req_nofail:
- mit-krb5 discussion about verify_ap_req_nofail:
  https://mailman.mit.edu/pipermail/krbdev/2011-January/009778.html
- Oracle has the default-secure setting in their krb5 system:
  https://docs.oracle.com/cd/E26505_01/html/E27224/setup-148.html
  https://docs.oracle.com/cd/E26505_01/html/816-5174/krb5.conf-4.html#REFMAN4krb5.conf-4
  https://docs.oracle.com/cd/E19253-01/816-4557/gihyu/
- Heimdal issue on verify_ap_req_nofail default:
  https://github.com/heimdal/heimdal/issues/1129

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1843):

etc/pam.d/ftpd: revision 1.8
etc/pam.d/su: revision 1.9
etc/pam.d/system: revision 1.9
etc/pam.d/display_manager: revision 1.6
etc/pam.d/sshd: revision 1.10

pam: Disable pam_krb5, pam_ksu by default.

These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC.  But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.

As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1651):

etc/pam.d/ftpd: revision 1.8
etc/pam.d/su: revision 1.9
etc/pam.d/system: revision 1.9
etc/pam.d/display_manager: revision 1.6
etc/pam.d/sshd: revision 1.10

pam: Disable pam_krb5, pam_ksu by default.

These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC.  But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.

As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html

(martin)

libedit: fix pkg-config to really provide readline directory as intended

(wiz)

Pull up following revision(s) (requested by riastradh in ticket #205):

etc/pam.d/ftpd: revision 1.8
etc/pam.d/su: revision 1.9
etc/pam.d/system: revision 1.9
etc/pam.d/display_manager: revision 1.6
etc/pam.d/sshd: revision 1.10

pam: Disable pam_krb5, pam_ksu by default.

These are not useful unless you also set up /etc/krb5.conf and a
keytab for the host from the Kerberos KDC.  But having them enabled
by default means that creating /etc/krb5.conf just to enable use of
Kerberos for _client-side_ single sign-on creates usability issues.

As proposed on tech-security:
https://mail-index.netbsd.org/tech-security/2023/06/16/msg001160.html

(martin)

Apply patch, requested by riastradh in ticket #1842:

sys/dev/pci/if_wm.c (apply patch)

Fix a bug introduced in ticket #1795.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1841):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1650):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #204):

sys/compat/sunos32/sunos32_misc.c: revision 1.86
sys/compat/ossaudio/ossaudio.c: revision 1.85
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.48

compat_sunos32: Memset zero before copyout.

Unclear if this can leak anything but let's be on the safe side.

compat_ossaudio: Zero-initialize idat before copyout.
Unclear if there are any paths to the copyout without initialization,
but let's play it safe to keep the auditing effort low.

linux32_rt_sendsig: Memset zero before copyout.
Not sure if there's any padding here, but it's a pretty big
structure, fairly likely, so let's be rather safe than sorry.

(martin)

Cleanup guard tests

The .PARSEFILE:tA tests add no value, the correct form
is ${.PARSEDIR:tA}/${.PARSEFILE} but even there :tA rarely matters.

(sjg)

Pull up following revision(s) (requested by riastradh in ticket #1840):

sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.7

compat_netbsd32: Copy out 32-bit version in nfssvc32_nsd_out.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1839):

sys/compat/common/kern_time_30.c: revision 1.6
sys/compat/netbsd32/netbsd32_time.c: revision 1.50

Paranoia: zero COMPAT_30 ntptimeval and 32-bit ntptimeval too.

These structs don't have padding but safer to keep the code
structured the same way between the various ntp_gettimes in case
anyone makes more copypasta of it for future updates.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1838):

sys/compat/common/kern_time_50.c: revision 1.32

Zero ntptimeval50 too to prevent 4-byte kernel stack disclosure.

>From Thomas Barabosch of Fraunhofer FKIE.

(martin)

Apply patch, requested by riastradh in ticket #1837:

sys/compat/osf1/osf1_cvt.c
sys/compat/osf1/osf1_file.c
sys/compat/osf1/osf1_misc.c

Memset structures to zero before passing them to copyout to expose them
to userland.
No equivalent change in newer branches, commpat/osf1 has been deleted.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1836):

sys/compat/linux/arch/i386/linux_machdep.c: revision 1.168
sys/compat/sunos/sunos_misc.c: revision 1.177
sys/compat/netbsd32/netbsd32_compat_50.c: revision 1.52
sys/compat/common/kern_resource_43.c: revision 1.23
sys/compat/netbsd32/netbsd32_conv.h: revision 1.46
sys/compat/linux/arch/i386/linux_ptrace.c: revision 1.35
sys/compat/common/vfs_syscalls_12.c: revision 1.38
sys/compat/ultrix/ultrix_misc.c: revision 1.126
sys/compat/common/kern_sig_43.c: revision 1.37
sys/compat/linux/common/linux_mtio.c: revision 1.8
sys/compat/freebsd/freebsd_misc.c: revision 1.34
sys/compat/linux/common/linux_olduname.c: revision 1.67
sys/compat/linux/arch/mips/linux_machdep.c: revision 1.44
sys/compat/freebsd/freebsd_sched.c: revision 1.23
sys/compat/ossaudio/ossaudio.c: revision 1.84
sys/compat/sys/time_types.h: revision 1.6
sys/compat/linux/arch/powerpc/linux_machdep.c: revision 1.51
sys/compat/linux/common/linux_file.c: revision 1.119
sys/compat/linux/arch/arm/linux_machdep.c: revision 1.34
sys/compat/netbsd32/netbsd32_wait.c: revision 1.25
sys/compat/linux32/common/linux32_time.c: revision 1.38
sys/compat/linux/arch/powerpc/linux_ptrace.c: revision 1.33
sys/compat/linux/arch/alpha/linux_machdep.c: revision 1.52
sys/compat/linux32/arch/amd64/linux32_machdep.c: revision 1.46
sys/compat/netbsd32/netbsd32_compat_12.c: revision 1.36
sys/compat/ultrix/ultrix_ioctl.c: revision 1.39
sys/compat/linux/common/linux_misc.c: revision 1.252
sys/compat/linux/common/linux_hdio.c: revision 1.19
sys/compat/sunos/sunos_ioctl.c: revision 1.71
sys/compat/linux/common/linux_sched.c: revision 1.79
sys/compat/common/kern_info_43.c: revision 1.40
sys/compat/linux32/common/linux32_exec_elf32.c: revision 1.20
sys/compat/linux/common/linux_socket.c: revision 1.153
sys/compat/linux/arch/amd64/linux_machdep.c: revision 1.60
sys/compat/common/vfs_syscalls_43.c: revision 1.68
sys/compat/linux/arch/powerpc/linux_exec_powerpc.c: revision 1.25
sys/compat/netbsd32/netbsd32_ptrace.c: revision 1.9
sys/compat/common/kern_time_50.c: revision 1.37
sys/compat/netbsd32/netbsd32_compat_20.c: revision 1.42
sys/compat/linux/common/linux_cdrom.c: revision 1.28
sys/compat/linux/arch/m68k/linux_machdep.c: revision 1.43
sys/compat/common/kern_info_09.c: revision 1.22
sys/compat/linux32/common/linux32_resource.c: revision 1.12
sys/compat/linux/common/linux_oldolduname.c: revision 1.67
sys/compat/netbsd32/netbsd32_nfssvc.c: revision 1.8
sys/compat/linux32/common/linux32_signal.c: revision 1.21
sys/compat/common/kern_sig_13.c: revision 1.22
sys/compat/sunos32/sunos32_ioctl.c: revision 1.36
sys/compat/netbsd32/netbsd32_compat_43.c: revision 1.62
sys/compat/linux/arch/arm/linux_ptrace.c: revision 1.23
sys/compat/netbsd32/netbsd32_time.c: revision 1.56
sys/compat/linux/common/linux_signal.c: revision 1.84
sys/compat/netbsd32/netbsd32_signal.c: revision 1.52
sys/compat/sunos32/sunos32_misc.c: revision 1.85
sys/compat/linux/common/linux_time.c: revision 1.40
sys/compat/linux/common/linux_fdio.c: revision 1.14
sys/compat/common/vfs_syscalls_30.c: revision 1.43

sys/compat: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure.  If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1835):

sys/dev/pci/if_iwi.c: revision 1.117
sys/dev/raidframe/rf_netbsdkintf.c: revision 1.401
sys/dev/scsipi/ses.c: revision 1.52
sys/dev/isa/mcd.c: revision 1.121
(all via patch)

sys/dev: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure.  If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.

I think the iwi(4), mcd(4), and ses(4) changes actually plug leaks;
the raidframe(4) change probably doesn't (but doesn't hurt).

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1833):

sys/compat/netbsd32/netbsd32_netbsd.c: revision 1.232
sys/compat/netbsd32/netbsd32_socket.c: revision 1.56
sys/compat/netbsd32/netbsd32_conv.h: revision 1.45
sys/compat/netbsd32/netbsd32_fs.c: revision 1.92
sys/compat/netbsd32/netbsd32.h: revision 1.137

The read/write/send/recv system calls return ssize_t because -1 is
returned on error.  Therefore we must restrict the lengths of any
buffers to NETBSD32_SSIZE_MAX with compat32 to avoid garbage return
values.

Fixes ATF lib/libc/sys/t_write:write_err.

(martin)

Fix merge mishap in ticket #1820

(martin)

Pull up following revision(s) (requested by riastradh in ticket #1831):

sys/altq/altq_hfsc.c: revision 1.29
sys/altq/altq_priq.c: revision 1.27

sys/altq: Memset zero before copyout.

Just in case of uninitialized padding which would lead to kernel
stack disclosure.  If the compiler can prove the memset redundant
then it can optimize it away; otherwise better safe than sorry.

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #1830):

sys/arch/x86/x86/procfs_machdep.c: revision 1.47

Add Intel lam and AMD vnmi.

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #1649):

sys/arch/x86/x86/procfs_machdep.c: revision 1.47

Add Intel lam and AMD vnmi.

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #203):

sys/arch/x86/x86/procfs_machdep.c: revision 1.47

Add Intel lam and AMD vnmi.

(martin)

Pullup the following revisions, requested by msaitoh in ticket #1828:

sys/dev/pci/ixgbe/ixgbe.c 1.325-1.326 via patch
sys/dev/pci/ixgbe/ixgbe_common.c 1.44
sys/dev/pci/ixgbe/ixgbe_type.h 1.56

- PCI device ID 0x15c8 also uses X557-AT PHY, so create the thermal
  sensor sysctl for it, too.
- Count the number of link down events in the MAC using with
  LINK_DN_CNT register.

(martin)

Pull up the following revisions, requested by msaitoh in ticket #1647:

sys/dev/pci/ixgbe/ixgbe.c 1.325-1.326 via patch
sys/dev/pci/ixgbe/ixgbe_common.c 1.44
sys/dev/pci/ixgbe/ixgbe_type.h 1.56

- PCI device ID 0x15c8 also uses X557-AT PHY, so create the thermal
  sensor sysctl for it, too.
- Count the number of link down events in the MAC using with
  LINK_DN_CNT register.

(martin)

Pull up following revision(s) (requested by msaitoh in ticket #202):

sys/dev/pci/ixgbe/ixgbe_type.h: revision 1.56
sys/dev/pci/ixgbe/ixgbe.c: revision 1.325
sys/dev/pci/ixgbe/ixgbe.c: revision 1.326
sys/dev/pci/ixgbe/ixgbe_common.c: revision 1.44

Use thermal sensor code for IXGBE_DEV_ID_X550EM_A_10G_T, too.
PCI device ID 0x15c8 also use X557-AT PHY, so create the thermal sensor
sysctl for it, too.

Count the number of link down events in the MAC using with LINK_DN_CNT.
- Add new event counter "link_dn_cnt" to count the number of link down
  events in the MAC.
- The LINK_DN_CNT register (at 0x0403c) is described only in the
  Denverton's datasheet, so use it only on ixgbe_mac_X550EM_a.

(martin)

Pull up following revision(s) (requested by abs in ticket #1829):

sys/arch/vax/vax/pmap.c: revision 1.196
sys/arch/vax/include/trap.h: revision 1.25

Change CASMAGIC to 0xFEDABABE so that it cannot accidentally end up in
valid kernel memory.  Due to the VARM accesses above S0 should always
give a ptelen trap.

Bug found by Kalvis Duckmanton.

Ensure that the kernel do not try to allocate a S0 segment larger than 1G,
since the hardware prohibits that.

(martin)