History log of /freebsd/sys/conf/options (Results 1 – 25 of 2045)
Revision Date Author Comments
# e1cff854 24-Apr-2026 Warner Losh <imp@FreeBSD.org>

pass(4): Allowlist CCB func_codes to harden passthrough ioctls

The pass(4) driver's CAMIOCOMMAND and CAMIOQUEUE ioctls accept arbitrary
CCBs from userland. This device requires root to open, and thus send
these commands. Previously, the only func_code filter was a blocklist
check against the XPT_FC_XPT_ONLY flag. This missed several dangerous
func_codes that lack that flag:

- XPT_ABORT: the abort_ccb field is a raw kernel pointer from the
user CCB payload. xpt_action_default() dereferences it without
validation, leading to kernel crashes or worse.

- XPT_SASYNC_CB: the callback and callback_arg fields come directly
from the user CCB payload and get registered as a kernel async
callback, allowing arbitrary kernel code execution.

- Target mode CCBs (XPT_EN_LUN, XPT_TARGET_IO, etc.) fall through
directly to the SIM with user-controlled payloads.

Replace the XPT_FC_XPT_ONLY blocklist with an explicit allowlist of CCB
function codes that are known to be safe for userland to submit: I/O
operations (SCSI, ATA, NVMe, SMP, MMC), device queries, transport
settings, and a handful of safe control operations (NOOP, REL_SIMQ,
RESET_DEV, DEBUG). Normally, the /dev/pass* permissions only allow root
to access them, so this is only a safety issue by default.

Also reject CAM_DATA_PADDR and CAM_DATA_SG_PADDR, since these pass
user-supplied physical addresses directly to DMA with no validation,
which on systems without an IOMMU allows arbitrary host memory access.
Add `options PASS_UNSAFE_PADDR` to allow the old behavior.

Verified that camdd, camcontrol, smartmontools, and cdrtools use only
func_codes on the allowlist (XPT_SCSI_IO, XPT_ATA_IO, XPT_NVME_IO,
XPT_NVME_ADMIN, XPT_PATH_INQ, XPT_GDEV_TYPE, XPT_GET_TRAN_SETTINGS,
XPT_SET_TRAN_SETTINGS, XPT_RESET_DEV, XPT_DEBUG) and none use
CAM_DATA_PADDR.

PR: 293888, 293890
Assisted-By: Claude Opus 4.6 (1M context)
Sponsored by: Netflix
Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D56486


Revision tags: release/13.5.0-p12, release/14.3.0-p11, release/14.4.0-p2, release/15.0.0-p6
# a338f5a0 20-Apr-2026 Minsoo Choo <minsoo@minsoo.io>

conf: remove trailing whitespace

This prevents unwanted change when saving files on IDEs (e.g. VSCode,
Zed)

Signed-off-by: Minsoo Choo <minsoo@minsoo.io>
Sponsored by: The FreeBSD Foundation
Pull request: https://github.com/freebsd/freebsd-src/pull/2152


# 87bea33a 02-Apr-2026 Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>

nd6: Remove DRAFT_IETF_6MAN_IPV6ONLY_FLAG and EXPERIMENTAL options

The draft-ietf-6man-ipv6only-flag has been obsoleted by RFC 8925.
Remove the EXPERIMENTAL compile option from the kernel and remove
DRAFT_IETF_6MAN_IPV6ONLY_FLAG from userland.
This compile option was not enabled by default.
Also regenerate src.conf.5.

Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D56228


# 254b23eb 27-Mar-2026 Pouria Mousavizadeh Tehrani <pouria@FreeBSD.org>

routing: Retire ROUTE_MPATH compile option

The ROUTE_MPATH compile option was introduced to
test the new multipath implementation.
Since compiling it has no overhead and it's enabled
by default, remove it.

Reviewed by: melifaro, markj
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D55884


Revision tags: release/13.5.0-p11, release/14.3.0-p10, release/14.4.0-p1, release/15.0.0-p5
# 9318336f 24-Mar-2026 Christos Margiolis <christos@FreeBSD.org>

sound: Retire SND_FEEDER_MULTIFORMAT and SND_FEEDER_FULL_MULTIFORMAT

There is no reason to have these legacy controls anymore, all these
formats can be handled just fine nowadays.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D55937


# bf0e5d98 24-Mar-2026 Christos Margiolis <christos@FreeBSD.org>

sound: Retire SND_OLDSTEREO

This is a legacy option and does not serve a good purpose anymore.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D55933


# 5d311c75 24-Mar-2026 Christos Margiolis <christos@FreeBSD.org>

sound: Retire SND_DEBUG

Not useful anymore.

Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D55932


Revision tags: release/14.4.0, release/13.5.0-p10, release/14.3.0-p9, release/15.0.0-p4, release/15.0.0-p3, release/13.5.0-p9, release/15.0.0-p2, release/14.3.0-p8, release/15.0.0-p1, release/13.5.0-p8, release/14.3.0-p7, release/15.0.0, release/14.3.0-p6, release/13.5.0-p7, release/13.5.0-p6, release/14.3.0-p5, release/13.5.0-p5, release/14.2.0-p7, release/14.3.0-p4, release/14.3.0-p3, release/14.2.0-p6, release/13.5.0-p4, release/13.5.0-p3, release/14.2.0-p5, release/14.3.0-p2, release/14.3.0-p1, release/14.2.0-p4, release/13.5.0-p2, release/14.3.0, release/13.4.0-p5, release/13.5.0-p1, release/14.2.0-p3, release/13.5.0, release/14.2.0-p2, release/14.1.0-p8, release/13.4.0-p4
# d2dea8b4 02-Feb-2025 Michal Meloun <mmel@FreeBSD.org>

arm: Add EARLY_PRINTF for ns8250 on arm/aarch64 platforms.

Reviewed by: adrian (previous version)
MFC after: 3 weeks


# 87b2c016 06-Feb-2026 Quentin Thébault <quentin.thebault@defenso.fr>

sys/conf/options: remove improper full stops

Only keep them when used in a sentence.

Reviewed by: vexeduxr
Signed-off-by: Quentin Thébault <quentin.thebault@defenso.fr>
Sponsored by: Defenso
Closes: https://github.com/freebsd/freebsd-src/pull/2004


# 9d015a91 15-Jan-2026 Mark Johnston <markj@FreeBSD.org>

Remove the DEBUG_VFS_LOCKS kernel option

After commit 3bd8fab2415b ("vfs: Move DEBUG_VFS_LOCKS checks to
INVARIANTS"), this option has no effect. Let's finish the removal.

There are a couple of additional uses in zfs, I will submit a separate
patch upstream for them.

Reviewed by: mckusick, kib
Differential Revision: https://reviews.freebsd.org/D54662


# 0ff0c19e 16-Nov-2025 Cy Schubert <cy@FreeBSD.org>

ipfilter: Disable ipfs(8) by default

At the moment ipfs(8) is a tool that can be easily abused. Though the
concept is sound the implementation needs some work.

ipfs(8) should be considered experimental at the moment.

This commit also makes ipfs support in the kernel optional.

Reviewed by: emaste, glebius
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D53787


# d6f10a5d 28-Oct-2025 David E. O'Brien <obrien@FreeBSD.org>

random: allow disabling of entropy harvesting from keyboard & mice

Reviewed by: jmg
Sponsored by: Juniper Networks
Differential Revision: https://reviews.freebsd.org/D53390


# 3deb21f1 28-Oct-2025 David E. O'Brien <obrien@FreeBSD.org>

random: TPM_HARVEST should have been named RANDOM_ENABLE_TPM

* Enable RANDOM_ENABLE_TPM by default

* The commit of TPM_HARVEST failed to add it to NOTES
so that the LINT kernel would build the code.

Fixes: 4ee7d3b0118c82e651712bb65da53d08e78cd7b1
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D53460


# 685a7857 18-Oct-2025 David E. O'Brien <obrien@FreeBSD.org>

random: remove hifn(4)

The Hifn 7955 & 7956 only support deprecated & NIST disallowed
algorithms (NIST SP800-224idp): SHA1 and SHA1-HMAC.

Furthermore the entropy RNG of the Hifn 7751, 7951, 7811, 7955,
and 7956 has no NIST Entropy Source Validation (ESV) certificate
and cannot be used in a FIPS-140-3 nor Common Criteria environment.

Furthermore the most prolific instance for FreeBSD was the
Soekris Engineering vpn1201, vpn1211, vpn1401, and vpn1411
offerings. These are all 32-bit only processors. The i386
kernel was de-supported in 15.0.

Reviewed by: jhb
Differential Revision: https://reviews.freebsd.org/D53182


# bfdd5b64 13-Oct-2025 Nick Banks <nickbanks@netflix.com>

tcp: improve testing of HPTS

Improve the HPTS API to allow testing and add several tests.

Reviewed by: tuexen
Sponsored by: Netflix, Inc.


# e43fbf27 25-Sep-2025 Vladimir Kondratyev <wulf@FreeBSD.org>

u2f(4): Invert U2F_MAKE_UHID_ALIAS kernel build option

This makes non-GENERIC kernel configs easier to maintain.

Requested by: glebius
MFC after: 2 days


# 92255335 02-Sep-2025 Ed Maste <emaste@FreeBSD.org>

sys: Rename BLOAT_KERNEL_WITH_EXTERR to EXTERR_STRINGS

There's no need for an implied value judgement.

Suggested by: jhb
Reviewed by: kib, jhb
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D52351


# 308fa72e 21-Aug-2025 Michael Tuexen <tuexen@FreeBSD.org>

options: remove stale comment

Fixes: ea916b64125b ("Remove TCP_SAD optional code now that the sack filter performs this function.")
Sponsored by: Netflix, Inc.


# 4a04e0a6 17-Aug-2025 Vladimir Kondratyev <wulf@FreeBSD.org>

u2f(4): a HID driver for FIDO/U2F security keys

While FIDO/U2F keys were already supported by the generic uhid(4) and
hidraw(4) drivers, this driver adds some additional features and does
steps to tighten the security of FIDO/U2F access.

- It automatically loads through devd.
- Automatically enables HQ_NO_READAHEAD for FIDO/U2F devices.
- Implements only minimum set of features.
- Does not require external devfs configuration to set character device
permissions.
- Names character device as u2f/# to make possible capsicum or any
other pledge()-style sandboxing.

PR: 265528
Differential Revision: https://reviews.freebsd.org/D51612


# df114dae 03-Jul-2025 Ruslan Bukin <br@FreeBSD.org>

Import the Hardware Trace (HWT) framework.

The HWT framework provides infrastructure for hardware-assisted tracing. It
collects detailed information about software execution and records it as
"events" in highly compressed format into DRAM. The events cover information
about control flow changes of a program, whether branches taken or not,
exceptions taken, timing information, cycles elapsed and more. This allows
to reconstruct entire program flow of a given application.

This comes with separate machine-dependent tracing backends for trace
collection, trace decoder libraries and an instrumentation tool.

Reviewed by: kib (sys/kern bits)
Sponsored by: UKRI
Differential Revision: https://reviews.freebsd.org/D40466


# 5a8e5215 30-Apr-2025 Hareshx Sankar Raj <hareshx.sankar.raj@intel.com>

qat: add disable safe dc mode for QAT SPR devices

Build and sysctl configuration modes are introduced for QAT SPR
devices to disable safe dc mode. A new QAT driver build option
‘QAT_DISABLE_SAFE_DC_MODE’ is required to build the QAT driver
with code that allows a request to be sent to FW to override the
‘History Buffer’ mitigation. Default QAT driver builds do not
include this ‘QAT_DISABLE_SAFE_DC_MODE’ build option. Even if the
QAT driver was built with code that allows a request to be sent to
FW to override the ‘History Buffer’ mitigation, the QAT driver must
still be configured using sysctl to request an override of the
‘History Buffer’ mitigation if desired. The default QAT driver
configuration option sysctl dev.qat.X.disable_safe_dc_mode does not
allow override of the mitigation. The new sysctl attribute
disable_safe_dc_mode is to be set to 1 for overriding the history
buffer mitigation. Firmware for qat_4xxx is updated for this change.
If this mode is enabled, decompression throughput increases but may
result in a data leak if num_user_processes is more than 1.
This option is to be enabled only if your system is not prone to
user data leaks.

Reviewed by: markj, ziaee
MFC after: 2 weeks
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D50379


# 970a71e1 01-Jun-2025 Konstantin Belousov <kib@FreeBSD.org>

Rename BLOW_KERNEL_WITH_EXTERR to BLOAT_KERNEL_WITH_EXTERR

Guessed by: alc
Sponsored by: The FreeBSD Foundation
MFC after: 1 week


# 2761de08 23-May-2025 Konstantin Belousov <kib@FreeBSD.org>

kern: add extended errors support

Reviewed by: brooks
Sponsored by: The FreeBSD Foundation
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D50483


# c8d8cac2 22-May-2025 Lexi Winter <ivy@FreeBSD.org>

mac_do(4): allow compiling into kernel

The manual page says this is possible, but it's not. Make it possible.

Reviewed by: olce, kevans
Approved by: kevans (mentor)
Differential Revision: https://reviews.freebsd.org/D50451


# 6e764890 31-Mar-2025 Michael Tuexen <tuexen@FreeBSD.org>

tcp: remove support for TCPPCAP

This feature could be used to store the last sent and received TCP
packets for a TCP endpoint. There was no utility to get these packets
from a live system or core.
This functionality is now provided by TCP Black Box Logging, which also
stores additional events. There are tools to get these traces from a
live system or a core.
Therefore remove TCPPCAP to avoid maintaining it, when it is not
used anymore.

Reviewed by: rrs, rscheff, Peter Lei, glebiu
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D49589

