HardenedBSD/hardenedbsd a708ad4 contrib/llvm/tools/lldb/source/Plugins/Process/FreeBSD ProcessMonitor.cpp, sys/conf files

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/unstable

* origin/hardened/current/master:
  blake2: Disable warnings (not just error) for code we will not modify
  bsdgrep: if chain => switch
  bsdgrep: More trivial cleanup/style cleanup
  bsdgrep: Some light cleanup
  lldb: propagate error to user if memory read fails
  makefs: tidy up reach-over source

HardenedBSD/hardenedbsd 246b366 sys/conf files, sys/modules/blake2 Makefile

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  blake2: Disable warnings (not just error) for code we will not modify
  bsdgrep: if chain => switch
  bsdgrep: More trivial cleanup/style cleanup
  bsdgrep: Some light cleanup
  lldb: propagate error to user if memory read fails
  makefs: tidy up reach-over source

HardenedBSD/hardenedbsd 8c37677 tools/tools README

Merge remote-tracking branch 'origin/hardened/11-stable/master' into hardened/11-stable/unstable

* origin/hardened/11-stable/master:
  MFC r332673: Remove mention of tools/recoverdisk, now in sbin
Delta: +0 -1 tools/tools/README (1 file)

HardenedBSD/hardenedbsd b85c780 tools/tools README

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

* freebsd/11-stable/master:
  MFC r332673: Remove mention of tools/recoverdisk, now in sbin
Delta: +0 -1 tools/tools/README (1 file)

HardenedBSD/hardenedbsd 9c0d215 sys/conf files, sys/modules/blake2 Makefile

blake2: Disable warnings (not just error) for code we will not modify

Leave libb2 pristine and silence the warnings for mjg.

HardenedBSD/hardenedbsd 564bfbd usr.bin/grep file.c

bsdgrep: if chain => switch

This makes some of this a little easier to follow (in my opinion).
Delta: +70 -49 usr.bin/grep/file.c (1 file)

HardenedBSD/hardenedbsd ad41916 usr.bin/grep util.c

bsdgrep: More trivial cleanup/style cleanup

We can avoid branching for these easily reduced patterns
Delta: +5 -14 usr.bin/grep/util.c (1 file)

HardenedBSD/hardenedbsd 00c090f usr.bin/grep util.c

bsdgrep: Some light cleanup

There's no point checking for a bunch of file modes if we're not a
practicing believer of DIR_SKIP or DEV_SKIP.

This also reduces some style violations that were particularly ugly looking
when browsing through.

HardenedBSD/hardenedbsd 0a9663e contrib/llvm/tools/lldb/source/Plugins/Process/FreeBSD ProcessMonitor.cpp

lldb: propagate error to user if memory read fails

Previously, an attempt to read an unreadable access reported zeros:

(lldb) memory read -format hex -size 8 0
0x00000000: 0x0000000000000000 0x0000000000000000
0x00000010: 0x0000000000000000 0x0000000000000000
...

Now, if DoReadMemory encounters an error, return 0 (bytes read) so we
report the error to the user:

(lldb) memory read -format hex -size 8 0
error: Bad address

LLVM PR:        37190

MFC after:      1 week
Sponsored by:   The FreeBSD Foundation

HardenedBSD/hardenedbsd 1005f2a tools/tools README

MFC r332673: Remove mention of tools/recoverdisk, now in sbin

PR:            227570
Delta: +0 -1 tools/tools/README (1 file)

HardenedBSD/hardenedbsd 67d0626 usr.sbin/makefs Makefile, usr.sbin/makefs/cd9660 Makefile.inc

makefs: tidy up reach-over source

- cd9660 relies on an #include "iso.h" but does not build any .c files
  out of source, so remove reach-over .PATH
- ffs does not rely on any sys/ headers, so remove -I from CFLAGS.
- ffs_tables from sys/ is used by ffs; move the SRCS entry from the top-
  level Makefile to ffs' Makefile.inc.

Sponsored by:   The FreeBSD Foundation

HardenedBSD/hardenedbsd 4529352 contrib/llvm/lib/Target/X86 X86FlagsCopyLowering.cpp, sys/gnu/dts/arm dra7xx-clocks.dtsi omap44xx-clocks.dtsi

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/unstable

* origin/hardened/current/master:
  regulator: Check status before disabling
  dts: Update our copy from files from Linux 4.16
  Recommit r332501, with an additional upstream fix for "Cannot lower EFLAGS copy that lives out of a basic block!" errors on i386.
  bsdgrep: Break procmatches down a little bit more
  Update our copies of the Device Tree Source to Linux 4.15

HardenedBSD/hardenedbsd cc6cb20 contrib/llvm/lib/Target/X86 X86FlagsCopyLowering.cpp, sys/gnu/dts/arm dra7xx-clocks.dtsi omap44xx-clocks.dtsi

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  regulator: Check status before disabling
  dts: Update our copy from files from Linux 4.16
  Recommit r332501, with an additional upstream fix for "Cannot lower EFLAGS copy that lives out of a basic block!" errors on i386.
  bsdgrep: Break procmatches down a little bit more
  Update our copies of the Device Tree Source to Linux 4.15

HardenedBSD/hardenedbsd d931da6 sys/kern subr_terminal.c, sys/net ieee8023ad_lacp.c

Merge remote-tracking branch 'origin/hardened/11-stable/master' into hardened/11-stable/unstable

* origin/hardened/11-stable/master:
  MFC r319216: Fix an unnecessary/incorrect check in the PKTOPT_EXTHDRCPY macro.
  MFC r319215: Fix two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function.
  MFC r319214: Enforce the limit on ICMP messages before doing work to formulate the response.
  MFC r314286: Do some minimal work to better conform to the 802.3ad (LACP) standard. In particular, don't set the synchronized bit for the peer unless it truly appears to be synchronized to us. Also, don't set our own synchronized bit unless we have actually seen a remote system.
  MFC r314116: Fix a panic during boot caused by inadequate locking of some vt(4) driver data structures.
  MFC r313447: Ensure the idle thread's loop services interrupts in a timely way when using the ACPI C1/mwait sleep method.
  MFC r307083: Currently, when tcp_input() receives a packet on a session that matches a TCPCB, it checks (so->so_options & SO_ACCEPTCONN) to determine whether or not the socket is a listening socket. However, this causes the code to access a different cacheline. If we first check if the socket is in the LISTEN state, we can avoid accessing so->so_options when processing packets received for ESTABLISHED sessions.

HardenedBSD/hardenedbsd a04d74f sys/kern subr_terminal.c, sys/net ieee8023ad_lacp.c

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

* freebsd/11-stable/master:
  MFC r319216: Fix an unnecessary/incorrect check in the PKTOPT_EXTHDRCPY macro.
  MFC r319215: Fix two places in the ICMP6 code where we could dereference a NULL pointer in the icmp6_input() function.
  MFC r319214: Enforce the limit on ICMP messages before doing work to formulate the response.
  MFC r314286: Do some minimal work to better conform to the 802.3ad (LACP) standard. In particular, don't set the synchronized bit for the peer unless it truly appears to be synchronized to us. Also, don't set our own synchronized bit unless we have actually seen a remote system.
  MFC r314116: Fix a panic during boot caused by inadequate locking of some vt(4) driver data structures.
  MFC r313447: Ensure the idle thread's loop services interrupts in a timely way when using the ACPI C1/mwait sleep method.
  MFC r307083: Currently, when tcp_input() receives a packet on a session that matches a TCPCB, it checks (so->so_options & SO_ACCEPTCONN) to determine whether or not the socket is a listening socket. However, this causes the code to access a different cacheline. If we first check if the socket is in the LISTEN state, we can avoid accessing so->so_options when processing packets received for ESTABLISHED sessions.

HardenedBSD/hardenedbsd 1319378 sys/dev/extres/regulator regulator.c

regulator: Check status before disabling

When disabling regulators when they are unused, check before if they are
enabled.
While here don't check the enable_cnt on the regulator entry as it is
checked by regnode_stop.
This solves the panic on any board using a fixed regulator that is driven
by a gpio when the regulator is unused.

Tested On: OrangePi One
Pointy Hat to:      myself
Reported by:    kevans, Milan Obuch (freebsd-arm at dino.sk)

HardenedBSD/hardenedbsd 6044bc4 sys/netinet6 ip6_output.c

MFC r319216:
  Fix an unnecessary/incorrect check in the PKTOPT_EXTHDRCPY macro.

  This macro allocates memory and, if malloc does not return NULL, copies
  data into the new memory. However, it doesn't just check whether malloc
  returns NULL. It also checks whether we called malloc with M_NOWAIT. That
  is not necessary.

  While it may be that malloc() will only return NULL when the M_NOWAIT flag
  is set, we don't need to check for this when checking malloc's return
  value. Further, in this case, the check was not completely accurate,
  because it checked for flags == M_NOWAIT, rather than treating it as a bit
  field and checking for (flags & M_NOWAIT).

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 5470c0d sys/netinet6 icmp6.c

MFC r319215:
  Fix two places in the ICMP6 code where we could dereference a NULL pointer
  in the icmp6_input() function.

  When processing an ICMP6_ECHO_REQUEST, if IP6_EXTHDR_GET fails, it will
  set nicmp6 and n to NULL. Therefore, we should condition our modification
  to nicmp6 on n being not NULL.

  And, when processing an ICMP6_WRUREQUEST in the (mode != FQDN) case, if
  m_dup_pkthdr() fails, the code will set n to NULL. However, the very next
  line dereferences n. Therefore, when m_dup_pkthdr() fails, we should
  discontinue further processing and follow the same path as when m_gethdr()
  fails.

Reported by:    clang static analyzer
Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 60c641c sys/netinet ip_icmp.c, sys/netinet6 udp6_usrreq.c

MFC r319214:
  Enforce the limit on ICMP messages before doing work to formulate the
  response.

  Delete an unneeded rate limit for UDP under IPv6. Because ICMP6
  messages have their own rate limit, it is unnecessary to apply a
  second rate limit to UDP messages.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 8897e4c sys/gnu/dts/arm dra7xx-clocks.dtsi omap44xx-clocks.dtsi

gnu/dts: Update our copy of arm dts from Linux 4.16

HardenedBSD/hardenedbsd 930961d src/arm dra7xx-clocks.dtsi omap44xx-clocks.dtsi

dts: Update our copy from files from Linux 4.16

HardenedBSD/hardenedbsd 33c12c7 sys/net ieee8023ad_lacp.c

MFC r314286:
  Do some minimal work to better conform to the 802.3ad (LACP) standard.
  In particular, don't set the synchronized bit for the peer unless it truly
  appears to be synchronized to us. Also, don't set our own synchronized bit
  unless we have actually seen a remote system.

  Prior to this change, we were seeing some strange behavior, such as:

  1. We send an advertisement with the Activity, Aggregation, and Default
  flags, followed by an advertisement with the Activity, Aggregation,
  Synchronization, and Default flags. However, we hadn't seen an
  advertisement from another peer and were still advertising the default
  (NULL) peer. A closer examination of the in-kernel data structures (using
  kgdb) showed that the system had added the default (NULL) peer as a valid
  aggregator for the segment.
  2. We were receiving an advertisement from a peer that included the
  default (NULL) peer instead of including our system information. However,
  we responded with an advertisement that included the Synchronization flag
  for both our system and the peer. (Since the peer's advertisement did not
  include our system information, we shouldn't add the synchronization bit
  for the peer.)

  This patch corrects those two items.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd f13397c contrib/llvm/lib/Target/X86 X86FlagsCopyLowering.cpp X86InstrInfo.cpp

Recommit r332501, with an additional upstream fix for "Cannot lower
EFLAGS copy that lives out of a basic block!" errors on i386.

Pull in r325446 from upstream clang trunk (by me):

  [X86] Add 'sahf' CPU feature to frontend

  Summary:
  Make clang accept `-msahf` (and `-mno-sahf`) flags to activate the
  `+sahf` feature for the backend, for bug 36028 (Incorrect use of
  pushf/popf enables/disables interrupts on amd64 kernels).  This was
  originally submitted in bug 36037 by Jonathan Looney
  <jonlooney at gmail.com>.

  As described there, GCC also uses `-msahf` for this feature, and the
  backend already recognizes the `+sahf` feature. All that is needed is
  to teach clang to pass this on to the backend.

  The mapping of feature support onto CPUs may not be complete; rather,
  it was chosen to match LLVM's idea of which CPUs support this feature
  (see lib/Target/X86/X86.td).

  I also updated the affected test case (CodeGen/attr-target-x86.c) to
  match the emitted output.


    [118 lines not shown]

HardenedBSD/hardenedbsd 0dde510 usr.bin/grep util.c

bsdgrep: Break procmatches down a little bit more

Split the matching and non-matching cases out into their own functions to
reduce future complexity. As the name implies, procmatches will eventually
process more than one match itself in the future.
Delta: +54 -43 usr.bin/grep/util.c (1 file)

HardenedBSD/hardenedbsd 57774d8 lib/libc/sys procctl.2, sys/kern kern_prot.c kern_procctl.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/unstable

* origin/hardened/current/master:
  Rename PROC_PDEATHSIG_SET -> PROC_PDEATHSIG_CTL and PROC_PDEATHSIG_GET -> PROC_PDEATHSIG_STATUS for consistency with other procctl(2) operations names.
  call racct_proc_ucred_changed() under the proc lock
  Fix use of pointer after being set NULL.
  Add dead_bpf_if structure, that should be used as fake bpf_if during ifnet detach.

HardenedBSD/hardenedbsd 48f9821 lib/libc/sys procctl.2, sys/kern kern_prot.c kern_procctl.c

Merge branch 'freebsd/current/master' into hardened/current/master

* freebsd/current/master:
  Rename PROC_PDEATHSIG_SET -> PROC_PDEATHSIG_CTL and PROC_PDEATHSIG_GET -> PROC_PDEATHSIG_STATUS for consistency with other procctl(2) operations names.
  call racct_proc_ucred_changed() under the proc lock
  Fix use of pointer after being set NULL.
  Add dead_bpf_if structure, that should be used as fake bpf_if during ifnet detach.

HardenedBSD/hardenedbsd d6861ca sys/amd64/amd64 pmap.c, sys/dev/nvme nvme_ns.c

Merge remote-tracking branch 'origin/hardened/11-stable/master' into hardened/11-stable/unstable

* origin/hardened/11-stable/master:
  MFC r306768: If the new window size is less than the old window size, skip the calculations to check if we should advertise a larger window.
  MFC r330511: We shouldn't need to execute code in the recursive page table mappings; therefore, it should be safe to set the NX bit on the PML4E for the recursive page table mappings. According to the Intel docs, the effect of the NX bit should propagate to any page reached through a PML4E which has the NX bit set.
  MFC r330510: Prior to r329071, pmap_bootstrap() used pmap_kmem_choose() to round the first available virtual address to a 2MB boundary. After r329071, create_pagetables() rounds firstaddr up to a 2MB boundary. This ensures the kernel is mapped in super-pages, which is the point of the logic in pmap_kmem_choose(). Therefore, it is no longer necessary for pmap_bootstrap() to round up to the 2MB boundary again.
  MFC r332780,r332783: Intel drives have an optimal alignment for I/O. While they honor I/Os that cross this boundary, they perform better when this isn't the case. Intel uses the 3rd byte in the vendor specific area for this. The DC P3500 was previously listed without any explanation. Add the DC P3520 and DC P4500 to the list.
  MFC r329171: Mark the pages used for the initial page-table entries as wired. This makes them consistent with the way other page-table pages are allocated. It also provides the rest of the VM system a good clue that these pages are used.
  MFC r329071: On bootup, the amd64 pmap initialization code creates page-table mappings for the pages used for the kernel and some initial allocations used for the page table. It maps the kernel and the blocks used for these initial allocations using

    [23 lines not shown]

HardenedBSD/hardenedbsd 6e85474 sys/amd64/amd64 pmap.c, sys/dev/nvme nvme_ns.c

Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master

* freebsd/11-stable/master:
  MFC r306768: If the new window size is less than the old window size, skip the calculations to check if we should advertise a larger window.
  MFC r330511: We shouldn't need to execute code in the recursive page table mappings; therefore, it should be safe to set the NX bit on the PML4E for the recursive page table mappings. According to the Intel docs, the effect of the NX bit should propagate to any page reached through a PML4E which has the NX bit set.
  MFC r330510: Prior to r329071, pmap_bootstrap() used pmap_kmem_choose() to round the first available virtual address to a 2MB boundary. After r329071, create_pagetables() rounds firstaddr up to a 2MB boundary. This ensures the kernel is mapped in super-pages, which is the point of the logic in pmap_kmem_choose(). Therefore, it is no longer necessary for pmap_bootstrap() to round up to the 2MB boundary again.
  MFC r332780,r332783: Intel drives have an optimal alignment for I/O. While they honor I/Os that cross this boundary, they perform better when this isn't the case. Intel uses the 3rd byte in the vendor specific area for this. The DC P3500 was previously listed without any explanation. Add the DC P3520 and DC P4500 to the list.
  MFC r329171: Mark the pages used for the initial page-table entries as wired. This makes them consistent with the way other page-table pages are allocated. It also provides the rest of the VM system a good clue that these pages are used.
  MFC r329071: On bootup, the amd64 pmap initialization code creates page-table mappings for the pages used for the kernel and some initial allocations used for the page table. It maps the kernel and the blocks used for these initial allocations using 2MB pages.

    [22 lines not shown]

HardenedBSD/hardenedbsd e9074b7 sys/kern subr_terminal.c

MFC r314116:
  Fix a panic during boot caused by inadequate locking of some vt(4) driver
  data structures.

  vt_change_font() calls vtbuf_grow() to change some vt driver data
  structures. It uses TF_MUTE to prevent the console from trying to use
  those data structures while it changes them.

  During the early stage of the boot process, the vt driver's tc_done
  routine uses those data structures; however, it is currently called
  outside the TF_MUTE check.

  Move the tc_done routine inside the locked TF_MUTE check.

PR:            217282
Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd b7da047 sys/dev/acpica acpi_cpu.c, sys/x86/x86 cpu_machdep.c

MFC r313447:
  Ensure the idle thread's loop services interrupts in a timely way when
  using the ACPI C1/mwait sleep method.

  Previously, the mwait instruction would return when an interrupt was
  pending; however, the idle loop did not actually enable interrupts when
  this occurred. This led to a situation where the idle loop could quickly
  spin through the C1/mwait sleep method a number of times when an interrupt
  was pending. (Eventually, the situation corrected itself when something
  other than an interrupt triggered the idle loop to either enable
  interrupts or schedule another thread.)

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd e1c59d7 sys/netinet tcp_input.c

MFC r307083:
 Currently, when tcp_input() receives a packet on a session that matches a
 TCPCB, it checks (so->so_options & SO_ACCEPTCONN) to determine whether or
 not the socket is a listening socket. However, this causes the code to
 access a different cacheline. If we first check if the socket is in the
 LISTEN state, we can avoid accessing so->so_options when processing packets
 received for ESTABLISHED sessions.

 If INVARIANTS is defined, the code still needs to access both variables to
 check that so->so_options is consistent with the state.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 7b0bf1c sys/netinet tcp_output.c

MFC r306768:
  If the new window size is less than the old window size, skip the
  calculations to check if we should advertise a larger window.

HardenedBSD/hardenedbsd 7707c38 sys/amd64/amd64 pmap.c

MFC r330511:
  We shouldn't need to execute code in the recursive page table mappings;
  therefore, it should be safe to set the NX bit on the PML4E for the
  recursive page table mappings.  According to the Intel docs, the effect
  of the NX bit should propagate to any page reached through a PML4E which
  has the NX bit set.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 22473a6 sys/amd64/amd64 pmap.c

MFC r330510:
  Prior to r329071, pmap_bootstrap() used pmap_kmem_choose() to round the
  first available virtual address to a 2MB boundary. After r329071,
  create_pagetables() rounds firstaddr up to a 2MB boundary. This ensures
  the kernel is mapped in super-pages, which is the point of the logic
  in pmap_kmem_choose(). Therefore, it is no longer necessary for
  pmap_bootstrap() to round up to the 2MB boundary again.

  As pmap_bootstrap() was the only user of pmap_kmem_choose(), we can
  delete pmap_kmem_choose().

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd f051bf8 lib/libc/sys procctl.2, sys/compat/freebsd32 freebsd32_misc.c

Rename PROC_PDEATHSIG_SET -> PROC_PDEATHSIG_CTL and PROC_PDEATHSIG_GET
-> PROC_PDEATHSIG_STATUS for consistency with other procctl(2)
operations names.

Requested by:   emaste
Sponsored by:   The FreeBSD Foundation
MFC after:      13 days

HardenedBSD/hardenedbsd 44ba640 sys/dev/nvme nvme_ns.c

MFC r332780,r332783:
    Intel drives have an optimal alignment for I/O. While they honor I/Os
    that cross this boundary, they perform better when this isn't the
    case. Intel uses the 3rd byte in the vendor specific area for
    this. The DC P3500 was previously listed without any explanation. Add
    the DC P3520 and DC P4500 to the list.

    There won't be any other drives needing this quirk. Intel has
    standardized a field in the namespace data in 1.3 (noiob).  A future
    patch will use that if it exists, with fallback to this method.

    Submitted by: Keith Busch
    Reviewed by: jimharris@
    [[ plus tweak comments from 332783 ]]

Sponsored by: Netflix

HardenedBSD/hardenedbsd 6a07d22 sys/amd64/amd64 pmap.c

MFC r329171:
  Mark the pages used for the initial page-table entries as wired. This
  makes them consistent with the way other page-table pages are allocated.
  It also provides the rest of the VM system a good clue that these pages
  are used.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd a595981 sys/amd64/amd64 pmap.c

MFC r329071:
  On bootup, the amd64 pmap initialization code creates page-table
  mappings for the pages used for the kernel and some initial allocations
  used for the page table. It maps the kernel and the blocks used for
  these initial allocations using 2MB pages.

  However, if the kernel does not end on a 2MB boundary, it still maps the
  last portion using a 2MB page, but reports that the unused 4K blocks
  within this 2MB allocation are free physical blocks. This means that
  these same physical blocks could also be mapped elsewhere - for example,
  into a user process. Given the proximity to the kernel text and data
  area, it seems wise to avoid allowing someone to write data to physical
  blocks also mapped into these virtual addresses.

  (Note that this isn't a security vulnerability: the direct map makes
  most/all memory on the system mapped into kernel space. And, nothing
  in the kernel should be trying to access these pages, as the virtual
  addresses are unused. It simply seems wise to avoid reusing these
  physical blocks while they are mapped to virtual addresses so close
  to the kernel text and data area.)

  Consequently, let's reserve the physical blocks covered by the
  page-table mappings for these initial allocations.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd c8becd3 sys/netinet in_pcb.c, sys/netinet6 in6_pcb.c

MFC r331309:
  If the INP lock is uncontested, avoid taking a reference and jumping
  through the lock-switching hoops.

  A few of the INP lookup operations that lock INPs after the lookup do
  so using this mechanism (to maintain lock ordering):

  1. Lock lookup structure.
  2. Find INP.
  3. Acquire reference on INP.
  4. Drop lock on lookup structure.
  5. Acquire INP lock.
  6. Drop reference on INP.

  This change provides a slightly shorter path for cases where the INP
  lock is uncontested:

  1. Lock lookup structure.
  2. Find INP.
  3. Try to acquire the INP lock.
  4. If successful, drop lock on lookup structure.

  Of course, if the INP lock is contested, the functions will need to
  revert to the previous way of switching locks safely.


    [3 lines not shown]

HardenedBSD/hardenedbsd 5098b0e sys/netinet6 dest6.c ip6_output.c

MFC r331484:
  Remove some unnecessary variable sets in IPv6 code, as detected by
  clang's static analyzer.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd ed4cc7b sys/netinet6 nd6_nbr.c

MFC r331488:
  This change adds a flag to the DAD entry to indicate whether it is
  currently on the queue. This prevents accidentally doubly-removing a DAD
  entry from the queue, while also simplifying some of the logic in
  nd6_dad_stop().

Sponsored by:   Netflix, Inc.
Delta: +17 -12 sys/netinet6/nd6_nbr.c (1 file)

HardenedBSD/hardenedbsd 11361cf sys/netinet tcp_seq.h

MFC r331926:
  r330675 introduced an extra window check in the LRO code to ensure it
  captured and reported the highest window advertisement with the same
  SEQ/ACK.  However, the window comparison uses modulo 2**16 math, rather
  than directly comparing the absolute values.  Because windows use
  absolute values and not modulo 2**16 math (i.e. they don't wrap), we
  need to compare the absolute values.

Sponsored by:   Netflix, Inc.
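As an added illustration (not FreeBSD's tcp_seq.h and not part of the commit above; the macro names and the LRO-style merge step are hypothetical), the block below contrasts a modulo 2**16 window comparison with the absolute comparison the message calls for, and sweeps all 65536 possible advertisements against one recorded window to count where the modular form would make LRO keep the wrong (smaller) window.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical macros, not FreeBSD's own. They express the two ways of
 * asking "is window a larger than window b?" that the commit contrasts.
 */

/* Modular (sequence-number style) comparison via a signed 16-bit difference.
 * The cast of an out-of-range value to int16_t wraps on GCC/Clang, which is
 * exactly the modulo 2**16 behaviour the commit message describes. It is only
 * meaningful when the two values lie within 32767 of each other, which holds
 * for wrapping sequence counters but not for absolute window sizes. */
#define WIN_GT_MODULAR(a, b)  ((int16_t)((uint16_t)(a) - (uint16_t)(b)) > 0)

/* Absolute comparison: 16-bit windows never wrap, so compare them directly. */
#define WIN_GT_ABSOLUTE(a, b) ((uint16_t)(a) > (uint16_t)(b))

/* Constructed LRO-style merge step: given the window already recorded for a
 * SEQ/ACK pair and the window in a newly seen segment with the same SEQ/ACK,
 * return the one that should be kept as the highest advertisement. */
uint16_t keep_highest_modular(uint16_t recorded, uint16_t seen)
{
	return WIN_GT_MODULAR(seen, recorded) ? seen : recorded;
}

uint16_t keep_highest_absolute(uint16_t recorded, uint16_t seen)
{
	return WIN_GT_ABSOLUTE(seen, recorded) ? seen : recorded;
}

/* The modular form agrees with the absolute one only when |a - b| < 2**15. */
bool modular_compare_is_safe(uint16_t a, uint16_t b)
{
	unsigned diff = a > b ? a - b : b - a;
	return diff < 32768u;
}

/* Sweep every possible 16-bit advertisement against one recorded window and
 * count how often the modular comparison would keep a different (wrong)
 * window than the absolute comparison. */
unsigned count_modular_misreports(uint16_t recorded)
{
	unsigned wrong = 0;
	for (unsigned seen = 0; seen <= 0xffffu; seen++) {
		uint16_t m = keep_highest_modular(recorded, (uint16_t)seen);
		uint16_t a = keep_highest_absolute(recorded, (uint16_t)seen);
		if (m != a)
			wrong++;
	}
	return wrong;
}

int main(void)
{
	uint16_t recorded = 100, seen = 65000;

	/* A large but perfectly legal window looks "smaller" under modular math. */
	printf("modular keeps %u, absolute keeps %u\n",
	    keep_highest_modular(recorded, seen),
	    keep_highest_absolute(recorded, seen));
	printf("advertisements misreported for recorded=%u: %u of 65536\n",
	    recorded, count_modular_misreports(recorded));
	return 0;
}
```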

HardenedBSD/hardenedbsd e17863c sys/netinet tcp_usrreq.c

MFC r332120:
  If a user closes the socket before we call tcp_usr_abort(), then
  tcp_drop() may unlock the INP.  Currently, tcp_usr_abort() does not
  check for this case, which results in a panic while trying to unlock
  the already-unlocked INP (not to mention, a use-after-free violation).

  Make tcp_usr_abort() check the return value of tcp_drop(). In the case
  where tcp_drop() returns NULL, tcp_usr_abort() can skip further steps
  to abort the connection and simply unlock the INP_INFO lock prior to
  returning.

Sponsored by:   Netflix, Inc.

HardenedBSD/hardenedbsd 3cd5284 sys/kern kern_prot.c kern_jail.c

call racct_proc_ucred_changed() under the proc lock

The lock is required to ensure that the switch to the new credentials
and the transfer of the process's accounting data from the old
credentials to the new ones is done atomically.  Otherwise, some updates
may be applied to the new credentials and then additionally transferred
from the old credentials if the updates happen after proc_set_cred() and
before racct_proc_ucred_changed().

The problem is especially pronounced for RACCT_RSS because
- there is a strict accounting for this resource (it's reclaimable)
- it's updated asynchronously by the vm daemon
- it's updated by setting an absolute value instead of applying a delta

I had to remove a call to rctl_proc_ucred_changed() from
racct_proc_ucred_changed() and make all callers of the latter call the
former as well.  The reason is that rctl_proc_ucred_changed, as it is
implemented now, cannot be called while holding the proc lock, so the
lock is dropped after calling racct_proc_ucred_changed.  Additionally,
I've added calls to crhold / crfree around the rctl call, because
without the proc lock there is no guarantee that the new credentials,
owned by the process, will stay stable.  That does not eliminate a
possibility that the credentials passed to the rctl will get stale.
Ideally, rctl_proc_ucred_changed should be able to work under the proc
lock.

    [8 lines not shown]

HardenedBSD/hardenedbsd b466e4b sys/pc98/cbus scterm-sck.c

- Use __FBSDID().
- Fix pc98 build.
  Merge from sys/dev/syscons/scterm-teken.c r330918.

HardenedBSD/hardenedbsd e604fd7 sys/conf files.pc98

MFi386: r329199

  Move signal trampolines out of locore.s into separate source file.

This fixes pc98 build.

HardenedBSD/hardenedbsd 894b340 sys/fs/nfsclient nfs_clport.c

Fix use of pointer after being set NULL.

Using a pointer after setting it NULL is probably not a good plan.
Spotted by inspection during changes for Flexible File Layout Ioerr handling.
This code path obviously isn't normally executed.

MFC after:      1 week

HardenedBSD/hardenedbsd c6192ec sys/net bpf.c

Add dead_bpf_if structure, that should be used as fake bpf_if
during ifnet detach.

Since destroying an interface is not an atomic operation and due to the
lack of synchronization during destroy, it is possible that in the
time between bpfdetach() and if_free() some mbuf queued on the interface
being destroyed will be used by ether_input_internal() and
bpf_peers_present() can dereference a NULL bpf_if pointer. To protect
from this, assign a pointer to an empty bpf_if_ext structure instead of a
NULL pointer after bpfdetach().

Reviewed by:    melifaro, eugen
Obtained from:  Yandex LLC
MFC after:      1 week
Sponsored by:   Yandex LLC
Differential Revision:  https://reviews.freebsd.org/D15083
Delta: +5 -1 sys/net/bpf.c (1 file)

HardenedBSD/hardenedbsd 8eaaab0 sys/netpfil/ipfw/nat64 nat64lsn.c

MFC r332467:
  To avoid possible deadlock do not acquire JQUEUE_LOCK before callout_drain.

HardenedBSD/hardenedbsd 3d8e00b sys/netinet6 ip6_fastfwd.c

MFC r332475:
  Add a check that the mbuf does not have a multicast layer-2 address.
  Such packets should be handled by ip6_mforward().