IABSD.fr/src

Branch :


Log

Author Commit Date CI Message
bf77f779 2025-05-24 06:50:02 sync
75937829 2025-05-24 06:49:16 In the old gprof profiling subsystem, the simplistic profil() syscall told the kernel about the sample buffer, and then the normal exit-time _mcleanup() would finalize the buffer, open()'ed a file and write out the details. This file opening has become increasingly impossible because of our privsep / privdrop, chroot, setresuid uid-dropping, pledge, unveil, and other efforts. So people stopped using gprof. Programs which needed profiling needed substantial mitigation removal changes to put them under test. In the new gprof profiling subsystem, profil() is enhanced to provide more buffer information to the kernel, as well as better instructions for where the file should be written. At normal exit-time mcleanup(), after finalizing the buffer, the process simply terminates via _exit(2), and the kernel does all the opening and writing in a safe way. The file is now deposited into the starting directory, or into PROFDIR as determined at program start, with safety issues taken into consideration. Additional side effecs: - The monstartup(3) interface will go away, it cannot be supported. - profil() is now allowed in pledge "stdio", access is decided by the -pg ELF note - gmon.out is renamed to gmon.progname.pid.out, due to pervasive multi-process privsep practices prompted originally by job and claudio for use in rpki-client and bgpd advice from kettenis and claudio
c56c8d96 2025-05-24 06:47:27 Adapt to new maloc_options declaration
d6f14666 2025-05-24 06:43:37 Plug leak of startup_pollfd in debug and child paths. Coverity CID 405024, ok djm@
a0e2dd05 2025-05-24 06:40:29 Adapt test to new malloc_options regime
27c41a1c 2025-05-24 06:32:12 As a first step in making the gprof profiling subsystem compatible with all of our privsep work, add an ELF note to gcrt0, this means we know which binaries have been compiled with -pg. ok kettenis
58e1f4f3 2025-05-24 04:41:12 add some verbosity
a274c9fc 2025-05-24 04:41:03 use start_ssh_agent() to ensure we get logging add some verbosity
914a0bf5 2025-05-24 04:40:37 add a start_ssh_agent() function that sets up an agent with logging
cbb4578c 2025-05-24 04:19:06 Link regress udpthread to build.
088dbb11 2025-05-24 04:17:26 Fix races in regress udpthread. Other threads could cause errors that are stored at the socket. If next system call gets such an error, just ignore it.
e76dad40 2025-05-24 04:05:18 Update and improve documentation for pkcs8 -v2 with input from jsing
42c46e78 2025-05-24 03:44:06 Bring regress tcpthread in sync with udpthread. Switch tcpthread to arc4random() to run through test cases more aggressively. Fix or workaround races that caused test abort. Reduce difference between tcp and udp thread tests.
d89dc0d6 2025-05-24 03:40:54 Remove ssh-keygen's moduli screen -Omemory option. This vaguely made sense 20 years ago, but these days you'd be hard pressed to *find* a machine small enough to not support the maximum (127MB), and no one is screening moduli on such machines anyway, so just use the max. This also fixes Coverity CID 470522 by deleting code in question. "kill it with fire" djm@.
3bab43df 2025-05-24 03:39:48 Remove ssh-keygen's moduli screen -Omemory option. This vaguely made sense 20 years ago, but these days you'd be hard pressed to *find* a machine small enough to not support the maximum (127MB), and no one is screening moduli on such machines anyway, so just use the max. This also fixes Coverity CID 470522 by deleting code in question. "kill it with fire" djm@.
4a91b963 2025-05-24 03:37:40 Remove ssh-keygen's moduli screen -Omemory option. This vaguely made sense 20 years ago, but these days you'd be hard pressed to *find* a machine small enough to not support the maximum (127MB), and no one is screening moduli on such machines anyway, so just use the max. This also fixes Coverity CID 470522 by deleting code in question. "kill it with fire" djm@.
6a4a1089 2025-05-24 02:57:14 Crank default salt length of PBE2 to 16 octets FIPS is currently revising their PBKDF2 recommendations and apparently they want to require 16 octets. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
79d0c6f3 2025-05-24 02:56:41 Add [-w percent] and /etc/apm/warnlow hook So '-w25 -Z15' can log charge level and run the warnlow script to, e.g. play a sound or pop a window when running on battery below 25%, *before* life^work saving hibernate/suspend kicks in. OK tobhe Feedback jmc
08d9e4c1 2025-05-24 02:54:09 Switch the default PBMAC to hmacWithSHA256 Using hmacWithSHA1 isn't outrageously bad, but newly generated encrypted password files ought to be using something better. Make it so. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok joshua
3f2f4c76 2025-05-24 02:46:02 add directory for gbm backends, used by newer Mesa
716755a3 2025-05-24 02:35:25 Switch default to PBES2 for openssl pkcs8 -topk8 We currently use the glorious default of NID_pbeWithMD5AndDES_CBC which we inherited from OpenSSL. This could have been worse - there is also NID_pbeWithMD2AndDES_CBC... The way this diff works is that the undocumented PKCS8_encrypt() API uses the PKCS#5v2 code path when it's passed a NID of -1 and requires a cipher to succeed, otherwise it uses the PKCS#5v1.5 path. So pass in a sensible cipher, namely AES-CBC-256, and let layers of muppetry cascade to doing something resembling the right thing. This still uses the default of hmacWithSHA1 and a somewhat short salt, which will be improved in a subsequent commit. https://github.com/pyca/cryptography/issues/12949 https://github.com/libressl/portable/issues/1168 ok kenjiro joshua jsing
ab118c17 2025-05-24 02:33:33 Fix compile error on 32bit platforms. Spotted by & ok tb@
754ffb53 2025-05-24 02:03:02 openssl speed: use single md buffer for digests ok jsing tb
44dd73a1 2025-05-24 02:01:28 Use pointer from strprefix in error message, missed in previous.
173f4495 2025-05-24 00:19:09 timeout_add_ticks doesnt have to do rounding now it's callers do it. timeout_add_ticks turned short (less than 1 tick but greater than 0) timeouts into 1 tick timeouts. timeout_add_nsec/usec/msec round themselves up now, so this isn't necessary anymore.
86ddee2d 2025-05-24 00:11:08 have timeout_add_nsec/usec/msec wait at least their specified time. timeouts run off kernel clock ticks which are longer than nsec/usec/msec intervals, so simply dividing these values by how long a tick is will truncate the desired times. to mitigate this, round up the value before the divide. rounding up can lead to integer overflow, so detect this and clamp the value to the max sleep time. while here get timeout_add_sec to check for a negative time like timeout_add does to the specified tick interval. discussed with many help with the int overflow stuff from djm@ ok sashan@
a86a4190 2025-05-23 23:56:14 deprecate timeout_add_tv now that nothing uses it anymore. i feel like it was a bit of a footgun because timeouts had to assume that the timeval passed is valid. the api only returns whether the timeout was added or already pending, it's not clear what it should do if the timeval is invalid. ok mpi@ bluhm@
b00facf8 2025-05-23 23:41:46 replace timeout_add_tv with timeout_add_nsec via TIMEVAL_TO_NSEC. this is the last use of timeout_add_tv, which id like to deprecate. ok mp@ bluhm@
403e61e5 2025-05-23 23:39:30 replace timeout_add_tv with timeout_add_usec this changes the calculation of the interval slightly, but in practice it should not make a difference. this is a step toward deprecating timeout_add_tv. ok mpi@ bluhm@
0cc6f778 2025-05-23 16:19:52 Spawn multiple threads and run system calls on UDP socket in parallel. Setup UDP sockets on localhost and run system calls connect(2), send(2), recv(2), recvfrom(2), and close(2) in parallel. In addition stress test for socket splicing, unsplice, max length and idle timeout can run. The successful operations are counted.
b59df021 2025-05-23 14:33:23 Fix a mismerge in the tzcode2013d update
ce54b553 2025-05-23 12:52:45 Replace strncmp and strncasecmp with hand-counting bytes with strprefix. nits lucas@, ok lucas@ djm@
6c206b51 2025-05-23 11:54:50 Include stdint.h for UINT32_MAX.
c75d946f 2025-05-23 11:50:21 remove unused ice(4) softc fields inherited from FreeBSD iflib if_softc_ctx Leaving TSO-related ones in place for now, since TSO is still a todo item.
801be1c5 2025-05-23 11:25:35 Ensure args to nh_update() fit within uint32, which it should always anyway. Placates Coverity CID 470520. While there, fix the upstream URL. ok djm@
09743abc 2025-05-23 09:56:26 Set an RSS key and lookup table so traffic is properly distributed across the queues, and copy the RSS hash into received packets as the flow ID. from Yuichiro NAITO, lightly modified
d88d09a1 2025-05-23 09:53:15 ice(4) supports some offloading now, remove CAVEATS section. Mention that firmware is required for multi-queue operation.
3f82bc0a 2025-05-23 09:26:25 Don't leak the args list. Coverity CIDs 481569 & 481570, ok job@ tb@.
f3256d04 2025-05-23 09:16:14 enable RSS in ice(4), and enable Tx/Rx across multiple queues Port ice_upd_prof_hw() and related functions from FreeBSD which were still missing from the RSS init code path. With 9k jumbo frames I am now seeing about 10Gbit/s throughput in multi-threaded iperf benchmarks against FreeBSD ice(4).
19fb9659 2025-05-23 09:11:06 remove unused and redundant isc_nrxqsets and isc_ntxqsets variables from ice(4)
dc13af7a 2025-05-23 08:57:49 implement ice(4) Tx checksum offloading test + ok bluhm@
ae5c9834 2025-05-23 08:40:13 Explictly set LC_ALL=C on each sort invocation. Remove it from sshd_config (where it could be overridden by shell startup scripts, eg on macos-15) causing random test failures. with & ok djm@
27d5f987 2025-05-23 05:48:13 put -R in the right place in the options list: apologies, ken, for not spotting this in the diff review; i also added a colon to "For example", and added a missing space in ".Ar file."
c9e61bd7 2025-05-23 03:46:08 Add the ability to run individual ruby ssl test for figuring out what is going on when these break ok tb@
cad777a1 2025-05-23 03:13:33 stacktrace_save_utrace() should be more robust Currently the function assumes the frame pointer address which comes from userland is always valid frame pointer address. Unfortunately if the frame address gets corrupted such it fits a kernel memory address range, then stacktrace_save_utrace() function just dereferences the address causing a kernel crash. The fix makes sure that as soon as stack unwinding crosses kernel<->userland boundary it never attempts to interpret the frame address to be coming from kernel. So after crossing the boundary all frame pointer addresses are passed to copyin(9f) to obtain a next frame. copyin(9f) then may fail with error indicating the stack is corrupted and stack unwinding process should stop. The fix was discussed at tech@. The idea to use two loops comes from tedu@ There is also a todo note from claudio@: skip iteration over kernel frames just find the first userland's frame and start there. OK tedu@
449dd8e0 2025-05-23 03:06:09 Add preliminary support for RTL8157. Tested: RTL8153 (0x5c20/0x5c30): stsp
1a842094 2025-05-23 03:05:05 sync
191dd14a 2025-05-23 03:04:43 Add USB product ID for RTL8157
1b0dae99 2025-05-23 02:50:08 handle in_s4 moving to pm notifier
5a206aca 2025-05-23 02:48:47 drm/amdgpu: fix pm notifier handling From Alex Deucher 25e07c8403f4daad35cffc18d96e32a80a2a3222 in linux-6.12.y/6.12.30 4aaffc85751da5722e858e4333e8cf0aa4b6c78f in mainline linux
5c0b549e 2025-05-23 02:47:09 drm/fbdev-dma: Support struct drm_driver.fbdev_probe From Thomas Zimmermann 25998ed87f0c8772bd5faf8ee92d831f1c69e1d0 in linux-6.12.y/6.12.30 8998eedda2539d2528cfebdc7c17eed0ad35b714 in mainline linux
f621b50a 2025-05-23 02:44:18 dma-buf: insert memory barrier before updating num_fences From Hyejeong Choi fe1bebd0edb22e3536cbc920ec713331d1367ad4 in linux-6.12.y/6.12.30 72c7d62583ebce7baeb61acce6057c361f73be4a in mainline linux
6f46f340 2025-05-23 02:42:45 drm/amd/display: Avoid flooding unnecessary info messages From Wayne Lin 64a33088adf2b4b23f34566d18ac73e8b4f64243 in linux-6.12.y/6.12.30 d33724ffb743d3d2698bd969e29253ae0cff9739 in mainline linux
bfa243c3 2025-05-23 02:41:09 drm/amd/display: Correct the reply value when AUX write incomplete From Wayne Lin 2d125a1f0d61bf224ed7fe6ce2f4f7d4f37b4c61 in linux-6.12.y/6.12.30 d433981385c62c72080e26f1c00a961d18b233be in mainline linux
98b3332a 2025-05-23 02:39:20 drm/amdgpu: csa unmap use uninterruptible lock From Philip Yang 8d71c3231b33e24a911b8f2d8c3a17ee40aa32d5 in linux-6.12.y/6.12.30 a0fa7873f2f869087b1e7793f7fac3713a1e3afe in mainline linux
ecabef8d 2025-05-23 02:37:58 drm/amdgpu: fix incorrect MALL size for GFX1151 From Tim Huang e54f20c5a17e8dff4bb54f4f88ec098dc905ee41 in linux-6.12.y/6.12.30 2d73b0845ab3963856e857b810600e5594bc29f4 in mainline linux
5133bdf5 2025-05-23 02:36:37 Revert "drm/amd/display: Hardware cursor changes color when switched to software cursor" From Melissa Wen c75f3f9cbfb7a84254285c587840afe4494d6992 in linux-6.12.y/6.12.30 fe14c0f096f58d2569e587e9f4b05d772272bbb4 in mainline linux
4d9edfda 2025-05-23 02:35:08 Revert "drm/amd: Stop evicting resources on APUs in suspend" From Alex Deucher 5d9d62323e1893e6f429fad7da19a652088cac21 in linux-6.12.y/6.12.30 d0ce1aaa8531a4a4707711cab5721374751c51b0 in mainline linux
7eb2eeb0 2025-05-23 02:32:31 drm/amd: Add Suspend/Hibernate notification callback support From Mario Limonciello 4d45a5f1e2a04f5f84d5d5121dfbfff8d65c9c1c in linux-6.12.y/6.12.30 2965e6355dcdf157b5fafa25a2715f00064da8bf in mainline linux
c9b0513d 2025-05-23 02:26:42 add register_pm_notifier() for 6.12.30 drm
0142a991 2025-05-23 01:14:35 Import regenerated moduli.
d5361483 2025-05-23 00:40:45 use "const char * const" for malloc_options here also
fb69fb32 2025-05-23 00:40:05 When commons were deprecated, noone noticed that malloc_options in static binaries had become unlinkable. Change the libc definition to weak to solve that, and to "const char * const" so that noone will try to set it late. It must be stable before the first malloc() call, which could be before main()... discussion with otto, kettenis, tedu
a3f9d031 2025-05-23 00:20:02 Add -R to recover/create GPT or MBR from a file or partial GPT. Feedback from lucas@ kettenis@ jmc@ Tests, fixes and ok lucas@
2f076c17 2025-05-22 15:00:32 Fix vmm(4) regress test after recent UVM change. Now VMM_IOC_SHAREMEM creates the shared mappings for vmd(8). So vmd(8) does no have to map -> unmap -> VMM_IOC_SHAREMEM, i.e. remap. from hshoexer@; OK dv@
896a7df4 2025-05-22 12:44:14 Do a clean up pass over the GCM code. Rework some logic, add explicit numerical checks, move assignment out of variable declaration and use post-increment/post-decrement unless there is a specific reason to do pre-increment. ok kenjiro@ tb@
38645cd8 2025-05-22 12:33:36 Use timingsafe_memcmp() in CRYPTO_gcm128_finish(). When checking the GCM tag, use timingsafe_memcmp() instead of memcmp(). ok tb@
3a8b92ef 2025-05-22 12:14:19 Adjust debug message to prevent (unsigned) integer overflow. Fixes Coverity CID 481110, ok djm@
3d8cde81 2025-05-22 11:33:04 Update/improve FAT partition names. FAT has survived the rise and fall of DOS and Win95. No need to continue to defer to them. Originally from sobrado@
ba45935f 2025-05-22 10:50:10 ix(4): use 4k clusters in LRO mode to avoid m_defrag calls ok bluhm
90a7f92b 2025-05-22 09:15:48 Bring up multiple transmit and receive queues. The IAVF spec only says we have at least 5 vectors, so limit to 4 queues. We're not setting a proper RSS key or lookup table yet, so traffic is not distributed across queues correctly. from Yuichiro NAITO
4e120550 2025-05-22 08:55:11 sync
134c5a4e 2025-05-22 08:32:50 pass correct sizes to free() calls in ice_free_vsi_qmaps()
a10bf9eb 2025-05-22 08:25:26 Simplify SSL_alert_desc_string SSL_alert_desc_string() is only used by our good old friends M2Crypto and Net::SSLeay. While some of the two-letter combinations can be made sense of without looking at the switch, I guess, this is just a completely useless interface. The same level of uselessness can be acchieved in a single line matching BoringSSL. ok joshua kenjiro
80f2f779 2025-05-22 08:01:29 Bump UTF8_SIZE to the maximum 32 because there are some crazy long UTF-8 sequences out there (GitHub issue 4506). This should not significantly increase typical memory consumption because we only store each Unicode character once in the shared cache.
abdf2f73 2025-05-22 07:49:24 Typo, from someone in GitHub issue 4511.
8e7844d6 2025-05-22 07:46:38 When there are more than two horizontal windows and the active window is in not on an edge, correctly highlight both its left and right borders. GitHub issue 4513 from Michael Grant.
9bb79675 2025-05-22 07:43:38 Add a set-default style attribute which replaces the current default colours and attributes completely, useful at the start of compound format strings (like status-format) to set the default colours for all the following options.
e037dc57 2025-05-22 07:31:18 Use literal <> characters instead of Aq macros. From Evan Silberman
0814c25f 2025-05-22 06:41:20 Move packet classifier defines to if_ixlreg.h so iavf(4) can see them too. ok dlg@
e4db903d 2025-05-22 06:40:26 Fix HTTP CONNECT proxy support to not treat responses like "HTTP/1.0 200poo" as success; patch from Spiros Thanasoulas
85baac77 2025-05-22 06:34:03 The current way to adjust pf(4) limits in pf.conf(5) is inconvenient. For example when ruleset uses more than 512 anchors (the current default limit) one would typically add 'set limit anchor 1024' to adjust the limit so the 'pf.conf(5)' gets processed. Unfortunately it does not work because limit gets changed with DIOCXCOMMIT which is too late. The pf.conf(5) fails to load the anchors to transaction, because the old lower limit is still in place. To fix it we must set the limit as soon as we parse 'set limit ...' option. The issue has been reported and fix tested by rafal _dot_ ramocki _von_ eo.pl OK @bluhm
ec3f7096 2025-05-22 05:58:36 Reinstate mention of chroot(2) and user quoting That should clarify the implications of, e.g. symlink behaviour inside the directory being served. Input OK schwarze jmc
f30feaa1 2025-05-22 04:54:14 asn1: merge invalid generalized time tests into invalid time tests Previously, invalid generalized time tests were split into a separate set of test vectors and a flag was used when calling the test function to indicate they should be tested as generalized only. This simplifies the code a bit, and makes converting to the new test framework easier. ok jsing
43496798 2025-05-22 04:34:18 Fix OpenBSD RCS ID typos. from Andrius V
94488e84 2025-05-22 04:24:11 get rid of unecessary casts ok florian@
133e2625 2025-05-22 04:22:03 Output the current name for PermitRootLogin's "prohibit-password" in sshd -T instead of its deprecated alias "without-password". bz#3788, patch from cjwatson at debian.org.
533f560f 2025-05-22 03:53:46 Copy arg to be passed to dirname(). POSIX allows dirname() to modify its args and return a pointer into it, so this prevents an overlapping strlcpy. bz#3819, patch from cjwatson at debian.org
3ac71bda 2025-05-22 03:41:10 Add $OpenBSD$ marker for easier syncing.
0a034d76 2025-05-22 03:35:40 Convert sha_test to use new test framework ok beck
afab96b3 2025-05-22 03:24:47 Convert md_test to use new test framework ok jsing tb beck
40adde36 2025-05-22 03:12:33 Fix trailing whitespace.
f4df864d 2025-05-22 03:09:00 Remove redundant NULL check from divert_packet() that it already in in_pcbunref().
0487f6a6 2025-05-22 03:04:01 Add PERFORMANCE_LEVEL_SET logic and initialize all domains to the same level. On Snapdragon X Elite there are 3 performance domains spanning 4 CPUs each, where each can go from level 0 (719 Mhz) to 12 (3418 Mhz). By default domain 0 boots into level 10, domains 1 and 2 boot into level 12. Since the kernel only understands a single global performance value we keep them in sync by initializing them all to 12 for now. While there, also move PERFORMANCE_LEVEL_GET to a separate function and clean up a bit. ok patrick@
32856335 2025-05-22 02:23:41 Fix test_errorf macro expanding to two lines This caused test_fail to always be called when used in certain conditions, and wrapping with do {} while (0) fixes this.
6359e523 2025-05-22 02:10:27 TAL stands for Trust Anchor Locator, not Location ok beck
d758b026 2025-05-22 01:40:21 pkg_delete -c does more than file cleanup
58283cdb 2025-05-22 00:13:47 Add basic HKDF test using EVP_PKEY_HKDF Add a basic test case for HKDF using EVP_PKEY_HKDF to evp_test.c. This test verifies the correct derivation of output keying material using SHA-256, matching the test vector from RFC 5869 Appendix A.1. ok tb@ joshua@
91d6bc35 2025-05-21 21:42:19 Fix wrong description of PKG_CONFIG_DEBUG_SPEW. Add complete description of PKG_CONFIG_MAXIMUM_TRAVERSE_DEPTH. Improve descriptions of various other options and variables. This patch was accepted and pushed upstream by Ariadne Conill.
c902741c 2025-05-21 18:41:41 Define CPU_MIN_BUSY_CYCLES and CPU_MAX_BUSY_CYCLES outside of MULTIPROCESSOR since the ddb_mtx_enter is not under MULTIPROCESSOR. This is enough to unbreak GENERIC kernels. Reported by tb@