Git 1111a44301 - main - Defer the January 19, 2038 date limit in
UFS1 file systems to February 7, 2106 - did so by changing the UFS1
32-bit signed timestamps to unsigned. With this change, time stamps
from before January 1, 1970 went from being negative numbers to
large positive numbers implying times in the future. When such a
time stamp is encountered when an inode is read into memory or when
it is encountered by fsck, its timestamp is replaced with the
kernel's current time.
Andre Albsmeier reported that he had a machine reboot after a power
failure and the battery that maintained its real-time clock had
died. The result was that the system booted with the time set to
five years earlier (absent a real-time clock value, the boot ROM
used the time that the boot ROM had last been updated). The net
result was that fsck reset the time stamps of all files newer than
five years old to the five year old time.
Andres's original request was for a flag in the file system superblock
to say that there are no timestamps from before 1970 in the file
system, so there shouldn't be anything to fix because of the signed
to unsigned switch. But this assumes that no one every does an rsync
or extracts a tar file or restores a dump that introduces an incorrect
time stamp on their system. So this approach was not taken.
This change compares the system's version of the current time to
the last modification time in the file system superblock. If the
current time is earlier than that time then use the last modification
time in the superblock as the value for the current time. There
should be no files in the file system with times newer than the
last modification time in the superblock.
The superblock time stamp is updated in the in-memory superblock
every time any change is made to anything in the file system. The
superblock is written to the disk every 30 seconds, so it may be
off by up to 30 seconds plus the time it sits in the disk cache
waiting to be written if the system has an unclean shutdown (such
as a power failure). Thus, the worst case scenario with this change
is that files written in the last 30 seconds plus disk cache delay
time before the crash may have their times adjusted back by up to
30 seconds plus the disk cache delay time.
Requested by: Andre Albsmeier
Approved by: kib
Reviewed by: kib, imp, Andre Albsmeier
MFC-after: 1 week
Differential Revision: https://reviews.freebsd.org/D57371
Include `<stdbool.h>` instead of defining a local bool enum.
This avoids duplicating a standard type name and keeps the
source compatible with headers that provide bool as a macro,
or in case of C23 that compilers provide it as keyword.
Signed-off-by: Faraz Vahedi <kfv@kfv.io>
Reviewed by: fuz
MFC after: 1 month
Pull Request: https://github.com/freebsd/freebsd-src/pull/2203
The timestamp_origin test sends an ICMP Timestamp Request (ping -Mt) and parses
the tso/tsr fields out of the reply.
When the sysctl net.inet.icmp.tstamprepl is 0, the kernel silently drops the
request, ping receives no reply, and the sed extraction yields an empty $tso.
The test then fails inside atf_check test -n "$tso" with the unhelpful message
Approved by: maxim
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D57287
pselect(2) might overflow if the desciptor number is above
FD_SETSIZE and silently corrupt the stack. Switch to ppoll(2) so
the receive socket fd is no longer constrained by FD_SETSIZE.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D56721
Make the behaviour similar for both IPv4 and IPv6. Also add
the corresponding tests.
PR: 294733
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56618
- gjournal.c needs param.h to get a definition of isclr().
- fsck.h needs signal.h for sig_atomic_t.
Sort includes while here.
Reviewed by: kib
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56858
* do not require just only ip6 proto for flow-id opcode in ipfw(8).
ipv6-icmp, tcp, udp should be fine too.
* fix off-by-one bug leading to out-of-bounds read.
* apply IPV6_FLOWLABEL_MASK before comparison in flow6id_match(),
so flow-id opcode will match a specified flow label. No need to
take protocol version and traffic class into account.
* add the test to verify that opcode is working correctly.
Reviewed by: pouria
Obtained from: Yandex LLC
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56869
When fsck_msdosfs runs with FAT32 cache mode (used for large
filesystems that cannot be mmap'd), a detected FAT header correction
was written into the in-memory buffer but the corresponding cache
entry (fat32_cache_allentries[0]) was never marked dirty. As a
result, fat_flush_fat32_cache_entry() skipped it, the corrected
bytes were never written to disk, and copyfat() propagated the
uncorrected on-disk data to all backup FAT copies. Every subsequent
fsck run would repeat the same "FAT starts with odd byte sequence /
FIXED" cycle indefinitely.
Fix by marking fat32_cache_allentries[0].dirty = true after applying
the in-memory correction, ensuring the chunk is flushed before
copyfat() runs.
Obtained from: https://android-review.googlesource.com/c/platform/external/fsck_msdos/+/4047981
MFC after: 3 days
The FreeBSD network stack, for better or worse, does not impose any
requirements on interface names. As such it's valid for an interface
name to start with a number (or indeed, be something like '⭐').
Allow this in pfctl, and add a test case for the specific case of
interface names starting with a number.
Note that we don't support UTF-8 names fully, so those may still fail.
PR: 295064
MFC after: 1 week
Sponsored by: Rubicon Communications, LLC ("Netgate")
When dumping states optionally (at '-vv') also show the rule which
created the state. This can be helpful if the ruleset changed and we
want to know what rule created the state.
Sponsored by: Rubicon Communications, LLC ("Netgate")
Avoid dependency on INET (IPv4) by using PF_LOCAL,
allowing media check to work on systems without INET support.
PR: 295045
Reviewed by: kevans
MFC after: 1 week
Previously, devmatch would stop at the first linker.hints file
found in kern.module_path. This meant modules installed in
/boot/modules/ were invisible to devmatch if /boot/kernel/
contained a linker.hints file (which it always does).
Merge hints from all directories in kern.module_path.
This allows third-party or out-of-tree kernel modules in
/boot/modules/ to be auto-loaded by devmatch just like
built-in modules.
Reviewed by: imp
Differential Revivion: https://reviews.freebsd.org/D56847
Don't waste time generating Perl test cases for algorithms that are not
supported in Perl mode only to skip them when they are run.
MFC after: 1 week
Reviewed by: ngie
Differential Revision: https://reviews.freebsd.org/D56687
This is useful for testing alternative service managers
without modifying /etc/rc
MFC After: 1 weeks
Reviewed by: kib
Differential Revision: https://reviews.freebsd.org/D56828
The ATF-python test program was attempting to list test cases that
require scapy. But it attempted to import the scapy module before the
test cases had been listed, resulting in an ImportError that kyua
interpreted as a test program crash.
Fix this behavior by handling that ImportError well enough to list test
cases, but not run them. If scapy isn't present, Kyua will refuse to
run the test cases. But it needs to be able to list them in order to
know to skip them.
Sponsored by: ConnectWise
MFC after: 2 weeks
Reviewed by: maxim
Differential Revision: https://reviews.freebsd.org/D56765
RFC 792 defines the ICMP Originate Timestamp field as milliseconds
since midnight UTC. However, ping(8) currently derives this value
from CLOCK_MONOTONIC, which represents time since an unspecified
starting point and is not related to UTC.
The issue was introduced by commit 1ad76f1b60, which replaced
gettimeofday(2) with clock_gettime(CLOCK_MONOTONIC) for timekeeping
in ping(8).
Fix this by using CLOCK_REALTIME when generating the ICMP originate
timestamp.
Before:
$ ping -Mt -c1 127.0.0.1
ICMP_TSTAMP
PING 127.0.0.1 (127.0.0.1): 56 data bytes
<...> time=0.061 ms tso=16:50:31 tsr=17:38:28 tst=17:38:28
(note the tso is off)
After:
$ ping -Mt -c1 127.0.0.1
ICMP_TSTAMP
PING 127.0.0.1 (127.0.0.1): 56 data bytes
<...> time=0.038 ms tso=17:42:09 tsr=17:42:09 tst=17:42:09
Reviewed by: asomers, glebius
Fixes: 1ad76f1b60
MFC after: 1 month
Differential Revision: https://reviews.freebsd.org/D56759
Get the next hops of the specified route.
route.8 manual will be updated when other actions for
this option are implemented.
Reviewed by: glebius
Differential Revision: https://reviews.freebsd.org/D56191
Add an example for allowing members of the network group to read from
bpf devices. In particular, this allows members of the network group
to monitor traffic without running with root privileges.
Reviewed by: markj, glebius
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D56742
Kernel timestamps are relative to kern.boottime.
With -t, kern.boottime is added and converted to either
a default format or the one specified using the -f option.
Signed-off-by: Andre Albsmeier <mail@ghub.e4m.org>
Reviewed by: kib, pouria
Discussed with: imp
Pull-Request: https://github.com/freebsd/freebsd-src/pull/1985
* Don't iterate over each string three times; once is enough.
* Reject control characters (anything below space) in addition to the
double quote and backslash.
* If an unsafe character is encountered, discard the string instead of
rejecting the entire lease.
* If backslashes are encountered in the file name option, convert them
to forward slashes instead of rejecting the option.
* Tweak the warning messages a bit. Looking through the rest of the
code, it seems to me that notes generally end with a period while
warnings generally don't.
Fixes: 8008e4b88d ("dhclient: Check for unexpected characters in some DHCP server options")
PR: 294886
MFC after: 1 week
Reviewed by: brooks, markj
Differential Revision: https://reviews.freebsd.org/D56740
Encode filenames in the VIS_CSTYLE | VIS_OCTAL style regardless of
output mode. When reading filenames from a checksum file, attempt to
decode them, and use the decoded name unless the decoded name does not
exist but the undecoded one does.
This breaks compatibility with GNU coreutils, which unfortunately uses
a non-reversible encoding when outputting filenames containing
non-printable characters.
While here, drop a sentence about preimage attacks against MD5 and SHA1
from the manual page, as I no longer trust it to be true.
MFC after: 1 week
Reviewed by: bcr, markj
Differential Revision: https://reviews.freebsd.org/D56615
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers. The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.
Approved by: so
Security: FreeBSD-SA-26:15.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations. We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.
Approved by: so
Security: FreeBSD-SA-26:12.dhclient
Security: CVE-2026-42511
Reported by: Joshua Rogers of AISLE Research Team (https://aisle.com/)
ACPI is only supported on amd64, arm64 and i386. Don't install the
power_profile rc script or devd configuration on other platforms.
This avoids creating a useless FreeBSD-acpi package on those platforms.
MFC after: 2 weeks
Reviewed by: imp
Sponsored by: https://www.patreon.com/bsdivy
Differential Revision: https://reviews.freebsd.org/D56650
This makes it easier to downgrade kernel when it stops providing some
syscall required by libc. In this case, it is enough to downgrade libc
as well, our crt1 delegates all non-trivial work to
libc::__libc_start1(). With static init, the /sbin/init should be
downgraded as well, which might be not easy.
This does not mean that we support forward compatibility.
Reviewed by: imp, jilles, zlei
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D56536
Initialize nla_geneve_link structure to zero to prevent
segfault when a TLV is not received by the netlink parser.
Reported by: Seth Hoffert <seth.hoffert@gmail.com>
Fixes: 688e289ee9 ("ifconfig: Add support for geneve (netlink)")
The gpart manual says that sizes are specified in blocks, unless an SI
unit suffix is provided. This confuses new operators because GEOM uses
binary bytes, a large difference at modern storage pool sizes. Rewrite
suffixes in all GEOM manuals to consistently clarify this, matching what
we and the rest of the industry have been doing in other documentation.
While here, use non-breaking spaces between numbers and units, unless
they are already written with a hyphen.
MFC after: 3 days
Reviewed by: fuz
Reported by: bbaovanc <bbaovanc@bbaovanc.com>
Differential Revision: https://reviews.freebsd.org/D56534
The `pfctl -S` flag was added to disable DNS resolution in
<https://reviews.freebsd.org/D50724> but documentation and error
messages refer to a `pfctl -N` flag for the same purpose. The `pfctl -N`
flag performs an unrelated function, so the docs and error messages need
to be changed. Caught this when revising documentation for the `-N`
flag.
Reviewed by: kp
Signed-off-by: Ross Williams <ross@ross-williams.net>
`pfctl -A`, `-N`, `-O`, and `-R` restrict which rule types and options
are loaded. The man page language ("Load only...") does not make it
clear that these options can be combined to (re)load multiple rule types
and/or options without reloading the entire packet filter.
Add language to make it explicitly clear that these flags combine.
Reviewed by: kp
Signed-off-by: Ross Williams <ross@ross-williams.net>
ping6 needs IPV6_RECVPKTINFO and IPV6_RECVHOPLIMIT to process
incoming replies. When these options fail, replies are silently
dropped and ping6 appears to hang. Use err(3) instead of warn(3)
so the user gets a clear error and immediate exit.
Signed-off-by: Christos Longros <chris.longros@gmail.com>
Reviewed by: pouria, jlduran, glebius
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D56237
i messed up when we added support for names on these things. the
id and names are each supposed to be unique, which is checked by
putting the one limiter into an rb tree based on their id and another
based on their name. unfortunately i used the same RBT_ENTRY fields
for both trees, which meant using both trees on the same limiter
corrupted the topology, which goes badly when you want to use
multiple limiters.
found by, tested, and ok dgl@ (who is not me, this is not a typo)
ok jmatthew@
Obtained from: OpenBSD, dlg <dlg@openbsd.org>, f951d642cc
Sponsored by: Rubicon Communications, LLC ("Netgate")
geneve(4) is netlink-only, therefore, don't build it with
WITHOUT_NETLINK_SUPPORT=1 set.
Reported by: kp
Fixes: 688e289ee9 ("ifconfig: Add support for geneve (netlink)")
Differential Revision: https://reviews.freebsd.org/D55184
The -t option gives the user the ability to create a control device for
a given virtual_oss(8) instance, so that the instance's configuration
can be manipulated during runtime with virtual_oss_cmd(8). As is
expected, the control device's name is not known, since it is specified
by the user.
This patch introduces a virtual_oss_default_control_device rc variable,
which defaults to "vdsp.ctl". The goal of this is that third-party
programs and scripts can access the control device of the default
virtual_oss(8) configuration without guessing. This is especially useful
for sbin/devd/snd.conf which deals with hot-swapping sound devices using
virtual_oss(8).
Sponsored by: The FreeBSD Foundation
MFC after: 1 week
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D55670
Kirk McKusick