HardenedBSD-11-STABLE-v1100055.4 - https://github.com/HardenedBSD/hardenedBSD-stable/releases/tag/HardenedB...
Highlights:
- MFC r335072: Enable eager FPU context switch by default on amd64. (dee6710f89d54744c1d97a4088c547b6541dbb0e) [FreeBSD-SA-Candidate CVE-2018-3665)
- MFC r334038: Enable IBRS when entering an interrupt handler from usermode. (2de20d5b1b0faaf2c7dcb503515af88bfb5aae90) [FreeBSD-SA-Candidate]
- MFC r334004: Add Intel Spec Store Bypass Disable control. (425d57954121d3b228a3f7aa395e9bc8d2929214) [FreeBSD-SA-Candidate CVE-2018-3639]
- MFC syslog from master (667052415ebdbade0cd55a3c66b7902227a78760)
- MFC r334091: md5: perform compare case-insenstive (bc94720a7e512e88c6235155019d5f7c5972ab41)
- MFC: r333580 Fix a slow leak of session structures in the NFSv4.1 server. (4a4ab2a82843ba496b969eb11f32aeb2f09c2c63)
- MFC r333783: MFV r333779: xz 5.2.4. (e303059a606066e6076cca385aedac5958b17f34)
- MFC r334068 (phil): Import libxo-0.9.0 (3549c1ab7a2950f9e8cd373af83fa0a4c6fb8903)
- MFC Lock primitive updates (8b9af5c67de5a51974b9d4bc7570e0b9700c4fcb)
- MFC r334050, r334051: Flush caches before initiating a microcode update on Intel CPUs. (cb1c0651a46b4d36bf9eed4a3cdd986aad9c9936)
- MFC r333892: Fix PCID+PTI pmap operations on Xen/HVM. (a933e7a326f122cb0beb9fdc960f6ab327bf1908)
- MFC r333228 Implement support for ifuncs in the kernel linker on x86. (0166dfd0a87d24c0280d715e42d03d82610265ad)
- MFC r333404, r333405: Remove PG_U from the recursive pte for kernel pmap' PML4 page and from the rest of the kernel pmap ptes. (e27432718ce82962556986419ed12b9928d56690)
- MFC r332504: Set PG_G global mapping bit on the trampoline ptes. (8bba637677bb95dc889605a2dc7b9e5204d2a4a5)
- MFC r332450: Optimize context switch for PTI on PCID pmap. (3d88b710fd631da86a68457176c459133083e14f)
- pf updates
- nat64 updates
- linuxkpi updates
- sctp updates
- nfs updates
- dwatch updates
Installer images:
http://installer.hardenedbsd.org/pub/HardenedBSD/releases/amd64/amd64/IS...
CHECKSUM.SHA512:
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-bootonly.iso) = 55280d25a0da2254c92d9f1a1b9e8c2e6e88acfa17abcb55b363e64bc078f609f549c2670069e532197cd6808ecd81adfb3452ddc116bc6cc5247e7017078af3
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-disc1.iso) = c96086f53c42e3e72d401a9334ff5e258c73ad50190d51a6316c9a00ebb9f141458c0d3a569543ece99e446e5e98a3287faf37f1242d9185141a86fcae704646
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-memstick.img) = 5feb136a3477e9c8932f08742b7d9efaaa482835843311f285c233d6cfb9fdde07a75665333d78cdd2167a618edc31f9ba6fd2fc8147ea5f776adfdd49ba9f9d
SHA512 (HardenedBSD-11-STABLE-v1100055.4-amd64-mini-memstick.img) = 117364b3fbea0c4ad5db900f8f96bd85f47616132950735930117c3bce1e3cee9b284cd7773fcc18a94a42656f2ec87ff18ac3e933cf69aad0025d8f9a3ea972
CHECKSUM.SHA512.asc:
-----BEGIN PGP SIGNATURE-----
iQIyBAABCAAdFiEEu1M4jTvZiSgVy54wgZsRom/9GI0FAlsh0zkACgkQgZsRom/9
GI3tsQ/48+0KyrmFU9Ccw3gyklMh853LM1Y/eyCihQXlaCFk4o9W76Nzh67+mTF3
txjrCnJBBNJ2laG2EhgzQZnRgBT6Mbmr+VweyBzy4uLwW4Yihm8EIbaVV7hduFdg
jDV6EAKO1hiBD3QzA6cSgCD8E2AfP3uTLmQ6dKAtr0imz0UCB30bHrp7ISufprhg
qnHkritW5/pUw/xVfm2foll1JM5p4QOBPzid2IKYWfvFDdK5lUXJm54eYdAKHtdH
HzR1eetB3/HqyKs1edlMFUar/B8f5pZ7bwo1wWtaa9impJ74y6K8L9zyGH4xtZLF
Yla5wJiioq3QJIxg0USt0bqevH1qLhFHxDtehEbyJMXzq8NTrV+/rSHLj9IkEO+F
6j+OFOpnLiQin5Zvgj+Ks45sgKqCyZDpIvAx+q9M8nzClGXAwpda3U7viEXAkphZ
BT0OZBO3jh+ZsFBm33zR+cH4Yk14HuQ8E9Jd/fObTnnt5+VSxNf0w624qJgiqX7r
h6e3waF2q5EpRzMazmzzzjqFJnf3LzjXcB3bYvqTH8XIsXccHlWTxkgYwNk5Uwvn
EVgTa5G+Hae5zc2u7Mv7J1mszqQOjeiW7AuZYY8zlycZXdqGG/NbHGSZ+evnuF52
8LqhVk9iG+V8c89OrOJjxWBscxWmb5pri0iDO1C+AoFeyeioAQ==
=blBu
-----END PGP SIGNATURE-----
Changelog:
Oliver Pinter + (60):
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
- Merge branch 'freebsd/11-stable/master' into hardened/11-stable/master
ae (9):
- MFC r333244: Immediately propagate EACCES error code to application from tcp_output.
- MFC r333458: Fix the printing of rule comments.
- MFC r333497: Apply the change from r272770 to if_ipsec(4) interface.
- MFC r333986: Remove check for matching the rulenum, ruleid and rule pointer from dyn_lookup_ipv[46]_state_locked(). These checks are remnants of not ready to be committed code, and they are there by accident. Due to the race these checks can lead to creating of duplicate states when concurrent threads in the same time will try to add state for two packets of the same flow, but in reverse directions and matched by different parent rules.
- MFC r333400: Add IFCAP_LINKSTATE support to if_loop(4).
- MFC r333403: Bring in some last changes in NAT64 implementation:
- MFC r334324: Remove empty encap_init() function.
- MFC r334707: Use m_copyback() function to write delayed checksum when it isn't located in the first mbuf of the chain.
- MFC r334875: Explicitly change the link state when we assingn an address.
brooks (1):
- MFC r334176:
cy (1):
- MFC r333392-r333393, r333427
davidcs (1):
- MFC r333003 Upgraded FW Related Files to version 5.4.67
delphij (3):
- MFC r332905:
- MFC r333098:
- MFC r333783: MFV r333779: xz 5.2.4.
dim (5):
- MFC r333715:
- MFC r334432:
- MFC r334445:
- Fix build of si with base gcc on i386
- MFC r334886:
dteske (3):
- MFC SVN r329188,329334,329353,329914,329995-329996: DTrace Enhancements
- MFC SVN r334261-334262,334359: dwatch(1) touch-ups
- MFC r334594: dwatch(1): Update manual to reference actual release
eadler (3):
- MFC r332399:
- indent(1) in stable/11 is known to be incomplete or incorrect in some ways. Since the code is not planned for MFC, just remove the failing tests.
- MFC r334091:
ed (1):
- MFC r309925, r309931, r309933, r310035, r310278, r310310, r310311, r310323, r310349, r310350, r310351, r310352, r310383, r310384, r310385, r310386, r310393, r310453, r310456, r310494, r310504, r310528, r310890, r310893, r310974, r311918, r312921, r313357, r314563, r314585, r314642, r315322, r315618, r315620, r315622, r315643, r316951, r316973, r326338, r326339, r326573, r331270, r332099, r332110, r332111, r332118, r332165, r332510 and r332511.
emaste (2):
- MFC r332446: switch i386 memstick installer images to MBR
- MFC r332966: Add deprecation notice for lmc(4)
gjb (39):
- Rename stable/11 from PRERELEASE to BETA1 as part of the 11.2-RELEASE cycle.
- Create a sun7i-a20-bananapi.dtb hard link to bananapi.dtb to fix a boot failure on the Banana Pi SoC.
- MFC r333473: Add a special GCE_LICENSE variable to Makefile.gce, which when set, will include license metadata in the resultant GCE image.
- Document r331465, BSD-licensed diff(1) imported from OpenBSD.
- Document r328495, dtc(1) update from upstream.
- Document r328139, du(1) '--si' option.
- Document r324124, getconf(1) '-a' flag addition.
- Document r322525, rgrep(1) hard link addition.
- Document r322555, various bsdgrep(1) pattern matching fixes.
- Bump copyright year.
- Document r327837, lint(1) is no longer built and installed by default.
- Document r322509, top(1) enhancement to filter on multiple user names.
- Document r328138, indent(1) supports the SIMPLE_BACKUP_SUFFIX environment variable also used by patch(1).
- Document r332947, etdump(1) utility addition.
- Document r333006, amd64 hybrid ISO images.
- Document r322753, mount(8) 'autoro' option addition.
- Document r332460, makefs(8) default block and fragment sizes synced with newfs(8).
- Document r332929, pwd_mkdb(8) deprecation notice when legacy (-l) mode is used.
- Document r333312, tzdata version 2018e.
- MFC r333079 (imp): No need to make objects here.
- Document r331882, cm(4) and fpa(4) deprecation in FreeBSD 12.
- Document r332519, various GEOM classes deprecation in FreeBSD 12.
- Document r333171, ixgb(4) deprecation in FreeBSD 12.
- Document r333367, nxge(4) deprecation in FreeBSD 12.
- Document r333412, lmc(4) deprecation in FreeBSD 12.
- Document r333738, vxge(4) deprecation in FreeBSD 12.
- Further expand on the description of r333006, noting the ISO images can now be used to write to a memory stick, as well as a CD.
- Document r333410, i386 memory stick installer images now use MBR.
- Update stable/11 to BETA2 as part of the 11.2-RELEASE cycle.
- Revert r333774, which renames stable/11 from BETA1 to BETA2 in order to address an issue what was discovered with the BETA2 builds.
- MFC r315733, r315737, r315740, r330054:
- Update stable/11 to BETA2 as part of the 11.2-RELEASE cycle.
- Update stable/11 to BETA3 as part of the 11.2-RELEASE cycle.
- MFC r334310, r334337:
- MFC r334068 (phil): Import libxo-0.9.0: - Add xo_format_is_numeric() with improved logic to decide if format strings are numeric, so json output quotes them - Convert docs to sphinx/rst - update tests
- Rename stable/11 back to -PRERELEASE for the duration of the 11.2-RELEASE cycle, now that releng/11.2 had branched.
- Fix __FreeBSD_version on stable/11, following r334460.
- Revert r333474 in stable/11, which switches the default pkg repository from latest to quarterly, now that releng/11.2 had branched.
- MFC r333374: Use vYYYYMMDD in the timestamp suffix for Google Compute Engine snapshot images for consistency with other OSes.
gonzo (2):
- MFC r332317, r332439, r332442
- MFC r331906:
hselasky (14):
- MFC r333362: Fix for missing network interface address event when adding the default IPv6 based link-local address.
- MFC r333623: Add support for setting type of service, TOS, for outgoing RDMA connections in the krping kernel test utility.
- MFC r334158: Add function to wait for USB ethernet attach to complete.
- MFC r334280: Allow TASK_PARKED bit being set when going to sleep in the LinuxKPI.
- MFC r334281: Implement wait_event_killable() in the LinuxKPI.
- MFC r334283: The schedule_timeout_killable() function should listen for signals in the LinuxKPI.
- MFC r334320 and r334328:
- MFC r334422: Correct argument for evdev_push_rel().
- MFC r334423: Implement idr_is_empty() in the LinuxKPI and make idr_remove() API compatible with upstream Linux by returning the pointer to the removed element.
- MFC r334425: Implement bitmap_complement() in the LinuxKPI.
- MFC r334426: Define __initconst in the LinuxKPI.
- MFC r334427: Correct macroname in the LinuxKPI.
- MFC r334428: Implement support for the kvmalloc_array() function in the LinuxKPI.
- MFC r334429: Implement support for the PCI_BUS_NUM() function macro in the LinuxKPI.
ian (1):
- MFC r334656, r334665, r334695
imp (1):
- MFC r333436: only launch getty if underlying device exists
jhb (2):
- MFC 332891,332892: Fixes for atomic_*cmpset() on arm.
- MFC 333606: Make the common interrupt entry point labels local labels.
jtl (1):
- r285910 attempted to make shutdown() be POSIX compliant by returning ENOTCONN when shutdown() is called on unconnected sockets. This change was slightly modified by r316874, which returns ENOTCONN in the case of an unconnected datagram socket, but still runs the shutdown code for the socket. This specifically supports the case where the user-space code is using the shutdown() call to wakeup another thread blocked on the socket.
ken (1):
- MFC r333492: ------------------------------------------------------------------------ r333492 | ken | 2018-05-11 08:50:26 -0600 (Fri, 11 May 2018) | 10 lines
kib (24):
- MFC r333182: mlx5en: Always allow VLAN id 0.
- MFC r332450: Optimize context switch for PTI on PCID pmap.
- MFC r332504: Set PG_G global mapping bit on the trampoline ptes.
- MFC r333460: Add the test program to examine CPU behaviour for pop ss issue CVE-2018-8897.
- Handle the difference between HEAD and stable/11 tests build. This is a direct commit to stable/11.
- MFC r333504: Remove dead declaration.
- MFC r333521: PROC_PDEATHSIG_CTL will appear first in 11.2.
- MFC r333404, r333405: Remove PG_U from the recursive pte for kernel pmap' PML4 page and from the rest of the kernel pmap ptes.
- MFC r333228 Implement support for ifuncs in the kernel linker on x86.
- MFC r333229: Add helper macros to hide some boring repeatable ceremonies to define ifuncs on x86.
- MFC r333534: Add a test for vm86(2).
- MFC r333896: Style.
- MFC r333891: Fix IBRS handling around MWAIT.
- MFC r333892: Fix PCID+PTI pmap operations on Xen/HVM.
- MFC r334003: Preserve other bits in IA32_SPEC_CTL MSR when changing the IBRS and STIBP states.
- MFC r334004: Add definition for Intel Speculative Store Bypass Disable MSR bits.
- MFC r334004: Add Intel Spec Store Bypass Disable control.
- MFC r334064: Fix UP build.
- MFC r334111: Note that PT_SETSTEP is auto-cleared.
- MFC r333990, r333992: Add missed barrier for pm_gen/pm_active interaction.
- MFC r334038: Enable IBRS when entering an interrupt handler from usermode.
- MFC r333577: Add implementations for clog(3), clogf(3), and clogl(3).
- MFC r334031: Implement printf(3) family %m format string extension.
- MFC r335072: Enable eager FPU context switch by default on amd64.
kp (1):
- MFC r334726:
manu (1):
- MFC r333737:
marius (7):
- MFC: r333613
- MFC: r333614
- MFC: r333600 (phil)
- MFC: r333955
- MFC: r327364, r334293
- Akin r302691 in head, synchronize the build stripping for the disc1 image with that of the bootonly image (but similarly modulo games and groff(1)) as the amd64 disc1 image is overflowing. This also removes the redundant MK_LLDB.
- MFC: r334443 (by cem@)
markj (9):
- MFC r334050, r334051: Flush caches before initiating a microcode update on Intel CPUs.
- MFC r333278, r333279: Avoid dropping the topology lock in gmirror's dumpconf implementation.
- MFC r334100: Document the return value of sbuf_bcat(9).
- MFC r333570: DTrace aarch64: Avoid calling unwind_frame() in the probe context.
- MFC r319792: Override the locale so that file lists get a consistent sort order.
- MFC r334389: Typo.
- MFC r334101: Add GET_STACK_USAGE() for arm64.
- MFC r334504: Remove an inaccuracy from mincore.2.
- MFC r334505: Don't export _end on arm64 and riscv.
mav (1):
- MFC r333158: Clean enclosure_table when resetting num_enc_table_entries to zero.
mjg (1):
- MFC r329276,r329451,r330294,r330414,r330415,r330418,r331109,r332394,r332398, r333831:
np (2):
- MFC r331340, r331342, r331472, r332050, r333276, r333448:
- MFC r333650, r333652, r333682, r334406, r334409-r334410, and r334489.
pfg (2):
- MFC r333239: msdosfs: long names of files are created incorrectly.
- MFC r333311: msdosfs: use vfs_timestamp() to generate timestamps instead of getnanotime().
ram (2):
- MFC r333099: Included opt_stack.h in Makefile, to fix module build outside kernel build environment.
- Issue: Utility hangs when OCS_IOCTL_CMD_MGMT_GET_ALL called in parallel on port 0 and port 1.
rmacklem (4):
- MFC: r333592 Fix the eir_server_scope reply argument for NFSv4.1 ExchangeID.
- MFC: r334252 Fix the sleep event for layout recall.
- MFC: r334396 Strengthen locking for the NFSv4.1 server DestroySession operation.
- MFC: r333580 Fix a slow leak of session structures in the NFSv4.1 server.
royger (1):
- MFC r334027: xen-blkback: do not use state 3
sbruno (6):
- MFC r333019 r333046 r333085 r333086 r333132
- MFC r303848
- MFC r333499
- MFC r323829 cam iosched: Add a handler for the quanta sysctl to enforce valid values
- Activate Wake On Lan features for Ice Lake and Cannon Lake devices.
- r334229 mismerged and broke kernel options CAM_IOSCHED_DYNAMIC.
shurd (2):
- MFC r333329, r333366, r333373
- MFC: r333792
trasz (1):
- MFC r333493:
tuexen (10):
- MFC r333186:
- MFC r333382:
- MFC r333176:
- MFC r333178:
- MFC r333304:
- MFC r333603:
- MFC r334494:
- MFC r334497:
- MFC r334532:
- MFC r334725:
