<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/sys/dev, branch releng/12.2</title>
<subtitle>FreeBSD source tree</subtitle>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/'/>
<entry>
<title>vt: bound buffer access in redraw optimization</title>
<updated>2022-01-10T18:04:06+00:00</updated>
<author>
<name>Ed Maste</name>
<email>emaste@FreeBSD.org</email>
</author>
<published>2021-09-22T18:41:00+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=9c9d0d90512f0e5950b179d1a07f717ad7c8fe28'/>
<id>9c9d0d90512f0e5950b179d1a07f717ad7c8fe28</id>
<content type='text'>
PR:		248628
Reported by:	oleg
Reviewed by:	cem, oleg (both earlier)
Fixes:		ee97b2336aa4 ("Speed up vt(4) by keeping...")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32059

(cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84)
(cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7)

Approved by:	so
Security:	FreeBSD-SA-22:01.vt
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
PR:		248628
Reported by:	oleg
Reviewed by:	cem, oleg (both earlier)
Fixes:		ee97b2336aa4 ("Speed up vt(4) by keeping...")
MFC after:	3 days
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D32059

(cherry picked from commit dbc7ca59451561a179f9852642e13ef024169d84)
(cherry picked from commit e4fcff8ee124f8faed2f1fcc1e15b7ae6906d4d7)

Approved by:	so
Security:	FreeBSD-SA-22:01.vt
</pre>
</div>
</content>
</entry>
<entry>
<title>Hyper-V: vPCI: Prepopulate device bars</title>
<updated>2022-01-10T18:04:06+00:00</updated>
<author>
<name>Wei Hu</name>
<email>whu@FreeBSD.org</email>
</author>
<published>2021-11-27T06:42:34+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f1b8efb1b4ffc2182385d3f5cc26c37a4ad59026'/>
<id>f1b8efb1b4ffc2182385d3f5cc26c37a4ad59026</id>
<content type='text'>
In recent Hyper-V releases on Windows Server 2022, vPCI code does not
initialize the last 4 bits of device bar registers. This behavior change
could result in weird problems causing PCI code failure when configuring
bars.

Just write all 1's to those bars whose probed values are not the same
as current read ones. This seems to make Hyper-V vPCI and
pci_write_bar() cooperate correctly on these releases.

Reported by:	khng@freebsd.org
Tested by:	khng@freebsd.org
MFC after:	2 weeks
Sponsored by:	Microsoft

(cherry picked from commit 75412a521f60d4b0393c730ffb284e7c6ff9d2de)
(cherry picked from commit eabea1c700ad8eacb8dc780d8620b59ce72b2cf2)

Approved by:	so
Errata:		FreeBSD-EN-22:03.hyperv
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In recent Hyper-V releases on Windows Server 2022, vPCI code does not
initialize the last 4 bits of device bar registers. This behavior change
could result in weird problems causing PCI code failure when configuring
bars.

Just write all 1's to those bars whose probed values are not the same
as current read ones. This seems to make Hyper-V vPCI and
pci_write_bar() cooperate correctly on these releases.

Reported by:	khng@freebsd.org
Tested by:	khng@freebsd.org
MFC after:	2 weeks
Sponsored by:	Microsoft

(cherry picked from commit 75412a521f60d4b0393c730ffb284e7c6ff9d2de)
(cherry picked from commit eabea1c700ad8eacb8dc780d8620b59ce72b2cf2)

Approved by:	so
Errata:		FreeBSD-EN-22:03.hyperv
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix kernel panic in vmci driver initialization.</title>
<updated>2021-11-03T20:43:03+00:00</updated>
<author>
<name>Gordon Tetlow</name>
<email>gordon@FreeBSD.org</email>
</author>
<published>2021-11-03T20:43:03+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=b13a6827931f159ab616c5395bed207059347284'/>
<id>b13a6827931f159ab616c5395bed207059347284</id>
<content type='text'>
Approved by:	so
Security:	EN-21:28.vmci
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Approved by:	so
Security:	EN-21:28.vmci
</pre>
</div>
</content>
</entry>
<entry>
<title>pms(4): Do not return CAM_REQ_CMP on errors.</title>
<updated>2021-05-26T19:37:18+00:00</updated>
<author>
<name>Alexander Motin</name>
<email>mav@FreeBSD.org</email>
</author>
<published>2021-04-16T19:16:09+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=bf30c74e5a2a3be431f16961c5ac1c9340e8e045'/>
<id>bf30c74e5a2a3be431f16961c5ac1c9340e8e045</id>
<content type='text'>
It is a direct request for data corruptions, one report of which we
have received.  I am very surprised that only one.

Approved by:	so
Security:	EN-21:14.pms
MFC after:	1 week
Sponsored by:	iXsystems, Inc.

(cherry picked from commit 8434a65ce49bd6bc6779f0e57b0ce0f4bc46f48e)
(cherry picked from commit 320fd259c69ef16e9b8d64424f66eeed8ddc3c77)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It is a direct request for data corruptions, one report of which we
have received.  I am very surprised that only one.

Approved by:	so
Security:	EN-21:14.pms
MFC after:	1 week
Sponsored by:	iXsystems, Inc.

(cherry picked from commit 8434a65ce49bd6bc6779f0e57b0ce0f4bc46f48e)
(cherry picked from commit 320fd259c69ef16e9b8d64424f66eeed8ddc3c77)
</pre>
</div>
</content>
</entry>
<entry>
<title>xen-blkback: fix leak of grant maps on ring setup failure</title>
<updated>2021-02-24T01:42:01+00:00</updated>
<author>
<name>Roger Pau Monné</name>
<email>royger@FreeBSD.org</email>
</author>
<published>2021-01-20T18:40:51+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=602f1da04217967e7627be3fe19a56098ad29b6f'/>
<id>602f1da04217967e7627be3fe19a56098ad29b6f</id>
<content type='text'>
Multi page rings are mapped using a single hypercall that gets passed
an array of grants to map. One of the grants in the array failing to
map would lead to the failure of the whole ring setup operation, but
there was no cleanup of the rest of the grant maps in the array that
could have likely been created as a result of the hypercall.

Add proper cleanup on the failure path during ring setup to unmap any
grants that could have been created.

This is part of XSA-361.

Approved by:	so
Security:	CVE-2021-26932
Security:	FreeBSD-SA-21:06.xen
Security:	XSA-361
Sponsored by:	Citrix Systems R&amp;D

(cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45)
(cherry picked from commit dfb372f5d38c302953a6a4e2838179cd0a1a6438)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Multi page rings are mapped using a single hypercall that gets passed
an array of grants to map. One of the grants in the array failing to
map would lead to the failure of the whole ring setup operation, but
there was no cleanup of the rest of the grant maps in the array that
could have likely been created as a result of the hypercall.

Add proper cleanup on the failure path during ring setup to unmap any
grants that could have been created.

This is part of XSA-361.

Approved by:	so
Security:	CVE-2021-26932
Security:	FreeBSD-SA-21:06.xen
Security:	XSA-361
Sponsored by:	Citrix Systems R&amp;D

(cherry picked from commit 808d4aad1022a2a33d222663b0c9badde30b9d45)
(cherry picked from commit dfb372f5d38c302953a6a4e2838179cd0a1a6438)
</pre>
</div>
</content>
</entry>
<entry>
<title>xen: allow limiting the amount of duplicated pending xenstore watches</title>
<updated>2021-01-29T01:15:45+00:00</updated>
<author>
<name>Roger Pau Monné</name>
<email>royger@FreeBSD.org</email>
</author>
<published>2020-11-25T11:34:38+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=0b9b9a15c24142efcd675b454843991856af1c97'/>
<id>0b9b9a15c24142efcd675b454843991856af1c97</id>
<content type='text'>
Xenstore watches received are queued in a list and processed in a
deferred thread. Such queuing was done without any checking, so a
guest could potentially trigger a resource starvation against the
FreeBSD kernel if such kernel is watching any user-controlled xenstore
path.

Allow limiting the amount of pending events a watch can accumulate
to prevent a remote guest from triggering this resource starvation
issue.

For the PV device backends and frontends this limitation is only
applied to the other end /state node, which is limited to 1 pending
event, the rest of the watched paths can still have unlimited pending
watches because they are either local or controlled by a privileged
domain.

The xenstore user-space device gets special treatment as it's not
possible for the kernel to know whether the paths being watched by
user-space processes are controlled by a guest domain. For this reason
watches set by the xenstore user-space device are limited to 1000
pending events. Note this can be modified using the
max_pending_watch_events sysctl of the device.

This is XSA-349.

Sponsored by:	Citrix Systems R&amp;D
MFC after:	3 days

(cherry picked from commit 4e4e43dc9e1afc863670a031cc5cc75eb5e668d6)
(cherry picked from commit 2d194dc219892049dd03564c4083080cac1aa688)

Approved by:	so
Security:	XSA-349, CVE-2020-29568
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Xenstore watches received are queued in a list and processed in a
deferred thread. Such queuing was done without any checking, so a
guest could potentially trigger a resource starvation against the
FreeBSD kernel if such kernel is watching any user-controlled xenstore
path.

Allow limiting the amount of pending events a watch can accumulate
to prevent a remote guest from triggering this resource starvation
issue.

For the PV device backends and frontends this limitation is only
applied to the other end /state node, which is limited to 1 pending
event, the rest of the watched paths can still have unlimited pending
watches because they are either local or controlled by a privileged
domain.

The xenstore user-space device gets special treatment as it's not
possible for the kernel to know whether the paths being watched by
user-space processes are controlled by a guest domain. For this reason
watches set by the xenstore user-space device are limited to 1000
pending events. Note this can be modified using the
max_pending_watch_events sysctl of the device.

This is XSA-349.

Sponsored by:	Citrix Systems R&amp;D
MFC after:	3 days

(cherry picked from commit 4e4e43dc9e1afc863670a031cc5cc75eb5e668d6)
(cherry picked from commit 2d194dc219892049dd03564c4083080cac1aa688)

Approved by:	so
Security:	XSA-349, CVE-2020-29568
</pre>
</div>
</content>
</entry>
<entry>
<title>MFS r365964:</title>
<updated>2020-10-14T06:25:55+00:00</updated>
<author>
<name>Ganael LAPLANCHE</name>
<email>martymac@FreeBSD.org</email>
</author>
<published>2020-10-14T06:25:55+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=5a0826ac57e37ec226ec61c1bfa9d74a28165c89'/>
<id>5a0826ac57e37ec226ec61c1bfa9d74a28165c89</id>
<content type='text'>
Allow slow USB devices to be given more time to return their USB descriptors,
like Logitech HD Pro Webcam C920.

PR:		248926
Approved by:	re (gjb), hselasky
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Allow slow USB devices to be given more time to return their USB descriptors,
like Logitech HD Pro Webcam C920.

PR:		248926
Approved by:	re (gjb), hselasky
</pre>
</div>
</content>
</entry>
<entry>
<title>MFS r366438:</title>
<updated>2020-10-05T16:39:38+00:00</updated>
<author>
<name>Navdeep Parhar</name>
<email>np@FreeBSD.org</email>
</author>
<published>2020-10-05T16:39:38+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=f4d391bd542adf0d4c21248d88c2b1e439955e40'/>
<id>f4d391bd542adf0d4c21248d88c2b1e439955e40</id>
<content type='text'>
cxgbe(4): set up the firmware flowc for the tid before send_abort_rpl.

Approved by:	re@ (gjb@)
Sponsored by:	Chelsio Communications
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
cxgbe(4): set up the firmware flowc for the tid before send_abort_rpl.

Approved by:	re@ (gjb@)
Sponsored by:	Chelsio Communications
</pre>
</div>
</content>
</entry>
<entry>
<title>MFS r366179: Make nvmecontrol work with nda like it does with nvd, and</title>
<updated>2020-09-28T00:53:45+00:00</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2020-09-28T00:53:45+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=88afe3774d72804d7cb88f554ba3b5cda371b2ee'/>
<id>88afe3774d72804d7cb88f554ba3b5cda371b2ee</id>
<content type='text'>
associated bits.

Approved by:	re (delphij)
Sponsored by:	https://www.patreon.com/cperciva
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
associated bits.

Approved by:	re (delphij)
Sponsored by:	https://www.patreon.com/cperciva
</pre>
</div>
</content>
</entry>
<entry>
<title>MFS r365983</title>
<updated>2020-09-23T23:56:49+00:00</updated>
<author>
<name>Eric Joyner</name>
<email>erj@FreeBSD.org</email>
</author>
<published>2020-09-23T23:56:49+00:00</published>
<link rel='alternate' type='text/html' href='http://cgit.freebsd.org/src/commit/?id=97f844cd60ddb0b56fa4ed0977620fd0cd7e15b0'/>
<id>97f844cd60ddb0b56fa4ed0977620fd0cd7e15b0</id>
<content type='text'>
Contains fixes for issues in em(4)/igb(4):
- Fix define and includes with RSS option enabled
- Properly retain promisc flag in init

PR:		249191, 248869
Approved by:	re (gjb@)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Contains fixes for issues in em(4)/igb(4):
- Fix define and includes with RSS option enabled
- Properly retain promisc flag in init

PR:		249191, 248869
Approved by:	re (gjb@)
</pre>
</div>
</content>
</entry>
</feed>
