src/sys/net, branch stable/14 FreeBSD source tree routing: Fix use-after-free in finalize_nhop 2026-04-17T06:44:34+00:00 Pouria Mousavizadeh Tehrani pouria@FreeBSD.org 2026-04-14T09:36:53+00:00 67a7c5f70986a24a8374146e6bcce2005e767b6d FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read `nh->nh_priv->nh_upper_family` for failure logging. Call FIB_NH_LOG before freeing nh so failures are logged without causing a panic. MFC after: 3 days (cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0) 
FIB_NH_LOG calls the `nhop_get_upper_family(nh)` to read
`nh->nh_priv->nh_upper_family` for failure logging.
Call FIB_NH_LOG before freeing nh so failures are logged
without causing a panic.

MFC after: 3 days

(cherry picked from commit 7d38eb720a8d8345949986d779e785984ae19ae0)
if_tuntap: make SIOCIFDESTROY interruptible 2026-04-12T13:43:37+00:00 Kyle Evans kevans@FreeBSD.org 2025-08-21T14:21:41+00:00 fd67a7587c1a187cc162cf02ece94f4142874f35 There's no good justification to permanently hang a thread until the tunnel can be destroyed. Make it interruptible so that the admin can ^C it and remedy the situation if something erroneously has the tunnel open, rather than forcing them to open another shell to resolve it. Reviewed by: markj (cherry picked from commit 274bf7c8ae7e7b51853cd541481985f0e687f10e) 
There's no good justification to permanently hang a thread until the
tunnel can be destroyed.  Make it interruptible so that the admin can
^C it and remedy the situation if something erroneously has the tunnel
open, rather than forcing them to open another shell to resolve it.

Reviewed by:	markj

(cherry picked from commit 274bf7c8ae7e7b51853cd541481985f0e687f10e)
libpcap: Update to 1.10.6 2026-04-08T19:09:25+00:00 Joseph Mingrone jrm@FreeBSD.org 2026-03-15T01:42:55+00:00 09db15067248b297bf2d419fa77a3b2e39184a64 Changes: https://raw.githubusercontent.com/the-tcpdump-group/libpcap/89e982c37c36ad0bf9f10b7ded421cb42422effa/CHANGES Reviewed by: bms, emaste Obtained from: https://www.tcpdump.org/release/libpcap-1.10.6.tar.gz Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D55545 Differential Revision: https://reviews.freebsd.org/D55858 (cherry picked from commit 16cef5f7a65588def71db4fdfa961f959847e3b6) 
Changes:	https://raw.githubusercontent.com/the-tcpdump-group/libpcap/89e982c37c36ad0bf9f10b7ded421cb42422effa/CHANGES
Reviewed by:	bms, emaste
Obtained from:	https://www.tcpdump.org/release/libpcap-1.10.6.tar.gz
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D55545
Differential Revision:	https://reviews.freebsd.org/D55858

(cherry picked from commit 16cef5f7a65588def71db4fdfa961f959847e3b6)
if_types: Fix a typo in a source code comment 2026-03-30T11:27:14+00:00 Gordon Bergling gbe@FreeBSD.org 2026-03-27T06:57:49+00:00 71ca167e36915865d1bdbb672652491a6934b1cc - s/Circiut/Circuit/ Obtained from: OpenBSD (cherry picked from commit 8bc31c88d65ad99cd510fbe511958799d3531477) 
- s/Circiut/Circuit/

Obtained from:	OpenBSD

(cherry picked from commit 8bc31c88d65ad99cd510fbe511958799d3531477)
ifnet: Fix decreasing the vnet interface count 2026-03-20T10:02:19+00:00 Zhenlei Huang zlei@FreeBSD.org 2026-03-16T16:20:08+00:00 47339e4a9209c1d1323f58d792e277792990e060 It should be decreased only when the interface has been successfully removed from the "active" list. This prevents vnet_if_return() from potential OOB writes to the allocated memory "pending". Reviewed by: kp, pouria Fixes: a779388f8bb3 if: Protect V_ifnet in vnet_if_return() MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D55873 (cherry picked from commit 8065ff63c0e5c3bb4abb02f55b20cb47bb51d1a7) (cherry picked from commit 1b7687f053afcf251ee7643ee5a4f22a225f4a02) 
It should be decreased only when the interface has been successfully
removed from the "active" list.

This prevents vnet_if_return() from potential OOB writes to the
allocated memory "pending".

Reviewed by:	kp, pouria
Fixes:		a779388f8bb3 if: Protect V_ifnet in vnet_if_return()
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D55873

(cherry picked from commit 8065ff63c0e5c3bb4abb02f55b20cb47bb51d1a7)
(cherry picked from commit 1b7687f053afcf251ee7643ee5a4f22a225f4a02)
vnet: Ensure the space allocated by vnet_data_alloc() is sufficent aligned 2026-03-05T11:04:20+00:00 Zhenlei Huang zlei@FreeBSD.org 2026-02-28T11:35:42+00:00 baee504b868b9417c815c0de6474a0d6e5d6b4ac Some 32-bit architectures, e.g., armv7, require strict 8-byte alignment while doing atomic 64-bit access. Hence aligning to the pointer type (4-byte alignment) does not meet the requirement on those architectures. Make the space allocated by vnet_data_alloc() sufficent aligned to avoid unaligned access. PR: 265639 Diagnosed by: markj Reviewed by: jhb, markj Co-authored-by: jhb MFC after: 5 days Differential Revision: https://reviews.freebsd.org/D55560 (cherry picked from commit 32beb3ae71cb320dbe4190a01c036943d99083b3) (cherry picked from commit 973d607b284ba68e63f0386af44c28bfde15add2) 
Some 32-bit architectures, e.g., armv7, require strict 8-byte
alignment while doing atomic 64-bit access. Hence aligning to the
pointer type (4-byte alignment) does not meet the requirement on
those architectures.

Make the space allocated by vnet_data_alloc() sufficent aligned to
avoid unaligned access.

PR:		265639
Diagnosed by:	markj
Reviewed by:	jhb, markj
Co-authored-by:	jhb
MFC after:	5 days
Differential Revision:	https://reviews.freebsd.org/D55560

(cherry picked from commit 32beb3ae71cb320dbe4190a01c036943d99083b3)
(cherry picked from commit 973d607b284ba68e63f0386af44c28bfde15add2)
rtsock: Fix stack overflow 2026-02-24T16:00:52+00:00 Mark Johnston markj@FreeBSD.org 2026-02-23T15:52:50+00:00 1eb2beb3686c50a870ed7688f753f89dd0f0ab3e Approved by: so Security: FreeBSD-SA-26:05.route Security: CVE-2026-3038 Fixes: 92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes") (cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2) 
Approved by:	so
Security:	FreeBSD-SA-26:05.route
Security:	CVE-2026-3038
Fixes:		92be2847e845 ("rtsock: Avoid copying uninitialized padding bytes")

(cherry picked from commit f3be7df50f01d9a6ead9f27b55bb4dfd7dc4f9d2)
sys/net/sff8436.h: Fix the register address of link length of copper or active cable 2026-01-31T18:25:08+00:00 Kirill Kochnev sabashlive@gmail.com 2025-11-06T18:22:30+00:00 58cf2a2840532208ab1442fc421ca6c985274c2c The register address of link length of copper or active cable is 146 as per the SFF-8436 specification [1]. [1] 7.6.2 Upper Memory Map Page 00h SFF-8436 Specification (pdf): https://members.snia.org/document/dl/25896 Reviewed by: imp, zlei MFC after: 1 week Pull Request: https://github.com/freebsd/freebsd-src/pull/1885 Closes: https://github.com/freebsd/freebsd-src/pull/1885 (cherry picked from commit a537694b49f719d84e3a69a2b8a3098f603da7d7) (cherry picked from commit fdd23fc3d0aacd1c80d0565d736591521b2421fc) 
The register address of link length of copper or active cable is 146 as
per the SFF-8436 specification [1].

[1] 7.6.2 Upper Memory Map Page 00h SFF-8436 Specification (pdf): https://members.snia.org/document/dl/25896

Reviewed by:	imp, zlei
MFC after:	1 week
Pull Request:	https://github.com/freebsd/freebsd-src/pull/1885
Closes:		https://github.com/freebsd/freebsd-src/pull/1885

(cherry picked from commit a537694b49f719d84e3a69a2b8a3098f603da7d7)
(cherry picked from commit fdd23fc3d0aacd1c80d0565d736591521b2421fc)
net: Use proper prototype for SYSINIT functions 2026-01-31T18:25:03+00:00 Zhenlei Huang zlei@FreeBSD.org 2025-10-13T10:12:32+00:00 ea3567e3bf79a859418b8127db8707a6e8c6130c MFC after: 1 week (cherry picked from commit 6f8259eae61981d7e5d049be7eed9235f0e8172e) (cherry picked from commit fa80382b99f934ab46b9365d1081c6425ed58026) 
MFC after:	1 week

(cherry picked from commit 6f8259eae61981d7e5d049be7eed9235f0e8172e)
(cherry picked from commit fa80382b99f934ab46b9365d1081c6425ed58026)
if_ovpn: add interface counters 2026-01-28T09:09:07+00:00 Kristof Provost kp@FreeBSD.org 2026-01-15T14:15:12+00:00 03094f3700be5c339443fc6372c5e0be9e4ff908 Count input/output packets and bytes on the interface as well, not just in openvpn-specific counters. PR: 292464 MFC after: 2 weeks Sponsored by: Rubicon Communications, LLC ("Netgate") (cherry picked from commit 21d666a19331f31fb6dfa1e370de5a84a1a5cb46) 
Count input/output packets and bytes on the interface as well, not just
in openvpn-specific counters.

PR:		292464
MFC after:	2 weeks
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 21d666a19331f31fb6dfa1e370de5a84a1a5cb46)