Diffstat (limited to 'website/content/en/releases/15.0R/relnotes.adoc')
| -rw-r--r-- | website/content/en/releases/15.0R/relnotes.adoc | 390 |
1 files changed, 291 insertions, 99 deletions
diff --git a/website/content/en/releases/15.0R/relnotes.adoc b/website/content/en/releases/15.0R/relnotes.adoc index 0394b651f9..0ec00bdadb 100644 --- a/website/content/en/releases/15.0R/relnotes.adoc +++ b/website/content/en/releases/15.0R/relnotes.adoc @@ -199,6 +199,18 @@ This section lists the various Security Advisories and Errata Notices since {rel |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc[FreeBSD-SA-25:07.libarchive] |08 August 2025 |Integer overflow in libarchive leading to double free + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc[FreeBSD-SA-25:08.openssl] +|30 September 2025 +|Multiple vulnerabilities in OpenSSL + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc[FreeBSD-SA-25:09.netinet] +|22 October 2025 +|`SO_REUSEPORT_LB` breaks man:connect[2] for UDP sockets + +|https://www.freebsd.org/security/advisories/FreeBSD-SA-25:10.unbound.asc[FreeBSD-SA-25:10.unbound] +|26 November 2025 +|Cache poison in local-unbound service |=== [[errata]] @@ -353,7 +365,7 @@ This section lists the various Security Advisories and Errata Notices since {rel |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:11.ena.asc[FreeBSD-EN-25:11:ena] |02 July 2025 -|ena resets and kernel panic on Nitro v4 or newer instances +|`ena` resets and kernel panic on Nitro v4 or newer instances |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:12.efi.asc[FreeBSD-EN-25:12:efi] |08 August 2025 
@@ -366,6 +378,22 @@ This section lists the various Security Advisories and Errata Notices since {rel |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:14.route.asc[FreeBSD-EN-25:14:route] |08 August 2025 |man:route[8] monitor buffers too much when redirected to a file + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:15.arm64.asc[FreeBSD-EN-25:15:arm64] +|16 September 2025 +|arm64 man:syscall[2] allows unprivileged user to panic kernel + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc[FreeBSD-EN-25:16:vfs] +|16 September 2025 +|man:copy_file_range[2] fails to set output parameters + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:17.bnxt.asc[FreeBSD-EN-25:17:bnxt] +|16 September 2025 +|man:bnxt[4] fails to set media type in some cases + +|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc[FreeBSD-EN-25:18:freebsd-update] +|30 September 2025 +|man:freebsd-update[8] installs libraries in incorrect order |=== [[userland]] 
@@ -411,25 +439,42 @@ gitref:fa7b31166ddb[repository=src] The man:usbconfig[8] utility now reads the descriptions of usb vendor and products from [.filename]#/usr/share/misc/usb_vendors# when available, similar to what man:pciconf[8] does. gitref:7b9a772f9f64[repository=src] -An option has been added to change the directory in man:env[1] which closely resembles the feature in the GNU version of env although it does not support long options. +An option has been added to change the directory in man:env[1] which closely resembles the feature in the GNU version of env, although it does not support long options. gitref:08e8554c4a39[repository=src] (Sponsored by Klara, Inc.) -Fix `-U` flag of man:ps[1] to select processes by real user IDs. -This is what POSIX mandates for option `-U` and arguably the behavior that most users actually need in most cases. -Before, `-U` would select processes by their effective user IDs (which is the behavior mandated by POSIX for option `-u`). -gitref:a2132d91739d[repository=src]. -(Sponsored by The FreeBSD Foundation). +man:ps[1] now automatically removes canned displays' columns that contain same data as some explicitly-requested columns. +Before this change, if some user requested to add some "canned display" (options `-j`, `-l`, `-u` or `-v`), columns in it that were duplicates of explicitly-requested ones earlier on the command line were omitted, but this did not work the other way around, when a canned display appears before explicitly-requested columns. +Additionally, columns with different keywords but which are aliases to the same +keyword are now also considered holding the same data, in addition to columns having the same keyword. +gitref:cd768a840644[repository=src] +(Sponsored by The FreeBSD Foundation.) -Make '-O' more versatile and predictable for man:ps[1]. +man:ps[1]'s `-O` option is now more versatile and predictable. The man:ps[1] display's list of columns is now first built without taking into account the `-O` options. 
In a second step, all columns passed via `-O` are finally inserted after the built-so-far display's first PID column (if it exists, else at start), in their order of appearance as arguments to the `-O` options. -gitref:1fc8cb547cd4[repository=src]. -(Sponsored by The FreeBSD Foundation). - -Remove not-explicitly-requested columns with duplicate data in man:ps[1]. -Before this change, when stacking up more columns in the display through command-line options, if user requested to add some "canned" display (through options `-j`, `-l`, `-u` or `-v`), columns in it that were "duplicates" of already requested ones (meaning that they share the same keyword, regardless of whether their headers have been customized) were in the end omitted. -gitref:7aa2f4826717[repository=src]. -(Sponsored by The FreeBSD Foundation). +gitref:5dad61d9b949[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:ps[1]'s `-a` and `-A` options now always show all processes. +When combined with other options affecting the selection of processes, except for `-X` and `-x`, option `-a` would have no effect (and `-A` would reduce to just `-x`). +This was in contradiction with the rule applying to all other selection options stating that one process is listed as soon as any of these options has been specified and selects it, which is both mandated by POSIX and arguably a natural expectation. +As a practical consequence, specifying `-a` or `-A` now causes all processes to be listed regardless of other selection options such as `-U`, `-p`, `-G`, etc., except for the `-X` and `-x` filter options, which continue to apply. +In particular, to list only processes from specific jails, one must not use `-a` with `-J`. +Option `-J`, contrary to its apparent initial intent, never worked as a filter in practice, except by accident with only `-a` due to the bug. +gitref:93a94ce731a8[repository=src] +(Sponsored by The FreeBSD Foundation.) 
+ +man:ps[1] now matches current user's processes using the effective user ID. +Previously, we would match using the real user ID. +This puts man:ps[1] in conformance with POSIX on that topic. +gitref:1aabbb25c9f9c4372[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:ps[1]'s `-U` flag now selects processes by real user IDs. +This is what POSIX mandates for option `-U` and arguably the behavior that most users actually need in most cases. +Before, `-U` would select processes by their effective user IDs (which is the behavior mandated by POSIX for option `-u`). +gitref:995b690d1398[repository=src] +(Sponsored by The FreeBSD Foundation.) Add flags to filter jail prison and vnet variables in man:sysctl[8] output. So users do not have to contact the source code to tell whether a variable is a jail prison / vnet one or not. @@ -439,6 +484,13 @@ man:grep[1] no longer follows symbolic links by default for recursive searches. This matches the documented behavior in the manual page. gitref:3a2ec5957ea9[repository=src] +man:mdo[1] now supports fully specifying all users and groups in the target credentials. +As a convenience, in addition to a full explicit specification, it allows starting from a baseline providing default values for all attributes, which is either the login credentials from some user in the password database or the current credentials, and then amending these attributes selectively. +The manual page has been updated to describe the new options and their interactions. +gitref:4ffcb1a4a99c[repository=src] +(Sponsored by The FreeBSD Foundation.) +(Sponsored by Google LLC (GSoC 2025).) + [[userland-contrib]] === Contributed Software 
@@ -446,12 +498,22 @@ One True Awk (man:awk[1]) has been updated to 2nd Edition, with new -csv support The snapshot used is 20250804. gitref:b45a181a74c8[repository=src] +`bmake` has been upgraded to 20250804, providing many debugging +improvements, bug fixes such as detecting and rejecting `gmake` +syntax, and feature improvements such as a floating point argument to +`-j` being used as a multiple of the number of cpus available. + The man:sendmail[8] suite has been upgraded to version 8.18.1, addressing CVE-2023-51765. gitref:58ae50f31e95[repository=src] `bc` has been upgraded to 7.0.2. gitref:90ea553a0d30[repository=src] +`blacklist` has been renamed upstream to `blocklist`. +Existing setups will continue to work emitting a warning. +The snapshot used is 20251026. +gitref:4afb96fdd272[repository=src]. + `libarchive` has been upgraded to 3.7.7. gitref:2ae238160f20[repository=src] @@ -505,7 +567,10 @@ One notable change is that GoogleTest 1.15.x now officially requires C++-14 (1.1 The man:setusercontext[3] routine in `libutil` will now set the process priority (nice) from the [.filename]#.login.conf# file from the home directory under appropriate conditions, as well as the system man:login.conf[5]. The priority can now have the value `inherit`, indicating that the priority should be unchanged from that of the parent process. Similarly, the umask can have the value `inherit`. -gitref:6f6186e19fe5[repository=src], gitref:a8c273b3c97f[repository=src], gitref:d2d66fedc418[repository=src] (Sponsored by Kumacom SAS) +gitref:c328e6c6ccaa[repository=src], +gitref:d162d7e2ad32[repository=src], +gitref:f2a0277d3e51[repository=src] +(Sponsored by Kumacom SAS) Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see man:simd[7]. (Sponsored by The FreeBSD Foundation) 
@@ -524,15 +589,36 @@ gitref:e77813f7e4a3[repository=src] `libcxxrt` has been updated to upstream 6f2fdfebcd62(gitref:d9901a23bd2f[repository=src]). +The accuracy of man:asinf[3] and man:acosf[3] has improved. +gitref:33c82f11c267[repository=src] + +The man:setgroups[2] and man:getgroups[2] system calls and the man:initgroups[3] library function have been changed to avoid setting or reporting the effective group ID, now only concerning themselves with the supplementary groups. +The main purpose of this change is to avoid security issues going forward by becoming compatible with Linux/glibc, OpenBSD, NetBSD and illumos-based systems. +Consequently, almost all portable applications should already be compliant with this new behavior and will continue to work correctly or even get fixed in the process (see, e.g., gitref:239e8c98636a[repository=src] for an example affecting OpenSSH). +However, out of caution, porters, system administrators and users are advised to audit their applications using man:setgroups[2], man:getgroups[2] and man:initgroups[3], watching out for the following points. +Applications must be using man:setgid[2] or man:setegid[2] in addition to man:setgroups[2] or man:initgroups[3] to set the effective group ID. +They must not treat the first element of the array returned by man:getgroups[2] specially, but instead as any other supplementary group. +For more information, please consult the SECURITY CONSIDERATIONS sections that have been added to the man:setgroups[2], man:getgroups[2] and man:initgroups[3] manual pages. +Compatibility system calls and library functions have been provided so that binaries and libraries compiled on FreeBSD 14 systems or earlier will continue to work exactly as before. +gitref:9da2fe96ff2e[repository=src], +gitref:8878569103a3[repository=src], +gitref:7132fb5edbc9[repository=src], +gitref:2932e6f59bff[repository=src], +gitref:8878569103a3[repository=src] +(Sponsored by The FreeBSD Foundation.) 
+ +`libc` contains compatibility functions enabling running executables/libraries compiled for older versions of FreeBSD. +Those that are themselves using compatibility system calls would not reference them correctly, causing misbehavior at runtime. +This has been fixed. +gitref:47f5f89dbd27[repository=src] +(Sponsored by The FreeBSD Foundation.) + [[userland-deprecated-programs]] === Deprecated Applications man:fdisk[8] has been deprecated in favor of man:gpart[8] for a long time but has not been removed, running this application will show a warning to migrate to man:gpart[8]. gitref:3958be5c29da[repository=src] (Sponsored by The FreeBSD Foundation) -The accuracy of man:asinf[3] and man:acosf[3] has improved. -gitref:33c82f11c267[repository=src] - Update deprecation warning to note that man:gvinum[8] is removed in 15.0(gitref:dec497a9fcbf[repository=src]). Deprecation notice for man:syscons[4] has been added. @@ -555,7 +641,7 @@ This section covers changes in support for cloud environments. {releaseCurrent} supports cloudinit, including the `nuageinit` startup script and support for a `config-drive` partition. It is compatible with OpenStack and many hosting facilities. See the https://cloud-init.io[cloud-init] web site and the commit messages, -gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src]. (Sponsored by OVHCloud) +gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src]. (Sponsored by OVHcloud) The FreeBSD project is now publishing OCI-compatible container images. gitref:8a688fcc242e[repository=src] 
@@ -566,13 +652,25 @@ link:https://cloudmarketplace.oracle.com/marketplace/app/freebsd-release[Oracle for more information. gitref:77b296a2582b[repository=src] -The "shutdown" and "reboot" API in the Amazon EC2 cloud now work for arm64 instances. -Older instances upgraded to FreeBSD {releaseCurrent} will need to have `debug.acpi.quirks="8"` set in `/boot/loader.conf`. +The "shutdown" and "reboot" API in the Amazon EC2 cloud now work for arm64 ("Graviton") instances. gitref:28b881840df7[repository=src] (Sponsored by Amazon) -The FreeBSD projects now publishes "small" EC2 images; these are the "base" images minus debug symbols, tests, 32-bit libraries, the LLDB debugger, the Amazon SSM Agent, and the AWS CLI. +Several bug fixes and configuration changes collectively allow device hotplug on both x86 and arm64 ("Graviton") EC2 instances. +gitref:ce9a34b1614e[repository=src] +gitref:55c3348ed78f[repository=src] +gitref:d70bac252d30[repository=src] +(Sponsored by Amazon) + +Users upgrading EC2 instances from earlier FreeBSD releases should set `hw.pci.intx_reroute=0` and `debug.acpi.quirks="56"` in `/boot/loader.conf`. + +The FreeBSD project now publishes "small" EC2 images; these are the "base" images minus debug symbols, tests, 32-bit libraries, the LLDB debugger, the Amazon SSM Agent, and the AWS CLI. gitref:953142d6baf3[repository=src] (Sponsored by Amazon) +The FreeBSD project now publishes "builder" EC2 images; these boot into a memory disk and extract a clean "base" image onto the root disk (mounted at `/mnt`) to be customized before creating an AMI. +gitref:584265890303[repository=src] (Sponsored by Amazon) + +FreeBSD "base" EC2 images now boot up to 76% faster than corresponding {releasePrev} images, with the largest improvements found on arm64 ("Graviton") instances. + [[kernel]] == Kernel 
@@ -581,6 +679,11 @@ This section covers changes to kernel configurations, system tuning, and system [[kernel-general]] === General Kernel Changes +FreeBSD now natively implements the Linux man:inotify[2] interface. +The system calls themselves are not API-compatible, but libc provides an API-compatible interface, so software which relies on inotify can be run unmodified. +gitref:f1f230439fa4[repository=src], +(Sponsored by Klara, Inc.) + The `fpu_kern_enter` and `fpu_kern_leave` routines have been implemented for powerpc, allowing the use of man:ossl[4] crypto functions in the kernel that use floating point and vector registers. gitref:91e53779b4fc[repository=src] 
@@ -588,22 +691,52 @@ Support legacy PCI hotplug on arm64. gitref:355f02cddbf0[repository=src]. (Sponsored by Arm Ltd). -Define a common 'mac' node for MAC's jail parameters for man:mac[3]. -To be used by man:mac_do[4]. -gitref:66fb52a27279[repository=src]. -(Sponsored by The FreeBSD Foundation). - -New `setcred()` system call and associated MAC hooks. -This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved UIDs, effective, real and saved GIDs, supplementary groups and the MAC label. -Its advantage over standard credential-setting system calls (such as `setuid()`, `seteuid()`, etc.) is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner. -gitref:c1d7552dddb5[repository=src]. -(Sponsored by The FreeBSD Foundation). +Jails can now be accessed via jail descriptors in jail_set(2) and jail_get(2), as well as the new jail_attach_jd(2) and jail_remove_jd(2). They allow manipulation of jails through the file descriptor interface without the race conditions inherent in jail IDs, and can also optionally control jail lifetime. +gitref:851dc7f859c2[repository=src] + +Jails and jail descriptors now have associated kevent(2) filters that allow tracking jail creation, changes, attachment, and removal. +gitref:1bd74d201a53[repository=src] +gitref:66d8ffe3046d[repository=src] + +A new common 'mac' node for MAC modules' jail parameters has been created. +All future MAC modules' jail parameters will appear under this node. +See man:mac[4] for an introduction to MAC. +First consumer is man:mac_do[4]. +gitref:5041b20503db[repository=src], gitref:f3a06ced2568[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:mac_do[4] is now considered production-ready, after a number of important fixes. 
+gitref:bbf8af664dc9[repository=src], +gitref:292c814931d9[repository=src], +gitref:53d2e0d48549[repository=src], +gitref:add521c1a5d2[repository=src], +gitref:2a20ce91dc29[repository=src], +gitref:fa4352b74580[repository=src], +gitref:3d8d91a5b32c[repository=src], +gitref:8f7e8726e3f5[repository=src], +gitref:89958992b618[repository=src] +(Sponsored by The FreeBSD Foundation.) + +man:mac_do[4] now supports changing rules within jails with the `security.mac.do.rules` man:sysctl[8] knob. +gitref:b3f93680e39b[repository=src] +(Sponsored by The FreeBSD Foundation.) + +Introduce the man:setcred[2] system call and associated MAC hooks. +This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved user IDs, effective, real and saved group IDs, supplementary groups and the MAC label. +Besides providing atomicity, its advantage over standard credentials-setting system calls, such as `setuid()`, `seteuid()`, etc., is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one. +gitref:ddb3eb4efe55[repository=src] +(Sponsored by The FreeBSD Foundation.) Support multiple users and groups as single rule's targets in man:mac_do[4]. -Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups passed to `setgroups()`. -Additionally, it must be possible for this set of groups to also depend on the target UID, since users and groups are quite tied in UNIX (users are automatically placed in only the groups specified through '/etc/passwd' (primary group) and '/etc/group' (supplementary ones)). -gitref:83ffc412b2e9[repository=src]. -(Sponsored by The FreeBSD Foundation). 
+Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions. +The allowed groups are tied to one or multiple user IDs. +Multiple users and groups in a rule's target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group. +The rules syntax has been changed incompatibly, but migrating existing rules is just a matter of adding `uid=` in front of the target part, substituting commas (`,`) with semi-colons (`;`) and colons (`:`) with greater-than signs (`>`). +Please consult the man:mac_do[4] manual page for more information. +gitref:83ffc412b2e9[repository=src], +gitref:8f7e8726e3f5[repository=src], +gitref:f01d26dec67f[repository=src] +(Sponsored by The FreeBSD Foundation.) Teach man:sysctl[8] to attach and run itself in a jail. This allows the parent jail to retrieve or set kernel state when child does not have man:sysctl[8] installed (for example light weighted OCI containers or slim jails). 
@@ -628,16 +761,45 @@ Since these sysctls do not trigger any (de-)allocations anymore, their effect is gitref:960ee8094913[repository=src]. (Sponsored by The FreeBSD Foundation). -LinuxKPI: `linux_alloc_pages()` now honors `__GFP_NORETRY`. -This is to fix slowdowns with drm-kmod that get worse over time as physical memory become more fragmented (and probably also depending on other factors). -gitref:831e6fb0baf6[repository=src] -(Sponsored by The FreeBSD Foundation). +Gradual slowdowns and freezes experienced by owners of some AMD GPUs using the amdgpu DRM driver from the `drm-kmod` ports, starting with v5.15 (`graphics/drm-515-kmod` port), have been fixed. +In particular, owners of graphics cards with Green Sardine, Polaris 10 and 20 chips were known to be affected. +Recent Intel-based GPUs (gen 13+) may also have been affected. +The main cause is that the Linux's DRM subsystem's TTM component frequently requests memory that is physically contiguous although this property is not strictly necessary, and the kernel was trying too hard to fulfill them, leading to longer and more frequent freezes as physical memory got more fragmented over time. +In the LinuxKPI, `linux_alloc_pages()` now honors `__GFP_NORETRY` by not trying to break superpage reservations or defragment memory if the request for contiguous physical memory cannot be fulfilled immediately. +Another cause was that, during recent LinuxKPI evolution, `kmalloc()` was changed to always return physically contiguous memory as it does in Linux, but unfortunately `kvzalloc()` relied on `kmalloc()` and this was not changed, effectively turning all large memory allocations of zeroed pages into costly physically contiguous ones. +On allocation success, the TTM component sets page attributes unconditionally, regardless of whether they are already in place, which triggerred expensive TLB shootdowns even when not necessary. 
+Yet another cause was a flaw in the code iterating over memory domains (NUMA) leading to re-examining the same domain multiple times even if it could not fulfill the contiguous allocation request. +More details about this are given below. +Finally, some useless temporary physically contiguous allocation routinely performed in the case of Carrizo, Polaris and Vega M based AMD GPUs was converted to a regular one in the DRM drivers from the latest `drm-*-kmod` ports. +gitref:718d1928f874[repository=src], +gitref:4ca9190251bb[repository=src], +gitref:986edb19a49c[repository=src], +gitref:9d1f3ce79d85[repository=src], +gitref:da257e519bc0[repository=src] +(Sponsored by The FreeBSD Foundation.) + +Multiple flaws were fixed in the code iterating over memory domains (NUMA). +A failing contiguous allocation request would lead to re-examine the same domain multiple times even if it could not fulfill the request, wasting time and increasing allocation latency. +This would happen up to 4 times for the common case of a single memory domain and the "first touch" policy. +The first domain selected by all allocation policies, except "first touch" in some cases, would be considered even if it was not in the allowed domains mask or had been marked as to ignore in a previous attempt with the same iterator. +After a failed first attempt and sleeping, waiting allocations would restart with the policy's first domain even if that one was still in a low memory condition. +Finally, the "interleave" policy would reset the iterator index when restarting, effectively resetting the initial domain in the round-robin phase that happens after allocation from the first domain failed. +gitref:da257e519bc0[repository=src], +gitref:83ad6d8d8eee[repository=src], +gitref:b15ff7214020[repository=src] +(Sponsored by The FreeBSD Foundation.) The local stream (AF_UNIX/SOCK_STREAM) and sequenced packet stream (AF_UNIX/SOCK_SEQPACKET) sockets have been improved for better bulk transfer and round trip times. 
The SOCK_SEQPACKET socket has been brought to the specification and now behaves as a true stream socket, while in previous FreeBSD releases it could exhibit features of a datagram socket. Applications that were using SOCK_SEQPACKET incorrectly and relied on old implementation bugs may need to be adjusted. gitref:d15792780760[repository=src] +The effective group ID is now stored in the new `cr_gid` field of `struct cred` and has been removed as the first element of `cr_groups[]`, which now only contains the supplementary groups. +All downstream and out-of-tree modules using `cr_groups[0]` must be fixed to use `cr_gid` instead, and surrounding code that loops on `cr_groups[]` elements excluding `cr_groups[0]`, i.e., that intends to act on supplementary groups only, also needs to be adjusted as now supplementary groups start at `&cr_groups[0]` instead of `&cr_groups[1]`. +Code that needs to be portable to both 15.0 and earlier versions can use `cr_gid`, which existed also previously as a macro, and can test the truth value of `&cr_groups[0] != &cr_gid` to know how to browse the supplementary groups adequately. +gitref:be1f7435ef218b1df35[repository=src] +(Sponsored by the FreeBSD Foundation.) + [[drivers]] == Devices and Drivers 
@@ -650,6 +812,18 @@ A driver is available for man:ice[4] Ethernet network controllers in the Intel E It was upgraded to version 1.43.2-k. gitref:38a1655adcb3[repository=src] (Sponsored by Intel Corporation) +man:rtw88[4]: Merge Realtek's rtw88 driver based on Linux v6.17 (gitref:c1d365f39e08[repository=src]). +A possible issue that devices cannot authenticate is still being investigated. +(Sponsored by The FreeBSD Foundation). + +man:rtw89[4]: Merge Realtek's rtw89 driver based on Linux v6.17 (gitref:b35044b38f74[repository=src]). +The driver is under-tested and may still have issues. +(Sponsored by The FreeBSD Foundation). + +man:iwlwifi[4]: Merge Intels's iwlwifi mvm/mld driver based on Linux v6.17 (gitref:69caa1cf3ce5[repository=src]). +The BE200 based chipsets will need newer firmware requiring further driver fixes which are not in this release. +(Sponsored by The FreeBSD Foundation). + Numerous stability improvements have been in the man:iwlwifi[4] driver for Intel Wi-Fi devices. (Sponsored by The FreeBSD Foundation) @@ -688,7 +862,7 @@ gitref:56f0fc0011c2[repository=src] A new wireless driver supporting some Realtek chipsets is available: man:rtw89[4]. gitref:a2d1e07f6451[repository=src] (Sponsored by The FreeBSD Foundation) -Support for Realtek 8156/8156B has been moved from from man:cdce[4] to man:ure[4] for improved performance and reliability. +Support for Realtek 8156/8156B has been moved from man:cdce[4] to man:ure[4] for improved performance and reliability. gitref:630077a84186[repository=src] (Sponsored by The FreeBSD Foundation) Support for ACPI GPIO _AEI objects has been added. 
@@ -713,14 +887,12 @@ man:rtw88[4]: Merge Realtek's rtw88 driver based on Linux v6.14 (gitref:8ef44245 man:rtw89[4]: Merge Realtek's rtw89 driver based on Linux v6.14 (gitref:b6e8b845aeab[repository=src]). (Sponsored by The FreeBSD Foundation). -man:iwmbtfw[4]: Add support for 9260/9560 bluetooth adaptors (gitref:8e62ae9693bd[repository=src]). +man:iwmbtfw[4]: Add support for 9260/9560 bluetooth adapters (gitref:8e62ae9693bd[repository=src]). Required firmware files are already included in to package:comms/iwmbt-firmware[] port. man:ena[4] driver version has been updated to v2.8.1 (gitref:a1685d25601e[repository=src]). (Sponsored by Amazon, Inc.) -man:ix[4]: Add support for 1000BASE-BX SFP modules x550(gitref:24491b4acce5[repository=src]). - man:bnxt[4]: Enable NPAR support on BCM57504 10/25GbE NICs. (gitref:54f842ed8897[repository=src]). @@ -732,7 +904,7 @@ man:bnxt[4]: Add support for 400G speed modules (gitref:32fdad17f060[repository= man:ix[4]: Add support for 1000BASE-BX SFP modules. Add support for 1Gbit BiDi modules. -(gitref:c34817d9aef7[repository=src]). +(gitref:89d4096950c4[repository=src]). man:igc[4]: Fix attach for I226-K and LMVP devices. The device IDs for these were in the driver's list of PCI ids to attach to, but `igc_set_mac_type()` had never been setup to set the correct mac type for these devices. 
@@ -749,6 +921,19 @@ gitref:edf50670e215[repository=src] Added support for Brainboxes USB-to-Serial adapters in man:uftdi[4]. (gitref:47db906375b5[repository=src]) +The man:iwx[4] driver has been added, supporting the Intel Wi-Fi 6 series of M.2 wireless network adapters. +gitref:2ad0f7e91582[repository=src] (Sponsored by The FreeBSD Foundation) + +A new cellular modem driver supports USB network devices implementing the Mobile Broadband Interface Model (MBIM): man:umb[4]. +The accompanying man:umbctl[8] tool is used to display or set MBIM cellular modem interface parameters (4G/LTE). +gitref:0f1bf1c22a0c[repository=src] (Sponsored by The FreeBSD Foundation) + +man:smbios[4] now searches for the SMBIOS v3 (64-bit) entry point first also if booted from BIOS. +This allows to detect and report the proper SMBIOS version with BIOSes that only provide the v3 table, as happens on Hetzner virtual machines. +For machines that provide both, leverage the v3 table in priority consistently with the EFI case. +gitref:bc7f6508363c[repository=src] +(Sponsored by The FreeBSD Foundation.) + [[drivers-removals]] === Deprecated and Removed Drivers 
@@ -794,12 +979,11 @@ gitref:ead3cd3ef628[repository=src] Document recent file handle layout changes. gitref:ca22082c01a7[repository=src] -Allow to pass `{NGROUPS_MAX} + 1` groups in man:mountd[8]. -`NGROUPS_MAX` is just the minimum maximum of the number of allowed supplementary groups. -The actual runtime value may be greater. -Allow more groups to be specified accordingly (now that, a few commits ago, man:nmount[2] has been changed similarly). -gitref:ca9614d8f64a[repository=src] -(Sponsored by The FreeBSD Foundation). +Allow to specify as many groups as configured to be supported by the system in `-maproot` or `-mapall` options in man:exports[5]. +Previously, the cap was `NGROUPS_MAX + 1`, where `NGROUPS_MAX` is just the minimum maximum of the number of allowed supplementary groups. +Now use the proper `{NGROUPS_MAX} + 1` value, with `{NGROUPS_MAX}` being fetched at runtime via man:sysconf[3]. +gitref:e87848a8150e[repository=src] +(Sponsored by The FreeBSD Foundation.) [[boot-loader]] == Boot Loader Changes 
@@ -832,30 +1016,24 @@ The BIOS boot loader added back support for gzip and bzip2, but removed support (The EFI boot loader is unchanged with support for all of those.) gitref:4d3b05a8530e[repository=src] (Sponsored by Netflix) -man:loader.efi[8]: Favor the v3 (64-bit) entry point in man:smbios[4]. -Be consistent with what is done with non-EFI boot (but with the difference that EFI runs in 64-bit mode on 64-bit platforms, so there is no restriction that the v3 entry point should be below 4GB). -gitref:807d51be8040[repository=src]. -(Sponsored by The FreeBSD Foundation). +The BIOS boot loader will now use the SMBIOS v3 (64-bit) entry point if its table is below 4GB. +The BIOS boot loader is compiled 32-bit as a client of BTX even on amd64, so cannot access addresses beyond 4GB. +However, the 64-bit entry point may refer to a structure table below 4GB, which can be used if the BIOS does not provide a 32-bit entry point, as happens on Hetzner virtual machines. +gitref:7f005c6699f4[repository=src] +(Sponsored by The FreeBSD Foundation.) -man:libsa[3]: Favor the v3 (64-bit) entry point on non-EFI boot in man:smbios[4]. -When both the 32-bit and 64-bit entry points are present, the SMBIOS specification says that the 64-bit entry point always has at least all the structures the 32-bit entry point refers. +The BIOS boot loader now favors the SMBIOS v3 (64-bit) entry point. +When both the 32-bit and 64-bit entry points are present, the SMBIOS specification says that the 64-bit entry point always has at least all the structures the 32-bit entry point refers to. In other words, the 32-bit entry point is provided for compatibility, so it is assumed the 64-bit one has more chances to be filled with adequate values. -gitref:93af0db0d529[repository=src] -(Sponsored by The FreeBSD Foundation). +gitref:3f744fb8b2c5[repository=src] +(Sponsored by The FreeBSD Foundation.) -man:libsa[3]: Use 64-bit entry point if table below 4GB on non-EFI boot in man:smbios[4]. 
-On amd64, boot blocks and the non-EFI loader are 32-bit compiled as clients of BTX, so cannot access addresses beyond 4GB. -However, the 64-bit entry point may refer to a structure table below 4GB, which can be used if the BIOS does not provide a 32-bit entry point. -The situation is similar for powerpc64. -gitref:7b0350b376c0[repository=src]. -(Sponsored by The FreeBSD Foundation). +The EFI boot loader now favors the SMBIOS v3 (64-bit) entry point. +Consistently with what is done with BIOS boot. +There is a difference though: As the EFI loader runs in 64-bit mode on 64-bit platforms, there is no restriction that the v3 entry point's structure table should be below 4GB. +gitref:96f77576e9ea[repository=src] +(Sponsored by The FreeBSD Foundation.) -Search for v3 (64-bit) entry point first on BIOS boot in man:smbios[4]. -When booted from BIOS (i.e., not EFI), also search for a 64-bit version of the SMBIOS Entry Point. -This allows to detect and report the proper SMBIOS version with BIOSes that only provide the v3 table, as happens on Hetzner virtual machines. -For machines that provide both, leverage the v3 table in priority consistently with the EFI case. -gitref:145ef4af15f0[repository=src]. -(Sponsored by The FreeBSD Foundation). [[network]] == Networking @@ -866,7 +1044,7 @@ This section describes changes that affect networking in FreeBSD. Lots of improvements to the network stack, including performance improvements and bug fixes for the man:sctp[4] stack. -Descriptors returned by man:sctp_peeloff[2] now inherit capabilities from the parent socket. +Descriptors returned by man:sctp_peeloff[2] now inherit Capsicum capability man:rights[4] from the parent socket. gitref:ae3d7e27abc9[repository=src] (Sponsored by The FreeBSD Foundation) 
@@ -903,15 +1081,30 @@ gitref:7f7ef494f11d[repository=src] introduced a compile time option `PF_DEFAULT While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the man:pf[4] module. gitref:3965be101c43[repository=src] +A new man:pf[4] route-to pool option "prefer-ipv6-nexthop" allows for routing IPv4 packets over IPv6 gateways. +gitref:65c318630123[repository=src] gitref:d2761422eb0a[repository=src] (Sponsored by InnoGames GmbH) + +man:pf[4] now supports the OpenBSD style NAT syntax. +It is possible to use "nat-to", "rdr-to" and "binat-to" on "pass" and "match" rules. The old "nat on ..." syntax can still be used. +gitref:e0fe26691fc9[repository=src] (Sponsored by InnoGames GmbH) + +The man:pfsync[4] protocol has been updated to synchronize multiple missing attributes. +This fixes synchronizing of states with route-to, af-to, rtable, dummynet, tags, and scrub options. +If synchronization with an older version of FreeBSD is needed the protocol version can be configured with `ifconfig pfsync0 version $VERSION` where $VERSION is 1301 for 13.X relases or 1400 for 14.X. +It defaults to 1500 for synchronization between hosts running FreeBSD 15.0. +gitref:99475087d63b[repository=src] (Sponsored by InnoGames GmbH) + [[wireless-networking]] === Wireless Networking The LinuxKPI 802.11 compatibility layer man:linuxkpi_wlan[4] gained support for the Galois/Counter Mode Protocol (GCMP) from man:wlan_gcmp[4]. (Sponsored by The FreeBSD Foundation) -The man:rtw88[4] driver was made to work (associate) again and a memory leak got resolved. (Sponsored by The FreeBSD Foundation) - Following other drivers man:iwlwififw[4] firmware was removed from the base system in favor of the ports based solution and man:fwget[8] support. In case of updating from earlier releases, users must install the firmware packages upfront. 
(Sponsored by The FreeBSD Foundation) +The man:iwlwifi[4] wireless driver supports 802.11ac (VHT) for some Intel Wi-Fi 5, and all of Intel Wi-Fi 6 and Wi-Fi 7 hardware. (Sponsored by The FreeBSD Foundation) +The man:iwx[4] wireless driver supports 802.11ac (VHT) for Intel Wi-Fi 6 harddware. (Sponsored by The FreeBSD Foundation) +The man:rtwn[4] wireless driver supports 802.11ac (VHT) for the RTL8812A and RTL8821A chipsets. + [[hardware]] == Hardware Support @@ -931,9 +1124,6 @@ gitref:f9e09dc5b1d5[repository=src] Under Hyper-V, TLB flushes are now performed using hypercalls rather than IPIs, providing up to a 40% improvement in TLB performance. gitref:7ece5993b787[repository=src] (Sponsored by Microsoft) -Several bug fixes and configuration changes collectively allow device hotplug on both x86 and arm64 ("Graviton") EC2 instances. -Users upgrading EC2 instances from earlier FreeBSD releases should set `hw.pci.intx_reroute=0` and `debug.acpi.quirks="56"` in `/boot/loader.conf`. - [[linuxulator]] === Linux Binary Compatibility @@ -941,6 +1131,9 @@ The `AT_NO_AUTOMOUNT` flag is now ignored for all Linuxulator stat() variants (a gitref:99d3ce80ba07[repository=src] (Sponsored by The FreeBSD Foundation) +The Linux man:inotify[2] system calls are now implemented in the Linuxulator. +(Sponsored by Klara, Inc.) + [[multimedia]] == Multimedia 
@@ -962,27 +1155,23 @@ gitref:39f92a4c4c49[repository=src] Refer to man:graid[8] and man:zfs[8] instead of man:gvinum[8] in man:ccdconfig[8]). (gitref:55cb3a33d920[repository=src]). -man:ps[1]: Document change in behavior for `-a`/`-A`. -Document the practical consequence of change gitref:93a94ce731a8[repository=src] that specifying `-a`/`-A` leads to printing all processes regardless of the presence of other process selection options (except for `-x`/`-X`, which command a filter). -gitref:eed005b57895[repository=src]. -(Sponsored by The FreeBSD Foundation). +The man:ps[1] manual page has been revamped to explain the general principles, and descriptions in there have been updated to match reality. +The preamble has been revamped to give a thorough overview of the different aspects of the man:ps[1] command. +The description of several options and some keywords have been fixed to match their actual behavior and/or expanded. +The STANDARDS and BUGS sections have been expanded. +gitref:ddf144a04b53[repository=src] +(Sponsored by The FreeBSD Foundation.) -man:ps[1]: Change in behavior for option `-U`. -gitref:4e4739dd0745[repository=src] -(Sponsored by The FreeBSD Foundation). +The man:mac_do[4] manual page has been revamped as part of adding support for multiple users and groups as single rule's targets, which lead to changing the rules syntax. +In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections. +gitref:bc201841d139[repository=src] +(Sponsored by The FreeBSD Foundation.) -man:ps[1]: Change of how current user's processes are matched. -gitref:7219648f60d1[repository=src]. -(Sponsored by The FreeBSD Foundation). - -man:ps[1]: Match current user's processes using effective UID. -This puts man:ps[1] of FreeBSD in conformance with POSIX. -gitref:1e8dc267ca91[repository=src]. -(Sponsored by The FreeBSD Foundation). - -man:mac_do[4]: Change of rules syntax; Provide hints and pointers. -gitref:0c3357dfa18f[repository=src]. 
-(Sponsored by The FreeBSD Foundation). +The existing content of the man:mdo[1] manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials. +It has now a longer introduction and a new SECURITY CONSIDERATIONS section. +gitref:20ebb6ec5ac0[repository=src] +(Sponsored by The FreeBSD Foundation.) +(Sponsored by Google LLC (GSoC 2025).) man:firewire[4]: Add deprecation notice. This was originally discussed as part of FreeBSD 15 planning, but did not happen in time. @@ -994,7 +1183,7 @@ The ethernet switch controllers, man:mtkswitch[4], man:ip17x[4], man:ar40xx[4], man:mount[8] has gained an example for remounting all filesystems read/write in single-user mode. -Manual pages for the lua man:loader[8] modules have had their desctiptions reworded to optimize man:apropos[1] results. +Manual pages for the lua man:loader[8] modules have had their descriptions reworded to optimize man:apropos[1] results. The manual pages style guide, man:style.mdoc[5], has gained a section for listing supported hardware. When listed this way, the supported hardware will be listed in link:https://www.freebsd.org/releases/{localRel}R/hardware[the supported hardware notes]. 
@@ -1026,7 +1215,10 @@ gitref:03c07bdc8b31[repository=src] (Sponsored by The FreeBSD Foundation) [[ports-packages]] === Packaging Changes -The package:net/wifi-firmware-kmod@release[] package has been added to the DVD package set in order to provide necessary firmware for wifi drivers. +The bootonly ISO and mini-memstick image now include the package:net/wifi-firmware-iwlwifi-kmod[] and package:net/wifi-firmware-rtw88-kmod[] packages, making installations possible over a wireless connection (on systems supported by these firmware packages). +gitref:655fcdde1aff[repository=src] (Sponsored by The FreeBSD Foundation) + +The package:net/wifi-firmware-kmod@release[] package has been added to the DVD ISO, providing firmware for a broader set of Wi-Fi drivers. gitref:8c6df7ead19c[repository=src] (Sponsored by The FreeBSD Foundation) [[future-releases]] |
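Review bot: in the mountd/exports entry (hunk @@ -794), the contrast between `NGROUPS_MAX + 1` and `{NGROUPS_MAX} + 1` rests on the braces alone, which readers of the rendered notes will not decode; spell it out, e.g. "Previously the cap was the compile-time constant `NGROUPS_MAX + 1`; now the limit is fetched at runtime via man:sysconf[3] and the cap is that value plus one." Also "Allow to specify" should read "Allow specifying", and the new "(Sponsored by The FreeBSD Foundation.)" places the period inside the parentheses while the unchanged entries in the same section use "(Sponsored by The FreeBSD Foundation)"; the added entries in hunks @@ -832 and @@ -962 have the same inconsistency, so pick one form throughout.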
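Review bot: in the SMBIOS entries (hunk @@ -832), the paragraph stating that the BIOS loader "now favors the SMBIOS v3 (64-bit) entry point" is the general rule and the paragraph "will now use the SMBIOS v3 (64-bit) entry point if its table is below 4GB" is the BIOS-specific constraint on it, so they read more naturally in the reverse order. In the EFI paragraph, "Consistently with what is done with BIOS boot." is a sentence fragment; fold it into the preceding sentence ("The EFI boot loader now favors the SMBIOS v3 (64-bit) entry point, consistently with BIOS boot.").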
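Review bot: "relases" in the pfsync paragraph (hunk @@ -903) is a typo for "releases", and "harddware" in the man:iwx[4] line of the same hunk is a typo for "hardware". The keywords "prefer-ipv6-nexthop", "nat-to", "rdr-to", "binat-to", "pass" and "match" are set in double quotes while the rest of the file marks literals with backticks (cf. `SO_REUSEPORT_LB`, `ifconfig pfsync0 version $VERSION`); use backticks. The new man:rtwn[4] line is the only wireless entry without a sponsor or gitref line, and the hunk drops the man:rtw88[4] paragraph ("was made to work (associate) again and a memory leak got resolved") without replacement; confirm that removal is intended rather than lost in a rebase.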
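Review bot: hunk @@ -931 removes the EC2 hotplug paragraph together with its upgrade guidance to set `hw.pci.intx_reroute=0` and `debug.acpi.quirks="56"` in `/boot/loader.conf`. If users upgrading EC2 instances from earlier releases still need those settings, the guidance should be kept (or moved, with the hotplug note, to the hardware section); if it has become unnecessary, a short sentence saying so would spare readers of the previous draft from applying stale settings.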
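Review bot: the new man:inotify[2] paragraph (hunk @@ -941) carries a sponsor line but no gitref, unlike every surrounding Linuxulator entry; add the gitref for the commit that introduced the implementation.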
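Review bot: hunk @@ -962 replaces four man:ps[1] entries recording user-visible behaviour changes (`-a`/`-A` printing all processes regardless of other selection options, the change to `-U`, and matching the current user's processes by effective UID for POSIX conformance) with a paragraph that only says the manual page was revamped. The documentation note belongs in this section, but the behaviour changes themselves should stay in the release notes (here or under userland) so upgrading users and scripts relying on the old matching are not surprised. Grammar in the new text: "which lead to changing the rules syntax" should be "which led to", "has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections" should drop the "a", "descriptions in there" reads better as "the descriptions", and in the man:mdo[1] paragraph "It has now a longer introduction" should be "It now has"; the two consecutive sponsor lines there would be clearer merged as "(Sponsored by The FreeBSD Foundation and Google LLC (GSoC 2025))".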
