Diffstat (limited to 'contrib')
-rw-r--r--contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h5
-rw-r--r--contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp41
-rw-r--r--contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp44
-rw-r--r--contrib/pam-krb5/docs/pam_krb5.pod15
-rw-r--r--contrib/pam-krb5/module/auth.c6
-rw-r--r--contrib/pam-krb5/module/internal.h3
-rw-r--r--contrib/pam-krb5/module/options.c3
7 files changed, 74 insertions, 43 deletions
diff --git a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
index 7ab63905ed4f..7d090ba682b3 100644
--- a/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
+++ b/contrib/llvm-project/clang/lib/Driver/ToolChains/FreeBSD.h
@@ -78,6 +78,11 @@ public:
void AddHIPIncludeArgs(const llvm::opt::ArgList &DriverArgs,
llvm::opt::ArgStringList &CC1Args) const override;
+ bool IsAArch64OutlineAtomicsDefault(
+ const llvm::opt::ArgList &Args) const override {
+ return true;
+ }
+
UnwindTableLevel
getDefaultUnwindTableLevel(const llvm::opt::ArgList &Args) const override;
bool isPIEDefault(const llvm::opt::ArgList &Args) const override;
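Review bot: The new `IsAArch64OutlineAtomicsDefault` override returns `true` unconditionally and carries no comment saying what makes that safe for every FreeBSD AArch64 target. Outline atomics compile to calls into runtime helper routines, so the default presumably relies on the runtime library the FreeBSD driver links providing them; that precondition is not visible in this hunk. I would add a line above the override such as `// Outline atomics are on by default; requires the helper routines in the linked runtime library (confirm for all supported releases).`, and leave the unused parameter unnamed if the surrounding overrides do the same.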
diff --git a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
index 110e803b3354..0778eb320dcf 100644
--- a/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
+++ b/contrib/llvm-project/lldb/source/Host/freebsd/Host.cpp
@@ -14,12 +14,13 @@
#include <sys/sysctl.h>
#include <sys/user.h>
-#include <machine/elf.h>
-
#include <cstdio>
#include <dlfcn.h>
#include <execinfo.h>
+#include "llvm/Object/ELF.h"
+
+#include "lldb/Host/FileSystem.h"
#include "lldb/Host/Host.h"
#include "lldb/Host/HostInfo.h"
#include "lldb/Utility/DataBufferHeap.h"
@@ -101,17 +102,33 @@ GetFreeBSDProcessArgs(const ProcessInstanceInfoMatch *match_info_ptr,
proc_args.AppendArgument(llvm::StringRef(cstr));
}
- return true;
-}
-
-static bool GetFreeBSDProcessCPUType(ProcessInstanceInfo &process_info) {
- if (process_info.ProcessIDIsValid()) {
- process_info.GetArchitecture() =
- HostInfo::GetArchitecture(HostInfo::eArchKindDefault);
+ auto buffer_sp = FileSystem::Instance().CreateDataBuffer(pathname, 0x20, 0);
+ if (!buffer_sp) {
+ process_info.Clear();
return true;
}
- process_info.GetArchitecture().Clear();
- return false;
+ uint8_t exe_class =
+ llvm::object::getElfArchType(
+ {reinterpret_cast<const char *>(buffer_sp->GetBytes()),
+ size_t(buffer_sp->GetByteSize())})
+ .first;
+
+ switch (exe_class) {
+ case llvm::ELF::ELFCLASS32:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKind32));
+ break;
+ case llvm::ELF::ELFCLASS64:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKind64));
+ break;
+ case llvm::ELF::ELFCLASSNONE:
+ process_info.SetArchitecture(
+ HostInfo::GetArchitecture(HostInfo::eArchKindDefault));
+ break;
+ }
+
+ return true;
}
static bool GetFreeBSDProcessUserAndGroup(ProcessInstanceInfo &process_info) {
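Review bot: The early exit under `if (!buffer_sp)` calls `process_info.Clear()` and then returns `true`, so the caller is told the lookup succeeded while the record it holds has just been reset, presumably including the arguments appended a few lines earlier. Both callers shown later in this diff act on that result: FindProcessesImpl goes on to match and push the record, and GetProcessInfo returns `true`. An executable that cannot be opened looks like a reason to keep the record and fall back with `process_info.SetArchitecture(HostInfo::GetArchitecture(HostInfo::eArchKindDefault));` before `return true;`, or else to `return false;`. The `switch` also has no `default:`, so a class byte other than the three listed leaves the architecture unset; that byte is read from the target's file header and should not be assumed well-formed. GetFreeBSDProcessArgs begins outside the hunk.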
@@ -218,7 +235,6 @@ uint32_t Host::FindProcessesImpl(const ProcessInstanceInfoMatch &match_info,
// Make sure our info matches before we go fetch the name and cpu type
if (match_info_noname.Matches(process_info) &&
GetFreeBSDProcessArgs(&match_info, process_info)) {
- GetFreeBSDProcessCPUType(process_info);
if (match_info.Matches(process_info))
process_infos.push_back(process_info);
}
@@ -232,7 +248,6 @@ bool Host::GetProcessInfo(lldb::pid_t pid, ProcessInstanceInfo &process_info) {
if (GetFreeBSDProcessArgs(NULL, process_info)) {
// should use libprocstat instead of going right into sysctl?
- GetFreeBSDProcessCPUType(process_info);
GetFreeBSDProcessUserAndGroup(process_info);
return true;
}
diff --git a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
index e0f3971c6e27..c361b2abb726 100644
--- a/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
+++ b/contrib/llvm-project/lldb/source/Plugins/Process/Utility/RegisterContextFreeBSD_x86_64.cpp
@@ -9,6 +9,7 @@
#include "RegisterContextFreeBSD_x86_64.h"
#include "RegisterContextFreeBSD_i386.h"
#include "RegisterContextPOSIX_x86.h"
+#include "llvm/Support/Threading.h"
#include <vector>
using namespace lldb_private;
@@ -69,40 +70,34 @@ struct UserArea {
#include "RegisterInfos_x86_64.h"
#undef DECLARE_REGISTER_INFOS_X86_64_STRUCT
-static std::vector<lldb_private::RegisterInfo> &GetSharedRegisterInfoVector() {
- static std::vector<lldb_private::RegisterInfo> register_infos;
- return register_infos;
-}
-
-static const RegisterInfo *
-GetRegisterInfo_i386(const lldb_private::ArchSpec &arch) {
- static std::vector<lldb_private::RegisterInfo> g_register_infos(
- GetSharedRegisterInfoVector());
-
- // Allocate RegisterInfo only once
- if (g_register_infos.empty()) {
- // Copy the register information from base class
- std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface(
- new RegisterContextFreeBSD_i386(arch));
- const RegisterInfo *base_info = reg_interface->GetRegisterInfo();
- g_register_infos.insert(g_register_infos.end(), &base_info[0],
- &base_info[k_num_registers_i386]);
+static std::vector<lldb_private::RegisterInfo> &
+GetSharedRegisterInfoVector_i386(const lldb_private::ArchSpec &arch) {
+ static std::vector<lldb_private::RegisterInfo> g_register_infos;
+ static llvm::once_flag g_initialized;
+ llvm::call_once(g_initialized, [&]() {
+ if (g_register_infos.empty()) {
+ // Copy the register information from base class
+ std::unique_ptr<RegisterContextFreeBSD_i386> reg_interface(
+ new RegisterContextFreeBSD_i386(arch));
+ const RegisterInfo *base_info = reg_interface->GetRegisterInfo();
+ g_register_infos.insert(g_register_infos.end(), &base_info[0],
+ &base_info[k_num_registers_i386]);
// Include RegisterInfos_x86_64 to update the g_register_infos structure
// with x86_64 offsets.
#define UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS
#include "RegisterInfos_x86_64.h"
#undef UPDATE_REGISTER_INFOS_I386_STRUCT_WITH_X86_64_OFFSETS
- }
-
- return &g_register_infos[0];
+ }
+ });
+ return g_register_infos;
}
static const RegisterInfo *
PrivateGetRegisterInfoPtr(const lldb_private::ArchSpec &target_arch) {
switch (target_arch.GetMachine()) {
case llvm::Triple::x86:
- return GetRegisterInfo_i386(target_arch);
+ return &GetSharedRegisterInfoVector_i386(target_arch)[0];
case llvm::Triple::x86_64:
return g_register_infos_x86_64;
default:
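Review bot: Inside the `llvm::call_once` lambda the `if (g_register_infos.empty())` test is redundant, because the once-flag already guarantees the body runs a single time on a freshly constructed vector; dropping it removes one level of nesting. In PrivateGetRegisterInfoPtr, `&GetSharedRegisterInfoVector_i386(target_arch)[0]` indexes element 0 unconditionally, and `GetSharedRegisterInfoVector_i386(target_arch).data()` says the same thing without depending on the vector being non-empty. The getter also hands out a non-const reference to the shared vector; returning `const std::vector<lldb_private::RegisterInfo> &` would stop callers from modifying it after the one-time initialisation. PrivateGetRegisterInfoPtr continues past the end of the hunk.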
@@ -116,9 +111,10 @@ PrivateGetRegisterCount(const lldb_private::ArchSpec &target_arch) {
switch (target_arch.GetMachine()) {
case llvm::Triple::x86:
// This vector should have already been filled.
- assert(!GetSharedRegisterInfoVector().empty() &&
+ assert(!GetSharedRegisterInfoVector_i386(target_arch).empty() &&
"i386 register info vector not filled.");
- return static_cast<uint32_t>(GetSharedRegisterInfoVector().size());
+ return static_cast<uint32_t>(
+ GetSharedRegisterInfoVector_i386(target_arch).size());
case llvm::Triple::x86_64:
return static_cast<uint32_t>(sizeof(g_register_infos_x86_64) /
sizeof(g_register_infos_x86_64[0]));
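Review bot: The comment `// This vector should have already been filled.` and the `assert` under it no longer describe the code, since `GetSharedRegisterInfoVector_i386(target_arch)` now fills the vector itself on first use. I would reword the comment to `// The getter populates the vector on its first call.` and bind the result once, `const auto &infos = GetSharedRegisterInfoVector_i386(target_arch);`, instead of calling the getter in both the assertion and the return. PrivateGetRegisterCount begins before the hunk and continues after it.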
diff --git a/contrib/pam-krb5/docs/pam_krb5.pod b/contrib/pam-krb5/docs/pam_krb5.pod
index 024584dfd4cd..f352af71b553 100644
--- a/contrib/pam-krb5/docs/pam_krb5.pod
+++ b/contrib/pam-krb5/docs/pam_krb5.pod
@@ -57,12 +57,10 @@ is vulnerable to KDC spoofing, but it requires that the system have a
local key and that the PAM module be running as a user that can read the
keytab file (normally F</etc/krb5.keytab>. You can point the Kerberos PAM
module at a different keytab with the I<keytab> option. If that keytab
-cannot be read or if no keys are found in it, the default (potentially
-insecure) behavior is to skip this check. If you want to instead fail
-authentication if the obtained tickets cannot be checked, set
-C<verify_ap_req_nofail> to true in the [libdefaults] section of
-F</etc/krb5.conf>. Note that this will affect applications other than
-this PAM module.
+cannot be read or if no keys are found in it, the default behavior is to
+fail authentication. If you want to skip this check, set the
+C<allow_kdc_spoof> option to true either in the [appdefaults] section of
+F</etc/krb5.conf> or in the PAM policy.
By default, whenever the user is authenticated, a basic authorization
check will also be done using krb5_kuserok(). The default behavior of
@@ -218,6 +216,11 @@ pam-krb5 in which that option was added with the current meaning.
=over 4
+=item allow_kdc_spoof
+
+Allow authentication to succeed even if there is no host or service
+key available in a keytab to authenticate the Kerberos KDC's ticket.
+
=item alt_auth_map=<format>
[3.12] This functions similarly to the I<search_k5login> option. The
diff --git a/contrib/pam-krb5/module/auth.c b/contrib/pam-krb5/module/auth.c
index 065ce97b6596..46f2be791000 100644
--- a/contrib/pam-krb5/module/auth.c
+++ b/contrib/pam-krb5/module/auth.c
@@ -696,6 +696,12 @@ verify_creds(struct pam_args *args, krb5_creds *creds)
if (cursor_valid)
krb5_kt_end_seq_get(c, keytab, &cursor);
}
+#ifdef __FreeBSD__
+ if (args->config->allow_kdc_spoof)
+ opts.flags &= ~KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+ else
+ opts.flags |= KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL;
+#endif /* __FreeBSD__ */
retval = krb5_verify_init_creds(c, creds, princ, keytab, NULL, &opts);
if (retval != 0)
putil_err_krb5(args, retval, "credential verification failed");
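Review bot: The added block only toggles the `KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL` bit in `opts.flags`, which may not be enough to make verification fail closed. As far as I know the Kerberos libraries pair that bit with a separate `ap_req_nofail` value in the options structure, and nothing in this hunk sets it, so the intended default of rejecting unverifiable tickets should be confirmed against the krb5 library in the tree. Using the library's own setter keeps both in step: `krb5_verify_init_creds_opt_set_ap_req_nofail(&opts, !args->config->allow_kdc_spoof);`. A test that authenticates with an empty or unreadable keytab and expects failure would pin the behaviour the documentation change promises. verify_creds begins before the hunk and continues after it.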
diff --git a/contrib/pam-krb5/module/internal.h b/contrib/pam-krb5/module/internal.h
index f3ea30139815..c797f7a56cd3 100644
--- a/contrib/pam-krb5/module/internal.h
+++ b/contrib/pam-krb5/module/internal.h
@@ -62,6 +62,9 @@ struct pam_config {
long minimum_uid; /* Ignore users below this UID. */
bool only_alt_auth; /* Alt principal must be used. */
bool search_k5login; /* Try password with each line of .k5login. */
+#ifdef __FreeBSD__
+ bool allow_kdc_spoof;/* Allow auth even if KDC cannot be verified */
+#endif /* __FreeBSD__ */
/* Kerberos behavior. */
char *fast_ccache; /* Cache containing armor ticket. */
diff --git a/contrib/pam-krb5/module/options.c b/contrib/pam-krb5/module/options.c
index 799b3a33e168..0118fb451af6 100644
--- a/contrib/pam-krb5/module/options.c
+++ b/contrib/pam-krb5/module/options.c
@@ -30,6 +30,9 @@
#define K(name) (#name), offsetof(struct pam_config, name)
/* clang-format off */
static const struct option options[] = {
+#ifdef __FreeBSD__
+ { K(allow_kdc_spoof), true, BOOL (false) },
+#endif /* __FreeBSD__ */
{ K(alt_auth_map), true, STRING (NULL) },
{ K(anon_fast), true, BOOL (false) },
{ K(banner), true, STRING ("Kerberos") },