FreeBSD git weekly: 2026-05-18 to 2026-05-24

In our routing stack implementation, metric is an attribute
of the nexthop, not the route itself.
Store metric in nhop_priv which is control-plane data of
nexthop, filter the nexthops by metric and populate the mpath
slots in nexthop group with only the lowest metric nexthops
for use in the forwarding path.

`cmp_priv()` compares nhops based on priv hash.
Add metric compare logic to it and only return nexthops
with different metrics if the input nexthop's metric is
zero (wildcard).
Also, add support for metric via rtsock by introducing rmx_metric.

Finally, remove the upper 8-bit reservation of weight for
administrative distance.

Reviewed by:    adrian
Discussed with: markj
Relnotes:       yes
Differential Revision: https://reviews.freebsd.org/D56322

Reported by:  bz
Sponsored by:   The FreeBSD Foundation

tftp: Simplify URI handling

* No need to copy our argument into a new buffer; it is writeable and
  will not be reused after we return.

* Instead of constructing the string "get path" and then splitting it
  into an argument vector, just construct the vector directly.  This
  avoid potentially overrunning the buffer.

* Call settftpmode() just once, with either the default mode or the
  user-provided value we already validated.

* Use errx() instead of fprintf(stderr) + exit().

Reported by:    Moyao, Minghao Fu
MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57070

tftp: Close files when we're done with them

Also, delete the file we created if receiving it failed.

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57071

tftp: Fix handling of port name or number

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57105

tftp: Replace fgets with getline

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57072

When reading from standard input with editline history enabled, increase
buffer size to accomodate long lines so that history is recorded
correctly. Cleanup el_gets() handling avoiding potentially dangerous
retention of pointers to editline buffers across calls.  Ensure struct
parsefile objects are properly zero initialised when created. Remove
push argument from setinputstring() and simplify logic as it was always
called with a value of one and as was written was potentially dangerous
if ever called with a value of zero.

This commit does not fix long lines when history is enabled but editing
is not (e.g. if there is no terminal).

MFC after:      3 weeks
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2028
Signed-off-by: Kristofer Peterson <kris@tranception.com>

nlist.3: Replace a.out(5) Xref with elf(5)

ELF support was added to nlist() in 1997, and a.out support was removed
in 2020.  The man page was not updated for either of these changes.

Fixes: https://cgit.freebsd.org/src/commit/?id=77909f597881 ("Initial elf nlist support, ...")
Fixes: https://cgit.freebsd.org/src/commit/?id=86cfa7e70b2b ("nlist: retire long-obsolete aout support")
Sponsored by: The FreeBSD Foundation

nlist.3: Add stab(5) Xref

Commit 876a17321c89 removed the a.out Xref as nlist(3) no longer
supports a.out, but this left nlist(3) without a reference to a page
documenting struct nlist.

struct nlist is documented in both a.out(5) and stab(5), so add an Xref
to the latter.

Reported by:    brooks
Fixes: https://cgit.freebsd.org/src/commit/?id=876a17321c89 ("nlist.3: Replace a.out(5) Xref with elf(5)")

nlist.3: Clarify which symbol table is used

nlist() requires section headers, and currently fetches symbol names
only from SHT_SYMTAB,

Reviewed by:    kib
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57065

nlist.3: Add discouraged use notice

It is a relic from a.out days and is poorly specified. Although ELF
support was added to nlist, there are better ways to access ELF data.

Reviewed by:    kib
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57078

nlist.3: Move deprecation notice after intro

Its more clear and good practice for the first sentence of a description
to describe what something is, because there are a lot of different use
cases for documentation.

Fixes:          https://cgit.freebsd.org/src/commit/?id=94b7a335683a ("nlist.3: Add discouraged use notice")
Reviewed by:            emaste
Differential Revision:  https://reviews.freebsd.org/D57128

MFC after:    3 days

While here, tag spdx and sync the drivers in crypto(4)/SEE ALSO.

MFC after:              2 days (add back hifn)
Differential Revision:  https://reviews.freebsd.org/D57060

Reviewed by:  markj, oshogbo
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57141

Add metric implementation of netlink to manual.

Reviewed by:    markj
Differential Revision: https://reviews.freebsd.org/D56324

Describe `-metric` argument in the route manual.

Discussed with: ziaee
Differential Revision: https://reviews.freebsd.org/D57025

MFC after:    1 minute
Sponsored by:   The FreeBSD Foundation

Reviewed by: ziaee, mhorne, kevans

The RETURN VALUES section used "instr" to describe the fts_set()
argument, while the SYNOPSIS and all other references use "options".
Fix the inconsistency.

MFC after:      1 week
Sponsored by:   Google LLC (GSoC 2026)
Reviewed by:    asomers
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2213

Since this manual describes the mdoc syntax throughout the ecosystem,
I had to blend what we had before with what upstream is doing now.

Thanks:         adrian
MFC after:      3 days (we shipped this doc in 15.0/14.4)
Reviewed by:    ivy, mhorne, des, adrian
Discussed with: arch@
Differential Revision:  https://reviews.freebsd.org/D56153

Reviewed by:  ziaee (via IRC)
MFC after:      immediately
Differential Revision:  https://reviews.freebsd.org/D57211

Both tools support controllers from both companies, so document it.

Reviewed by:    ziaee (via IRC)
MFC after:      immediately
Differential Revision:  https://reviews.freebsd.org/D57212

Sponsored by: The FreeBSD Foundation
MFC after:      3 days
Differential revision:  https://reviews.freebsd.org/D57162

Yes this printf is for local debugging and not required at all on anything.

Pointed out by: andrew@

This returns true if a given device is a PCI device (child of a PCI
bus).

Reviewed by:    bz, kib
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56996

Reviewed by:  bz, imp
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56998

* Document what iwx_rxmq_get_signal_strength() is doing in a comment,
  noting what the firmware returns and what math is being done on it
  to turn it into a dBm value.

* Document what iwx_get_noise() is supposed to do, that we can't just
  go do math with log numbers like we're doing, but also that we're
  seeing zeros in this firmware (AX210), which may mean we're decoding
  using the wrong structs.

* Swizzle around the RSSI calculation as a function, add min/max RSSI
  values, and calculate RSSI against the noise floor.

* And handle the lowest noise floor value - it can't be -127dBm as
  that will throw things off.  Cap it at -100dBm which is a little
  lower than the thermal noise floor at 20MHz (-98dBm), but it matches
  IWX_MIN_DBM.

Differential Revision:  https://reviews.freebsd.org/D53780

Some firmware (e.g. Apple EFI on Sandy Bridge Mac hardware) programs all
HDMI/DP output pins in an association with identical sequence numbers.

The existing code disables the entire association on the first
duplicate, leaving HDMI/DP audio non-functional.

For digital output pins (HDMI/DP) with seq=0 duplicates, search for the
next free sequence slot and reassign the duplicate rather than
disabling.

The seq=0 restriction targets the known Apple firmware pattern; any
other duplicate sequence is more likely a genuine firmware error and the
association is still disabled.

Update first after reassignment so that hpredir is not left pointing at
a stale sequence. Non-digital and input associations retain the existing
disable behaviour.

MFC after:      1 week
Reviewed by:    christos
Differential Revision:  https://reviews.freebsd.org/D55473

The stale include line caused config -m to fail with an error trying
to parse the config file during make universe/tinderbox which in turn
caused universe/tinderbox to abort without building any powerpc
kernels (or subsequent architectures such as riscv64) with the error:

make[2]: freebsd/main/Makefile:767: Target architecture for powerpc/conf/MPC85XX unknown.  config(8) likely too old.
        in .for loop from freebsd/main/Makefile:761 with kernel = MPC85XX
        in make[2] in directory "freebsd/main"

make[2]: stopped making "universe_kernels" in freebsd/main
*** Error code 1

Reported by:    npn, many others
Fixes:          https://cgit.freebsd.org/src/commit/?id=fd8d34ce272b ("dpaa: Migrate from NCSW base to a home-grown driver")

The Winbond/Nuvoton W83793G system monitor chip includes many features
not currently supported by this driver.  The following are currently
supported:

* Up to 6 temperature sensors, 4 of which have 10-bit resolution
  (8.2),two with 8-bit resolution (no decimal component)
* Up to 12 fans
  - Fans 0-4 (1-5 on the datasheet) are always enabled.  The remaining 7
    fans are individually enabled.
* Multiple voltage sensors, reading up to 10 voltage sources.  Sysctls
  are labeled to match the datasheet.
* Chassis open detection.

The W83793AG is a feature-reduced version, which lacks 3 thermal diodes
and 2 voltage monitors.  Since there is no way to tell the difference
between the W83793AG and W83793G programmatically, sensors reported on
the W83793AG will report strange values.

Temperature sensors and 7 of the fans can be individually enabled on the
chip, but currently not configured by this driver.  The driver only
reports what was configured by the firmware.  Additionally, this driver
numbers the sensors and fans according to the datasheet, so even if, for
instance, fan 8 is disabled, it would skip from fan 7 to fan 9, it does
not renumber.  This makes it easier to follow for hardware debugging
purposes.

Missing features:
* Smart Fan support
* Fan PWM control
* ASF (Alert Standard Format)

Only Bank 0 registers are used at this time.

Reviewed by:    adrian
Differential Revision:  https://reviews.freebsd.org/D56776

The address range 0xfffff78000000000 - 0xfffff7bfffffffff spans exactly 256GB
(0x4000000000 bytes), not 512GB.

For a 2TB kernel map, based on the KASAN 1:8 shadow map ratio, the required
shadow map size is indeed 256GB. The current comment incorrectly states 512GB,
which can be misleading and cause confusion.

Reviewed by:    markj
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D57129

Approved by:  so
Security:       FreeBSD-SA-26:19.file
Security:       CVE-2026-45251

To be initially used by virtual_oss(8) loopback devices.

Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Reviewed by:    emaste
Pull-Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/26

Drop and Add bits reset the data toggle for high-speed devices in XHCI.
The toggle bit represents the sequence number in USB 2.0 transfers. However,
a device can only recognize that the toggle bit has been reset while in
the HALT state. As a result, the host and device toggle values may
become mismatched, causing xHCI to reject the packet. This issue was
observed while testing the EZ-USB FX2 device.

The transfer may then return to the original value after a
bi-directional TD because the toggle field is only one bit wide. This
explains the reson that we can only receive packets bi-transfer in some
case. Therefore, we do not reset the toggle bit here.

Reviewed by:    adrian
MFC after:      2 weeks
Sponsored by:   The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57146

This ifdef does not do anything, SV_ABI_LINUX is a flag.

Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Reviewed by:    ivy, brooks
Pull-Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/37

Sponsored by: The FreeBSD Foundation

Fixes:                https://cgit.freebsd.org/src/commit/?id=36b855f18925 ("amd64/vmm: Lock global PCI passthrough structures")
MFC after:      3 days
Reported by:    bz

Sponsored by: The FreeBSD Foundation
Reviewed by:    jlduran
Differential Revision: https://reviews.freebsd.org/D57053

Fixes: https://cgit.freebsd.org/src/commit/?id=2574974648c6 ("OpenSSH: Update to 10.3p1")
Sponsored by:   The FreeBSD Foundation

tcp: Make RFC 6191 support configurable

Add a default-on per-VIMAGE sysctl for RFC 6191 connection recycling.
This makes it possible to merge the change to older branches where it
can be switched off by default to minimize risk.

MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Modirum MDPay
Reviewed by:    pouria, marius.h_lden.org, tuexen
Differential Revision:  https://reviews.freebsd.org/D57045

tcp: Fix typo in RFC 6191 sysctl

Fixes:          https://cgit.freebsd.org/src/commit/?id=2af70d7a3849 ("tcp: Make RFC 6191 support configurable")
MFC after:      1 week
Sponsored by:   Klara, Inc.
Sponsored by:   Modirum MDPay

ctld: Remove redundant call to conf::isns_schedule_update

This is already called at the end of conf::apply.

Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56530

ctld: Mark a few more isns_* methods in the conf class private

These are only invoked from other methods in the conf class.

Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56531

ctld: Add a dedicated conf method for shutting down

Currently the main loop creates an empty config and applies it to
force a shutdown of all of the existing configuration.  While this is
functional and does avoid duplicating some code, it is also a bit
clunky and requires a special hack in the pidfile path handling
in the conf::apply method.

Instead, use a dedicated conf::shutdown method which tears down the
CTL ports and LUNs and closes the sockets.

Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56532

ctld: Simplify pidfile rename handling in conf::apply

Explicitly copy the pidfile path from the initial configuration file
to the kernel-derived configuration to avoid having to check if the
old path is empty as a special case in conf::apply().

Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56533

These are the last two uses of the wk_rxmic / wk_txmic macros.
Everything should be using the accessor methods at ths point.

Reviewed by:    bz
Differential Revision:  https://reviews.freebsd.org/D54790

This is a refactor of 228c632ab3f62.  First, move compatibility one level
up, where we yet work with the full header.  Second, move this rarely
executed code outside of the inline function.  Should be no functional
change.

Reviewed by:            pouria, melifaro
Differential Revision:  https://reviews.freebsd.org/D56915

PR:                   https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295106
Submitted by:           Robert Morris <rtm@lcs.mit.edu>
Reviewed by:            pouria, melifaro
Differential Revision:  https://reviews.freebsd.org/D56916

Validate the length of the packet listed in the mbuf is the same as
the calculated packet length. If not reject the packet and bump the
bad packet stat.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295198
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D57095

ipfilter: Add NULL check for fin_dp in ICMP packet handlers

Add NULL checks for fin->fin_dp in ipf_pr_icmp6() and ipf_pr_icmp()
before dereferencing. When processing packets with IPv6 extension
headers, ipf_pr_pullup() can succeed but fin->fin_dp may still be NULL
due to extension header processing leaving insufficient data for the
protocol header.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288333
MFC after:      1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>

ipfilter: Add NULL check for fin_m in ipf_pr_icmp6()

Add NULL check for fin->fin_m before calling M_LEN() in the ICMPv6
error handling code path. When ipf_checkicmp6matchingstate() calls
ipf_makefrip() with a synthesized fr_info_t that has fin_m set to
NULL, the subsequent call to ipf_pr_ipv6hdr() can reach ipf_pr_icmp6()
which would crash when trying to access the mbuf via M_LEN().

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288333
MFC after:      1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>

ipfilter: Fix NULL dereferences in ipf_checkicmp6matchingstate()

Add NULL checks for ic6 (the ICMPv6 header pointer from fin->fin_dp)
and oic (the inner ICMPv6 header from ofin.fin_dp after ipf_makefrip).
These pointers can be NULL when processing malformed ICMPv6 error
packets with extension headers.

Also fix the length validation: the original check (fin->fin_plen <
sizeof(ip6_t)) could never trigger because an earlier check already
ensures fin->fin_plen >= ICMP6ERR_MINPKTLEN (48). Replace with a proper
check that fin->fin_dlen contains at least ICMPERR_ICMPHLEN +
sizeof(ip6_t) bytes to ensure sufficient data exists for both the
ICMPv6 error header and the embedded IPv6 header.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=288333
MFC after:      1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2214
Signed-off-by:  Teddy Engel <engel.teddy@gmail.com>

In our routing stack implementation, metric is an attribute
of the nexthop, not the route itself.
Store metric in nhop_priv which is control-plane data of
nexthop, filter the nexthops by metric and populate the mpath
slots in nexthop group with only the lowest metric nexthops
for use in the forwarding path.

`cmp_priv()` compares nhops based on priv hash.
Add metric compare logic to it and only return nexthops
with different metrics if the input nexthop's metric is
zero (wildcard).
Also, add support for metric via rtsock by introducing rmx_metric.

Finally, remove the upper 8-bit reservation of weight for
administrative distance.

Reviewed by:    adrian
Discussed with: markj
Relnotes:       yes
Differential Revision: https://reviews.freebsd.org/D56322

* Use our new 32-bit metric for RTA_PRIORITY support.
* Update snl library for new RTA_PRIORITY support.
* return RTA_PRIORITY for both MPATH and non-MPATH routes.

Reviewed by:    glebius (previous version)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D56323

Add metric support and show its value in wide flag and
libxo output.
Also, add metric to the description of wide flag (`-w`) in
routing display (`-r`) section of manual page.

Reviewed by:    markj (manpage)
Discussed with: markj
Differential Revision: https://reviews.freebsd.org/D57011

When checksum offloading is used, IPFW needs to fix the checksum
after libalias has done NAT. The ipfw_nat() function does so, but
only for mbufs without a receiving interface. However, if, for example,
the packet was sent inside a jail that used checksum offloading over
an epair, ipfw still needs to fix the checksum even though the mbuf
has set a receiving interface (epair).
This patch just removes the check whether a receiving interface is set.

PR:                     https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295057
Reviewed by:            tuexen
MFC after:              immediately
Differential Revision:  https://reviews.freebsd.org/D57091

We used nla_p_table for pfr_table structures, but this netlink decoder
was intended for pfioc_table and decoded an extra field, outside
of pfr_table. This allowed userspace to write (slightly) outside of
pfr_table.

Use a separate nlattr_parser for pfr_table.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295218
Reported by:    Robert Morris <rtm@lcs.mit.edu>
MFC after:      1 week
Sponsored by:   Rubicon Communications, LLC ("Netgate")

It is reported that micro(up)time() performs poorly in certain
virtualisation scenarios. Absolute accuracy isn't required here, so
switch to the slightly less accurate (as per the man page) get-variants.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295043
MFC after:      3 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")

Reviewed by: bz, pouria
Fixes: https://cgit.freebsd.org/src/commit/?id=7e5bf68495cc ("netlink: add netlink support")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57156

Even though it is not dereferenced, it is UB to take the address of an
out of bounds array element.

Reviewed by: pouria, bz, des, adrian
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57158

It has done nothing since commit bc7d18ae7224.  No functional change
intended.

Reviewed by:    tuexen
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D57101

Reviewed by: bz, glebius, pouria
Fixes: https://cgit.freebsd.org/src/commit/?id=7e5bf68495cc ("netlink: add netlink support")
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57167

Reviewed by: glebius, pouria
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57171

Taking the address of an OOB array element is UB, even if not
dereferenced.

Reviewed by: des, bz
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D57172

We already run `certctl rehash` at the end, there is no point in asking
users upgrading from 15.0 to 15.1 to manually merge the trust store.

MFC after:      3 days
Reviewed by:    cperciva
Differential Revision:  https://reviews.freebsd.org/D57028

safe_set is the routine that does all the work.

In safe_set; if we replace one=`cmd arg` or two=$(cmd arg) add quotes
around the result eg. one="_cmd arg_"
Also lines containing `` or $() are too likely to result in syntax
errors, so just delete them.

Differential Revision:  https://reviews.freebsd.org/D56795

The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters.  Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.

Approved by:    so
Security:       FreeBSD-SA-26:23.bsdinstall
Security:       CVE-2026-45255
Reported by:    Austin Ralls
Reviewed by:    dteske, des, asiciliano
Differential Revision:  https://reviews.freebsd.org/D56973

The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan.  The untrusted network names are evaluated in
f_dialog_menu_wireless_edit.  The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.

Pass the SSID names through f_shell_escape to work around this.  Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.

I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.

Approved by:    so
Security:       FreeBSD-SA-26:23.bsdinstall
Security:       CVE-2026-45255
Reported by:    Austin Ralls
Reviewed by:    dteske, des
Differential Revision:  https://reviews.freebsd.org/D56974

route(8): Show metric value in get route

Reviewed by:    glebius
Differential Revision: https://reviews.freebsd.org/D56325

route(8): Show metric value in monitor route

Reviewed by:    glebius
Differential Revision: https://reviews.freebsd.org/D56326

route(8): Add metric argument

Add support for metric in route command.

Differential Revision: https://reviews.freebsd.org/D56335

pselect(2) might overflow if the desciptor number is above
FD_SETSIZE and silently corrupt the stack. Switch to ppoll(2) so
the receive socket fd is no longer constrained by FD_SETSIZE.

Reported by:    Joshua Rogers of AISLE Research Team
Reviewed by:    markj
MFC after:      7 days
Differential Revision:  https://reviews.freebsd.org/D56721

Also fix the corresponding tests.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263240
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D57010

Make sure the user is part of the audio group to avoid unintended
snooping of loopback audio by unprivileged users.

While here, retire voss_dsp_perm, since we don't use the same value
everywhere now.

Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Reviewed by:    emaste
Pull-Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/26

The loopback device allows us to record desktop sound by reading from
it, or even use it as an input device, for example during a call.

Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Reviewed by:    emaste
Pull-Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/16

Reviewed by:  christos
Fixes:          https://cgit.freebsd.org/src/commit/?id=70e27ecba518 (virtual_oss: Introduce virtual_oss_default_control_device rc variable)
Sponsored by:   The FreeBSD Foundation
Pull Request:   https://ron-dev.freebsd.org/FreeBSD/src/pulls/36

In send_[rw]rq(), we were using strlcpy() to avoid overflowing our
packet buffer, then failing to check the result and blithely advancing
our pointer by the full length.

Luckily, this code is only ever used by tftp(1), not tftpd(8).

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57075

The first argument is always the function name, for which we can simply
use __func__.  This leaves only the optional return value, so we can use
a single variadic macro instead of two nearly-identical copies.

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57076

nvlist_take_string_array(9) takes ownership of the array and its
strings. casper_ttymsg() freed neither, leaking memory on every
F_CONSOLE and F_TTY message. On long-running systems with high
error-rate syslog traffic routed to /dev/console, syslogd.casper grew
to hundreds of MB.

Use nvlist_get_string_array(9) to borrow the array instead. Update
casper_wallmsg() similarly.

Approved by:    src (des)
Closes:         https://github.com/freebsd/freebsd-src/pull/2222
Fixes:          https://cgit.freebsd.org/src/commit/?id=61a29eca550b ("syslogd: Log messages using libcasper")
MFC after:      3 days
MFC to:         stable/15
PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295488
Reported by:    Pat Maddox <pat@patmaddox.com>
Reviewed by:    markj
Tested by:      dch

When pxeboot gets a 0 as a port number from portmapper (indicating an
error), it currently happily sends NFS packets to the server's port 0
in an endless loop. Change this to instead bail out with a useful
message.

This happens, for example, with recent Linux NFS servers as many
distributions switched to TCP only NFS serving by default. FreeBSD's
pxeboot must have UDP. In this situation pxeboot asks the server's
portmapper for the UDP NFS port and since there is none gets 0.

Also add a hint to the manpage explaining this and how to fix it.

Reviewed by: ziaee, kevans, imp

If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.

Reported by:    Joshua Rogers of AISLE Research Team
Reviewed by:    markj
MFC after:      1 day
Differential Revision:  https://reviews.freebsd.org/D56991

nlist: Handle multiple symbol tables

* Instead of looking for and stopping at the first SHT_SYMTAB section,
  iterate over all SHT_DYNSYM and SHT_SYMTAB sections until we've either
  found all our symbols or run out.

* Perform bounds checks on section and string table offsets and sizes
  before attempting to mmap() the string table.

* Perform bounds checks on individual symbol table entries before
  attempting to access the corresponding strings.

* Stop treating _Foo and Foo as the same symbol.

This unbreaks OpenSSH which uses nlist(3) to verify PKCS#11 providers.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295336
MFC after:      1 week
Fixes:          https://cgit.freebsd.org/src/commit/?id=77909f597881 ("Initial elf nlist support [...]")
Fixes:          https://cgit.freebsd.org/src/commit/?id=644b4646c7ac ("OpenSSH: Update to 10.1p1")
Reviewed by:    kib, emaste
Differential Revision:  https://reviews.freebsd.org/D57034

nlist: Decrement nent on match

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295336
MFC after:      1 week
Fixes:          https://cgit.freebsd.org/src/commit/?id=4617a6cb82a6 ("nlist: Handle multiple symbol tables")

The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is >= FD_SETSIZE
(1024).

poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.

Approved by:    so
Security:       FreeBSD-SA-26:22.libcasper
Security:       CVE-2026-39461
Reported by:    Joshua Rogers
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D56695

On remount, we must accept all the same options as on initial mount.
For parameters which we're unable to modify on the fly, fail only if
the new value is different from the existing one.

PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295096
MFC after:      1 week
Reviewed by:    kib
Differential Revision:  https://reviews.freebsd.org/D57044

The fuse protocol requires server to respond to LISTXATTR with a
NUL-terminated string.  If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.

Approved by:    so
Security:       FreeBSD-SA-26:20.fusefs
Security:       CVE-2026-45252
admbugs:        1039
Reported by:    Joshua Rogers
Sponsored by:   ConnectWise

Reported by:  bz
Sponsored by:   The FreeBSD Foundation

Reviewed by:  bz
Fixes:          https://cgit.freebsd.org/src/commit/?id=c41d83548b6c ("LinuxKPI: pci.h add more defines and functions")
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D57066

sys: Use is_pci_device instead of direct comparisons to devclasses

Reviewed by:    bz
Sponsored by:   Chelsio Communications
Differential Revision:  https://reviews.freebsd.org/D56997

vnic: Add missing #include

Reported by:    bz, olivier
Fixes:          https://cgit.freebsd.org/src/commit/?id=6dc813301a17 ("sys: Use is_pci_device instead of direct comparisons to devclasses")
Sponsored by:   Chelsio Communications

arm64/iommu: Add a missing close parenthesis

Fixes:          https://cgit.freebsd.org/src/commit/?id=6dc813301a17 ("sys: Use is_pci_device instead of direct comparisons to devclasses")
Sponsored by:   Chelsio Communications

These calls are used for buddy pages at least in drm's ttm_pool, which
leads to a panic when we invoke lowmem handlers and drm tries to shrink
the pool.

Cope with numpages > 1 by traversing the contiguous pages and executing
the adjustment there, as well, as suggested by markj@.  Previous
versions have tried to use the corresponding `set_memory_*()` functions,
but it is believed that not updating `md.pat_mode` breaks subsequent
userspace mappings in ways that may result in things like screen tearing
or other artifacts when running i915kms.

This stabilized my amdgpu laptop running two VMs, chromium and a
concurrent buildworld.

Reviewed by:    bz, markj
Differential Revision:  https://reviews.freebsd.org/D57004

Sponsored by: The FreeBSD Foundation
MFC after:      1 week

The new KPI is only used in <asm/set_memory.h>, but it's provided in
linux_page.c.  The latter only includes the former indirectly by way of
<linux/io.h>, and that's only conditionally included outside of 32-bit
ARM there.

All of our archs have the necessary pmap_page_set_memattr(), so just
move the declaration into <linux/page.h> instead of trying to reason
about the usability of <asm/set_memory.h> directly in linux_page.c.

Reported by:    jenkins (via ivy)

Reviewed by:  kib (previous version), olce
Sponsored by:   Dell Inc.
Differential Revision:  https://reviews.freebsd.org/D56950

It was a placeholder for the access control for process-shared umtx
memory, which is not needed.

Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation
MFC after:      3 days
Differential revision:  https://reviews.freebsd.org/D57122

After commit 853cd8723494 it became invalid for kinst_invop() to return
0: dtrace_invop_start() would convert this to a sentinel value
indicating that it did not consume the breakpoint, and so we'd just
call kdb_trap() to handle it.

Change kinst_invop() to return NOP_INSTR after handling a matching
breakpoint.  NOP_INSTR is handled by advancing the ELR, so we have to
compensate by subtracting INSTR_SIZE before returning.

Reviewed by:    christos
MFC after:      1 week
Fixes:          https://cgit.freebsd.org/src/commit/?id=853cd8723494 ("arm64: Clean up usage of the dtrace invop handler")
Differential Revision:  https://reviews.freebsd.org/D56987

"ldr <reg>, <literal>" loads a value from a literal memory address into
a register.  It's PC-relative and so cannot be directly implemented
using the trampoline mechanism.  Unfortunately, on arm64 it can't easily
be emulated either since the return-to-EL1 handler does not restore
callee-saved registers, so like adr/adrp, we simply don't handle it.
These instructions are fairly rare in an arm64 kernel.

While here, refactor the code so that all instruction decoding is done
in one place: introduce an enum type which characterizes the instruction
type, add a helper to map instructions to enum values, and store the
corresponding enum value in the probe description.

Reviewed by:    christos
MFC after:      1 week
Differential Revision:  https://reviews.freebsd.org/D56988

Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.

Remove the PDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:    so
Security:       FreeBSD-SA-26:19.file
Security:       CVE-2026-45251
Reported by:    75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by:    kib, oshogbo
Fixes:          https://cgit.freebsd.org/src/commit/?id=cfb5f7686588 ("Add experimental support for process descriptors")
Differential Revision:  https://reviews.freebsd.org/D56887

Otherwise they may be left on a freed selinfo list after the
corresponding jaildesc struct is freed.  This can be exploited to
elevate privileges.

Remove the JDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:    so
Security:       FreeBSD-SA-26:19.file
Security:       CVE-2026-45251
Fixes:          https://cgit.freebsd.org/src/commit/?id=66d8ffe3046d ("jaildesc: add kevent support")
Reviewed by:    kib, jamie
Differential Revision:  https://reviews.freebsd.org/D56945

- Fix an off-by-one in the system call number check.  A value of
  SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
  syscall(2)/__syscall(2), since they pass the syscall number as an
  argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
  make sure that nargs > 0 to avoid an underflow when shifting arguments
  down.

Add regression tests.

Approved by:    so
Security:       FreeBSD-SA-26:21.ptrace
Security:       CVE-2026-45253
Fixes:          https://cgit.freebsd.org/src/commit/?id=140ceb5d956b ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by:    Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by:    kib, emaste
Differential Revision:  https://reviews.freebsd.org/D56978

It is not enough to check vp1 == vp2 to detect lock recursion, since
vnodes might share the locks.  This might happen for e.g. stacked
filesystems (nullfs and other), and for FFS snapshots.

Switch from checking vnode equiality to check v_vnlock equiality, and
recheck the condition after vnode relock since reclamation or otner
parallel operation might change the vnode locks under us.

Return a value (not really an error) indicating the case that vnodes
share the lock, to simplify the unlock in caller.

Reviewed by:    jah, markj
Tested by:      pho
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D57035

Reviewed by:  jah, markj
Tested by:      pho
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D57035

Reported by:  markj
Fixes:  https://cgit.freebsd.org/src/commit/?id=e9a5eb0e5e44 ("vop_read_pgcache_post(): report inotify IN_ACCESS same as for vop_read_post()")
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week

When updating the names of the sleep types in 95b4436e989d ("power:
Rename sleep types"), I forgot to update the lengths of the buffers they
went into.

Reported by:    mhorne
Fixes:  https://cgit.freebsd.org/src/commit/?id=95b4436e989d ("power: Rename sleep types")
Sponsored by:   The FreeBSD Foundation

kernel: Enable -fstack-protector-strong by default

This extends stack canary use to all functions which define arrays on
the stack, not just those which operate on byte buffers.  This option
would have made it harder to exploit SA-26:18.setcred and
SA-26:08.rpcsec_gss.

The change bloats the amd64 kernel text by about 350KB and increases the
number of covered functions from ~1500 to ~9000 (within the kernel
itself, i.e., not counting kernel modules).

Reviewed by:    olce, olivier, emaste
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D56870

vmm/arm64: Compile vmm_nvhe.c without SSP

This file implements a set of EL2 hypercall handlers and is used to
switch between guests and the host kernel when VHE is not in use.  There
is no SSP runtime available there.

Reported by:    Jenkins
Fixes:          https://cgit.freebsd.org/src/commit/?id=8deebce931fa ("kernel: Enable -fstack-protector-strong by default")

When using SW KTLS, we must account for the headers in sf_iodone()
in terms of either freeing or enqueuing them for TLS work.
Not doing so can lead to a situation where we enqueue only
the payload, and not the header, for encryption. Rather than
leaking the header, the socket is left "hung" with the header marked
M_NOTREADY.

Sponsored by: Netflix
Reviewed by: glebius, kib
Differential Revision: https://reviews.freebsd.org/D57134
MFC After: 14 days

When we no longer need a channel context and put it back on the
reserved list, zero it for all but the vif so that we get the same
state as if it was freshly allocated.

Sponsored by:   The FreeBSD Foundation
Fixes:          https://cgit.freebsd.org/src/commit/?id=e62c92c0a5cf, https://cgit.freebsd.org/src/commit/?id=88cb1e17f471
MFC after:      3 days

Add support for automatic suspend/resume as we know it for wireless.
The problem is that the PCI driver which would normally gets the code
is the LinuxKPI PCI framework/Linux wireless driver, which we cannot
ammend or generally add extra suspend/resume code to.
A further problem is that with growing support, the LinuxKPI 802.11
(mac80211) layer also is involved in suspend/resume for WoWLAN (not
yet supported) meaning that we need to hook the suspend/resume
framework into that as well.  Unlike Linux we do not have a general
suspend/resume "hook" we can hang into and we need to tie this one
to the hardware so cannot indepedently (after the driver one) run it.

The solution for FreeBSD, in order to not mangle the Linux native
drivers and get extra maintanace overhead, is to add a bus child
which inherits the general framework and thus is 2 lines + #includes
for each driver extra to add to.

The general suspend/resume framework lives in LinuxKPI (linuxkpi_80211_pm)
and imitates the normal suspend/resume path overloading it (there is
a slight code/logic duplication from the PCI code).
Given we are passed the LinuxKPI p(ci)dev, we can go and peel out the
net80211 ic from the native bsddev and that way get access to the
wireless stack.  We then call into LinuxKPI 802.11 in order to do
the suspend/resume dance there, and, if needed also call the
official suspend/resume routine from the device driver after
(reverse for resume).
If any in this fails, suspend will be blocked as we will return the
error (no different to any native driver could do).

The LinuxKPI 802.11 suspend/resume code has the initial code for
doing a WoWLAN suspend (one could change the sysctl) but other bits
like access to ifnet flags etc. has to be sorted out before we can
go and support that.
The default code path calles into net80211 to clear everything
like native wireless drivers do.  The one thing we need to do in
addition is to remove the vif devices from the firmware and restore
them prior to net80211 resume.
We also check for a possible HW SCAN to still be runinng on resume
and warn as that may cause problems though the scan should be stopped
before suspend (we may still get a callback).  You can easily see
these problems if you suspend/resume without stopping the wlan.

Enable the PM framework for iwlwifi in the module Makefile to
be able to use all this; others can follow as tested.

In case anyone has problems with this, they can change the sysctl
back to 0 until we can figure out any further problems.
The linuxkpi_wlan.4 man page got adjusted to document this.

Sponsored by:   The FreeBSD Foundation
Tested on:      Dell XPS 13 (AX200), Lenovo TP X270 (AX210)
MFC after:      3 days
PR:             https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263632

Technically, virtio_p9fs is an emulated device that masquerades
as a p9fs mount, but it does not make sense to have two separate manual
pages.

Reviewed by:    bnovkov, dfr
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D57013

Otherwise failures can occur when running tests in parallel since some
tests reuse jail names.

MFC after:      1 week

This allows `make universe` or `make tinderbox`
to build from a read-only src tree.

Reviewed by:    ziaee, imp, delphij
Approved by:    lwhsu (mentor), emaste (mentor)
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D55566

When doing a large `make universe` build with multiple KERNCONFS,
it should not be an error when a particular target has a missing
KERNCONF.

In this example,

```
$ make universe TARGETS='arm64 riscv' KERNCONFS='QEMU VIRT'
```

Currently, arm64 does not have a QEMU conf, and riscv
does not have a VIRT conf. However, this command should still
succeed instead of failing with the following message:

```
make[2]: /usr/src/Makefile:767: Target architecture for riscv/conf/VIRT unknown.  config(8) likely too old.
        in .for loop from /usr/src/Makefile:761 with kernel = VIRT
        in make[2] in directory "/usr/src"

make[2]: stopped making "universe_kernels" in /usr/src
```

Since the opposite is true, we should build whatever confs are available
from the requested list of KERNCONFS, while making sure to still
emit warnings along the way.

Reviewed by:    imp
Approved by:    lwhsu (mentor), emaste (mentor)
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D55571

This has been stable in my testing, and enabling parallelism speeds up
test runs considerably.  In particular, with -v parallelism=16 in a
16-vcpu bhyve VM my test runs go from ~50m to ~40m; the exact numbers
depend on the kernel config in use.

Reviewed by:    pouria
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D57094

Add tests to make sure:
* Default metric is enforced.
* Lowest metric wins.
* Deleting routes by specifying gateway/metric works.

Reviewed by:    markj
Differential Revision: https://reviews.freebsd.org/D57016

Since we are sleeping for an indefinite period of time waiting
for the default route to appear, the expire times may be gone
past 1+ seconds, causing the Expire column to show <1800 or <600.

Fixes:  https://cgit.freebsd.org/src/commit/?id=f6bcc0925f0ea838da5183dc503f847e56d15cc8

Reviewed by:    pouria
Approved by:    lwhsu (mentor)
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D56712

MAC/do: Add basic tests on setting rules

MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation

BSD.tests.dist: Add the new sys/mac/do directory

Without that, 'make distributeworld' fails ('make buildworld' and 'make
installworld' do not need it).

Fixes:          https://cgit.freebsd.org/src/commit/?id=cba191e291c1 ("MAC/do: Add basic tests on setting rules")
MFC after:      1 minute
Sponsored by:   The FreeBSD Foundation

Reviewed by:  kib
MFC after:      2 weeks
Differential Revision:  https://reviews.freebsd.org/D57149

Add ATF test cases covering fts_open() error conditions and
edge cases:

- invalid option bits (outside FTS_OPTIONMASK) yield EINVAL
- empty argv yields EINVAL
- empty path string yields FTS_NS with ENOENT
- nonexistent path yields FTS_NS, not open failure
- trailing slash does not crash (SVN r49851 regression)
- unreadable directory yields FTS_D then FTS_DNR, never FTS_DP
- multiple root paths are all visited left to right

Sponsored by: Google LLC (GSoC 2026)
Reviewed by:    asomers
MFC after:      1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2217

Add ATF test cases covering fts_children() behaviour:

- before fts_read returns root entry list
- empty directory returns NULL with errno 0
- non-empty directory returns all children in order
- called twice returns equivalent results
- FTS_NAMEONLY fills only fts_name, fts_info is FTS_NSOK
- non-directory node returns NULL with errno 0
- invalid options returns NULL with EINVAL

Sponsored by:   Google LLC (GSoC 2026)
Reviewed by:    asomers
MFC after:      1 week
Pull Request:   https://github.com/freebsd/freebsd-src/pull/2218

This adds a test case that passes a very long URL on the command line,
which would previously have resulted in a benign buffer overflow in
urihandling(), detectable only by compiling tftp with ASAN enabled.

MFC after:      1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57074

Since the test assumes a 250 ms response time, there is no need to delay
for 3 seconds. Instead, delay for the minimum possible 1 second.

Also, fix some assertions in builtins/read11.0 and builtins/read12.0. If
`set -e` is in effect, `foo` in `foo && bar` is considered tested and
therefore a failure does not cause the shell to exit.

Reviewed by:    bdrewery
Differential Revision:  https://reviews.freebsd.org/D55191

This is a "new" file, but is mostly copied from if_dtsec_fdt.c, so need to
retain the original license header in addition to the new one.

Reviewed by:    ziaee
Differential Revision:  https://reviews.freebsd.org/D57123

MFC after:    1 week
Reviewed by:    markj
Differential Revision:  https://reviews.freebsd.org/D57073

MFC after:    1 week
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D57168

ldns: Update to 1.8.4

Merge commit '3dcfa5af412125cd1bad1d383ff7c18c5effbd77'

MFC after:      1 week
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D57169

ldns: Update to 1.9.0

Merge commit '5eb18e8576462f5bb33fbd60fcbd752fe5791f33'

MFC after:      1 week
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D57170

ldns: Regenerate configuration after update

MFC after:      1 week
Fixes:          https://cgit.freebsd.org/src/commit/?id=d44c9549ef31 ("ldns: Update to 1.8.4")
Fixes:          https://cgit.freebsd.org/src/commit/?id=9ed998a81bab ("ldns: Update to 1.9.0")

ldns: Fix unused variable on big-endian

MFC after:      1 week
Fixes:          https://cgit.freebsd.org/src/commit/?id=9ed998a81bab ("ldns: Update to 1.9.0")

unbound: Tweak freebsd-configure script

Regenerating the configure script is optional and can introduce noise
if the installed versions of autoconf, automake, and libtool do not
match those used upstream.  Tweak our script slightly so it will skip
this step if libtoolize is not found.

unbound: Regenerate for 1.24.1

No functional changes intended.

Fixes:          https://cgit.freebsd.org/src/commit/?id=8b29c373e6ab ("unbound: Vendor import 1.24.1")

unbound: Update to 1.24.2

Merge commit 'ec5b94f552d7cb2a9d456c67e9941bcf5e3698bf'

This is purely cosmetic as we already had the functional changes.

MFC after:      1 week

Release notes at
        https://nlnetlabs.nl/news/2026/Apr/29/unbound-1.25.0-released/

Merge commit '4dd0a17edce60370304a45f2c40251e09e193bd6'

MFC after:      1 week

Release notes at
        https://nlnetlabs.nl/news/2026/May/20/unbound-1.25.1-released/

Merge commit '22e58f330a151944c24e010d23ec3881df6681b6'

Security:       CVE-2026-33278
Security:       CVE-2026-42944
Security:       CVE-2026-42959
Security:       CVE-2026-32792
Security:       CVE-2026-40622
Security:       CVE-2026-41292
Security:       CVE-2026-42534
Security:       CVE-2026-42923
Security:       CVE-2026-42960
Security:       CVE-2026-44390
Security:       CVE-2026-44608
MFC after:      1 week

asmc: fix asmc_key_dump() page fault on T2 MMIO backend

asmc_key_dump() used I/O port macros (ASMC_DATAPORT_WRITE/READ,
asmc_command()) unconditionally. On T2 Macs, sc_ioport is NULL
(MMIO backend is used instead), causing a page fault when
ASMC_DEBUG triggers asmc_dumpall() during attach.

Add an MMIO guard at the top of asmc_key_dump(): delegate to
asmc_key_dump_by_index() + asmc_key_read() for MMIO devices,
consistent with the rest of the T2 code paths.

Reviewed by:    adrian
Differential Revision:  https://reviews.freebsd.org/D56748

Revert "asmc: fix asmc_key_dump() page fault on T2 MMIO backend"

This reverts commit 3abc07947c14f5c30e5328d56a2da8dbf8412ebf.

I'm not sure how this built locally for me but obviously failed
in CI; I'll go figure that out with the submitter and come back.

This reverts commit 2fe37927d41990abe8d1c336e75fd75873285e90.

This turns out to have been misguided.  First, clearing the
hash results in all loopback ip/ip6 traffic being hashed
to the netisr queue associated with the if_index of the loopback
interface.  Eg, it bottlenecks loopback traffic. When the
hash is kept, traffic is spread evenly among netisrs.

Also, it is safe to keep the hash here.  The clearing was only
needed when RSS core selection is enabled; we only enabled the
consistent hashing parts of RSS globally, not the cpuid mapping
stuff.  So there is no need to clear it.

Reviewed by: glebius
Sponsored by: Netflix

import ldns 1.8.3

MFC after:      1 week
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D57169

Revert "import ldns 1.8.3"

Pre-push rebase bungled the metadata

This reverts commit 2bc6aa3c41d0dc330fefa6363a23d2cfa0253f73.

import ldns 1.9.0

MFC after:      1 week
Reviewed by:    emaste
Differential Revision:  https://reviews.freebsd.org/D57170

Revert "import ldns 1.9.0"

Pre-push rebase bungled the metadata

This reverts commit 597a090ff2ab868242e4ec1cdec7469edbe41c50.