r354777 cem Nov. 16, 2019, 4:39 p.m.
The full release notes can be found on Github:

  https://github.com/facebook/zstd/releases/tag/v1.4.4

Notable changes in this release include improved decompression speed (about
10%).  See the Github release notes for more details.

MFC after:	I'm not going to, but feel free
Relnotes:	yes
ViewVC
r354776 jhibbits Nov. 16, 2019, 4:36 p.m.
save_vec_int() for SPE saves off only the high word of the register, leaving
the low word as "garbage", but really containing whatever was in the kernel
register at the time.  This leaks into core dumps, and in a near future
commit also into ptrace.  Instead, save the GPR in the low word in
save_vec_nodrop(), which is used only for core dumps and ptrace.
ViewVC
r354775 jhibbits Nov. 16, 2019, 4:27 p.m.
Modern gcc errors that "'vec[0]' is used uninitialized in this function"
without us telling it that vec is clobbered.  Neither clang nor gcc 4.2.1
error on the existing construct.

Submitted by:	bdragon
ViewVC
r354774 tuexen Nov. 16, 2019, noon
congestion control module.

Submitted by:		Richard Scheffenegger
Reviewed by:		rgrimes@
Differential Revision:	https://reviews.freebsd.org/D19118
ViewVC
r354773 tuexen Nov. 16, 2019, 11:57 a.m.
The adjustments are inspired by the Linux stack, which has had a
functionally equivalent implementation for more than a decade now.

Submitted by:		Richard Scheffenegger
Reviewed by:		Cheng Cui
Differential Revision:	https://reviews.freebsd.org/D18982
ViewVC
r354772 tuexen Nov. 16, 2019, 11:37 a.m.
This patch addresses a very common case of frequent application stalls,
where TCP runs idle and looses the state of the network.

Submitted by:		Richard Scheffenegger
Reviewed by:		Cheng Cui
Differential Revision:	https://reviews.freebsd.org/D18954
ViewVC
r354771 tuexen Nov. 16, 2019, 11:10 a.m.
I used the wrong Differential Revision, so back it out and do it right
in a follow-up commit.
ViewVC
r354766 tsoome Nov. 16, 2019, 8:16 a.m.
r354765 mhorne Nov. 16, 2019, 1:25 a.m.
RISC-V inherited this code from arm64, so implement the fix from r354712.
See the revision for the full description.

Submitted by:	kevans (arm64 version)
ViewVC
r354759 scottl Nov. 16, 2019, 12:26 a.m.
This CVE has already been announced in FreeBSD SA-19:26.mcu.

Mitigation for TAA involves either turning off TSX or turning on the
VERW mitigation used for MDS. Some CPUs will also be self-mitigating
for TAA and require no software workaround.

Control knobs are:
machdep.mitigations.taa.enable:
        0 - no software mitigation is enabled
        1 - attempt to disable TSX
        2 - use the VERW mitigation
        3 - automatically select the mitigation based on processor
	    features.

machdep.mitigations.taa.state:
        inactive        - no mitigation is active/enabled
        TSX disable     - TSX is disabled in the bare metal CPU as well as
                        - any virtualized CPUs
        VERW            - VERW instruction clears CPU buffers
	not vulnerable	- The CPU has identified itself as not being
			  vulnerable

Nothing in the base FreeBSD system uses TSX.  However, the instructions
are straight-forward to add to custom applications and require no kernel
support, so the mitigation is provided for users with untrusted
applications and tenants.

Reviewed by:	emaste, imp, kib, scottph
Sponsored by:	Intel
Differential Revision:	22374
ViewVC
r354758 bz Nov. 16, 2019, 12:17 a.m.
Burn bridges and replace the last two calls of defrouter_select() with
defrouter_select_fib().  That allows us to retire defrouter_select()
and make it more clear in the calling code that it applies to all FIBs.

Sponsored by:	Netflix
ViewVC
r354757 bz Nov. 16, 2019, 12:02 a.m.
Pull in the TAILQ_HEAD() as it is not needed outside nd6_rtr.c.
Rename the TAILQ_HEAD() struct and the nd_defrouter variable from
"nd_" to "nd6_" as they are not part of the RFC 3542 API which uses "ND_".

Ideally I'd like to also rename the struct nd_defrouter {} to "nd6_*"
but given that is used externally there is more work to do.

No functional changes.

MFC after:	3 weeks
Sponsored by:	Netflix
ViewVC
r354756 scottl Nov. 15, 2019, 11:27 p.m.
knobs and indicators for code that mitigates functional and security issues
in the architecture/platform.  Controls for regular operational policy should
still go into places security, hw, kern, etc.

The machdep root node is inherently architecture dependent, but mitigations
tend to be architecture dependent as well.  Some cases like Spectre do cross
architectural boundaries, but the mitigation code for them tends to be
architecture dependent anyways, and multiple architectures won't be active
in the same image of the kernel.

Many mitigation knobs already exist in the system, and they will be moved
with compat naming in the future.  Going forward, mitigations should collect
in machdep.mitigations.

Reviewed by:	imp, brooks, rwatson, emaste, jhb
Sponsored by:	Intel
ViewVC
r354755 bz Nov. 15, 2019, 11:12 p.m.
Adjust the logic in htable_unlink_entry() to the one in
htable_link_entry() saving a block indent and making it more clear
in which case we do not do any work.

No functional change.

MFC after:	3 weeks
Sponsored by:	Netflix
ViewVC
r354754 jhb Nov. 15, 2019, 11:01 p.m.
Reviewed by:	emaste
Tested on:	amd64 (linux64 only), i386
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D22356
ViewVC