Ed Maste, the Director of Project Development for The FreeBSD Foundation, sent the following email in the freebsd-stable mailing list, regarding a new ZFS issue. It appears that it affects earlier versions of OpenZFS and it is not related to block cloning.
Dear FreeBSD community,
We want to bring your attention to a potential data corruption issue affecting multiple versions of OpenZFS. It was initially reported against OpenZFS 2.2.0 but also affects earlier and later versions.
This issue can be reproduced with targeted effort but it has not been observed frequently in real-world scenarios. This issue is not related to block cloning, although it is possible that enabling block cloning increases the probability of encountering the issue.
It is unclear if the issue is reproducible on the version of ZFS in FreeBSD 12.4.
A short term workaround is available for FreeBSD 14.0 and 13.2 by setting the vfs.zfs.dmu_offset_next_sync sysctl to 0:
The workaround may result in inaccurate reporting of file holes in sparse files, reintroducing OpenZFS issue 6958[1]. See the ZFS(4) man page for more information on this setting.
The workaround does not deterministically prevent the issue but does drastically reduce the likelihood of encountering it.
For more information, see OpenZFS issue 15526[2] and OpenZFS pull request 15571[3]. FreeBSD bug report PR 275308[4] is open to track the FreeBSD erratum update which will bring in the fix, after it is committed to OpenZFS. Please check the FreeBSD PR regularly if you are looking for details on the timeline of the FreeBSD erratum update.
We want to assure the FreeBSD community that we are actively monitoring the situation. Thank you for your understanding and continued support.
“On September 9, 1947, the team at Harvard University in Cambridge, Massachusetts, found that their computer, the Mark II, was delivering consistent errors. When they opened the computer’s hardware, they found … a moth.”
I forked the upstream repo under my name. I activated Actions, Workflows and gh-pages. So the greek version of the manual will be in: https://chrislongros.github.io/anki-manual/. I contacted Damien Elmes to add the link into the ankitects/anki-manual repository.
Block cloning bug in 2.2.0 results in data corruption and chunks replaced by zeros !!!
$ file /usr/lib/go/pkg/tool/linux_amd64/* | grep data /usr/lib/go/pkg/tool/linux_amd64/asm: data /usr/lib/go/pkg/tool/linux_amd64/cgo: data /usr/lib/go/pkg/tool/linux_amd64/compile: data /usr/lib/go/pkg/tool/linux_amd64/covdata: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=xHCzRQtrkEP-Bbxql0SF/zxsofCJFlBoPlUclgwBG/TrsgK6SKiY4q6TIhyBjU/UwcISvZgqfQaEf3Kr_Tq, not stripped /usr/lib/go/pkg/tool/linux_amd64/cover: data /usr/lib/go/pkg/tool/linux_amd64/link: data /usr/lib/go/pkg/tool/linux_amd64/vet: data
The release notes for FreeBSD 14.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 14-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
Introduction
This document contains the release notes for FreeBSD 14.0-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
The release distribution to which these release notes apply represents the latest point along the 14-STABLE development branch since 14-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
The release distribution to which these release notes apply represents a point along the 14-STABLE development branch between 13.2-RELEASE and the future 14.1-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with “late-breaking” information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 14.0-RELEASE can be found on the FreeBSD Web site.
This document describes the most user-visible new or changed features in FreeBSD since 13.2-RELEASE. In general, changes described here are unique to the 14-STABLE branch unless specifically marked as MERGED features.
Typical release note items document recent security advisories issued after 13.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Upgrading from Previous Releases of FreeBSD
Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity. Note that freebsd-update cannot be used to roll back to the previous release after updating to a new major version.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Note for systems that boot via EFI, using either binary or source upgrades: There are one or more copies of the boot loader on the MS-DOS EFI System Partition (ESP), used by the firmware to boot the kernel. If the root file system is ZFS, the boot loader must be able to support reading from the ZFS boot file system. After a system upgrade, but before doing a zpool upgrade, the boot loader on the ESP must be updated, or the system may become unbootable. While not mandatory, this update procedure should also be followed when using a UFS root file system. The location of the boot loader in use can be determined using the command efibootmgr -v. The value displayed for BootCurrent should be the number of the current boot configuration used to boot the system. The corresponding entry of the output should begin with a + sign, such as+Boot0000* FreeBSD HD(1,GPT,f859c46d-19ee-4e40-8975-3ad1ab00ac09,0x800,0x82000)/File(\EFI\freebsd\loader.efi) nda0p1:/EFI/freebsd/loader.efi (null)
The ESP may already be mounted on /boot/efi. Otherwise, the partition may be mounted manually, using the partition listed in the efibootmgr output (nda0p1 in this case): mount_msdosfs /dev/nda0p1 /boot/efi. See loader.efi(8) for another example.
The value in the File field in the efibootmgr -v output, \EFI\freebsd\loader.efi in this case, is the MS-DOS name for the boot loader in use on the ESP. If the mount point is /boot/efi, this file will translate to /boot/efi/efi/freebsd/loader.efi. (Case does not matter on MS-DOSFS file sytems; FreeBSD uses lower case.) Another common value for File would be \EFI\boot\bootXXX.efi, where XXX is x64 for amd64, aa64 for aarch64, or riscv64 for riscv64; this is the default bootstrap if none is configured. Both the configured and default boot loaders should be updated by copying from /boot/loader.efi to the correct path in /boot/efi.
Upgrading FreeBSD should only be attempted after backing up all data and configuration files.
Security and Errata
This section lists the various Security Advisories and Errata Notices since 13.2-RELEASE.
Security Advisories
Advisory
Date
Topic
No advisories.
Errata Notices
Errata
Date
Topic
No notices.
Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2
FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases.
For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default. It may be disabled using the WITHOUT_PIE knob. 9a227a2fd642 (Sponsored by Stormshield)
There is a new zfskeysrc(8) service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. The zfskeys startup script supports autoloading of keys stored on ZFS. See the rc.conf(5) manual page for more information. 33ff39796ffe, 8719e8a951b7, 97aeda224356 (Sponsored by Modirum and Klara Inc.)
The chroot facility supports unprivileged operation, and the chroot(8) program has a -n option to enable its use. a40cf4175c90 (Sponsored by EPSRC)
md5sum(1) and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the -r option if the program name ends in sum. 086feed850c3 (Sponsored by Netflix)
The use of FIDO/U2F hardware authenticators has been enabled in ssh, using the new public key types ecdsa-sk and ed25519-sk, along with corresponding certificate types. FIDO/U2F support is described in https://www.openssh.com/txt/release-8.2. e9a994639b2a (Sponsored by The FreeBSD Foundation)
The igc(4) driver for the Intel I225 Ethernet controller has been added, supporting 2.5 Gbps operation. 517904de5cca (Sponsored by Rubicon Communications, LLC (“Netgate”))
The mgb(4) network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. The driver has a number of caveats and limitations, but is functional. e0262ffbc6ae (Sponsored by The FreeBSD Foundation)
Two new daemons, rpc.tlsclntd(8) and rpc.tlsservd(8), are now built by default on amd64 and arm64. They provide support for NFS-over-TLS as described in the Internet Draft entitled “Towards Remote Procedure Call Encryption By Default”. These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. 2b9cbc85d72759f6f5e23c1a
nvme(4) error handling has been significantly improved.
The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. This makes the lowest address usable for a host. The old behavior can be restored with the net.inet.ip.broadcast_lowest sysctl. See https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/ for background information. fd0765933c3c
The growfs(7) startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. This is primarily useful when installing on an SD card using a raw image. A new rc.conf(5) variable has been added, growfs_swap_size, which can control the addition if necessary. See growfs(7) for details.
A new RC script, zpoolreguid has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets.
The hostid startup script will now generate a random (version 4) UUID if there is no /etc/hostid file and no valid UUID from hardware. Also, if there is no /etc/machine-id file, the hostid_save script will store a compact version of the hostid (one without hyphens) in /etc/machine-id. This file is used by libraries such as GLib. 62a149bf6219862aab6281a5baf1e9713969ecad3f5c4d92d6852eed98ed
It is now possible to add default routes for FIBs other than the primary by using the defaultrouter_fibN and ipv6_defaultrouter_fibNrc.conf(5) variables. 30659d1dcbcc (Sponsored by ScaleEngine Inc.)
The bhyve(8) utility has gained virtio-input device emulation support. This can be used to inject keyboard/mouse input events into a guest. The command line syntax is: -s <slot>,virtio-input,/dev/input/eventX. 054accac71e0
The kdump(1) utility has gained support for decoding Linux system calls.
An nproc(1) utility has been added, compatible with the Linux program of the same name.
The uuidgen(1) utility has a new option -r to generate a random UUID, version 4. f176fe8e7f63
The bhyve(8) hypervisor and kernel module vmm(4) now support more than 16 vCPUs in a guest. By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. This limit can be adjusted via the loader tunable hw.vmm.maxcpu. ee98f99d7a68
Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. To disable for a single invocation, use the proccontrol(1) command: proccontrol -m aslr -s disable command. To disable ASLR for all invocations of a binary, use the elfctl(1) command: elfctl -e +noaslr file. Problems should be reported via the problem reporting system, https://bugs.freebsd.org, or posting to the freebsd-stable@FreeBSD.org mailing list. b014e0f15bc7 (Sponsored by Stormshield)
LLVM’s AddressSanitizer can be used in amd64 kernels. See the kasan(9) manual page for more information. 38da497a4dfc (Sponsored by The FreeBSD Foundation)
A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. cde70e312c3f (Sponsored by The FreeBSD Foundation)
In order to facilitate ABI compatibility of stable branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. This will facilitate increases to the size of the kernel set, MAXCPU. 47a57144af25f35093f8d6d8 (Sponsored by Juniper Networks, Inc.)
It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. Background dumps are requested by using the -L flag to dump(8). (In previous releases UFS snapshots were incompatible with journaled soft updates.) 78f412987605 (Sponsored by The FreeBSD Foundation)
The kernel wg(4) WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. 744bfb213144 (Sponsored by Rubicon Communications, LLC (“Netgate”) and The FreeBSD Foundation)
KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. 05a1d0f5d7ac (Sponsored by Netflix)
Radix tables and lookups are now supported for MAC addresses in ipfw(4). This allows MAC address tables to be constructed and used for filtering. 81cac3906eb9
Changes new to 14.0-RELEASE
Userland
This section covers changes and additions to userland applications, contributed software, and system utilities.
Userland Configuration Changes
The default shell for the root user is now sh(1), which has many new features for interactive use. d410b585b6f0
The default mail transport agent (MTA) is now the Dragonfly Mail Agent (dma(8)) rather than sendmail(8). Configuration of the MTA is done via mailer.conf(5). sendmail(8) and its configuration remain available. a67b925ff3e5
The mta_start_script configuration variable has been retired from rc.conf(5), along with the othermta startup script. 616f32ea6da7
The one-time password facility OPIE, opie(4), has been removed from the base system. If you still wish to use it, install the security/opie port. Otherwise, make sure to remove or comment out any mention of pam_opie and pam_opieaccess from your PAM policies. etcupdate(8) will normally take care of this for the stock policies. 0aa2700123e2
The SHARED_TOOLCHAIN build configuration option has been removed. Building a statically-linked toolchain is still possible using the general NO_SHARED option. 77f6be448408 (Sponsored by The FreeBSD Foundation)
Locale handing has been upgraded to CLDR 41.0 and Unicode 14.0. e87ec409fa9b
The layout configuration has been added for the new French bépo keyboard (version 1.1rc2) normalized by French national organization for standardization as “NF Z71‐300”. abdcd967dc0c
An rc.d script (see rc(8)) is now allowed to have a status method even if it does not define procname or have a PID file. 2651609fcbd7
The bhyve(8) hypervisor now has optional TPM (Trusted Platform Module) passthrough support. This is not direct access, but commands from the guest are forwarded to the physical TPM. 67c26eb2a57c
GPU passthrough has been improved in bhyve(8) for AMD and Intel GPUs. This is a work in progress; passthrough does not work in all cases, and the configuration is not yet documented.
The cpuset(1) utility has been moved from /usr/bin to /bin so that it is always available during startup processing. /usr/bin/cpuset is now a symbolic link. f05948d4e98d
The date(1) utility now has a -z option for timezone conversion. 31edf56b1571
The diff(1) utility now supports a --color option for colorized output. f38702e5a52e
freebsd-update(8) now documents that files under /var/db/freebsd-update may be deleted if an upgrade is not in progress and rollback will not be required. 80b003e81684 (Sponsored by The FreeBSD Foundation)
A new fwget(8) utility inspects the system for peripherals that need firmware, and installs the appropriate packages for them. For now, only the PCI subsystem is supported, and only video firmware for Intel and AMD GPUs is known. d198b8774d2cd198b8774d2c (Sponsored by Beckhoff Automation GmbH & Co. KG)
The usability of head(1) and tail(1) has been improved by consistently supporting the -q and -h options, allowing numbers with SI suffixes, and removing the 2^31 limit on lines for head(1). 643ac419fafb
makefs(8) now has experimental ZFS support. It can create a ZFS pool, backed by a single disk vdev, containing one or more datasets populated from the staging directory. 240afd8c1fcc (Sponsored by The FreeBSD Foundation)
The mandoc(1) utility has a workaround for lack of macro processing in list -width handling, resulting in more accurate widths for list columns. bbb2d2ce4220 (Sponsored by Dell EMC Isilon)
The mixer(8) utility no longer tries to guess whether a volume is absolute or a percent. It now accepts a percentage with % appended, otherwise a volume is absolute. 4014365e4219
The netcat utility nc(1) can now be an if_tun (tun(4)) broker. cef7ab70ff44 (Sponsored by Zenarmor) (Sponsored by OPNsense) (Sponsored by Klara, Inc.)
The netstat(1) utility now computes correct column widths with the -i option, making the -w option unnecessary. 372e3d561d82
The portsnap(8) utility has been removed. Users are encouraged to fetch the ports tree by using pkg install git and then git clone https://git.FreeBSD.org/ports.git /usr/ports. df53ae0fdd98
The pw(8) and bsdinstall(8) programs now create home directories for users in /home by default rather than /usr/home. The default symbolic link for /home, referencing /usr/home, is no longer created. bbb2d2ce4220
The sleep(1) utility now accepts units other than seconds, and accepts multiple delay values that are summed (for example, 1h 30m). 34978f7edd15be038c3afcae
The systat(1) utility has a new command, iolat, which reports I/O latencies computed by the CAM I/O scheduler. 22054f88914b (Sponsored by Netflix)
A new utility, tcpsso(8), is able to apply a socket option to an existing TCP endpoint, for example changing the congestion control module or the TCP stack. 881631a2a371 (Sponsored by Netflix)
The PROFILE option is disabled by default, thus profiled versions of system libraries are not provided. Hardware-based profiling (e.g. hwpmc(4)) is preferred. fe52b7f60ef4 (Sponsored by The FreeBSD Foundation)
Compressed debug sections in binaries are enabled by default on little-endian targets. 47363e99d3d3 (Sponsored by The FreeBSD Foundation)
Configuration has been added to produce armv7 distribution sets, which can be useful in building jails on arm64. ac099daf6742
Contributed Software
One True Awk (awk(1)) has been updated to 20210727, which is 1st edition. (2nd edition will be included in 14.1-RELEASE.) All the FreeBSD patches but one have now been either up-streamed or discarded. Notable changes include: locale is no longer used for ranges; better compatibility with gawk and mawk. Note that hex strings are interpreted as numbers as in earlier FreeBSD versions. This will change in FreeBSD 15 to agree with upstream and current POSIX standards. f39dd6a9784423f24377b1a9628bd30ab5a4
The bc(1) and dc(1) commands have been updated to version 6.6.0, which fixes a problem with line editing and complex scripts with multiple read() commands, and adds some functions to bc’s (non-standard) extended math library.
The scp(1) utility now defaults to the SFTP protocol, rather than the legacy scp/rcp protocol. This removes the need for double-quoting wildcard expansion characters. fb5aabcb990b (Sponsored by The FreeBSD Foundation)
RSA/SHA-1 signatures are now disabled by default in ssh(1). It is possible to enable them on a per-host basis in a user’s ~/.ssh/config file. 8c22023ca5e1 (Sponsored by The FreeBSD Foundation)
The VerifyHostKeyDNS option for ssh(1) now defaults to no, following the OpenSSH distribution. The X11Forwarding option also defaults to no. 41ff5ea22cb977934b7a1301 (Sponsored by The FreeBSD Foundation)
HPN option handling has been removed from OpenSSH. HPN support was deprecated long ago, but the configuration options were still accepted (and ignored) for backwards compatibility. 348bea10b6f2 (Sponsored by The FreeBSD Foundation)
The VersionAddendum option has been removed from the ssh(1) client. bffe60ead024 (Sponsored by The FreeBSD Foundation)
OpenSSL has been upgraded to version 3.0.12. This is a major upgrade from version 1.1.1, which has reached its end of life. Many components of the base system use a backward-compatible API, but will be migrated later. aa7957345732930cec16d9eeb077aed33b7b (Sponsored by The FreeBSD Foundation)
The libncursesw library (see ncurses(3X)) has been split into libtinfow and libncursesw. Linker scripts should make this transparent for consumers. pkg-config(8) files are now installed, to ease ports detecting the ncurses setup from base. 396851c20aeb
The default search path for terminfo databases in ncurses(3X) now includes /usr/local/share/terminfo, facilitating the use of a database from ports or packages. b75fb12b6827
The prototype of qsort_r(3) has been modified to match POSIX, which adopted the glibc-based interface. af3c78886fd8
The COMPAT_LIB32 build option has been implemented for aarch64 (arm64) and is enabled by default. This provides armv7 32-bit-compatible libraries and header files for arm64 systems for building and running most armv7 32-bit binaries. f1d5183124d3d5d97bed4ab6a1b675731301
Cloud Support
This section covers changes in support for cloud environments.
FreeBSD now provides arm64 as well as amd64 images for Azure. Both UFS and experimental ZFS images are available. Gen2 VMs are now supported. (Sponsored by The FreeBSD Foundation) (Sponsored by Microsoft)
The Microsoft Azure Network Adapter (MANA) VF (virtual function) is now supported. ce110ea12fce (Sponsored by Microsoft)
The Google Virtual NIC (gve(4)) is now supported. 54dfc97b0bd9 (Sponsored by Google)
Kernel
This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.
General Kernel Changes
The SMP system now supports up to 1024 cores on amd64 and arm64. Many kernel CPU sets are now dynamically allocated to avoid consuming excessive memory. The kernel cpuset ABI has been updated to support the higher limit. 76887e84be97d1639e43c5899051987e40c5e0c6e8910898 (Sponsored by The FreeBSD Foundation)
The ACPI system now supports the _CR3 critical standby (S3) threshold. b8a0dfb17e3b
The acpi_timer_test is disabled by default, forcing the use of ACPI-fast rather than ACPI-safe, and speeding the boot process. The broken-ACPI-timers workaround can be re-enabled by setting the hw.acpi.timer_test_enabled=1 tunable. If timekeeping issues are observed, please test with hw.acpi.timer_test_enabled=1 in loader.conf(8) and report if that fixes the problem. a8b89dff6ac0
FreeBSD now reboots faster. The kern.reboot_wait_time sysctl has been added to control the delay before rebooting after printing all kernel messages on the console. It defaults to 0. Setting it to 1 restores the previous behavior (1 second delay). 84ec7df0d796 (Sponsored by https://www.patreon.com/cperciva)
A new DTrace provider, kinst, has been added; see dtrace_kinst(4). The provider allows kernel instructions to be traced, similar to the FBT (function boundary tracing) provider except that all instructions may be probed instead of just logical entry and return instructions. f0bc4ed144fc (Sponsored by Google, Inc. via GSoC 2022)
kinst was ported to arm64 and riscv. 07864a8a24662d7bb03adb43 (Sponsored by The FreeBSD Foundation)
LLVM’s MemorySanitizer can now be used in amd64 kernels. See the kmsan(9) manual page for more information. a422084abbda (Sponsored by The FreeBSD Foundation)
LLVM’s AddressSanitizer can now be used in arm64 kernels as well as amd64. See the kasan(9) manual page for more information. 89c52f9d59fa (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
Support for asymmetric cryptographic operations has been removed from the kernel open cryptographic framework (OCF), as they are not used by modern OpenSSL versions. 76681661be28
A native timerfd(2) facility has been added to facilitate porting Linux programs that use timerfd. Previously, timerfd was only available under Linux emulation. For programs written only for FreeBSD, the kqueue(2) EVFILT_TIMER filter is preferred for establishing arbitrary timers. af93fea71038
The process visibility policy controlled by the security.bsd.see_jail_procsysctl(8) knob was hardened by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. It was also made overridable by MAC policies, as are the other process visibility policies. 7e21c691f29563c01c18a8d3 (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)
The process visibility policy controlled by the security.bsd.see_other_gidssysctl(8) knob was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process’ groups. The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit, whereas they should not see processes launched by a privileged user that temporarily enters the user’s primary group. This new behavior is consistent with what security.bsd.see_other_uids has always been doing for user IDs (i.e., considering some process’ real user ID and not the effective ID). 26ff4836c888 (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation)
The Zenbleed bug affecting AMD Zen2 processors is now automatically mitigated (via chicken bit), preventing misbehavior and data leaks on affected machines. If needed, applying the mitigation can be manually controlled via the machdep.mitigations.zenbleed.enablesysctl(8) knob. Please consult the new mitigations(7) manual page for more information. aea76bab1416 (Sponsored by The FreeBSD Foundation)
Devices and Drivers
This section covers changes and additions to devices and device drivers since 13.2-RELEASE.
Device Drivers
The default speed for serial communication in boot loaders, kernel, and userland is now 115200 bps. Note that the early x86 BIOS bootloader (i.e., boot0sio) does not support rates above 9600 bps and is not changed. boot0sio users may set BOOT_COMCONSOLE_SPEED=9600 to use 9600 for all of the boot components, or use the standard boot0 and have the boot2 stage start with the serial port at 115200. 4722ceb7d53e (Sponsored by The FreeBSD Foundation)
The default bell tone is now 800Hz. It can be set with kbdcontrol(1) again. There is integration with devd(8) for people wishing to use their sound cards for the beep. ba48d52ca6c84ac3d08a96932533eca1c2b9 (Sponsored by Netflix)
When using the default vt(4) console, the audible bell is no longer enabled by default. It can be enabled with these commands: sysctl kern.vt.enable_bell=1 and kbdcontrol -b normal. 225639e7db68
Improvements have been made in DPAA2 (second generation Data Path Acceleration Architecture — a hardware-level networking architecture found in some NXP SoCs). It runs NXP-supplied firmware which provides DPAA2 objects as an abstraction layer, and provides a dpni network interface. Separation between DPAA2 channels has been improved significantly in order to isolate access to the DMA resources and cleanup operations, and avoid kernel panics under heavy network load (1 Gbit/s links). Other improvements include FDT/ACPI MDIO support, netboot over DPAA2 and separate command portals (DPMCP) support.
Support for the Arm Corelink DMC-620 Memory Controller, and the CMN-600 Coherent Mesh Network Controller, have been added to hwpmc(4) and libpmc. See pmc.dmc-620(3) and pmc.cmn-600(3). 1459a22787ea59191f3573f6 (Sponsored by ARM) (Sponsored by Ampere Computing)
A fix has been implemented for frame buffer addressing that affects frame buffers mapped above 4 GB physical on i386 and Book-E powerpc. a78bb831a17f
The iwlwifi(4) driver for Intel wireless interfaces has been updated to the latest version, supporting chipsets up to WiFi 6E AX411/AX211/AX210, and with preparations for upcoming BX and SC chipsets. (Sponsored by The FreeBSD Foundation)
The rtw88(4) driver for Realtek wireless PCI interfaces has been updated.
A kvm_clock driver has been added for the KVM paravirtualized clock. 6c69c6bb4c7f (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
There have been stability fixes and enhancements to the KPI to support Linux device drivers, along with the net80211 layer for wireless drivers. (Sponsored by The FreeBSD Foundation)
NVMe disks are now nda devices by default, for example nda0; see nda(4). Symbolic links for the previous nvd(4) device names are created in /dev. However, configuration such as fstab(5) should be updated to refer to the new device names. Options to control the use of nda devices and symbolic links are described in nda(4). bdc81eeda05d (Sponsored by Netflix)
The previous qat(4) driver has been replaced with Intel’s QAT driver. The new version provides additional interfaces to the chipset’s cryptographic and compression offload functionality. This will have no visible change for most users; however, the new driver does not support Atom C2000 chipsets. To preserve support for those chipsets, the old driver has been renamed to qat_c2xxx. Users of qat(4) on C2000 hardware will thus need to ensure that qat_c2xxx(4) is loaded instead of qat(4). 78ee8d1c4cdaf4f56ff43dbd (Sponsored by Intel Corporation)
Deprecated and Removed Drivers
The pms(4) driver, pmspcv, has been removed from the GENERIC kernel configurations for x86, as it was large and uncommonly used. It can be loaded as a module by placing pmspcv_load="YES" in loader.conf(5). 95e4f5ef7cce (Sponsored by Rubicon Communications, LLC (“Netgate”))
The VESA option has been removed from the x86 GENERIC and MINIMAL kernel configurations. It is still available as a kernel module. VESA is not used by the default console, vt(4). 777526ed8382b8cf1c5c30a5 (Sponsored by The FreeBSD Foundation)
The AHB bus front end has been removed from ath(4), as it was used only by MIPS. 37c8ee8847fa
The deprecated amr(4) driver has been removed. 60de2867c9fc (Sponsored by Netflix)
The obsolete iscsi_initiator(4) has been removed. Its replacement, iscsi(4), was introduced several major releases ago. 48cb3fee2586 (Sponsored by The FreeBSD Foundation)
The deprecated iir(4) driver has been removed. 399188a2c60c (Sponsored by Netflix)
The deprecated mn(4) sync serial driver has been removed. 0cff00ae682a (Sponsored by The FreeBSD Foundation)
The deprecated mly(4) driver has been removed. a9620045a5b9 (Sponsored by Netflix)
The deprecated nlmrsa(4) driver has been removed. 6a06b00a0d1f (Sponsored by Chelsio Communications)
The deprecated twa(4) driver has been removed. 8722e05ae149 (Sponsored by Netflix)
Storage
This section covers changes and additions to file systems and other storage subsystems, both local and networked.
General Storage
gconcat(8) and its kernel support now have the ability to append devices to the concatenated device that were not present when the gconcat device was created. d575e81fbcfa
A new gunion(8) utility tracks changes to a read-only disk on a writable disk. This can be useful for making tentative changes to the disk, such as file system repairs or software upgrades, and then either committing or reverting them. c7996ddf8000 (Sponsored by Netflix)
In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under vfs.vnode for greater visibility. d3e647891243
NFS Changes
NFS now supports running an NFS server in a VNET jail, including nfsd(8), nfsuserd(8), mountd(8), gssd(8), and rpc.tlsservd(8). The VNET jail must be on its own file system, have the allow.nfsd jail parameter set, and enforce_statfs cannot be set to 0. Use of UDP and pNFS server configurations is not permitted. 7344856e3a6d and many others
For NFSv4 mounts, the NFS client now uses the highest minor version of NFSv4 supported by the NFS server by default instead of minor version 0. The minorversion mount option may be used to override this default. a145cf3f73c7
The FreeBSD NFS client can now be set to use a 1 Mbyte I/O size via the vfs.maxbcachebuf tunable; the Linux NFS client can also do 1 Mbyte I/O. The value of kern.ipc.maxsockbuf will need to be increased to do this. A console message will suggest a setting for it. Note that the maximum I/O size for the FreeBSD NFS server can be increased to any power of 2 up to 1 Mbyte using the sysctl vfs.nfsd.srvmaxio while nfsd(8) is not running. ee29e6f31111
The NFSv4.1/4.2 client and server will now generate console messages if sessions are broken, suggesting that users check to ensure that the values in /etc/hostid strings are unique for all NFSv4.1/4.2 clients. b875d4f5ddcb0685c73cfe88
NFSv4.1/4.2 mounts with the intr mount option are now fairly usable, although not 100% correct, so long as the nolockd mount option is used as well. See the mount_nfs(8) manual page for more information. 981ef32230b233721eb991d8
A new syskrb5 mount option is availble for Kerberized NFSv4.1/4.2 mounts. A feature of NFSv4.1/4.2 is used to provide AUTH_SYS authentication, and thus no Kerberos credential is required at mount time. See mount_nfs(8). 896516e54a8c
Support for SP4_MACH_CRED has been added in NFS mount protocol in the NFS server. That facility is used by the Linux NFSv4.1/4.2 client for Kerberized mounts. It was handled by a fallback in the past, but is now supported directly. 330aa8acdec7ff2f1f691cdb
UFS Changes
It is now possible to perform background file system checks using a snapshot on UFS file systems running with journaled soft updates. (Sponsored by The FreeBSD Foundation)
Superblocks, cylinder group maps, and inodes have had check hashes added to detect corruption. Far more extensive checks are made of the superblock (120) and cylinder groups (20) than just the magic number check done previously. (Sponsored by The FreeBSD Foundation)
The libufs(3) library has been updated to include these checks so that they are now done by all the filesystem utilities. The checks are implemented in one kernel file that is also included by libufs. Another change to libufs is that the code to find alternate superblocks has been moved from fsck_ffs(8) into the shared file so it is now available in the kernel loader as well as all the filesystem utilities. (Sponsored by The FreeBSD Foundation)
ZFS Changes
OpenZFS has been upgraded to version 2.2. New features include:
block cloning, which allows shallow copies of blocks in file copies. This is optional, and disabled by default; it can be enabled with sysctl vfs.zfs.bclone_enabled=1.
scrub error log (zpool scrub -e)
BLAKE3 checksums, which are fast, and are now the recommended secure checksums
corrective zfs receive can heal corrupted data
vdev and zpool user properties, similar to dataset user properties.
Performance improvements include:
fully adaptive ARC, a unified ARC that minimizes the need for manual tuning
zstd early abort, improving efficiency with uncompressible data
I/O prefetch improvements
general optimization.
ZFS has been enabled on 32-bit powerpc/powerpcspe. 63715498ac6b
Other Storage Changes
The msdosfs(5) file system now records available directory entries in the root directory of FAT12 and FAT16 file systems (e.g. EFI boot partitions) and reports them as inodes. c33db74b5323
The msdosfs(5) file system now correctly calculates the available and used blocks of FAT12 and FAT16 file systems, and no longer rejects mounting file systems created using valid but uncommon parameters. 0728695c63e
The synthetic file systems (devfs(5), procfs(5), etc.) now report 0 blocks used so that they are not reported as 100% full. 88a795e80c03
The tarfs(5) file system has been added, which is backed by POSIX tar archives optionally compressed with zstd(1). 69d94f4c7608 (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.)
Boot Changes
This section covers the boot loader, boot menu, and other boot-related changes.
Boot Loader Changes
The lua-flavored loader(8) will now interpret .lua files that appear in loader_conf_files as lua, and execute them in a sandbox. Existing loader environment variables are available as globals in the sandbox, and any global variable set, if not a table value, will be reflected in the loader environment upon successful execution of the configuration file. Environment variables with names that aren’t valid lua names may be accessed as indices of _ENV; e.g., _ENV['net.fibs']. 3cb2f5f369ec
This section describes changes that affect networking in FreeBSD.
General Network
carp(4) now supports configuration of the address to which carp messages are sent, allowing the use of unicast addresses. This is useful in certain virtual configurations. See carp(4) and ifconfig(8). 137818006de5
Layer 3 filtering on if_bridge(4) will do surprising things which aren’t fail-safe, so net.link.bridge.pfil_member and net.link.bridge.pfil_bridge now default to zero. 22893e584032
netlink(4) is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. It has been expanded, improved, and enabled by default. A number of network configuration utilities have been converted to use netlink. 3091d980f581
The deprecated NgATM (netgraph ATM support) and remaining ATM support have been removed.
The pf(4) packet filter now supports scrubbing with OpenBSD syntax and behavior. If there are no FreeBSD scrub rules, a global flag set reassemble yes | no [no-df] determines whether packet reassembly is done. Scrubbing, like setting tos, ttl, etc, can be done in match and pass rules, which also makes it stateful. Match rules are now fully supported, as on OpenBSD, not only for dummynet(4) queues. 39282ef356db (Sponsored by InnoGames GmbH)
pfsync(4) can now use IPv6 transport. 6fc7fc2dbb2b (Sponsored by InnoGames GmbH) (Sponsored by The FreeBSD Foundation)
The pfsync(4) packet format has been extended to improve support for queuing, scrubbing and route-to rules. This format is incompatible with older releases. The old format can be selected using ifconfig pfsync0 version 1301. This is especially important if members of a pfsync cluster are not upgraded simultaneously.
The 6to4 interface for IPv6 over IPv4, if_stf(4), now supports IPv6 Rapid Deployment (6rd) (RFC5969). 19dc64451179 (Sponsored by Rubicon Communications, LLC (“Netgate”))
The handling of IPv6 nodeinfo (RFC 4620) has been disabled by default. b73183d1a243 (Sponsored by The FreeBSD Foundation)
The sysctl(8) option net.inet.tcp.nolocaltimewait is now enabled by default. This prevents creation of timewait entries for TCP connections that were terminated locally. 92b3e07229ba
The default congestion control mechanism for TCP is now CUBIC. For long duration data transfers, CUBIC allocates a slightly higher fraction of the available bandwidth, when competing against NewReno. bb1d472d79f7 (Sponsored by NetApp, Inc.)
IPv4 was changed not to broadcast the lowest address on a subnet (host 0) unless it is configured as the broadcast address. This allows the lowest address on a subnet to be used for a host. fd0765933c3c
Hardware Support
This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document.
The project no longer provides armv6 artifacts with 14.0-RELEASE.
Support for the MIPS architecture, and related hardware, has been removed. MIPS will remain supported on the 13-STABLE branch for the duration of its lifetime.
Support for the software floating point variant of the RISC-V architecture, riscv64sf, has been retired. All available hardware is supported by the regular riscv64 architecture.
Virtualization Support
Documentation
This section covers changes to manual (man(1)) pages and other documentation shipped with the base system.
Man Pages
Many tweaks and clean-ups have been made to improve the accuracy of the hier(7) page.
Many of the pages in section 9, kernel documentation, have been reviewed and updated for accuracy.
The introduction to the kernel documentation manual pages, intro(9), has been completely rewritten. 84f9f2c5cf78 (Sponsored by The FreeBSD Foundation)
The mi_switch(9) page has been rewritten and improved. 175db7b58270 (Sponsored by The FreeBSD Foundation)
This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools.
Packaging Changes
General Notes Regarding Future FreeBSD Releases
FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries.
We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release.
Support for executing 32-bit binaries on 64-bit platforms via the COMPAT_FREEBSD32 option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via cc -m32 will also continue for at least the stable/15 branch, which includes suitable headers in /usr/include and libraries in /usr/lib32.
Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms.
The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms.
With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD 14.0-RELEASE. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of 14.0-RELEASE in November 2023, support for deprecated 32-bit platforms will end in November 2028.
The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD 14.0-RELEASE and following releases, or the stable/14 branch, to migrate off 32-bit platforms.
/root 