authorDan McDonald <danmcd@mnx.io>2022-10-14 14:24:51 -0400
committerDan McDonald <danmcd@mnx.io>2022-10-14 14:24:51 -0400
commitf1e5b922ed8766e68b9264a57a94dd9a28cddd69 (patch)
treebaf3cb572d2f85a6f5da8d5b14e6ba80ead1c872
parent3f653c6a7986f96d0481d47988b138c6c75aeaff (diff)
parent5e1bbccc35c7d7d0b6abd200b510d8d5b99ae31c (diff)
[illumos-gate merge]
commit 5e1bbccc35c7d7d0b6abd200b510d8d5b99ae31c 15064 vmm: unused variable 'iommu_initted' commit d9be5d44a919e9dbfe9d1e3e7a5557d9208b1de7 15050 SMB server mishandles some SIDs commit 5cfb18f0d1f59686e64a1bf142efa2bf653d86a0 15032 SMB: Can't create a file with a NULL DACL commit 34b17f87fc4c121059d3ab4102a276cbe7ed609a 15059 Update AMD microcode to 20220930 commit fab57d1b740f6df905ebda23c9345ef88a7a046a 15027 The ls command should show SIDs instead of ephemeral IDs commit 3cdfcc971afcfbc67664057ef3e59e02fb78871d 15063 vmm: cast to smaller integer type 'boolean_t' from 'void *' commit 13a19b244f4bf70feb407e14979f084b7cb47270 15077 ficl: make sure the loader emulator does set console
-rw-r--r--exception_lists/check_rtime2
-rw-r--r--usr/src/cmd/ls/ls.c129
-rw-r--r--usr/src/common/ficl/emu/loader_emu.c1
-rw-r--r--usr/src/common/smbsrv/smb_sid.c77
-rw-r--r--usr/src/data/ucode/amd/A010-00bin5568 -> 5568 bytes
-rw-r--r--usr/src/data/ucode/amd/A011-00bin5568 -> 5568 bytes
-rw-r--r--usr/src/data/ucode/amd/A012-00bin5568 -> 5568 bytes
-rw-r--r--usr/src/data/ucode/amd/THIRDPARTYLICENSE2
-rw-r--r--usr/src/lib/libsec/common/acltext.c49
-rw-r--r--usr/src/lib/libsec/common/aclutils.h3
-rw-r--r--usr/src/lib/libsec/common/mapfile-vers3
-rw-r--r--usr/src/man/man1/ls.115
-rw-r--r--usr/src/pkg/manifests/system-microcode-amd.p5m2
-rw-r--r--usr/src/pkg/manifests/system-test-smbsrvtest.p5m5
-rw-r--r--usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh4
-rw-r--r--usr/src/test/smbsrv-tests/tests/smb_sid/Makefile66
-rw-r--r--usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c104
-rw-r--r--usr/src/uts/common/fs/smbsrv/smb_sd.c7
-rw-r--r--usr/src/uts/intel/io/vmm/io/iommu.c4
19 files changed, 408 insertions, 65 deletions
diff --git a/exception_lists/check_rtime b/exception_lists/check_rtime
index ad7d80eae1..2d8fa710e8 100644
--- a/exception_lists/check_rtime
+++ b/exception_lists/check_rtime
@@ -28,6 +28,7 @@
# Copyright 2018 Joyent, Inc.
# Copyright 2020 Oxide Computer Company
# Copyright 2022 Garrett D'Amore <garrett@damore.org>
+# Copyright 2022 Tintri by DDN, Inc. All rights reserved.
#
# This file provides exceptions to the usual rules applied to ELF objects by
@@ -233,6 +234,7 @@ FORBIDDEN_DEP usr/lib/netsvc/yp/ypxfrd # C++
# libfakekernel is a test environment, not intended for general use
FORBIDDEN libfakekernel\.so
+FORBIDDEN_DEP opt/smbsrv-tests/tests/smb_sid/large_sids_kern
FORBIDDEN_DEP usr/MACH(lib)/libzpool.so.1
FORBIDDEN_DEP usr/bin/ztest
FORBIDDEN_DEP usr/bin/raidz_test
diff --git a/usr/src/cmd/ls/ls.c b/usr/src/cmd/ls/ls.c
index 0479e6a46c..bdcf162522 100644
--- a/usr/src/cmd/ls/ls.c
+++ b/usr/src/cmd/ls/ls.c
@@ -23,6 +23,7 @@
* Copyright (c) 1988, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, Joyent, Inc. All rights reserved.
* Copyright 2015 Gary Mills
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright 2020 Peter Tribble
*/
@@ -233,6 +234,8 @@ static struct lbuf **flist; /* ptr to list of lbuf pointers */
static struct lbuf *gstat(char *, int, struct ditem *);
static char *getname(uid_t);
static char *getgroup(gid_t);
+static char *getusid(uid_t);
+static char *getgsid(gid_t);
static char *makename(char *, char *);
static void pentry(struct lbuf *);
static void column(void);
@@ -1279,20 +1282,36 @@ pentry(struct lbuf *ap)
(void) putchar(p->acl);
curcol++;
+ /*
+ * When handling owner/group options (-o -g) note -n:
+ * With no -n options, getname/getroup converts any
+ * ephemeral IDs to a winname (if possible) or a SID.
+ * With just one -n option, convert ephemeral IDs to SIDs
+ * With two or more -n options, show the ephemeral ID
+ * (which is a lot less helpful than the SID).
+ */
curcol += printf("%3lu ", (ulong_t)p->lnl);
if (oflg) {
- if (!nflg) {
+ if (nflg == 0) {
cp = getname(p->luid);
curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->luid > MAXUID) {
+ cp = getusid(p->luid);
+ curcol += printf("%-8s ", cp);
+ } else {
curcol += printf("%-8lu ", (ulong_t)p->luid);
+ }
}
if (gflg) {
- if (!nflg) {
+ if (nflg == 0) {
cp = getgroup(p->lgid);
curcol += printf("%-8s ", cp);
- } else
+ } else if (nflg == 1 && p->lgid > MAXUID) {
+ cp = getgsid(p->lgid);
+ curcol += printf("%-8s ", cp);
+ } else {
curcol += printf("%-8lu ", (ulong_t)p->lgid);
+ }
}
if (p->ltype == 'b' || p->ltype == 'c') {
curcol += printf("%3u, %2u",
@@ -1427,7 +1446,16 @@ pentry(struct lbuf *ap)
if (vflg) {
new_line();
if (p->aclp) {
- acl_printacl(p->aclp, num_cols, Vflg);
+ int pa_flags = 0;
+
+ if (Vflg)
+ pa_flags |= ACL_COMPACT_FMT;
+ if (nflg)
+ pa_flags |= ACL_NORESOLVE;
+ if (nflg < 2)
+ pa_flags |= ACL_SID_FMT;
+
+ acl_printacl2(p->aclp, num_cols, pa_flags);
}
}
/* Free extended system attribute lists */
@@ -2162,25 +2190,18 @@ makename(char *dir, char *file)
return (dfile);
}
-
-#include <pwd.h>
-#include <grp.h>
-#include <utmpx.h>
-
-struct utmpx utmp;
-
-#define NMAX (sizeof (utmp.ut_name))
-#define SCPYN(a, b) (void) strncpy(a, b, NMAX)
-
+#define NMAX 256 /* The maximum size of a SID in string format */
+#define SCPYN(a, b) (void) strlcpy(a, b, NMAX)
struct cachenode { /* this struct must be zeroed before using */
struct cachenode *lesschild; /* subtree whose entries < val */
struct cachenode *grtrchild; /* subtree whose entries > val */
long val; /* the uid or gid of this entry */
int initted; /* name has been filled in */
- char name[NMAX+1]; /* the string that val maps to */
+ char name[NMAX]; /* the string that val maps to */
};
static struct cachenode *names, *groups;
+static struct cachenode *user_sids, *group_sids;
static struct cachenode *
findincache(struct cachenode **head, long val)
@@ -2215,19 +2236,28 @@ findincache(struct cachenode **head, long val)
/*
* get name from cache, or passwd file for a given uid;
* lastuid is set to uid.
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to either a
+ * name or a sid.
*/
static char *
getname(uid_t uid)
{
struct passwd *pwent;
struct cachenode *c;
+ char *sid;
if ((uid == lastuid) && lastuname)
return (lastuname);
c = findincache(&names, uid);
if (c->initted == 0) {
- if ((pwent = getpwuid(uid)) != NULL) {
+ sid = NULL;
+ if (uid > MAXUID &&
+ sid_string_by_id(uid, B_TRUE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((pwent = getpwuid(uid)) != NULL) {
SCPYN(&c->name[0], pwent->pw_name);
} else {
(void) sprintf(&c->name[0], "%-8u", (int)uid);
@@ -2242,19 +2272,28 @@ getname(uid_t uid)
/*
* get name from cache, or group file for a given gid;
* lastgid is set to gid.
+ *
+ * If an ephemeral GID (> MAXUID) try to convert to either a
+ * name or a sid.
*/
static char *
getgroup(gid_t gid)
{
struct group *grent;
struct cachenode *c;
+ char *sid;
if ((gid == lastgid) && lastgname)
return (lastgname);
c = findincache(&groups, gid);
if (c->initted == 0) {
- if ((grent = getgrgid(gid)) != NULL) {
+ sid = NULL;
+ if (gid > MAXUID &&
+ sid_string_by_id(gid, B_FALSE, &sid, 0) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else if ((grent = getgrgid(gid)) != NULL) {
SCPYN(&c->name[0], grent->gr_name);
} else {
(void) sprintf(&c->name[0], "%-8u", (int)gid);
@@ -2266,6 +2305,60 @@ getgroup(gid_t gid)
return (lastgname);
}
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) uid;
+ *
+ * Always an ephemeral UID (> MAXUID) here.
+ * Just convert to a SID (no winname lookup)
+ */
+static char *
+getusid(uid_t uid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&user_sids, uid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(uid, B_TRUE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)uid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
+/*
+ * get SID from cache, or from idmap for a given (ephemeral) gid;
+ *
+ * If an ephemeral UID (> MAXUID) try to convert to a SID
+ * (no winname lookup here)
+ */
+static char *
+getgsid(gid_t gid)
+{
+ struct cachenode *c;
+ char *sid;
+
+ c = findincache(&group_sids, gid);
+ if (c->initted == 0) {
+ sid = NULL;
+ if (sid_string_by_id(gid, B_FALSE, &sid, ACL_NORESOLVE) == 0) {
+ SCPYN(&c->name[0], sid);
+ free(sid);
+ } else {
+ (void) sprintf(&c->name[0], "%-8u", (int)gid);
+ }
+ c->initted = 1;
+ }
+
+ return (&c->name[0]);
+}
+
/* return >0 if item pointed by pp2 should appear first */
static int
compar(struct lbuf **pp1, struct lbuf **pp2)
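Review bot: `getusid()` and `getgsid()` pass the flag constant `ACL_NORESOLVE` as the fourth argument of `sid_string_by_id()`, but the prototype this commit adds to aclutils.h declares that parameter as `boolean_t noresolve`. It presumably works only because the constant is non-zero; `sid_string_by_id(uid, B_TRUE, &sid, B_TRUE)` states the intent and matches the plain `0` used in `getname()` and `getgroup()`. The header comment on `getgsid()` also still reads "If an ephemeral UID", a leftover from `getusid()`, and should say GID.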
diff --git a/usr/src/common/ficl/emu/loader_emu.c b/usr/src/common/ficl/emu/loader_emu.c
index 8c4b376cfd..e3a48f29da 100644
--- a/usr/src/common/ficl/emu/loader_emu.c
+++ b/usr/src/common/ficl/emu/loader_emu.c
@@ -720,6 +720,7 @@ bf_init(const char *rc, ficlOutputFunction out)
buf = get_currdev();
(void) setenv("currdev", buf, 1);
free(buf);
+ (void) setenv("console", "text", 1);
/* Put all private definitions in a "builtins" vocabulary */
rv = ficlVmEvaluate(bf_vm,
diff --git a/usr/src/common/smbsrv/smb_sid.c b/usr/src/common/smbsrv/smb_sid.c
index 9d4dc978ae..c5700b0d87 100644
--- a/usr/src/common/smbsrv/smb_sid.c
+++ b/usr/src/common/smbsrv/smb_sid.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 2007, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
*/
#if !defined(_KERNEL) && !defined(_FAKE_KERNEL)
@@ -29,6 +29,7 @@
#include <stdlib.h>
#include <syslog.h>
#else /* !_KERNEL && !_FAKE_KERNEL */
+#include <sys/int_limits.h> /* Needed for _FAKE_KERNEL */
#include <sys/types.h>
#include <sys/systm.h>
#include <sys/sunddi.h>
@@ -50,7 +51,7 @@ smb_sid_isvalid(smb_sid_t *sid)
return (B_FALSE);
return ((sid->sid_revision == NT_SID_REVISION) &&
- (sid->sid_subauthcnt < NT_SID_SUBAUTH_MAX));
+ (sid->sid_subauthcnt <= NT_SID_SUBAUTH_MAX));
}
/*
@@ -317,7 +318,7 @@ smb_sid_t *
smb_sid_fromstr(const char *sidstr)
{
smb_sid_t *sid;
- smb_sid_t *retsid;
+ smb_sid_t *retsid = NULL;
const char *p;
int size;
uint8_t i;
@@ -329,35 +330,47 @@ smb_sid_fromstr(const char *sidstr)
if (strncmp(sidstr, "S-1-", 4) != 0)
return (NULL);
+ sua = 0;
+ (void) ddi_strtoul(&sidstr[4], (char **)&p, 10, &sua);
+
+ /*
+ * If ddi_strtoul() did the right thing, *p will point at the first '-'
+ * after the identifier authority.
+ * The IdentifierAuthority can be up to 2^48, but all known ones
+ * currently fit into a uint8_t.
+ * TODO: support IdentifierAuthorities > 255 (those over UINT32_MAX are
+ * hex-formatted).
+ */
+ if (sua > UINT8_MAX || (*p != '-' && *p != '\0'))
+ return (NULL);
+
size = sizeof (smb_sid_t) + (NT_SID_SUBAUTH_MAX * sizeof (uint32_t));
sid = kmem_zalloc(size, KM_SLEEP);
-
sid->sid_revision = NT_SID_REVISION;
- sua = 0;
- (void) ddi_strtoul(&sidstr[4], 0, 10, &sua);
sid->sid_authority[5] = (uint8_t)sua;
- for (i = 0, p = &sidstr[5]; i < NT_SID_SUBAUTH_MAX && *p; ++i) {
- while (*p && *p == '-')
+ for (i = 0; i < NT_SID_SUBAUTH_MAX && *p; ++i) {
+ while (*p == '-')
++p;
- if (*p < '0' || *p > '9') {
- kmem_free(sid, size);
- return (NULL);
- }
+ if (*p < '0' || *p > '9')
+ goto out;
sua = 0;
- (void) ddi_strtoul(p, 0, 10, &sua);
+ (void) ddi_strtoul(p, (char **)&p, 10, &sua);
+ if (sua > UINT32_MAX)
+ goto out;
sid->sid_subauth[i] = (uint32_t)sua;
- while (*p && *p != '-')
- ++p;
+ if (*p != '\0' && *p != '-')
+ goto out;
}
sid->sid_subauthcnt = i;
retsid = smb_sid_dup(sid);
- kmem_free(sid, size);
+out:
+ kmem_free(sid, size);
return (retsid);
}
#else /* _KERNEL */
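Review bot: The sub-authority loop exits once `i` reaches `NT_SID_SUBAUTH_MAX` without checking that the input is exhausted, so a SID string with more sub-authorities than the maximum is accepted and returned as its truncated prefix, which is a different SID from the one supplied. Adding `if (*p != '\0') goto out;` just before `sid->sid_subauthcnt = i;` would reject it. The user-space variant in the later hunks has the same loop condition and needs the equivalent `free(sid); return (NULL);`. The opening lines of `smb_sid_fromstr()` are in the preceding hunk.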
@@ -368,6 +381,7 @@ smb_sid_fromstr(const char *sidstr)
const char *p;
int size;
uint8_t i;
+ unsigned long sua;
if (sidstr == NULL)
return (NULL);
@@ -375,17 +389,29 @@ smb_sid_fromstr(const char *sidstr)
if (strncmp(sidstr, "S-1-", 4) != 0)
return (NULL);
+ sua = strtoul(&sidstr[4], (char **)&p, 10);
+
+ /*
+ * If strtoul() did the right thing, *p will point at the first '-'
+ * after the identifier authority.
+ * The IdentifierAuthority can be up to 2^48, but all known ones
+ * currently fit into a uint8_t.
+ * TODO: support IdentifierAuthorities > 255 (those over UINT32_MAX are
+ * hex-formatted).
+ */
+ if (sua > UINT8_MAX || (*p != '-' && *p != '\0'))
+ return (NULL);
+
size = sizeof (smb_sid_t) + (NT_SID_SUBAUTH_MAX * sizeof (uint32_t));
- if ((sid = malloc(size)) == NULL)
+ if ((sid = calloc(size, 1)) == NULL)
return (NULL);
- bzero(sid, size);
sid->sid_revision = NT_SID_REVISION;
- sid->sid_authority[5] = atoi(&sidstr[4]);
+ sid->sid_authority[5] = (uint8_t)sua;
- for (i = 0, p = &sidstr[5]; i < NT_SID_SUBAUTH_MAX && *p; ++i) {
- while (*p && *p == '-')
+ for (i = 0; i < NT_SID_SUBAUTH_MAX && *p; ++i) {
+ while (*p == '-')
++p;
if (*p < '0' || *p > '9') {
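Review bot: The new authority check does not verify that `strtoul()` consumed any digits, so `"S-1-"` or `"S-1--5"` leaves `p == &sidstr[4]` with `sua == 0` and is parsed as identifier authority 0 instead of being rejected. Extending the test to `if (p == &sidstr[4] || sua > UINT8_MAX || (*p != '-' && *p != '\0'))` closes that. The kernel variant in the earlier hunk looks to have the same gap, assuming `ddi_strtoul()` leaves the end pointer at the start of the string when no digits are found. The function begins and ends outside this hunk.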
@@ -393,10 +419,11 @@ smb_sid_fromstr(const char *sidstr)
return (NULL);
}
- sid->sid_subauth[i] = strtoul(p, NULL, 10);
-
- while (*p && *p != '-')
- ++p;
+ sid->sid_subauth[i] = strtoul(p, (char **)&p, 10);
+ if (*p != '\0' && *p != '-') {
+ free(sid);
+ return (NULL);
+ }
}
sid->sid_subauthcnt = i;
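Review bot: The user-space loop stores the `strtoul()` result straight into the 32-bit `sid_subauth[i]`, whereas the kernel variant in this same commit rejects `sua > UINT32_MAX`; on an LP64 build an oversized sub-authority is silently truncated to a different value here. Parse into the `sua` local that this commit adds to the function and range-check before the store: `sua = strtoul(p, (char **)&p, 10);` followed by `if (sua > UINT32_MAX) { free(sid); return (NULL); }`. Check that `UINT32_MAX` is visible in the non-kernel include branch, which is not shown in this diff. The function continues past the end of this hunk.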
diff --git a/usr/src/data/ucode/amd/A010-00 b/usr/src/data/ucode/amd/A010-00
index 48149467de..c1f2f3a162 100644
--- a/usr/src/data/ucode/amd/A010-00
+++ b/usr/src/data/ucode/amd/A010-00
Binary files differ
diff --git a/usr/src/data/ucode/amd/A011-00 b/usr/src/data/ucode/amd/A011-00
index 2bcf1d5a65..a35b92982b 100644
--- a/usr/src/data/ucode/amd/A011-00
+++ b/usr/src/data/ucode/amd/A011-00
Binary files differ
diff --git a/usr/src/data/ucode/amd/A012-00 b/usr/src/data/ucode/amd/A012-00
index 4536829bb5..1361159596 100644
--- a/usr/src/data/ucode/amd/A012-00
+++ b/usr/src/data/ucode/amd/A012-00
Binary files differ
diff --git a/usr/src/data/ucode/amd/THIRDPARTYLICENSE b/usr/src/data/ucode/amd/THIRDPARTYLICENSE
index de5b29c4e4..ea47c577c7 100644
--- a/usr/src/data/ucode/amd/THIRDPARTYLICENSE
+++ b/usr/src/data/ucode/amd/THIRDPARTYLICENSE
@@ -1,4 +1,4 @@
-Copyright (C) 2010-2018 Advanced Micro Devices, Inc., All rights reserved.
+Copyright (C) 2010-2022 Advanced Micro Devices, Inc., All rights reserved.
Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"),
free of any license fees, to any person obtaining a copy of this
diff --git a/usr/src/lib/libsec/common/acltext.c b/usr/src/lib/libsec/common/acltext.c
index 42a31ad995..9c9953c896 100644
--- a/usr/src/lib/libsec/common/acltext.c
+++ b/usr/src/lib/libsec/common/acltext.c
@@ -20,7 +20,7 @@
*/
/*
* Copyright (c) 1993, 2010, Oracle and/or its affiliates. All rights reserved.
- * Copyright 2014 Nexenta Systems, Inc. All rights reserved.
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
*/
/*LINTLIBRARY*/
@@ -172,6 +172,15 @@ getsidname(uid_t who, boolean_t user, char **sidp, boolean_t noresolve)
return (*sidp ? 0 : 1);
}
+/*
+ * sid_string_by_id() is an exposed interface via -lsec
+ */
+int
+sid_string_by_id(uid_t who, boolean_t user, char **sidp, boolean_t noresolve)
+{
+ return (getsidname(who, user, sidp, noresolve));
+}
+
static void
aclent_printacl(acl_t *aclp)
{
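Review bot: The comment on `sid_string_by_id()` says only that the function is exported, which leaves out the contract a new library entry point needs. Judging by `return (*sidp ? 0 : 1);` in `getsidname()` and the `free(sid)` calls added to ls.c, it returns 0 on success with `*sidp` apparently pointing at an allocated string the caller must free, and non-zero otherwise. I would expand the comment to state that, together with the meaning of the `user` and `noresolve` arguments.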
@@ -729,10 +738,10 @@ ace_inherit_txt(dynaclstr_t *dstr, uint32_t iflags, int flags)
char *
aclent_acltotext(aclent_t *aclp, int aclcnt, int flags)
{
- dynaclstr_t *dstr;
+ dynaclstr_t *dstr;
char *aclexport = NULL;
int i;
- int error = 0;
+ int error = 0;
if (aclp == NULL)
return (NULL);
@@ -884,7 +893,7 @@ ace_acltotext(acl_t *aceaclp, int flags)
int i;
int error = 0;
int isdir = (aceaclp->acl_flags & ACL_IS_DIR);
- dynaclstr_t *dstr;
+ dynaclstr_t *dstr;
char *aclexport = NULL;
char *rawsidp = NULL;
@@ -1028,7 +1037,7 @@ acl_parse(const char *acltextp, acl_t **aclp)
}
static void
-ace_compact_printacl(acl_t *aclp)
+ace_compact_printacl(acl_t *aclp, int flgs)
{
int cnt;
ace_t *acep;
@@ -1050,7 +1059,7 @@ ace_compact_printacl(acl_t *aclp)
dstr->d_aclexport[0] = '\0';
dstr->d_pos = 0;
- if (ace_type_txt(dstr, acep, 0))
+ if (ace_type_txt(dstr, acep, flgs))
break;
len = strlen(&dstr->d_aclexport[0]);
if (ace_perm_txt(dstr, acep->a_access_mask, acep->a_flags,
@@ -1070,18 +1079,18 @@ ace_compact_printacl(acl_t *aclp)
}
static void
-ace_printacl(acl_t *aclp, int cols, int compact)
+ace_printacl(acl_t *aclp, int cols, int flgs)
{
int slot = 0;
char *token;
char *acltext;
- if (compact) {
- ace_compact_printacl(aclp);
+ if (flgs & ACL_COMPACT_FMT) {
+ ace_compact_printacl(aclp, flgs);
return;
}
- acltext = acl_totext(aclp, 0);
+ acltext = acl_totext(aclp, flgs);
if (acltext == NULL)
return;
@@ -1111,15 +1120,33 @@ ace_printacl(acl_t *aclp, int cols, int compact)
* print a "slot" number.
*/
void
+acl_printacl2(acl_t *aclp, int cols, int flgs)
+{
+
+ switch (aclp->acl_type) {
+ case ACLENT_T:
+ aclent_printacl(aclp);
+ break;
+ case ACE_T:
+ ace_printacl(aclp, cols, flgs);
+ break;
+ }
+}
+
+/*
+ * Historical, compatibility version of the above.
+ */
+void
acl_printacl(acl_t *aclp, int cols, int compact)
{
+ int flgs = compact ? ACL_COMPACT_FMT : 0;
switch (aclp->acl_type) {
case ACLENT_T:
aclent_printacl(aclp);
break;
case ACE_T:
- ace_printacl(aclp, cols, compact);
+ ace_printacl(aclp, cols, flgs);
break;
}
}
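Review bot: `acl_printacl()` and the new `acl_printacl2()` now carry the same `switch` on `aclp->acl_type`, so the two copies can drift apart. The compatibility function can be reduced to a single call, `acl_printacl2(aclp, cols, compact ? ACL_COMPACT_FMT : 0);`. Separately, the `ACLENT_T` branch calls `aclent_printacl(aclp)` without `flgs`, so `ACL_NORESOLVE` and `ACL_SID_FMT` coming from `ls -n` appear to have no effect on that ACL type; a comment saying whether this is intended would help.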
diff --git a/usr/src/lib/libsec/common/aclutils.h b/usr/src/lib/libsec/common/aclutils.h
index e3e6d130f6..706d880e4b 100644
--- a/usr/src/lib/libsec/common/aclutils.h
+++ b/usr/src/lib/libsec/common/aclutils.h
@@ -22,6 +22,7 @@
* Copyright 2008 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
+ * Copyright 2016 Nexenta Systems, Inc. All rights reserved.
* Copyright 2022 RackTop Systems, Inc.
*/
@@ -130,6 +131,7 @@ extern int acl_addentries(acl_t *, acl_t *, int);
extern int acl_removeentries(acl_t *, acl_t *, int, int);
extern int acl_modifyentries(acl_t *, acl_t *, int);
extern void acl_printacl(acl_t *, int, int);
+extern void acl_printacl2(acl_t *, int, int);
extern char *acl_strerror(int);
extern acl_t *acl_dup(acl_t *);
extern int acl_type(acl_t *);
@@ -142,6 +144,7 @@ extern int yyparse(void);
extern void yyreset(void);
extern void yycleanup(void);
extern acl_t *acl_to_aclp(enum acl_type, void *, int);
+extern int sid_string_by_id(uid_t, boolean_t, char **, boolean_t);
extern int sid_to_id(char *, boolean_t, uid_t *);
extern int sid_to_xid(char *, int *, uid_t *);
diff --git a/usr/src/lib/libsec/common/mapfile-vers b/usr/src/lib/libsec/common/mapfile-vers
index 87e9ea6019..3fb8b52e25 100644
--- a/usr/src/lib/libsec/common/mapfile-vers
+++ b/usr/src/lib/libsec/common/mapfile-vers
@@ -20,6 +20,7 @@
#
#
# Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
+# Copyright 2016 Nexenta Systems, Inc. All rights reserved.
#
#
@@ -83,10 +84,12 @@ SYMBOL_VERSION SUNWprivate_1.1 {
acl_modifyentries;
acl_parse;
acl_printacl;
+ acl_printacl2;
acl_removeentries;
acl_strerror;
acl_to_aclp;
acl_type;
+ sid_string_by_id;
sid_to_id;
local:
*;
diff --git a/usr/src/man/man1/ls.1 b/usr/src/man/man1/ls.1
index 952b65c845..bbd98e7556 100644
--- a/usr/src/man/man1/ls.1
+++ b/usr/src/man/man1/ls.1
@@ -43,7 +43,7 @@
.\" Copyright 1989 AT&T
.\" Portions Copyright (c) 1992, X/Open Company Limited All Rights Reserved
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved
-.\" Copyright 2014 Nexenta Systems, Inc. All Rights Reserved.
+.\" Copyright 2016 Nexenta Systems, Inc. All Rights Reserved.
.\"
.TH LS 1 "Apr 25, 2020"
.SH NAME
@@ -1183,7 +1183,12 @@ Streams output format. Files are listed across the page, separated by commas.
.sp .6
.RS 4n
The same as \fB-l\fR, except that the owner's \fBUID\fR and group's \fBGID\fR
-numbers are printed, rather than the associated character strings.
+numbers are printed, rather than the associated character strings. For files
+which owner and/or group is a Windows Security Identifier (\fBSID\fR), \fB-n\fR
+suppresses any lookups for the Windows Name string and prints only the raw SID.
+Moreover, a second instance of this flag (\fB-nn\fR) can be used to further
+suppress \fBidmapd\fR(1M) lookups of the file's owner and/or group SID, thus
+forcing \fBls\fR into printing the raw ephemeral numeric identifiers.
.RE
.sp
@@ -2829,3 +2834,9 @@ overridden by the \fBLC_COLLATE\fR environment variable. For example, if
beginning with upper-case letters, then followed by names beginning with
lower-case letters. But if \fBLC_COLLATE\fR equals \fBen_US.ISO8859-1\fR, then
leading dots as well as case are ignored in determining the sort order.
+.sp
+.LP
+For additional information regarding Windows Security Identifiers, consult
+Microsoft support document, \fIWell-known security identifiers in Windows
+operating systems\fR, which can be found at Microsoft's support site:
+https://support.microsoft.com/en-us/kb/243330/.
diff --git a/usr/src/pkg/manifests/system-microcode-amd.p5m b/usr/src/pkg/manifests/system-microcode-amd.p5m
index a79641cbc4..77e52a2946 100644
--- a/usr/src/pkg/manifests/system-microcode-amd.p5m
+++ b/usr/src/pkg/manifests/system-microcode-amd.p5m
@@ -35,7 +35,7 @@
#
<include global_zone_only_component>
set name=pkg.fmri \
- value=pkg:/system/microcode/amd@20220408,$(PKGVERS_BUILTON)-$(PKGVERS_BRANCH)
+ value=pkg:/system/microcode/amd@20220930,$(PKGVERS_BUILTON)-$(PKGVERS_BRANCH)
set name=pkg.summary value="Microcode for AMD CPUs"
set name=pkg.description value="Microcode for AMD CPUs"
set name=info.classification value=org.opensolaris.category.2008:System/Core
diff --git a/usr/src/pkg/manifests/system-test-smbsrvtest.p5m b/usr/src/pkg/manifests/system-test-smbsrvtest.p5m
index 109cb6ccb9..96025785e0 100644
--- a/usr/src/pkg/manifests/system-test-smbsrvtest.p5m
+++ b/usr/src/pkg/manifests/system-test-smbsrvtest.p5m
@@ -9,7 +9,7 @@
# http://www.illumos.org/license/CDDL.
#
-# Copyright 2021 Tintri by DDN, Inc. All rights reserved.
+# Copyright 2022 Tintri by DDN, Inc. All rights reserved.
set name=pkg.fmri value=pkg:/system/test/smbsrvtest@$(PKGVERS)
set name=pkg.summary value="SMB Server Functional Tests"
@@ -27,6 +27,9 @@ file path=opt/smbsrv-tests/include/default.cfg mode=0444
file path=opt/smbsrv-tests/include/smbtor-excl-rpc.txt mode=0444
file path=opt/smbsrv-tests/include/smbtor-excl-smb2.txt mode=0444
dir path=opt/smbsrv-tests/tests
+dir path=opt/smbsrv-tests/tests/smb_sid
+file path=opt/smbsrv-tests/tests/smb_sid/large_sids_kern mode=0555
+file path=opt/smbsrv-tests/tests/smb_sid/large_sids_lib mode=0555
dir path=opt/smbsrv-tests/tests/smbtorture
file path=opt/smbsrv-tests/tests/smbtorture/runst-rpc mode=0555
file path=opt/smbsrv-tests/tests/smbtorture/runst-smb2 mode=0555
diff --git a/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh b/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh
index aab3ad0c8f..dd2053bc01 100644
--- a/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh
+++ b/usr/src/test/smbsrv-tests/cmd/smbsrvtests.ksh
@@ -12,7 +12,7 @@
#
#
-# Copyright 2021 Tintri by DDN, Inc. All rights reserved.
+# Copyright 2022 Tintri by DDN, Inc. All rights reserved.
#
# Run all the smbsrv-tests
@@ -49,3 +49,5 @@ set -x
$SMBSRV_TESTS/tests/smbtorture/runst-smb2
$SMBSRV_TESTS/tests/smbtorture/runst-rpc
+$SMBSRV_TESTS/tests/smb_sid/large_sids_lib
+$SMBSRV_TESTS/tests/smb_sid/large_sids_kern
diff --git a/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile b/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile
new file mode 100644
index 0000000000..d3e11c6ef5
--- /dev/null
+++ b/usr/src/test/smbsrv-tests/tests/smb_sid/Makefile
@@ -0,0 +1,66 @@
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source. A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright (c) 2012, 2016 by Delphix. All rights reserved.
+# Copyright 2022 Tintri by DDN, Inc. All rights reserved.
+#
+include $(SRC)/cmd/Makefile.cmd
+include $(SRC)/test/Makefile.com
+
+PROG = large_sids_lib large_sids_kern
+KERN_OBJS = smb_sid.o
+
+large_sids_lib := LDLIBS += -L$(ROOT)/usr/lib/smbsrv -lsmb
+large_sids_lib := LDFLAGS += -R/usr/lib/smbsrv
+large_sids_kern := LDLIBS64 += -lfakekernel
+
+smb_sid.o := CPPFLAGS.first += -I $(SRC)/lib/libfakekernel/common -D_FAKE_KERNEL
+
+ROOTOPTPKG = $(ROOT)/opt/smbsrv-tests
+TESTDIR = $(ROOTOPTPKG)/tests/smb_sid
+
+CMDS = $(PROG:%=$(TESTDIR)/%)
+$(CMDS) := FILEMODE = 0555
+
+CSTD = $(CSTD_GNU99)
+
+all: $(PROG)
+
+$(TESTDIR):
+ $(INS.dir)
+
+$(TESTDIR)/%: %
+ $(INS.file)
+
+%_lib: %.c
+ $(LINK.c) -o $@ $< $(LDLIBS)
+ $(POST_PROCESS)
+
+%_kern: %.c $(KERN_OBJS)
+ $(LINK64.c) -o $@ $^ $(LDLIBS64)
+ $(POST_PROCESS)
+
+smb_sid.c: $(SRC)/common/smbsrv/smb_sid.c
+ $(CP) $^ $@
+
+%.o: %.c
+ $(COMPILE64.c) $<
+
+install: all $(CMDS)
+
+clobber: clean
+ -$(RM) $(PROG)
+
+clean:
+ -$(RM) $(KERN_OBJS)
+
+$(CMDS): $(TESTDIR) $(PROG)
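Review bot: The `smb_sid.c` rule copies `$(SRC)/common/smbsrv/smb_sid.c` into this directory, but neither `clean` nor `clobber` removes the copy, so it stays behind in the source tree after `make clobber`. Adding it to the clean recipe, `-$(RM) $(KERN_OBJS) smb_sid.c`, keeps the test directory free of a second copy of the parser that could be mistaken for the real source.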
diff --git a/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c b/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c
new file mode 100644
index 0000000000..267fdd734c
--- /dev/null
+++ b/usr/src/test/smbsrv-tests/tests/smb_sid/large_sids.c
@@ -0,0 +1,104 @@
+/*
+ * This file and its contents are supplied under the terms of the
+ * Common Development and Distribution License ("CDDL"), version 1.0.
+ * You may only use this file in accordance with the terms of version
+ * 1.0 of the CDDL.
+ *
+ * A full copy of the text of the CDDL should have accompanied this
+ * source. A copy of the CDDL is also available via the Internet at
+ * http://www.illumos.org/license/CDDL.
+ */
+
+/*
+ * Copyright 2022 Tintri by DDN, Inc. All rights reserved.
+ */
+
+/*
+ * Test usr/src/common/smbsrv/smb_sid.c with large SIDs
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <smbsrv/smb_sid.h>
+#include <limits.h>
+
+void
+test_sid(const char *sidstr, uint8_t idauth, const uint32_t *subauths,
+ size_t subauth_cnt)
+{
+ char newstr[1024];
+ smb_sid_t *sid;
+ int i;
+
+ sid = smb_sid_fromstr(sidstr);
+ if (!smb_sid_isvalid(sid)) {
+ fprintf(stderr, "SID %s not valid: %p\n", sidstr, sid);
+ exit(1);
+ }
+
+ smb_sid_tostr(sid, newstr);
+
+ if (strncmp(sidstr, newstr, sizeof (newstr)) != 0) {
+ fprintf(stderr, "SID %s did not match decoded SID %s\n",
+ sidstr, newstr);
+ exit(5);
+ }
+
+ if (subauths == NULL) {
+ smb_sid_free(sid);
+ return;
+ }
+
+ if (sid->sid_authority[5] != idauth) {
+ fprintf(stderr, "Wrong SID authority %u (expected %u): %s\n",
+ sid->sid_authority, idauth, sidstr);
+ exit(2);
+ }
+
+ if (sid->sid_subauthcnt != subauth_cnt) {
+ fprintf(stderr, "Wrong subauthcnt %u (expected %u): %s\n",
+ sid->sid_subauthcnt, subauth_cnt, sidstr);
+ exit(3);
+ }
+
+ for (i = 0; i < subauth_cnt; i++) {
+ if (sid->sid_subauth[i] != subauths[i]) {
+ fprintf(stderr,
+ "Wrong subauthcnt %u (expected %u): %s\n",
+ sid->sid_subauthcnt, subauth_cnt, sidstr);
+ exit(4);
+ }
+ }
+
+ smb_sid_free(sid);
+}
+
+int
+main(int argc, char *argv[])
+{
+ char sid[1024];
+ uint32_t subauths[NT_SID_SUBAUTH_MAX];
+ size_t len = sizeof (sid);
+ int off = 0;
+ int i, idauth;
+
+ if (argc > 1) {
+ test_sid(argv[1], 0, NULL, 0);
+ goto out;
+ }
+
+ for (idauth = 2; idauth <= UINT8_MAX; idauth += 11) {
+ off = snprintf(&sid[0], len, "S-1-%u", idauth);
+ for (i = 0; i < NT_SID_SUBAUTH_MAX; i++) {
+ subauths[i] = arc4random();
+ off += snprintf(&sid[off], len - off,
+ "-%u", subauths[i]);
+ }
+ test_sid(sid, idauth, subauths, NT_SID_SUBAUTH_MAX);
+ }
+
+out:
+ printf("success!\n");
+ return (0);
+}
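Review bot: In `test_sid()` the authority-mismatch message passes the array `sid->sid_authority` to a `%u` conversion, which is a format/argument mismatch; it should print `sid->sid_authority[5]`, the byte the preceding `if` compares. `subauth_cnt` is a `size_t` printed with `%u` in two places and wants `%zu`, and the message inside the sub-authority loop repeats "Wrong subauthcnt" where it should report `sid->sid_subauth[i]` against `subauths[i]`. The generated inputs are all well-formed, so the rejection paths added to `smb_sid_fromstr()` (a sub-authority above `UINT32_MAX`, trailing non-digit characters) are never exercised; a few negative cases that expect `NULL` would cover them.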
diff --git a/usr/src/uts/common/fs/smbsrv/smb_sd.c b/usr/src/uts/common/fs/smbsrv/smb_sd.c
index 946503fa8f..b5dc88db58 100644
--- a/usr/src/uts/common/fs/smbsrv/smb_sd.c
+++ b/usr/src/uts/common/fs/smbsrv/smb_sd.c
@@ -89,6 +89,9 @@ smb_sd_len(smb_sd_t *sd, uint32_t secinfo)
*
* Return the security information mask for the specified security
* descriptor.
+ *
+ * Note: This is used for 'create-with-sd'. 'set-security-info' provides the
+ * secinfo as part of the request, but create does not, so we must infer it.
*/
uint32_t
smb_sd_get_secinfo(smb_sd_t *sd)
@@ -104,10 +107,10 @@ smb_sd_get_secinfo(smb_sd_t *sd)
if (sd->sd_group)
sec_info |= SMB_GROUP_SECINFO;
- if (sd->sd_dacl)
+ if ((sd->sd_control & SE_DACL_PRESENT) != 0)
sec_info |= SMB_DACL_SECINFO;
- if (sd->sd_sacl)
+ if ((sd->sd_control & SE_SACL_PRESENT) != 0)
sec_info |= SMB_SACL_SECINFO;
return (sec_info);
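Review bot: Deriving the DACL and SACL bits from `sd_control` means `SMB_DACL_SECINFO` can now be reported while `sd->sd_dacl` is NULL, which is the NULL-DACL case this change is meant to allow. That deserves a comment at the test, for example `/* SE_DACL_PRESENT with a NULL sd_dacl is a NULL DACL (no access restrictions), not an absent one */`, because consumers of the returned mask can no longer assume the pointer is set. It is worth confirming that the create path handles a NULL `sd_dacl` when this bit is set; those callers are not part of this diff. The function starts outside this hunk.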
diff --git a/usr/src/uts/intel/io/vmm/io/iommu.c b/usr/src/uts/intel/io/vmm/io/iommu.c
index 8374a6da58..8d22c4901e 100644
--- a/usr/src/uts/intel/io/vmm/io/iommu.c
+++ b/usr/src/uts/intel/io/vmm/io/iommu.c
@@ -70,12 +70,10 @@ ddi_modhandle_t iommu_modhdl;
static const struct iommu_ops *ops;
static void *host_domain;
-static volatile uint_t iommu_initted;
-
static int
iommu_find_device(dev_info_t *dip, void *arg)
{
- boolean_t add = (boolean_t)arg;
+ boolean_t add = (boolean_t)(uintptr_t)arg;
if (pcie_is_pci_device(dip)) {
if (add)