axen(4): brush up
Align .Cd introduced in previous with the others.
Don't abuse -tag for -item. Mark up ifconfig media types.
Drop confusing parens around the sentence that says autoselect is the
default. The next sentence is the logical continuation of that
thought, and yet it was outside the parens, torn away from the
sentence it expands upon.
Avoid most 30-40 character runs of alphabet soup. A slash and an 'A'
is an especially nasty combination. Fortunately, commas are a thing.
Give remaining slashes a bit of kerning.
octeon: Add second errata syncw in membar_release
The second syncw is relevant to CN5xxx/Octeon+ for us (ERLite), we don't
currently support CN3xxx but attempt to clarify the commentary around all
this.
There is a seemingly similar detail on cnMIPS, the SYNC_PLUNGER, which is not
dealt with or changed here. This syncw is specifically to work around two
related errata in CN3xxx and CN5xxx.
The OCTEON2 path is a future breadcrumb, we don't build it yet.
Reviewed by: skrll@
axen.4: note examples of presently unsupported features
(These could go under a bugs section, but it perhaps makes more sense
to keep all this information together.)
axen.4: add and adjust examples of supported devices
Noted to work with TP-Link UE300 (those that come with ASIX chips,
apparently some come with an RTL8153) and UE306. While here, also
correct the transliteration of "Kuroutoshikou", following OpenBSD.
tcp: set initial RTO to 1s per RFC 6298
Lower TCPTV_SRTTDFLT from 3s to 1s and adjust the t_rttvar seed in
tcp_tcpcb_template() so the pre-measurement TCP_REXMTVAL() equals
TCPTV_SRTTDFLT (was 2*TCPTV_SRTTDFLT). Active opens and SYN|ACK
retransmits now start at 1s and back off 1, 2, 4, ... per RFC 6298
sections 2.1 and 5.5. Post-first-sample RTO is unchanged.
Pin tcp_msl_remote_threshold to its previous numeric default (3*PR_SLOWHZ)
so the SRTTDFLT change does not move an unrelated TIME_WAIT-shortening
tunable.
This is conceptually https://reviews.freebsd.org/D18941 which we ran at a
large CDN, modified for NetBSD's stack.
Import bind 9.20.23 (previous was 9.20.22)
Security Fixes
Limit resolver server list size. (CVE-2026-3592)
When resolving a domain with many nameservers that shared overlapping
IP addresses (e.g., 10 NS records all pointing at the same set of
addresses), BIND could previously waste time querying duplicate
addresses and build up excessively large server lists. Addresses
in the resolver's server list are now deduplicated so that each
unique IP is only queried once per resolution attempt, regardless
of how many NS records point to it. The number of addresses stored
per nameserver name is also now capped at six (combined A and AAAA),
preventing memory and CPU overhead from domains with unusually
large NS/glue sets.
ISC would like to thank Shuhan Zhang from Tsinghua University for
reporting this issue. [GL #5641]
[222 lines not shown]
PR bin/60275 discard some arriving signals
The PR is only peripherally relevant to this, but it is all much
the same problem, over a fork() trapped signals are maintained,
and sh does not really want that.
In this case, when there is a vfork() a signal arriving for a
child (whether or not it should arrive and be processed) can be
treated as if it arrived for the parent, and cause a trap action
to be executed by the parent. (Never observed to have happened,
as best I am aware, but certainly looks as if it could.)
Avoid that, by making sure that the child process never records
a signal as having occurred, when it is being a vfork child
(while the parent is sharing memory with it).
Doing this meant making one variable that was previously local
to eval.c globally visible (exposing it in eval.h), and then
because the same name is used as a parameter in many other
[17 lines not shown]
membar_ops(3): Clarify language about membar_datadep_consumer.
I must have deleted a sentence about the temptation to pair it with
membar_producer in some earlier revision; let's write a new such
sentence.
crypto(4): Nix spurious mutex_exit; add missing bounds checks.
Consistently use `foo = kmem_alloc(n * sizeof(*foo), ...)' instead of
`sizeof(struct whatever_foo_is)'. Makes it easier for a reader to
notice a discrepancy this way.
Move CRYPTODEV_OPS_MAX to cryptodev_internal.h so it can be used by
the compat ocryptodev.c shims too. I think this is waaaaaaaaaaaaay
too high, by the way. For example, it looks like qat(4) puts a limit
of 16384 on the number of sessions. Other devices like hifn(4) look
like they're limited to numbers of sessions ranging from 2 to around
256.
PR kern/60281: crypto(4): bugs in reference counting and test
crypto(4): Omit needless locking in fcrypt_dtor.
We must have exclusive access to the object for this function to work
at all, so if removing the locks appeared to cause issues, it would
necessarily happen only because there is a bug somewhere else.
PR kern/60281: crypto(4): bugs in reference counting and test
crypto(4): Disentangle initialization and attachment goo.
Lotta unnecessary boilerplate deleted here!
Disable module unloading: can't be done safely. Explain precisely
why it can't be done safely.
This also fixes annoying `crypto: unable to register devsw, error 17'
messages in rump dmesg by having exactly one path to devsw_attach.
PR kern/60281: crypto(4): bugs in reference counting and test
crypto(4): Fix missing membars on reference count release.
If two threads A and B both hold references, we need to ensure that
memory ops in thread A happen before memory free in thread B in:
    thread A                thread B                notes
    --------                --------                -----
    memory ops
    atomic_dec(&refcnt)                             goes from 2 to 1
                            atomic_dec(&refcnt)     goes from 1 to 0
                            memory free
This requires a membar_release in thread A before the atomic_dec (or
atomic_dec with memory_order_release), and a membar_acquire in thread
B after the atomic_dec is found to have brought the reference count
down to zero (or atomic_dec with memory_order_acquire).
kern/60281: crypto(4): bugs in reference counting and test
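The release/acquire pairing described in the commit message above, as an added example that is not part of the commit or the NetBSD source. It assumes portable C11 atomics in place of the kernel's membar_release/membar_acquire, and the struct obj, obj_create, obj_hold and obj_release names are hypothetical; main() walks the 2 to 1 to 0 sequence from the table in a single thread.

```c
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical refcounted object; names are illustrative, not crypto(4)'s. */
struct obj {
	atomic_uint refcnt;
	int payload;		/* plain data protected only by the refcount */
	int *freed_with;	/* destructor records the payload it observed */
};

static struct obj *obj_create(int *freed_with)
{
	struct obj *o = calloc(1, sizeof(*o));
	if (o == NULL)
		return NULL;
	atomic_init(&o->refcnt, 1);
	o->freed_with = freed_with;
	return o;
}

static void obj_hold(struct obj *o)
{
	/* Caller already holds a reference, so relaxed ordering suffices. */
	atomic_fetch_add_explicit(&o->refcnt, 1, memory_order_relaxed);
}

/* Returns 1 if this call dropped the last reference and freed the object. */
static int obj_release(struct obj *o)
{
	/* Release: this thread's earlier memory ops precede the decrement. */
	if (atomic_fetch_sub_explicit(&o->refcnt, 1, memory_order_release) != 1)
		return 0;
	/* Acquire: every other holder's memory ops precede the free below. */
	atomic_thread_fence(memory_order_acquire);
	*o->freed_with = o->payload;
	free(o);
	return 1;
}

int main(void)
{
	int seen = -1;
	struct obj *o = obj_create(&seen);
	if (o == NULL)
		return 1;
	obj_hold(o);		/* second holder ("thread B") */
	o->payload = 42;	/* "thread A": memory ops */
	obj_release(o);		/* 2 -> 1, nothing freed */
	return (obj_release(o) == 1 && seen == 42) ? 0 : 1;
}
```

With only a relaxed decrement, nothing orders the store to payload before another thread's free, which is the gap the commit closes.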