nfsd: Optionally enable use of M_EXTPG mbufs for read replies
A test site determined that, for a Mellanox NIC which can handle
M_EXTPG mbufs, an improvement of 5-15% for read rate could be
achieved if the read reply was in M_EXTPG mbufs.
A patch that tried to determine if the outbound NIC supported
M_EXTPG mbufs (IFCAP_MEXTPG) did not pass review.
However, it does appear that this can be useful for NFS-over-RDMA.
(Which just happen to use NICs that do support M_EXTPG mbufs.)
As such, this patch enables them is xp_extpg is set to true,
which is never for now, but might be set true for RDMA or
when vfs.nfsd.enable_mextpg is set non-zero. (It is 0 by
default, so this is never enabled by default at this time.)
Tested by: Greg Becker <becker.greg at att.net>
MFC after: 2 weeks
security/zeek: Update to 8.0.9
https://github.com/zeek/zeek/releases/tag/v8.0.9
This release fixes the following potential DoS vulnerabilities:
- The NVT, Rlogin, and RSH analyzers have received fixes to avoid
unbounded state growth. Due to the fact that these packets can
be received from remote hosts, these are considered DoS risks.
- A specially crafted WebSocket payload can cause the Spicy WebSocket
analyzer to use excessive memory when processing close, ping,
and pong frames. Due to the fact that these packets can be
received from remote hosts, these are considered a DoS risk.
- A specially crafted series of Finger packets can cause the Spicy
Finger analyzer to use excessive amounts of memory and potentially
crash Zeek. Due to the fact that these packets can be received
from remote hosts, this is considered a DoS risk.
[100 lines not shown]
security/vuxml: Mark security/zeek < 8.0.9 as vulnerable as per:
https://github.com/zeek/zeek/releases/tag/v8.0.9
This release fixes the following potential DoS vulnerabilities:
- The NVT, Rlogin, and RSH analyzers have received fixes to avoid
unbounded state growth. Due to the fact that these packets can
be received from remote hosts, these are considered DoS risks.
- A specially crafted WebSocket payload can cause the Spicy WebSocket
analyzer to use excessive memory when processing close, ping,
and pong frames. Due to the fact that these packets can be
received from remote hosts, these are considered a DoS risk.
- A specially crafted series of Finger packets can cause the Spicy
Finger analyzer to use excessive amounts of memory and potentially
crash Zeek. Due to the fact that these packets can be received
from remote hosts, this is considered a DoS risk.
[52 lines not shown]
raw ip: fix race of two connect(2)
The historical design of sockets is that on a re-connect the disconnect is
performed at the socket layer in soconnectat(). Since SMP times this is
known to be racy and the function has appopriate comment. I missed that
in the recent change. The pr_connect method should normally expect the
socket to be already disconnected, however should be able to handle a race
where socket is actually connected. Convert the check that incorrectly
tried to handle normal path of re-connect into check that handles the
race.
Reported by: markj
Fixes: ece716c5d34728a170f1dfe1b3389c267d6ddd1e
powerpc/booke(pmap): Flash-invalidate TLB on TID rollover
When the TID rolls over on a given CPU, simply flash-invalidate the
TLB instead of walking the TLB to only invalidate the repurposed TID.
Walking 256 entries is expensive, and we'll likely be inserting a bunch
new ones anyway in the new environment, since 256 really only handles
1MB of storage, so the likelihood of other mappings continuing to exist
in the TLB when their thread owner is scheduled again is very very
small.
powerpc/pmap(booke): Fix TLB TID eviction
Fix tid_set_busy() for when `pmap` is NULL. Obviously a NULL pointer
cannot be correctly used, so I'm not sure how it worked in testing on
64-bit.
git-mfc: Allow merging merge commits
In order to merge merge commits (such as vendor imports), we need to
tell git cherry-pick which of the two branches referenced in the commit
is the mainline. In our case, it is always the first.
Approved by: markj
pf: revert netlink commands back to enum
Revert pf_nl.h part of 017690e50913 and use new libsysdecode build glue
that parses enums.
Reviewed by: kp, glebius
Differential Revision: https://reviews.freebsd.org/D57866
dtrace tests: Fix finding multiple process results
When looking up self process we can use `ps -p $$` directly rather
than grep which may find other processes ending in the expected PID.
Sponsored by: Dell Inc.
Reviewed by: markj, vangyzen
Differential Revision: https://reviews.freebsd.org/D58019
acl_from_text.c: Allow negative uid/gid numbers to be handled
getfacl / acl_to_text() incorrectly prints uid/gid numbers as signed integers.
This causes uid / gid numbers larger than 2G (2147483648) to print as
negative numbers.
The libc acl_from_text() function does not handle negative numbers.
This diff adds a backwards compatiblity fix to allow negative numbers...
Reviewed by: rmacklem
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D57180