if_wg: use proper barriers around pkt->p_state
Without appropriate load-synchronization to pair with store barriers in
wg_encrypt() and wg_decrypt(), the compiler and hardware are often
allowed to reorder these loads in wg_deliver_out() and wg_deliver_in()
such that we end up with a garbage or intermediate mbuf that we try to
pass on. The issue is particularly prevalent with the weaker
memory models of !x86 platforms.
Switch from the big-hammer wmb() to more explicit acq/rel atomics to
both make it obvious what we're syncing up with, and to avoid somewhat
hefty fences on platforms that don't necessarily need this.
With this patch, my dual-iperf3 reproducer is dramatically more stable
than it is without on aarch64.
PR: 264115
Reviewed by: andrew, zlei
(cherry picked from commit 3705d679a6344c957cae7a1b6372a8bfb8c44f0e)
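An added C model of the acquire/release pairing this commit describes (a constructed example, not the if_wg code; the names pkt, p_state, encrypt and deliver are borrowed from the message, everything else is assumed):

```c
#include <pthread.h>
#include <stdatomic.h>
#include <string.h>

/* Constructed stand-in for the wg packet: a payload pointer plus a state flag. */
enum pstate { PKT_UNCRYPTED = 0, PKT_CRYPTED = 1, PKT_DEAD = 2 };

struct pkt {
    char *p_mbuf;            /* filled in by the crypto worker */
    _Atomic int p_state;     /* published with release, read with acquire */
};

struct job { struct pkt *pkt; char buf[32]; };

/* Crypto side: write the mbuf first, then publish the state with release
 * semantics, so every write before the store is visible to a thread that
 * observes PKT_CRYPTED through a matching acquire load. */
static void *encrypt_worker(void *arg) {
    struct job *j = arg;
    memcpy(j->buf, "ciphertext", 11);
    j->pkt->p_mbuf = j->buf;
    atomic_store_explicit(&j->pkt->p_state, PKT_CRYPTED, memory_order_release);
    return NULL;
}

/* Delivery side: the acquire load pairs with the release store above.  A plain
 * (relaxed) load would let the compiler or a weakly ordered CPU fetch p_mbuf
 * before p_state, handing on a stale or half-built mbuf. */
static const char *deliver(struct pkt *p) {
    int st;
    while ((st = atomic_load_explicit(&p->p_state, memory_order_acquire)) == PKT_UNCRYPTED)
        ;  /* spin; real code would wait on a queue instead */
    return st == PKT_CRYPTED ? p->p_mbuf : NULL;
}

/* One producer/consumer hand-off; returns the payload the consumer saw. */
const char *handoff_demo(void) {
    static struct pkt p;
    static struct job j;
    p.p_mbuf = NULL;
    atomic_store(&p.p_state, PKT_UNCRYPTED);
    j.pkt = &p;
    pthread_t t;
    pthread_create(&t, NULL, encrypt_worker, &j);
    const char *out = deliver(&p);
    pthread_join(t, NULL);
    return out;
}
```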
crypto: Advance the correct pointer in crypto_cursor_copydata()
PR: 271766
Reported by: Michael Laß <bevan at bi-co.net>
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D40468
(cherry picked from commit 9f7fdd8c1ab153104275e59b49b2d567cec95256)
opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
Some consumers, e.g., swcr_encdec(), may call crypto_cursor_segment()
after having advanced the cursor to the end of the buffer. In this case
I believe the right behaviour is to return NULL and a length of 0.
When this occurs with a CRYPTO_BUF_VMPAGE buffer, the cc_vmpage pointer
will point past the end of the page pointer array, so
crypto_cursor_segment() ends up dereferencing a random pointer before
the function returns a length of 0. The uio-backed cursor has
a similar problem.
Address this by keeping track of the residual buffer length and
returning immediately once the length is zero.
PR: 271766
Reported by: Andrew "RhodiumToad" Gierth <andrew at tao11.riddles.org.uk>
Reviewed by: jhb
MFC after: 1 week
[4 lines not shown]
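An added C model of a vmpage-backed cursor covering both crypto commits above, the copydata pointer fix and the end-of-cursor check (a constructed example, not the opencrypto code; the 16-byte page size, the struct layouts and all function names are assumed):

```c
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 16   /* tiny pages so the walk is easy to follow */

struct vmpage_buf {
    char *pages[4];    /* page pointer array */
    size_t npages;
    size_t off;        /* offset of the data within pages[0] */
    size_t len;        /* total data length */
};

struct cursor {
    const struct vmpage_buf *buf;
    size_t pageidx;    /* index into pages[] */
    size_t offset;     /* offset within the current page */
    size_t resid;      /* bytes remaining: the fix is to track this */
};

void cursor_init(struct cursor *cc, const struct vmpage_buf *b) {
    cc->buf = b; cc->pageidx = 0; cc->offset = b->off; cc->resid = b->len;
}

/* Current contiguous segment and its length.  Once resid hits zero the cursor
 * sits at pages[npages], so returning early avoids dereferencing past the array. */
char *cursor_segment(struct cursor *cc, size_t *lenp) {
    if (cc->resid == 0) { *lenp = 0; return NULL; }
    size_t avail = PAGE_SIZE - cc->offset;
    if (avail > cc->resid) avail = cc->resid;
    *lenp = avail;
    return cc->buf->pages[cc->pageidx] + cc->offset;
}

void cursor_advance(struct cursor *cc, size_t n) {
    while (n > 0) {
        size_t avail = PAGE_SIZE - cc->offset;
        if (avail > n) avail = n;
        cc->offset += avail; n -= avail; cc->resid -= avail;
        if (cc->offset == PAGE_SIZE) { cc->pageidx++; cc->offset = 0; }
    }
}

/* Copy n bytes out, segment by segment; the destination pointer is the one
 * that must advance after each memcpy. */
void cursor_copydata(struct cursor *cc, char *dst, size_t n) {
    size_t len; char *seg;
    while (n > 0 && (seg = cursor_segment(cc, &len)) != NULL) {
        if (len > n) len = n;
        memcpy(dst, seg, len);
        dst += len; n -= len;
        cursor_advance(cc, len);
    }
}

/* Walks 28 bytes that end exactly on a page boundary, then asks for one more segment. */
int cursor_demo(void) {
    char page0[PAGE_SIZE + 1] = "0123456789abcdef", page1[PAGE_SIZE + 1] = "ghijklmnopqrstuv";
    struct vmpage_buf b = { { page0, page1 }, 2, 4, 28 };
    struct cursor cc; char out[29]; size_t len;
    cursor_init(&cc, &b);
    cursor_copydata(&cc, out, 28); out[28] = '\0';
    if (strcmp(out, "456789abcdefghijklmnopqrstuv") != 0) return 0;
    return cursor_segment(&cc, &len) == NULL && len == 0 && cc.pageidx == b.npages;
}
```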
opencrypto: Respect alignment constraints in xor_and_encrypt()
Copy operands to an aligned buffer before performing operations which
require alignment. Otherwise it's possible for this code to trigger an
alignment fault on armv7.
Reviewed by: jhb
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D41211
(cherry picked from commit 96c2538121390c872f68ac48f97b35fb973c11dc)
ccr,ccp: Fix argument order to sglist_append_vmpages.
The offset comes before the byte count.
Reported by: br
Reviewed by: asomers, markj
MFC after: 1 week
Sponsored by: DARPA
Differential Revision: https://reviews.freebsd.org/D38375
(cherry picked from commit 70efe1a2fe13642732e56c7f040fe63f62bc6a6b)
ossl: Add missing labels to bsaes-armv7.S
There is a bug in the OpenSSL script which generates this file; the bug
is in the process of being fixed upstream.
Specifically, when generating the output, bsaes-armv7.pl strips some
labels that are used when the output asm is compiled with __KERNEL__
defined, resulting in a build error. As a step towards adding armv7
support to ossl(4), manually patch the generated asm. The upstream fix
will be imported later.
Reviewed by: andrew, jhb, emaste
MFC after: 1 week
Sponsored by: Klara, Inc.
Sponsored by: Stormshield
Differential Revision: https://reviews.freebsd.org/D41303
(cherry picked from commit 454c425dbed1d341025c71a8645011a980e20ccd)
irdma(4): Upgrade to 1.2.36-k
Update Intel irdma driver to version 1.2.36-k.
Notable changes:
- Start using ib_sge directly instead of irdma_sge
- Turn off flush completion generator for libirdma
- Minor formatting changes
Signed-off-by: Bartosz Sobczak <bartosz.sobczak at intel.com>
Signed-off-by: Eric Joyner <erj at FreeBSD.org>
Reviewed by: erj@
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D43567
(cherry picked from commit 5b5f7d0e77a9eee73eb5d596f43aef4e1a3674d8)
irdma(4): remove artificial completion generator
Removing the artificial completion generator as there had been no indication
of the code being required for E810 cards. Furthermore, it was found
that the code may have unpleasant side effects on user experience when
using the ucmatose tool.
Signed-off-by: Bartosz Sobczak <bartosz.sobczak at intel.com>
Signed-off-by: Eric Joyner <erj at FreeBSD.org>
Reviewed by: erj@
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D41593
(cherry picked from commit ffafa6a4d157e49e6b12567958c4ab0c9151c080)
tcp: cubic - restart epoch after RTO
This is a mitigation to avoid sudden extreme jumps in
cwnd, as t_epoch can be very out of date after an RTO.
Per RFC9438, sec 4.8, t_epoch is to be reset whenever
cwnd grows beyond ssthresh (CC phase transitions from
slow start to congestion avoidance), to be fixed with
the upcoming cc_cubic changes.
MFC after: 3 days
Reviewed By: cc, #transport
Sponsored by: NetApp, Inc
Differential Revision: https://reviews.freebsd.org/D44023
(cherry picked from commit 038699a8f18a0a651ee06b85fa1dbbee1eab56f1)
tcp: prevent div by zero in cc_htcp
Make sure the dividend is at least one. While cwnd should
never be smaller than t_maxseg, this can happen during
Path MTU Discovery, or when TCP options are considered
in other parts of the stack.
PR: 276674
MFC after: 3 days
Reviewed By: tuexen, #transport
Sponsored by: NetApp, Inc.
Differential Revision: https://reviews.freebsd.org/D43797
(cherry picked from commit 38983d40c18ec5705dcba19ac320b86c5efe8e7e)
net80211: adjust more VHT structures/fields
Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/length at the beginning which
we did not actually use as such (the one place that did so just did
unused extra work).
Using the non-"ie" versions allows us to re-use them on shared code.
Using an enum helps us to not accidentally get unsupported or unhandled
values, though we cannot use it in the struct as we need to ensure the
field width.
ieee80211_vht_operation is guarded by _KERNEL/WANT_NET80211. While the
header is supposed to be exported to user land historically, software
such as wpa bring their own structure definitions. For in-tree usage
it is only ifconfig which really cares (at least for now).
Sponsored by: The FreeBSD Foundation
[4 lines not shown]
if_re: Generate an address if there is none in the EEPROM
There exists hardware that has no Ethernet address burned into
the EEPROM. Loading if_re on such HW brings the device up
with '00:00:00:00:00:00' as the address, and that doesn't get
you too far in a real network.
PR: 262406
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/670
Signed-off-by: Evgeni Golov <evgeni at debian.org>
Differential Revision: https://reviews.freebsd.org/D34485
(cherry picked from commit 55747938b5c4c913f742fd03189f0c660ced7bef)
wg: Attempt to detect loops in netmap mode
Given a netmap application which bridges the netmap and host ring pairs
for a wg interface, it's theoretically possible for a loop to arise. In
particular, try to catch the case where an encrypted frame transmitted
from the netmap TX ring is received locally, decrypted, and placed on
the netmap RX ring. Because the packet is delivered to userspace, mbuf
tags are lost, so the existing mechanism for detecting tunnel loops
doesn't work.
Taken from: https://github.com/markjdb/freebsd/commit/046c453af8584
rc.conf: correct $ntp_leapfile_sources
IETF is no longer serving leap-seconds.list. Update to the canonical place.
This fixes "service ntpd fetch".
IERS is the source of truth for leap seconds. Their leapsecond file is
updated most quickly and is always right (unlike the IANA one which
often lags). IERS operates this public service for the express purpose
of random people downloading it. Their terms of service are compatible
with open source (we could include this in our release). Rather than
fighting with questions around this because the IANA one changed
locations or the auto update script broke, just use this.
This is in preference to the NIST ftp copy. NIST is in the process of
retiring their FTP services.
Sponsored by: Netflix
Reviewed by: philip, delphij, cy
[9 lines not shown]
periodic/daily/480.leapfile-ntpd: only attempt to refresh leap-seconds.list
when ntpd is enabled.
The leap-seconds.list is used exclusively by ntpd, therefore, do not bother
to perform the fetch when ntpd is not enabled.
PR: conf/275419
Reviewed by: cy, michaelo, imp
Differential Revision: https://reviews.freebsd.org/D42875
(cherry picked from commit 3b3195f6767b39eb33b3523134ef988931c9c86d)
(cherry picked from commit 3ef596c6e80562710da09c16558d7351749ea143)
Security: FreeBSD-EN-24:01.tzdata
Approved by: so (gordon)
jail: Fix information leak.
There is a lack of proper visibility checking in kern.ttys sysctl handler
which leads to information leak about processes outside the current jail.
This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:
jail# pstat -t | grep pts/ | head
LINE INQ CAN LIN LOW OUTQ USE LOW COL SESS PGID STATE
pts/2 1920 0 0 192 1984 0 199 0 4132 27245 Oi
pts/3 1920 0 0 192 1984 0 199 16 24890 33627 Oi
pts/5 0 0 0 0 0 0 0 25 17758 0 G
pts/16 0 0 0 0 0 0 0 0 52495 0 G
pts/15 0 0 0 0 0 0 0 25 53446 0 G
pts/17 0 0 0 0 0 0 0 6702 33230 0 G
pts/19 0 0 0 0 0 0 0 14 1116 0 G
pts/0 0 0 0 0 0 0 0 0 2241 0 G
[22 lines not shown]
bhyveload: use a dirfd to support -h
Don't allow lookups from the loader scripts, which in rare cases may be
in guest control depending on the setup, to leave the specified host
root. Open the root dir and strictly do RESOLVE_BENEATH lookups from
there.
cb_open() has been restructured a bit to work nicely with this, using
fdopendir() in the directory case and just using the fd we already
opened in the regular file case.
hostbase_open() was split out to provide an obvious place to apply
rights(4) if that's something we care to do.
Reviewed by: allanjude (earlier version), markj
Approved by: so
Security: FreeBSD-SA-24:01.bhyveload
Security: CVE-2024-25940
[2 lines not shown]
setusercontext(): Apply personal settings only on matching effective UID
Commit 35305a8dc114 (r211393) added a check on whether 'uid' was equal
to getuid() before calling setlogincontext(). Doing so still allows
a setuid program to apply resource limits and priorities specified in
a user-controlled configuration file ('~/.login_conf') where
a non-setuid program could not. Plug the hole by checking instead that
the process' effective UID is the target one (which is likely what was
meant in the initial commit).
PR: 271750
Reviewed by: kib, des
Sponsored by: Kumacom SAS
Differential Revision: https://reviews.freebsd.org/D40351
Approved by: so
Security: FreeBSD-EN-24:02.libutil
(cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)
[3 lines not shown]