rtsold: Validate entries in domain search lists
Reported by: Kevin Day <kevin at your.org>
Approved by: so
Security: FreeBSD-SA-25:12.rtsold
Security: CVE-2025-14558
netmap: Fix error handling in nm_os_extmem_create()
We bump the object reference count prior to mapping it into the kernel
map, at which point the vm_map_entry owns the reference. Then, if
vm_map_wire() fails, vm_map_remove() will release the reference, so we
should avoid decrementing it in the error path.
Reported by: Ilja van Sprundel <ivansprundel at ioactive.com>
Reviewed by: vmaffione
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D53066
(cherry picked from commit dfc1041c08ba32f24b8050b4d635a0bbbfd9b767)
e1000: Don't enable ASPM L1 without L0s
Reporter noted packet loss with 82583. NVM is down level. The
errata docs mention disabling this, which should be the firmware
default, so I am not sure why we were enabling this bit. Linux and
OpenBSD have the same issue, while NetBSD got it right.
Reported by: Codin <codin at nagi.ftp.sh>
Tested by: Codin <codin at nagi.ftp.sh>
(cherry picked from commit 2ead091715dee327b3e00bc9840e1a95827b8e82)
e1000: Bump 82574/82583 PBA to 32K
The reporter contacted me with packet loss and throughput fluctuations
on a low power machine (Intel J1900) that got worse with the recent AIM
algorithm in FreeBSD 14.2+.
32K RX PBA matches Linux default. Add a conditional path since we don't
otherwise do a fixup for jumbo frames to retain space for two frames in
Tx.
With this change and an additional errata change, the throughput meets
line rate for the reporter.
Reported by: Codin <codin at nagi.ftp.sh>
Tested by: Codin <codin at nagi.ftp.sh>
(cherry picked from commit aa30bab9a92e1be230b9708bff9f33aae7d384e5)
pf: relax sctp v_tag verification
pf was too strict when validating SCTP tags. When a server receives a
retransmitted INIT it will reply with a random initiate tag every time.
However, pf saves the first initiate tag and expects every subsequent INIT_ACK
retransmission to have the same tag. This is not the case, leading to endless
INIT/INIT_ACK cycles.
Allow the tag to be updated as long as we've not gone past COOKIE_WAIT.
Add a test case to verify this.
MFC after: 2 weeks
See also: https://redmine.pfsense.org/issues/16516
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit bc3b72ff48953551e0e8bd6e5a2c718ecd973285)
irdma(4): fix potential memory leak on qhash cqp operation
It was found that in some circumstances when launching
non-waiting create qhash cqp operation the refcount on
the cqp_request may be not properly decremented leading to a memory
leak.
Signed-off-by: Bartosz Sobczak <bartosz.sobczak at intel.com>
Reviewed by: anzhu_netapp.com
Tested by: mateusz.moga_intel.com
Approved by: kbowling (mentor)
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D53732
(cherry picked from commit 7b6644e160ed63b633e7c68a3cacf2c71d216cd5)
pfsync: fix incorrect unlock during destroy
During pfsync_clone_destroy() we clean up pending packets. This
may involve calling pfsync_undefer() or callout_drain(). We may not
hold the bucket lock during callout_drain(), but must hold it during
pfsync_undefer().
We incorrectly always released the lock, leading to assertion failures
during cleanup if there were pending deferred packets.
MFC after: 1 week
Sponsored by: Orange Business Services
(cherry picked from commit 639e65144aa71cb03b5431861803f528308760dc)
linuxkpi: gracefully handle page lookup failure in lkpi_vmf_insert_pfn_prot_locked
Currently lkpi_vmf_insert_pfn_prot_locked will check the page iter to
find a usage of the page. If no page was found, it continues on to
try using PHYS_TO_VM_PAGE() to get a page. Currently it does not check
if a valid page was found before passing it to vm_page_busy_acquire,
which can cause a kernel page fault as vm_page_busy_acquire expects
a valid page pointer.
This can easily be triggered while starting KDE6 in wayland mode, which
many users have been reporting. With this change plasma6 starts properly
in wayland mode.
Sponsored by: NVIDIA
PR: 288565
Reviewed by: markj, kbowling (mentor)
Differential Revision: https://reviews.freebsd.org/D53412
Fixed conflicts during MFC, re-reviewed by kbowling
(cherry picked from commit 03b214a35db1ebdc7575cad8d695c65daf2817bf)
linuxkpi: add stub implementation of pm_vt_switch_(un)register
This adds empty implementations of pm_vt_switch_(un)register which
are used by nvidia-drm. We do not need to specify anything here as
a VT switch always happens on suspend/resume.
Sponsored by: NVIDIA
Reviewed by: kbowling (mentor), emaste
Differential Revision: https://reviews.freebsd.org/D53400
(cherry picked from commit 75aa13c64aba71f6f26d05e8fcf96e3862d44cde)
ipsec: Fix typos in references to IPsec's ESP
ESP is "Encapsulating Security Payload",
not "Encapsulated Security Payload".
This patch fixes all the place in the tree I could find
with `grep -i encapsulated security`.
MFC after: 3 days
Reviewed by: ae
Differential Revision: https://reviews.freebsd.org/D53769
(cherry picked from commit 15afd75e67102f81c37adbf11966e48685bd7be7)
divert: Use a jenkins hash to select the target socket
Using the pf state ID turned out to be a bad choice: we store the
big-endian representation of a global counter, so low bits are typically
zero.
divert: Define semantics for SO_REUSEPORT_LB on divert sockets
Allow SO_REUSEPORT_LB to be set on divert sockets. If set, then bind()
will add the socket to a "load-balancing group". When a divert-to rule
matches a port with an associated group, the corresponding state ID is
used to select a specific socket from the group. Packets without an
associated state are simply forwarded to the first socket in the group.
This implementation is simple but has some caveats, the main one being
that if sockets are added to the group while flows are being processed,
the size of the group will change and this changes the mapping of state
IDs to sockets. So, to get a consistent mapping, the divert socket
application must bind all of its sockets before any traffic is processed
by pf.
pf: Rationalize the ip_divert_ptr test
If a rule has a divert port set, then we can reasonably predict that
ipdivert.ko is loaded, and in particular that ip_divert_ptr is set.
Moreover, in this case, if ipdivert.ko is not loaded we should just drop
the packet instead of ignoring the divert rule.
No functional change intended.
ipdivert: Use CK_SLISTs for the divcb hash table
The hash table is accessed in ip_divert_packet(), and there the accesses
are synchronized only by the net epoch, so plain SLIST is not safe.
divert: Define semantics for SO_REUSEPORT_LB on divert sockets
Allow SO_REUSEPORT_LB to be set on divert sockets. If set, then bind()
will add the socket to a "load-balancing group". When a divert-to rule
matches a port with an associated group, the corresponding state ID is
used to select a specific socket from the group. Packets without an
associated state are simply forwarded to the first socket in the group.
This implementation is simple but has some caveats, the main one being
that if sockets are added to the group while flows are being processed,
the size of the group will change and this changes the mapping of state
IDs to sockets. So, to get a consistent mapping, the divert socket
application must bind all of its sockets before any traffic is processed
by pf.
ipdivert: Use CK_SLISTs for the divcb hash table
The hash table is accessed in ip_divert_packet(), and there the accesses
are synchronized only by the net epoch, so plain SLIST is not safe.
pf: Rationalize the ip_divert_ptr test
If a rule has a divert port set, then we can reasonably predict that
ipdivert.ko is loaded, and in particular that ip_divert_ptr is set.
Moreover, in this case, if ipdivert.ko is not loaded we should just drop
the packet instead of ignoring the divert rule.
No functional change intended.
ix(4): Add support for debug dump for E610 adapters
This is part 2 of the support for the new Intel Ethernet E610 family of devices.
Intel E610 Ethernet Controller devices feature a debug dump capability
that allows you to capture runtime register values directly from the
hardware, with assistance from the firmware. These registers are
organized into clusters based on their function, enabling targeted
debugging. This information is consolidated into a single dump file,
facilitating the debugging of complex issues encountered in the field.
The debug dump provides a snapshot of the device's current hardware
configuration, including switch tables, transmit scheduler tables, and
other relevant data. It captures the state of specified clusters and
serves as a stateless snapshot of the entire device.
This update introduces ioctl and sysctl support for the debug dump feature.
Signed-off-by: Yogesh Bhosale yogesh.bhosale at intel.com
Co-developed-by: Krzysztof Galazka krzysztof.galazka at intel.com
[7 lines not shown]
igb(4): Fix VLAN support on VFs
Virtual Functions are considered untrusted and have no control
over VLAN filtering configuration in HW. To allow using
VLANs on VF intreface driver has to assume that VLAN HW Filtering
is always enabled and pass requests for adding or removing VLAN
tags to Physical Function driver using Mailbox API.
Signed-off-by: Krzysztof Galazka <krzysztof.galazka at intel.com>
Approved by: kbowling (mentor)
Reviewed by: erj (previous version)
Tested by: gowtham.kumar.ks_intel.com
Sponsored by: Intel Corporation
Differential Revision: https://reviews.freebsd.org/D53245
(cherry picked from commit 1839526b7315cae62efbd2d1493e6243439effcb)
pf: handle divert packets
In a divert setup pf_test_state() may return PF_PASS, but not set the state
pointer. We didn't handle that, and as a result crashed immediately afterwards
trying to dereference that NULL state pointer.
Add a test case to provoke the problem.
PR: 260867
MFC after: 2 weeks
Submitted by: Phil Budne <phil.budne at gmail.com>
Sponsored by: Rubicon Communications, LLC ("Netgate")
(cherry picked from commit 66f2f1c83247f05a3a599d7e88c7e7efbedd16b5)
