Commit Graph

274370 Commits

Author SHA1 Message Date
Marius Strobl eb5aa52e2f fib_algo(4): Lower level of algorithm switching messages to LOG_INFO
Otherwise, with the default flm_debug_level of LOG_NOTICE, it's rather
easy to trigger debug messages such as:
[fib_algo] inet.0 (bsearch4#18) rebuild_fd_flm: switching algo to
radix4_lockless

Also, the "severity" of these events generally only justifies LOG_INFO
and not LOG_NOTICE.

Reviewed by:	melifaro

(cherry picked from commit ed81a15517b8a8f587fd7282c3690513bb798242)
2024-04-19 09:14:59 +02:00
Mark Johnston 94d51c89b5 wg: Use ENETUNREACH when transmitting to a non-existent peer
The old errno value used is specifically for Capsicum and shouldn't be
co-opted in this way.  It has special handling in the generic syscall
layer (see syscallret()).  OpenBSD returns ENETUNREACH in this case;
let's do the same thing.

PR:		266712
Reviewed by:	kevans, imp
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Differential Revision:	https://reviews.freebsd.org/D44582

(cherry picked from commit 63613e3ba1e188e9fece43e1613bd697f04b345e)
2024-04-19 09:14:44 +02:00
Zhenlei Huang 63f1e961a4 debugnet: Fix logging of frame length
MFC after:	1 week

(cherry picked from commit 6fe4d8395bc5ec51a5ec68b5f1176b4710676b7c)
(cherry picked from commit 800bd7da4c)
2024-04-19 09:14:34 +02:00
Zhenlei Huang 41beca88dc ethernet: Fix logging of frame length
Both the mbuf length and the total packet length are signed.

While here, update a stale comment to reflect the current practice.

Reviewed by:	kp
MFC after:	1 week
Differential Revision:	https://reviews.freebsd.org/D42390

(cherry picked from commit e7102929bf4fea4bf22855d2d6031edf6c413608)
(cherry picked from commit 4d65728d55)
2024-04-19 09:14:21 +02:00
Eugene Grosbein 9bab6a7338 MFC: if_bridge: change MTU for new members
Rather than reject new bridge members because they have the wrong MTU
change it to match the bridge. If that fails, reject the new interface.

PR:	264883
Differential Revision:	https://reviews.freebsd.org/D35597

(cherry picked from commit 1865ebfb12)
2024-04-19 09:14:06 +02:00
Eugene Grosbein 124842dc50 MFC: if_bridge: use IF_MINMTU
Replace incorrect constant 576 with IF_MINMTU to check for minimum MTU.
This unbreaks bridging tap interfaces with small mtu.

MFC after:	1 week
2024-04-19 09:13:43 +02:00
Karim Fodil-Lemelin 01f62ad4aa ipfw: Skip to the start of the loop when following a keep-state rule
When a packet matches an existing dynamic rule for a keep-state rule,
the matching engine advances the "instruction pointer" to the action
portion of the rule skipping over the match conditions.  However, the
code was merely breaking out of the switch statement rather than doing
a continue, so the remainder of the loop body after the switch was
still executed.  If the first action opcode contains an F_NOT but not
an F_OR (such as an "untag" action), then match is toggled to 0, and
the code exits the inner loop via a break which aborts processing of
the actions.

To fix, just use a continue instead of a break.

PR:		276732
Reviewed by:	jhb, ae
MFC after:	2 weeks

(cherry picked from commit 62b1faa3b7495de22a3225e42dabe6ce8c371e86)
2024-04-19 09:13:32 +02:00
Kristof Provost 22365c93a1 pfsync: cope with multiple pending plus messages
It's possible for pfsync to add a plus message when one is already queued.
Append both, rather than overwriting the already pending one.

MFC after:	1 week

(cherry picked from commit caccf6d3c008d3c778986734c2705cdae849a877)
2024-04-04 08:53:45 +02:00
Kristof Provost f6cc90aa58 pfsync: fix use of invalidated stack variable
Calls to pfsync_send_plus() pass pointers to stack variables.
If pfsync_sendout() then fails it retains the pointer to these stack
variables, accessing them later.

Allocate a buffer and copy the data instead, so that we can retain the
pointer safely.

Reported by:	CI KASAN, markj
MFC after:	1 week

(cherry picked from commit 81debbd60e5773e812e9227a2003ea88699580be)
2024-04-04 08:53:36 +02:00
Mark Johnston 1d6e165fb4 wg: Fix handling of errors in wg_transmit()
We were passing all errors from wg_xmit() to netmap, which handles
if_transmit errors by retrying a transmission.  However, for
non-transient errors this doesn't make sense and can result in packet
loops.
2024-04-02 09:31:17 +02:00
Gordon Tetlow a5874322bd Add UPDATING entries and bump the branch version.
Approved by:    so
2024-04-02 09:31:17 +02:00
Cy Schubert 7f2150def1 unbound: Vendor import 1.19.1
Release notes at
    https://www.nlnetlabs.nl/news/2024/Feb/13/unbound-1.19.1-released/

Security:	CVE-2023-50387, CVE-2023-50868
Security:	FreeBSD-SA-24:03.unbound
Approved by:    so

(cherry picked from commit 8f76bb7dad48538c6832c2fb466a433d2a3f8cd5)
(cherry picked from commit 4f4adb0576dfbcd0d956db0146c9de7e1bb71563)
(cherry picked from commit 948e11aaf420cd7d493cc2e118cacc06d18653fe)
(cherry picked from commit f5a091c1f6a068cdc5c3bd23536830de9dfe7b84)
(cherry picked from commit 6e71235e558ef579605e7f35b02f983b9a246a4a)
(cherry picked from commit 64ac3bca3a6ec8510ae7175cbdd73aa594756e2a)
(cherry picked from commit 103ba509e72e3949d22485666949e9705d4af8cd)
(cherry picked from commit 2bdab519a5c9822571d005c62adec484cf65c2e7)
(cherry picked from commit 5aab39b24ce7437265b94461ffdd9b12c0723658)
(cherry picked from commit a077e95570d9cef9882be688dc28303b6257cfd0)
(cherry picked from commit 67267734315c6a48db31697f0a0669fa1f985969)
(cherry picked from commit 17b51a12dca08f5126600e11181cee9454884e02)
(cherry picked from commit b76ef9a7cb8a7c62d10ae8101f41014f34819174)
(cherry picked from commit abe4ced2b9de0a3dd44d7e2068cfd7fa2b428c16)
2024-04-02 09:31:17 +02:00
Ed Maste 324a74f2ce kern: fix panic with disabled ttys
PR: 277240, 277329
Reviewed by: kib (earlier version)
Fixes: f1d0a0cbecf2 ("jail: Fix information leak.")
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D44086
Approved by:	so
Security:	FreeBSD-EN-24:05.tty

(cherry picked from commit 975d7730828a8bde28c2a0092b6e95c4c4e22f34)
(cherry picked from commit 8d22744f5b)
(cherry picked from commit a60220bbb5511469fe53fd4290713ba891f8f48a)
2024-04-02 09:31:17 +02:00
Kyle Evans 7efda340ff if_wg: use proper barriers around pkt->p_state
Without appropriate load-synchronization to pair with store barriers in
wg_encrypt() and wg_decrypt(), the compiler and hardware are often
allowed to reorder these loads in wg_deliver_out() and wg_deliver_in()
such that we end up with a garbage or intermediate mbuf that we try to
pass on.  The issue is particularly prevalent with the weaker
memory models of !x86 platforms.

Switch from the big-hammer wmb() to more explicit acq/rel atomics to
both make it obvious what we're syncing up with, and to avoid somewhat
hefty fences on platforms that don't necessarily need this.

With this patch, my dual-iperf3 reproducer is dramatically more stable
than it is without on aarch64.

PR:		264115
Reviewed by:	andrew, zlei

(cherry picked from commit 3705d679a6344c957cae7a1b6372a8bfb8c44f0e)
2024-03-25 22:04:03 +01:00
Mark Johnston 358e20e613 crypto: Advance the correct pointer in crypto_cursor_copydata()
PR:		271766
Reported by:	Michael Laß <bevan@bi-co.net>
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D40468

(cherry picked from commit 9f7fdd8c1a)
2024-03-22 08:21:03 +01:00
Mark Johnston 77b1d4d296 opencrypto: Handle end-of-cursor conditions in crypto_cursor_segment()
Some consumers, e.g., swcr_encdec(), may call crypto_cursor_segment()
after having advanced the cursor to the end of the buffer.  In this case
I believe the right behaviour is to return NULL and a length of 0.

When this occurs with a CRYPTO_BUF_VMPAGE buffer, the cc_vmpage pointer
will point past the end of the page pointer array, so
crypto_cursor_segment() ends up dereferencing a random pointer before
the function returns a length of 0.  The uio-backed cursor has
a similar problem.

Address this by keeping track of the residual buffer length and
returning immediately once the length is zero.

PR:		271766
Reported by:	Andrew "RhodiumToad" Gierth <andrew@tao11.riddles.org.uk>
Reviewed by:	jhb
MFC after:	1 week
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D40428

(cherry picked from commit 718d4a1d56)
2024-03-22 08:19:55 +01:00
Mark Johnston bf7adf64d1 opencrypto: Respect alignment constraints in xor_and_encrypt()
Copy operands to an aligned buffer before performing operations which
require alignment.  Otherwise it's possible for this code to trigger an
alignment fault on armv7.

Reviewed by:	jhb
MFC after:	2 weeks
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D41211

(cherry picked from commit 96c2538121)
2024-03-22 08:19:09 +01:00
John Baldwin 8b6369b6ba ccr,ccp: Fix argument order to sglist_append_vmpages.
The offset comes before the byte count.

Reported by:	br
Reviewed by:	asomers, markj
MFC after:	1 week
Sponsored by:	DARPA
Differential Revision:	https://reviews.freebsd.org/D38375

(cherry picked from commit 70efe1a2fe)
2024-03-22 08:17:51 +01:00
Franco Fichtner 8d1f37bf59 crypto: another annotation fix
2024-03-22 08:14:46 +01:00
Mark Johnston 9578562650 ossl: Add missing labels to bsaes-armv7.S
There is a bug in the OpenSSL script which generates this file; the bug
is in the process of being fixed upstream.

Specifically, when generating the output, bsaes-armv7.pl strips some
labels that are used when the output asm is compiled with __KERNEL__
defined, resulting in a build error.  As a step towards adding armv7
support to ossl(4), manually patch the generated asm.  The upstream fix
will be imported later.

Reviewed by:	andrew, jhb, emaste
MFC after:	1 week
Sponsored by:	Klara, Inc.
Sponsored by:	Stormshield
Differential Revision:	https://reviews.freebsd.org/D41303

(cherry picked from commit 454c425dbe)
2024-03-22 08:14:04 +01:00
Franco Fichtner 6f471daf5e opencrypto: clear the differences to stable/13
2024-03-22 08:11:35 +01:00
Mateusz Guzik aa4fd75ffa vnet: add CURVNET_ASSERT_SET for !VIMAGE
Reported by:	ler
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit 430e0e409c)
2024-03-22 08:09:53 +01:00
Mateusz Guzik 878c694e6f vnet: add CURVNET_ASSERT_SET
Reviewed by:	kp
Sponsored by:	Rubicon Communications, LLC ("Netgate")
Differential Revision:	https://reviews.freebsd.org/D34312

(cherry picked from commit 75cde1f872)
2024-03-22 08:09:53 +01:00
Konstantin Belousov 58b0ed1f53 ipsec esp: avoid dereferencing freed secasindex
(cherry picked from commit 1a56620b7958cac2b9048589cb730c46958ab539)
2024-03-05 17:13:44 +01:00
Bartosz Sobczak 0475af2433 irdma(4): Upgrade to 1.2.36-k
Update Intel irdma driver to version 1.2.36-k.

Notable changes:

- Start using ib_sge directly instead of irdma_sge
- Turn off flush completion generator for libirdma
- Minor formatting changes

Signed-off-by: Bartosz Sobczak <bartosz.sobczak@intel.com>
Signed-off-by: Eric Joyner <erj@FreeBSD.org>

Reviewed by:	erj@
Sponsored by:	Intel Corporation
Differential Revision:	https://reviews.freebsd.org/D43567

(cherry picked from commit 5b5f7d0e77a9eee73eb5d596f43aef4e1a3674d8)
2024-03-05 17:13:36 +01:00
Bartosz Sobczak 65147f6e3d irdma(4): remove artificial completion generator
Removing artificial completion generator as there had been no indication
of the code being required for E810 cards.  Furthermore, it was found
that the code may have unpleasant side effects on user experience when
using ucmatose tool.

Signed-off-by: Bartosz Sobczak <bartosz.sobczak@intel.com>
Signed-off-by: Eric Joyner <erj@FreeBSD.org>

Reviewed by:	erj@
Sponsored by:	Intel Corporation
Differential Revision:	https://reviews.freebsd.org/D41593

(cherry picked from commit ffafa6a4d157e49e6b12567958c4ab0c9151c080)
2024-03-05 17:13:23 +01:00
Gordon Bergling c1857578a5 netinet6: Fix two typos in source code comments
- s/adddress/address/

(cherry picked from commit 496432f192165b8700da4b0ab8ebdd253002e265)
2024-02-29 10:27:16 +01:00
Richard Scheffenegger 03723b1fd8 tcp: cubic - restart epoch after RTO
This is a mitigation to avoid sudden extreme jumps in
cwnd, as t_epoch can be very out of date after an RTO.
Per RFC9438, sec 4.8, t_epoch is to be reset whenever
cwnd grows beyond ssthresh (CC phase transitions from
slow start to congestion avoidance), to be fixed with
the upcoming cc_cubic changes.

MFC after:		3 days
Reviewed By:		cc, #transport
Sponsored by:		NetApp, Inc
Differential Revision:	https://reviews.freebsd.org/D44023

(cherry picked from commit 038699a8f18a0a651ee06b85fa1dbbee1eab56f1)
2024-02-29 10:26:05 +01:00
Richard Scheffenegger 7b99b5faa5 tcp: prevent div by zero in cc_htcp
Make sure the dividend is at least one. While cwnd should
never be smaller than t_maxseg, this can happen during
Path MTU Discovery, or when TCP options are considered
in other parts of the stack.

PR:			276674
MFC after:		3 days
Reviewed By:		tuexen, #transport
Sponsored by:		NetApp, Inc.
Differential Revision:	https://reviews.freebsd.org/D43797

(cherry picked from commit 38983d40c18ec5705dcba19ac320b86c5efe8e7e)
2024-02-29 10:25:40 +01:00
Gordon Bergling 61e3a1edc1 sctp(4): Fix a typo in a source code comment
- s/anthing/anything/

(cherry picked from commit 2fb174d18a42d1b2965164186843540ee65881ea)
2024-02-29 10:25:23 +01:00
Gordon Bergling 76bf853379 tcp_hpts: Fix a typo of a function name in a comment
- s/tcp_ouput/tcp_output/

(cherry picked from commit ef0ac0a1ad6750291b881203030384b7f7241efb)
2024-02-29 10:24:10 +01:00
Bjoern A. Zeeb f5dc1318ce net80211: adjust more VHT structures/fields
Replace ieee80211_ie_vhtcap with ieee80211_vht_cap and
ieee80211_ie_vht_operation with ieee80211_vht_operation.
The "ie" version has the two bytes type/length at the beginning which
we did not actually use as such (the one place doing did just as unused
extra work).

Using the non-"ie" versions allows us to re-use them on shared code.
Using an enum helps us to not accidentally get unsupported or unhandled
values though we cannot use it in the struct as we need to ensure the
field width.

ieee80211_vht_operation is guarded by _KERNEL/WANT_NET80211.  While the
header is supposed to be exported to user land historically, software
such as wpa bring their own structure definitions.  For in-tree usage
it is only ifconfig which really cares (at least for now).

Sponsored by:	The FreeBSD Foundation
Reviewed by:	adrian (earlier), cc
Differential Revision: https://reviews.freebsd.org/D42901

(cherry picked from commit e85eb4c8d7bd8051c351a6fc6982a8b3bcfdbb2d)
2024-02-23 10:50:26 +01:00
Evgeni Golov f7b006edfa if_re: Generate an address if there is none in the EEPROM
There exists hardware that has no ethernet address burned into
the EEPROM. Loading if_re on such a HW brings the device up
with '00:00:00:00:00:00' as the address, and that doesn't get
you too far in a real network.

PR: 262406
Reviewed by: imp
Pull Request: https://github.com/freebsd/freebsd-src/pull/670
Signed-off-by: Evgeni Golov <evgeni@debian.org>
Differential Revision: https://reviews.freebsd.org/D34485
(cherry picked from commit 55747938b5)
2024-02-19 09:47:55 +01:00
Mark Johnston ffa39536ba wg: Attempt to detect loops in netmap mode
Given a netmap application which bridges the netmap and host ring pairs
for a wg interface, it's theoretically possible for a loop to arise.  In
particular, try to catch the case where an encrypted frame transmitted
from the netmap TX ring is received locally, decrypted, and placed on
the netmap RX ring.  Because the packet is delivered to userspace, mbuf
tags are lost, so the existing mechanism for detecting tunnel loops
doesn't work.

Taken from: https://github.com/markjdb/freebsd/commit/046c453af8584
2024-02-16 15:14:29 +01:00
Igor Ostapenko 8686974bb8 pf: uncomment counter asserts after mem leak fix
Reviewed by:	kp
Differential Revision:	https://reviews.freebsd.org/D43657

(cherry picked from commit 9d784da3a7af9b9b04536c2e97459a7d9f92e364)
2024-02-14 08:28:24 +01:00
Philip Paeps 15e7db30f7 rc.conf: correct $ntp_leapfile_sources
IETF is no longer serving leap-seconds.list.  Update to the canonical place.

This fixes "service ntpd fetch".

IERS is the source of truth for leap seconds. Their leapsecond file is
updated most quickly and is always right (unlike the IANA one which
often lags). IERS operates this public service for the express purpose
of random people downloading it. Their terms of service are compatible
with open source (we could include this in our release). Rather than
fighting with questions around this because the IANA one changed
locations or the auto update script broke, just use this.

This is in preference to the NIST ftp copy. NIST is in the process of
retiring their FTP services.

Sponsored by:		Netflix
Reviewed by:		philip, delphij, cy
Differential Revision:	https://reviews.freebsd.org/D43752

(cherry picked from commit b1c95af45488bef649e9a84890e2414ff80b3a00)
(cherry picked from commit 74a8c6da4f28e691c169aa502713a5aaebc00584)
(cherry picked from commit 11da791920ba285f0832f09cb504ac81e35ff8d1)
(cherry picked from commit 0eea8292ae8c8e9119520ce54aa82cae491d83b9)

Security:       FreeBSD-EN-24:01.tzdata
Approved by:    so (gordon)
2024-02-14 08:26:11 +01:00
Xin LI 874b03e7c6 periodic/daily/480.leapfile-ntpd: only attempt to refresh leap-seconds.list
when ntpd is enabled.

The leap-seconds.list is used exclusively by ntpd, therefore, do not bother
to perform the fetch when ntpd is not enabled.

PR:		conf/275419
Reviewed by:	cy, michaelo, imp
Differential Revision: https://reviews.freebsd.org/D42875

(cherry picked from commit 3b3195f6767b39eb33b3523134ef988931c9c86d)
(cherry picked from commit 3ef596c6e80562710da09c16558d7351749ea143)

Security:       FreeBSD-EN-24:01.tzdata
Approved by:    so (gordon)
2024-02-14 08:26:07 +01:00
Gordon Tetlow f95ea10aac Add UPDATING entries and bump the branch version.
Approved by:	so
2024-02-14 08:25:57 +01:00
Pawel Jakub Dawidek e63fd4f255 jail: Fix information leak.
There is a lack of proper visibility checking in kern.ttys sysctl handler
which leads to information leak about processes outside the current jail.

This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:

	jail# pstat -t | grep pts/ | head
	      LINE   INQ  CAN  LIN  LOW  OUTQ  USE  LOW   COL  SESS  PGID STATE
	     pts/2  1920    0    0  192  1984    0  199     0  4132 27245 Oi
	     pts/3  1920    0    0  192  1984    0  199    16 24890 33627 Oi
	     pts/5     0    0    0    0     0    0    0    25 17758     0 G
	    pts/16     0    0    0    0     0    0    0     0 52495     0 G
	    pts/15     0    0    0    0     0    0    0    25 53446     0 G
	    pts/17     0    0    0    0     0    0    0  6702 33230     0 G
	    pts/19     0    0    0    0     0    0    0    14  1116     0 G
	     pts/0     0    0    0    0     0    0    0     0  2241     0 G
	    pts/23     0    0    0    0     0    0    0    20 15639     0 G
	     pts/6     0    0    0    0     0    0    0     0 44062 93792 G
	jail# pstat -t | grep pts/ | wc -l
	      85

Devfs does the filtering correctly and we get only one entry:

	jail# ls /dev/pts/
	2

Approved by:	mzaborski, secteam
MFC after:	1 week
Sponsored by:	Fudo Security
Approved by:	so
Security:	FreeBSD-SA-24:02.tty
Security:	CVE-2024-25941

(cherry picked from commit f1d0a0cbecf2c688061f35adea85bfb29c9ec893)
(cherry picked from commit a376108029a20f4ce51476d98f2483a7008ce7b5)

(cherry picked from commit 41ac0b4ce00bae061164384f23356a4df6e0e695)
(cherry picked from commit 9bff7ec98354a76c171905ce9530f85685725ee7)
2024-02-14 08:25:55 +01:00
Kyle Evans 767c4c1951 bhyveload: use a dirfd to support -h
Don't allow lookups from the loader scripts, which in rare cases may be
in guest control depending on the setup, to leave the specified host
root.  Open the root dir and strictly do RESOLVE_BENEATH lookups from
there.

cb_open() has been restructured a bit to work nicely with this, using
fdopendir() in the directory case and just using the fd we already
opened in the regular file case.

hostbase_open() was split out to provide an obvious place to apply
rights(4) if that's something we care to do.

Reviewed by:	allanjude (earlier version), markj
Approved by:	so
Security:	FreeBSD-SA-24:01.bhyveload
Security:	CVE-2024-25940

(cherry picked from commit 6779d44bd878e3cf4723f7386b11da6508ab5431)
(cherry picked from commit 78345dbd7a004e0a6d1b717e7dbc758ae67ca293)
2024-02-14 08:25:53 +01:00
Konstantin Belousov b01703fabb EVFILT_SIGNAL: do not use target process pointer on detach
PR:	275286
Approved by:	so
Security:	FreeBSD-EN-24:03.kqueue

(cherry picked from commit ed410b78edc53e17b5a3e93ace2adbeb3a734ae9)
(cherry picked from commit 55e91944998c128d74b94b9b48a04ef41ff5e9d0)
2024-02-14 08:25:52 +01:00
Olivier Certner e056b01b98 setusercontext(): Apply personal settings only on matching effective UID
Commit 35305a8dc1 (r211393) added a check on whether 'uid' was equal
to getuid() before calling setlogincontext().  Doing so still allows
a setuid program to apply resource limits and priorities specified in
a user-controlled configuration file ('~/.login_conf') where
a non-setuid program could not.  Plug the hole by checking instead that
the process' effective UID is the target one (which is likely what was
meant in the initial commit).

PR:                     271750
Reviewed by:            kib, des
Sponsored by:           Kumacom SAS
Differential Revision:  https://reviews.freebsd.org/D40351
Approved by:		so
Security:		FreeBSD-EN-24:02.libutil

(cherry picked from commit 892654fe9b5a9115815c30a423b8db47185aebbd)

Approved by:    markj (mentor)

(cherry picked from commit 9fcf54d3750e379868e51e4aa7fbf696877ab2ed)
2024-02-14 08:25:50 +01:00
Philip Paeps e1bb09700c contrib/tzdata: import tzdata 2024a
Changes: https://github.com/eggert/tz/blob/2024a/NEWS
Approved by:	so
Security:	FreeBSD-EN-24:01.tzdata

(cherry picked from commit 2723c7ffb7f729a1d3f7c59e7db48b0edf3d30a6)
(cherry picked from commit f4256acec1c980b7d08e9e526be6d2a7c4751f0b)
2024-02-14 08:25:44 +01:00
Philip Paeps 34908553b8 contrib/tzdata: import tzdata 2023d
Changes: https://github.com/eggert/tz/blob/2023d/NEWS
Approved by:	so
Security:	FreeBSD-EN-24:01.tzdata

(cherry picked from commit eebb9c2caea1584773ae4cec311cee1eea5b1655)
(cherry picked from commit 436f43d41cc78aa475015b4618f8787e1ed10000)
2024-02-14 08:25:41 +01:00
Aaron LI 5797ad4ee0 wg: detach bpf upon destroy as well
bpfattach() is called in wg_clone_create(), but the bpfdetach() is
missing from wg_close_destroy().  Add the missing bpfdetach() to avoid
leaking both the associated bpf bits as well as the ifnet that bpf will
hold a reference to.

PR:		276526

(cherry picked from commit 43be2d7aaf25b719aec8f49aab110c0061f1edec)
2024-01-30 08:25:42 +01:00
Aaron LI 60b2653e2a if_wg: fix access to noise_local->l_has_identity and l_private
These members are protected by the identity lock, so rlock it in
noise_remote_alloc() and then assert that we have it held to some extent
in noise_precompute_ss().

PR:		276392

(cherry picked from commit 7a4d1d1df0b2e369adcb32aea9ef8c180f885751)
2024-01-30 08:25:27 +01:00
Aaron LI ee67a64e82 if_wg: fix erroneous calculation in calculate_padding() for p_mtu == 0
In practice this is harmless; only keepalive packets may realistically have
p_mtu == 0, and they'll also have no payload so the math works out the same
either way.  Still, let's prefer technical accuracy and calculate the amount
of padding needed rather than the padded length...

PR:		276363

(cherry picked from commit b891f61ef538a4e9b4658b4b756635c8036a5788)
2024-01-30 08:24:59 +01:00
John Baldwin 8659880248 mbuf: Add mbufq_empty
Complement to the existing mbufq_full

Reviewed by:	bz
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D43337

(cherry picked from commit 76f405ed63540aa2d989c231f70277062e76ccfb)
2024-01-25 12:05:01 +01:00
Gordon Bergling f09c8bf70e if_llatbl: Fix a typo in a KASSERT message
- s/entires/entries/

(cherry picked from commit b4c94968d1bd1ffdd43976b0315e2b6c2b620ee2)
2024-01-25 11:16:59 +01:00
Gordon Bergling 48d669d017 rtsock: Fix a typo in a source code comment
- s/adddress/address/

(cherry picked from commit ab6d773dbf926e4f92e37b67a85c3290cfb90723)
2024-01-25 11:16:49 +01:00