Date: Wed, 19 Jun 2019 16:54:06 +0000 (UTC)
From: Gordon Tetlow <gordon@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r53171 - in head/share: security/advisories security/patches/EN-19:11 security/patches/SA-19:08 xml
Message-ID: <201906191654.x5JGs6mD035565@repo.freebsd.org>
Author: gordon (src committer)
Date: Wed Jun 19 16:54:06 2019
New Revision: 53171
URL: https://svnweb.freebsd.org/changeset/doc/53171

Log:
  Add SA-19:08 and EN-19:11.

  Approved by:	so

Added:
  head/share/security/advisories/FreeBSD-EN-19:11.net.asc   (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-19:08.rack.asc   (contents, props changed)
  head/share/security/patches/EN-19:11/
  head/share/security/patches/EN-19:11/net.patch   (contents, props changed)
  head/share/security/patches/EN-19:11/net.patch.asc   (contents, props changed)
  head/share/security/patches/SA-19:08/
  head/share/security/patches/SA-19:08/rack.patch   (contents, props changed)
  head/share/security/patches/SA-19:08/rack.patch.asc   (contents, props changed)
Modified:
  head/share/xml/advisories.xml
  head/share/xml/notices.xml

Added: head/share/security/advisories/FreeBSD-EN-19:11.net.asc
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ head/share/security/advisories/FreeBSD-EN-19:11.net.asc	Wed Jun 19 16:54:06 2019	(r53171)
@@ -0,0 +1,127 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-19:11.net Errata Notice + The FreeBSD Project + +Topic: Incorrect locking in networking stack + +Category: core +Module: net +Announced: 2019-06-19 +Affects: FreeBSD 12.x +Corrected: 2019-04-01 14:19:09 UTC (stable/12, 12.0-STABLE) + 2019-06-19 16:41:18 UTC (releng/12.0, 12.0-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Some parts of the network stack use a synchronization primitive, epoch(9), +that is new in FreeBSD 12.0. In some places where reader-writer locks were +previously used, existing KPIs were preserved and their implementations +replaced with epoch(9). + +II. Problem Description + +A pair of KPIs that were converted to epoch(9) were modified incorrectly, and +thus failed to provide the synchronization guarantees expected by their +consumers. + +III. Impact + +The bug can cause kernel memory corruption or kernel assertion failures, +depending on whether the INVARIANTS option is configured. The bug is more +likely to impact heavily loaded systems. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +Perform one of the following: + +1) Update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Afterwards, reboot the system. + +2) Update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-19:11/net.patch +# fetch https://security.FreeBSD.org/patches/EN-19:11/net.patch.asc +# gpg --verify net.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r345764 +releng/12.0/ r349198 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236846> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:11.net.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZzxfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cLg/RAAmE7CV+NRWEu3RxLjrXbxCUC6+e0McoRAeS8mKBfeWAIbyHJKN83i0G5b +1vefBZ6rsBFZWxk2MNMSFRcV3WsE+9GoUfl0Yz0xhWN9Uu9BLDAWIBtdYt1/P+YC +8Q6yteM6VEBKyYsm/4pqOviyv4HjlQTR+Skqk9kjBXJXXdEUqoS/iGQmBD8UYY6g ++bFxrHX3BiJ1X5xgqEIU6UdLyGl6N2fc0bbhj9DiEi1t7OsY0XbKR32itHtCExut +G2iYYeCYIuCLlumQbyCVU1p+vi1CnVyC4UQbZKTN3xIaALopMWG/dQqv99bZwFUR +wGHLWjQo5avzaWF0mIGk8XHgkVQndc1OfPxZ/MDi4POQlFyt+tjykrGumlMUGqJh +4GK9n7M/0u/bbDo3P5t1GkHbekFGc5aOvFHR+LjyLPY75n7mbFPKBdyAa4UnuM2w +EeQTsZhzOxHnDS752JBfiw5dVKXzmyjmbKJvhkBLdFO/tQ33lBtmMvrO1AIaPMcB +pdok94KvxbaH7Y+SzspcWBu63NLZTWOcHu75PVM8dR7CWUP55dGKLS4He24vmPNv +PBNHRbtbN0tGbaQQPaYExnryncolgi+5jK/B1AJGnDONIn3ODQkcEn7roFQoZBJT +1G3KvUCdvbESZ+1Gxif3BNop6y9fg7WLMaJSyoElHr56W4lG8u0= +=nqeJ +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-19:08.rack.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-19:08.rack.asc Wed Jun 19 16:54:06 2019 (r53171) 
@@ -0,0 +1,147 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-19:08.rack Security Advisory + The FreeBSD Project + +Topic: Resource exhaustion in non-default RACK TCP stack + +Category: core +Module: inet +Announced: 2019-06-19 +Credits: Jonathan Looney (Netflix) + Peter Lei (Netflix) +Affects: FreeBSD 12.0 and later +Corrected: 2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE) + 2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6) +CVE Name: CVE-2019-5599 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides +a connection-oriented, reliable, sequence-preserving data stream service. + +A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses the +notion of time, in addition to packet or sequence counts, to detect losses +for modern TCP implementations that support per-packet timestamps and the +selective acknowledgment (SACK) option. + +FreeBSD ships an optional implementation of RACK. Please note this is not +included by default. If RACK was not specifically compiled, installed, and +loaded, the system is not vulnerable. + +II. Problem Description + +While processing acknowledgements, the RACK code uses several linked lists to +maintain state entries. A malicious attacker can cause the lists to grow +unbounded. This can cause an expensive list traversal on every packet being +processed, leading to resource exhaustion and a denial of service. + +III. 
Impact + +An attacker with the ability to send specially crafted TCP traffic to a +victim system can degrade network performance and/or consume excessive CPU by +exploiting the inefficiency of traversing the potentially very large RACK +linked lists with relatively small bandwidth cost. + +IV. Workaround + +By default RACK is not compiled or loaded into the TCP stack. To determine +if you are using RACK, check the net.inet.tcp.functions_available sysctl. +If it includes a line with "rack", the RACK stack is loaded. + +To disable RACK, unload the kernel module with: + +# kldunload tcp_rack + +Note: it may be required to use the force flag (-f) with the kldunload. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or release / +security branch (releng) dated after the correction date. + +Perform one of the following: + +1) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +Since the tcp_rack kernel module is not built by default, recompile, +reinstall, and reload the kernel module. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch +# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc +# gpg --verify rack.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile, reinstall, and reload the tcp_rack kernel module. + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. 
+ +Branch/path Revision +- ------------------------------------------------------------------------- +stable/12/ r349197 +releng/12.0/ r349199 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md> + +<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc> +-----BEGIN PGP SIGNATURE----- + +iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZy1fFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK8ZxAAjT8bPjh+U0DGQEjnWvmzkMl7sDd2ISMTzKXh+WVGZ0wdwLuHqCHbBhHw +POAyJ4VprY9bGFK1EkoDuA5x0MPRXV4Zbk9I9eNKmzjbvj1JW92fubr/t6ITqiNp +2BAGK6iZ61saZyZNmQvTcZZzEao1ZRqylI3OEJWUwt9nomW6RJhRbRoJvbhl9oJE +Dz+ZjtZmf5oKccfkgoom8i7s4sHM1wFu+S00gYM7X/Nznv2S3B66pBYVhID30MGE +TKUqDYKdX7UbO/+WsWYVVBOA8Sp7FbdWLMGXXmk7jA9cVW+YUpir7yMYzIU5Ps6R +rLMQv4Rc593aznEDdvZkElW6AGMfLh4dpzqBKHbidKSZTv7q0KNQ52XJb18wD8n3 +1vr4L54HKai1xfl52MvLvUP7hPjLR1jW1W6QJ5Hk3qGU4aViifStY5VfJ/8J6uuT +FUi5J9szYDraT8mWlIRfZNTRnbrQX2FoLjjsouL8v9kCj+83NB92wh+vylplVzKF +vlw18g6yC6USuE90OfdY9gXFRxiUWE+/Y0R0+/aEvuqSa9mMLQfolznl3zf1RaK8 +GWX892iYmYYiTjN/HKttkdvfrQMYWLoW4COO+6h09VyNApQSpLikclERLnysi72M +EHRUquiZdZyV7nFmQGAeW779sdSE0d6gUTvS6Ak/PTzfAhy/Vj8= +=ggzB +-----END PGP SIGNATURE----- Added: head/share/security/patches/EN-19:11/net.patch 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:11/net.patch Wed Jun 19 16:54:06 2019 (r53171) 
@@ -0,0 +1,114 @@ +--- sys/net/if.c.orig ++++ sys/net/if.c +@@ -62,6 +62,8 @@ + #include <sys/domain.h> + #include <sys/jail.h> + #include <sys/priv.h> ++#include <sys/sched.h> ++#include <sys/smp.h> + + #include <machine/stdarg.h> + #include <vm/uma.h> +@@ -1755,6 +1757,30 @@ + ifd->ifi_noproto = ifp->if_get_counter(ifp, IFCOUNTER_NOPROTO); + } + ++struct ifnet_read_lock { ++ struct mtx mtx; /* lock protecting tracker below */ ++ struct epoch_tracker et; ++}; ++ ++DPCPU_DEFINE_STATIC(struct ifnet_read_lock, ifnet_addr_read_lock); ++DPCPU_DEFINE_STATIC(struct ifnet_read_lock, ifnet_maddr_read_lock); ++ ++static void ++ifnet_read_lock_init(void __unused *arg) ++{ ++ struct ifnet_read_lock *pifrl; ++ int cpu; ++ ++ CPU_FOREACH(cpu) { ++ pifrl = DPCPU_ID_PTR(cpu, ifnet_addr_read_lock); ++ mtx_init(&pifrl->mtx, "ifnet_addr_read_lock", NULL, MTX_DEF); ++ ++ pifrl = DPCPU_ID_PTR(cpu, ifnet_maddr_read_lock); ++ mtx_init(&pifrl->mtx, "ifnet_maddr_read_lock", NULL, MTX_DEF); ++ } ++} ++SYSINIT(ifnet_read_lock_init, SI_SUB_CPU + 1, SI_ORDER_FIRST, &ifnet_read_lock_init, NULL); ++ + /* + * Wrapper functions for struct ifnet address list locking macros. 
These are + * used by kernel modules to avoid encoding programming interface or binary +@@ -1764,35 +1790,47 @@ + void + if_addr_rlock(struct ifnet *ifp) + { +- MPASS(*(uint64_t *)&ifp->if_addr_et == 0); +- epoch_enter_preempt(net_epoch_preempt, &ifp->if_addr_et); ++ struct ifnet_read_lock *pifrl; ++ ++ sched_pin(); ++ pifrl = DPCPU_PTR(ifnet_addr_read_lock); ++ mtx_lock(&pifrl->mtx); ++ epoch_enter_preempt(net_epoch_preempt, &pifrl->et); + } + + void + if_addr_runlock(struct ifnet *ifp) + { +- epoch_exit_preempt(net_epoch_preempt, &ifp->if_addr_et); +-#ifdef INVARIANTS +- bzero(&ifp->if_addr_et, sizeof(struct epoch_tracker)); +-#endif ++ struct ifnet_read_lock *pifrl; ++ ++ pifrl = DPCPU_PTR(ifnet_addr_read_lock); ++ ++ epoch_exit_preempt(net_epoch_preempt, &pifrl->et); ++ mtx_unlock(&pifrl->mtx); ++ sched_unpin(); + } + + void + if_maddr_rlock(if_t ifp) + { ++ struct ifnet_read_lock *pifrl; + +- MPASS(*(uint64_t *)&ifp->if_maddr_et == 0); +- epoch_enter_preempt(net_epoch_preempt, &ifp->if_maddr_et); ++ sched_pin(); ++ pifrl = DPCPU_PTR(ifnet_maddr_read_lock); ++ mtx_lock(&pifrl->mtx); ++ epoch_enter_preempt(net_epoch_preempt, &pifrl->et); + } + + void + if_maddr_runlock(if_t ifp) + { ++ struct ifnet_read_lock *pifrl; + +- epoch_exit_preempt(net_epoch_preempt, &ifp->if_maddr_et); +-#ifdef INVARIANTS +- bzero(&ifp->if_maddr_et, sizeof(struct epoch_tracker)); +-#endif ++ pifrl = DPCPU_PTR(ifnet_maddr_read_lock); ++ ++ epoch_exit_preempt(net_epoch_preempt, &pifrl->et); ++ mtx_unlock(&pifrl->mtx); ++ sched_unpin(); + } + + /* +--- sys/net/if_var.h.orig ++++ sys/net/if_var.h +@@ -381,8 +381,7 @@ + */ + struct netdump_methods *if_netdump_methods; + struct epoch_context if_epoch_ctx; +- struct epoch_tracker if_addr_et; +- struct epoch_tracker if_maddr_et; ++ void *if_unused[4]; + + /* + * Spare fields to be added before branching a stable branch, so Added: head/share/security/patches/EN-19:11/net.patch.asc 
============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/EN-19:11/net.patch.asc Wed Jun 19 16:54:06 2019 (r53171) @@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZ0lfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cK+MQ//UXhOeoBsuv5BC6tRlXO3685gNeVBrv3AUW4P11eDNoRRKJ5zzUx4NoIs +PdGLuhJzqPHx3rBEWldhORfdNGl7207CS9LHMmf/zGLnx5h0Sveuef70QIzjBWT/ +GjIRQ/wkbsWRXH9CgLw/OgnBRvtO2EYL2+evsxpir471ehF+5/zQ2a/5jczhDYnR +v0wX9AV5gINm3RSwWBTX7vNaQfCvR1pfD4lZUu/o8fYEP8YQeCZUplf2BE1APoNc +zmKqn21aGXWLhP1+lGR0yBNRGYEZVvNLf3URhfJOQqMWf3LXIsR6XOGbYPZcUg22 +EY3oKYtLzUZINPW/hDEzKKw8mx+KXwN7fIe4r/m7IY5093QdQLKRanl8AwWhEcuE +aDxe6lv4Kg9staT5Jmy4z06dl/DOGlCvi/k1Wmiuk6svxS2BQ6SWJpoGbZDgUeLO +0mYnWRrSLr/rfy7YfYUW4UAY7I2GoGzXnWSXq54BiSQd4saB+1NYvSV+GzRmdpgU +OtD3o59rjleWtS/FboqWrL7ViVbzvJRjoKGHFPh/olc/OW0vwTleFo0xG7iXOJJK +kfAw1KVC79PF7PFec1pDEEmhSlkaBSto+QNKE2cKC7pBbSAysHHnZDwMRcZFWm48 +3zmq/jjwYNnjfmWBhRIMgqPjZdGzOiv2+KN8X53TWwiy4iio4GQ= +=kUNo +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-19:08/rack.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-19:08/rack.patch Wed Jun 19 16:54:06 2019 (r53171) 
@@ -0,0 +1,190 @@ +--- sys/netinet/tcp_stacks/rack.c.orig ++++ sys/netinet/tcp_stacks/rack.c +@@ -1,5 +1,5 @@ + /*- +- * Copyright (c) 2016-2018 ++ * Copyright (c) 2016-2019 + * Netflix Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -203,6 +203,7 @@ + static int32_t rack_sack_block_limit = 128; + static int32_t rack_use_sack_filter = 1; + static int32_t rack_tlp_threshold_use = TLP_USE_TWO_ONE; ++static uint32_t rack_map_split_limit = 0; /* unlimited by default */ + + /* Rack specific counters */ + counter_u64_t rack_badfr; +@@ -228,6 +229,8 @@ + counter_u64_t rack_to_alloc; + counter_u64_t rack_to_alloc_hard; + counter_u64_t rack_to_alloc_emerg; ++counter_u64_t rack_alloc_limited_conns; ++counter_u64_t rack_split_limited; + + counter_u64_t rack_sack_proc_all; + counter_u64_t rack_sack_proc_short; +@@ -261,6 +264,8 @@ + rack_ack_received(struct tcpcb *tp, struct tcp_rack *rack, + struct tcphdr *th, uint16_t nsegs, uint16_t type, int32_t recovery); + static struct rack_sendmap *rack_alloc(struct tcp_rack *rack); ++static struct rack_sendmap *rack_alloc_limit(struct tcp_rack *rack, ++ uint8_t limit_type); + static struct rack_sendmap * + rack_check_recovery_mode(struct tcpcb *tp, + uint32_t tsused); +@@ -445,6 +450,8 @@ + counter_u64_zero(rack_sack_proc_short); + counter_u64_zero(rack_sack_proc_restart); + counter_u64_zero(rack_to_alloc); ++ counter_u64_zero(rack_alloc_limited_conns); ++ counter_u64_zero(rack_split_limited); + counter_u64_zero(rack_find_high); + counter_u64_zero(rack_runt_sacks); + counter_u64_zero(rack_used_tlpmethod); +@@ -622,6 +629,11 @@ + OID_AUTO, "pktdelay", CTLFLAG_RW, + &rack_pkt_delay, 1, + "Extra RACK time (in ms) besides reordering thresh"); ++ SYSCTL_ADD_U32(&rack_sysctl_ctx, ++ SYSCTL_CHILDREN(rack_sysctl_root), ++ OID_AUTO, "split_limit", CTLFLAG_RW, ++ &rack_map_split_limit, 0, ++ "Is there a limit on the number of map split entries (0=unlimited)"); + 
SYSCTL_ADD_S32(&rack_sysctl_ctx, + SYSCTL_CHILDREN(rack_sysctl_root), + OID_AUTO, "inc_var", CTLFLAG_RW, +@@ -757,7 +769,19 @@ + SYSCTL_CHILDREN(rack_sysctl_root), + OID_AUTO, "allocemerg", CTLFLAG_RD, + &rack_to_alloc_emerg, +- "Total alocations done from emergency cache"); ++ "Total allocations done from emergency cache"); ++ rack_alloc_limited_conns = counter_u64_alloc(M_WAITOK); ++ SYSCTL_ADD_COUNTER_U64(&rack_sysctl_ctx, ++ SYSCTL_CHILDREN(rack_sysctl_root), ++ OID_AUTO, "alloc_limited_conns", CTLFLAG_RD, ++ &rack_alloc_limited_conns, ++ "Connections with allocations dropped due to limit"); ++ rack_split_limited = counter_u64_alloc(M_WAITOK); ++ SYSCTL_ADD_COUNTER_U64(&rack_sysctl_ctx, ++ SYSCTL_CHILDREN(rack_sysctl_root), ++ OID_AUTO, "split_limited", CTLFLAG_RD, ++ &rack_split_limited, ++ "Split allocations dropped due to limit"); + rack_sack_proc_all = counter_u64_alloc(M_WAITOK); + SYSCTL_ADD_COUNTER_U64(&rack_sysctl_ctx, + SYSCTL_CHILDREN(rack_sysctl_root), +@@ -1121,10 +1145,11 @@ + { + struct rack_sendmap *rsm; + +- counter_u64_add(rack_to_alloc, 1); +- rack->r_ctl.rc_num_maps_alloced++; + rsm = uma_zalloc(rack_zone, M_NOWAIT); + if (rsm) { ++alloc_done: ++ counter_u64_add(rack_to_alloc, 1); ++ rack->r_ctl.rc_num_maps_alloced++; + return (rsm); + } + if (rack->rc_free_cnt) { +@@ -1132,14 +1157,46 @@ + rsm = TAILQ_FIRST(&rack->r_ctl.rc_free); + TAILQ_REMOVE(&rack->r_ctl.rc_free, rsm, r_next); + rack->rc_free_cnt--; +- return (rsm); ++ goto alloc_done; + } + return (NULL); + } + ++/* wrapper to allocate a sendmap entry, subject to a specific limit */ ++static struct rack_sendmap * ++rack_alloc_limit(struct tcp_rack *rack, uint8_t limit_type) ++{ ++ struct rack_sendmap *rsm; ++ ++ if (limit_type) { ++ /* currently there is only one limit type */ ++ if (rack_map_split_limit > 0 && ++ rack->r_ctl.rc_num_split_allocs >= rack_map_split_limit) { ++ counter_u64_add(rack_split_limited, 1); ++ if (!rack->alloc_limit_reported) { ++ rack->alloc_limit_reported = 1; 
++ counter_u64_add(rack_alloc_limited_conns, 1); ++ } ++ return (NULL); ++ } ++ } ++ ++ /* allocate and mark in the limit type, if set */ ++ rsm = rack_alloc(rack); ++ if (rsm != NULL && limit_type) { ++ rsm->r_limit_type = limit_type; ++ rack->r_ctl.rc_num_split_allocs++; ++ } ++ return (rsm); ++} ++ + static void + rack_free(struct tcp_rack *rack, struct rack_sendmap *rsm) + { ++ if (rsm->r_limit_type) { ++ /* currently there is only one limit type */ ++ rack->r_ctl.rc_num_split_allocs--; ++ } + rack->r_ctl.rc_num_maps_alloced--; + if (rack->r_ctl.rc_tlpsend == rsm) + rack->r_ctl.rc_tlpsend = NULL; +@@ -3955,7 +4012,7 @@ + /* + * Need to split this in two pieces the before and after. + */ +- nrsm = rack_alloc(rack); ++ nrsm = rack_alloc_limit(rack, RACK_LIMIT_TYPE_SPLIT); + if (nrsm == NULL) { + /* + * failed XXXrrs what can we do but loose the sack +@@ -4016,7 +4073,7 @@ + goto do_rest_ofb; + } + /* Ok we need to split off this one at the tail */ +- nrsm = rack_alloc(rack); ++ nrsm = rack_alloc_limit(rack, RACK_LIMIT_TYPE_SPLIT); + if (nrsm == NULL) { + /* failed rrs what can we do but loose the sack info? */ + goto out; +--- sys/netinet/tcp_stacks/tcp_rack.h.orig ++++ sys/netinet/tcp_stacks/tcp_rack.h +@@ -55,8 +55,10 @@ + uint8_t r_sndcnt; /* Retran count, not limited by + * RACK_NUM_OF_RETRANS */ + uint8_t r_in_tmap; /* Flag to see if its in the r_tnext array */ +- uint8_t r_resv[3]; ++ uint8_t r_limit_type; /* is this entry counted against a limit? 
*/ ++ uint8_t r_resv[2]; + }; ++#define RACK_LIMIT_TYPE_SPLIT 1 + + TAILQ_HEAD(rack_head, rack_sendmap); + +@@ -242,7 +244,7 @@ + uint32_t rc_num_maps_alloced; /* Number of map blocks (sacks) we + * have allocated */ + uint32_t rc_rcvtime; /* When we last received data */ +- uint32_t rc_notused; ++ uint32_t rc_num_split_allocs; /* num split map entries allocated */ + uint32_t rc_last_output_to; + uint32_t rc_went_idle_time; + +@@ -311,7 +313,8 @@ + uint8_t rack_tlp_threshold_use; + uint8_t rc_allow_data_af_clo: 1, + delayed_ack : 1, +- rc_avail : 6; ++ alloc_limit_reported : 1, ++ rc_avail : 5; + uint8_t r_resv[2]; /* Fill to cache line boundary */ + /* Cache line 2 0x40 */ + struct rack_control r_ctl; Added: head/share/security/patches/SA-19:08/rack.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-19:08/rack.patch.asc Wed Jun 19 16:54:06 2019 (r53171) 
@@ -0,0 +1,18 @@ +-----BEGIN PGP SIGNATURE----- + +iQKTBAABCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZ0ZfFIAAAAAALgAo +aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD +MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n +5cJOQg/+Jd8CDSaVJ+s6mB6ZWEfwPlLOn2t8eRr0Wm1+JgcWvLZyXfDKkyBmO998 +SAV8eIKveF+hvA9CRy8/ZHU+NLLERqS6PdzTtFhITMbS1Jnn7foPNzr3B45hZMmC +g08fMvQB8gbOMrBJc0KZWgQywyMmNcr9Mudo6rj+D75tYTSnimxevOny7cSfixL/ +MtASHue0cU3OcPC/Z9tDptDnsFNKpXIrK4iHKN6jO5lrn+kZnWVHAPHlB2fxC9ny +nuwfoXxABdYAhpG5Bh9IV5wfd9TEyg4WWUtR/t2LvxDRJaovlz6IT0buI4j/Ulqs +UlXQ8FHBt36b8TGzx1pZYUAYK4dZlil6UTGERs7Bxoi8+OR7kaYHCCmAq4ql0d5/ +8gPAJqb/wbsM48jCV9nvl0j8QuDrLObmEVWgXON9ZxpXwzL3RdyuI58rklIOTXoh +5Du1rkBL3CD1gXUynroTWLjCBabT4nLT97wd1xbg9OyxRclW/N1/v+PALARG4o6A +zG6YlSpTqZp/bdiAweEqTiuTCGdSJMkbJOox1jZD6MK570vojoqS2xhlWZzGPEk2 +cKlpiTZowIEVQEeWvOj3doLD9bfkShWpnjYLUnh0dAY+l9cD27JlJwHqoumMZMv4 +CHZ9CO5crPhi0TKBP+uHaLpk6QRCHETH9mZ7n5OLtjVbncFBmsk= +=5bec +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Wed Jun 19 14:50:39 2019 (r53170) +++ head/share/xml/advisories.xml Wed Jun 19 16:54:06 2019 (r53171) @@ -8,6 +8,20 @@ <name>2019</name> <month> + <name>6</name> + + <day> + <name>19</name> + + <advisory> + <name>FreeBSD-SA-19:08.rack</name> + </advisory> + + </day> + + </month> + + <month> <name>5</name> <day> Modified: head/share/xml/notices.xml ============================================================================== --- head/share/xml/notices.xml Wed Jun 19 14:50:39 2019 (r53170) +++ head/share/xml/notices.xml Wed Jun 19 16:54:06 2019 (r53171) @@ -8,6 +8,19 @@ <name>2019</name> <month> + <name>6</name> + + <day> + <name>19</name> + + <notice> + <name>FreeBSD-EN-19:11.net</name> + </notice> + + </day> + </month> + + <month> <name>5</name> <day>
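Review bot: in the net.patch hunk for sys/net/if.c that rewrites if_addr_rlock()/if_addr_runlock() and if_maddr_rlock()/if_maddr_runlock() (@@ -1764,35 +1790,47 @@), the lock is now a per-CPU MTX_DEF mutex picked with DPCPU_PTR() after sched_pin(), and the ifp argument is no longer used at all, so the lock is no longer per-interface. A thread that takes if_addr_rlock() on a second interface while still holding it on the first (which the old per-ifp tracker permitted) now re-locks the same non-recursive mutex, which mutex(9) treats as a bug. Either initialise the mutexes with MTX_RECURSE and keep a depth count so epoch_enter_preempt() runs only on the outermost acquisition, or state in the comment above the wrappers that these calls must not nest. The same comment should mention that readers on one CPU now serialise on that mutex and that a holder preempted inside the section blocks the next caller on that CPU until it runs again, so consumers should keep the read section short.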
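Review bot: in the net.patch hunk for sys/net/if_var.h, the two struct epoch_tracker members become `void *if_unused[4]` without a comment; the intent reads as keeping struct ifnet the same size so modules built against the old header still load, but nothing in the patch verifies that four pointers equal two trackers on every architecture. Suggest a one-line comment on if_unused saying what it pads for, plus a compile-time check in if.c such as CTASSERT(2 * sizeof(struct epoch_tracker) == sizeof(void *[4])), so a later change to epoch_tracker cannot silently shift every field that follows.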
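Review bot: in the rack.patch hunks that add `static uint32_t rack_map_split_limit = 0; /* unlimited by default */` (@@ -203,6 +203,7 @@) and the `split_limit` sysctl described as "(0=unlimited)" (@@ -622,6 +629,11 @@), the new cap on split map entries is disabled unless an administrator sets it, so a system that applies this patch and reloads tcp_rack is still exposed to the unbounded list growth SA-19:08 describes until the sysctl is changed, and neither the patch nor section V of the advisory says so. Either ship a non-zero default or add a sentence to the advisory's Solution section naming the split_limit sysctl that must be set after the module is reloaded.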
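Review bot: in the rack.patch hunk covering rack_alloc(), rack_alloc_limit() and rack_free() (@@ -1132,14 +1157,46 @@), r_limit_type is written only when limit_type is non-zero and is never cleared, yet rack_free() decrements rc_num_split_allocs whenever it is non-zero. rack_alloc() returns items from uma_zalloc() without M_ZERO and recycles entries from rc_free, so unless every caller zeroes a fresh entry, a reused entry can carry a stale r_limit_type, and rack_free() will then decrement a counter that was never incremented for it; once the uint32_t rc_num_split_allocs wraps, `rc_num_split_allocs >= rack_map_split_limit` is permanently true and every split is refused. Suggest `rsm->r_limit_type = 0;` right after the successful allocation in rack_alloc() (at the `alloc_done:` label). Style point on the neighbouring hunk (@@ -1121,10 +1145,11 @@): `goto alloc_done` jumps backward into the body of `if (rsm)`; moving the counter updates to one exit path, e.g. `if (rsm != NULL) { counter_u64_add(...); rack->r_ctl.rc_num_maps_alloced++; } return (rsm);`, avoids jumping into a block.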
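Review bot: section IV (Workaround) of FreeBSD-SA-19:08.rack.asc tells operators to `kldunload tcp_rack`, possibly with `-f`, but says nothing about what a forced unload does to connections currently running on the RACK stack or how to move them back to the base stack first; since the same section already points at net.inet.tcp.functions_available, one sentence on handling active RACK connections before the unload would keep readers from forcing the module out blind.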