Age | Commit message | Author |
|
net/if_pppx.c pointed out by jsg@
ok gnezdo@ deraadt@ jsg@ mpi@ millert@
|
|
the whole vxlan address is used for lookups in the RB tree, so any
garbage on the stack where the address sits could confuse the lookup.
it looks like i was lucky before, but if you receive vxlan over
ipsec you are less lucky.
found by and fix tested by jason tubnor.
|
|
Tweak capitalization (from jmc)
|
|
while here turn ENETRESET into 0 in the ioctl path. there's no
hardware to reset.
|
|
you should only be able to change the tunnel rdomain when the
interface is down. i was accidentally making sure you could only
change the rdomain when the interface was up.
|
|
found by bluhm@ when he ran the regress tests.
|
|
bug reported by giovanni@
OK giovanni@
|
|
consistently means we do the check in pf_rule_copyin() so both
DIOCADDRULE and DIOCCHANGERULE have the prio values checked. this in
turn prevents invalid prio values getting set on a rule via
DIOCCHANGERULE.
this was caught by a kassert in the ifq priq code firing.
Reported-by: syzbot+a8f8e24a44b441e71d93@syzkaller.appspotmail.com
ok sashan@
|
|
if an open tun (or tap) device is destroyed via the clone destroy
ioctl (eg, like what ifconfig destroy does), there is a window while
the open device is being revoked on the vfs side that a third thread
can come and open it again. this in turn triggers a kassert in the
ifconfig destroy path where it expects the
device to be closed.
fix this by having tun_dev_open check for the TUN_DEAD flag that
the destroy function sets. this still relies on the kernel lock for
serialisation.
Reported-by: syzbot+5df2ad232f5f8b671442@syzkaller.appspotmail.com
ok visa@
|
|
the big change is removing the integration with and reliance on
bridge(4) for learning vxlan endpoints. we have the etherbridge
layer now (which is used by veb, nvgre, bpe, etc) so vxlan can
operate independently of bridge(4) (or any other driver) while still
dynamically learning about other endpoints.
vxlan now uses the udp socket upcall mechanism to receive packets.
this means it actually creates and binds udp sockets to use rather
than adding code in the udp layer for stealing packets from the udp
layer.
i think it's also important to note that this adds loop prevention
to the code. this stops a vxlan interface being used to transmit a
packet that was encapsulated in itself.
i want to clear this out of my tree where it's been sitting for
nearly a year. no one seems too concerned with the change either
way.
ok claudio@
|
|
OK dlg@
|
|
tun_dev_open and tun_dev_close were being optimistic.
|
|
it only works on struct ifnet data, so passing ifp makes it clearer
what's actually being manipulated. also fix tun_dev_open so
tun_link_state is called before if_put instead of immediately after.
|
|
posix requires a byte to be 8 bits
|
|
and then rounded before checking. Put the same check before the
calculations to avoid overflow.
Reported-by: syzbot+6f29d23eca959c5a9705@syzkaller.appspotmail.com
OK claudio@
|
|
This avoids verb overlap with f_modify.
|
|
OK mpi@
|
|
div-by-zero in pf_purge()
Reported-by: syzbot+e720e3bab51366d7b667@syzkaller.appspotmail.com
OK deraadt@
|
|
crash noticed by gnezdo, a separate commit will fix the identified
cause, but being careful at this point is a good idea.
ok sashan
|
|
correct equality check.
Found by and OK jsg@
|
|
bluhm@ hit a problem while running a regress test where a packet
generated and injected via bpf ends up being consumed by the network
stack. the stack assumes that packets are aligned properly, but bpf
was lazy and put whatever was written to it at the start of an mbuf.
ethernet has a 14 byte header, so if you put that at the start the
payload will be misaligned by 2 bytes.
bpf already has handling for different link header types, so this
handling is extended a bit to align the payload after the link
header.
while here we're fixing up a few error codes. short packets produce
EINVAL instead of EPERM, and packets larger than the biggest mbuf
the kernel supports generate EMSGSIZE.
with tweaks and ok bluhm@
|
|
apostrophe.
|
|
translation. Make stricter sanity checks in pf ioctl to avoid later
crashes during packet processing.
Reported-by: syzbot+0ef9190e7d0195496d0d@syzkaller.appspotmail.com
OK sashan@
|
|
arithmetic.
found by kubsan; joint work with tobhe@; OK millert@
|
|
found by kubsan; joint work with tobhe@; OK miod@
|
|
this is consistent with other drivers when they report their
underlying device being detached.
|
|
this builds on the mpsafe kq/kevent work visa has been doing.
normally kevents are notified by calling selwakeup, but selwakeup
needs the KERNEL_LOCK. because bpf runs from all sorts of contexts
that may or may not have the kernel lock, the call to selwakeup is
deferred to the systq which already has the kernel lock. while this
avoids spinning in bpf for the kernel lock, it still adds latency
between when the buffer is ready for a program and when that program
gets notified about it. now that bpf kevents are mpsafe and bpf_wakeup
is already holding the necessary locks, we can avoid that latency.
bpf_wakeup now checks if there are waiting kevents and notifies
them immediately. if there are no other things to wake up, bpf_wakeup
avoids the task_add (and associated reference counting) to defer
the selwakeup call.
selwakeup can still try to notify waiting kevents, so this uses the
hint passed to knote() to differentiate between the notification
from bpf_wakeup and selwakeup and returns early from the latter.
ok visa@
|
|
Use bd_mtx to serialize bpf knote handling. This allows calling the
event filter without the kernel lock.
OK mpi@
|
|
The lookup should not fail because the kernel lock should prevent
simultaneous detaching on the vnode layer. However, most other device
kqfilter routines check the lookup's outcome anyway, which is maybe
a bit more forgiving.
OK mpi@
|
|
this diff lets pf_rule_copyin() be called outside of PF_LOCK()/NET_LOCK().
OK bluhm@
|
|
OK bluhm@
|
|
interface. If this operation fails (probably due to missing firmware),
we must undo changes to the SIOCSIFXFLAGS xflags.
ok stsp.
|
|
ok deraadt@
|
|
everyone else seems to use ETHERTYPE_EAPOL, and as a bonus it also
appears to be more correct.
ok deraadt@ stsp@
|
|
trees. ipsp_ids_lookup() returns `ids' with a bumped reference
counter. original diff from mvs
ok mvs
|
|
ok jmc@ reads ok tb@
|
|
ok mvs@
Reported-by: syzbot+e2d1df67f742a5a47938@syzkaller.appspotmail.com
Reported-by: syzbot+72298724beda82ec8e7f@syzkaller.appspotmail.com
|
|
points in pppacopen() and pppacclose() paths. Use the same "sc_ready"
logic we use for 'pppx_if' structure.
Reported-by: syzbot+a7ac144b48f7f471f689@syzkaller.appspotmail.com
ok anton@ dlg@
|
|
if a vlan interface is configured on a vport interface, vlan(4)
will take the packet away from ether_input before the veb bridge
input handler gets to clear M_PROTO1. this leaves the flag on the
mbuf as it goes through the l3 stacks. if it goes back out a vport
into a veb, the presence of M_PROTO1 means the packet ends up getting
dropped, which is unexpected.
this diff specialises vport handling by veb even more to avoid the
problem the flag was handling. vports get their own bridge input
handler that skips veb processing completely because a packet being
received on a vport can only occur if a veb has decided to forward
it there and has already processed it. when the stack sends a packet
out a vport interface, then we do actual veb bridge input handling.
bug reported on misc@ and the fix tested by Simon Baker
|
|
Reported-by: syzbot+7718c5f69c595f76b298@syzkaller.appspotmail.com
OK bluhm@, OK jmatthew@
|
|
This is an old issue in pf(4): whenever a new interface appears
in the IP stack, we must reload pf.conf to apply 'set skip on ...'
to newly plumbed network interfaces. Time has come to fix it.
The idea is to also create pfi_kif for interfaces which are
referred to by 'set skip on ...'. Such pfi_kif instances are
created/destroyed by pfi_set_flags()/pfi_clear_flags().
claudio@ drew my attention to this in Gouveia. Also his
feedback helped me to put the change into shape.
OK claudio@
|
|
dirty hacks, it is better to protect IPsec input and output with
kernel lock. Not much is lost as crypto needs the kernel lock
anyway. From here we can refine the lock later.
Note that there is no kernel lock in the SPD lookup path. Goal is
to keep that lock free to allow fast forwarding with non IPsec
traffic.
tested by Hrvoje Popovski; OK tobhe@
|
|
'tdb_data' struct became unused and was removed.
Tested by Hrvoje Popovski.
ok bluhm@
|
|
sleep. So holding the tdb_sadb_mtx() when calling walker() is not
allowed. Move the TDB from the TDB-Hash to a temporary list that
is protected by netlock. Then unlock tdb_sadb_mtx and traverse the
list to call the walker.
OK mvs@
|
|
that is less likely to overflow the int type used. A BGP fullfeed is
now so big that this calculation overflowed and then got sign extended.
The result was for example 'route -n show' failures.
Problem identified with deraadt@
OK deraadt@ (more cleanup needed but this fix is a good start)
|