The command shows at most 256 addresses even if a bridge caches more
addresses. This occurs because the kernel doesn't return an error if the command
passes a short buffer that can't store all cached addresses; the kernel fills in
as many cached addresses as possible and returns them without indicating that
the result is truncated.
Fix the issue by reporting the required size of the buffer if the buffer passed
from the command is not large enough, which lets the command retry with a large
enough buffer.
Reported by k-goda@IIJ
Some callers of rtrequest1(RTM_ADD) adjust rt_ifa of an rtentry created by
rtrequest1 that may change rt_ifa (in ifa_rtrequest) with another ifa that is
different from the requested one. It's wasteful and, even worse, introduces a race
condition. rtrequest1 should just use a passed ifa as is if a caller hopes so.
1. npf unit tests. In this case only the npf subsystem is created
and dictionaries are passed directly.
2. kernel system tests (like the ipsec natt test). In this case, npf is
instantiated regularly as part of the kernel and dictionaries are
passed via ioctl.
We differentiate between the two cases by checking the "mbufops" member,
which is NULL regularly and non-NULL in the npf unit tests. Previously
this was done using an ifdef, which obviously can't work for both cases.
e.g. do the following commands.
====================
# ifconfig vlan0 create
# ifconfig vlan0 vlan 100 vlanif wm0
# ifconfig vlan0 -vlanif wm0
# ifconfig vlan0 vlan 100 vlanif wm0
====================
ATF net/if_vlan does this type of test; however, it cannot detect this bug
because shmif(4)'s ifp->if_hwdl is always NULL, as shmif(4)'s Ethernet
address has the U/L bit set.
See: https://nxr.netbsd.org/xref/src/sys/net/if_ethersubr.c#997
- This conversion significantly simplifies the code and moves NPF to
a binary serialisation format (replacing the XML-like format).
- Fix some memory/reference leaks and possibly use-after-free bugs.
- Bump NPF_VERSION as this change makes libnpf incompatible with the
previous versions. Also, different serialisation format means NPF
connection/config saving and loading is not compatible with the
previous versions either.
Thanks to christos@ for extra testing.
is of poor quality, and is now an obstacle to MP-ification. It was removed
ten years ago from FreeBSD for the same reason.
This retires a big user of the mbuf API, and will ease maintenance of the
kernel.
flags. bridge_enqueue() is called from bridge_output() when a packet is
spontaneous. Clear csum_flags before calling bridge_enqueue() in
bridge_forward() or bridge_broadcast() instead of in the beginning of
bridge_enqueue().
Note that this change doesn't fix a problem on the following configuration:
A bridge has two or more interfaces.
An address is assigned to a bridge member interface and
some offload flags are set.
Another interface has no address and has no offload flags.
XXX pullup-[78]
rt_free_global.enqueued can be set to true by rt_free during rt_free_work
because rt_free_work releases rt_free_global.lock. So rt_free_work must update
it once and not update after releasing the lock.
These functions are defined on unsigned int. The generic name
min/max should not silently truncate to 32 bits on 64-bit systems.
This is purely a name change -- no functional change intended.
HOWEVER! Some subsystems have
#define min(a, b) ((a) < (b) ? (a) : (b))
#define max(a, b) ((a) > (b) ? (a) : (b))
even though our standard name for that is MIN/MAX. Although these
may invite multiple evaluation bugs, these do _not_ cause integer
truncation.
To avoid `fixing' these cases, I first changed the name in libkern,
and then compile-tested every file where min/max occurred in order to
confirm that it failed -- and thus confirm that nothing shadowed
min/max -- before changing it.
I have left a handful of bootloaders that are too annoying to
compile-test, and some dead code:
cobalt ews4800mips hp300 hppa ia64 luna68k vax
acorn32/if_ie.c (not included in any kernels)
macppc/if_gm.c (superseded by gem(4))
It should be easy to fix the fallout once identified -- this way of
doing things fails safe, and the goal here, after all, is to _avoid_
silent integer truncations, not introduce them.
Maybe one day we can reintroduce min/max as type-generic things that
never silently truncate. But we should avoid doing that for a while,
so that existing code has a chance to be detected by the compiler for
conversion to uimin/uimax without changing the semantics until we can
properly audit it all. (Who knows, maybe in some cases integer
truncation is actually intended!)
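
The truncation this commit message is guarding against, shown in a copy-loop chunk calculation (an added example, not code from the NetBSD tree). `uimin` matches the name used above; `u64min` and the `chunk_*` functions are hypothetical names for this illustration, and the example assumes a 32-bit `unsigned int`.

```c
#include <stdint.h>
#include <stdio.h>

/* Defined on unsigned int, like the libkern helper the commit renames. */
static unsigned int uimin(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Hypothetical 64-bit helper for this example; not a libkern function. */
static uint64_t u64min(uint64_t a, uint64_t b) { return a < b ? a : b; }

/*
 * Bytes to move in the next round of a copy loop: min(remaining, bufsize).
 * Each uint64_t argument is implicitly converted to unsigned int at the
 * call, so the upper 32 bits are dropped before the comparison happens.
 */
uint64_t chunk_truncating(uint64_t remaining, uint64_t bufsize)
{
	return uimin(remaining, bufsize);
}

/* Same calculation with operands kept at their full width. */
uint64_t chunk_correct(uint64_t remaining, uint64_t bufsize)
{
	return u64min(remaining, bufsize);
}

int main(void)
{
	/* Constructed sizes: exactly 4 GiB, 4 GiB + 100, and a small value. */
	const uint64_t cases[] = { 1ULL << 32, (1ULL << 32) + 100, 1000 };

	for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
		printf("remaining=%llu truncating=%llu correct=%llu\n",
		    (unsigned long long)cases[i],
		    (unsigned long long)chunk_truncating(cases[i], 4096),
		    (unsigned long long)chunk_correct(cases[i], 4096));
	return 0;
}
```

With exactly 4 GiB remaining, the truncating version yields a chunk size of 0, so a loop built on it stops making progress; small values behave identically in both versions, which is why the defect stays hidden until a large operand appears.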
0      8           16          24    32
+------+-----------+-----------+------+
| data | MSS (low) | MSS (hig) | data |
+------+-----------+-----------+------+
^                  ^
old[0]             old[1]
And sets new[0,1] accordingly with the new value. The MSS-clamping code
then adjusts twice the checksum on a 16bit boundary:
from old[0] to new[0]
from old[1] to new[1]
Fixes PR/53479, opened by myself. Tested with wireshark and kASan.
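
The two-word checksum adjustment described above, as a stand-alone sketch (an added example, not the NPF code). The function names and the sample bytes are constructed for this illustration; it rewrites an MSS that sits at an odd byte offset and adjusts the checksum once per affected 16-bit word.

```c
#include <stddef.h>
#include <stdint.h>

/* Helpers: read a network-order 16-bit word; fold a sum down to 16 bits. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint16_t fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)sum;
}

/* Internet checksum (RFC 1071) over an even-length buffer. */
uint16_t cksum_full(const uint8_t *p, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2)
		sum += rd16(p + i);
	return (uint16_t)~fold(sum);
}

/* Incremental update (RFC 1624, eqn. 3) for one aligned 16-bit word. */
uint16_t cksum_fixup(uint16_t cksum, uint16_t oldw, uint16_t neww)
{
	return (uint16_t)~fold((uint32_t)(uint16_t)~cksum + (uint16_t)~oldw + neww);
}

/* Store mss at off (network order, caller bounds-checks); return new checksum. */
uint16_t mss_rewrite(uint8_t *seg, size_t off, uint16_t mss, uint16_t cksum)
{
	size_t w = off & ~(size_t)1;        /* first aligned word the field touches */
	size_t nwords = (off & 1) ? 2 : 1;  /* odd offset: MSS straddles two words */
	uint16_t old[2];

	for (size_t i = 0; i < nwords; i++)
		old[i] = rd16(seg + w + 2 * i);
	seg[off] = (uint8_t)(mss >> 8);
	seg[off + 1] = (uint8_t)(mss & 0xff);
	for (size_t i = 0; i < nwords; i++)  /* old[i] -> new[i], once per word */
		cksum = cksum_fixup(cksum, old[i], rd16(seg + w + 2 * i));
	return cksum;
}

int main(void)
{
	/* Constructed bytes: 2 data, NOP, MSS option (kind 2, len 4, 1460), EOL. */
	uint8_t seg[8] = { 0x12, 0x34, 0x01, 0x02, 0x04, 0x05, 0xb4, 0x00 };
	uint16_t ck = mss_rewrite(seg, 5, 1400, cksum_full(seg, sizeof seg));
	return ck != cksum_full(seg, sizeof seg);  /* exit 0 when both agree */
}
```

Treating the unaligned MSS as a single aligned word (`cksum_fixup(cksum, 1460, 1400)`) yields a different value than a full recomputation, because the field's bytes land in opposite halves of two checksum words.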
- Remove unused *_NAMES macros for sysctl.
- Remove unused *_MAXID for sysctls.
- Move CTL_MACHDEP sysctl definitions for m68k into m68k/include/cpu.h and
use them on all m68k machines.
ip6_undefer_csum -> in6_undefer_cksum
in6_delayed_cksum -> in6_undefer_cksum_tcpudp
The two previous names were inconsistent and misleading.
Put the two functions into in6_offload.c. Add comments to explain what
we're doing.
Same as IPv4.
filt_tunread gets called in two contexts:
- by calls to selnotify in if_tun.c (or knote, as the case may be,
but not here), in which case tp->tun_lock is held; and
- by internal logic in kevent, in which tp->tun_lock is not held.
The standard convention to discriminate between these two cases is by
setting the kernel-only NOTE_SUBMIT bit in the hint to selnotify or
knote; then in filt_*:
	if (hint & NOTE_SUBMIT)
		KASSERT(mutex_owned(&tp->tun_lock));
	else
		mutex_enter(&tp->tun_lock);
	...
	if (hint & NOTE_SUBMIT)
		KASSERT(mutex_owned(&tp->tun_lock));
	else
		mutex_exit(&tp->tun_lock);
Pointed out by and patch from riastradh@
Tested by ozaki-r@ (only the former path)
filt_tunread is called with tun_lock held from tun_output (via tun_output =>
selnotify => knote), so we must not take tun_lock in filt_tunread. The bug
is triggered only if a tun is used through kqueue.
Found by k-goda@IIJ
The umb(4) driver provides support for USB MBIM (Mobile Broadband
Interface Model) devices.
MBIM devices establish connections via cellular networks such as GPRS,
UMTS, and LTE. They appear as a regular point-to-point network interface, transporting raw IP frames.
Required configuration parameters like PIN and APN have to be set with
umbctl(8), a new tool specific to this driver. The IP address is configured
automatically; the default route and DNS server information have to be set
separately.
The driver is not fully functional yet; it is therefore still marked as
experimental and disabled by default. Any help welcome to complete it!
Tested on NetBSD/amd64, with a Sierra Wireless EM7345 LTE modem on a Lenovo
ThinkPad T440s. No functional change expected otherwise.