No longer accept plaintext A-MSDU frames that start with an RFC1042
header with EtherType EAPOL. This is done by only accepting EAPOL
packets that are included in non-aggregated 802.11 frames.
Note that before this patch, FreeBSD also only accepted EAPOL frames
that are sent in a non-aggregated 802.11 frame due to bugs in
processing EAPOL packets inside A-MSDUs. In other words,
compatibility with legitimate devices remains the same.
This relates to section 6.5 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.
Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26144
PR: 256120
MFC after: 7 days
Differential Revision: https://reviews.freebsd.org/D30665
Mitigate A-MSDU injection attacks by detecting if the destination address
of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so
dropping the complete A-MSDU frame. This mitigates known attacks,
although new (unknown) aggregation-based attacks may remain possible.
This defense works because in A-MSDU aggregation injection attacks, a
normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means
the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042
header. In other words, the destination MAC address of the first A-MSDU
subframe contains the start of an RFC1042 header during an aggregation
attack. We can detect this and thereby prevent this specific attack.
This relates to section 7.2 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.
Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-24588
PR: 256119
Differential Revision: https://reviews.freebsd.org/D30664
ieee80211_defrag() accepts fragmented 802.11 frames in a protected Wi-Fi
network even when some of the fragments are not encrypted.
Track whether the fragments are encrypted or not and only accept
successive ones if they match the state of the first fragment.
This relates to section 6.3 in the 2021 Usenix "FragAttacks" (Fragment
and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation)
paper.
Submitted by: Mathy Vanhoef (Mathy.Vanhoef kuleuven.be)
Security: CVE-2020-26147
PR: 256118
Differential Revision: https://reviews.freebsd.org/D30663
Looking for "tsc-tsc" in the pmu tables will fail every time. Instead,
make this an alias for the static TSC event defined in pmc_events.h.
This fixes 'pmcstat -s cycles' on Intel and AMD.
Reviewed by: emaste
MFC after: 1 week
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32197
The code would incorrectly use curthread instead of the target proc to
resolve vnodes.
Fixes: 8d03b99b9d ("fd: move vnodes out of filedesc into a dedicated structure")
PR: 258729
Noted by: Damjan Jovanovic <damjan.jov@gmail.com>
Issue: Devices wont go away after the link down.
Device lost timer functionality in ocs_fc is broken,
`is_target` flag is not set in the target database and target delete is skipped.
Fix: Remove unused flags and delete the device when timer expires.
Reported by: ken@kdm.org
Reviewed by: mav, ken
Proper error recovery depends on freezing the device queue when an
error occurs, so we can recover from an error before sending
additional commands.
The ocs_fc(4) driver was not freezing the device queue for most
SCSI errors, and that broke error recovery.
sys/dev/ocs_fc/ocs_cam.c:
In ocs_scsi_initiator_io_cb(), freeze the device queue if
we're passing back status other than CAM_REQ_CMP.
Submitted by: ken@kdm.org
Reviewed by: mav, ken
In ocs_scsi_initiator_io_cb(), if the SCSI command that is
getting completed had a residual equal to the transfer length,
it was setting the CCB status to CAM_REQ_CMP.
That breaks the expected behavior for commands like READ ATTRIBUTE.
For READ ATTRIBUTE, if the first attribute requested doesn't exist,
the command is supposed to return an error (Illegal Request,
Invalid Field in CDB). The broken behavior for READ ATTRIBUTE
caused LTFS tape formatting to fail. It looks for attribute
0x1623, and expects to see an error if the attribute isn't present.
In addition, if the residual is negative (indicating an overrun),
only set the CCB status to CAM_DATA_RUN_ERR if we have not already
reported an error. The SCSI sense data will have more detail about
what went wrong.
sys/dev/ocs_fc/ocs_cam.c:
In ocs_scsi_initiator_io_cb(), don't set the status to
CAM_REQ_CMP if the residual is equal to the transfer length.
Also, only set CAM_DATA_RUN_ERR if we didn't get SCSI
status.
Submitted by: ken@kdm.org
Reviewed by: mav, ken
Use refcounting to delay the detach rather than device_busy and/or
device_unbusy. fd/fdc is one of the few consumers of device_busy in the
tree for that, and it's not a good fit. Also, nothing is waking 'fd' and
other drivers don't loop like this. Return EBUSY if we still have active
users.
Sponsored by: Netflix
Reviewed by: mav
Differential Revision: https://reviews.freebsd.org/D31830
The ng_h4 module was disconnected 13 years ago when the tty later was
locked by Ed. It completely fails to compile, and has a number of false
positives for Giant use. Remove it for lack of interest. Bluetooth has
largely (completely?) moved on from bluetooth over UART transport.
OK'd by: emax
Sponsored by: Netflix
Differential Revision: https://reviews.freebsd.org/D31846
NAT hash tables are inverted for inbound vs outbound. Rather than spend
the time and cycles swapping them, let's simply calculate the bucket
lengths inversely.
MFC after: 1 week
It is removed from Linux since 4.11.
In FreeBSD it results in several #ifdefs in drm-kmod.
Reviewed by: emaste, hselasky, manu
Differential revision: https://reviews.freebsd.org/D32169
For now, disable backlight if brightness level is set to 0.
In the future we may implement separate knob in backlight(8).
Required by drm-kmod v5.6
Reviewed by: hselasky, manu
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D32165
from other vm_objects. This workarounds "Page already inserted" panic
in vm_page_insert routine triggered on attempt to mmap file created
with shmem_file_setup call. After introduction of "GTT mmap
interface v4" a.k.a. MMAP_OFFSET, vm_objects allocated by these calls
may try to own intersected sets of pages that leads to the assertion.
Reviewed by: kib
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D32090
Although drm-kmod contains better implementation which is able to
allocate real entries on pseudofs, this feature has never been used.
Starting from drm-kmod v5.6 old implementation began to leak entries
on each drm device close(). Now just drop pseudofs support instead of
fixing it in drm-kmod and provide stub in base.
Reviewed by: hselasky, manu
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D32069
from GEM and TTM page fault handlers and move it in to base system. This
code is tightly integrated with LKPI mmap support to belong to drm-kmod.
As this routine requires associated vm_object to be locked, it got
additional _locked suffix.
Reviewed by: hselasky, markj
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D32068
This fixes following warnings when shrinkers are invoked first time:
uma_zalloc_debug: zone "lkpicurr" with the following non-sleepable
locks held: exclusive sleep mutex lkpi-shrinker (lkpi-shrinker)
uma_zalloc_debug: zone "lkpimm" with the following non-sleepable locks
held: exclusive sleep mutex lkpi-shrinker (lkpi-shrinker)
Reviewed by: hselasky, manu
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D32066
except linux/pci.h to avoid conflicts with Linux version.
This allows to #define resource in drm-kmod globally and strip some #ifdef-s
Reviewed by: hselasky, manu
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D31673
get_file_rcu() grabs a file if the file->f_count is not zero.
Required by drm-kmod 5.6
Reviewed by: hselasky, manu (previous version)
MFC after: 2 weeks
Differential revision: https://reviews.freebsd.org/D31672
The implementation of the progress bar is simple, but duplicated for
most minidump implementations. Extract the common bits to kern_dump.c.
Ensure that the bar is reset with each subsequent dump; this was only
done on some platforms previously.
Reviewed by: markj
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31885
The function is identical in each minidump implementation, so move it to
vm_phys.c. The only slight exception is powerpc where the function was
public, for use in moea64_scan_pmap().
Reviewed by: kib, markj, imp (earlier version)
MFC after: 2 weeks
Sponsored by: Juniper Networks, Inc.
Sponsored by: Klara, Inc.
Differential Revision: https://reviews.freebsd.org/D31884
Add the table page table attributes on arm64 and use them to add
restrictions to the block and page entries below them. This ensures
we are unable to increase the permissions in these last level entries
without also changing them in the upper levels.
Use the attributes to ensure the kernel can't execute from userspace
memory and vice versa, userspace has no access to read or write kernel
memory, and that the DMAP region is non-executable.
Reviewed by: alc, kib
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D32081
We don't need to assert we have Giant here. All machines that require
the F00F workaround are UP and interrupts are disabled. Since we are
single threaded, it's safe to allocate the IDT area with pmap_trm_alloc,
interact with the current idt table and replace the IDT table without
any Giant locking.
Sponsored by: Netflix
Reviewed by: kib, markj
Differential Revision: https://reviews.freebsd.org/D31839
Add support for ACPI device probing for SDHCI controller found on Marvell chips.
Reviewed by: mw
Sponsored by: Semihalf
Differential revision: https://reviews.freebsd.org/D31600
This patch splits driver code into two seperate files sdhci_xenon.c
and sdhci_xenon_fdt.c. This will allow future implementation of ACPI
discovery of sdhci on Xenon chips.
Reviewed by: mw
Sponsored by: Semihalf
Differential revision: https://reviews.freebsd.org/D31599
The debug register dump routine is not hooked up and is really only
useful to driver developers, so put it under an mgb-specific MGB_DEBUG
rather than general DEBUG.
MFC after: 1 week
Fixes: 8890ab7758 ("Introduce if_mgb driver...")
Sponsored by: The FreeBSD Foundation
Add a missing "static" for non-{i386,amd64,arm64} which was missed in
c39eefe715. This should ifx the builds.
Sponsored by: The FreeBSD Foundation
MFC after: 7 days
X-MFC with: c39eefe715
