upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-02-22 01:11:30 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions
opnsense-src/sys
History
Roger Pau Monné 4e4e43dc9e xen: allow limiting the amount of duplicated pending xenstore watches 
Xenstore watches received are queued in a list and processed in a
deferred thread. Such queuing was done without any checking, so a
guest could potentially trigger a resource starvation against the
FreeBSD kernel if such kernel is watching any user-controlled xenstore
path.

Allowing limiting the amount of pending events a watch can accumulate
to prevent a remote guest from triggering this resource starvation
issue.

For the PV device backends and frontends this limitation is only
applied to the other end /state node, which is limited to 1 pending
event, the rest of the watched paths can still have unlimited pending
watches because they are either local or controlled by a privileged
domain.

The xenstore user-space device gets special treatment as it's not
possible for the kernel to know whether the paths being watched by
user-space processes are controlled by a guest domain. For this reason
watches set by the xenstore user-space device are limited to 1000
pending events. Note this can be modified using the
max_pending_watch_events sysctl of the device.

This is XSA-349.

Sponsored by:	Citrix Systems R&D
MFC after:	3 days
2020-12-30 11:18:26 +01:00
..
amd64 amd64 nmi handler: fix comment about %ebx 2020-12-27 12:59:33 +02:00
arm ARM: Enhance common Nvidia Tegra drivers by support for Tegra210 SoC. 2020-12-26 19:13:10 +01:00
arm64 Tegra210: Connect to GENERIC kernel. 2020-12-30 11:01:47 +01:00
bsm Expose eventfd in the native API/ABI using a new __specialfd syscall 2020-12-27 12:57:26 +02:00
cam ada(4): remove remainder of MD geometry translation support 2020-12-25 20:20:54 +01:00
cddl Check that the frame pointer is within the current stack. 2020-12-08 18:00:58 +00:00
compat Regen. 2020-12-27 12:57:27 +02:00
conf kern.mk: drop flag only patched in-tree gcc understood 2020-12-28 14:03:36 -08:00
contrib Improve error message printing in krping. 2020-12-28 14:37:09 +01:00
crypto Revert r366943. It did not work as expected. 2020-12-11 00:42:53 +00:00
ddb Add a kstack_contains() helper function. 2020-12-01 17:04:46 +00:00
dev xen: allow limiting the amount of duplicated pending xenstore watches 2020-12-30 11:18:26 +01:00
dts
fs devfs(4): defer freeing until we drop devmtx ("cdev") 2020-12-29 13:47:36 +00:00
gdb gdb(4): allow bulk write of registers 2020-12-23 14:37:05 -04:00
geom geom(4): make g_newprovider_event() return if G_P_WITHER is set 2020-12-29 14:29:59 +00:00
gnu ARM64: Port FreeBSD to Nvidia Jetson TX1 and Nano. 2020-12-28 14:12:41 +01:00
i386 gdb(4) fix x86 signal reporting 2020-12-23 15:40:14 -04:00
isa
kern cache: work around corner case of dvp == tvp in cache_fplookup_final_modifying 2020-12-28 21:38:20 +00:00
kgssapi
libkern
mips mips: fix build w/ TICK_USE_MALTA_RTC defined 2020-12-25 19:47:45 +01:00
modules Move cp(4) module enable to SOURCELESS_HOST 2020-12-28 19:36:51 -05:00
net Streamline the infiniband code according to the ethernet code. 2020-12-29 18:01:57 +01:00
net80211 net80211: fix a typo 2020-11-04 12:07:33 +00:00
netgraph Use light-weight versions of routing lookup functions in ng_netflow. 2020-12-26 11:27:38 +00:00
netinet Fix default route handling in radix4_lockless algo. 2020-12-26 22:51:02 +00:00
netinet6 Add modular fib lookup framework. 2020-12-25 11:33:17 +00:00
netipsec
netpfil pf: Use counter(9) for pf_state byte/packet tracking 2020-12-23 12:03:21 +01:00
netsmb
nfs
nfsclient
nfsserver nfs: Mark unused statistics variable as reserved 2020-11-18 04:35:49 +00:00
nlm
ofed Fix for referencing file via its vnode in ibore. 2020-11-02 10:44:29 +00:00
opencrypto Remove the cloned file descriptors for /dev/crypto. 2020-11-25 00:10:54 +00:00
powerpc Enable ROUTE_MPATH support in GENERIC kernels. 2020-12-14 22:23:08 +00:00
riscv Skip the vm.pmap.kernel_maps sysctl by default. 2020-12-18 20:41:23 +00:00
rpc Add a new "tlscertname" NFS mount option. 2020-12-23 13:42:55 -08:00
security audit: rework AUDIT_SYSCLOSE 2020-12-17 18:52:04 +00:00
sys kern: efirt: correct configuration table entry size 2020-12-29 11:38:34 -06:00
teken
tests
tools Use a template assembly file for firmware object files. 2020-12-17 20:31:17 +00:00
ufs ffs: Avoid out-of-bounds accesses in the fs_active bitmap 2020-12-23 11:16:40 -05:00
vm vm: Fix some bugs in the page busying code 2020-12-27 17:01:44 -05:00
x86 x86: stop punishing VMs with low priority for TSC timecounter 2020-12-23 12:45:15 +02:00
xdr
xen xen: allow limiting the amount of duplicated pending xenstore watches 2020-12-30 11:18:26 +01:00
Makefile