FreeBSD Errata Notices
2019-Jan-09 19:40 UTC
[FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-19:01.cc_cubic
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================FreeBSD-EN-19:01.cc_cubic Errata Notice The FreeBSD Project Topic: Connection stalls with CUBIC congestion control Category: core Module: tcp Announced: 2019-01-09 Credits: Matt Garber, Hiren Panchasara Affects: FreeBSD 12.0 Corrected: 2018-12-17 21:46:42 UTC (stable/12, 12.0-STABLE) 2019-01-09 18:38:35 UTC (releng/12.0, 12.0-RELEASE-p2) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background CUBIC is a modern congestion control algorithm for the Transmission Control Protocol (TCP), which along with its predecessor BIC TCP is specifically optimized for high bandwidth, high latency networks. It is widely implemented across a variety of operating systems, and is the default TCP implementation or enabled by default in recent versions of Linux and Microsoft Windows. CUBIC is available as an alternate congestion control algorithm since FreeBSD 9.0 using the cc_cubic module. II. Problem Description Changes to the cc_cubic module in FreeBSD 12.0 can cause network stuttering or connection stalls when loaded and enabled as default. III. Impact FreeBSD 12.0 systems loading cc_cubic and setting non-default sysctl value net.inet.tcp.cc.algorithm=cubic exhibit stuttering and complete stalls of network connections. Under certain conditions, this may cause loss of system availability over the network or service unreachability. IV. Workaround Disabling cc_cubic and selecting one of the alternate included congestion control algorithms (e.g., newreno, htcp) will restore normal network connectivity and alleviate stuttering and stalls. Note that disabling CUBIC may cause a reduction in expected performance based on specific, unique network condition characteristics and the module used as a workaround. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +30 "Rebooting for FreeBSD errata update" 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch # fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch.asc # gpg --verify cc_cubic.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/12/ r342181 releng/12.0/ r342893 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> VII. References The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-19:01.cc_cubic.asc> -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlw2Rb5fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cJGyRAAnpturBqU4XIZMdvInaVHOXA5P6KemeFuJkwz/aMtIbgefm49lvZVS4q6 RO8/GytONX1OHaoJQDdincVfRbe9x+ID+ulCJfSLuZMhjLYpxDQJo9d4NWZtvpBn 3wJNEQEXB0AjrYUOrebiT7yd3zA4f+7zSHu0Uvq4k5Tk0Xxsqxsx3/MG5ezEmdxx IWub1RnYvgmUVJBKn/C5A4v17dE12VnZtLrnfhZ4K3U3mVZYc3cJxF34wSscVqYd iAsntF786FV+hAXBX7wHa3JIqe+uXE2uemrquNmxgup+zrbVWPWPirgku2TVcvsm m9aQILNc9RvJ/XkViLV8+ypqCymBFsl3VhO3dzmOnsbL72G9rqjQtgdYWT2dp69p VyU4EWsTULXIbIBNxyrYhinT+DAqyt8bdrtyT3AhcVJaVk5B5APWnXiwjgS4mPN9 hf2mCjZw10tJgsqYYrBlTERomgHU/pyliu0Rt2sof5+iGArbe7ZhEorHrM7YhD9n Hc+3oNzA0dYDStJQpEb4rJ7dEKP/mpppwIosMhPbku6u3ViafCJVq2dIGNQpDope Mh00Kk7cY0o3Rukw2lGNc9vDbIyUSqT/jV4lBDhp4k5ilQynvkMZETLlynI+KQUH J2uOOvYzkIZLzZyXtaQfkmrkV6DxzmjxDsqwiMz5DB7o70w/M54=e8Wg -----END PGP SIGNATURE-----