=============================================================================
FreeBSD-EN-19:01.cc_cubic                                       Errata Notice
                                                          The FreeBSD Project

Topic:          Connection stalls with CUBIC congestion control

Category:       core
Module:         tcp
Announced:      2019-01-09
Credits:        Matt Garber, Hiren Panchasara
Affects:        FreeBSD 12.0
Corrected:      2018-12-17 21:46:42 UTC (stable/12, 12.0-STABLE)
                2019-01-09 18:38:35 UTC (releng/12.0, 12.0-RELEASE-p2)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

CUBIC is a modern congestion control algorithm for the Transmission Control
Protocol (TCP), which along with its predecessor BIC TCP is specifically
optimized for high bandwidth, high latency networks.  It is widely
implemented across a variety of operating systems, and is the default TCP
implementation or enabled by default in recent versions of Linux and
Microsoft Windows.  CUBIC has been available as an alternate congestion
control algorithm since FreeBSD 9.0 using the cc_cubic module.

II.  Problem Description

Changes to the cc_cubic module in FreeBSD 12.0 can cause network stuttering
or connection stalls when loaded and enabled as default.

III. Impact

FreeBSD 12.0 systems loading cc_cubic and setting non-default sysctl value
net.inet.tcp.cc.algorithm=cubic exhibit stuttering and complete stalls of
network connections.  Under certain conditions, this may cause loss of
system availability over the network or service unreachability.

IV.  Workaround

Disabling cc_cubic and selecting one of the alternate included congestion
control algorithms (e.g., newreno, htcp) will restore normal network
connectivity and alleviate stuttering and stalls.  Note that disabling
CUBIC may cause a reduction in expected performance based on specific,
unique network condition characteristics and the module used as a
workaround.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for FreeBSD errata update"

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch
# fetch https://security.FreeBSD.org/patches/EN-19:01/cc_cubic.patch.asc
# gpg --verify cc_cubic.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r342181
releng/12.0/                                                      r342893
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
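
Added example (not part of the FreeBSD advisory): a shell check that
combines the conditions from sections III and VI to report whether a host
still needs the workaround or the fix.  The function name
cubic_en1901_status is hypothetical, the running kernel's `uname -r`
string is assumed to reflect the installed patch level, and for
12.0-STABLE the caller must supply the base SVN revision.

```shell
#!/bin/sh
# Added example: classify a host against the EN-19:01.cc_cubic conditions.
# Inputs are arguments so the logic can be exercised without a FreeBSD host.

# cubic_en1901_status RELEASE ALGORITHM [SVN_REVISION]
#   RELEASE       output of `uname -r`, e.g. 12.0-RELEASE-p1
#   ALGORITHM     output of `sysctl -n net.inet.tcp.cc.algorithm`
#   SVN_REVISION  numeric base revision, only used for 12.0-STABLE
# Prints one of: not-applicable, affected, corrected, unknown
cubic_en1901_status() {
    release=$1 algo=$2 rev=${3:-}

    # The stalls only occur when cubic is the selected algorithm.
    [ "$algo" = "cubic" ] || { echo not-applicable; return 0; }

    case $release in
        12.0-RELEASE)
            echo affected ;;
        12.0-RELEASE-p*)
            # Corrected in 12.0-RELEASE-p2 (releng/12.0).
            plevel=${release#12.0-RELEASE-p}
            case $plevel in
                ''|*[!0-9]*) echo unknown ;;
                *) if [ "$plevel" -ge 2 ]; then echo corrected; else echo affected; fi ;;
            esac ;;
        12.0-STABLE)
            # Corrected in stable/12 at r342181.
            case $rev in
                ''|*[!0-9]*) echo unknown ;;
                *) if [ "$rev" -ge 342181 ]; then echo corrected; else echo affected; fi ;;
            esac ;;
        12.0-*) echo unknown ;;          # other 12.0 builds: not covered by the notice's table
        *)      echo not-applicable ;;   # the notice lists only FreeBSD 12.0 as affected
    esac
}

# On a FreeBSD host, report the status and print the section IV workaround.
if [ "$(uname -s)" = "FreeBSD" ]; then
    status=$(cubic_en1901_status "$(uname -r)" "$(sysctl -n net.inet.tcp.cc.algorithm)")
    echo "EN-19:01.cc_cubic: $status"
    if [ "$status" = "affected" ]; then
        echo "available algorithms: $(sysctl -n net.inet.tcp.cc.available)"
        echo "workaround: sysctl net.inet.tcp.cc.algorithm=newreno"
    fi
fi
```

The script only prints the workaround command; it does not change the
running configuration.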