Merge pull request #3682 from microsoft/huanyi/2.2.2-backports

Co-authored-by: Nick Banks <[email protected]>
microsoft · Jun 9, 2023 · 901ea13 · 901ea13
2 parents 1295f72 + b540137
commit 901ea13
Show file tree

Hide file tree

Showing 19 changed files with 95 additions and 83 deletions.
diff --git a/.github/workflows/cargo.yml b/.github/workflows/cargo.yml
@@ -23,21 +23,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
-        egress-policy: block
-        allowed-endpoints: >
-          api.github.com:443
-          azure.archive.ubuntu.com:80
-          crates.io:443
-          dc.services.visualstudio.com:443
-          github.com:443
-          launchpad.net:443
-          packages.microsoft.com:443
-          ppa.launchpad.net:80
-          rubygems.org:443
-          sh.rustup.rs:443
-          static.crates.io:443
-          static.rust-lang.org:443
-          www.cloudflare.com:443
+        egress-policy: audit
     - name: Checkout repository
       uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
     - name: Prepare Machine

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -28,21 +28,7 @@ jobs:
       - name: Harden Runner
         uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
         with:
-          egress-policy: block
-          allowed-endpoints: >
-            api.github.com:443
-            auth.docker.io:443
-            boringssl.googlesource.com:443
-            ghcr.io:443
-            github.com:443
-            pkg-containers.githubusercontent.com:443
-            production.cloudflare.docker.com:443
-            registry-1.docker.io:443
-            archive.ubuntu.com:80
-            security.ubuntu.com:80
-            packages.microsoft.com:443
-            api.nuget.org:443
-            dc.services.visualstudio.com:443
+          egress-policy: audit
       - name: Checkout repository
         uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
         with:

diff --git a/.github/workflows/test-down-level.yml b/.github/workflows/test-down-level.yml
@@ -38,17 +38,7 @@ jobs:
     - name: Harden Runner
       uses: step-security/harden-runner@03bee3930647ebbf994244c21ddbc0d4933aab4f
       with:
-        egress-policy: block
-        allowed-endpoints: >
-          api.nuget.org:443
-          azure.archive.ubuntu.com:80
-          dc.services.visualstudio.com:443
-          github.com:443
-          launchpad.net:443
-          objects.githubusercontent.com:443
-          packages.microsoft.com:443
-          ppa.launchpad.net:80
-          rubygems.org:443
+        egress-policy: audit
     - name: Checkout repository
       uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       with:

diff --git a/scripts/make-packages.sh b/scripts/make-packages.sh
@@ -146,6 +146,7 @@ if [ "$OS" == "linux" ]; then
     --name ${NAME} \
     --provides ${NAME} \
     --depends "libcrypto.so.${TLSVERSION}()(${BITS})" \
+    --depends "libnuma.so.1()(${BITS})" \
     --conflicts ${CONFLICTS} \
     --version ${VER_MAJOR}.${VER_MINOR}.${VER_PATCH} \
     --description "${DESCRIPTION}" \
@@ -182,6 +183,7 @@ if [ "$OS" == "linux" ]; then
     --provides ${NAME} \
     --conflicts ${CONFLICTS} \
     --depends "libssl${TLSVERSION}" \
+    --depends "libnuma1" \
     --version ${VER_MAJOR}.${VER_MINOR}.${VER_PATCH} \
     --description "${DESCRIPTION}" \
     --vendor "${VENDOR}" \

diff --git a/src/bin/CMakeLists.txt b/src/bin/CMakeLists.txt
@@ -15,6 +15,9 @@ if(BUILD_SHARED_LIBS)
     set_target_properties(msquic PROPERTIES OUTPUT_NAME ${QUIC_LIBRARY_NAME})
     if (NOT WIN32)
         set_target_properties(msquic PROPERTIES SOVERSION ${QUIC_MAJOR_VERSION} VERSION ${QUIC_FULL_VERSION})
+    else()
+        # Configure linker to only load from the system directory.
+        set_target_properties(msquic PROPERTIES LINK_FLAGS "/DEPENDENTLOADFLAG:0x800")
     endif()
 else()
     add_library(msquic_static STATIC static/empty.c)

diff --git a/src/core/binding.c b/src/core/binding.c
@@ -1637,7 +1637,7 @@ QuicBindingReceive(
     // connection it was delivered to.
     //
 
-    uint32_t Proc = CxPlatProcCurrentNumber();
+    uint16_t Proc = QuicLibraryGetCurrentPartition();
     uint64_t ProcShifted = ((uint64_t)Proc + 1) << 40;
 
     CXPLAT_RECV_DATA* Datagram;

diff --git a/src/core/connection.c b/src/core/connection.c
@@ -64,7 +64,7 @@ QuicConnAlloc(
     )
 {
     BOOLEAN IsServer = Datagram != NULL;
-    uint32_t CurProcIndex = CxPlatProcCurrentNumber();
+    uint16_t CurProcIndex = QuicLibraryGetCurrentPartition();
     *NewConnection = NULL;
     QUIC_STATUS Status;
 
@@ -402,7 +402,7 @@ QuicConnFree(
     if (Connection->HandshakeTP != NULL) {
         QuicCryptoTlsCleanupTransportParameters(Connection->HandshakeTP);
         CxPlatPoolFree(
-            &MsQuicLib.PerProc[CxPlatProcCurrentNumber()].TransportParamPool,
+            &QuicLibraryGetPerProc()->TransportParamPool,
             Connection->HandshakeTP);
         Connection->HandshakeTP = NULL;
     }
@@ -423,7 +423,7 @@ QuicConnFree(
         "[conn][%p] Destroyed",
         Connection);
     CxPlatPoolFree(
-        &MsQuicLib.PerProc[CxPlatProcCurrentNumber()].ConnectionPool,
+        &QuicLibraryGetPerProc()->ConnectionPool,
         Connection);
 
 #if DEBUG
@@ -1539,6 +1539,12 @@ QuicConnTryClose(
         return;
     }
 
+    if (ClosedRemotely) {
+        Connection->State.ClosedRemotely = TRUE;
+    } else {
+        Connection->State.ClosedLocally = TRUE;
+    }
+
     if (!ClosedRemotely) {
 
         if ((Flags & QUIC_CLOSE_APPLICATION) &&
@@ -1654,12 +1660,6 @@ QuicConnTryClose(
         IsFirstCloseForConnection = FALSE;
     }
 
-    if (ClosedRemotely) {
-        Connection->State.ClosedRemotely = TRUE;
-    } else {
-        Connection->State.ClosedLocally = TRUE;
-    }
-
     if (IsFirstCloseForConnection) {
         //
         // Default to the timed out state.
@@ -2283,7 +2283,7 @@ QuicConnCleanupServerResumptionState(
         if (Connection->HandshakeTP != NULL) {
             QuicCryptoTlsCleanupTransportParameters(Connection->HandshakeTP);
             CxPlatPoolFree(
-                &MsQuicLib.PerProc[CxPlatProcCurrentNumber()].TransportParamPool,
+                &MsQuicLib.PerProc[QuicLibraryGetCurrentPartition()].TransportParamPool,
                 Connection->HandshakeTP);
             Connection->HandshakeTP = NULL;
         }
@@ -7185,7 +7185,7 @@ QuicConnApplyNewSettings(
             Connection->HandshakeTP == NULL) {
             CXPLAT_DBG_ASSERT(!Connection->State.Started);
             Connection->HandshakeTP =
-                CxPlatPoolAlloc(&MsQuicLib.PerProc[CxPlatProcCurrentNumber()].TransportParamPool);
+                CxPlatPoolAlloc(&QuicLibraryGetPerProc()->TransportParamPool);
             if (Connection->HandshakeTP == NULL) {
                 QuicTraceEvent(
                     AllocFailure,

diff --git a/src/core/inline.c b/src/core/inline.c
@@ -145,6 +145,11 @@ QuicLibraryGetCurrentPartition(
     void
     );
 
+QUIC_LIBRARY_PP*
+QuicLibraryGetPerProc(
+    void
+    );
+
 _IRQL_requires_max_(DISPATCH_LEVEL)
 uint16_t
 QuicPartitionIdCreate(

diff --git a/src/core/library.c b/src/core/library.c
@@ -2319,16 +2319,16 @@ QuicLibraryGenerateStatelessResetToken(
     )
 {
     uint8_t HashOutput[CXPLAT_HASH_SHA256_SIZE];
-    uint32_t CurProcIndex = CxPlatProcCurrentNumber();
-    CxPlatLockAcquire(&MsQuicLib.PerProc[CurProcIndex].ResetTokenLock);
+    QUIC_LIBRARY_PP* PerProc = QuicLibraryGetPerProc();
+    CxPlatLockAcquire(&PerProc->ResetTokenLock);
     QUIC_STATUS Status =
         CxPlatHashCompute(
-            MsQuicLib.PerProc[CurProcIndex].ResetTokenHash,
+            PerProc->ResetTokenHash,
             CID,
             MsQuicLib.CidTotalLength,
             sizeof(HashOutput),
             HashOutput);
-    CxPlatLockRelease(&MsQuicLib.PerProc[CurProcIndex].ResetTokenLock);
+    CxPlatLockRelease(&PerProc->ResetTokenLock);
     if (QUIC_SUCCEEDED(Status)) {
         CxPlatCopyMemory(
             ResetToken,

diff --git a/src/core/library.h b/src/core/library.h
@@ -298,6 +298,16 @@ QuicLibraryGetCurrentPartition(
     return ((uint16_t)CxPlatProcCurrentNumber()) % MsQuicLib.PartitionCount;
 }
 
+_IRQL_requires_max_(DISPATCH_LEVEL)
+inline
+QUIC_LIBRARY_PP*
+QuicLibraryGetPerProc(
+    void
+    )
+{
+    return &MsQuicLib.PerProc[QuicLibraryGetCurrentPartition()];
+}
+
 _IRQL_requires_max_(DISPATCH_LEVEL)
 inline
 uint16_t
@@ -366,9 +376,7 @@ QuicPerfCounterAdd(
     )
 {
     CXPLAT_DBG_ASSERT(Type >= 0 && Type < QUIC_PERF_COUNTER_MAX);
-    uint32_t ProcIndex = CxPlatProcCurrentNumber();
-    CXPLAT_DBG_ASSERT(ProcIndex < (uint32_t)MsQuicLib.PartitionCount);
-    InterlockedExchangeAdd64(&(MsQuicLib.PerProc[ProcIndex].PerfCounters[Type]), Value);
+    InterlockedExchangeAdd64(&(QuicLibraryGetPerProc()->PerfCounters[Type]), Value);
 }
 
 #define QuicPerfCounterIncrement(Type) QuicPerfCounterAdd(Type, 1)

diff --git a/src/core/packet_builder.c b/src/core/packet_builder.c
@@ -218,7 +218,7 @@ QuicPacketBuilderPrepare(
     // the current one doesn't match, finalize it and then start a new one.
     //
 
-    uint32_t Proc = CxPlatProcCurrentNumber();
+    uint16_t Proc = QuicLibraryGetCurrentPartition();
     uint64_t ProcShifted = ((uint64_t)Proc + 1) << 40;
 
     BOOLEAN NewQuicPacket = FALSE;

diff --git a/src/core/packet_space.c b/src/core/packet_space.c
@@ -23,8 +23,7 @@ QuicPacketSpaceInitialize(
     _Out_ QUIC_PACKET_SPACE** NewPackets
     )
 {
-    uint32_t CurProcIndex = CxPlatProcCurrentNumber();
-    QUIC_PACKET_SPACE* Packets = CxPlatPoolAlloc(&MsQuicLib.PerProc[CurProcIndex].PacketSpacePool);
+    QUIC_PACKET_SPACE* Packets = CxPlatPoolAlloc(&QuicLibraryGetPerProc()->PacketSpacePool);
     if (Packets == NULL) {
         QuicTraceEvent(
             AllocFailure,
@@ -62,9 +61,7 @@ QuicPacketSpaceUninitialize(
     }
 
     QuicAckTrackerUninitialize(&Packets->AckTracker);
-
-    uint32_t CurProcIndex = CxPlatProcCurrentNumber();
-    CxPlatPoolFree(&MsQuicLib.PerProc[CurProcIndex].PacketSpacePool, Packets);
+    CxPlatPoolFree(&QuicLibraryGetPerProc()->PacketSpacePool, Packets);
 }
 
 _IRQL_requires_max_(DISPATCH_LEVEL)

diff --git a/src/core/stream.c b/src/core/stream.c
@@ -157,16 +157,17 @@ QuicStreamFree(
     QUIC_CONNECTION* Connection = Stream->Connection;
     QUIC_WORKER* Worker = Connection->Worker;
 
-    CXPLAT_TEL_ASSERT(Stream->RefCount == 0);
-    CXPLAT_TEL_ASSERT(Connection->State.ClosedLocally || Stream->Flags.ShutdownComplete);
-    CXPLAT_TEL_ASSERT(Connection->State.ClosedLocally || Stream->Flags.HandleClosed);
-    CXPLAT_TEL_ASSERT(Stream->ClosedLink.Flink == NULL);
-    CXPLAT_TEL_ASSERT(Stream->SendLink.Flink == NULL);
+    CXPLAT_DBG_ASSERT(Stream->RefCount == 0);
+    CXPLAT_DBG_ASSERT(Connection->State.ClosedLocally || Stream->Flags.ShutdownComplete);
+    CXPLAT_DBG_ASSERT(Connection->State.ClosedLocally || Stream->Flags.HandleClosed);
+    CXPLAT_DBG_ASSERT(!Stream->Flags.InStreamTable);
+    CXPLAT_DBG_ASSERT(Stream->ClosedLink.Flink == NULL);
+    CXPLAT_DBG_ASSERT(Stream->SendLink.Flink == NULL);
 
     Stream->Flags.Uninitialized = TRUE;
 
-    CXPLAT_TEL_ASSERT(Stream->ApiSendRequests == NULL);
-    CXPLAT_TEL_ASSERT(Stream->SendRequests == NULL);
+    CXPLAT_DBG_ASSERT(Stream->ApiSendRequests == NULL);
+    CXPLAT_DBG_ASSERT(Stream->SendRequests == NULL);
 
 #if DEBUG
     CxPlatDispatchLockAcquire(&Connection->Streams.AllStreamsLock);
@@ -376,14 +377,14 @@ QuicStreamClose(
                 QUIC_STREAM_SHUTDOWN_FLAG_IMMEDIATE,
             QUIC_ERROR_NO_ERROR);
 
-            if (!Stream->Flags.Started) {
-                //
-                // The stream was abandoned before it could be successfully
-                // started. Just mark it as completing the shutdown process now
-                // since nothing else can be done with it now.
-                //
-                Stream->Flags.ShutdownComplete = TRUE;
-            }
+        if (!Stream->Flags.Started) {
+            //
+            // The stream was abandoned before it could be successfully
+            // started. Just mark it as completing the shutdown process now
+            // since nothing else can be done with it now.
+            //
+            Stream->Flags.ShutdownComplete = TRUE;
+        }
     }
 
     Stream->ClientCallbackHandler = NULL;

diff --git a/src/core/stream.h b/src/core/stream.h
@@ -149,6 +149,8 @@ typedef union QUIC_STREAM_FLAGS {
         BOOLEAN ShutdownComplete        : 1;    // Both directions have been shutdown and acknowledged.
         BOOLEAN Uninitialized           : 1;    // Uninitialize started/completed. Used for Debugging.
         BOOLEAN Freed                   : 1;    // Freed after last ref count released. Used for Debugging.
+
+        BOOLEAN InStreamTable           : 1;    // The stream is currently in the connection's table.
     };
 } QUIC_STREAM_FLAGS;
 

diff --git a/src/core/stream_set.c b/src/core/stream_set.c
@@ -110,6 +110,7 @@ QuicStreamSetInsertStream(
             return FALSE;
         }
     }
+    Stream->Flags.InStreamTable = TRUE;
     CxPlatHashtableInsert(
         StreamSet->StreamTable,
         &Stream->TableEntry,
@@ -177,6 +178,11 @@ QuicStreamSetReleaseStream(
     _In_ QUIC_STREAM* Stream
     )
 {
+    if (!Stream->Flags.InStreamTable) {
+        return;
+    }
+    Stream->Flags.InStreamTable = FALSE;
+
     //
     // Remove the stream from the list of open streams.
     //

diff --git a/src/platform/datapath_raw_xdp.c b/src/platform/datapath_raw_xdp.c
@@ -1039,13 +1039,13 @@ CxPlatDpRawInitialize(
     QUIC_STATUS Status;
     const uint16_t* ProcessorList;
 
+    CxPlatListInitializeHead(&Xdp->Interfaces);
     if (QUIC_FAILED(XdpOpenApi(XDP_VERSION_PRERELEASE, &Xdp->XdpApi))) {
         Status = QUIC_STATUS_NOT_SUPPORTED;
         goto Error;
     }
 
     CxPlatXdpReadConfig(Xdp);
-    CxPlatListInitializeHead(&Xdp->Interfaces);
     Xdp->PollingIdleTimeoutUs = Config ? Config->PollingIdleTimeoutUs : 0;
 
     if (Config && Config->ProcessorCount) {

diff --git a/src/platform/tls_schannel.c b/src/platform/tls_schannel.c
@@ -2229,6 +2229,23 @@ CxPlatTlsWriteDataToSchannel(
                         &TlsContext->SchannelContext,
                         SECPKG_ATTR_SERIALIZED_REMOTE_CERT_CONTEXT_INPROC,
                         (PVOID)&(PeerCertBlob.Serialized));
+#ifdef _KERNEL_MODE
+                if (SecStatus != SEC_E_OK) {
+                    //
+                    // In certain container scenarios it is possible that a
+                    // newer kernel is matched with an older user mode schannel
+                    // that doesn't support the newer "in proc" version of the
+                    // remote cert context, so we always fallback and try the
+                    // out of proc version when we encounter an error.
+                    //
+                    PeerCertBlob.Type = QUIC_CERT_BLOB_CHAIN;
+                    SecStatus =
+                        QueryContextAttributesW(
+                            &TlsContext->SchannelContext,
+                            SECPKG_ATTR_REMOTE_CERTIFICATES,
+                            (PVOID)&PeerCertBlob.Chain);
+                }
+#endif
             } else {
 #ifdef _KERNEL_MODE
                 PeerCertBlob.Type = QUIC_CERT_BLOB_CHAIN;

diff --git a/src/plugins/dbg/quictypes.h b/src/plugins/dbg/quictypes.h
@@ -70,6 +70,8 @@ typedef union QUIC_STREAM_FLAGS {
         BOOLEAN ShutdownComplete        : 1;    // Both directions have been shutdown and acknowledged.
         BOOLEAN Uninitialized           : 1;    // Uninitialize started/completed. Used for Debugging.
         BOOLEAN Freed                   : 1;    // Freed after last ref count released. Used for Debugging.
+
+        BOOLEAN InStreamTable           : 1;    // The stream is currently in the connection's table.
     };
 } QUIC_STREAM_FLAGS;