1. 31 Mar 2018, 25 commits
  2. 30 Mar 2018, 15 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · d162190b
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS updates for net-next
      
      The following patchset contains Netfilter/IPVS updates for your net-next
      tree. This batch comes with more input sanitization for xtables to
      address bug reports from fuzzers, preparation works to the flowtable
      infrastructure and assorted updates. In no particular order, they are:
      
      1) Make sure userspace provides a valid standard target verdict, from
         Florian Westphal.
      
      2) Sanitize error target size, also from Florian.
      
      3) Validate that last rule in basechain matches underflow/policy since
         userspace assumes this when decoding the ruleset blob that comes
         from the kernel, from Florian.
      
      4) Consolidate hook entry checks through xt_check_table_hooks(),
         patch from Florian.
      
      5) Cap ruleset allocations at 512 mbytes, 134217728 rules and reject
         very large compat offset arrays, so we have a reasonable upper limit
         and fuzzers don't exercise the oom-killer. Patches from Florian.
      
      6) Several WARN_ON checks on xtables mutex helper, from Florian.
      
      7) xt_rateest now has a hashtable per net, from Cong Wang.
      
      8) Consolidate counter allocation in xt_counters_alloc(), from Florian.
      
      9) Earlier xt_table_unlock() call in {ip,ip6,arp,eb}tables, patch
         from Xin Long.
      
      10) Set FLOW_OFFLOAD_DIR_* to IP_CT_DIR_* definitions, patch from
          Felix Fietkau.
      
      11) Consolidate code through flow_offload_fill_dir(), also from Felix.
      
      12) Inline ip6_dst_mtu_forward() just like ip_dst_mtu_maybe_forward()
          to remove a dependency with flowtable and ipv6.ko, from Felix.
      
      13) Cache mtu size in flow_offload_tuple object, this is safe for
          forwarding as f87c10a8 describes, from Felix.
      
      14) Rename nf_flow_table.c to nf_flow_table_core.o, to simplify too
          modular infrastructure, from Felix.
      
      15) Add rt0, rt2 and rt4 IPv6 routing extension support, patch from
          Ahmed Abdelsalam.
      
      16) Remove unused parameter in nf_conncount_count(), from Yi-Hung Wei.
      
      17) Support for counting only to nf_conncount infrastructure, patch
          from Yi-Hung Wei.
      
      18) Add strict NFT_CT_{SRC_IP,DST_IP,SRC_IP6,DST_IP6} key datatypes
          to nft_ct.
      
      19) Use boolean as return value from ipt_ah and from IPVS too, patch
          from Gustavo A. R. Silva.
      
      20) Remove useless parameters in nfnl_acct_overquota() and
          nf_conntrack_broadcast_help(), from Taehee Yoo.
      
      21) Use ipv6_addr_is_multicast() from xt_cluster, also from Taehee Yoo.
      
      22) Statify nf_tables_obj_lookup_byhandle, patch from Fengguang Wu.
      
      23) Fix typo in xt_limit, from Geert Uytterhoeven.
      
      24) Do not use VLAs in Netfilter code, again from Gustavo.
      
      25) Use ADD_COUNTER from ebtables, from Taehee Yoo.
      
      26) Bitshift support for CONNMARK and MARK targets, from Jack Ma.
      
      27) Use pr_*() and add pr_fmt(), from Arushi Singhal.
      
      28) Add synproxy support to ctnetlink.
      
      29) ICMP type and IGMP matching support for ebtables, patches from
          Matthias Schiffer.
      
      30) Support for the revision infrastructure to ebtables, from
          Bernie Harris.
      
      31) String match support for ebtables, also from Bernie.
      
      32) Documentation for the new flowtable infrastructure.
      
      33) Use generic comparison functions in ebt_stp, from Joe Perches.
      
      34) Demodularize filter chains in nftables.
      
      35) Register conntrack hooks in case nftables NAT chain is added.
      
      36) Merge assignments with return in a couple of spots in the
          Netfilter codebase, also from Arushi.
      
      37) Document that xtables percpu counters are stored in the same
          memory area, from Ben Hutchings.
      
      38) Revert mark_source_chains() sanity checks that break existing
          rulesets, from Florian Westphal.
      
      39) Use is_zero_ether_addr() in the ipset codebase, from Joe Perches.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Close-race-between-un-register_netdevice_notifier-and-pernet_operations' · b9a12601
      David S. Miller committed
      Kirill Tkhai says:
      
      ====================
      Close race between {un, }register_netdevice_notifier and pernet_operations
      
      The problem is {,un}register_netdevice_notifier() do not take
      pernet_ops_rwsem, and they don't see network namespaces, being
      initialized in setup_net() and cleanup_net(), since at this
      time net is not hashed to net_namespace_list.
      
      This may lead to imbalance, when a notifier is called at time of
      setup_net()/net is alive, but it's not called at time of cleanup_net(),
      for the devices, hashed to the net, and vice versa. See (3/3) for
      the scheme of imbalance.
      
      This patchset fixes the problem by acquiring pernet_ops_rwsem
      at the time of {,un}register_netdevice_notifier() (3/3).
      (1-2/3) are preparations in xfrm and netfilter subsystems.
      
      The problem was introduced long ago, but backporting won't be easy,
      since every previous kernel version may have changes in netdevice
      notifiers, and they all need review and testing. Otherwise, there
      may be more pernet_operations, which register or unregister
      netdevice notifiers, and that leads to deadlock (which was fixed
      in 1-2/3). This patchset is for net-next.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Close race between {un, }register_netdevice_notifier() and setup_net()/cleanup_net() · 328fbe74
      Kirill Tkhai committed
      {un,}register_netdevice_notifier() iterate over all net namespaces
      hashed to net_namespace_list. But pernet_operations register and
      unregister netdevices in unhashed net namespace, and they are not
      seen for netdevice notifiers. This results in asymmetry:
      
      1)Race with register_netdevice_notifier()
        pernet_operations::init(net)	...
         register_netdevice()		...
          call_netdevice_notifiers()  ...
            ... nb is not called ...
        ...				register_netdevice_notifier(nb) -> net skipped
        ...				...
        list_add_tail(&net->list, ..) ...
      
        Then, userspace stops using net, and it's destructed:
      
        pernet_operations::exit(net)
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
      This always happens with net::loopback_dev, but it may be not the only device.
      
      2)Race with unregister_netdevice_notifier()
        pernet_operations::init(net)
         register_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
        Then, userspace stops using net, and it's destructed:
      
        list_del_rcu(&net->list)	...
        pernet_operations::exit(net)  unregister_netdevice_notifier(nb) -> net skipped
         dev_change_net_namespace()	...
          call_netdevice_notifiers()
            ... nb is not called ...
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is not called ...
      
      This race is more dangerous, since dev_change_net_namespace() moves real
      network devices, which use non-trivial netdevice notifiers, and if this
      happens, the system will be left in an unpredictable state.
      
      The patch closes the race. During the testing I found two places,
      where register_netdevice_notifier() is called from pernet init/exit
      methods (which led to deadlock) and fixed them (see previous patches).
      
      The review moved me to one more unusual registration place:
      raw_init() (can driver). It may be a reason for problems,
      if someone creates in-kernel CAN_RAW sockets, since they
      will be destroyed in exit method and raw_release()
      will call unregister_netdevice_notifier(). But grep over the
      kernel tree does not show that anyone creates such sockets
      from kernel space.
      
      Theoretically, there can be more places like this, which are
      hidden from review, but we found them on the first bump there
      (since there is no race, it will be 100% reproducible).
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: Rework xt_TEE netdevice notifier · 9e2f6c5d
      Kirill Tkhai committed
      Registering a netdevice notifier for every iptable entry
      is not good, since this breaks modularity, and
      the hidden synchronization is based on rtnl_lock().
      
      This patch reworks the synchronization via new lock,
      while the rest of logic remains as it was before.
      This is required for the next patch.
      
      Tested via:
      
      while :; do
      	unshare -n iptables -t mangle -A OUTPUT -j TEE --gateway 1.1.1.2 --oif lo;
      done
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xfrm: Register xfrm_dev_notifier in appropriate place · e9a441b6
      Kirill Tkhai committed
      Currently, the driver registers it from the pernet_operations::init method,
      and this breaks modularity, because initialization of net namespace
      and netdevice notifiers are orthogonal actions. We don't have
      per-namespace netdevice notifiers; all of them are global for all
      devices in all namespaces.
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Implement-of_get_nvmem_mac_address-helper' · caeeeda3
      David S. Miller committed
      Mike Looijmans says:
      
      ====================
      of_net: Implement of_get_nvmem_mac_address helper
      
      Posted this as a small set now, with an (optional) second patch that shows
      how the changes work and what I've used to test the code on a Topic Miami board.
      I've taken the liberty to add appropriate "Acked" and "Review" tags.
      
      v4: Replaced "6" with ETH_ALEN
      
      v3: Add patch that implements mac in nvmem for the Cadence MACB controller
          Remove the integrated of_get_mac_address call
      
      v2: Use of_nvmem_cell_get to avoid needing the associated device
          Use void* instead of char*
          Add devicetree binding doc
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: macb: Try to retrieve MAC address from nvmem provider · aa076e3d
      Mike Looijmans committed
      Call of_get_nvmem_mac_address() to fetch the MAC address from an nvmem
      cell, if one is provided in the device tree. This allows the address to
      be stored in an I2C EEPROM device for example.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • of_net: Implement of_get_nvmem_mac_address helper · 9217e566
      Mike Looijmans committed
      It's common practice to store MAC addresses for network interfaces into
      nvmem devices. However, the code to actually do this in the kernel is lacking,
      so this patch adds of_get_nvmem_mac_address() for drivers to obtain the
      address from an nvmem cell provider.
      
      This is particularly useful on devices where the ethernet interface cannot
      be configured by the bootloader, for example because it's in an FPGA.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'nfp-flower-handle-MTU-changes' · 64e828df
      David S. Miller committed
      Jakub Kicinski says:
      
      ====================
      nfp: flower: handle MTU changes
      
      This set improves MTU handling for flower offload.  The max MTU is
      correctly capped and physical port MTU is communicated to the FW
      (and indirectly HW).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: flower: offload phys port MTU change · 29a5dcae
      John Hurley committed
      Trigger a port mod message to request an MTU change on the NIC when any
      physical port representor is assigned a new MTU value. The driver waits
      10 msec for an ack that the FW has set the MTU. If no ack is received the
      request is rejected and an appropriate warning flagged.
      
      Rather than maintain an MTU queue per repr, one is maintained per app.
      Because the MTU ndo is protected by the rtnl lock, there can never be
      contention here. Portmod messages from the NIC are also protected by
      rtnl so we first check if the portmod is an ack and, if so, handle outside
      rtnl and the cmsg work queue.
      
      Acks are detected by the marking of a bit in a portmod response. They are
      then verified by checking the port number and MTU value expected by the
      app. If the expected MTU is 0 then no acks are currently expected.
      
      Also, ensure that the packet headroom reserved by the flower firmware is
      considered when accepting an MTU change on any repr.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: modify app MTU setting callbacks · 167cebef
      John Hurley committed
      Rename the 'change_mtu' app callback to 'check_mtu'. This is called
      whenever an MTU change is requested on a netdev. It can reject the
      change but is not responsible for implementing it.
      
      Introduce a new 'repr_change_mtu' app callback that is hit when the MTU
      of a repr is to be changed. This is responsible for performing the MTU
      change and verifying it.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'phylink-API-changes' · 44465c47
      David S. Miller committed
      Florian Fainelli says:
      
      ====================
      phylink: API changes
      
      This patch series contains two API changes to PHYLINK which will later be used
      by DSA to migrate to PHYLINK. Because these are API changes that impact other
      outstanding work (e.g: MVPP2) I would rather get them included sooner to minimize
      conflicts.
      
      Thank you!
      
      Changes in v2:
      
      - added missing documentation to mac_link_{up,down} that the interface
        must be configured in mac_config()
      
      - added Russell's, Andrew's and my tags
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfp/phylink: move module EEPROM ethtool access into netdev core ethtool · e679c9c1
      Russell King committed
      Provide a pointer to the SFP bus in struct net_device, so that the
      ethtool module EEPROM methods can access the SFP directly, rather
      than needing every user to provide a hook for it.
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: phylink: Provide PHY interface to mac_link_{up, down} · c6ab3008
      Florian Fainelli committed
      In preparation for having DSA transition entirely to PHYLINK, we need to pass a
      PHY interface type to the mac_link_{up,down} callbacks because we may have to
      make decisions on that (e.g: turn on/off RGMII interfaces etc.). We do not pass
      an entire phylink_link_state because not all parameters (pause, duplex etc.) are
      defined when the link is down, only link and interface are.
      
      Update mvneta accordingly since it currently implements phylink_mac_ops.
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: update vmxnet3 driver maintainer · 2166dc95
      Ronak Doshi committed
      Shrikrishna Khare will no longer maintain the vmxnet3 driver. Taking
      over the role of vmxnet3 maintainer.
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Signed-off-by: Shrikrishna Khare <skhare@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>