1. 31 Mar 2018, 17 commits
  2. 30 Mar 2018, 23 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · d162190b
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS updates for net-next
      
      The following patchset contains Netfilter/IPVS updates for your net-next
      tree. This batch comes with more input sanitization for xtables to
      address bug reports from fuzzers, preparation works to the flowtable
      infrastructure and assorted updates. In no particular order, they are:
      
      1) Make sure userspace provides a valid standard target verdict, from
         Florian Westphal.
      
      2) Sanitize error target size, also from Florian.
      
      3) Validate that last rule in basechain matches underflow/policy since
         userspace assumes this when decoding the ruleset blob that comes
         from the kernel, from Florian.
      
      4) Consolidate hook entry checks through xt_check_table_hooks(),
         patch from Florian.
      
      5) Cap ruleset allocations at 512 mbytes, 134217728 rules and reject
         very large compat offset arrays, so we have a reasonable upper limit
         and fuzzers don't exercise the oom-killer. Patches from Florian.
      
      6) Several WARN_ON checks on xtables mutex helper, from Florian.
      
      7) xt_rateest now has a hashtable per net, from Cong Wang.
      
      8) Consolidate counter allocation in xt_counters_alloc(), from Florian.
      
      9) Earlier xt_table_unlock() call in {ip,ip6,arp,eb}tables, patch
         from Xin Long.
      
      10) Set FLOW_OFFLOAD_DIR_* to IP_CT_DIR_* definitions, patch from
          Felix Fietkau.
      
      11) Consolidate code through flow_offload_fill_dir(), also from Felix.
      
      12) Inline ip6_dst_mtu_forward() just like ip_dst_mtu_maybe_forward()
          to remove a dependency with flowtable and ipv6.ko, from Felix.
      
      13) Cache mtu size in flow_offload_tuple object, this is safe for
          forwarding as f87c10a8 describes, from Felix.
      
      14) Rename nf_flow_table.c to nf_flow_table_core.o, to simplify too
          modular infrastructure, from Felix.
      
      15) Add rt0, rt2 and rt4 IPv6 routing extension support, patch from
          Ahmed Abdelsalam.
      
      16) Remove unused parameter in nf_conncount_count(), from Yi-Hung Wei.
      
      17) Support for counting only to nf_conncount infrastructure, patch
          from Yi-Hung Wei.
      
      18) Add strict NFT_CT_{SRC_IP,DST_IP,SRC_IP6,DST_IP6} key datatypes
          to nft_ct.
      
      19) Use boolean as return value from ipt_ah and from IPVS too, patch
          from Gustavo A. R. Silva.
      
      20) Remove useless parameters in nfnl_acct_overquota() and
          nf_conntrack_broadcast_help(), from Taehee Yoo.
      
      21) Use ipv6_addr_is_multicast() from xt_cluster, also from Taehee Yoo.
      
      22) Statify nf_tables_obj_lookup_byhandle, patch from Fengguang Wu.
      
      23) Fix typo in xt_limit, from Geert Uytterhoeven.
      
      24) Do not use VLAs in Netfilter code, again from Gustavo.
      
      25) Use ADD_COUNTER from ebtables, from Taehee Yoo.
      
      26) Bitshift support for CONNMARK and MARK targets, from Jack Ma.
      
      27) Use pr_*() and add pr_fmt(), from Arushi Singhal.
      
      28) Add synproxy support to ctnetlink.
      
      29) ICMP type and IGMP matching support for ebtables, patches from
          Matthias Schiffer.
      
      30) Support for the revision infrastructure to ebtables, from
          Bernie Harris.
      
      31) String match support for ebtables, also from Bernie.
      
      32) Documentation for the new flowtable infrastructure.
      
      33) Use generic comparison functions in ebt_stp, from Joe Perches.
      
      34) Demodularize filter chains in nftables.
      
      35) Register conntrack hooks in case nftables NAT chain is added.
      
      36) Merge assignments with return in a couple of spots in the
          Netfilter codebase, also from Arushi.
      
      37) Document that xtables percpu counters are stored in the same
          memory area, from Ben Hutchings.
      
      38) Revert mark_source_chains() sanity checks that break existing
          rulesets, from Florian Westphal.
      
      39) Use is_zero_ether_addr() in the ipset codebase, from Joe Perches.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Close-race-between-un-register_netdevice_notifier-and-pernet_operations' · b9a12601
      David S. Miller committed
      Kirill Tkhai says:
      
      ====================
      Close race between {un, }register_netdevice_notifier and pernet_operations
      
      The problem is {,un}register_netdevice_notifier() do not take
      pernet_ops_rwsem, and they don't see network namespaces, being
      initialized in setup_net() and cleanup_net(), since at this
      time net is not hashed to net_namespace_list.
      
      This may lead to imbalance, when a notifier is called at time of
      setup_net()/net is alive, but it's not called at time of cleanup_net(),
      for the devices, hashed to the net, and vice versa. See (3/3) for
      the scheme of imbalance.
      
      This patchset fixes the problem by acquiring pernet_ops_rwsem
      at the time of {,un}register_netdevice_notifier() (3/3).
      (1-2/3) are preparations in xfrm and netfilter subsystems.
      
      The problem was introduced long ago, but backporting won't be easy,
      since every previous kernel version may have changes in netdevice
      notifiers, and they all need review and testing. Otherwise, there
      may be more pernet_operations, which register or unregister
      netdevice notifiers, and that leads to deadlock (which was fixed
      in 1-2/3). This patchset is for net-next.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Close race between {un, }register_netdevice_notifier() and setup_net()/cleanup_net() · 328fbe74
      Kirill Tkhai committed
      {un,}register_netdevice_notifier() iterate over all net namespaces
      hashed to net_namespace_list. But pernet_operations register and
      unregister netdevices in unhashed net namespace, and they are not
      seen for netdevice notifiers. This results in asymmetry:
      
      1) Race with register_netdevice_notifier()
        pernet_operations::init(net)	...
         register_netdevice()		...
          call_netdevice_notifiers()  ...
            ... nb is not called ...
        ...				register_netdevice_notifier(nb) -> net skipped
        ...				...
        list_add_tail(&net->list, ..) ...
      
        Then, userspace stops using net, and it's destructed:
      
        pernet_operations::exit(net)
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
      This always happens with net::loopback_dev, but it may not be the only device.
      
      2) Race with unregister_netdevice_notifier()
        pernet_operations::init(net)
         register_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
        Then, userspace stops using net, and it's destructed:
      
        list_del_rcu(&net->list)	...
        pernet_operations::exit(net)  unregister_netdevice_notifier(nb) -> net skipped
         dev_change_net_namespace()	...
          call_netdevice_notifiers()
            ... nb is not called ...
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is not called ...
      
      This race is more dangerous, since dev_change_net_namespace() moves real
      network devices, which use not trivial netdevice notifiers, and if this
      will happen, the system will be left in unpredictable state.
      
      The patch closes the race. During the testing I found two places,
      where register_netdevice_notifier() is called from pernet init/exit
      methods (which led to deadlock) and fixed them (see previous patches).
      
      The review moved me to one more unusual registration place:
      raw_init() (can driver). It may be a reason of problems,
      if someone creates in-kernel CAN_RAW sockets, since they
      will be destroyed in exit method and raw_release()
      will call unregister_netdevice_notifier(). But grep over
      the kernel tree does not show that anyone creates such sockets
      from kernel space.
      
      Theoretically, there can be more places like this, which are
      hidden from review, but we found them on the first bumping there
      (since there is no race, it will be 100% reproducible).
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: Rework xt_TEE netdevice notifier · 9e2f6c5d
      Kirill Tkhai committed
      Register netdevice notifier for every iptable entry
      is not good, since this breaks modularity, and
      the hidden synchronization is based on rtnl_lock().
      
      This patch reworks the synchronization via new lock,
      while the rest of logic remains as it was before.
      This is required for the next patch.
      
      Tested via:
      
      while :; do
      	unshare -n iptables -t mangle -A OUTPUT -j TEE --gateway 1.1.1.2 --oif lo;
      done
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xfrm: Register xfrm_dev_notifier in appropriate place · e9a441b6
      Kirill Tkhai committed
      Currently, driver registers it from pernet_operations::init method,
      and this breaks modularity, because initialization of net namespace
      and netdevice notifiers are orthogonal actions. We don't have
      per-namespace netdevice notifiers; all of them are global for all
      devices in all namespaces.
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Implement-of_get_nvmem_mac_address-helper' · caeeeda3
      David S. Miller committed
      Mike Looijmans says:
      
      ====================
      of_net: Implement of_get_nvmem_mac_address helper
      
      Posted this as a small set now, with an (optional) second patch that shows
      how the changes work and what I've used to test the code on a Topic Miami board.
      I've taken the liberty to add appropriate "Acked" and "Review" tags.
      
      v4: Replaced "6" with ETH_ALEN
      
      v3: Add patch that implements mac in nvmem for the Cadence MACB controller
          Remove the integrated of_get_mac_address call
      
      v2: Use of_nvmem_cell_get to avoid needing the associated device
          Use void* instead of char*
          Add devicetree binding doc
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: macb: Try to retrieve MAC address from nvmem provider · aa076e3d
      Mike Looijmans committed
      Call of_get_nvmem_mac_address() to fetch the MAC address from an nvmem
      cell, if one is provided in the device tree. This allows the address to
      be stored in an I2C EEPROM device for example.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • of_net: Implement of_get_nvmem_mac_address helper · 9217e566
      Mike Looijmans committed
      It's common practice to store MAC addresses for network interfaces into
      nvmem devices. However the code to actually do this in the kernel lacks,
      so this patch adds of_get_nvmem_mac_address() for drivers to obtain the
      address from an nvmem cell provider.
      
      This is particularly useful on devices where the ethernet interface cannot
      be configured by the bootloader, for example because it's in an FPGA.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'nfp-flower-handle-MTU-changes' · 64e828df
      David S. Miller committed
      Jakub Kicinski says:
      
      ====================
      nfp: flower: handle MTU changes
      
      This set improves MTU handling for flower offload.  The max MTU is
      correctly capped and physical port MTU is communicated to the FW
      (and indirectly HW).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: flower: offload phys port MTU change · 29a5dcae
      John Hurley committed
      Trigger a port mod message to request an MTU change on the NIC when any
      physical port representor is assigned a new MTU value. The driver waits
      10 msec for an ack that the FW has set the MTU. If no ack is received the
      request is rejected and an appropriate warning flagged.
      
      Rather than maintain an MTU queue per repr, one is maintained per app.
      Because the MTU ndo is protected by the rtnl lock, there can never be
      contention here. Portmod messages from the NIC are also protected by
      rtnl so we first check if the portmod is an ack and, if so, handle outside
      rtnl and the cmsg work queue.
      
      Acks are detected by the marking of a bit in a portmod response. They are
      then verified by checking the port number and MTU value expected by the
      app. If the expected MTU is 0 then no acks are currently expected.
      
      Also, ensure that the packet headroom reserved by the flower firmware is
      considered when accepting an MTU change on any repr.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: modify app MTU setting callbacks · 167cebef
      John Hurley committed
      Rename the 'change_mtu' app callback to 'check_mtu'. This is called
      whenever an MTU change is requested on a netdev. It can reject the
      change but is not responsible for implementing it.
      
      Introduce a new 'repr_change_mtu' app callback that is hit when the MTU
      of a repr is to be changed. This is responsible for performing the MTU
      change and verifying it.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'phylink-API-changes' · 44465c47
      David S. Miller committed
      Florian Fainelli says:
      
      ====================
      phylink: API changes
      
      This patch series contains two API changes to PHYLINK which will later be used
      by DSA to migrate to PHYLINK. Because these are API changes that impact other
      outstanding work (e.g: MVPP2) I would rather get them included sooner to minimize
      conflicts.
      
      Thank you!
      
      Changes in v2:
      
      - added missing documentation to mac_link_{up,down} that the interface
        must be configured in mac_config()
      
      - added Russell's, Andrew's and my tags
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfp/phylink: move module EEPROM ethtool access into netdev core ethtool · e679c9c1
      Russell King committed
      Provide a pointer to the SFP bus in struct net_device, so that the
      ethtool module EEPROM methods can access the SFP directly, rather
      than needing every user to provide a hook for it.
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: phylink: Provide PHY interface to mac_link_{up, down} · c6ab3008
      Florian Fainelli committed
      In preparation for having DSA transition entirely to PHYLINK, we need to pass a
      PHY interface type to the mac_link_{up,down} callbacks because we may have to
      make decisions on that (e.g: turn on/off RGMII interfaces etc.). We do not pass
      an entire phylink_link_state because not all parameters (pause, duplex etc.) are
      defined when the link is down, only link and interface are.
      
      Update mvneta accordingly since it currently implements phylink_mac_ops.
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: update vmxnet3 driver maintainer · 2166dc95
      Ronak Doshi committed
      Shrikrishna Khare would no longer maintain the vmxnet3 driver. Taking
      over the role of vmxnet3 maintainer.
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Signed-off-by: Shrikrishna Khare <skhare@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'net-Broadcom-drivers-coalescing-fixes' · 95e623fd
      David S. Miller committed
      Florian Fainelli says:
      
      ====================
      net: Broadcom drivers coalescing fixes
      
      Following Tal's review of the adaptive RX/TX coalescing feature added to the
      SYSTEMPORT and GENET driver a number of things showed up:
      
      - adaptive TX coalescing is not actually a good idea with the current way
        the estimator will program the ring, this results in a higher CPU load, NAPI
        on TX already does a reasonably good job at maintaining the interrupt count low
      
      - both SYSTEMPORT and GENET would suffer from the same issues while configuring
        coalescing parameters where the values would just not be applied correctly
        based on user settings, so we fix that too
      
      Tal, thanks again for your feedback, I would appreciate if you could review that
      the new behavior appears to be implemented correctly.
      
      Thanks!
      
      Changes in v2:
      
      - added Tal's reviewed-by to the first patch
      - split DIM initialization from coalescing parameters initialization
      - avoid duplicating the same code in bcmgenet_set_coalesce() when configuring RX rings
      - fixed the condition where default DIM parameters would be applied when
        adaptive RX coalescing would be enabled, do this only if it was disabled before
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bcmgenet: Fix coalescing settings handling · 5e6ce1f1
      Florian Fainelli committed
      There were a number of issues with setting the RX coalescing parameters:
      
      - we would not be preserving values that would have been configured
        across close/open calls, instead we would always reset to no timeout
        and 1 interrupt per packet, this would also prevent DIM from setting its
        default usec/pkts values
      
      - when adaptive RX would be turned on, we would not be fetching the
        default parameters, we would stay with no timeout/1 packet per interrupt
        until the estimator kicks in and changes that
      
      - finally disabling adaptive RX coalescing while providing parameters
        would not be honored, and we would stay with whatever DIM had previously
        determined instead of the user requested parameters
      
      Fixes: 9f4ca058 ("net: bcmgenet: Add support for adaptive RX coalescing")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: systemport: Fix coalescing settings handling · a8cdfbdf
      Florian Fainelli committed
      There were a number of issues with setting the RX coalescing parameters:
      
      - we would not be preserving values that would have been configured
        across close/open calls, instead we would always reset to no timeout
        and 1 interrupt per packet, this would also prevent DIM from setting its
        default usec/pkts values
      
      - when adaptive RX would be turned on, we would not be fetching the
        default parameters, we would stay with no timeout/1 packet per
        interrupt until the estimator kicks in and changes that
      
      - finally disabling adaptive RX coalescing while providing parameters
        would not be honored, and we would stay with whatever DIM had
        previously determined instead of the user requested parameters
      
      Fixes: b6e0e875 ("net: systemport: Implement adaptive interrupt coalescing")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: systemport: Remove adaptive TX coalescing · fd41f2bf
      Florian Fainelli committed
      Adaptive TX coalescing is not currently giving us any advantages and
      ends up making the CPU spin more frequently until TX completion. Deny
      and disable adaptive TX coalescing for now and rely on static
      configuration, we can always add it back later.
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Call add/kill vid ndo on vlan filter feature toggling · 9daae9bd
      Gal Pressman committed
      NETIF_F_HW_VLAN_[CS]TAG_FILTER features require more than just a bit
      flip in dev->features in order to keep the driver in a consistent state.
      These features notify the driver of each added/removed vlan, but toggling
      of vlan-filter does not notify the driver accordingly for each of the
      existing vlans.
      
      This patch implements a similar solution to NETIF_F_RX_UDP_TUNNEL_PORT
      behavior (which notifies the driver about UDP ports in the same manner
      that vids are reported).
      
      Each toggling of the features propagates to the 8021q module, which
      iterates over the vlans and call add/kill ndo accordingly.
      Signed-off-by: Gal Pressman <galp@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix error return code in adap_init0() · 004c3cf1
      Wei Yongjun committed
      Fix to return a negative error code from the hash filter init error
      handling case instead of 0, as done elsewhere in this function.
      
      Fixes: 5c31254e ("cxgb4: initialize hash-filter configuration")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp · 26c97c5d
      Joe Perches committed
      To make the test a bit clearer and to reduce object size a little.
      
      Miscellanea:
      
      o remove now unnecessary static const array
      
      $ size ip_set_hash_mac.o*
         text	   data	    bss	    dec	    hex	filename
        22822	   4619	     64	  27505	   6b71	ip_set_hash_mac.o.allyesconfig.new
        22932	   4683	     64	  27679	   6c1f	ip_set_hash_mac.o.allyesconfig.old
        10443	   1040	      0	  11483	   2cdb	ip_set_hash_mac.o.defconfig.new
        10507	   1040	      0	  11547	   2d1b	ip_set_hash_mac.o.defconfig.old
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Revert "netfilter: x_tables: ensure last rule in base chain matches underflow/policy" · e3b5e1ec
      Florian Westphal committed
      This reverts commit 0d7df906.
      
      Valdis Kletnieks reported that xtables is broken in linux-next since
      0d7df906  ("netfilter: x_tables: ensure last rule in base chain
      matches underflow/policy"), as kernel rejects the (well-formed) ruleset:
      
      [   64.402790] ip6_tables: last base chain position 1136 doesn't match underflow 1344 (hook 1)
      
      mark_source_chains is not the correct place for such a check, as it
      terminates evaluation of a chain once it sees an unconditional verdict
      (following rules are known to be unreachable). It seems preferable to
      fix libiptc instead, so remove this check again.
      
      Fixes: 0d7df906 ("netfilter: x_tables: ensure last rule in base chain matches underflow/policy")
      Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>