- 03 8月, 2014 12 次提交
-
-
由 Nikolay Aleksandrov 提交于
Fix a couple of functions' declaration alignments. Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nikolay Aleksandrov 提交于
Move the flags to an enum definion, swap FIRST_IN/LAST_IN to be in increasing order and add comments explaining each flag and the inet_frag_queue struct members. Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nikolay Aleksandrov 提交于
The last_in field has been used to store various flags different from first/last frag in so give it a more descriptive name: flags. Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Nikolay Aleksandrov 提交于
Softirqs are already disabled so no need to do it again, thus let's be consistent and use the IP6_INC_STATS_BH variant. Signed-off-by: NNikolay Aleksandrov <nikolay@redhat.com> Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Dan Carpenter 提交于
The dm9000_release_board() function is called with NULL ->data_req and ->addr_req pointers if dm9000_probe() fails. Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Duan Jiong 提交于
ip_local_deliver_finish() already have a rcu_read_lock/unlock, so the rcu_read_lock/unlock is unnecessary. See the stack below: ip_local_deliver_finish | | ->icmp_rcv | | ->icmp_socket_deliver Suggested-by: NHannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: NDuan Jiong <duanj.fnst@cn.fujitsu.com> Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Alexei Starovoitov says: ==================== net: filter: split sk_filter into socket and bpf, cleanup names The main goal of the series is to split 'struct sk_filter' into socket and bpf parts and cleanup names in the following way: - everything that deals with sockets keeps 'sk_*' prefix - everything that is pure BPF is changed to 'bpf_*' prefix split 'struct sk_filter' into struct sk_filter { atomic_t refcnt; struct rcu_head rcu; struct bpf_prog *prog; }; and struct bpf_prog { u32 jited:1, len:31; struct sock_fprog_kern *orig_prog; unsigned int (*bpf_func)(const struct sk_buff *skb, const struct bpf_insn *filter); union { struct sock_filter insns[0]; struct bpf_insn insnsi[0]; struct work_struct work; }; }; so that 'struct bpf_prog' can be used independent of sockets and cleans up 'unattached' bpf use cases: isdn, ppp, team, seccomp, ptp, xt_bpf, cls_bpf, test_bpf which don't need refcnt/rcu fields. It's a follow up to the rcu cleanup started by Pablo in commit 34c5bd66 ("net: filter: don't release unattached filter through call_rcu()") Patch 1 - cleans up socket memory charging and makes it possible for functions sk(bpf)_migrate_filter(), sk(bpf)_prepare_filter() to be socket independent Patches 2-4 - trivial renames Patch 5 - sk_filter split and renames of related sk_*() functions ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Alexei Starovoitov 提交于
clean up names related to socket filtering and bpf in the following way: - everything that deals with sockets keeps 'sk_*' prefix - everything that is pure BPF is changed to 'bpf_*' prefix split 'struct sk_filter' into struct sk_filter { atomic_t refcnt; struct rcu_head rcu; struct bpf_prog *prog; }; and struct bpf_prog { u32 jited:1, len:31; struct sock_fprog_kern *orig_prog; unsigned int (*bpf_func)(const struct sk_buff *skb, const struct bpf_insn *filter); union { struct sock_filter insns[0]; struct bpf_insn insnsi[0]; struct work_struct work; }; }; so that 'struct bpf_prog' can be used independent of sockets and cleans up 'unattached' bpf use cases split SK_RUN_FILTER macro into: SK_RUN_FILTER to be used with 'struct sk_filter *' and BPF_PROG_RUN to be used with 'struct bpf_prog *' __sk_filter_release(struct sk_filter *) gains __bpf_prog_release(struct bpf_prog *) helper function also perform related renames for the functions that work with 'struct bpf_prog *', since they're on the same lines: sk_filter_size -> bpf_prog_size sk_filter_select_runtime -> bpf_prog_select_runtime sk_filter_free -> bpf_prog_free sk_unattached_filter_create -> bpf_prog_create sk_unattached_filter_destroy -> bpf_prog_destroy sk_store_orig_filter -> bpf_prog_store_orig_filter sk_release_orig_filter -> bpf_release_orig_filter __sk_migrate_filter -> bpf_migrate_filter __sk_prepare_filter -> bpf_prepare_filter API for attaching classic BPF to a socket stays the same: sk_attach_filter(prog, struct sock *)/sk_detach_filter(struct sock *) and SK_RUN_FILTER(struct sk_filter *, ctx) to execute a program which is used by sockets, tun, af_packet API for 'unattached' BPF programs becomes: bpf_prog_create(struct bpf_prog **)/bpf_prog_destroy(struct bpf_prog *) and BPF_PROG_RUN(struct bpf_prog *, ctx) to execute a program which is used by isdn, ppp, team, seccomp, ptp, xt_bpf, cls_bpf, test_bpf Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Alexei Starovoitov 提交于
to indicate that this function is converting classic BPF into eBPF and not related to sockets Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Alexei Starovoitov 提交于
trivial rename to indicate that this functions performs classic BPF checking Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Alexei Starovoitov 提交于
trivial rename to better match semantics of macro Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Alexei Starovoitov 提交于
attaching bpf program to a socket involves multiple socket memory arithmetic, since size of 'sk_filter' is changing when classic BPF is converted to eBPF. Also common path of program creation has to deal with two ways of freeing the memory. Simplify the code by delaying socket charging until program is ready and its size is known Signed-off-by: NAlexei Starovoitov <ast@plumgrid.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 01 8月, 2014 18 次提交
-
-
由 Duan Jiong 提交于
Signed-off-by: NDuan Jiong <duanj.fnst@cn.fujitsu.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Dan Carpenter 提交于
1) We don't allocate enough space for the NUL terminator so we end up corrupting one character beyond the end of the buffer. 2) The "len - 1" should just be "len". The code is trying to copy a word from a buffer up to a comma or the last word in the buffer. Say you have the buffer, "foo,bar,baz", then this code truncates the last letter off each word so you get "fo", "ba", and "ba". You would hope this kind of bug would get noticed in testing... I'm not very familiar with this code and I can't test it, but I think we should copy the final character. Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Freddy Xin 提交于
Add functions to support ethtool EEE manipulating, and the EEE is disabled in default setting to enhance the compatibility with certain switch. Signed-off-by: NFreddy Xin <freddy@asix.com.tw> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Tobias Klauser 提交于
Use PAGE_ALIGNED(...) instead of IS_ALIGNED(..., PAGE_SIZE). Signed-off-by: NTobias Klauser <tklauser@distanz.ch> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Duan Jiong 提交于
When dealing with ICMPv[46] Error Message, function icmp_socket_deliver() and icmpv6_notify() do some valid checks on packet's length, but then some protocols check packet's length redaudantly. So remove those duplicated statements, and increase counter ICMP_MIB_INERRORS/ICMP6_MIB_INERRORS in function icmp_socket_deliver() and icmpv6_notify() respectively. In addition, add missed counter in udp6/udplite6 when socket is NULL. Signed-off-by: NDuan Jiong <duanj.fnst@cn.fujitsu.com> Acked-by: NHannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Jason Gunthorpe 提交于
The SCTP socket extensions API document describes the v4mapping option as follows: 8.1.15. Set/Clear IPv4 Mapped Addresses (SCTP_I_WANT_MAPPED_V4_ADDR) This socket option is a Boolean flag which turns on or off the mapping of IPv4 addresses. If this option is turned on, then IPv4 addresses will be mapped to V6 representation. If this option is turned off, then no mapping will be done of V4 addresses and a user will receive both PF_INET6 and PF_INET type addresses on the socket. See [RFC3542] for more details on mapped V6 addresses. This description isn't really in line with what the code does though. Introduce addr_to_user (renamed addr_v4map), which should be called before any sockaddr is passed back to user space. The new function places the sockaddr into the correct format depending on the SCTP_I_WANT_MAPPED_V4_ADDR option. Audit all places that touched v4mapped and either sanely construct a v4 or v6 address then call addr_to_user, or drop the unnecessary v4mapped check entirely. Audit all places that call addr_to_user and verify they are on a sycall return path. Add a custom getname that formats the address properly. Several bugs are addressed: - SCTP_I_WANT_MAPPED_V4_ADDR=0 often returned garbage for addresses to user space - The addr_len returned from recvmsg was not correct when returning AF_INET on a v6 socket - flowlabel and scope_id were not zerod when promoting a v4 to v6 - Some syscalls like bind and connect behaved differently depending on v4mapped Tested bind, getpeername, getsockname, connect, and recvmsg for proper behaviour in v4mapped = 1 and 0 cases. Signed-off-by: NNeil Horman <nhorman@tuxdriver.com> Tested-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: NJason Gunthorpe <jgunthorpe@obsidianresearch.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Karoly Kemeny 提交于
Net_device is a vast and important structure, but it has no kernel-doc compliant documentation. This patch extracts the comments from the structure to clean it up, and let the scripts extract documentation from it. I know that the patch is big, but it's just reordering of comments into the appropriate form, and adding a few more, for the missing members. Signed-off-by: NKaroly Kemeny <karoly.kemeny@gmail.com> Acked-by: NRandy Dunlap <rdunlap@infradead.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Vince Bridgers says: ==================== net: stmmac: Improve mcast/ucast filter for snps This patch series adds Synopsys specific bindings for the Synopsys EMAC filter characteristics since those are implementation dependent. The multicast and unicast filtering code was improved to handle different configuration variations based on device tree settings. I verified the operation of the multicast and unicast filters through Synopsys support as requested during the V1 review, and tested the GMAC configuration on an Altera Cyclone 5 SOC (which supports 256 multicast bins and 128 Unicast addresses). The 10/100 variant of this driver modification was not tested, although it was compile tested. I shared the email thread results of the investigation through Synopsys with the stmmac maintainer. V4: Remove patch from series that addressed a sparse issue from a down rev'd version of sparse that does not show up in the latest version of sparse. V3: Break up the patch into interface and functional change patches per review comments V2: Confirm with Synopsys methods to determine number of Multicast bins and Unicast address filter entries per first round review comments. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
This patch adds and modifies code to support multiple Multicast and Unicast Synopsys MAC filter configurations. The default configuration is defined to support legacy driver behavior, which is 64 Multicast bins. The Unicast filter code previously assumed all controllers support 32 or 16 Unicast addresses based on controller version number, but this has been corrected to support a default of 1 Unicast address. The filter configuration may be specified through the devicetree using a Synopsys specific device tree entry. This information was verified with Synopsys through Synopsys Support Case #8000684337 and shared with the maintainer. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
This patch adds socfpga Ethernet filter attributes for multicast and unicast filters per Synopsys Ethernet IP configuration chosen by Altera for the Cyclone 5 and Arria SOC FPGAs. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
This change adds bindings for the number of multicast hash bins and perfect filter entries supported by the Synopsys EMAC. The Synopsys EMAC core is configurable at device creation time, and can be configured for a different number of multicast hash bins and a different number of perfect filter entries. The device does not provide a way to query these parameters, therefore parameters are required. The Altera Cyclone V SOC has support for 256 multicast hash bins and 128 perfect filter entries, and is different than what's currently provided in the stmmac driver. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Acked-by: NRob Herring <robh@kernel.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
This patch removes the check for the number of mulitcast addresses when using hash based filtering since it's not necessary. If the number of multicast addresses in the list exceeds the number of multicast hash bins, the bins will "fold" over into one of the bins configured and enabled for the particular component instance. The default number of maximum unicast addresses was changed from 32 to 1 since this number is not dependent on the component revision. The maximum number of multicast and unicast addresses is dependent on the configuration of the Synopsys EMAC configured by the SOC architect at the time the features were selected and configured for a particular component. Sadly, Synopsys does not provide a way to query the precise number supported by a particular component, so we must fall back on a devicetree entry. This configuration could vary from vendor to vendor (such as STMicro, Altera, etc). The multicast bins are set for every possible filtering case (including no entries) - previously the bits were set only if multicast filter entries were present. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
The synopsys EMAC can be configured for different numbers of multicast hash bins and perfect filter entries at device creation time and there's no way to query this configuration information at runtime. As a result, a devicetree parameter is required in order for the driver to program these filters correctly for a particular device instance. This patch modifies the 10/100/1000 MAC software interface such that these configuration parameters can be set at initialization time. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next由 David S. Miller 提交于
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains netfilter updates for net-next, they are: 1) Add the reject expression for the nf_tables bridge family, this allows us to send explicit reject (TCP RST / ICMP dest unrech) to the packets matching a rule. 2) Simplify and consolidate the nf_tables set dumping logic. This uses netlink control->data to filter out depending on the request. 3) Perform garbage collection in xt_hashlimit using a workqueue instead of a timer, which is problematic when many entries are in place in the tables, from Eric Dumazet. 4) Remove leftover code from the removed ulog target support, from Paul Bolle. 5) Dump unmodified flags in the netfilter packet accounting when resetting counters, so userspace knows that a counter was in overquota situation, from Alexey Perevalov. 6) Fix wrong usage of the bitwise functions in nfnetlink_acct, also from Alexey. 7) Fix a crash when adding new set element with an empty NFTA_SET_ELEM_LIST attribute. This patchset also includes a couple of cleanups for xt_LED from Duan Jiong and for nf_conntrack_ipv4 (using coccinelle) from Himangi Saraogi. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Banerjee, Debabrata 提交于
commit d23ff701 (tcp: add generic netlink support for tcp_metrics) introduced netlink support for the new tcp_metrics, however it restricted getting of tcp_metrics to root user only. This is a change from how these values could have been fetched when in the old route cache. Unless there's a legitimate reason to restrict the reading of these values it would be better if normal users could fetch them. Cc: Julian Anastasov <ja@ssi.bg> Cc: linux-kernel@vger.kernel.org Signed-off-by: NDebabrata Banerjee <dbanerje@akamai.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Daniel Borkmann 提交于
Commit 34c5bd66 introduced the possibility that an uninitialized pointer on the stack (orig_fp) can call into sk_unattached_filter_destroy() when its value is non NULL. Before that commit orig_fp was only destroyed in the same block where it was assigned a valid BPF prog before. Fix it up by initializing it to NULL. Fixes: 34c5bd66 ("net: filter: don't release unattached filter through call_rcu()") Signed-off-by: NDaniel Borkmann <dborkman@redhat.com> Cc: Pablo Neira <pablo@netfilter.org> Cc: Alexei Starovoitov <ast@plumgrid.com> Cc: Jiri Pirko <jiri@resnulli.us> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pablo Neira Ayuso 提交于
Otherwise, the kernel oopses in nla_for_each_nested when iterating over the unset attribute NFTA_SET_ELEM_LIST_ELEMENTS in the nf_tables_{new,del}setelem() path. netlink: 65524 bytes leftover after parsing attributes in process `nft'. [...] Oops: 0000 [#1] SMP [...] CPU: 2 PID: 6287 Comm: nft Not tainted 3.16.0-rc2+ #169 RIP: 0010:[<ffffffffa0526e61>] [<ffffffffa0526e61>] nf_tables_newsetelem+0x82/0xec [nf_tables] [...] Call Trace: [<ffffffffa05178c4>] nfnetlink_rcv+0x2e7/0x3d7 [nfnetlink] [<ffffffffa0517939>] ? nfnetlink_rcv+0x35c/0x3d7 [nfnetlink] [<ffffffff8137d300>] netlink_unicast+0xf8/0x17a [<ffffffff8137d6a5>] netlink_sendmsg+0x323/0x351 [...] Fix this by returning -EINVAL if this attribute is not set, which doesn't make sense at all since those commands are there to add and to delete elements from the set. Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
由 Alexey Perevalov 提交于
Bit helper functions were used for manipulation with NFACCT_F_OVERQUOTA, but they are accepting pit position, but not a bit mask. As a result not a third bit for NFACCT_F_OVERQUOTA was set, but forth. Such behaviour was dangarous and could lead to unexpected overquota report result. Signed-off-by: NAlexey Perevalov <a.perevalov@samsung.com> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
-
- 31 7月, 2014 10 次提交
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next由 David S. Miller 提交于
Steffen Klassert says: ==================== pull request (net-next): ipsec-next 2014-07-30 This is the last pull request for ipsec-next before I'll be off for two weeks starting on friday. David, can you please take urgent ipsec patches directly into net/net-next during this time? 1) Error handling simplifications for vti and vti6. From Mathias Krause. 2) Remove a duplicate semicolon after a return statement. From Christoph Paasch. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Brian Norris 提交于
Signed-off-by: NBrian Norris <computersforpeace@gmail.com> Cc: Florian Fainelli <f.fainelli@gmail.com> Cc: David S. Miller <davem@davemloft.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 David S. Miller 提交于
Vince Bridgers says: ==================== net: libphy: Add phy specific functions to access mmd regs This set of patches addresses a problem found with the Micrel ksz9021 phy and libphy, where the ksz9021 phy does not support mmd extended register access per the IEEE specification as assumed by libphy. The first patch adds a framework for phy specific support to specify their own function to access extended phy registers, return a failure code if not supported, or to default to libphy's IEEE defined method for accessing the mmd extended phy registers. This issue was found by using the Synopsys EMAC and a Micrel ksz9021 phy on the Altera Cyclone 5 SOC development kit. This patch was tested on the same system in both positive and negative test cases. V5: Revert name of mmd register access functions, check for phy specific driver override functions in mmd register access functions per Florian's comments to minimize source code changes V4: Correct error when formatting V3 patch - erroneous text cut from code V3: Correct formatting of function arguments, remove return statement from NULL functions, and add patch for PHY driver documentation per review comments. V2: Split the original patch submission into seperate patches for the libphy framework required for the modification and for the Micrel Phy. ==================== Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
Update the PHY library documentation to describe how a specific PHY driver can use the PAL MMD register access routines or override those routines with it's own in the event the PHY does not support the IEEE standard for reading and writing MMD phy registers. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
The Micrel ksz9021 PHY does not support standard IEEE standard MMD extended register access, therefore requires stubs to fail the read register method and do nothing for the write register method when libphy attempts to read and/or configure Energy Efficient Ethernet features in PHYS that do support those features. This problem was observed on an Altera Cyclone V SOC development kit that uses the Synopsys EMAC and the Micrel ksz9021 PHY. This patch was tested on the same board, and Energy Efficient Ethernet is now disabled as expected since the Micrel PHY does not support that feature. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Vince Bridgers 提交于
libphy was originally written assuming all phy devices support clause 45 access extensions to the mmd registers through the indirection registers located within the first 16 phy registers. This assumption is not true in all cases, and one specific example is the Micrel ksz9021 10/100/1000 Mbps phy. Using the stmmac driver, accessing the mmd registers to query and configure energy efficient Ethernet (EEE) features yielded unexpected behavior. This patch adds mmd access functions to the phy driver that can be overriden by the phy specific driver if the phy does not support this mechanism or uses it's own non-standard access mechanism. By default, the IEEE Compatible clause 45 access mechanism described in clause 22 is used. With this patch, EEE query/configure functions as expected using the stmmac and the Micrel ksz9021 phy. Signed-off-by: NVince Bridgers <vbridgers2013@gmail.com> Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Shruti Kanetkar 提交于
Signed-off-by: NShruti Kanetkar <Shruti@Freescale.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Madalin Bucur 提交于
Fix one misspelled word reported by codespell. Signed-off-by: NMadalin Bucur <madalin.bucur@freescale.com> Signed-off-by: NShruti Kanetkar <Shruti@freescale.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pablo Neira 提交于
sk_unattached_filter_destroy() does not always need to release the filter object via rcu. Since this filter is never attached to the socket, the caller should be responsible for releasing the filter in a safe way, which may not necessarily imply rcu. This is a short summary of clients of this function: 1) xt_bpf.c and cls_bpf.c use the bpf matchers from rules, these rules are removed from the packet path before the filter is released. Thus, the framework makes sure the filter is safely removed. 2) In the ppp driver, the ppp_lock ensures serialization between the xmit and filter attachment/detachment path. This doesn't use rcu so deferred release via rcu makes no sense. 3) In the isdn/ppp driver, it is called from isdn_ppp_release() the isdn_ppp_ioctl(). This driver uses mutex and spinlocks, no rcu. Thus, deferred rcu makes no sense to me either, the deferred releases may be just masking the effects of wrong locking strategy, which should be fixed in the driver itself. 4) In the team driver, this is the only place where the rcu synchronization with unattached filter is used. Therefore, this patch introduces synchronize_rcu() which is called from the genetlink path to make sure the filter doesn't go away while packets are still walking over it. I think we can revisit this once struct bpf_prog (that only wraps specific bpf code bits) is in place, then add some specific struct rcu_head in the scope of the team driver if Jiri thinks this is needed. Deferred rcu release for unattached filters was originally introduced in 302d6637 ("filter: Allow to create sk-unattached filters"). Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
由 Pablo Neira 提交于
This structure is not exposed to userspace, so fix this by defining struct sk_filter; so we skip the casting in kernelspace. This is safe since userspace has no way to lurk with that internal pointer. Fixes: e6f30c73 ("netfilter: x_tables: add xt_bpf match") Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Acked-by: NWillem de Bruijn <willemb@google.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-