1. 05 5月, 2017 1 次提交
  2. 01 5月, 2017 1 次提交
  3. 28 4月, 2017 1 次提交
  4. 26 4月, 2017 2 次提交
    • F
      ebtables: remove nf_hook_register usage · aee12a0a
      Florian Westphal 提交于
      Similar to ip_register_table, pass nf_hook_ops to ebt_register_table().
      This allows to handle hook registration also via pernet_ops and allows
      us to avoid use of legacy register_hook api.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      aee12a0a
    • X
      bridge: move bridge multicast cleanup to ndo_uninit · b1b9d366
      Xin Long 提交于
      During removing a bridge device, if the bridge is still up, a new mdb entry
      still can be added in br_multicast_add_group() after all mdb entries are
      removed in br_multicast_dev_del(). Like the path:
      
        mld_ifc_timer_expire ->
          mld_sendpack -> ...
            br_multicast_rcv ->
              br_multicast_add_group
      
      The new mp's timer will be set up. If the timer expires after the bridge
      is freed, it may cause use-after-free panic in br_multicast_group_expired.
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
      IP: [<ffffffffa07ed2c8>] br_multicast_group_expired+0x28/0xb0 [bridge]
      Call Trace:
       <IRQ>
       [<ffffffff81094536>] call_timer_fn+0x36/0x110
       [<ffffffffa07ed2a0>] ? br_mdb_free+0x30/0x30 [bridge]
       [<ffffffff81096967>] run_timer_softirq+0x237/0x340
       [<ffffffff8108dcbf>] __do_softirq+0xef/0x280
       [<ffffffff8169889c>] call_softirq+0x1c/0x30
       [<ffffffff8102c275>] do_softirq+0x65/0xa0
       [<ffffffff8108e055>] irq_exit+0x115/0x120
       [<ffffffff81699515>] smp_apic_timer_interrupt+0x45/0x60
       [<ffffffff81697a5d>] apic_timer_interrupt+0x6d/0x80
      
      Nikolay also found it would cause a memory leak - the mdb hash is
      reallocated and not freed due to the mdb rehash.
      
      unreferenced object 0xffff8800540ba800 (size 2048):
        backtrace:
          [<ffffffff816e2287>] kmemleak_alloc+0x67/0xc0
          [<ffffffff81260bea>] __kmalloc+0x1ba/0x3e0
          [<ffffffffa05c60ee>] br_mdb_rehash+0x5e/0x340 [bridge]
          [<ffffffffa05c74af>] br_multicast_new_group+0x43f/0x6e0 [bridge]
          [<ffffffffa05c7aa3>] br_multicast_add_group+0x203/0x260 [bridge]
          [<ffffffffa05ca4b5>] br_multicast_rcv+0x945/0x11d0 [bridge]
          [<ffffffffa05b6b10>] br_dev_xmit+0x180/0x470 [bridge]
          [<ffffffff815c781b>] dev_hard_start_xmit+0xbb/0x3d0
          [<ffffffff815c8743>] __dev_queue_xmit+0xb13/0xc10
          [<ffffffff815c8850>] dev_queue_xmit+0x10/0x20
          [<ffffffffa02f8d7a>] ip6_finish_output2+0x5ca/0xac0 [ipv6]
          [<ffffffffa02fbfc6>] ip6_finish_output+0x126/0x2c0 [ipv6]
          [<ffffffffa02fc245>] ip6_output+0xe5/0x390 [ipv6]
          [<ffffffffa032b92c>] NF_HOOK.constprop.44+0x6c/0x240 [ipv6]
          [<ffffffffa032bd16>] mld_sendpack+0x216/0x3e0 [ipv6]
          [<ffffffffa032d5eb>] mld_ifc_timer_expire+0x18b/0x2b0 [ipv6]
      
      This could happen when ip link remove a bridge or destroy a netns with a
      bridge device inside.
      
      With Nikolay's suggestion, this patch is to clean up bridge multicast in
      ndo_uninit after bridge dev is shutdown, instead of br_dev_delete, so
      that netif_running check in br_multicast_add_group can avoid this issue.
      
      v1->v2:
        - fix this issue by moving br_multicast_dev_del to ndo_uninit, instead
          of calling dev_close in br_dev_delete.
      
      (NOTE: Depends upon b6fe0440 ("bridge: implement missing ndo_uninit()"))
      
      Fixes: e10177ab ("bridge: multicast: fix handling of temp and perm entries")
      Reported-by: NJianwen Ji <jiji@redhat.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Reviewed-by: NStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b1b9d366
  5. 25 4月, 2017 1 次提交
  6. 18 4月, 2017 2 次提交
  7. 14 4月, 2017 1 次提交
  8. 12 4月, 2017 2 次提交
    • I
      bridge: netlink: register netdevice before executing changelink · 5b8d5429
      Ido Schimmel 提交于
      Peter reported a kernel oops when executing the following command:
      
      $ ip link add name test type bridge vlan_default_pvid 1
      
      [13634.939408] BUG: unable to handle kernel NULL pointer dereference at
      0000000000000190
      [13634.939436] IP: __vlan_add+0x73/0x5f0
      [...]
      [13634.939783] Call Trace:
      [13634.939791]  ? pcpu_next_unpop+0x3b/0x50
      [13634.939801]  ? pcpu_alloc+0x3d2/0x680
      [13634.939810]  ? br_vlan_add+0x135/0x1b0
      [13634.939820]  ? __br_vlan_set_default_pvid.part.28+0x204/0x2b0
      [13634.939834]  ? br_changelink+0x120/0x4e0
      [13634.939844]  ? br_dev_newlink+0x50/0x70
      [13634.939854]  ? rtnl_newlink+0x5f5/0x8a0
      [13634.939864]  ? rtnl_newlink+0x176/0x8a0
      [13634.939874]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.939886]  ? rtnetlink_rcv_msg+0xe1/0x220
      [13634.939896]  ? lookup_fast+0x52/0x370
      [13634.939905]  ? rtnl_newlink+0x8a0/0x8a0
      [13634.939915]  ? netlink_rcv_skb+0xa1/0xc0
      [13634.939925]  ? rtnetlink_rcv+0x24/0x30
      [13634.939934]  ? netlink_unicast+0x177/0x220
      [13634.939944]  ? netlink_sendmsg+0x2fe/0x3b0
      [13634.939954]  ? _copy_from_user+0x39/0x40
      [13634.939964]  ? sock_sendmsg+0x30/0x40
      [13634.940159]  ? ___sys_sendmsg+0x29d/0x2b0
      [13634.940326]  ? __alloc_pages_nodemask+0xdf/0x230
      [13634.940478]  ? mem_cgroup_commit_charge+0x7c/0x4e0
      [13634.940592]  ? mem_cgroup_try_charge+0x76/0x1a0
      [13634.940701]  ? __handle_mm_fault+0xdb9/0x10b0
      [13634.940809]  ? __sys_sendmsg+0x51/0x90
      [13634.940917]  ? entry_SYSCALL_64_fastpath+0x1e/0xad
      
      The problem is that the bridge's VLAN group is created after setting the
      default PVID, when registering the netdevice and executing its
      ndo_init().
      
      Fix this by changing the order of both operations, so that
      br_changelink() is only processed after the netdevice is registered,
      when the VLAN group is already initialized.
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Reported-by: NPeter V. Saveliev <peter@svinota.eu>
      Tested-by: NPeter V. Saveliev <peter@svinota.eu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5b8d5429
    • I
      bridge: implement missing ndo_uninit() · b6fe0440
      Ido Schimmel 提交于
      While the bridge driver implements an ndo_init(), it was missing a
      symmetric ndo_uninit(), causing the different de-initialization
      operations to be scattered around its dellink() and destructor().
      
      Implement a symmetric ndo_uninit() and remove the overlapping operations
      from its dellink() and destructor().
      
      This is a prerequisite for the next patch, as it allows us to have a
      proper cleanup upon changelink() failure during the bridge's newlink().
      
      Fixes: b6677449 ("bridge: netlink: call br_changelink() during br_dev_newlink()")
      Signed-off-by: NNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      b6fe0440
  9. 08 4月, 2017 1 次提交
  10. 07 4月, 2017 1 次提交
  11. 29 3月, 2017 1 次提交
  12. 25 3月, 2017 2 次提交
  13. 17 3月, 2017 1 次提交
  14. 14 3月, 2017 1 次提交
  15. 13 3月, 2017 1 次提交
  16. 09 3月, 2017 1 次提交
  17. 07 3月, 2017 2 次提交
  18. 02 3月, 2017 3 次提交
  19. 28 2月, 2017 1 次提交
  20. 18 2月, 2017 2 次提交
  21. 15 2月, 2017 3 次提交
  22. 11 2月, 2017 3 次提交
  23. 09 2月, 2017 1 次提交
  24. 08 2月, 2017 4 次提交
  25. 07 2月, 2017 1 次提交