1. 25 Aug 2017, 7 commits
  2. 19 Aug 2017, 7 commits
  3. 02 Aug 2017, 3 commits
  4. 01 Aug 2017, 15 commits
  5. 24 Jul 2017, 4 commits
    • netfilter: nf_tables: Attach process info to NFT_MSG_NEWGEN notifications · 784b4e61
      Phil Sutter committed
      This is helpful for 'nft monitor' to track which process caused a given
      change to the ruleset.
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: Remove duplicated rcu_read_lock. · 0b35f603
      Taehee Yoo committed
      This patch removes duplicate rcu_read_lock().
      
      1. IPVS part:
      
      According to Julian Anastasov's mention, contexts of ipvs are described
      at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
      
       - packet RX/TX: does not need locks because packets come from hooks.
       - sync msg RX: backup server uses RCU locks while registering new
         connections.
       - ip_vs_ctl.c: configuration get/set, RCU locks needed.
       - xt_ipvs.c: It is a netfilter match, running from hook context.
      
      As result, rcu_read_lock and rcu_read_unlock can be removed from:
      
       - ip_vs_core.c: all
       - ip_vs_ctl.c:
         - only from ip_vs_has_real_service
       - ip_vs_ftp.c: all
       - ip_vs_proto_sctp.c: all
       - ip_vs_proto_tcp.c: all
       - ip_vs_proto_udp.c: all
       - ip_vs_xmit.c: all (contains only packet processing)
      
      2. Netfilter part:
      
      There are three types of functions that are guaranteed the rcu_read_lock().
      First, as result, functions are only called by nf_hook():
      
       - nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
       - tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
       - match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
       - xt_osf_match_packet().
      
      Second, functions that caller already held the rcu_read_lock().
       - destroy_conntrack(), ctnetlink_conntrack_event().
       - ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
      
      Third, functions that are mixed with type1 and type2.
      
      These functions are called by nf_hook() also these are called by
      ordinary functions that already held the rcu_read_lock():
      
       - __ctnetlink_glue_build(), ctnetlink_expect_event().
       - ctnetlink_proto_size().
      
      Applied files are below:
      
      - nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
      - nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
      - nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
      - xt_connlimit.c, xt_hashlimit.c, xt_osf.c
      
      Detailed calltrace can be found at:
      http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: keep chain counters away from hot path · 9f08ea84
      Pablo Neira Ayuso committed
      These chain counters are only used by the iptables-compat tool, that
      allow users to use the x_tables extensions from the existing nf_tables
      framework. This patch makes nf_tables by ~5% for the general usecase,
      ie. native nft users, where no chain counters are used at all.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: expect: add to hash table after expect init · 56a97e70
      Florian Westphal committed
      assuming we have lockless readers we should make sure they can only
      see expectations that have already been initialized.
      
      hlist_add_head_rcu acts as memory barrier, move it after timer setup.
      
      Theoretically we could crash due to a del_timer() on other cpu
      seeing garbage data.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  6. 21 Jul 2017, 3 commits
    • rds: Make sure updates to cp_send_gen can be observed · e623a48e
      Håkon Bugge committed
      cp->cp_send_gen is treated as a normal variable, although it may be
      used by different threads.
      
      This is fixed by using {READ,WRITE}_ONCE when it is incremented and
      READ_ONCE when it is read outside the {acquire,release}_in_xmit
      protection.
      
      Normative reference from the Linux-Kernel Memory Model:
      
          Loads from and stores to shared (but non-atomic) variables should
          be protected with the READ_ONCE(), WRITE_ONCE(), and
          ACCESS_ONCE().
      
      Clause 5.1.2.4/25 in the C standard is also relevant.
      Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
      Reviewed-by: Knut Omang <knut.omang@oracle.com>
      Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv4: initialize fib_trie prior to register_netdev_notifier call. · 8799a221
      Mahesh Bandewar committed
      Net stack initialization currently initializes fib-trie after the
      first call to netdevice_notifier() call. In fact fib_trie initialization
      needs to happen before first rtnl_register(). It does not cause any problem
      since there are no devices UP at this moment, but trying to bring 'lo'
      UP at initialization would make this assumption wrong and exposes the issue.
      
      Fixes following crash
      
       Call Trace:
        ? alternate_node_alloc+0x76/0xa0
        fib_table_insert+0x1b7/0x4b0
        fib_magic.isra.17+0xea/0x120
        fib_add_ifaddr+0x7b/0x190
        fib_netdev_event+0xc0/0x130
        register_netdevice_notifier+0x1c1/0x1d0
        ip_fib_init+0x72/0x85
        ip_rt_init+0x187/0x1e9
        ip_init+0xe/0x1a
        inet_init+0x171/0x26c
        ? ipv4_offload_init+0x66/0x66
        do_one_initcall+0x43/0x160
        kernel_init_freeable+0x191/0x219
        ? rest_init+0x80/0x80
        kernel_init+0xe/0x150
        ret_from_fork+0x22/0x30
       Code: f6 46 23 04 74 86 4c 89 f7 e8 ae 45 01 00 49 89 c7 4d 85 ff 0f 85 7b ff ff ff 31 db eb 08 4c 89 ff e8 16 47 01 00 48 8b 44 24 38 <45> 8b 6e 14 4d 63 76 74 48 89 04 24 0f 1f 44 00 00 48 83 c4 08
       RIP: kmem_cache_alloc+0xcf/0x1c0 RSP: ffff9b1500017c28
       CR2: 0000000000000014
      
      Fixes: 7b1a74fd ("[NETNS]: Refactor fib initialization so it can handle multiple namespaces.")
      Fixes: 7f9b8052 ("[IPV4]: fib hash|trie initialization")
      Signed-off-by: Mahesh Bandewar <maheshb@google.com>
      Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rtnetlink: allocate more memory for dev_set_mac_address() · 153711f9
      WANG Cong committed
      virtnet_set_mac_address() interprets mac address as struct
      sockaddr, but upper layer only allocates dev->addr_len
      which is ETH_ALEN + sizeof(sa_family_t) in this case.
      
      We lack a unified definition for mac address, so just fix
      the upper layer, this also allows drivers to interpret it
      to struct sockaddr freely.
      Reported-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 20 Jul 2017, 1 commit