Eric Lee / linux-smarc-t335x-v3.2

18 Oct, 2011

1 commit

13 Oct, 2011

1 commit

  • ae1d48b23   IPVS netns shutdown/startup dead-lock ... Browse Code »

    ip_vs_mutext is used by both netns shutdown code and startup
    and both implicit uses sk_lock-AF_INET mutex.

    cleanup CPU-1 startup CPU-2
    ip_vs_dst_event() ip_vs_genl_set_cmd()
    sk_lock-AF_INET __ip_vs_mutex
    sk_lock-AF_INET
    __ip_vs_mutex
    * DEAD LOCK *

    A new mutex placed in ip_vs netns struct called sync_mutex is added.

    Comments from Julian and Simon added.
    This patch has been running for more than 3 month now and it seems to work.

    Ver. 3
    IP_VS_SO_GET_DAEMON in do_ip_vs_get_ctl protected by sync_mutex
    instead of __ip_vs_mutex as sugested by Julian.

    Signed-off-by: Hans Schillstrom
    Acked-by: Julian Anastasov
    Signed-off-by: Simon Horman
    Signed-off-by: Pablo Neira Ayuso

    Hans Schillstrom
     

06 Oct, 2011

1 commit

03 Oct, 2011

1 commit

31 Aug, 2011

1 commit

30 Aug, 2011

4 commits

  • bb9fc3735   netfilter: nf_ct_tcp: wrong multiplication of TCPOLEN_TSTAMP_ALIGNED in tcp_sack skips fastpath ... Browse Code »

    The wrong multiplication of TCPOLEN_TSTAMP_ALIGNED by 4 skips the fast path
    for the timestamp-only option. Bug reported by Michael M. Builov (netfilter
    bugzilla #738).

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy

    Jozsef Kadlecsik
     
  • 4a5cc84ae   netfilter: nf_ct_tcp: fix incorrect handling of invalid TCP option ... Browse Code »

    Michael M. Builov reported that in the tcp_options and tcp_sack functions
    of netfilter TCP conntrack the incorrect handling of invalid TCP option
    with too big opsize may lead to read access beyond tcp-packet or buffer
    allocated on stack (netfilter bugzilla #738). The fix is to stop parsing
    the options at detecting the broken option.

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy

    Jozsef Kadlecsik
     
  • 4c6e42096   netfilter: nf_ct_pptp: fix DNATed PPTP connection address translation ... Browse Code »

    When both the server and the client are NATed, the set-link-info control
    packet containing the peer's call-id field is not properly translated.

    I have verified that it was working in 2.6.16.13 kernel previously but
    due to rewrite, this scenario stopped working (Not knowing exact version
    when it stopped working).

    Signed-off-by: Sanket Shah
    Signed-off-by: Patrick McHardy

    Sanket Shah
     
  • c6675233f   netfilter: nf_queue: reject NF_STOLEN verdicts from userspace ... Browse Code »

    A userspace listener may send (bogus) NF_STOLEN verdict, which causes skb leak.

    This problem was previously fixed via
    64507fdbc29c3a622180378210ecea8659b14e40 (netfilter:
    nf_queue: fix NF_STOLEN skb leak) but this had to be reverted because
    NF_STOLEN can also be returned by a netfilter hook when iterating the
    rules in nf_reinject.

    Reject userspace NF_STOLEN verdict, as suggested by Michal Miroslaw.

    This is complementary to commit fad54440438a7c231a6ae347738423cbabc936d9
    (netfilter: avoid double free in nf_reinject).

    Cc: Julian Anastasov
    Cc: Eric Dumazet
    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy

    Florian Westphal
     

08 Aug, 2011

1 commit

29 Jul, 2011

2 commits

27 Jul, 2011

1 commit

  • 60063497a   atomic: use <linux/atomic.h> ... Browse Code »

    This allows us to move duplicated code in
    (atomic_inc_not_zero() for now) to

    Signed-off-by: Arun Sharma
    Reviewed-by: Eric Dumazet
    Cc: Ingo Molnar
    Cc: David Miller
    Cc: Eric Dumazet
    Acked-by: Mike Frysinger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Arun Sharma
     

23 Jul, 2011

1 commit

  • 0342cbcfc   Merge branch 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip ... Browse Code »

    * 'core-rcu-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
    rcu: Fix wrong check in list_splice_init_rcu()
    net,rcu: Convert call_rcu(xt_rateest_free_rcu) to kfree_rcu()
    sysctl,rcu: Convert call_rcu(free_head) to kfree
    vmalloc,rcu: Convert call_rcu(rcu_free_vb) to kfree_rcu()
    vmalloc,rcu: Convert call_rcu(rcu_free_va) to kfree_rcu()
    ipc,rcu: Convert call_rcu(ipc_immediate_free) to kfree_rcu()
    ipc,rcu: Convert call_rcu(free_un) to kfree_rcu()
    security,rcu: Convert call_rcu(sel_netport_free) to kfree_rcu()
    security,rcu: Convert call_rcu(sel_netnode_free) to kfree_rcu()
    ia64,rcu: Convert call_rcu(sn_irq_info_free) to kfree_rcu()
    block,rcu: Convert call_rcu(disk_free_ptbl_rcu_cb) to kfree_rcu()
    scsi,rcu: Convert call_rcu(fc_rport_free_rcu) to kfree_rcu()
    audit_tree,rcu: Convert call_rcu(__put_tree) to kfree_rcu()
    security,rcu: Convert call_rcu(whitelist_item_free) to kfree_rcu()
    md,rcu: Convert call_rcu(free_conf) to kfree_rcu()

    Linus Torvalds
     

22 Jul, 2011

2 commits

21 Jul, 2011

2 commits

  • 89dc79b78   netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces ... Browse Code »

    If overlapping networks with different interfaces was added to
    the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

    Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
    a match.

    In the patch the algorithm is fixed in order to correctly handle
    overlapping networks.

    Limitation: the same network cannot be stored with more than 64 different
    interfaces in a single set.

    Signed-off-by: Jozsef Kadlecsik
    Signed-off-by: Patrick McHardy

    Jozsef Kadlecsik
     
  • cefcb6020   net,rcu: Convert call_rcu(xt_rateest_free_rcu) to kfree_rcu() ... Browse Code »

    The RCU callback xt_rateest_free_rcu() just calls kfree(), so we can
    use kfree_rcu() instead of call_rcu(). This also allows us to dispense
    with an rcu_barrier() call, speeding up unloading of this module.

    Signed-off-by: Paul E. McKenney
    Cc: Patrick McHardy
    Reviewed-by: Josh Triplett

    Paul E. McKenney
     

19 Jul, 2011

2 commits

  • 97d32cf94   netfilter: nfnetlink_queue: batch verdict support ... Browse Code »

    Introduces a new nfnetlink type that applies a given
    verdict to all queued packets with an id
    Signed-off-by: Patrick McHardy

    Florian Westphal
     
  • 5863702a3   netfilter: nfnetlink_queue: assert monotonic packet ids ... Browse Code »

    Packet identifier is currently setup in nfqnl_build_packet_message(),
    using one atomic_inc_return().

    Problem is that since several cpus might concurrently call
    nfqnl_enqueue_packet() for the same queue, we can deliver packets to
    consumer in non monotonic way (packet N+1 being delivered after packet
    N)

    This patch moves the packet id setup from nfqnl_build_packet_message()
    to nfqnl_enqueue_packet() to guarantee correct delivery order.

    This also removes one atomic operation.

    Signed-off-by: Eric Dumazet
    CC: Florian Westphal
    CC: Pablo Neira Ayuso
    CC: Eric Leblond
    Signed-off-by: Patrick McHardy

    Eric Dumazet
     

18 Jul, 2011

2 commits

  • 84a797dd0   netfilter: nfnetlink_queue: provide rcu enabled callbacks ... Browse Code »

    nenetlink_queue operations on SMP are not efficent if several queues are
    used, because of nfnl_mutex contention when applications give packet
    verdict.

    Use new call_rcu field in struct nfnl_callback to advertize a callback
    that is called under rcu_read_lock instead of nfnl_mutex.

    On my 2x4x2 machine, I was able to reach 2.000.000 pps going through
    user land returning NF_ACCEPT verdicts without losses, instead of less
    than 500.000 pps before patch.

    Signed-off-by: Eric Dumazet
    CC: Florian Westphal
    CC: Eric Leblond
    Signed-off-by: Patrick McHardy

    Eric Dumazet
     
  • 6b75e3e8d   netfilter: nfnetlink: add RCU in nfnetlink_rcv_msg() ... Browse Code »

    Goal of this patch is to permit nfnetlink providers not mandate
    nfnl_mutex being held while nfnetlink_rcv_msg() calls them.

    If struct nfnl_callback contains a non NULL call_rcu(), then
    nfnetlink_rcv_msg() will use it instead of call() field, holding
    rcu_read_lock instead of nfnl_mutex

    Signed-off-by: Eric Dumazet
    CC: Florian Westphal
    CC: Eric Leblond
    Signed-off-by: Patrick McHardy

    Eric Dumazet
     

02 Jul, 2011

1 commit

  • 181b1e9ce   netfilter: Reduce switch/case indent ... Browse Code »

    Make the case labels the same indent as the switch.

    git diff -w shows miscellaneous 80 column wrapping,
    comment reflowing and a comment for a useless gcc
    warning for an otherwise unused default: case.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

30 Jun, 2011

1 commit

  • 131ad62d8   netfilter: add SELinux context support to AUDIT target ... Browse Code »

    In this revision the conversion of secid to SELinux context and adding it
    to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
    separate helper function - audit_log_secctx - which does both the conversion
    and logging of SELinux context, thus also preventing internal secid number
    being leaked to userspace. If conversion is not successful an error is raised.

    With the introduction of this helper function the work done in xt_AUDIT.c is
    much more simplified. It also opens the possibility of this helper function
    being used by other modules (including auditd itself), if desired. With this
    addition, typical (raw auditd) output after applying the patch would be:

    type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
    type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

    Acked-by: Eric Paris
    Signed-off-by: Mr Dash Four
    Signed-off-by: Patrick McHardy

    Mr Dash Four
     

22 Jun, 2011

2 commits

  • 56f8a75c1   ip: introduce ip_is_fragment helper inline function ... Browse Code »

    There are enough instances of this:

    iph->frag_off & htons(IP_MF | IP_OFFSET)

    that a helper function is probably warranted.

    Signed-off-by: Paul Gortmaker
    Signed-off-by: David S. Miller

    Paul Gortmaker
     
  • dec17b745   Remove redundant linux/version.h includes from net/ ... Browse Code »

    It was suggested by "make versioncheck" that the follwing includes of
    linux/version.h are redundant:

    /home/jj/src/linux-2.6/net/caif/caif_dev.c: 14 linux/version.h not needed.
    /home/jj/src/linux-2.6/net/caif/chnl_net.c: 10 linux/version.h not needed.
    /home/jj/src/linux-2.6/net/ipv4/gre.c: 19 linux/version.h not needed.
    /home/jj/src/linux-2.6/net/netfilter/ipset/ip_set_core.c: 20 linux/version.h not needed.
    /home/jj/src/linux-2.6/net/netfilter/xt_set.c: 16 linux/version.h not needed.

    and it seems that it is right.

    Beyond manually inspecting the source files I also did a few build
    tests with various configs to confirm that including the header in
    those files is indeed not needed.

    Here's a patch to remove the pointless includes.

    Signed-off-by: Jesper Juhl
    Acked-by: Jozsef Kadlecsik
    Signed-off-by: David S. Miller

    Jesper Juhl
     

21 Jun, 2011

1 commit

17 Jun, 2011

13 commits