21 Jul, 2017
1 commit
-
Pull networking fixes from David Miller:
1) BPF verifier signed/unsigned value tracking fix, from Daniel
Borkmann, Edward Cree, and Josef Bacik.2) Fix memory allocation length when setting up calls to
->ndo_set_mac_address, from Cong Wang.3) Add a new cxgb4 device ID, from Ganesh Goudar.
4) Fix FIB refcount handling, we have to set it's initial value before
the configure callback (which can bump it). From David Ahern.5) Fix double-free in qcom/emac driver, from Timur Tabi.
6) A bunch of gcc-7 string format overflow warning fixes from Arnd
Bergmann.7) Fix link level headroom tests in ip_do_fragment(), from Vasily
Averin.8) Fix chunk walking in SCTP when iterating over error and parameter
headers. From Alexander Potapenko.9) TCP BBR congestion control fixes from Neal Cardwell.
10) Fix SKB fragment handling in bcmgenet driver, from Doug Berger.
11) BPF_CGROUP_RUN_PROG_SOCK_OPS needs to check for null __sk, from Cong
Wang.12) xmit_recursion in ppp driver needs to be per-device not per-cpu,
from Gao Feng.13) Cannot release skb->dst in UDP if IP options processing needs it.
From Paolo Abeni.14) Some netdev ioctl ifr_name[] NULL termination fixes. From Alexander
Levin and myself.15) Revert some rtnetlink notification changes that are causing
regressions, from David Ahern.* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits)
net: bonding: Fix transmit load balancing in balance-alb mode
rds: Make sure updates to cp_send_gen can be observed
net: ethernet: ti: cpsw: Push the request_irq function to the end of probe
ipv4: initialize fib_trie prior to register_netdev_notifier call.
rtnetlink: allocate more memory for dev_set_mac_address()
net: dsa: b53: Add missing ARL entries for BCM53125
bpf: more tests for mixed signed and unsigned bounds checks
bpf: add test for mixed signed and unsigned bounds checks
bpf: fix up test cases with mixed signed/unsigned bounds
bpf: allow to specify log level and reduce it for test_verifier
bpf: fix mixed signed/unsigned derived min/max value bounds
ipv6: avoid overflow of offset in ip6_find_1stfragopt
net: tehuti: don't process data if it has not been copied from userspace
Revert "rtnetlink: Do not generate notifications for CHANGEADDR event"
net: dsa: mv88e6xxx: Enable CMODE config support for 6390X
dt-binding: ptp: Add SoC compatibility strings for dte ptp clock
NET: dwmac: Make dwmac reset unconditional
net: Zero terminate ifr_name in dev_ifname().
wireless: wext: terminate ifr name coming from userspace
netfilter: fix netfilter_net_init() return
...
19 Jul, 2017
1 commit
-
We accidentally return an uninitialized variable.
Fixes: cf56c2f892a8 ("netfilter: remove old pre-netns era hook api")
Signed-off-by: Dan Carpenter
Acked-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
17 Jul, 2017
4 commits
-
We crash in __nf_ct_expect_check, it calls nf_ct_remove_expect on the
uninitialised expectation instead of existing one, so del_timer chokes
on random memory address.Fixes: ec0e3f01114ad32711243 ("netfilter: nf_ct_expect: Add nf_ct_remove_expect()")
Reported-by: Sergey Kvachonok
Tested-by: Sergey Kvachonok
Cc: Gao Feng
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
When doing initial conversion to rhashtable I replaced the bucket
walk with a single rhashtable_lookup_fast().When moving to rhlist I failed to properly walk the list of identical
tuples, but that is what is needed for this to work correctly.
The table contains the original tuples, so the reply tuples are all
distinct.We currently decide that mapping is (not) in range only based on the
first entry, but in case its not we need to try the reply tuple of the
next entry until we either find an in-range mapping or we checked
all the entries.This bug makes nat core attempt collision resolution while it might be
able to use the mapping as-is.Fixes: 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable")
Reported-by: Jaco Kroon
Tested-by: Jaco Kroon
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
no more users in the tree, remove this.
The old api is racy wrt. module removal, all users have been converted
to the netns-aware api.The old api pretended we still have global hooks but that has not been
true for a long time.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Verify that the length of the socket buffer is sufficient to cover the
nlmsghdr structure before accessing the nlh->nlmsg_len field for further
input sanitization. If the client only supplies 1-3 bytes of data in
sk_buff, then nlh->nlmsg_len remains partially uninitialized and
contains leftover memory from the corresponding kernel allocation.
Operating on such data may result in indeterminate evaluation of the
nlmsg_len < NLMSG_HDRLEN expression.The bug was discovered by a runtime instrumentation designed to detect
use of uninitialized memory in the kernel. The patch prevents this and
other similar tools (e.g. KMSAN) from flagging this behavior in the future.Signed-off-by: Mateusz Jurczyk
Signed-off-by: Pablo Neira Ayuso
13 Jul, 2017
1 commit
-
xt_alloc_table_info() basically opencodes kvmalloc() so use the library
function instead.Link: http://lkml.kernel.org/r/20170531155145.17111-4-mhocko@kernel.org
Signed-off-by: Michal Hocko
Cc: Pablo Neira Ayuso
Cc: Jozsef Kadlecsik
Cc: Florian Westphal
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
06 Jul, 2017
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter fixes for netThe following patchset contains two Netfilter fixes for your net tree,
they are:1) Fix memleak from netns release path of conntrack protocol trackers,
patch from Liping Zhang.2) Uninitialized flags field in ebt_log, that results in unpredictable
logging format in ebtables, also from Liping.
====================Signed-off-by: David S. Miller
02 Jul, 2017
3 commits
-
This patch is to remove the typedef sctp_inithdr_t, and replace
with struct sctp_inithdr in the places where it's using this
typedef.Signed-off-by: Xin Long
Signed-off-by: David S. Miller -
This patch is to remove the typedef sctp_chunkhdr_t, and replace
with struct sctp_chunkhdr in the places where it's using this
typedef.It is also to fix some indents and use sizeof(variable) instead
of sizeof(type)., especially in sctp_new.Signed-off-by: Xin Long
Signed-off-by: David S. Miller -
This patch is to remove the typedef sctp_sctphdr_t, and replace
with struct sctphdr in the places where it's using this typedef.It is also to fix some indents and use sizeof(variable) instead
of sizeof(type).Signed-off-by: Xin Long
Signed-off-by: David S. Miller
01 Jul, 2017
1 commit
-
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.This patch uses refcount_inc_not_zero() instead of
atomic_inc_not_zero_hint() due to absense of a _hint()
version of refcount API. If the hint() version must
be used, we might need to revisit API.Signed-off-by: Elena Reshetova
Signed-off-by: Hans Liljestrand
Signed-off-by: Kees Cook
Signed-off-by: David Windsor
Signed-off-by: David S. Miller
30 Jun, 2017
2 commits
-
Pablo Neira Ayuso says:
====================
Netfilter updates for net-nextThe following patchset contains Netfilter updates for your net-next
tree. This batch contains connection tracking updates for the cleanup
iteration path, patches from Florian Westphal:X) Skip unconfirmed conntracks in nf_ct_iterate_cleanup_net(), just set
dying bit to let the CPU release them.X) Add nf_ct_iterate_destroy() to be used on module removal, to kill
conntrack from all namespace.X) Restart iteration on hashtable resizing, since both may occur at
the same time.X) Use the new nf_ct_iterate_destroy() to remove conntrack with NAT
mapping on module removal.X) Use nf_ct_iterate_destroy() to remove conntrack entries helper
module removal, from Liping Zhang.X) Use nf_ct_iterate_cleanup_net() to remove the timeout extension
if user requests this, also from Liping.X) Add net_ns_barrier() and use it from FTP helper, so make sure
no concurrent namespace removal happens at the same time while
the helper module is being removed.X) Use NFPROTO_MAX in layer 3 conntrack protocol array, to reduce
module size. Same thing in nf_tables.Updates for the nf_tables infrastructure:
X) Prepare usage of the extended ACK reporting infrastructure for
nf_tables.X) Remove unnecessary forward declaration in nf_tables hash set.
X) Skip set size estimation if number of element is not specified.
X) Changes to accomodate a (faster) unresizable hash set implementation,
for anonymous sets and dynamic size fixed sets with no timeouts.X) Faster lookup function for unresizable hash table for 2 and 4
bytes key.And, finally, a bunch of asorted small updates and cleanups:
X) Do not hold reference to netdev from ipt_CLUSTER, instead subscribe
to device events and look up for index from the packet path, this
is fixing an issue that is present since the very beginning, patch
from Xin Long.X) Use nf_register_net_hook() in ipt_CLUSTER, from Florian Westphal.
X) Use ebt_invalid_target() whenever possible in the ebtables tree,
from Gao Feng.X) Calm down compilation warning in nf_dup infrastructure, patch from
stephen hemminger.X) Statify functions in nftables rt expression, also from stephen.
X) Update Makefile to use canonical method to specify nf_tables-objs.
From Jike Song.X) Use nf_conntrack_helpers_register() in amanda and H323.
X) Space cleanup for ctnetlink, from linzhang.
====================Signed-off-by: David S. Miller
-
After running the following commands for a while, kmemleak reported that
"1879 new suspected memory leaks" happened:
# while : ; do
ip netns add test
ip netns delete test
doneunreferenced object 0xffff88006342fa38 (size 1024):
comm "ip", pid 15477, jiffies 4295982857 (age 957.836s)
hex dump (first 32 bytes):
b8 b0 4d a0 ff ff ff ff c0 34 c3 59 00 88 ff ff ..M......4.Y....
04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] kmemleak_alloc+0x4a/0xa0
[] __kmalloc_track_caller+0x150/0x300
[] kmemdup+0x20/0x50
[] dccp_init_net+0x8a/0x160 [nf_conntrack]
[] nf_ct_l4proto_pernet_register_one+0x25/0x90
...
unreferenced object 0xffff88006342da58 (size 1024):
comm "ip", pid 15477, jiffies 4295982857 (age 957.836s)
hex dump (first 32 bytes):
10 b3 4d a0 ff ff ff ff 04 35 c3 59 00 88 ff ff ..M......5.Y....
04 00 00 00 a4 01 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[] kmemleak_alloc+0x4a/0xa0
[] __kmalloc_track_caller+0x150/0x300
[] kmemdup+0x20/0x50
[] sctp_init_net+0x5d/0x130 [nf_conntrack]
[] nf_ct_l4proto_pernet_register_one+0x25/0x90
...This is because we forgot to implement the get_net_proto for sctp and
dccp, so we won't invoke the nf_ct_unregister_sysctl to free the
ctl_table when do netns cleanup. Also note, we will fail to register
the sysctl for dccp/sctp either due to the lack of get_net_proto.Fixes: c51d39010a1b ("netfilter: conntrack: built-in support for DCCP")
Fixes: a85406afeb3e ("netfilter: conntrack: built-in support for SCTP")
Cc: Davide Caratti
Signed-off-by: Liping Zhang
Acked-by: Davide Caratti
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
20 Jun, 2017
7 commits
-
Pass down struct netlink_ext_ack as parameter to all of our nfnetlink
subsystem callbacks, so we can work on follow up patches to provide
finer grain error reporting using the new infrastructure that
2d4bc93368f5 ("netlink: extended ACK reporting") provides.No functional change, just pass down this new object to callbacks.
Signed-off-by: Pablo Neira Ayuso
-
text data bss dec hex filename
old: 151590 2240 1152 154982 25d66 net/netfilter/nf_tables_api.o
new: 151666 2240 416 154322 25ad2 net/netfilter/nf_tables_api.oSigned-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
We don't support anything larger than NFPROTO_MAX, so we can shrink this a bit:
text data dec hex filename
old: 8259 1096 9355 248b net/netfilter/nf_conntrack_proto.o
new: 8259 624 8883 22b3 net/netfilter/nf_conntrack_proto.oSigned-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
amanda_helper, nf_conntrack_helper_ras and nf_conntrack_helper_q931 are
all arrays, so we can use nf_conntrack_helpers_register to register
the ct helper, this will help us to eliminate some "goto errX"
statements.Also introduce h323_helper_init/exit helper function to register the ct
helpers, this is prepared for the followup patch, which will add net
namespace support for ct helper.Signed-off-by: Liping Zhang
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Should use ":=" instead of "+=".
Signed-off-by: Jike Song
Signed-off-by: Pablo Neira Ayuso -
Quoting Joe Stringer:
If a user loads nf_conntrack_ftp, sends FTP traffic through a network
namespace, destroys that namespace then unloads the FTP helper module,
then the kernel will crash.Events that lead to the crash:
1. conntrack is created with ftp helper in netns x
2. This netns is destroyed
3. netns destruction is scheduled
4. netns destruction wq starts, removes netns from global list
5. ftp helper is unloaded, which resets all helpers of the conntracks
via for_each_net()but because netns is already gone from list the for_each_net() loop
doesn't include it, therefore all of these conntracks are unaffected.6. helper module unload finishes
7. netns wq invokes destructor for rmmod'ed helperCC: "Eric W. Biederman"
Reported-by: Joe Stringer
Signed-off-by: Florian Westphal
Acked-by: David S. Miller
Acked-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso -
We only need to iterate & remove in case of module removal;
for netns destruction all conntracks will be removed anyway.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
16 Jun, 2017
1 commit
-
It seems like a historic accident that these return unsigned char *,
and in many places that means casts are required, more often than not.Make these functions (skb_put, __skb_put and pskb_put) return void *
and remove all the casts across the tree, adding a (u8 *) cast only
where the unsigned char pointer was used directly, all done with the
following spatch:@@
expression SKB, LEN;
typedef u8;
identifier fn = { skb_put, __skb_put };
@@
- *(fn(SKB, LEN))
+ *(u8 *)fn(SKB, LEN)@@
expression E, SKB, LEN;
identifier fn = { skb_put, __skb_put };
type T;
@@
- E = ((T *)(fn(SKB, LEN)))
+ E = fn(SKB, LEN)which actually doesn't cover pskb_put since there are only three
users overall.A handful of stragglers were converted manually, notably a macro in
drivers/isdn/i4l/isdn_bsdcomp.c and, oddly enough, one of the many
instances in net/bluetooth/hci_sock.c. In the former file, I also
had to fix one whitespace problem spatch introduced.Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
07 Jun, 2017
1 commit
-
Just some simple overlapping changes in marvell PHY driver
and the DSA core code.Signed-off-by: David S. Miller
29 May, 2017
17 commits
-
Similar to nf_conntrack_helper, we can use nf_ct_iterare_cleanup_net to
remove these copy & paste code.Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso -
When we unlink the helper objects, we will iterate the nf_conntrack_hash,
iterate the unconfirmed list, handle the hash resize situation, etc.Actually this logic is same as the nf_ct_iterate_destroy, so we can use
it to remove these copy & paste code.Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso -
This patch provides a faster variant of the lookup function for 2 and 4
byte keys. Optimizing the one byte case is not worth, as the set backend
selection will always select the bitmap set type for such case.Signed-off-by: Pablo Neira Ayuso
-
This patch adds a simple non-resizable hashtable implementation. If the
user specifies the set size, then this new faster hashtable flavour is
selected.Signed-off-by: Pablo Neira Ayuso
-
The new fixed size hashtable backend implementation may result in a
large array of buckets that would spew splats from mm. Update this code
to fall back on vmalloc in case the memory allocation order is too
costly.Signed-off-by: Pablo Neira Ayuso
-
Add nft_hash_buckets() helper function to calculate the number of
hashtable buckets based on the elements. This function can be reused
from the follow up patch to add non-resizable hashtables.Signed-off-by: Pablo Neira Ayuso
-
The new non-resizable hashtable variant needs this to calculate the
size of the bucket array.Signed-off-by: Pablo Neira Ayuso
-
This patch adds the infrastructure to support several implementations of
the same set type. This selection will be based on the set description
and the features available for this set. This allow us to select set
backend implementation that will result in better performance numbers.Signed-off-by: Pablo Neira Ayuso
-
This patch prepares the introduction of a non-resizable hashtable
implementation that is significantly faster.Signed-off-by: Pablo Neira Ayuso
-
This size estimation is ignored by the existing set backend selection
logic, since this estimation structure is stack allocated, set this to
~0 to make it easier to catch bugs in future changes.Signed-off-by: Pablo Neira Ayuso
-
Replace struct rhashtable_params forward declaration by the structure
definition itself.Signed-off-by: Pablo Neira Ayuso
-
We don't need pernetns cleanup anymore. If the netns is being
destroyed, conntrack netns exit will kill all entries in this namespace,
and neither conntrack hash table nor bysource hash are per namespace.For the rmmod case, we have to make sure we remove all entries from the
nat bysource table, so call the new nf_ct_iterate_destroy in module exit
path.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
We could some conntracks when a resize occurs in parallel.
Avoid this by sampling generation seqcnt and doing a restart if needed.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
sledgehammer to be used on module unload (to remove affected conntracks
from all namespaces).It will also flag all unconfirmed conntracks as dying, i.e. they will
not be committed to main table.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
nf_ct_iterate_cleanup_net currently calls iter() callback also for
conntracks on the unconfirmed list, but this is unsafe.Acesses to nf_conn are fine, but some users access the extension area
in the iter() callback, but that does only work reliably for confirmed
conntracks (ct->ext can be reallocated at any time for unconfirmed
conntrack).The seond issue is that there is a short window where a conntrack entry
is neither on the list nor in the table: To confirm an entry, it is first
removed from the unconfirmed list, then insert into the table.Fix this by iterating the unconfirmed list first and marking all entries
as dying, then wait for rcu grace period.This makes sure all entries that were about to be confirmed either are
in the main table, or will be dropped soon.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
There are several places where we needlesly call nf_ct_iterate_cleanup,
we should instead iterate the full table at module unload time.This is a leftover from back when the conntrack table got duplicated
per net namespace.So rename nf_ct_iterate_cleanup to nf_ct_iterate_cleanup_net.
A later patch will then add a non-net variant.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso -
Resolves warnings:
net/netfilter/nft_rt.c:26:6: warning: no previous prototype for ‘nft_rt_get_eval’ [-Wmissing-prototypes]
net/netfilter/nft_rt.c:75:5: warning: no previous prototype for ‘nft_rt_get_init’ [-Wmissing-prototypes]
net/netfilter/nft_rt.c:106:5: warning: no previous prototype for ‘nft_rt_get_dump’ [-Wmissing-prototypes]Signed-off-by: Stephen Hemminger
Signed-off-by: Pablo Neira Ayuso
