Eric Lee / smarc-ti-linux-kernel

13 Nov, 2014

1 commit

  • 567686443   netfilter: fix various sparse warnings ... Browse Code »

    net/bridge/br_netfilter.c:870:6: symbol 'br_netfilter_enable' was not declared. Should it be static?
    no; add include
    net/ipv4/netfilter/nft_reject_ipv4.c:22:6: symbol 'nft_reject_ipv4_eval' was not declared. Should it be static?
    yes
    net/ipv6/netfilter/nf_reject_ipv6.c:16:6: symbol 'nf_send_reset6' was not declared. Should it be static?
    no; add include
    net/ipv6/netfilter/nft_reject_ipv6.c:22:6: symbol 'nft_reject_ipv6_eval' was not declared. Should it be static?
    yes
    net/netfilter/core.c:33:32: symbol 'nf_ipv6_ops' was not declared. Should it be static?
    no; add include
    net/netfilter/xt_DSCP.c:40:57: cast truncates bits from constant value (ffffff03 becomes 3)
    net/netfilter/xt_DSCP.c:57:59: cast truncates bits from constant value (ffffff03 becomes 3)
    add __force, 3 is what we want.
    net/ipv4/netfilter/nf_log_arp.c:77:6: symbol 'nf_log_arp_packet' was not declared. Should it be static?
    yes
    net/ipv4/netfilter/nf_reject_ipv4.c:17:6: symbol 'nf_send_reset' was not declared. Should it be static?
    no; add include

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

25 Aug, 2014

1 commit

08 Aug, 2014

1 commit

  • 7926dbfa4   netfilter: don't use mutex_lock_interruptible() ... Browse Code »

    Eric Dumazet reports that getsockopt() or setsockopt() sometimes
    returns -EINTR instead of -ENOPROTOOPT, causing headaches to
    application developers.

    This patch replaces all the mutex_lock_interruptible() by mutex_lock()
    in the netfilter tree, as there is no reason we should sleep for a
    long time there.

    Reported-by: Eric Dumazet
    Suggested-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Julian Anastasov

    Pablo Neira Ayuso
     

14 Oct, 2013

1 commit

31 Jul, 2013

1 commit

06 Jun, 2013

1 commit

  • 143554ace   Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next ... Browse Code »

    Conflicts:
    net/netfilter/nf_log.c

    The conflict in nf_log.c is that in 'net' we added CONFIG_PROC_FS
    protection around foo_proc_entry() calls to fix a build failure,
    whereas in Pablo's tree a guard if() test around a call is
    remove_proc_entry() was removed. Trivially resolved.

    Pablo Neira Ayuso says:

    ====================
    The following patchset contains the first batch of
    Netfilter/IPVS updates for your net-next tree, they are:

    * Three patches with improvements and code refactorization
    for nfnetlink_queue, from Florian Westphal.

    * FTP helper now parses replies without brackets, as RFC1123
    recommends, from Jeff Mahoney.

    * Rise a warning to tell everyone about ULOG deprecation,
    NFLOG has been already in the kernel tree for long time
    and supersedes the old logging over netlink stub, from
    myself.

    * Don't panic if we fail to load netfilter core framework,
    just bail out instead, from myself.

    * Add cond_resched_rcu, used by IPVS to allow rescheduling
    while walking over big hashtables, from Simon Horman.

    * Change type of IPVS sysctl_sync_qlen_max sysctl to avoid
    possible overflow, from Zhang Yanfei.

    * Use strlcpy instead of strncpy to skip zeroing of already
    initialized area to write the extension names in ebtables,
    from Chen Gang.

    * Use already existing per-cpu notrack object from xt_CT,
    from Eric Dumazet.

    * Save explicit socket lookup in xt_socket now that we have
    early demux, also from Eric Dumazet.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

23 May, 2013

2 commits

  • 6d11cfdba   netfilter: don't panic on error while walking through the init path ... Browse Code »

    Don't panic if we hit an error while adding the nf_log or pernet
    netfilter support, just bail out.

    Signed-off-by: Pablo Neira Ayuso
    Acked-by: Gao feng

    Pablo Neira Ayuso
     
  • 2a7851bff   netfilter: add nf_ipv6_ops hook to fix xt_addrtype with IPv6 ... Browse Code »

    Quoting https://bugzilla.netfilter.org/show_bug.cgi?id=812:

    [ ip6tables -m addrtype ]
    When I tried to use in the nat/PREROUTING it messes up the
    routing cache even if the rule didn't matched at all.
    [..]
    If I remove the --limit-iface-in from the non-working scenario, so just
    use the -m addrtype --dst-type LOCAL it works!

    This happens when LOCAL type matching is requested with --limit-iface-in,
    and the default ipv6 route is via the interface the packet we test
    arrived on.

    Because xt_addrtype uses ip6_route_output, the ipv6 routing implementation
    creates an unwanted cached entry, and the packet won't make it to the
    real/expected destination.

    Silently ignoring --limit-iface-in makes the routing work but it breaks
    rule matching (--dst-type LOCAL with limit-iface-in is supposed to only
    match if the dst address is configured on the incoming interface;
    without --limit-iface-in it will match if the address is reachable
    via lo).

    The test should call ipv6_chk_addr() instead. However, this would add
    a link-time dependency on ipv6.

    There are two possible solutions:

    1) Revert the commit that moved ipt_addrtype to xt_addrtype,
    and put ipv6 specific code into ip6t_addrtype.
    2) add new "nf_ipv6_ops" struct to register pointers to ipv6 functions.

    While the former might seem preferable, Pablo pointed out that there
    are more xt modules with link-time dependeny issues regarding ipv6,
    so lets go for 2).

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

19 Apr, 2013

1 commit

  • f229f6ce4   netfilter: add my copyright statements ... Browse Code »

    Add copyright statements to all netfilter files which have had significant
    changes done by myself in the past.

    Some notes:

    - nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
    Core Team when it got split out of nf_conntrack_core.c. The copyrights
    even state a date which lies six years before it was written. It was
    written in 2005 by Harald and myself.

    - net/ipv{4,6}/netfilter.c, net/netfitler/nf_queue.c were missing copyright
    statements. I've added the copyright statement from net/netfilter/core.c,
    where this code originated

    - for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
    it to give the wrong impression

    Signed-off-by: Patrick McHardy
    Signed-off-by: Pablo Neira Ayuso

    Patrick McHardy
     

06 Apr, 2013

2 commits

03 Dec, 2012

1 commit

  • 0360ae412   netfilter: kill support for per-af queue backends ... Browse Code »

    We used to have several queueing backends, but nowadays only
    nfnetlink_queue remains.

    In light of this there doesn't seem to be a good reason to
    support per-af registering -- just hook up nfnetlink_queue on module
    load and remove it on unload.

    This means that the userspace BIND/UNBIND_PF commands are now obsolete;
    the kernel will ignore them.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

03 Sep, 2012

2 commits

30 Aug, 2012

1 commit

23 Aug, 2012

1 commit

22 Jun, 2012

1 commit

21 Jun, 2012

1 commit

16 Jun, 2012

1 commit

  • 9cb017665   netfilter: add glue code to integrate nfnetlink_queue and ctnetlink ... Browse Code »

    This patch allows you to include the conntrack information together
    with the packet that is sent to user-space via NFQUEUE.

    Previously, there was no integration between ctnetlink and
    nfnetlink_queue. If you wanted to access conntrack information
    from your libnetfilter_queue program, you required to query
    ctnetlink from user-space to obtain it. Thus, delaying the packet
    processing even more.

    Including the conntrack information is optional, you can set it
    via NFQA_CFG_F_CONNTRACK flag with the new NFQA_CFG_FLAGS attribute.

    Signed-off-by: Pablo Neira Ayuso

    Pablo Neira Ayuso
     

21 Apr, 2012

1 commit

24 Feb, 2012

1 commit

  • c5905afb0   static keys: Introduce 'struct static_key', static_key_true()/false() and static… ... Browse Code »

    …_key_slow_[inc|dec]()

    So here's a boot tested patch on top of Jason's series that does
    all the cleanups I talked about and turns jump labels into a
    more intuitive to use facility. It should also address the
    various misconceptions and confusions that surround jump labels.

    Typical usage scenarios:

    #include <linux/static_key.h>

    struct static_key key = STATIC_KEY_INIT_TRUE;

    if (static_key_false(&key))
    do unlikely code
    else
    do likely code

    Or:

    if (static_key_true(&key))
    do likely code
    else
    do unlikely code

    The static key is modified via:

    static_key_slow_inc(&key);
    ...
    static_key_slow_dec(&key);

    The 'slow' prefix makes it abundantly clear that this is an
    expensive operation.

    I've updated all in-kernel code to use this everywhere. Note
    that I (intentionally) have not pushed through the rename
    blindly through to the lowest levels: the actual jump-label
    patching arch facility should be named like that, so we want to
    decouple jump labels from the static-key facility a bit.

    On non-jump-label enabled architectures static keys default to
    likely()/unlikely() branches.

    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Acked-by: Jason Baron <jbaron@redhat.com>
    Acked-by: Steven Rostedt <rostedt@goodmis.org>
    Cc: a.p.zijlstra@chello.nl
    Cc: mathieu.desnoyers@efficios.com
    Cc: davem@davemloft.net
    Cc: ddaney.cavm@gmail.com
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/20120222085809.GA26397@elte.hu
    Signed-off-by: Ingo Molnar <mingo@elte.hu>

    Ingo Molnar
     

17 Dec, 2011

1 commit

22 Nov, 2011

1 commit

  • a2d7ec58a   netfilter: use jump_label for nf_hooks ... Browse Code »

    On configs where CONFIG_JUMP_LABEL=y, we can replace in fast path a
    load/compare/conditional jump by a single jump with no dcache reference.

    Jump target is modified as soon as nf_hooks[pf][hook] switches from
    empty state to non empty states. jump_label state is kept outside of
    nf_hooks array so has no cost on cpu caches.

    This patch removes the test on CONFIG_NETFILTER_DEBUG : No need to call
    nf_hook_slow() at all if nf_hooks[pf][hook] is empty, this didnt give
    useful information, but slowed down things a lot.

    Signed-off-by: Eric Dumazet
    CC: Patrick McHardy
    CC: Pablo Neira Ayuso
    Signed-off-by: David S. Miller

    Eric Dumazet
     

01 Nov, 2011

1 commit

  • 563e12326   netfilter: do not propagate nf_queue errors in nf_hook_slow ... Browse Code »

    commit f15850861860636c905b33a9a5be3dcbc2b0d56a
    (netfilter: nfnetlink_queue: return error number to caller)
    erronously assigns the return value of nf_queue() to the "ret" value.

    This can cause bogus return values if we encounter QUEUE verdict
    when bypassing is enabled, the listener does not exist and the
    next hook returns NF_STOLEN.

    In this case nf_hook_slow returned -ESRCH instead of 0.

    Signed-off-by: Florian Westphal
    Signed-off-by: Pablo Neira Ayuso

    Florian Westphal
     

02 Aug, 2011

1 commit

  • a9b3cd7f3   rcu: convert uses of rcu_assign_pointer(x, NULL) to RCU_INIT_POINTER ... Browse Code »

    When assigning a NULL value to an RCU protected pointer, no barrier
    is needed. The rcu_assign_pointer, used to handle that but will soon
    change to not handle the special case.

    Convert all rcu_assign_pointer of NULL value.

    //smpl
    @@ expression P; @@

    - rcu_assign_pointer(P, NULL)
    + RCU_INIT_POINTER(P, NULL)

    //

    Signed-off-by: Stephen Hemminger
    Acked-by: Paul E. McKenney
    Signed-off-by: David S. Miller

    Stephen Hemminger
     

20 Feb, 2011

1 commit

15 Feb, 2011

1 commit

  • de9963f0f   netfilter: nf_iterate: fix incorrect RCU usage ... Browse Code »

    As noticed by Eric, nf_iterate doesn't use RCU correctly by
    accessing the prev pointer of a RCU protected list element when
    a verdict of NF_REPEAT is issued.

    Fix by jumping backwards to the hook invocation directly instead
    of loading the previous list element before continuing the list
    iteration.

    Reported-by: Eric Dumazet
    Acked-by: Eric Dumazet
    Signed-off-by: Patrick McHardy

    Patrick McHardy
     

18 Jan, 2011

4 commits

  • 94b27cc36   netfilter: allow NFQUEUE bypass if no listener is available ... Browse Code »

    If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
    packet is dropped.

    This adds a v2 target revision of xt_NFQUEUE that allows packets to
    continue through the ruleset instead.

    Because the actual queueing happens outside of the target context, the
    'bypass' flag has to be communicated back to the netfilter core.

    Unfortunately the only choice to do this without adding a new function
    argument is to use the target function return value (i.e. the verdict).

    In the NF_QUEUE case, the upper 16bit already contain the queue number
    to use. The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
    we now have extra room for a new flag.

    If a hook issued a NF_QUEUE verdict, then the netfilter core will
    continue packet processing if the queueing hook
    returns -ESRCH (== "this queue does not exist") and the new
    NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.

    Note: If the queue exists, but userspace does not consume packets fast
    enough, the skb will still be dropped.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy

    Florian Westphal
     
  • f615df76e   netfilter: reduce NF_VERDICT_MASK to 0xff ... Browse Code »

    NF_VERDICT_MASK is currently 0xffff. This is because the upper
    16 bits are used to store errno (for NF_DROP) or the queue number
    (NF_QUEUE verdict).

    As there are up to 0xffff different queues available, there is no more
    room to store additional flags.

    At the moment there are only 6 different verdicts, i.e. we can reduce
    NF_VERDICT_MASK to 0xff to allow storing additional flags in the 0xff00 space.

    NF_VERDICT_BITS would then be reduced to 8, but because the value is
    exported to userspace, this might cause breakage; e.g.:

    e.g. 'queuenr = (1 << NF_VERDICT_BITS) | NF_QUEUE' would now break.

    Thus, remove NF_VERDICT_BITS usage in the kernel and move the old value
    to the 'userspace compat' section.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy

    Florian Westphal
     
  • 06cdb6349   netfilter: nfnetlink_queue: do not free skb on error ... Browse Code »

    Move free responsibility from nf_queue to caller.
    This enables more flexible error handling; we can now accept the skb
    instead of freeing it.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy

    Florian Westphal
     
  • f15850861   netfilter: nfnetlink_queue: return error number to caller ... Browse Code »

    instead of returning -1 on error, return an error number to allow the
    caller to handle some errors differently.

    ECANCELED is used to indicate that the hook is going away and should be
    ignored.

    A followup patch will introduce more 'ignore this hook' conditions,
    (depending on queue settings) and will move kfree_skb responsibility
    to the caller.

    Signed-off-by: Florian Westphal
    Signed-off-by: Patrick McHardy

    Florian Westphal
     

13 Jan, 2011

1 commit

18 Nov, 2010

1 commit

16 Nov, 2010

1 commit

24 Oct, 2010

1 commit

  • 5f05647dd   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 ... Browse Code »

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1699 commits)
    bnx2/bnx2x: Unsupported Ethtool operations should return -EINVAL.
    vlan: Calling vlan_hwaccel_do_receive() is always valid.
    tproxy: use the interface primary IP address as a default value for --on-ip
    tproxy: added IPv6 support to the socket match
    cxgb3: function namespace cleanup
    tproxy: added IPv6 support to the TPROXY target
    tproxy: added IPv6 socket lookup function to nf_tproxy_core
    be2net: Changes to use only priority codes allowed by f/w
    tproxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is enabled
    tproxy: added tproxy sockopt interface in the IPV6 layer
    tproxy: added udp6_lib_lookup function
    tproxy: added const specifiers to udp lookup functions
    tproxy: split off ipv6 defragmentation to a separate module
    l2tp: small cleanup
    nf_nat: restrict ICMP translation for embedded header
    can: mcp251x: fix generation of error frames
    can: mcp251x: fix endless loop in interrupt handler if CANINTF_MERRF is set
    can-raw: add msg_flags to distinguish local traffic
    9p: client code cleanup
    rds: make local functions/variables static
    ...

    Fix up conflicts in net/core/dev.c, drivers/net/pcmcia/smc91c92_cs.c and
    drivers/net/wireless/ath/ath9k/debug.c as per David

    Linus Torvalds
     

05 Oct, 2010

1 commit

20 Aug, 2010

1 commit

30 Mar, 2010

1 commit

  • 5a0e3ad6a   include cleanup: Update gfp.h and slab.h includes to prepare for breaking implic… ... Browse Code »

    …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities include those
    headers directly instead of assuming availability. As this conversion
    needs to touch large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the followings.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and try to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    wildly available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build test were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable easily on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

12 Nov, 2009

1 commit

  • f8572d8f2   sysctl net: Remove unused binary sysctl code ... Browse Code »
    2

    Now that sys_sysctl is a compatiblity wrapper around /proc/sys
    all sysctl strategy routines, and all ctl_name and strategy
    entries in the sysctl tables are unused, and can be
    revmoed.

    In addition neigh_sysctl_register has been modified to no longer
    take a strategy argument and it's callers have been modified not
    to pass one.

    Cc: "David Miller"
    Cc: Hideaki YOSHIFUJI
    Cc: netdev@vger.kernel.org
    Signed-off-by: Eric W. Biederman

    Eric W. Biederman
     

18 Feb, 2009

1 commit