- 09 Sep, 2016 6 commits
-
-
Daniel Borkmann authored
LLVM can generate code that tests for direct packet access via skb->data/data_end in a way that currently gets rejected by the verifier, example: [...] 7: (61) r3 = *(u32 *)(r6 +80) 8: (61) r9 = *(u32 *)(r6 +76) 9: (bf) r2 = r9 10: (07) r2 += 54 11: (3d) if r3 >= r2 goto pc+12 R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx R9=pkt(id=0,off=0,r=0) R10=fp 12: (18) r4 = 0xffffff7a 14: (05) goto pc+430 [...] from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx R9=pkt(id=0,off=0,r=0) R10=fp 24: (7b) *(u64 *)(r10 -40) = r1 25: (b7) r1 = 0 26: (63) *(u32 *)(r6 +56) = r1 27: (b7) r2 = 40 28: (71) r8 = *(u8 *)(r9 +20) invalid access to packet, off=20 size=1, R9(id=0,off=0,r=0) The reason why this gets rejected despite a proper test is that we currently call find_good_pkt_pointers() only in case where we detect tests like rX > pkt_end, where rX is of type pkt(id=Y,off=Z,r=0) and derived, for example, from a register of type pkt(id=Y,off=0,r=0) pointing to skb->data. find_good_pkt_pointers() then fills the range in the current branch to pkt(id=Y,off=0,r=Z) on success. For above case, we need to extend that to recognize pkt_end >= rX pattern and mark the other branch that is taken on success with the appropriate pkt(id=Y,off=0,r=Z) type via find_good_pkt_pointers(). Since eBPF operates on BPF_JGT (>) and BPF_JGE (>=), these are the only two practical options to test for from what LLVM could have generated, since there's no such thing as BPF_JLT (<) or BPF_JLE (<=) that we would need to take into account as well. After the fix: [...] 7: (61) r3 = *(u32 *)(r6 +80) 8: (61) r9 = *(u32 *)(r6 +76) 9: (bf) r2 = r9 10: (07) r2 += 54 11: (3d) if r3 >= r2 goto pc+12 R1=inv R2=pkt(id=0,off=54,r=0) R3=pkt_end R4=inv R6=ctx R9=pkt(id=0,off=0,r=0) R10=fp 12: (18) r4 = 0xffffff7a 14: (05) goto pc+430 [...] from 11 to 24: R1=inv R2=pkt(id=0,off=54,r=54) R3=pkt_end R4=inv R6=ctx R9=pkt(id=0,off=0,r=54) R10=fp 24: (7b) *(u64 *)(r10 -40) = r1 25: (b7) r1 = 0 26: (63) *(u32 *)(r6 +56) = r1 27: (b7) r2 = 40 28: (71) r8 = *(u8 *)(r9 +20) 29: (bf) r1 = r8 30: (25) if r8 > 0x3c goto pc+47 R1=inv56 R2=imm40 R3=pkt_end R4=inv R6=ctx R8=inv56 R9=pkt(id=0,off=0,r=54) R10=fp 31: (b7) r1 = 1 [...] Verifier test cases are also added in this work, one that demonstrates the mentioned example here and one that tries a bad packet access for the current/fall-through branch (the one with types pkt(id=X,off=Y,r=0), pkt(id=X,off=0,r=0)), then a case with good and bad accesses, and two with both test variants (>, >=). Fixes: 969bf05e ("bpf: direct packet access") Signed-off-by:Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Alexei Starovoitov <ast@kernel.org> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Yaogong Wang authored
Over the years, TCP BDP has increased by several orders of magnitude, and some people are considering to reach the 2 Gbytes limit. Even with current window scale limit of 14, ~1 Gbytes maps to ~740,000 MSS. In presence of packet losses (or reorders), TCP stores incoming packets into an out of order queue, and number of skbs sitting there waiting for the missing packets to be received can be in the 10^5 range. Most packets are appended to the tail of this queue, and when packets can finally be transferred to receive queue, we scan the queue from its head. However, in presence of heavy losses, we might have to find an arbitrary point in this queue, involving a linear scan for every incoming packet, throwing away cpu caches. This patch converts it to a RB tree, to get bounded latencies. Yaogong wrote a preliminary patch about 2 years ago. Eric did the rebase, added ofo_last_skb cache, polishing and tests. Tested with network dropping between 1 and 10 % packets, with good success (about 30 % increase of throughput in stress tests) Next step would be to also use an RB tree for the write queue at sender side ;) Signed-off-by:
Yaogong Wang <wygivan@google.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Cc: Yuchung Cheng <ycheng@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Acked-By:
Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by:
-
David S. Miller authored
Eric Garver says: ==================== openvswitch: add 802.1ad support This series adds 802.1ad support to openvswitch. It is a continuation of the work originally started by Thomas F Herbert - hence the large rev number. The extra VLAN is implemented by using an additional level of the OVS_KEY_ATTR_ENCAP netlink attribute. In OVS flow speak, this looks like eth_type(0x88a8),vlan(vid=100),encap(eth_type(0x8100), vlan(vid=200), encap(eth_type(0x0800), ...)) The userspace counterpart has also seen recent activity on the ovs-dev mailing lists. There are some new 802.1ad OVS tests being added - also on the ovs-dev list. This patch series has been tested using the most recent version of userspace (v3) and tests (v2). v22 changes: - merge patch 4 into patch 3 - fix checkpatch.pl errors - Still some 80 char warnings for long string literals - refresh pointer after pskb_may_pull() - refactor vlan nlattr parsing to remove some double checks - introduce ovs_nla_put_vlan() - move triple VLAN check to after ethertype serialization - WARN_ON_ONCE() on triple VLAN and unexpected encap values v21 changes: - Fix (and simplify) netlink attribute parsing - re-add handling of truncated VLAN tags - fix if/else dangling assignment in {push,pop}_vlan() - simplify parse_vlan() ==================== Signed-off-by: -
Eric Garver authored
Add support for 802.1ad including the ability to push and pop double tagged vlans. Add support for 802.1ad to netlink parsing and flow conversion. Uses double nested encap attributes to represent double tagged vlan. Inner TPID encoded along with ctci in nested attributes. This is based on Thomas F Herbert's original v20 patch. I made some small clean ups and bug fixes. Signed-off-by:
Thomas F Herbert <thomasfherbert@gmail.com> Signed-off-by:
Eric Garver <e@erig.me> Acked-by:
Pravin B Shelar <pshelar@ovn.org> Signed-off-by:
-
Eric Garver authored
This is to simplify using double tagged vlans. This function allows all valid vlan ethertypes to be checked in a single function call. Also replace some instances that check for both ETH_P_8021Q and ETH_P_8021AD. Patch based on one originally by Thomas F Herbert. Signed-off-by:
-
Thomas F Herbert authored
openvswitch: Add support for 8021.AD Change the description of the VLAN tpid field. Signed-off-by:
-
- 08 Sep, 2016 22 commits
-
-
Lorenzo Colitti authored
This adds the capability for a process that has CAP_NET_ADMIN on a socket to see the socket mark in socket dumps. Commit a52e95ab ("net: diag: allow socket bytecode filters to match socket marks") recently gave privileged processes the ability to filter socket dumps based on mark. This patch is complementary: it ensures that the mark is also passed to userspace in the socket's netlink attributes. It is useful for tools like ss which display information about sockets. Tested: https://android-review.googlesource.com/270210Signed-off-by:
Lorenzo Colitti <lorenzo@google.com> Signed-off-by:
-
Zubair Lutfullah Kakakhel authored
The MIPS based xilfpga platform uses this driver. Enable it for MIPS Signed-off-by:
Zubair Lutfullah Kakakhel <Zubair.Kakakhel@imgtec.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-nextDavid S. Miller authored
Steffen Klassert says: ==================== ipsec-next 2016-09-08 1) Constify the xfrm_replay structures. From Julia Lawall 2) Protect xfrm state hash tables with rcu, lookups can be done now without acquiring xfrm_state_lock. From Florian Westphal. 3) Protect xfrm policy hash tables with rcu, lookups can be done now without acquiring xfrm_policy_lock. From Florian Westphal. 4) We don't need to have a garbage collector list per namespace anymore, so use a global one instead. From Florian Westphal. ==================== Signed-off-by: -
subashab@codeaurora.org authored
proc_dointvec limits the values to INT_MAX in u32 sysctl entries. proc_douintvec allows to write upto UINT_MAX. Signed-off-by:
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Signed-off-by:
-
David S. Miller authored
Sriharsha Basavapatna says: ==================== be2net: patch-set The following patch set contains an error recovery feature and a few bug fixes. Please consider applying this to the net-next tree. Thanks. Patch-1 Supports HW error recovery in Skyhawk/BEx adapters Patch-2 Fixes driver unload to issue function reset FW command Patch-3 Avoids issuing GET_EXT_FAT_CAPABILITIES command for VFs Patch-4 Avoids redundant addition of mac address in HW Patch-5 Fixes mac address collision in some configurations Patch-6 Updates driver version ==================== Signed-off-by: -
Sriharsha Basavapatna authored
Signed-off-by:
Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Signed-off-by:
-
Suresh Reddy authored
If the device mac address is updated using ndo_set_mac_address(), while the same mac address is already programmed, the driver does not detect this condition if its netdev->dev_addr has been changed. The driver tries to add the same mac address resulting in mac address collision error. This has been observed in bonding mode-5 configuration. To fix this, store the mac address configured in HW in the adapter structure. Use this to compare against the new address being updated to avoid collision. Signed-off-by:
Suresh Reddy <Suresh.Reddy@broadcom.com> Signed-off-by:
Sathya Perla <sathya.perla@broadcom.com> Signed-off-by:
-
Suresh Reddy authored
If a mac address is added to the uc_list and later the same mac address is added via ndo_set_mac_address() or vice versa, the driver does not detect this condition and tries to add it again. This results in a mac address collision error when the FW rejects it. Fix this by checking if the given mac address is present in uc_list while setting the device mac address and vice versa. Similarly skip deletion if the address is still in use in the other form. Signed-off-by:
-
Somnath Kotur authored
Driver issues OPCODE_COMMON_GET_EXT_FAT_CAPABILITIES cmd during init which when issued by VFs results in the logging of a cmd failure message since they don't have the required privilege for this cmd. Fix by checking privilege before issuing the cmd. Also fixed typo in CAPABILITIES. Signed-off-by:
Somnath Kotur <somnath.kotur@broadcom.com> Signed-off-by:
-
Somnath Kotur authored
As per SLI guideline, drivers need to issue COMMON_RESET_FUNCTION SLI cmd during driver unload to clean up any non-persistent state information. Issue this cmd only if VFs are not assigned to VMs as it is possible for PF driver to unload while it\'s VF remains functional and assigned to a VM. Signed-off-by:
-
Sriharsha Basavapatna authored
This patch supports recovery from UEs caused due to Transient Parity Errors (TPE), in BE2, BE3 and Skyhawk adapters. This change avoids system reboot when such errors occur. The driver recovers from these errors such that the adapter resumes full operational status as prior to the UE. Following is the list of changes in the driver to support this: o The driver registers its UE recoverable capability with ARM FW at init time. This also allows the driver to know if the feature is supported in the FW. o As the UE recovery requires precise time bound processing, the driver creates its own error recovery work queue with a single worker thread (per module, shared across functions). o Each function runs an error detection task at an interval of 1 second as required by the FW. The error detection logic already exists for BEx/SH, but it now runs in the context of a separate worker thread. o When an error is detected by the task, if it is recoverable, the PF0 driver instance initiates a soft reset, while other PF driver instances wait for the reset to complete and the chip to become ready. Once the chip is ready, all driver instances including PF0, resume to reinitialize the respective functions. o The PF0 driver checks for some recovery criteria, to determine if the recovery can be initiated. If the criteria is not met, the PF0 driver does not initiate a soft reset, it retains the existing behavior to stop further processing and requires a reboot to get the chip to operational state again. o To allow each function to share the workq, while also making progress in its recovery process, a per-function recovery state machine is used. The per-function tasks avoid blocking operations like msleep() while in this state machine (until reinit state) and instead reschedule for the required delay. o With these changes, the existing error recovery code for Lancer also runs in the context of the new worker thread. Signed-off-by:
-
Linus Walleij authored
On some systems (such as the Qualcomm APQ8060 Dragonboard) the RESET signal of the SMSC911x is not pulled up by a resistor (or the internal pull-up that will pull it up if the pin is not even connected) but instead connected to a GPIO line, so that the operating system must explicitly deassert RESET before use. Support this in the SMSC911x driver so this ethernet connector can be used on such targets. Notice that we request the line to go logical low (deassert) whilst the line on the actual component is active low. This is managed in the respective hardware description when specifying the GPIO line with e.g. device tree or ACPI. With device tree it looks like this in one case: reset-gpios = <&tlmm 30 GPIO_ACTIVE_LOW>; Which means that logically requesting the RESET line to be deasserted will result in the line being driven high, taking the device out of reset. Cc: Jeremy Linton <jeremy.linton@arm.com> Signed-off-by:
Linus Walleij <linus.walleij@linaro.org> Reviewed-by:
Jeremy Linton <jeremy.linton@arm.com> Signed-off-by:
-
Linus Walleij authored
This adds device tree bindings for: - An optional GPIO line for releasing the RESET signal to the SMSC911x devices - An optional PME (power management event) interrupt line that can be utilized to wake up the system on network activity. This signal exist on all the SMSC911x devices, it is just not very often routed. Both these lines are routed to the SoC on the Qualcomm APQ8060 Dragonboard and thus needs to be bound in the device tree. Cc: devicetree@vger.kernel.org Cc: Jeremy Linton <jeremy.linton@arm.com> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
David S. Miller authored
Tomer Tayar says: ==================== qed*: Debug data collection This patch series adds the support of debug data collection in the qed driver, and the means to extract it in the qede driver via the get_regs operation. Changes from V1: - Respin of the series after rebasing next-next. - Remove the first patch as it seems that its V1 version was already applied (commit '4102426f'). ==================== Signed-off-by:
-
Tomer Tayar authored
Signed-off-by:
Tomer Tayar <Tomer.Tayar@qlogic.com> Signed-off-by:
Yuval Mintz <Yuval.Mintz@qlogic.com> Signed-off-by:
-
Tomer Tayar authored
This patch adds the support for dumping and formatting the HW/FW debug data. Signed-off-by:
-
Oliver Neukum authored
SOme statements in the driver only served to inform which functions were entered. Ftrace can do that just as good without needing memory. Remove the statements. Signed-off-by:
Oliver Neukum <oneukum@suse.com> Signed-off-by:
-
Baoyou Xie authored
We get 4 warnings when building kernel with W=1: drivers/net/ethernet/qlogic/qed/qed_selftest.c:6:5: warning: no previous prototype for 'qed_selftest_memory' [-Wmissing-prototypes] drivers/net/ethernet/qlogic/qed/qed_selftest.c:19:5: warning: no previous prototype for 'qed_selftest_interrupt' [-Wmissing-prototypes] drivers/net/ethernet/qlogic/qed/qed_selftest.c:32:5: warning: no previous prototype for 'qed_selftest_register' [-Wmissing-prototypes] drivers/net/ethernet/qlogic/qed/qed_selftest.c:55:5: warning: no previous prototype for 'qed_selftest_clock' [-Wmissing-prototypes] In fact, these functions are declared in qed_selftest.h, so this patch add missing header dependencies. Signed-off-by:
Baoyou Xie <baoyou.xie@linaro.org> Acked-by:
-
Lorenzo Colitti authored
udp_diag_destroy does look up the IPv4 UDP hashtable for mapped addresses, but it gets the IPv4 address to look up from the beginning of the IPv6 address instead of the end. Tested: https://android-review.googlesource.com/269874 Fixes: 5d77dca8 ("net: diag: support SOCK_DESTROY for UDP sockets") Signed-off-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
Andrey Vagin authored
This bug was detected by kmemleak: unreferenced object 0xffff8804269cc3c0 (size 64): comm "criu", pid 1042, jiffies 4294907360 (age 13.713s) hex dump (first 32 bytes): a0 32 cc 2c 04 88 ff ff 00 00 00 00 00 00 00 00 .2.,............ 00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de ................ backtrace: [<ffffffff8184dffa>] kmemleak_alloc+0x4a/0xa0 [<ffffffff8124720f>] kmem_cache_alloc_trace+0x10f/0x280 [<ffffffffa02864cc>] __netlink_diag_dump+0x26c/0x290 [netlink_diag] v2: don't remove a reference on a rhashtable_iter structure to release it from netlink_diag_dump_done Cc: Herbert Xu <herbert@gondor.apana.org.au> Fixes: ad202074 ("netlink: Use rhashtable walk interface in diag dump") Signed-off-by:Andrei Vagin <avagin@openvz.org> Acked-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
David S. Miller authored
Merge tag 'rxrpc-rewrite-20160907-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs David Howells says: ==================== rxrpc: Local abort tracepoint Here are two patches. They need to be applied on top of the just-posted call refcount overhaul patch: (1) Fix the return value of some call completion helpers. (2) Add a tracepoint that allows local aborts to be debugged. ==================== Signed-off-by:
-
David S. Miller authored
Merge tag 'rxrpc-rewrite-20160907-1' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs David Howells says: ==================== rxrpc: Overhaul call refcounting Here's a set of mostly small patches leading up to one big one. The big patch at the end of the series overhauls how rxrpc_call refcounting is handled, making it more sane so that calls bound to user IDs are _only_ released from socket operations or kernel API functions. Further, the patch stops calls from holding refs on their parent socket - which can prevent the socket from being cleaned up. The second largest patch improves the call tracking tracepoint by providing extra information about the situation in which gets and puts occur. This allows distinctions to be drawn between refs held by the socket user ID tree, refs held by the work queue (to be implemented by a future patch) and other refs. The other patches include a couple of cleanups and some simple alterations to avoid NULL pointer dereferences in the big patch. ==================== Signed-off-by:
-
- 07 Sep, 2016 10 commits
-
-
David Howells authored
Add a tracepoint for working out where local aborts happen. Each tracepoint call is labelled with a 3-letter code so that they can be distinguished - and the DATA sequence number is added too where available. rxrpc_kernel_abort_call() also takes a 3-letter code so that AFS can indicate the circumstances when it aborts a call. Signed-off-by:David Howells <dhowells@redhat.com>
-
David Howells authored
rxrpc_set_call_completion() returns bool, not int, so the ret variable should match this. rxrpc_call_completed() and __rxrpc_call_completed() should return the value of rxrpc_set_call_completion(). Signed-off-by: -
David Howells authored
rxrpc calls shouldn't hold refs on the sock struct. This was done so that the socket wouldn't go away whilst the call was in progress, such that the call could reach the socket's queues. However, we can mark the socket as requiring an RCU release and rely on the RCU read lock. To make this work, we do: (1) rxrpc_release_call() removes the call's call user ID. This is now only called from socket operations and not from the call processor: rxrpc_accept_call() / rxrpc_kernel_accept_call() rxrpc_reject_call() / rxrpc_kernel_reject_call() rxrpc_kernel_end_call() rxrpc_release_calls_on_socket() rxrpc_recvmsg() Though it is also called in the cleanup path of rxrpc_accept_incoming_call() before we assign a user ID. (2) Pass the socket pointer into rxrpc_release_call() rather than getting it from the call so that we can get rid of uninitialised calls. (3) Fix call processor queueing to pass a ref to the work queue and to release that ref at the end of the processor function (or to pass it back to the work queue if we have to requeue). (4) Skip out of the call processor function asap if the call is complete and don't requeue it if the call is complete. (5) Clean up the call immediately that the refcount reaches 0 rather than trying to defer it. Actual deallocation is deferred to RCU, however. (6) Don't hold socket refs for allocated calls. (7) Use the RCU read lock when queueing a message on a socket and treat the call's socket pointer according to RCU rules and check it for NULL. We also need to use the RCU read lock when viewing a call through procfs. (8) Transmit the final ACK/ABORT to a client call in rxrpc_release_call() if this hasn't been done yet so that we can then disconnect the call. Once the call is disconnected, it won't have any access to the connection struct and the UDP socket for the call work processor to be able to send the ACK. Terminal retransmission will be handled by the connection processor. (9) Release all calls immediately on the closing of a socket rather than trying to defer this. Incomplete calls will be aborted. The call refcount model is much simplified. Refs are held on the call by: (1) A socket's user ID tree. (2) A socket's incoming call secureq and acceptq. (3) A kernel service that has a call in progress. (4) A queued call work processor. We have to take care to put any call that we failed to queue. (5) sk_buffs on a socket's receive queue. A future patch will get rid of this. Whilst we're at it, we can do: (1) Get rid of the RXRPC_CALL_EV_RELEASE event. Release is now done entirely from the socket routines and never from the call's processor. (2) Get rid of the RXRPC_CALL_DEAD state. Calls now end in the RXRPC_CALL_COMPLETE state. (3) Get rid of the rxrpc_call::destroyer work item. Calls are now torn down when their refcount reaches 0 and then handed over to RCU for final cleanup. (4) Get rid of the rxrpc_call::deadspan timer. Calls are cleaned up immediately they're finished with and don't hang around. Post-completion retransmission is handled by the connection processor once the call is disconnected. (5) Get rid of the dead call expiry setting as there's no longer a timer to set. (6) rxrpc_destroy_all_calls() can just check that the call list is empty. Signed-off-by: -
David Howells authored
Use rxrpc_is_service_call() rather than rxrpc_conn_is_service() if the call is available just in case call->conn is NULL. Signed-off-by: -
David Howells authored
Pass the connection pointer to rxrpc_post_packet_to_call() as the call might get disconnected whilst we're looking at it, but the connection pointer determined by rxrpc_data_read() is guaranteed by RCU for the duration of the call. Signed-off-by: -
David Howells authored
Cache the security index in the rxrpc_call struct so that we can get at it even when the call has been disconnected and the connection pointer cleared. Signed-off-by: -
David Howells authored
Use call->peer rather than call->conn->params.peer to avoid the possibility of call->conn being NULL and, whilst we're at it, check it for NULL before we access it. Signed-off-by: -
David Howells authored
Improve the call tracking tracepoint by showing more differentiation between some of the put and get events, including: (1) Getting and putting refs for the socket call user ID tree. (2) Getting and putting refs for queueing and failing to queue the call processor work item. Note that these aren't necessarily used in this patch, but will be taken advantage of in future patches. An enum is added for the event subtype numbers rather than coding them directly as decimal numbers and a table of 3-letter strings is provided rather than a sequence of ?: operators. Signed-off-by: -
David Howells authored
Delete rxrpc_kernel_free_skb() as it's unused. Signed-off-by: -
David Howells authored
Remove some whitespace. Signed-off-by:
-
- 06 Sep, 2016 2 commits
-
-
Arnd Bergmann authored
gpio_to_irq does not return NO_IRQ but instead returns a negative error code on failure. Returning NO_IRQ from the function has no negative effects as we only compare the result to the expected interrupt number, but it's better to return a proper failure code for consistency, and we should remove NO_IRQ from the kernel entirely. Signed-off-by:
Richard Cochran <richardcochran@gmail.com> Signed-off-by:
-
Bert Kenward authored
Reported-by:
Ma Yuying <yuma@redhat.com> Suggested-by:
Jarod Wilson <jarod@redhat.com> Signed-off-by:
Bert Kenward <bkenward@solarflare.com> Reviewed-by:
-
