- 20 Oct, 2017 40 commits
-
-
Chenbo Feng authored
Introduce several LSM hooks for the syscalls that will allow the userspace to access to eBPF object such as eBPF programs and eBPF maps. The security check is aimed to enforce a per object security protection for eBPF object so only processes with the right priviliges can read/write to a specific map or use a specific eBPF program. Besides that, a general security hook is added before the multiplexer of bpf syscall to check the cmd and the attribute used for the command. The actual security module can decide which command need to be checked and how the cmd should be checked. Signed-off-by:
Chenbo Feng <fengc@google.com> Acked-by:
James Morris <james.l.morris@oracle.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Chenbo Feng authored
Two related tests are added into bpf selftest to test read only map and write only map. The tests verified the read only and write only flags are working on hash maps. Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Signed-off-by:
-
Chenbo Feng authored
Introduce the map read/write flags to the eBPF syscalls that returns the map fd. The flags is used to set up the file mode when construct a new file descriptor for bpf maps. To not break the backward capability, the f_flags is set to O_RDWR if the flag passed by syscall is 0. Otherwise it should be O_RDONLY or O_WRONLY. When the userspace want to modify or read the map content, it will check the file mode to see if it is allowed to make the change. Signed-off-by:
Alexei Starovoitov <ast@kernel.org> Acked-by:
-
Eric Dumazet authored
syzkaller got crashes at dismantle time [1] It is not correct to test (tun->flags & IFF_NAPI) in tun_napi_disable() and tun_napi_del() : Each tun_file can have different mode, depending on how they were created. Similarly I have changed tun_get_user() and tun_poll_controller() to use the new tfile->napi_enabled boolean. [ 154.331360] BUG: unable to handle kernel NULL pointer dereference at (null) [ 154.339220] IP: [<ffffffff9634cad6>] hrtimer_active+0x26/0x60 [ 154.344983] PGD 0 [ 154.347009] Oops: 0000 [#1] SMP [ 154.350680] gsmi: Log Shutdown Reason 0x03 [ 154.379572] task: ffff994719150dc0 ti: ffff99475c0ae000 task.ti: ffff99475c0ae000 [ 154.387043] RIP: 0010:[<ffffffff9634cad6>] [<ffffffff9634cad6>] hrtimer_active+0x26/0x60 [ 154.395232] RSP: 0018:ffff99475c0afce8 EFLAGS: 00010246 [ 154.400542] RAX: ffff994754850ac0 RBX: ffff994753e65408 RCX: ffff994753e65388 [ 154.407666] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff994753e65408 [ 154.414790] RBP: ffff99475c0afce8 R08: 0000000000000000 R09: 0000000000000000 [ 154.421921] R10: ffff99475f6f5910 R11: 0000000000000001 R12: 0000000000000000 [ 154.429044] R13: ffff99417deab668 R14: ffff99417deaa780 R15: ffff99475f45dde0 [ 154.436174] FS: 0000000000000000(0000) GS:ffff994767a00000(0000) knlGS:0000000000000000 [ 154.444249] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 154.449986] CR2: 0000000000000000 CR3: 00000005a8a0e000 CR4: 0000000000022670 [ 154.457110] Stack: [ 154.459120] ffff99475c0afd28 ffffffff9634d614 1000000000000000 0000000000000000 [ 154.466598] ffffe54240000000 ffff994753e65408 ffff994753e653a8 ffff99417deab668 [ 154.474067] ffff99475c0afd48 ffffffff9634d6fd ffff99474c2be678 ffff994753e65398 [ 154.481537] Call Trace: [ 154.483985] [<ffffffff9634d614>] hrtimer_try_to_cancel+0x24/0xf0 [ 154.490074] [<ffffffff9634d6fd>] hrtimer_cancel+0x1d/0x30 [ 154.495563] [<ffffffff96860b3c>] napi_disable+0x3c/0x70 [ 154.500875] [<ffffffff9678ae62>] __tun_detach+0xd2/0x360 [ 154.506272] [<ffffffff9678b117>] tun_chr_close+0x27/0x40 [ 154.511669] [<ffffffff9646ebe6>] __fput+0xd6/0x1e0 [ 154.516548] [<ffffffff9646ed3e>] ____fput+0xe/0x10 [ 154.521429] [<ffffffff963035a2>] task_work_run+0x72/0x90 [ 154.526827] [<ffffffff962e9407>] do_exit+0x317/0xb60 [ 154.531879] [<ffffffff962e9c8f>] do_group_exit+0x3f/0xa0 [ 154.537275] [<ffffffff962e9d07>] SyS_exit_group+0x17/0x20 [ 154.542769] [<ffffffff969784be>] entry_SYSCALL_64_fastpath+0x12/0x17 Fixes: 94317099 ("net-tun: enable NAPI for TUN/TAP driver") Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
David Ahern authored
All of the notifier data (fib_info, tos, type and table id) are contained in the fib_alias. Pass it to the notifier instead of each data separately shortening the argument list by 3. Signed-off-by:
David Ahern <dsahern@gmail.com> Reviewed-by:
Ido Schimmel <idosch@mellanox.com> Signed-off-by:
-
Yuchung Cheng authored
New socket option TCP_FASTOPEN_KEY to allow different keys per listener. The listener by default uses the global key until the socket option is set. The key is a 16 bytes long binary data. This option has no effect on regular non-listener TCP sockets. Signed-off-by:
Yuchung Cheng <ycheng@google.com> Reviewed-by:
Christoph Paasch <cpaasch@apple.com> Signed-off-by:
-
David S. Miller authored
David Ahern says: ==================== mlxsw: spectrum_router: Add extack messages for RIF and VRF overflow Currently, exceeding the number of VRF instances or the number of router interfaces either fails with a non-intuitive EBUSY: $ ip li set swp1s1.6 vrf vrf-1s1-6 up RTNETLINK answers: Device or resource busy or fails silently (IPv6) since the checks are done in a work queue. This set adds support for the address validator notifier to spectrum which allows ext-ack based messages to be returned on failure. To make that happen the IPv6 version needs to be converted from atomic to blocking (patch 2), and then support for extack needs to be added to the notifier (patch 3). Patch 1 reworks the locking in ipv6_add_addr to work better in the atomic and non-atomic code paths. Patches 4 and 5 add the validator notifier to spectrum and then plumb the extack argument through spectrum_router. With this set, VRF overflows fail with: $ ip li set swp1s1.6 vrf vrf-1s1-6 up Error: spectrum: Exceeded number of supported VRF. and RIF overflows fail with: $ ip addr add dev swp1s2.191 10.12.191.1/24 Error: spectrum: Exceeded number of supported router interfaces. v2 -> v3 - fix surround context of patch 4 which was altered by c30f5d01 v1 -> v2 - fix error path in ipv6_add_addr: reset rt to NULL (Ido comment) and add in6_dev_put on ifa once the hold has been done RFC -> v1 - addressed various comments from Ido - refactored ipv6_add_addr to allow ifa's to be allocated with GFP_KERNEL as requested by DaveM ==================== Signed-off-by: -
David Ahern authored
Add extack argument down to mlxsw_sp_rif_create and mlxsw_sp_vr_create to set an error message on RIF or VR overflow. Now on overflow of either resource the user gets an informative message as opposed to failing with EBUSY. Signed-off-by:
-
David Ahern authored
Add support for inetaddr_validator and inet6addr_validator. The notifiers provide a means for validating ipv4 and ipv6 addresses before the addresses are installed and on failure the error is propagated back to the user. Signed-off-by:
-
David Ahern authored
Add extack to in_validator_info and in6_validator_info. Update the one user of each, ipvlan, to return an error message for failures. Only manual configuration of an address is plumbed in the IPv6 code path. Signed-off-by:
-
David Ahern authored
inet6addr_validator chain was added by commit 3ad7d246 ("Ipvlan should return an error when an address is already in use") to allow address validation before changes are committed and to be able to fail the address change with an error back to the user. The address validation is not done for addresses received from router advertisements. Handling RAs in softirq context is the only reason for the notifier chain to be atomic versus blocking. Since the only current user, ipvlan, of the validator chain ignores softirq context, the notifier can be made blocking and simply not invoked for softirq path. The blocking option is needed by spectrum for example to validate resources for an adding an address to an interface. Signed-off-by:
-
David Ahern authored
ipv6_add_addr is called in process context with rtnl lock held (e.g., manual config of an address) or during softirq processing (e.g., autoconf and address from a router advertisement). Currently, ipv6_add_addr calls rcu_read_lock_bh shortly after entry and does not call unlock until exit, minus the call around the address validator notifier. Similarly, addrconf_hash_lock is taken after the validator notifier and held until exit. This forces the allocation of inet6_ifaddr to always be atomic. Refactor ipv6_add_addr as follows: 1. add an input boolean to discriminate the call path (process context or softirq). This new flag controls whether the alloc can be done with GFP_KERNEL or GFP_ATOMIC. 2. Move the rcu_read_lock_bh and unlock calls only around functions that do rcu updates. 3. Remove the in6_dev_hold and put added by 3ad7d246 ("Ipvlan should return an error when an address is already in use."). This was done presumably because rcu_read_unlock_bh needs to be called before calling the validator. Since rcu_read_lock is not needed before the validator runs revert the hold and put added by 3ad7d246 and only do the hold when setting ifp->idev. 4. move duplicate address check and insertion of new address in the global address hash into a helper. The helper is called after an ifa is allocated and filled in. This allows the ifa for manually configured addresses to be done with GFP_KERNEL and reduces the overall amount of time with rcu_read_lock held and hash table spinlock held. Signed-off-by:
-
David S. Miller authored
Julian Wiedmann says: ==================== s390/net: updates 2017-10-18 please apply some additional robustness fixes and cleanups for 4.15. ==================== Signed-off-by: -
Julian Wiedmann authored
A few lines down, qeth_prepare_control_data() makes further changes to the control cmd buffer, and then also writes a trace entry for it. So the first entry just pollutes the trace file with intermediate data, drop it. Signed-off-by:
Julian Wiedmann <jwi@linux.vnet.ibm.com> Reviewed-by:
Ursula Braun <ubraun@linux.vnet.ibm.com> Signed-off-by:
-
Julian Wiedmann authored
Switch to napi_complete_done(), and thus enable delayed GRO flushing. The timeout is configured via /sys/class/net/<if>/gro_flush_timeout. Default timeout is 0, so no change in behaviour. Signed-off-by:
-
Julian Wiedmann authored
Current code bails out when two subsequent buffer elements hold insufficient data to contain a qeth_hdr packet descriptor. This seems reasonable, but it would be legal for quirky hardware to leave a few elements empty and then present packets in a subsequent element. These packets would currently be dropped. So make sure to check all buffer elements, until we hit the LAST_ENTRY indication. Signed-off-by:
-
Julian Wiedmann authored
Move the allocation of SG skbs into the main path. This allows for a little code sharing, and handling ENOMEM from within one place. As side effect, L2 SG skbs now get the proper amount of additional headroom (read: zero) instead of the hard-coded ETH_HLEN. Signed-off-by:
-
Julian Wiedmann authored
Replace the open-coded skb_add_rx_frag(), and use a fall-through to remove some duplicated code. Signed-off-by:
-
Julian Wiedmann authored
Instead of silently discarding VLAN registration requests on OSM, just indicate that this card type doesn't support VLAN. Signed-off-by:
-
Julian Wiedmann authored
There's no reason why l2_set_mac_address() should ever be called for a netdevice that's not owned by qeth. It's certainly not required for VLAN devices, which have their own netdev_ops. Also: 1) we don't do such validation for any of the other netdev_ops routines. 2) the code in question clearly has never been actually exercised; it's broken. After determining that the device is not owned by qeth, it would still use dev->ml_priv to write a qeth trace entry. Remove the check, and its helper that walked the global card list. Signed-off-by:
-
Julian Wiedmann authored
1. Drop the support for Token Ring, 2. use the ETH_DATA_LEN macro for the default L2 MTU, 3. handle OSM via the default case (as OSM is L2-only), and 4. document why the L3 MTU is reduced. Signed-off-by:
-
Julian Wiedmann authored
When the allocation of the addr buffer fails, we need to free our refcount on the inetdevice before returning. Signed-off-by:
-
Andy Shevchenko authored
The sysfs enabled value is a boolean, so kstrtobool() is a better fit for parsing the input string since it does the range checking for us. Signed-off-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by:
-
Julian Wiedmann authored
With commit "s390/ccwgroup: tie a ccwgroup driver to its ccw driver", the ccwgroup core now ensures that a qeth group device only consists of ccw devices which are supported by qeth. Therefore remove qeth's internal device matching, and use .driver_info to determine the card type. Signed-off-by:
-
Allen Pais authored
Use setup_timer function instead of initializing timer with the function and data fields. Signed-off-by:
Allen Pais <allen.lkml@gmail.com> Signed-off-by:
-
Julian Wiedmann authored
When recovering a device, qeth needs to re-run the IPA commands that enable all previously active HW features. Instead of duplicating qeth_set_features(), let netdev_update_features() recover the missing HW features from dev->wanted_features. Signed-off-by:
-
Or Gerlitz authored
Currently the netdevice field is not set and the egdev instance is not functional, fix that. Fixes: 3f55bdda8df ('net: sched: introduce per-egress action device callbacks') Signed-off-by:Or Gerlitz <ogerlitz@mellanox.com> Acked-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
David S. Miller authored
Rahul Lakkireddy says: ==================== cxgb4: enable more tc flower offload matches and actions This patch series enable more matches and actions for TC Flower Offload support on Chelsio adapters. Patch 1 enables matching on IP TOS. Patch 2 enables matching on VLAN TCI. Patch 3 adds support for action PASS. Patch 4 adds support for ETH-DMAC rewrite via TC-PEDIT action. Also, adds a check to assert that vlan/eth-dmac rewrite actions are valid only in combination with action egress redirect. Patch 5 introduces SMT ops for adding/removing entries from SMAC Table in HW in preparation for patch 6. Patch 6 adds support for ETH-SMAC rewrite via TC-PEDIT action. Patch 7 introduces fw_filter2_wr to support L3/L4 header rewrites in preparation for patch 8. Patch 8 adds support for rewrite on L3/L4 header fields via TC-PEDIT action. Supported fields for rewrite are: IPv4 src/dst address, IPv6 src/dst address, TCP/UDP sport/dport. ==================== Signed-off-by: -
Kumar Sanghvi authored
Adds support to rewrite L3/L4 fields via TC-PEDIT action. Supported fields for rewrite are: IPv4 src/dst address, IPv6 src/dst address, TCP/UDP sport/dport. Also, process match fields first and then process the action items. Refactor pedit action validation to separate function to avoid excessive code indentation. Signed-off-by:
Kumar Sanghvi <kumaras@chelsio.com> Signed-off-by:
Rahul Lakkireddy <rahul.lakkireddy@chelsio.com> Signed-off-by:
Ganesh Goudar <ganeshgr@chelsio.com> Signed-off-by:
-
Kumar Sanghvi authored
Update driver to use new fw_filter2_wr in order to support rewrite of L3/L4 header fields via filters. Query FW_PARAMS_PARAM_DEV_FILTER2_WR to check whether FW supports this new wr. Signed-off-by:
-
Kumar Sanghvi authored
Adds support for ETH-SMAC rewrite via TC-PEDIT action. Signed-off-by:
-
Kumar Sanghvi authored
Introduce SMT operations for allocating/removing entries from SMAC table. Make TCAM filters use the SMT ops whenever SMAC rewrite is required. Signed-off-by:
-
Kumar Sanghvi authored
Add support for ETH-DMAC Rewrite via TC-PEDIT action. Also, add check to assert that vlan/eth-dmac rewrite actions are valid only in combination with action egress redirect. Signed-off-by:
-
Kumar Sanghvi authored
Add support for tc flower action PASS. Signed-off-by:
-
Kumar Sanghvi authored
Add support for matching on vlan tci. Construct vlan tci match param based on vlan-id and vlan-pcp values supplied by tc. Signed-off-by:
-
Kumar Sanghvi authored
Add support for matching on IP TOS. Also check on ethtype value to be either IPv4 or IPv6. Signed-off-by:
-
David Ahern authored
386fd5da ("tcp: Check daddr_cache before use in tracepoint") was the second version of the tracepoint fixup patch. This patch is the delta between v2 and v3. Specifically, remove the use of inet6_sk and check sk_family as requested by Eric and add IS_ENABLED(CONFIG_IPV6) around the use of sk_v6_rcv_saddr and sk_v6_daddr as done in sock_common (noted by Cong). Signed-off-by:
Song Liu <songliubraving@fb.com> Signed-off-by:
-
Donald Sharp authored
Two things: 1) Update examples to show usage of metric 2) Discuss reasoning for using such a high metric. Signed-off-by:
Donald Sharp <sharpd@cumulusnetworks.com> Acked-by:
David Ahern <dsa@cumulusnetworks.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fsDavid S. Miller authored
David Howells says: ==================== rxrpc: Add bits for kernel services Here are some patches that add a few things for kernel services to use: (1) Allow service upgrade to be requested and allow the resultant actual service ID to be obtained. (2) Allow the RTT time of a call to be obtained. (3) Allow a kernel service to find out if a call is still alive on a server between transmitting a request and getting the reply. (4) Allow data transmission to ignore signals if transmission progress is being made in reasonable time. This is also usable by userspace by passing MSG_WAITALL to sendmsg()[*]. [*] I'm not sure this is the right interface for this or whether a sockopt should be used instead. ==================== Signed-off-by: -
David S. Miller authored
Merge tag 'wireless-drivers-next-for-davem-2017-10-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next Kalle Valo says: ==================== wireless-drivers-next patches for 4.15 The first pull request for 4.15, unusually late this time but still relatively small. Also includes merge from wireless-drivers to fix conflicts in iwlwifi. Major changes: rsi * add P2P mode support * sdio suspend and resume support iwlwifi * A fix and an addition for PCI devices for the A000 family * Dump PCI registers when an error occurs, to make it easier to debug rtlwifi * add support for 64 bit DMA, enabled with a module parameter * add module parameter to enable ASPM ==================== Signed-off-by:
-
