1. 03 Jun, 2018 6 commits
  2. 02 Jun, 2018 9 commits
  3. 30 May, 2018 7 commits
  4. 29 May, 2018 4 commits
  5. 28 May, 2018 10 commits
    • Daniel Borkmann's avatar
      Merge branch 'bpf-sendmsg-hook' · f198222f
      Daniel Borkmann authored
      Andrey Ignatov says:
      
      ====================
      v3 -> v4:
      * handle static key correctly for CONFIG_CGROUP_BPF=n.
      
      v2 -> v3:
      * place BPF logic under static key in udp_sendmsg, udpv6_sendmsg;
      * rebase.
      
      v1 -> v2:
      * return ENOTSUPP if bpf_prog rewrote IPv6-only with IPv4-mapped IPv6;
      * add test for IPv4-mapped IPv6 use-case;
      * fix build for CONFIG_CGROUP_BPF=n;
      * rebase.
      
      This path set adds BPF hooks for sys_sendmsg similar to existing hooks for
      sys_bind and sys_connect.
      
      Hooks allow to override source IP (including the case when it's set via
      cmsg(3)) and destination IP:port for unconnected UDP (slow path). TCP and
      connected UDP (fast path) are not affected. This makes UDP support
      complete: connected UDP is handled by sys_connect hooks, unconnected by
      sys_sendmsg ones.
      
      Similar to sys_connect hooks, sys_sendmsg ones can be used to make system
      calls such as sendmsg(2) and sendto(2) return EPERM.
      
      Please see patch 0002 for more details.
      ====================
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      f198222f
    • Andrey Ignatov's avatar
      selftests/bpf: Selftest for sys_sendmsg hooks · 04b6ab73
      Andrey Ignatov authored
      Add selftest for BPF_CGROUP_UDP4_SENDMSG and BPF_CGROUP_UDP6_SENDMSG
      attach types.
      
      Try to sendmsg(2) to specific IP:port and test that:
      * source IP is overridden as expected.
      * remote IP:port pair is overridden as expected;
      
      Both UDPv4 and UDPv6 are tested.
      
      Output:
        # test_sock_addr.sh 2>/dev/null
        Wait for testing IPv4/IPv6 to become available ... OK
        ... pre-existing test-cases skipped ...
        Test case: sendmsg4: load prog with wrong expected attach type .. [PASS]
        Test case: sendmsg4: attach prog with wrong attach type .. [PASS]
        Test case: sendmsg4: rewrite IP & port (asm) .. [PASS]
        Test case: sendmsg4: rewrite IP & port (C) .. [PASS]
        Test case: sendmsg4: deny call .. [PASS]
        Test case: sendmsg6: load prog with wrong expected attach type .. [PASS]
        Test case: sendmsg6: attach prog with wrong attach type .. [PASS]
        Test case: sendmsg6: rewrite IP & port (asm) .. [PASS]
        Test case: sendmsg6: rewrite IP & port (C) .. [PASS]
        Test case: sendmsg6: IPv4-mapped IPv6 .. [PASS]
        Test case: sendmsg6: deny call .. [PASS]
        Summary: 27 PASSED, 0 FAILED
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      04b6ab73
    • Andrey Ignatov's avatar
      selftests/bpf: Prepare test_sock_addr for extension · 9be71aa6
      Andrey Ignatov authored
      test_sock_addr was not easy to extend since it was focused on sys_bind
      and sys_connect quite a bit.
      
      Reorganized it so that it'll be easier to cover new test-cases for
      `BPF_PROG_TYPE_CGROUP_SOCK_ADDR`:
      
      - decouple test-cases so that only one BPF prog is tested at a time;
      
      - check programmatically that local IP:port for sys_bind, source IP and
        destination IP:port for sys_connect are rewritten property by tested
        BPF programs.
      
      The output of new version:
        # test_sock_addr.sh 2>/dev/null
        Wait for testing IPv4/IPv6 to become available ... OK
        Test case: bind4: load prog with wrong expected attach type .. [PASS]
        Test case: bind4: attach prog with wrong attach type .. [PASS]
        Test case: bind4: rewrite IP & TCP port in .. [PASS]
        Test case: bind4: rewrite IP & UDP port in .. [PASS]
        Test case: bind6: load prog with wrong expected attach type .. [PASS]
        Test case: bind6: attach prog with wrong attach type .. [PASS]
        Test case: bind6: rewrite IP & TCP port in .. [PASS]
        Test case: bind6: rewrite IP & UDP port in .. [PASS]
        Test case: connect4: load prog with wrong expected attach type .. [PASS]
        Test case: connect4: attach prog with wrong attach type .. [PASS]
        Test case: connect4: rewrite IP & TCP port .. [PASS]
        Test case: connect4: rewrite IP & UDP port .. [PASS]
        Test case: connect6: load prog with wrong expected attach type .. [PASS]
        Test case: connect6: attach prog with wrong attach type .. [PASS]
        Test case: connect6: rewrite IP & TCP port .. [PASS]
        Test case: connect6: rewrite IP & UDP port .. [PASS]
        Summary: 16 PASSED, 0 FAILED
      
      (stderr contains errors from libbpf when testing load/attach with
      invalid arguments)
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      9be71aa6
    • Andrey Ignatov's avatar
      libbpf: Support guessing sendmsg{4,6} progs · 72481f39
      Andrey Ignatov authored
      libbpf can guess prog type and expected attach type based on section
      name. Add hints for "cgroup/sendmsg4" and "cgroup/sendmsg6" section
      names.
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      72481f39
    • Andrey Ignatov's avatar
      bpf: Sync bpf.h to tools/ · 3024cf82
      Andrey Ignatov authored
      Sync new `BPF_CGROUP_UDP4_SENDMSG` and `BPF_CGROUP_UDP6_SENDMSG`
      attach types to tools/.
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      3024cf82
    • Andrey Ignatov's avatar
      bpf: Hooks for sys_sendmsg · 1cedee13
      Andrey Ignatov authored
      In addition to already existing BPF hooks for sys_bind and sys_connect,
      the patch provides new hooks for sys_sendmsg.
      
      It leverages existing BPF program type `BPF_PROG_TYPE_CGROUP_SOCK_ADDR`
      that provides access to socket itlself (properties like family, type,
      protocol) and user-passed `struct sockaddr *` so that BPF program can
      override destination IP and port for system calls such as sendto(2) or
      sendmsg(2) and/or assign source IP to the socket.
      
      The hooks are implemented as two new attach types:
      `BPF_CGROUP_UDP4_SENDMSG` and `BPF_CGROUP_UDP6_SENDMSG` for UDPv4 and
      UDPv6 correspondingly.
      
      UDPv4 and UDPv6 separate attach types for same reason as sys_bind and
      sys_connect hooks, i.e. to prevent reading from / writing to e.g.
      user_ip6 fields when user passes sockaddr_in since it'd be out-of-bound.
      
      The difference with already existing hooks is sys_sendmsg are
      implemented only for unconnected UDP.
      
      For TCP it doesn't make sense to change user-provided `struct sockaddr *`
      at sendto(2)/sendmsg(2) time since socket either was already connected
      and has source/destination set or wasn't connected and call to
      sendto(2)/sendmsg(2) would lead to ENOTCONN anyway.
      
      Connected UDP is already handled by sys_connect hooks that can override
      source/destination at connect time and use fast-path later, i.e. these
      hooks don't affect UDP fast-path.
      
      Rewriting source IP is implemented differently than that in sys_connect
      hooks. When sys_sendmsg is used with unconnected UDP it doesn't work to
      just bind socket to desired local IP address since source IP can be set
      on per-packet basis by using ancillary data (cmsg(3)). So no matter if
      socket is bound or not, source IP has to be rewritten on every call to
      sys_sendmsg.
      
      To do so two new fields are added to UAPI `struct bpf_sock_addr`;
      * `msg_src_ip4` to set source IPv4 for UDPv4;
      * `msg_src_ip6` to set source IPv6 for UDPv6.
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      1cedee13
    • Andrey Ignatov's avatar
      bpf: Define cgroup_bpf_enabled for CONFIG_CGROUP_BPF=n · 13193b0f
      Andrey Ignatov authored
      Static key is used to enable/disable cgroup-bpf related code paths at
      run time.
      
      Though it's not defined when cgroup-bpf is disabled at compile time,
      i.e. CONFIG_CGROUP_BPF=n, and if some code wants to use it, it has to do
      this:
      
      	#ifdef CONFIG_CGROUP_BPF
      		if (cgroup_bpf_enabled) {
      			/* ... some work ... */
      		}
      	#endif
      
      This code can be simplified by setting cgroup_bpf_enabled to 0 for
      CONFIG_CGROUP_BPF=n case:
      
      	if (cgroup_bpf_enabled) {
      		/* ... some work ... */
      	}
      
      And it aligns well with existing BPF_CGROUP_RUN_PROG_* macros that
      defined for both states of CONFIG_CGROUP_BPF.
      Signed-off-by: default avatarAndrey Ignatov <rdna@fb.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      13193b0f
    • Mathieu Xhonneux's avatar
      selftests/bpf: missing headers test_lwt_seg6local · 3b296633
      Mathieu Xhonneux authored
      Previous patch "selftests/bpf: test for seg6local End.BPF action" lacks
      some UAPI headers in tools/.
      
      clang -I. -I./include/uapi -I../../../include/uapi -idirafter
      /usr/local/include -idirafter
      /data/users/yhs/work/llvm/build/install/lib/clang/7.0.0/include
      -idirafter /usr/include -Wno-compare-distinct-pointer-types \
               -O2 -target bpf -emit-llvm -c test_lwt_seg6local.c -o - |      \
      llc -march=bpf -mcpu=generic  -filetype=obj -o
      [...]/net-next/tools/testing/selftests/bpf/test_lwt_seg6local.o
      test_lwt_seg6local.c:4:10: fatal error: 'linux/seg6_local.h' file not found
               ^~~~~~~~~~~~~~~~~~~~
      1 error generated.
      make: Leaving directory
      `/data/users/yhs/work/net-next/tools/testing/selftests/bpf'
      
      v2: moving the headers to tools/include/uapi/.
      Reported-by: default avatarY Song <ys114321@gmail.com>
      Signed-off-by: default avatarMathieu Xhonneux <m.xhonneux@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      3b296633
    • Arnd Bergmann's avatar
      bpf: avoid -Wmaybe-uninitialized warning · dc3b8ae9
      Arnd Bergmann authored
      The stack_map_get_build_id_offset() function is too long for gcc to track
      whether 'work' may or may not be initialized at the end of it, leading
      to a false-positive warning:
      
      kernel/bpf/stackmap.c: In function 'stack_map_get_build_id_offset':
      kernel/bpf/stackmap.c:334:13: error: 'work' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      This removes the 'in_nmi_ctx' flag and uses the state of that variable
      itself to see if it got initialized.
      
      Fixes: bae77c5e ("bpf: enable stackmap with build_id in nmi context")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      dc3b8ae9
    • Arnd Bergmann's avatar
      bpf: btf: avoid -Wreturn-type warning · 53c8036c
      Arnd Bergmann authored
      gcc warns about a noreturn function possibly returning in
      some configurations:
      
      kernel/bpf/btf.c: In function 'env_type_is_resolve_sink':
      kernel/bpf/btf.c:729:1: error: control reaches end of non-void function [-Werror=return-type]
      
      Using BUG() instead of BUG_ON() avoids that warning and otherwise
      does the exact same thing.
      
      Fixes: eb3f595d ("bpf: btf: Validate type reference")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      53c8036c
  6. 27 May, 2018 1 commit
  7. 26 May, 2018 3 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 5b79c2af
      David S. Miller authored
      Lots of easy overlapping changes in the confict
      resolutions here.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b79c2af
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · bc2dbc54
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "16 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        kasan: fix memory hotplug during boot
        kasan: free allocated shadow memory on MEM_CANCEL_ONLINE
        checkpatch: fix macro argument precedence test
        init/main.c: include <linux/mem_encrypt.h>
        kernel/sys.c: fix potential Spectre v1 issue
        mm/memory_hotplug: fix leftover use of struct page during hotplug
        proc: fix smaps and meminfo alignment
        mm: do not warn on offline nodes unless the specific node is explicitly requested
        mm, memory_hotplug: make has_unmovable_pages more robust
        mm/kasan: don't vfree() nonexistent vm_area
        MAINTAINERS: change hugetlbfs maintainer and update files
        ipc/shm: fix shmat() nil address after round-down when remapping
        Revert "ipc/shm: Fix shmat mmap nil-page protection"
        idr: fix invalid ptr dereference on item delete
        ocfs2: revert "ocfs2/o2hb: check len for bio_add_page() to avoid getting incorrect bio"
        mm: fix nr_rotate_swap leak in swapon() error case
      bc2dbc54
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 03250e10
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Let's begin the holiday weekend with some networking fixes:
      
         1) Whoops need to restrict cfg80211 wiphy names even more to 64
            bytes. From Eric Biggers.
      
         2) Fix flags being ignored when using kernel_connect() with SCTP,
            from Xin Long.
      
         3) Use after free in DCCP, from Alexey Kodanev.
      
         4) Need to check rhltable_init() return value in ipmr code, from Eric
            Dumazet.
      
         5) XDP handling fixes in virtio_net from Jason Wang.
      
         6) Missing RTA_TABLE in rtm_ipv4_policy[], from Roopa Prabhu.
      
         7) Need to use IRQ disabling spinlocks in mlx4_qp_lookup(), from Jack
            Morgenstein.
      
         8) Prevent out-of-bounds speculation using indexes in BPF, from
            Daniel Borkmann.
      
         9) Fix regression added by AF_PACKET link layer cure, from Willem de
            Bruijn.
      
        10) Correct ENIC dma mask, from Govindarajulu Varadarajan.
      
        11) Missing config options for PMTU tests, from Stefano Brivio"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (48 commits)
        ibmvnic: Fix partial success login retries
        selftests/net: Add missing config options for PMTU tests
        mlx4_core: allocate ICM memory in page size chunks
        enic: set DMA mask to 47 bit
        ppp: remove the PPPIOCDETACH ioctl
        ipv4: remove warning in ip_recv_error
        net : sched: cls_api: deal with egdev path only if needed
        vhost: synchronize IOTLB message with dev cleanup
        packet: fix reserve calculation
        net/mlx5: IPSec, Fix a race between concurrent sandbox QP commands
        net/mlx5e: When RXFCS is set, add FCS data into checksum calculation
        bpf: properly enforce index mask to prevent out-of-bounds speculation
        net/mlx4: Fix irq-unsafe spinlock usage
        net: phy: broadcom: Fix bcm_write_exp()
        net: phy: broadcom: Fix auxiliary control register reads
        net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy
        net/mlx4: fix spelling mistake: "Inrerface" -> "Interface" and rephrase message
        ibmvnic: Only do H_EOI for mobility events
        tuntap: correctly set SOCKWQ_ASYNC_NOSPACE
        virtio-net: fix leaking page for gso packet during mergeable XDP
        ...
      03250e10