1. 04 Feb, 2016 35 commits
  2. 01 Feb, 2016 2 commits
  3. 27 Jan, 2016 3 commits
    • Eric Dumazet's avatar
      ipv6: update skb->csum when CE mark is propagated · ade60294
      Eric Dumazet authored
      [ Upstream commit 34ae6a1a ]
      
      When a tunnel decapsulates the outer header, it has to comply
      with RFC 6080 and eventually propagate CE mark into inner header.
      
      It turns out IP6_ECN_set_ce() does not correctly update skb->csum
      for CHECKSUM_COMPLETE packets, triggering infamous "hw csum failure"
      messages and stack traces.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      ade60294
    • Nicolas Dichtel's avatar
      vxlan: fix test which detect duplicate vxlan iface · 50070cf8
      Nicolas Dichtel authored
      [ Upstream commit 07b9b37c ]
      
      When a vxlan interface is created, the driver checks that there is not
      another vxlan interface with the same properties. To do this, it checks
      the existing vxlan udp socket. Since commit 1c51a915, the creation of
      the vxlan socket is done only when the interface is set up, thus it breaks
      that test.
      
      Example:
      $ ip l a vxlan10 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip l a vxlan11 type vxlan id 10 group 239.0.0.10 dev eth0 dstport 0
      $ ip -br l | grep vxlan
      vxlan10          DOWN           f2:55:1c:6a:fb:00 <BROADCAST,MULTICAST>
      vxlan11          DOWN           7a:cb:b9:38:59:0d <BROADCAST,MULTICAST>
      
      Instead of checking sockets, let's loop over the vxlan iface list.
      
      Fixes: 1c51a915 ("vxlan: fix race caused by dropping rtnl_unlock")
      Reported-by: default avatarThomas Faivre <thomas.faivre@6wind.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      50070cf8
    • Dan Streetman's avatar
      xfrm: dst_entries_init() per-net dst_ops · 69456a68
      Dan Streetman authored
      [ Upstream commit a8a572a6 ]
      
      Remove the dst_entries_init/destroy calls for xfrm4 and xfrm6 dst_ops
      templates; their dst_entries counters will never be used.  Move the
      xfrm dst_ops initialization from the common xfrm/xfrm_policy.c to
      xfrm4/xfrm4_policy.c and xfrm6/xfrm6_policy.c, and call dst_entries_init
      and dst_entries_destroy for each net namespace.
      
      The ipv4 and ipv6 xfrms each create dst_ops template, and perform
      dst_entries_init on the templates.  The template values are copied to each
      net namespace's xfrm.xfrm*_dst_ops.  The problem there is the dst_ops
      pcpuc_entries field is a percpu counter and cannot be used correctly by
      simply copying it to another object.
      
      The result of this is a very subtle bug; changes to the dst entries
      counter from one net namespace may sometimes get applied to a different
      net namespace dst entries counter.  This is because of how the percpu
      counter works; it has a main count field as well as a pointer to the
      percpu variables.  Each net namespace maintains its own main count
      variable, but all point to one set of percpu variables.  When any net
      namespace happens to change one of the percpu variables to outside its
      small batch range, its count is moved to the net namespace's main count
      variable.  So with multiple net namespaces operating concurrently, the
      dst_ops entries counter can stray from the actual value that it should
      be; if counts are consistently moved from one net namespace to another
      (which my testing showed is likely), then one net namespace winds up
      with a negative dst_ops count while another winds up with a continually
      increasing count, eventually reaching its gc_thresh limit, which causes
      all new traffic on the net namespace to fail with -ENOBUFS.
      Signed-off-by: default avatarDan Streetman <dan.streetman@canonical.com>
      Signed-off-by: default avatarDan Streetman <ddstreet@ieee.org>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
      69456a68