Currenlty nf_tables chains added in one network namespace are being
run in all network namespace. The issues are myriad with the simplest
being an unprivileged user can cause any network packets to be dropped.
Address this by simply not running nf_tables chains in the wrong
network namespace.
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Macvtap should be compatible with tuntap for
maximum number of queues.
commit 'baf71c5c1f80d82e92924050a60b5baaf97e3094 (tuntap:
Increase the number of queues in tun.)' removes
the limitations and increases number of queues in tuntap.
Now, Its safe to increase number of queues in Macvtap as well.
This patch also modifies 'macvtap_del_queues' function
to avoid extra memory allocation in stack.
Changes from v1->v2 :
Michael S. Tsirkin, Jason Wang :
Better way to use linked list to
avoid use of extra memory in stack.
Sergei Shtylyov : Specify dependent commit's summary.
Signed-off-by: Pankaj Gupta <pagupta@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When STP is running in user-space and querier is configured, the
querier timer is not started when a port goes to a non-blocking state.
This patch unifies the user- and kernel-space stp multicast port enable
path and enables it in all states different from blocking. Note that when a
port goes in BR_STATE_DISABLED it's not enabled because that is handled
in the beginning of the port list loop.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
This one only contains a one liner fix for a typo that I
introduced while cleaning some of the nfcmrvl patches that
were part of the 1st 4.2 pull request.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJVf7/qAAoJEIqAPN1PVmxK7u8P/A0n382vS1+Z0AYMVCMfsdAA
UuZW6wVot+iMECr+jAD2sVyikZqEKtQHFylgOQppFm/+VAjmW87tuYkOeQkZcqR/
uEDpQlo3jAO4qc+MgtRdU0gneBSgb9fkGTVSUe5fXkNyS9TpiP0bHrumPn1Gm74c
D6J/DTW0YpfhvM0iW90Kn/lpV5QWjvo+DjnDiv+Hnv6oZRMD2tfFanLMoJZxV6LJ
HxfOOTUciNvYN8tFU9eJUj2aFjBH1exrYbHtUAsuQLzrRxOSv9iyixB3JcQP8FMz
9+Lt9XOTMWF4Rvc9NMMme7xH1Uh73JHRw2x0GWg36vVCEdF8Ygu2rftMo+0P9dS1
aXW++t/zcFWK4WXAR/laaQ6hbCbbiBX7KapKgXviiWnyL3mAiV6RBetPyIIWIXue
5biV6Op0KPT4O5QvXcOhcZGEzKF4Rahgh1P251thP/PTJ299wmWLDNSfr2P8WULU
4nHysFO/6LXtZ05QnoxqRVYY38jQDXQ47EktVPvJOkaZDZXqDqqmUu87quxVtxEh
mZNqqsaqQeIQfx642MuhQA99rppSEy0ExKuOaXc3esMLT5C/GVDmedEzQ5fsMgVH
uaBSIV8rMY8U/pImw/ZtXKBTXlIphQ14Njwt5ErzQstEd+XDxZikzD2iJwvsvtJ/
EbgTJ1ZRaEuT3h5vDEp6
=4H3o
-----END PGP SIGNATURE-----
Merge tag 'nfc-next-4.2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-next
NFC 4.2 2nd pull request
This one only contains a one liner fix for a typo that I
introduced while cleaning some of the nfcmrvl patches that
were part of the 1st 4.2 pull request.
Johan Hedberg says:
====================
pull request: bluetooth-next 2015-06-18
Here's the final bluetooth-next pull request for 4.2.
- Cleanups & fixes to 802.15.4 code and related drivers
- Fix btusb driver memory leak
- New USB IDs for Atheros controllers
- Support for BCM4324B3 UART based Broadcom controller
- Fix for Bluetooth encryption key size handling
- Broadcom controller initialization fixes
- Support for Intel controller DDC parameters
- Support for multiple Bluetooth LE advertising instances
- Fix for HCI user channel cleanup path
Please let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Actor and Partner details can be accessed via proc-fs, sys-fs
entries or netlink interface. These interfaces are world readable
at this moment. The earlier patch-series made the LACP communication
secure to avoid nuisance attack from within the same L2 domain but
it did not prevent "someone unprivileged" looking at that information
on host and perform the same act.
This patch essentially avoids spitting those entries if the user
in question does not have enough privileges.
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Signed-off-by: Andy Gospodarek <gospo@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Ferre says:
====================
net/macb: add sama5d2 support
This series is basically the support for another flavor of the GEM IP
configuration. It ended up being a series because of some little fixes made to
the binding documentation before adding the new compatibility string.
Bye,
v2: - fix bindings
- add sama5d2 compatibility string to the binding documentation
====================
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add the compatible string for Atmel sama5d2 SoC family as the configuration
options differ from other instances of the GEM.
Signed-off-by: Cyrille Pitchen <cyrille.pitchen@atmel.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add sama5d2 to the biding documentation for this use of the GEM IP.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
On sama5d4, we only have a GEM IP that is configured to do 10/100 Mbits. So the
use of "Gigabit" can be confusing.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In the driver and the DT bindings we use the "atmel" prefix. Fix it in the
binding documentation.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
inet_diag_dump_reqs() is called from inet_diag_dump_icsk() with BH
disabled. So no need to disable BH in inet_diag_dump_reqs().
Signed-off-by: Hiroaki Shimoda <shimoda.hiroaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
RTL8211F has different register definitions from RTL8211E.
Specially it needs to enable TXDLY in case of RGMII.
Signed-off-by: Shengzhou Liu <Shengzhou.Liu@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
mwifiex:
* enhancements for AP mode: support verbose information in station
dump command and also information about AP link.
* enable power save by default
brcmfmac:
* fix module reload issue for PCIe
* improving msgbuf protocol for PCIe devices
* rework .get_station() cfg80211 callback operation
* determine interface combinations upon device feature support
ath9k:
* ath9k_htc: add support of channel switch
wil6210:
* add modparam for bcast ring size
* support hidden SSID
* add per-MCS Rx stats
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQEcBAABAgAGBQJVglpWAAoJEG4XJFUm622bkT0H+QE/T3i44l6SEAxHEgW6Z2JP
MsAVHFV8q2jPCGfg4oCozk3fo2WPdBKwhUy7xzAg/LfxuTn0CtIzl+KuEnhsBBsx
+cNBFgBzIvHaMwfb/vxmuLK7zUROtDgOK7Kt4HF9p/Mn/JH8yTCrRy96hpnVKnuQ
h6HFO8Qx0l0pd6lbosaSPvjM8qBPy3ZfvriEHV3BTV+AXgSPWwnFkY188G2CNK5J
yYK0C2PkEX368m/qpmcbhlYrn3ZiJviiWhFmQZMW8eXe0k/pfBidXt6QGmKA7loT
p09skJk+qQtZjK4p2Hzy/3KOLU7YGFVHzww5gXqrZSxhluyhEdbOVLvKfB5jR68=
=3lke
-----END PGP SIGNATURE-----
Merge tag 'wireless-drivers-next-for-davem-2015-06-18' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
Kalle Valo says:
====================
Major changes:
mwifiex:
* enhancements for AP mode: support verbose information in station
dump command and also information about AP link.
* enable power save by default
brcmfmac:
* fix module reload issue for PCIe
* improving msgbuf protocol for PCIe devices
* rework .get_station() cfg80211 callback operation
* determine interface combinations upon device feature support
ath9k:
* ath9k_htc: add support of channel switch
wil6210:
* add modparam for bcast ring size
* support hidden SSID
* add per-MCS Rx stats
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Remove the filter_dev check when dumping fdb entries, otherwise dump
returns empty list. filter_dev is always passed as NULL when dumping fdbs
on SELF. We want the fdbs installed on the device to be listed in the
dump.
Signed-off-by: Scott Feldman <sfeldma@gmail.com>
Fixes: 45d4122c ("switchdev: add support for fdb add/del/dump via switchdev_port_obj ops")
Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ivan Vecera says:
====================
bna: clean-up 2
Next round of cleaning patches.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
BIT value is already unsigned so casting is not necessary.
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds NLM_F_APPEND flag to struct nlmsg_hdr->nlmsg_flags
in newroute notifications if the route add was an append.
(This is similar to how NLM_F_REPLACE is already part of new
route replace notifications today)
This helps userspace determine if the route add operation was
an append.
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Acked-by: Scott Feldman <sfeldma@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch adds getsockopt(SOL_NETLINK, NETLINK_LIST_MEMBERSHIPS) to
retrieve all groups a socket is a member of. Currently, we have to use
getsockname() and look at the nl.nl_groups bitmask. However, this mask is
limited to 32 groups. Hence, similar to NETLINK_ADD_MEMBERSHIP and
NETLINK_DROP_MEMBERSHIP, this adds a separate sockopt to manager higher
groups IDs than 32.
This new NETLINK_LIST_MEMBERSHIPS option takes a pointer to __u32 and the
size of the array. The array is filled with the full membership-set of the
socket, and the required array size is returned in optlen. Hence,
user-space can retry with a properly sized array in case it was too small.
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When an inet_sock is destroyed, its source port (sk_num) is set to
zero as part of the unhash procedure. In order to supply a source
port as part of the NETLINK_SOCK_DIAG socket destruction broadcasts,
the source port number must be read from inet_sport instead.
Tested: ss -E
Signed-off-by: Craig Gallek <kraig@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
USE_OF is used as intermediate Kconfig option by few
arch's (ARM, MIPS, Xtensa).
Replace instances of USE_OF outside of arch folders
with proper OF_???.
Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Struct inet_proto no longer exists, so update the
comment which is out of date.
Signed-off-by: Zhaowei Yuan <zhaowei.yuan@samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Following patch contains changes in liquidio Kconfig for
selecting LIBCRC32C.
Signed-off-by: Derek Chickles <derek.chickles@caviumnetworks.com>
Signed-off-by: Satanand Burla <satananda.burla@caviumnetworks.com>
Signed-off-by: Felix Manlunas <felix.manlunas@caviumnetworks.com>
Signed-off-by: Raghu Vatsavayi <raghu.vatsavayi@caviumnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
There's no reason to perform a buffer copy for the firmware name. This
also avoids a (currently impossible with current callers) NULL dereference
if there was no matching firmware.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
The control !hlist_unhashed() in qfq_destroy_agg() is unnecessary
because already performed in hlist_del_init(), so remove it.
Signed-off-by: Andrea Parri <parri.andrea@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Append 0x to all %x in order to avoid while reading when there is other
decimal value in the log.
Also replace some of the hexadecimal print to decimal to uniformize the
format with netfront.
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Cc: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: netdev@vger.kernel.org
Acked-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The variables old_req_cons and ring_slots_used are assigned but never
used since commit 1650d5455b "xen-netback:
always fully coalesce guest Rx packets".
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Cc: Ian Campbell <ian.campbell@citrix.com>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
rx->status is an int16_t, print it using %d rather than %u in order to
have a meaningful value when the field is negative.
Also use %u rather than %x for rx->offset.
Signed-off-by: Julien Grall <julien.grall@citrix.com>
Reviewed-by: David Vrabel <david.vrabel@citrix.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch also renames sg to sglist and aligns function parameters.
See Documentation/DMA-API.txt - Part Id for scatterlist details
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Destruction of the po->rollover must be delayed until there are no
more packets in flight that can access it. The field is destroyed in
packet_release, before synchronize_net. Delay using rcu.
Fixes: 0648ab70af ("packet: rollover prepare: per-socket state")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains a final Netfilter pull request for net-next
4.2. This mostly addresses some fallout from the previous pull request, small
netns updates and a couple of new features for nfnetlink_log and the socket
match that didn't get in time for the previous pull request. More specifically
they are:
1) Add security context information to nfnetlink_queue, from Roman Kubiak.
2) Add support to restore the sk_mark into skb->mark through xt_socket,
from Harout Hedeshian.
3) Force alignment of 16 bytes of per cpu xt_counters, from Eric Dumazet.
4) Rename br_netfilter.c to br_netfilter_hooks.c to prepare split of IPv6 code
into a separated file.
5) Move the IPv6 code in br_netfilter into a separated file.
6) Remove unused RCV_SKB_FAIL() in nfnetlink_queue and nfetlink_log, from Eric
Biederman.
7) Two liner to simplify netns logic in em_ipset_match().
8) Add missing includes to net/net_namespace.h to avoid compilation problems
that result from not including linux/netfilter.h in netns headers.
9) Use a forward declaration instead of including linux/proc_fs.h from
netns/netfilter.h
10) Add a new linux/netfilter_defs.h to replace the linux/netfilter.h inclusion
in netns headers.
11) Remove spurious netfilter.h file included in the net tree, also from Eric
Biederman.
12) Fix x_tables compilation warnings on 32 bits platforms that resulted from
recent changes in x_tables counters, from Florian Westphal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
On 32bit archs gcc complains due to cast from void* to u64.
Add intermediate casts to long to silence these warnings.
include/linux/netfilter/x_tables.h:376:10: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
include/linux/netfilter/x_tables.h:384:15: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
include/linux/netfilter/x_tables.h:391:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
include/linux/netfilter/x_tables.h:400:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
Fixes: 71ae0dff02 ("netfilter: xtables: use percpu rule counters")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
While testing my netfilter changes I noticed several files where
recompiling unncessarily because they unncessarily included
netfilter.h.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This pulls the full hook netfilter definitions from all those that include
net_namespace.h.
Instead let's just include the bare minimum required in the new
linux/netfilter_defs.h file, and use it from the netfilter netns header files.
I also needed to include in.h and in6.h from linux/netfilter.h otherwise we hit
this compilation error:
In file included from include/linux/netfilter_defs.h:4:0,
from include/net/netns/netfilter.h:4,
from include/net/net_namespace.h:22,
from include/linux/netdevice.h:43,
from net/netfilter/nfnetlink_queue_core.c:23:
include/uapi/linux/netfilter.h:76:17: error: field ‘in’ has incomplete type struct in_addr in;
And also explicit include linux/netfilter.h in several spots.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
We don't need to pull the full definitions in that file, a simple forward
declaration is enough.
Moreover, include linux/procfs.h from nf_synproxy_core, otherwise this hits a
compilation error due to missing declarations, ie.
net/netfilter/nf_synproxy_core.c: In function ‘synproxy_proc_init’:
net/netfilter/nf_synproxy_core.c:326:2: error: implicit declaration of function ‘proc_create’ [-Werror=implicit-function-declaration]
if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Include linux/idr.h and linux/skbuff.h since they are required by objects that
are declared in the net structure.
struct net {
...
struct idr netns_ids;
...
struct sk_buff_head wext_nlevents;
...
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
em->net is always set and always available, use it in preference
to dev_net(skb->dev).
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This appears to have been a dead macro in both nfnetlink_log.c and
nfnetlink_queue_core.c since these pieces of code were added in 2005.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Resolve compilation breakage when CONFIG_IPV6 is not set by moving the IPv6
code into a separated br_netfilter_ipv6.c file.
Fixes: efb6de9b4b ("netfilter: bridge: forward IPv6 fragmented packets")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Rework the logic of checking for a valid adv_instance for non-zero
cp->instance values. Without this change we may get (false positive)
warnings as follows:
>> net/bluetooth/mgmt.c:7294:29: warning: 'adv_instance' may be used
uninitialized in this function [-Wuninitialized]
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Use zallog for adv_instance allocation instead of kmalloc + memset.
This also fixes the following coccinelle warning:
>> net/bluetooth/hci_core.c:2693:17-24: WARNING: kzalloc should be
used for adv_instance, instead of kmalloc/memset
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch increments the management interface revision due to
introduction of new multi-advertising feature and various bug fixes.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Now that all preconditions are present for actual multi-advertising, the
number of allowed advertising instances can be larger than one. This
patch increases the number of allowed advertising instances to 5.
Signed-off-by: Florian Grandel <fgrandel@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>