1. 18 Feb, 2016 2 commits
  2. 16 Feb, 2016 1 commit
  3. 11 Feb, 2016 1 commit
    • openvswitch: allow management from inside user namespaces · 4a92602a
      Tycho Andersen authored
      Operations with the GENL_ADMIN_PERM flag fail permissions checks because
      this flag means we call netlink_capable, which uses the init user ns.
      
      Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations
      which should be allowed inside a user namespace.
      
      The motivation for this is to be able to run openvswitch in unprivileged
      containers. I've tested this and it seems to work, but I really have no
      idea about the security consequences of this patch, so thoughts would be
      much appreciated.
      
      v2: use the GENL_UNS_ADMIN_PERM flag instead of a check in each function
      v3: use separate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one
          massive one
      Reported-by: James Page <james.page@canonical.com>
      Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
      CC: Eric Biederman <ebiederm@xmission.com>
      CC: Pravin Shelar <pshelar@ovn.org>
      CC: Justin Pettit <jpettit@nicira.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Acked-by: Pravin B Shelar <pshelar@ovn.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 18 Jan, 2016 1 commit
    • ovs: limit ovs recursions in ovs_execute_actions to not corrupt stack · b064d0d8
      Hannes Frederic Sowa authored
      It was seen that defective configurations of openvswitch could overwrite
      the STACK_END_MAGIC and cause a hard crash of the kernel because of too
      many recursions within ovs.
      
      This problem arises due to the high stack usage of openvswitch. The rest
      of the kernel is fine with the current limit of 10 (RECURSION_LIMIT).
      
      We use the already existing recursion counter in ovs_execute_actions to
      implement an upper bound of 5 recursions.
      
      Cc: Pravin Shelar <pshelar@ovn.org>
      Cc: Simon Horman <simon.horman@netronome.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Simon Horman <simon.horman@netronome.com>
      Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 15 Jan, 2016 1 commit
  6. 10 Jan, 2016 3 commits
  7. 29 Dec, 2015 1 commit
    • openvswitch: Fix template leak in error cases. · 90c7afc9
      Joe Stringer authored
      Commit 5b48bb8506c5 ("openvswitch: Fix helper reference leak") fixed a
      reference leak on helper objects, but inadvertently introduced a leak on
      the ct template.
      
      Previously, ct_info.ct->general.use was initialized to 0 by
      nf_ct_tmpl_alloc() and only incremented when ovs_ct_copy_action()
      returned successful. If an error occurred while adding the helper or
      adding the action to the actions buffer, the __ovs_ct_free_action()
      cleanup would use nf_ct_put() to free the entry; however, this relies on
      atomic_dec_and_test(ct_info.ct->general.use). This reference must be
      incremented first, or nf_ct_put() will never free it.
      
      Fix the issue by acquiring a reference to the template immediately after
      allocation.
      
      Fixes: cae3a262 ("openvswitch: Allow attaching helpers to ct action")
      Fixes: 5b48bb8506c5 ("openvswitch: Fix helper reference leak")
      Signed-off-by: Joe Stringer <joe@ovn.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  8. 18 Dec, 2015 1 commit
  9. 11 Dec, 2015 2 commits
  10. 03 Dec, 2015 3 commits
  11. 02 Dec, 2015 1 commit
  12. 24 Nov, 2015 1 commit
  13. 23 Nov, 2015 2 commits
    • netfilter: ipv6: avoid nf_iterate recursion · daaa7d64
      Florian Westphal authored
      The previous patch changed nf_ct_frag6_gather() to morph reassembled skb
      with the previous one.
      
      This means that the return value is always NULL or the skb argument.
      So change it to an err value.
      
      Instead of invoking NF_HOOK recursively with threshold to skip already-called hooks
      we can now just return NF_ACCEPT to move on to the next hook except for
      -EINPROGRESS (which means skb has been queued for reassembly), in which case we
      return NF_STOLEN.
      
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ipv6: nf_defrag: avoid/free clone operations · 029f7f3b
      Florian Westphal authored
      commit 6aafeef0
      ("netfilter: push reasm skb through instead of original frag skbs")
      changed ipv6 defrag to not use the original skbs anymore.
      
      So rather than keeping the original skbs around just to discard them
      afterwards just use the original skbs directly for the fraglist of
      the newly assembled skb and remove the extra clone/free operations.
      
      The skb that completes the fragment queue is morphed into the
      reassembled one instead, just like ipv4 defrag.
      
      openvswitch doesn't need any additional skb_morph magic anymore to deal
      with this situation so just remove that.
      
      A followup patch can then also remove the NF_HOOK (re)invocation in
      the ipv6 netfilter defrag hook.
      
      Cc: Joe Stringer <joestringer@nicira.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  14. 27 Oct, 2015 2 commits
  15. 22 Oct, 2015 3 commits
  16. 21 Oct, 2015 4 commits
  17. 18 Oct, 2015 1 commit
  18. 12 Oct, 2015 2 commits
  19. 07 Oct, 2015 7 commits
  20. 05 Oct, 2015 1 commit
    • openvswitch: Fix ovs_vport_get_stats() · 83ffe99f
      Pravin B Shelar authored
      Not every device has dev->tstats set. So when OVS tries to calculate
      vport stats it causes kernel panic. Following patch fixes it by
      using standard API to get net-device stats.
      
      ---8<---
      Unable to handle kernel paging request at virtual address 766b4008
      Internal error: Oops: 96000005 [#1] PREEMPT SMP
      Modules linked in: vport_vxlan vxlan ip6_udp_tunnel udp_tunnel tun bridge stp llc openvswitch ipv6
      CPU: 7 PID: 1108 Comm: ovs-vswitchd Not tainted 4.3.0-rc3+ #82
      PC is at ovs_vport_get_stats+0x150/0x1f8 [openvswitch]
      <snip>
      Call trace:
       [<ffffffbffc0859f8>] ovs_vport_get_stats+0x150/0x1f8 [openvswitch]
       [<ffffffbffc07cdb0>] ovs_vport_cmd_fill_info+0x140/0x1e0 [openvswitch]
       [<ffffffbffc07cf0c>] ovs_vport_cmd_dump+0xbc/0x138 [openvswitch]
       [<ffffffc00045a5ac>] netlink_dump+0xb8/0x258
       [<ffffffc00045ace0>] __netlink_dump_start+0x120/0x178
       [<ffffffc00045dd9c>] genl_family_rcv_msg+0x2d4/0x308
       [<ffffffc00045de58>] genl_rcv_msg+0x88/0xc4
       [<ffffffc00045cf24>] netlink_rcv_skb+0xd4/0x100
       [<ffffffc00045dab0>] genl_rcv+0x30/0x48
       [<ffffffc00045c830>] netlink_unicast+0x154/0x200
       [<ffffffc00045cc9c>] netlink_sendmsg+0x308/0x364
       [<ffffffc00041e10c>] sock_sendmsg+0x14/0x2c
       [<ffffffc000420d58>] SyS_sendto+0xbc/0xf0
      Code: aa1603e1 f94037a4 aa1303e2 aa1703e0 (f9400465)
      
      Reported-by: Tomasz Sawicki <tomasz.sawicki@objectiveintegration.uk>
      Fixes: 8c876639 ("openvswitch: Remove vport stats.")
      Signed-off-by: Pravin B Shelar <pshelar@nicira.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>