1. 01 Jul, 2016 1 commit
  2. 30 Jun, 2016 1 commit
  3. 23 Jun, 2016 1 commit
  4. 15 Jun, 2016 2 commits
    • gre: fix error handler · e582615a
      Eric Dumazet authored
      1) gre_parse_header() can be called from gre_err()
      
         At this point transport header points to ICMP header, not the inner
      header.
      
      2) We can not really change transport header as ipgre_err() will later
      assume transport header still points to ICMP header (using icmp_hdr())
      
      3) pskb_may_pull() logic in gre_parse_header() really works
        if we are interested at zone pointed by skb->data
      
      4) As Jiri explained in commit b7f8fe25 ("gre: do not pull header in
      ICMP error processing") we should not pull headers in error handler.
      
      So this fix :
      
      A) changes gre_parse_header() to use skb->data instead of
      skb_transport_header()
      
      B) Adds a nhs parameter to gre_parse_header() so that we can skip the
      not pulled IP header from error path.
        This offset is 0 for normal receive path.
      
      C) remove obsolete IPV6 includes
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Tom Herbert <tom@herbertland.com>
      Cc: Maciej Żenczykowski <maze@google.com>
      Cc: Jiri Benc <jbenc@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: nf_tables: reject loops from set element jump to chain · 8588ac09
      Pablo Neira Ayuso authored
      Liping Zhang says:
      
      "Users may add such wrong nft rules successfully, which will cause an
      endless jump loop:
      
        # nft add rule filter test tcp dport vmap {1: jump test}
      
      This is because before we commit, the element in the current anonymous
      set is inactive, so ops->walk will skip this element and miss the
      validate check."
      
      To resolve this problem, this patch passes the generation mask to the
      walk function through the iter container structure depending on the code
      path:
      
      1) If we're dumping the elements, then we have to check if the element
         is active in the current generation. Thus, we check for the current
         bit in the genmask.
      
      2) If we're checking for loops, then we have to check if the element is
         active in the next generation, as we're in the middle of a
         transaction. Thus, we check for the next bit in the genmask.
      
      Based on original patch from Liping Zhang.
      Reported-by: Liping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: Liping Zhang <liping.zhang@spreadtrum.com>
  5. 10 Jun, 2016 1 commit
  6. 07 Jun, 2016 1 commit
  7. 06 Jun, 2016 1 commit
  8. 05 Jun, 2016 1 commit
    • ipvs: update real-server binding of outgoing connections in SIP-pe · 3ec10d3a
      Marco Angaroni authored
      Previous patch that introduced handling of outgoing packets in SIP
      persistent-engine did not call ip_vs_check_template() in case packet was
      matching a connection template. Assumption was that real-server was
      healthy, since it was sending a packet just in that moment.
      
      There are however real-server fault conditions requiring that association
      between call-id and real-server (represented by connection template)
      gets updated. Here is an example of the sequence of events:
        1) RS1 is a back2back user agent that handled call-id1 and call-id2
        2) RS1 is down and was marked as unavailable
        3) new message from outside comes to IPVS with call-id1
        4) IPVS reschedules the message to RS2, which becomes new call handler
        5) RS2 forwards the message outside, translating call-id1 to call-id2
        6) inside pe->conn_out() IPVS matches call-id2 with existing template
        7) IPVS does not change association call-id2 <-> RS1
        8) new message comes from client with call-id2
        9) IPVS reschedules the message to a real-server potentially different
           from RS2, which is now the correct destination
      
      This patch introduces ip_vs_check_template() call in the handling of
      outgoing packets for SIP-pe. And also introduces a second optional
      argument for ip_vs_check_template() that allows to check if dest
      associated to a connection template is the same dest that was identified
      as the source of the packet. This is to change the real-server bound to a
      particular call-id independently from its availability status: the idea
      is that it's more reliable, for in->out direction (where internal
      network can be considered trusted), to always associate a call-id with
      the last real-server that used it in one of its messages. Think about
      above sequence of events where, just after step 5, RS1 returns instead
      to be available.
      
      Comparison of dests is done by simply comparing pointers to struct
      ip_vs_dest; there should be no cases where struct ip_vs_dest keeps its
      memory address, but represents a different real-server in terms of
      ip-address / port.
      
      Fixes: 39b97223 ("ipvs: handle connections started by real-servers")
      Signed-off-by: Marco Angaroni <marcoangaroni@gmail.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
  9. 29 May, 2016 1 commit
    • ipv6: hide ip6_encap_hlen/ip6_tnl_encap definitions · 9791d8e7
      Arnd Bergmann authored
      A recent cleanup moved MAX_IPTUN_ENCAP_OPS along with some other
      definitions, but it is now invisible when CONFIG_INET is
      not defined, but still referenced from ip6_tunnel.h:
      
      In file included from net/xfrm/xfrm_input.c:17:0:
      include/net/ip6_tunnel.h:67:17: error: 'MAX_IPTUN_ENCAP_OPS' undeclared here (not in a function)
         ip6tun_encaps[MAX_IPTUN_ENCAP_OPS];
                       ^~~~~~~~~~~~~~~~~~~
      
      This hides the ip6_encap_hlen and ip6_tnl_encap functions inside
      of CONFIG_INET so we don't run into the problem.
      
      Alternatively we could move the macro out of the #ifdef again to
      restore the previous behavior
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Fixes: 55c2bc14 ("net: Cleanup encap items in ip_tunnels.h")
      Signed-off-by: David S. Miller <davem@davemloft.net>
  10. 25 May, 2016 1 commit
    • netfilter: nf_queue: Make the queue_handler pernet · dc3ee32e
      Eric W. Biederman authored
      Florian Weber reported:
      > Under full load (unshare() in loop -> OOM conditions) we can
      > get kernel panic:
      >
      > BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      > IP: [<ffffffff81476c85>] nfqnl_nf_hook_drop+0x35/0x70
      > [..]
      > task: ffff88012dfa3840 ti: ffff88012dffc000 task.ti: ffff88012dffc000
      > RIP: 0010:[<ffffffff81476c85>]  [<ffffffff81476c85>] nfqnl_nf_hook_drop+0x35/0x70
      > RSP: 0000:ffff88012dfffd80  EFLAGS: 00010206
      > RAX: 0000000000000008 RBX: ffffffff81add0c0 RCX: ffff88013fd80000
      > [..]
      > Call Trace:
      >  [<ffffffff81474d98>] nf_queue_nf_hook_drop+0x18/0x20
      >  [<ffffffff814738eb>] nf_unregister_net_hook+0xdb/0x150
      >  [<ffffffff8147398f>] netfilter_net_exit+0x2f/0x60
      >  [<ffffffff8141b088>] ops_exit_list.isra.4+0x38/0x60
      >  [<ffffffff8141b652>] setup_net+0xc2/0x120
      >  [<ffffffff8141bd09>] copy_net_ns+0x79/0x120
      >  [<ffffffff8106965b>] create_new_namespaces+0x11b/0x1e0
      >  [<ffffffff810698a7>] unshare_nsproxy_namespaces+0x57/0xa0
      >  [<ffffffff8104baa2>] SyS_unshare+0x1b2/0x340
      >  [<ffffffff81608276>] entry_SYSCALL_64_fastpath+0x1e/0xa8
      > Code: 65 00 48 89 e5 41 56 41 55 41 54 53 83 e8 01 48 8b 97 70 12 00 00 48 98 49 89 f4 4c 8b 74 c2 18 4d 8d 6e 08 49 81 c6 88 00 00 00 <49> 8b 5d 00 48 85 db 74 1a 48 89 df 4c 89 e2 48 c7 c6 90 68 47
      >
      
      The simple fix for this requires a new pernet variable for struct
      nf_queue that indicates when it is safe to use the dynamically
      allocated nf_queue state.
      
      As we need a variable anyway make nf_register_queue_handler and
      nf_unregister_queue_handler pernet.  This allows the existing logic of
      when it is safe to use the state from the nfnetlink_queue module to be
      reused with no changes except for making it per net.
      
      The synchronize_rcu from nf_unregister_queue_handler is moved to a new
      function nfnl_queue_net_exit_batch so that the worst case of having a
      synchronize_rcu in the pernet exit path is not experienced in batch
      mode.
      Reported-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  11. 24 May, 2016 1 commit
    • net_sched: avoid too many hrtimer_start() calls · a9efad8b
      Eric Dumazet authored
      I found a serious performance bug in packet schedulers using hrtimers.
      
      sch_htb and sch_fq are definitely impacted by this problem.
      
      We constantly rearm high resolution timers if some packets are throttled
      in one (or more) class, and other packets are flying through qdisc on
      another (non throttled) class.
      
      hrtimer_start() does not have the mod_timer() trick of doing nothing if
      expires value does not change :
      
              if (timer_pending(timer) &&
                  timer->expires == expires)
                      return 1;
      
      This issue is particularly visible when multiple cpus can queue/dequeue
      packets on the same qdisc, as hrtimer code has to lock a remote base.
      
      I used following fix :
      
      1) Change htb to use qdisc_watchdog_schedule_ns() instead of open-coding
      it.
      
      2) Cache watchdog prior expiration. hrtimer might provide this, but I
      prefer to not rely on some hrtimer internal.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  12. 20 May, 2016 7 commits
  13. 17 May, 2016 1 commit
  14. 16 May, 2016 5 commits
  15. 12 May, 2016 5 commits
  16. 11 May, 2016 6 commits
  17. 10 May, 2016 1 commit
  18. 09 May, 2016 3 commits