GitHub/MotorolaMobilityLLC/kernel-slsi.git
Liping Zhang [Sat, 29 Apr 2017 13:59:49 +0000 (21:59 +0800)]
netfilter: nf_ct_ext: invoke destroy even when ext is not attached

For NF_NAT_MANIP_SRC, we will insert the ct to the nat_bysource_table,
then remove it from the nat_bysource_table via nat_extend->destroy.

But now, the nat extension is attached on demand, so if the nat extension
is not attached, we will not be notified when the ct is destroyed, i.e.
we may fail to remove ct from the nat_bysource_table.

So just keep it simple, even if the extension is not attached, we will
still invoke the related ext->destroy. And this will also preserve the
flexibility for the future extension.

Fixes: 9a08ecfe74d7 ("netfilter: don't attach a nat extension by default")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Mon, 1 May 2017 09:45:47 +0000 (11:45 +0200)]
Merge tag 'ipvs3-for-v4.12' of http://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next

Simon Horman says:

====================
Third Round of IPVS Updates for v4.12

please consider these enhancements to IPVS for v4.12.
If it is too late for v4.12 then please consider them for v4.13.

* Remove unused function
* Correct comparison of unsigned value
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 27 Apr 2017 14:39:43 +0000 (16:39 +0200)]
netfilter: snmp: avoid stack size warning

net/ipv4/netfilter/nf_nat_snmp_basic.c:1158:1: warning: the frame size
of 1160 bytes is larger than 1024 bytes

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 24 Apr 2017 13:37:41 +0000 (15:37 +0200)]
netfilter: nf_queue: only call synchronize_net twice if nf_queue is active

nf_unregister_net_hook(s) can avoid a second call to synchronize_net,
provided there is no nfqueue active in that net namespace (which is
the common case).

This also gets rid of the extra arg to nf_queue_nf_hook_drop(), normally
this gets called during netns cleanup so no packets should be queued.

For the rare case of base chain being unregistered or module removal
while nfqueue is in use the extra hiccup due to the packet drops isn't
a big deal.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 25 Apr 2017 08:24:03 +0000 (10:24 +0200)]
netfilter: nf_log: don't call synchronize_rcu in nf_log_unset

nf_log_unregister() (which is what gets called in the logger backends
module exit paths) does a (required, module is removed) synchronize_rcu().

But nf_log_unset() is only called from pernet exit handlers. It doesn't
free any memory so there appears to be no need to call synchronize_rcu.

v2: Liping Zhang points out that nf_log_unregister() needs to be called
after pernet unregister, else rmmod would become unsafe.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Mon, 24 Apr 2017 13:37:39 +0000 (15:37 +0200)]
netfilter: batch synchronize_net calls during hook unregister

synchronize_net is expensive and slows down netns cleanup a lot.

We have two APIs to unregister a hook:
nf_unregister_net_hook (which calls synchronize_net())
and
nf_unregister_net_hooks (calls nf_unregister_net_hook in a loop)

Make nf_unregister_net_hook a wrapper around new helper
__nf_unregister_net_hook, which unlinks the hook but does not free it.

Then, we can call that helper in nf_unregister_net_hooks and then
call synchronize_net() only once.

Andrey Konovalov reports this change improves syzkaller fuzzing speed at
least twice.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Aaron Conole [Wed, 12 Apr 2017 20:38:12 +0000 (16:38 -0400)]
ipvs: change comparison on sync_refresh_period

The sync_refresh_period variable is unsigned, so it can never be < 0.

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Simon Horman <horms@verge.net.au>
Aaron Conole [Mon, 10 Apr 2017 19:50:44 +0000 (15:50 -0400)]
ipvs: remove unused function ip_vs_set_state_timeout

There are no in-tree callers of this function and it isn't exported.

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Simon Horman <horms@verge.net.au>
Florian Westphal [Thu, 20 Apr 2017 08:11:35 +0000 (10:11 +0200)]
netfilter: don't attach a nat extension by default

nowadays the NAT extension only stores the interface index
(used to purge connections that got masqueraded when interface goes down)
and pptp nat information.

Previous patches moved nf_ct_nat_ext_add to those places that need it.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Apr 2017 08:11:34 +0000 (10:11 +0200)]
netfilter: pptp: attach nat extension when needed

make sure nat extension gets added if the master conntrack is subject to
NAT.  This will be required once the nat core stops adding it by default.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Apr 2017 08:11:33 +0000 (10:11 +0200)]
netfilter: masquerade: attach nat extension if not present

Currently the nat extension is always attached as soon as nat module is
loaded.  However, most NAT uses do not need the nat extension anymore.

Prepare to remove the add-nat-by-default by making those places that need
it attach it if it's not present yet.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Apr 2017 07:54:24 +0000 (09:54 +0200)]
netfilter: conntrack: handle initial extension alloc via krealloc

krealloc(NULL, ..) is same as kmalloc(), so we can avoid special-casing
the initial allocation after the prealloc removal (we had to use
->alloc_len as the initial allocation size).

This also means we do not zero the preallocated memory anymore; only
offsets[].  Existing code makes sure the new (used) extension space gets
zeroed out.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Apr 2017 07:54:23 +0000 (09:54 +0200)]
netfilter: conntrack: mark extension structs as const

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Thu, 20 Apr 2017 07:54:22 +0000 (09:54 +0200)]
netfilter: conntrack: remove prealloc support

It was used by the nat extension, but since commit
7c9664351980 ("netfilter: move nat hlist_head to nf_conn") it's only needed
for connections that use MASQUERADE target or a nat helper.

Also it seems a lot easier to preallocate a fixed size instead.

With default settings, conntrack first adds ecache extension (sysctl
defaults to 1), so we get 40(ct extension header) + 24 (ecache) == 64 byte
on x86_64 for initial allocation.

Followup patches can constify the extension structs and avoid
the initial zeroing of the entire extension area.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Thu, 20 Apr 2017 06:01:45 +0000 (14:01 +0800)]
netfilter: SYNPROXY: Return NF_STOLEN instead of NF_DROP during handshaking

Current SYNPROXY codes return NF_DROP during normal TCP handshaking,
it is not friendly to caller. Because the nf_hook_slow would treat
the NF_DROP as an error, and return -EPERM.
As a result, it may cause the top caller think it meets one error.

For example, the following codes are from cfv_rx_poll()
    err = netif_receive_skb(skb);
    if (unlikely(err)) {
        ++cfv->ndev->stats.rx_dropped;
    } else {
        ++cfv->ndev->stats.rx_packets;
        cfv->ndev->stats.rx_bytes += skb_len;
    }
When SYNPROXY returns NF_DROP, then netif_receive_skb returns -EPERM.
As a result, the cfv driver would treat it as an error, and increase
the rx_dropped counter.

So use NF_STOLEN instead of NF_DROP now because there is no error
happened indeed, and free the skb directly.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 19 Apr 2017 22:45:48 +0000 (00:45 +0200)]
ebtables: remove nf_hook_register usage

Similar to ip_register_table, pass nf_hook_ops to ebt_register_table().
This allows to handle hook registration also via pernet_ops and allows
us to avoid use of legacy register_hook api.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 19 Apr 2017 22:42:07 +0000 (00:42 +0200)]
netfilter: decnet: only register hooks in init namespace

looks like decnet isn't namespacified in first place, so restrict hook
registration to the initial namespace.

Prepares for eventual removal of legacy nf_register_hook() api.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 19 Apr 2017 16:25:22 +0000 (18:25 +0200)]
ipvs: convert to use pernet nf_hook api

nf_(un)register_hooks has to maintain an internal hook list to add/remove
those hooks from net namespaces as they are added/deleted.

ipvs already uses pernet_ops, so we can switch to the (more recent)
pernet hook api instead.

Compile tested only.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Wed, 19 Apr 2017 16:14:04 +0000 (18:14 +0200)]
netfilter: synproxy: only register hooks when needed

Defer registration of the synproxy hooks until the first SYNPROXY rule is
added.  Also means we only register hooks in namespaces that need it.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Wed, 19 Apr 2017 01:23:42 +0000 (09:23 +0800)]
netfilter: tcp: Use TCP_MAX_WSCALE instead of literal 14

The window scale may be enlarged from 14 to 15 according to the IETF
draft https://tools.ietf.org/html/draft-nishida-tcpm-maxwin-03.

Use the macro TCP_MAX_WSCALE to support it easily with TCP stack in
the future.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Apr 2017 15:49:56 +0000 (17:49 +0200)]
netfilter: ipvs: fix incorrect conflict resolution

The commit ab8bc7ed864b9c4f1fcb00a22bbe4e0f66ce8003
("netfilter: remove nf_ct_is_untracked")
changed the line
   if (ct && !nf_ct_is_untracked(ct) && nfct_nat(ct)) {
   to
   if (ct && nfct_nat(ct)) {

meanwhile, the commit 41390895e50bc4f28abe384c6b35ac27464a20ec
("netfilter: ipvs: don't check for presence of nat extension")
from ipvs-next had changed the same line to

  if (ct && !nf_ct_is_untracked(ct) && (ct->status & IPS_NAT_MASK)) {

When ipvs-next got merged into nf-next, the merge resolution took
the first version, dropping the conversion of nfct_nat().

While this doesn't cause a problem at the moment, it will once we stop
adding the nat extension by default.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 18 Apr 2017 15:27:32 +0000 (17:27 +0200)]
nefilter: eache: reduce struct size from 32 to 24 byte

Only "cache" needs to use ulong (it's used with set_bit()), missed can use
u16.  Also add build-time assertion to ensure event bits fit.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sun, 16 Apr 2017 20:08:53 +0000 (22:08 +0200)]
netfilter: allow early drop of assured conntracks

If insertion of a new conntrack fails because the table is full, the kernel
searches the next buckets of the hash slot where the new connection
was supposed to be inserted at for an entry that hasn't seen traffic
in reply direction (non-assured), if it finds one, that entry is
dropped and the new connection entry is allocated.

Allow the conntrack gc worker to also remove *assured* conntracks if
resources are low.

Do this by querying the l4 tracker, e.g. tcp connections are now dropped
if they are no longer established (e.g. in finwait).

This could be refined further, e.g. by adding 'soft' established timeout
(i.e., a timeout that is only used once we get close to resource
exhaustion).

Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:19 +0000 (01:29 +0200)]
netfilter: conntrack: use u8 for extension sizes again

commit 223b02d923ecd7c84cf9780bb3686f455d279279
("netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len")
had to increase size of the extension offsets because total size of the
extensions had increased to a point where u8 did overflow.

3 years later we've managed to diet extensions a bit and we no longer
need u16.  Furthermore we can now add a compile-time assertion for this
problem.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:18 +0000 (01:29 +0200)]
netfilter: remove last traces of variable-sized extensions

get rid of the (now unused) nf_ct_ext_add_length define and also
rename the function to plain nf_ct_ext_add().

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:17 +0000 (01:29 +0200)]
netfilter: helpers: remove data_len usage for inkernel helpers

No need to track this for inkernel helpers anymore as
NF_CT_HELPER_BUILD_BUG_ON checks do this now.

All inkernel helpers know what kind of structure they
stored in helper->data.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:16 +0000 (01:29 +0200)]
netfilter: nfnetlink_cthelper: reject too large userspace allocation requests

Userspace should not abuse the kernel to store large amounts of data,
reject requests larger than the private area can accommodate.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:15 +0000 (01:29 +0200)]
netfilter: helper: add build-time asserts for helper data size

add a 32 byte scratch area in the helper struct instead of relying
on variable sized helpers plus compile-time asserts to let us know
if 32 bytes aren't enough anymore.

Not having variable sized helpers will later allow to add BUILD_BUG_ON
for the total size of conntrack extensions -- the helper extension is
the only one that doesn't have a fixed size.

The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case
someone adds a new helper and copy-pastes from one that doesn't store
private data at least some indication that this macro should be used
somehow is there...

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 23:29:14 +0000 (01:29 +0200)]
netfilter: conntrack: move helper struct to nf_conntrack_helper.h

its definition is not needed in nf_conntrack.h.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Sat, 15 Apr 2017 17:26:10 +0000 (19:26 +0200)]
netfilter: nft_ct: allow to set ctnetlink event types of a connection

By default the kernel emits all ctnetlink events for a connection.
This allows to select the types of events to generate.

This can be used to e.g. only send DESTROY events but no NEW/UPDATE ones
and will work even if sysctl net.netfilter.nf_conntrack_events is set to 0.

This was already possible via iptables' CT target, but the nft version has
the advantage that it can also be used with already-established conntracks.

The added nf_ct_is_template() check isn't a bug fix as we only support
mark and labels (and unlike ecache the conntrack core doesn't copy those).

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 14 Apr 2017 18:31:09 +0000 (20:31 +0200)]
netfilter: remove nf_ct_is_untracked

This function is now obsolete and always returns false.
This change has no effect on generated code.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Fri, 14 Apr 2017 18:31:08 +0000 (20:31 +0200)]
netfilter: kill the fake untracked conntrack objects

resurrect an old patch from Pablo Neira to remove the untracked objects.

Currently, there are four possible states of an skb wrt. conntrack.

1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
4. the 'untracked' conntrack, a percpu nf_conn object, tagged via
   IPS_UNTRACKED_BIT in ct->status.

Untracked is supposed to be identical to case 1.  It exists only
so users can check

-m conntrack --ctstate UNTRACKED vs.
-m conntrack --ctstate INVALID

e.g. attempts to set connmark on INVALID or UNTRACKED conntracks is
supposed to be a no-op.

Thus currently we need to check
 ct == NULL || nf_ct_is_untracked(ct)

in a lot of places in order to avoid altering untracked objects.

The other consequence of the percpu untracked object is that all
-j NOTRACK (and, later, kfree_skb of such skbs) result in an atomic op
(inc/dec the untracked conntracks refcount).

This adds a new kernel-private ctinfo state, IP_CT_UNTRACKED, to
make the distinction instead.

The (few) places that care about packet invalid (ct is NULL) vs.
packet untracked now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED,
but all other places can omit the nf_ct_is_untracked() check.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Thu, 13 Apr 2017 01:35:49 +0000 (09:35 +0800)]
netfilter: ecache: Refine the nf_ct_deliver_cached_events

1. Remove single !events condition check to deliver the missed event
even though there is no new event happened.

Consider this case:
1) nf_ct_deliver_cached_events is invoked at the first time, the
event is failed to deliver, then the missed is set.
2) nf_ct_deliver_cached_events is invoked again, but there is no
any new event happened.
The missed event is lost really.

It would try to send the missed event again after remove this check.
And it is ok if there is no missed event because the latter check
!((events | missed) & e->ctmask) could avoid it.

2. Correct the return value check of notify->fcn.
When send the event successfully, it returns 0, not positive value.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Wed, 12 Apr 2017 10:33:03 +0000 (18:33 +0800)]
netfilter: nf_nat: Fix return NF_DROP in nfnetlink_parse_nat_setup

The __nf_nat_alloc_null_binding invokes nf_nat_setup_info which may
return NF_DROP when memory is exhausted, so convert NF_DROP to -ENOMEM
to make ctnetlink happy. Or ctnetlink_setup_nat treats it as a success
when one error NF_DROP happens actually.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Sat, 15 Apr 2017 08:54:40 +0000 (10:54 +0200)]
Merge tag 'ipvs2-for-v4.12' of https://git.kernel.org/pub/scm/linux/kernel/git/horms/ipvs-next

Simon Horman says:

====================
Second Round of IPVS Updates for v4.12

please consider these clean-ups and enhancements to IPVS for v4.12.

* Removal unused variable
* Use kzalloc where appropriate
* More efficient detection of presence of NAT extension
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Conflicts:
net/netfilter/ipvs/ip_vs_ftp.c

Aaron Conole [Mon, 10 Apr 2017 19:52:37 +0000 (15:52 -0400)]
ipset: remove unused function __ip_set_get_netlink

There are no in-tree callers.

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Aaron Conole [Wed, 12 Apr 2017 20:32:54 +0000 (16:32 -0400)]
netfilter: nf_conntrack: remove double assignment

The protonet pointer will unconditionally be rewritten, so just do the
needed assignment first.

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Aaron Conole [Wed, 12 Apr 2017 20:12:28 +0000 (16:12 -0400)]
netfilter: nf_tables: remove double return statement

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Taehee Yoo [Mon, 27 Mar 2017 15:28:50 +0000 (00:28 +0900)]
netfilter: nat: remove rcu_read_lock in __nf_nat_decode_session.

__nf_nat_decode_session is called from nf_nat_decode_session as decodefn.
before calling decodefn, it already set rcu_read_lock. so rcu_read_lock in
__nf_nat_decode_session can be removed.

Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Wed, 5 Apr 2017 01:57:04 +0000 (09:57 +0800)]
netfilter: udplite: Remove duplicated udplite4/6 declaration

There are two nf_conntrack_l4proto_udp4 declarations in the head file
nf_conntrack_ipv4/6.h. Now remove one which is not embraced by the macro
CONFIG_NF_CT_PROTO_UDPLITE.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Arushi Singhal [Sat, 8 Apr 2017 15:49:30 +0000 (21:19 +0530)]
netfilter: ip6_tables: Remove unneccessary comments

These comments are obsolete and should go, as there are no set of rules
per CPU anymore.

Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Arushi Singhal [Sun, 2 Apr 2017 09:22:12 +0000 (14:52 +0530)]
netfilter: Remove exceptional & on function name

Remove & from function pointers to conform to the style found elsewhere
in the file. Done using the following semantic patch

// <smpl>
@r@
identifier f;
@@

f(...) { ... }
@@
identifier r.f;
@@

- &f
+ f
// </smpl>

Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
simran singhal [Wed, 29 Mar 2017 05:45:40 +0000 (11:15 +0530)]
net: netfilter: Use list_{next/prev}_entry instead of list_entry

This patch replaces list_entry with list_prev_entry as it makes the
code more clear to read.

Signed-off-by: simran singhal <singhalsimran0@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
simran singhal [Tue, 28 Mar 2017 21:55:17 +0000 (03:25 +0530)]
netfilter: Use seq_puts()/seq_putc() where possible

For string without format specifiers, use seq_puts(). For
seq_printf("\n"), use seq_putc('\n').

Signed-off-by: simran singhal <singhalsimran0@gmail.com>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
simran singhal [Tue, 28 Mar 2017 19:05:16 +0000 (00:35 +0530)]
netfilter: Remove unnecessary cast on void pointer

The following Coccinelle script was used to detect this:
@r@
expression x;
void* e;
type T;
identifier f;
@@
(
  *((T *)e)
|
  ((T *)x)[...]
|
  ((T*)x)->f
|

- (T*)
  e
)

Unnecessary parentheses are also removed.

Signed-off-by: simran singhal <singhalsimran0@gmail.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Tue, 28 Mar 2017 16:57:32 +0000 (22:27 +0530)]
netfilter: Add nfnl_msg_type() helper function

Add and use nfnl_msg_type() function to replace opencoded nfnetlink
message type. I suggested this change, Arushi Singhal made an initial
patch to address this but was missing several spots.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Tue, 28 Mar 2017 01:52:52 +0000 (09:52 +0800)]
netfilter: ctnetlink: Expectations must have a conntrack helper area

The expect check function __nf_ct_expect_check() asks the master_help is
necessary. So it is unnecessary to go ahead in ctnetlink_alloc_expect
when there is no help.

Actually the commit bc01befdcf3e ("netfilter: ctnetlink: add support for
user-space expectation helpers") permits ctnetlink create one expect
even though there is no master help. But the latter commit 3d058d7bc2c5
("netfilter: rework user-space expectation helper support") disables it
again.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal [Tue, 28 Mar 2017 08:31:03 +0000 (10:31 +0200)]
netfilter: nat: avoid use of nf_conn_nat extension

successful insert into the bysource hash sets IPS_SRC_NAT_DONE status bit
so we can check that instead of presence of nat extension which requires
extra deref.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Mon, 27 Mar 2017 15:12:08 +0000 (23:12 +0800)]
netfilter: nat: nf_nat_mangle_{udp,tcp}_packet returns boolean

nf_nat_mangle_{udp,tcp}_packet() returns int. However, it is used as
bool type in many spots. Fix this by consistently handling this return
value as a boolean.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Mon, 27 Mar 2017 02:31:26 +0000 (10:31 +0800)]
netfilter: nf_ct_expect: Add nf_ct_remove_expect()

When remove one expect, it needs three statements. And there are
multiple duplicated codes in current code. So add one common function
nf_ct_remove_expect to consolidate this.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Gao Feng [Fri, 24 Mar 2017 13:32:19 +0000 (21:32 +0800)]
netfilter: expect: Make sure the max_expected limit is effective

Because the type of expecting, the member of nf_conn_help, is u8, it
would overflow after reach U8_MAX(255). So it doesn't work when we
configure the max_expected exceeds 255 with expect policy.

Now add the check for max_expected. Return the -EINVAL when it exceeds
the limit.

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso [Mon, 20 Mar 2017 17:10:29 +0000 (18:10 +0100)]
netfilter: nf_tables: add nft_is_base_chain() helper

This new helper function allows us to check if this is a basechain.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
David S. Miller [Thu, 6 Apr 2017 14:25:07 +0000 (07:25 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Mostly simple cases of overlapping changes (adding code nearby,
a function whose name changes, for example).

Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 6 Apr 2017 03:17:38 +0000 (20:17 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Reject invalid updates to netfilter expectation policies, from Pablo
    Neira Ayuso.

 2) Fix memory leak in nfnl_cthelper, from Jeffy Chen.

 3) Don't do stupid things if we get a neigh_probe() on a neigh entry
    whose ops lack a solicit method. From Eric Dumazet.

 4) Don't transmit packets in r8152 driver when the carrier is off, from
    Hayes Wang.

 5) Fix ipv6 packet type detection in aquantia driver, from Pavel
    Belous.

 6) Don't write uninitialized data into hw registers in bna driver, from
    Arnd Bergmann.

 7) Fix locking in ping_unhash(), from Eric Dumazet.

 8) Make BPF verifier range checks able to understand certain sequences
    emitted by LLVM, from Alexei Starovoitov.

 9) Fix use after free in ipconfig, from Mark Rutland.

10) Fix refcount leak on force commit in openvswitch, from Jarno
    Rajahalme.

11) Fix various overflow checks in AF_PACKET, from Andrey Konovalov.

12) Fix endianness bug in be2net driver, from Suresh Reddy.

13) Don't forget to wake TX queues when processing a timeout, from
    Grygorii Strashko.

14) ARP header on-stack storage is wrong in flow dissector, from Simon
    Horman.

15) Lost retransmit and reordering SNMP stats in TCP can be
    underreported. From Yuchung Cheng.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (82 commits)
  nfp: fix potential use after free on xdp prog
  tcp: fix reordering SNMP under-counting
  tcp: fix lost retransmit SNMP under-counting
  sctp: get sock from transport in sctp_transport_update_pmtu
  net: ethernet: ti: cpsw: fix race condition during open()
  l2tp: fix PPP pseudo-wire auto-loading
  bnx2x: fix spelling mistake in macros HW_INTERRUT_ASSERT_SET_*
  l2tp: take reference on sessions being dumped
  tcp: minimize false-positives on TCP/GRO check
  sctp: check for dst and pathmtu update in sctp_packet_config
  flow dissector: correct size of storage for ARP
  net: ethernet: ti: cpsw: wake tx queues on ndo_tx_timeout
  l2tp: take a reference on sessions used in genetlink handlers
  l2tp: hold session while sending creation notifications
  l2tp: fix duplicate session creation
  l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
  l2tp: fix race in l2tp_recv_common()
  sctp: use right in and out stream cnt
  bpf: add various verifier test cases for self-tests
  bpf, verifier: fix rejection of unaligned access checks for map_value_adj
  ...

7 years ago nfp: fix potential use after free on xdp prog
Jakub Kicinski [Tue, 4 Apr 2017 22:56:55 +0000 (15:56 -0700)]
nfp: fix potential use after free on xdp prog

We should unregister the net_device first, before we give back
our reference on xdp_prog.  Otherwise xdp_prog may be freed
before .ndo_stop() disabled the datapath.  Found by code inspection.

Fixes: ecd63a0217d5 ("nfp: add XDP support in the driver")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bonding: attempt to better support longer hw addresses
Jarod Wilson [Tue, 4 Apr 2017 21:32:42 +0000 (17:32 -0400)]
bonding: attempt to better support longer hw addresses

People are using bonding over Infiniband IPoIB connections, and who knows
what else. Infiniband has a hardware address length of 20 octets
(INFINIBAND_ALEN), and the network core defines a MAX_ADDR_LEN of 32.
Various places in the bonding code are currently hard-wired to 6 octets
(ETH_ALEN), such as the 3ad code, which I've left untouched here. Besides,
only alb is currently possible on Infiniband links right now anyway, due
to commit 1533e7731522, so the alb code is where most of the changes are.

One major component of this change is the addition of a bond_hw_addr_copy
function that takes a length argument, instead of using ether_addr_copy
everywhere that hardware addresses need to be copied about. The other
major component of this change is converting the bonding code from using
struct sockaddr for address storage to struct sockaddr_storage, as the
former has an address storage space of only 14, while the latter is 128
minus a few, which is necessary to support bonding over device with up to
MAX_ADDR_LEN octet hardware addresses. Additionally, this probably fixes
up some memory corruption issues with the current code, where it's
possible to write an infiniband hardware address into a sockaddr declared
on the stack.

Lightly tested on a dual mlx4 IPoIB setup, which properly shows a 20-octet
hardware address now:

$ cat /proc/net/bonding/bond0
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup) (fail_over_mac active)
Primary Slave: mlx4_ib0 (primary_reselect always)
Currently Active Slave: mlx4_ib0
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 100
Down Delay (ms): 100

Slave Interface: mlx4_ib0
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr:
80:00:02:08:fe:80:00:00:00:00:00:00:e4:1d:2d:03:00:1d:67:01
Slave queue ID: 0

Slave Interface: mlx4_ib1
MII Status: up
Speed: Unknown
Duplex: Unknown
Link Failure Count: 0
Permanent HW addr:
80:00:02:09:fe:80:00:00:00:00:00:01:e4:1d:2d:03:00:1d:67:02
Slave queue ID: 0

Also tested with a standard 1Gbps NIC bonding setup (with a mix of
e1000 and e1000e cards), running LNST's bonding tests.

CC: Jay Vosburgh <j.vosburgh@gmail.com>
CC: Veaceslav Falico <vfalico@gmail.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: netdev@vger.kernel.org
Signed-off-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago tcp: fix reordering SNMP under-counting
Yuchung Cheng [Tue, 4 Apr 2017 21:15:40 +0000 (14:15 -0700)]
tcp: fix reordering SNMP under-counting

Currently the reordering SNMP counters only increase if a connection
sees a higher degree than it has previously seen. It ignores if the
reordering degree is not greater than the default system threshold.
This significantly under-counts the number of reordering events
and falsely conveys that reordering is rare on the network.

This patch properly and faithfully records the number of reordering
events detected by the TCP stack, just like the comment says "this
exciting event is worth to be remembered". Note that even so TCP
still under-estimates the actual reordering events because TCP
requires TS options or certain packet sequences to detect reordering
(i.e. ACKing never-retransmitted sequence in recovery or disordered
 state).

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago tcp: fix lost retransmit SNMP under-counting
Yuchung Cheng [Tue, 4 Apr 2017 21:15:39 +0000 (14:15 -0700)]
tcp: fix lost retransmit SNMP under-counting

The lost retransmit SNMP stat is under-counting retransmission
that uses segment offloading. This patch fixes that so all
retransmission related SNMP counters are consistent.

Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time")
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago sfc: don't insert mc_list on low-latency firmware if it's too long
Edward Cree [Tue, 4 Apr 2017 16:02:49 +0000 (17:02 +0100)]
sfc: don't insert mc_list on low-latency firmware if it's too long

If the mc_list is longer than 256 addresses, we enter mc_promisc mode.
If we're in mc_promisc mode and the firmware doesn't support cascaded
 multicast, normally we also insert our mc_list, to prevent stealing by
 another VI.  However, if the mc_list was too long, this isn't really
 helpful - the MC groups that didn't fit in the list can still get
 stolen, and having only some of them stealable will probably cause
 more confusing behaviour than having them all stealable.  Since
 inserting 256 multicast filters takes a long time and can lead to MCDI
 state machine timeouts, just skip the mc_list insert in this overflow
 condition.

Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Merge branch 'nfp-ksettings'
David S. Miller [Wed, 5 Apr 2017 17:49:14 +0000 (10:49 -0700)]
Merge branch 'nfp-ksettings'

Jakub Kicinski says:

====================
nfp: ethtool link settings

This series adds support for getting and setting link settings
via the (moderately) new ethtool ksettings ops.

First patch introduces minimal speed and duplex reporting using
the information directly provided in PCI BAR0 memory.

Next few changes deal with the need to refresh port state read
from the service process and patch 6 finally uses that information
to provide link speed and duplex.  Patches 7 and 8 add auto
negotiation and port type reporting.

Remaining changes provide the set support for speed and auto
negotiation.  An upcoming series will also add port splitting
support via devlink.

Quite a bit of churn in this series is caused by the fact that
currently port speed and split changes will usually require a
reboot to take effect.  Current service process code is not capable
of performing MAC reinitialization after chip has been passing
traffic.  To make sure user is aware of this limitation we refuse
the configuration unless netdev is down, print warning to the logs
and if configuration was performed but did take effect we unregister
the netdev.  Service process has a "reboot needed" sticky bit, so
reloading the driver will not bring the netdev back.

Note that there is a helper in patch 13 which is marked as
__always_inline, because the FIELD_* macros require the parameters
to be known at compilation time.  I hope that is OK.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: add support for .set_link_ksettings()
Jakub Kicinski [Tue, 4 Apr 2017 23:12:35 +0000 (16:12 -0700)]
nfp: add support for .set_link_ksettings()

Support setting link speed and autonegotiation through
set_link_ksettings() ethtool op.  If the port is reconfigured
in incompatible way and reboot is required the netdev will get
unregistered and not come back until user reboots the system.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: NSP backend for link configuration operations
Jakub Kicinski [Tue, 4 Apr 2017 23:12:34 +0000 (16:12 -0700)]
nfp: NSP backend for link configuration operations

Add NSP backend for upcoming link configuration operations.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: add extended error messages
Jakub Kicinski [Tue, 4 Apr 2017 23:12:33 +0000 (16:12 -0700)]
nfp: add extended error messages

Allow NSP to set option code even when error is reported.  This provides
a way for NSP to give user more precise information about why command
failed.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: turn NSP port entry into a union
Jakub Kicinski [Tue, 4 Apr 2017 23:12:32 +0000 (16:12 -0700)]
nfp: turn NSP port entry into a union

Make NSP port structure a union to simplify accessing the fields
from generic macros.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: allow multi-stage NSP configuration
Jakub Kicinski [Tue, 4 Apr 2017 23:12:31 +0000 (16:12 -0700)]
nfp: allow multi-stage NSP configuration

NSP commands may be slow to respond, we should try to avoid doing
a command-per-item when user requested to change multiple parameters
for instance with an ethtool .set_settings() command.

Introduce a way of internal NSP code to carry state in NSP structure
and add start/finish calls to perform the initialization and kick off
of the configuration request, with potentially many parameters being
modified in between.

nfp_eth_set_mod_enable() will make use of the new code internally,
other "set" functions to follow.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: separate high level and low level NSP headers
Jakub Kicinski [Tue, 4 Apr 2017 23:12:30 +0000 (16:12 -0700)]
nfp: separate high level and low level NSP headers

We will soon add more NSP commands and structure definitions.
Move all high-level NSP header contents to a common nfp_nsp.h file.
Right now it mostly boils down to renaming nfp_nsp_eth.h and
moving some functions from nfp.h there.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: report port type in ethtool
Jakub Kicinski [Tue, 4 Apr 2017 23:12:29 +0000 (16:12 -0700)]
nfp: report port type in ethtool

Service process firmware provides us with information about media
and interface (SFP module) plugged in, translate that to Linux's
PORT_* defines and report via ethtool.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: report auto-negotiation in ethtool
Jakub Kicinski [Tue, 4 Apr 2017 23:12:28 +0000 (16:12 -0700)]
nfp: report auto-negotiation in ethtool

NSP ABI version 0.17 is exposing the autonegotiation settings.
Report whether autoneg is on via ethtool.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: report link speed from NSP
Jakub Kicinski [Tue, 4 Apr 2017 23:12:27 +0000 (16:12 -0700)]
nfp: report link speed from NSP

On the PF prefer the link speed value provided by the NSP.
Refresh port table if needed.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: add port state refresh
Jakub Kicinski [Tue, 4 Apr 2017 23:12:26 +0000 (16:12 -0700)]
nfp: add port state refresh

We will need a way of refreshing port state for link settings
get/set.  For get we need to refresh port speed and type.

When settings are changed the reconfiguration may require
reboot before it's effective.  Unregister netdevs affected
by reconfiguration from a workqueue.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: track link state changes
Jakub Kicinski [Tue, 4 Apr 2017 23:12:25 +0000 (16:12 -0700)]
nfp: track link state changes

For caching link settings - remember if we have seen link events
since the last time the eth_port information was refreshed.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: add mutex protection for the port list
Jakub Kicinski [Tue, 4 Apr 2017 23:12:24 +0000 (16:12 -0700)]
nfp: add mutex protection for the port list

We will want to unregister netdevs after their port got reconfigured.
For that we need to make sure manipulations of port list from the
port reconfiguration flow will not race with driver's .remove()
callback.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: don't spawn netdevs for reconfigured ports
Jakub Kicinski [Tue, 4 Apr 2017 23:12:23 +0000 (16:12 -0700)]
nfp: don't spawn netdevs for reconfigured ports

After port reconfiguration (port split, media type change)
firmware will continue to report old configuration until
reboot.  NSP will inform us that reconfiguration is pending.
To avoid user confusion refuse to spawn netdevs until the
new configuration is applied (reboot).

We need to split the netdev to eth_table port matching from
MAC search and move it earlier in the probe() flow.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago nfp: add support for .get_link_ksettings()
Jakub Kicinski [Tue, 4 Apr 2017 23:12:22 +0000 (16:12 -0700)]
nfp: add support for .get_link_ksettings()

Read link speed from the BAR.  This provides very basic information
and works for both PFs and VFs.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Merge tag 'linux-can-next-for-4.13-20170404' of git://git.kernel.org/pub/scm/linux...
David S. Miller [Wed, 5 Apr 2017 16:56:22 +0000 (09:56 -0700)]
Merge tag 'linux-can-next-for-4.13-20170404' of git://git./linux/kernel/git/mkl/linux-can-next

Marc Kleine-Budde says:

====================
pull-request: can-next 2017-03-03

this is a pull request of 5 patches for net-next/master.

There are two patches by Yegor Yefremov which convert the ti_hecc
driver into a DT only driver, as there is no in-tree user of the old
platform driver interface anymore. The next patch by Mario Kicherer
adds network namespace support to the can subsystem. The last two
patches by Akshay Bhat add support for the holt_hi311x SPI CAN driver.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Merge tag 'mfd-fixes-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Linus Torvalds [Wed, 5 Apr 2017 16:04:26 +0000 (09:04 -0700)]
Merge tag 'mfd-fixes-4.11' of git://git./linux/kernel/git/lee/mfd

Pull MFD bug fix from Lee Jones:
 "Increase buffer size om cros-ec to allow for SPI messages"

* tag 'mfd-fixes-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
  mfd: cros-ec: Fix host command buffer size

7 years ago Merge tag 'kbuild-fixes-v4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masah...
Linus Torvalds [Wed, 5 Apr 2017 15:37:28 +0000 (08:37 -0700)]
Merge tag 'kbuild-fixes-v4.11' of git://git./linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - hand-off primary maintainership of Kbuild

 - fix build warnings

 - fix build error when GCOV is enabled with old compiler

 - fix HAVE_ASM_GOTO check when GCC plugin is enabled

* tag 'kbuild-fixes-v4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  gconfig: remove misleading parentheses around a condition
  jump label: fix passing kbuild_cflags when checking for asm goto support
  Kbuild: use cc-disable-warning consistently for maybe-uninitialized
  kbuild: external module build warnings when KBUILD_OUTPUT set and W=1
  MAINTAINERS: add Masahiro Yamada as a Kbuild maintainer

7 years ago selftests: add a generic testsuite for ethernet device
LABBE Corentin [Tue, 4 Apr 2017 13:32:47 +0000 (15:32 +0200)]
selftests: add a generic testsuite for ethernet device

This patch adds a generic testsuite for testing ethernet network device driver.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Merge branch 'rtnetlink-event-type'
David S. Miller [Wed, 5 Apr 2017 15:14:14 +0000 (08:14 -0700)]
Merge branch 'rtnetlink-event-type'

Vladislav Yasevich says:

====================
rtnetlink: Updates to rtnetlink_event()

This series came out of the conversation that started as a result of
my first attempt to add netdevice event info to netlink messages.

This series converts event processing to a 'white list', where
we explicitly permit events to generate netlink messages.  This
is meant to make people take a closer look and determine whether
these events should really trigger netlink messages.

I am also adding a V2 of my patch to add event type to the netlink
message.  This version supports all events that we currently generate.

I will also update my patch to iproute that will show this data
through 'ip monitor'.

I actually need the ability to trap NETDEV_NOTIFY_PEERS event
(as well as possible NETDEV_RESEND_IGMP) to support handling of
macvtap on top of bonding.  I hope others will also find this info useful.

V2: Added missed events (from David Ahern)
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago rtnl: Add support for netdev event to link messages
Vlad Yasevich [Tue, 4 Apr 2017 13:23:42 +0000 (09:23 -0400)]
rtnl: Add support for netdev event to link messages

When netdev events happen, a rtnetlink_event() handler will send
messages for every event in its white list.  These messages contain
current information about a particular device, but they do not include
the information about which event just happened.  The consumer of
the message has to try to infer this information.  In some cases
(ex: NETDEV_NOTIFY_PEERS), that is not possible.

This patch adds a new extension to RTM_NEWLINK message called IFLA_EVENT
that would have an encoding of which event triggered this
message.  This would allow the message consumer to easily determine
if it is interested in a particular event or not.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago rtnetlink: Convert rtnetlink_event to white list
Vlad Yasevich [Tue, 4 Apr 2017 13:23:41 +0000 (09:23 -0400)]
rtnetlink: Convert rtnetlink_event to white list

The rtnetlink_event currently functions as a blacklist where
we block certain netdev events from being sent to user space.
As a result, events have been added to the system that userspace
probably doesn't care about.

This patch converts the implementation to the white list so that
new events would have to be specifically added to the list to
be sent to userspace.  This would force new event implementers to
consider whether a given event is useful to user space or if it's
just a kernel event.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: tcp: Define the TCP_MAX_WSCALE instead of literal number 14
Gao Feng [Tue, 4 Apr 2017 13:09:48 +0000 (21:09 +0800)]
net: tcp: Define the TCP_MAX_WSCALE instead of literal number 14

Define one new macro TCP_MAX_WSCALE instead of literal number '14',
and use U16_MAX instead of 65535 as the max value of TCP window.
There is another minor change, use rounddown(space, mss) instead of
(space / mss) * mss;

Signed-off-by: Gao Feng <fgao@ikuai8.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: ibm: emac: remove unused sysrq handler for 'c' key
Eric Biggers [Tue, 4 Apr 2017 05:50:20 +0000 (22:50 -0700)]
net: ibm: emac: remove unused sysrq handler for 'c' key

Since commit d6580a9f1523 ("kexec: sysrq: simplify sysrq-c handler"),
the sysrq handler for the 'c' key has been sysrq_crash_op.  Debugging
code in the ibm_emac driver also tries to register a handler for the 'c'
key, but this has no effect because register_sysrq_key() doesn't replace
existing handlers.  Since evidently no one has cared enough to fix this
in the last 8 years, and it's very rare for drivers to register sysrq
handlers (for good reason), just remove the dead code.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago sctp: get sock from transport in sctp_transport_update_pmtu
Xin Long [Tue, 4 Apr 2017 05:39:55 +0000 (13:39 +0800)]
sctp: get sock from transport in sctp_transport_update_pmtu

This patch is almost to revert commit 02f3d4ce9e81 ("sctp: Adjust PMTU
updates to accomodate route invalidation."). As t->asoc can't be NULL
in sctp_transport_update_pmtu, it could get sk from asoc, and no need
to pass sk into that function.

It is also to remove some duplicated codes from that function.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bonding: fix active-backup transition
Mahesh Bandewar [Tue, 4 Apr 2017 01:38:39 +0000 (18:38 -0700)]
bonding: fix active-backup transition

Earlier patch c4adfc822bf5 ("bonding: make speed, duplex setting
consistent with link state") made an attempt to keep slave state
consistent with speed and duplex settings. Unfortunately link-state
transition is used to change the active link especially when used
in conjunction with mii-mon. The above mentioned patch broke that
logic. Also when speed and duplex settings for a link are updated
during a link-event, the link-status should not be changed to
invoke correct transition logic.

This patch fixes this issue by moving the link-state update outside
of the bond_update_speed_duplex() fn and to the places where this fn
is called and update link-state selectively.

Fixes: c4adfc822bf5 ("bonding: make speed, duplex setting consistent
with link state")
Signed-off-by: Mahesh Bandewar <maheshb@google.com>
Reviewed-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago netlink/diag: report flags for netlink sockets
Andrey Vagin [Tue, 4 Apr 2017 01:13:32 +0000 (18:13 -0700)]
netlink/diag: report flags for netlink sockets

cb_running is reported in /proc/self/net/netlink and it is reported by
the ss tool, when it gets information from the proc files.

sock_diag is a new interface which is used instead of proc files, so it
looks reasonable that this interface has to report no less information
about sockets than proc files.

We use these flags to dump and restore netlink sockets.

Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago qed: Add a missing error code
Dan Carpenter [Mon, 3 Apr 2017 18:25:22 +0000 (21:25 +0300)]
qed: Add a missing error code

We should be returning -ENOMEM if qed_mcp_cmd_add_elem() fails.  The
current code returns success.

Fixes: 4ed1eea82a21 ("qed: Revise MFW command locking")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Tomer Tayar <Tomer.Tayar@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: sched: choke: remove some dead code
Dan Carpenter [Mon, 3 Apr 2017 18:18:41 +0000 (21:18 +0300)]
net: sched: choke: remove some dead code

We accidentally left this dead code behind after commit 5952fde10c35
("net: sched: choke: remove dead filter classify code").

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago liquidio: clear the correct memory
Dan Carpenter [Mon, 3 Apr 2017 18:18:27 +0000 (21:18 +0300)]
liquidio: clear the correct memory

There is a cut and paste bug here so we accidentally clear the first
few bytes of "resp" a second time instead of clearing "ctx".

Fixes: 50c0add534d2 ("liquidio: refactor interrupt moderation code")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Felix Manlunas <felix.manlunas@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago net: stmmac: rx queue to dma channel mapping fix
Joao Pinto [Mon, 3 Apr 2017 15:34:04 +0000 (16:34 +0100)]
net: stmmac: rx queue to dma channel mapping fix

In hardware configurations where multiple queues are active,
the rx queue needs to be mapped into a dma channel, even if
a single rx queue is used.

Signed-off-by: Joao Pinto <jpinto@synopsys.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago phy/ethtool: Add missing SPEED_<foo> strings
Joe Perches [Sun, 2 Apr 2017 21:30:06 +0000 (14:30 -0700)]
phy/ethtool: Add missing SPEED_<foo> strings

Add all the currently available SPEED_<foo> strings.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago Merge branch 'bnxt_en-WoL-selftest-XDP_TX-optimize'
David S. Miller [Wed, 5 Apr 2017 13:24:28 +0000 (06:24 -0700)]
Merge branch 'bnxt_en-WoL-selftest-XDP_TX-optimize'

Michael Chan says:

====================
bnxt_en: Updates for net-next.

Main changes are to add WoL and selftest features, optimize XDP_TX by
using short BDs, and to cap the usage of MSIX.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Cap the msix vector with the max completion rings.
Michael Chan [Tue, 4 Apr 2017 22:14:17 +0000 (18:14 -0400)]
bnxt_en: Cap the msix vector with the max completion rings.

The current code enables up to the maximum MSIX vectors in the PCIE
config space without considering the max completion rings available.
An MSIX vector is only useful when it has an associated completion
ring, so it is better to cap it.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Use short TX BDs for the XDP TX ring.
Michael Chan [Tue, 4 Apr 2017 22:14:16 +0000 (18:14 -0400)]
bnxt_en: Use short TX BDs for the XDP TX ring.

No offload is performed on the XDP_TX ring so we can use the short TX
BDs.  This has the effect of doubling the size of the XDP TX ring so
that it now matches the size of the rx ring by default.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add interrupt test to ethtool -t selftest.
Michael Chan [Tue, 4 Apr 2017 22:14:15 +0000 (18:14 -0400)]
bnxt_en: Add interrupt test to ethtool -t selftest.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add PHY loopback to ethtool self-test.
Michael Chan [Tue, 4 Apr 2017 22:14:14 +0000 (18:14 -0400)]
bnxt_en: Add PHY loopback to ethtool self-test.

It is necessary to disable autoneg before enabling PHY loopback,
otherwise link won't come up.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add ethtool mac loopback self test.
Michael Chan [Tue, 4 Apr 2017 22:14:13 +0000 (18:14 -0400)]
bnxt_en: Add ethtool mac loopback self test.

The mac loopback self test operates in polling mode.  To support that,
we need to add functions to open and close the NIC half way.  The half
open mode allows the rings to operate without IRQ and NAPI.  We
use the XDP transmit function to send the loopback packet.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add basic ethtool -t selftest support.
Michael Chan [Tue, 4 Apr 2017 22:14:12 +0000 (18:14 -0400)]
bnxt_en: Add basic ethtool -t selftest support.

Add the basic infrastructure and only firmware tests initially.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add suspend/resume callbacks.
Michael Chan [Tue, 4 Apr 2017 22:14:11 +0000 (18:14 -0400)]
bnxt_en: Add suspend/resume callbacks.

Add suspend/resume callbacks using the newer dev_pm_ops method.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years ago bnxt_en: Add ethtool set_wol method.
Michael Chan [Tue, 4 Apr 2017 22:14:10 +0000 (18:14 -0400)]
bnxt_en: Add ethtool set_wol method.

And add functions to set and free magic packet filter.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>