GitHub/LineageOS/G12/android_kernel_amlogic_linux-4.9.git
10 years agonetfilter: conntrack: disable generic tracking for known protocols
Florian Westphal [Fri, 26 Sep 2014 09:35:42 +0000 (11:35 +0200)]
netfilter: conntrack: disable generic tracking for known protocols

Given following iptables ruleset:

-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT

One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
which we think is a security issue.

This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).

All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.

Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.

 [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html

Joint work with Daniel Borkmann.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nf_tables: store and dump set policy
Arturo Borrero [Tue, 23 Sep 2014 11:30:41 +0000 (13:30 +0200)]
netfilter: nf_tables: store and dump set policy

We want to know in which cases the user explicitly sets the policy
options. In that case, we also want to dump back the info.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: bridge: move br_netfilter out of the core
Pablo Neira Ayuso [Thu, 18 Sep 2014 09:29:03 +0000 (11:29 +0200)]
netfilter: bridge: move br_netfilter out of the core

Jesper reported that br_netfilter always registers the hooks since
this is part of the bridge core. This harms performance for people that
don't need this.

This patch modularizes br_netfilter so it can be rmmod'ed, thus,
the hooks can be unregistered. I think the bridge netfilter should have
been a separated module since the beginning, Patrick agreed on that.

Note that this is breaking compatibility for users that expect that
bridge netfilter is going to be available after explicitly 'modprobe
bridge' or via automatic load through brctl.

However, the damage can be easily undone by modprobing br_netfilter.
The bridge core also spots a message to provide a clue to people that
didn't notice that this has been deprecated.

On top of that, the plan is that nftables will not rely on this software
layer, but integrate the connection tracking into the bridge layer to
enable stateful filtering and NAT, which is was bridge netfilter users
seem to require.

This patch still keeps the fake_dst_ops in the bridge core, since this
is required by when the bridge port is initialized. So we can safely
modprobe/rmmod br_netfilter anytime.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
10 years agonetfilter: bridge: nf_bridge_copy_header as static inline in header
Pablo Neira Ayuso [Mon, 22 Sep 2014 11:28:16 +0000 (13:28 +0200)]
netfilter: bridge: nf_bridge_copy_header as static inline in header

Move nf_bridge_copy_header() as static inline in netfilter_bridge.h
header file. This patch prepares the modularization of the br_netfilter
code.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonet/netfilter/x_tables.c: use __seq_open_private()
Rob Jones [Fri, 19 Sep 2014 10:27:51 +0000 (11:27 +0100)]
net/netfilter/x_tables.c: use __seq_open_private()

Reduce boilerplate code by using __seq_open_private() instead of seq_open()
in xt_match_open() and xt_target_open().

Signed-off-by: Rob Jones <rob.jones@codethink.co.uk>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nf_tables: export rule-set generation ID
Pablo Neira Ayuso [Thu, 4 Sep 2014 12:30:22 +0000 (14:30 +0200)]
netfilter: nf_tables: export rule-set generation ID

This patch exposes the ruleset generation ID in three ways:

1) The new command NFT_MSG_GETGEN that exposes the 32-bits ruleset
   generation ID. This ID is incremented in every commit and it
   should be large enough to avoid wraparound problems.

2) The less significant 16-bits of the generation ID are exposed through
   the nfgenmsg->res_id header field. This allows us to quickly catch
   if the ruleset has change between two consecutive list dumps from
   different object lists (in this specific case I think the risk of
   wraparound is unlikely).

3) Userspace subscribers may receive notifications of new rule-set
   generation after every commit. This also provides an alternative
   way to monitor the generation ID. If the events are lost, the
   userspace process hits a overrun error, so it knows that it is
   working with a stale ruleset anyway.

Patrick spotted that rule-set transformations in userspace may take
quite some time. In that case, it annotates the 32-bits generation ID
before fetching the rule-set, then:

1) it compares it to what we obtain after the transformation to
   make sure it is not working with a stale rule-set and no wraparound
   has ocurred.

2) it subscribes to ruleset notifications, so it can watch for new
   generation ID.

This is complementary to the NLM_F_DUMP_INTR approach, which allows
us to detect an interference in the middle one single list dumping.
There is no way to explicitly check that an interference has occurred
between two list dumps from the kernel, since it doesn't know how
many lists the userspace client is actually going to dump.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nfnetlink: use original skbuff when committing/aborting
Pablo Neira Ayuso [Thu, 11 Sep 2014 12:53:17 +0000 (14:53 +0200)]
netfilter: nfnetlink: use original skbuff when committing/aborting

This allows us to access the original content of the batch from
the commit and the abort paths.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agoMerge branch 'ipvs-next'
Pablo Neira Ayuso [Thu, 18 Sep 2014 08:57:46 +0000 (10:57 +0200)]
Merge branch 'ipvs-next'

Simon Horman says:

====================
This pull requests makes the following changes:

* Add simple weighted fail-over scheduler.
  - Unlike other IPVS schedulers this offers fail-over rather than load
    balancing. Connections are directed to the appropriate server based
    solely on highest weight value and server availability.
  - Thanks to Kenny Mathis

* Support IPv6 real servers in IPv4 virtual-services and vice versa
  - This feature is supported in conjunction with the tunnel (IPIP)
    forwarding mechanism. That is, IPv4 may be forwarded in IPv6 and
    vice versa.
  - The motivation for this is to allow more flexibility in the
    choice of IP version offered by both virtual-servers and
    real-servers as they no longer need to match: An IPv4 connection from an
    end-user may be forwarded to a real-server using IPv6 and vice versa.
  - Further work need to be done to support this feature in conjunction
    with connection synchronisation. For now such configurations are
    not allowed.
  - This change includes update to netlink protocol, adding a new
    destination address family attribute. And the necessary changes
    to plumb this information throughout IPVS.
  - Thanks to Alex Gartrell and Julian Anastasov
====================

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agoipvs: Allow heterogeneous pools now that we support them
Alex Gartrell [Tue, 9 Sep 2014 23:40:39 +0000 (16:40 -0700)]
ipvs: Allow heterogeneous pools now that we support them

Remove the temporary consistency check and add a case statement to only
allow ipip mixed dests.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: use the new dest addr family field
Julian Anastasov [Tue, 9 Sep 2014 23:40:38 +0000 (16:40 -0700)]
ipvs: use the new dest addr family field

Use the new address family field cp->daf when printing
cp->daddr in logs or connection listing.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: use correct address family in scheduler logs
Julian Anastasov [Tue, 16 Sep 2014 21:09:00 +0000 (00:09 +0300)]
ipvs: use correct address family in scheduler logs

Needed to support svc->af != dest->af.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: address family of LBLCR entry depends on svc family
Julian Anastasov [Tue, 9 Sep 2014 23:40:30 +0000 (16:40 -0700)]
ipvs: address family of LBLCR entry depends on svc family

The LBLCR entries should use svc->af, not dest->af.
Needed to support svc->af != dest->af.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: address family of LBLC entry depends on svc family
Julian Anastasov [Tue, 9 Sep 2014 23:40:29 +0000 (16:40 -0700)]
ipvs: address family of LBLC entry depends on svc family

The LBLC entries should use svc->af, not dest->af.
Needed to support svc->af != dest->af.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Alex Gartrell <agartrell@fb.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding
Alex Gartrell [Tue, 9 Sep 2014 23:40:28 +0000 (16:40 -0700)]
ipvs: support ipv4 in ipv6 and ipv6 in ipv4 tunnel forwarding

Pull the common logic for preparing an skb to prepend the header into a
single function and then set fields such that they can be used in either
case (generalize tos and tclass to dscp, hop_limit and ttl to ttl, etc)

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Add generic ensure_mtu_is_adequate to handle mixed pools
Alex Gartrell [Tue, 9 Sep 2014 23:40:27 +0000 (16:40 -0700)]
ipvs: Add generic ensure_mtu_is_adequate to handle mixed pools

The out_rt functions check to see if the mtu is large enough for the packet
and, if not, send icmp messages (TOOBIG or DEST_UNREACH) to the source and
bail out.  We needed the ability to send ICMP from the out_rt_v6 function
and DEST_UNREACH from the out_rt function, so we just pulled it out into a
common function.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Pull out update_pmtu code
Alex Gartrell [Tue, 9 Sep 2014 23:40:26 +0000 (16:40 -0700)]
ipvs: Pull out update_pmtu code

Another step toward heterogeneous pools, this removes another piece of
functionality currently specific to each address family type.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Pull out crosses_local_route_boundary logic
Alex Gartrell [Tue, 9 Sep 2014 23:40:25 +0000 (16:40 -0700)]
ipvs: Pull out crosses_local_route_boundary logic

This logic is repeated in both out_rt functions so it was redundant.
Additionally, we'll need to be able to do checks to route v4 to v6 and vice
versa in order to deal with heterogeneous pools.

This patch also updates the callsites to add an additional parameter to the
out route functions.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: prevent mixing heterogeneous pools and synchronization
Alex Gartrell [Tue, 9 Sep 2014 23:40:24 +0000 (16:40 -0700)]
ipvs: prevent mixing heterogeneous pools and synchronization

The synchronization protocol is not compatible with heterogeneous pools, so
we need to verify that we're not turning both on at the same time.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Supply destination address family to ip_vs_conn_new
Alex Gartrell [Tue, 9 Sep 2014 23:40:23 +0000 (16:40 -0700)]
ipvs: Supply destination address family to ip_vs_conn_new

The assumption that dest af is equal to service af is now unreliable, so we
must specify it manually so as not to copy just the first 4 bytes of a v6
address or doing an illegal read of 16 butes on a v6 address.

We "lie" in two places: for synchronization (which we will explicitly
disallow from happening when we have heterogeneous pools) and for black
hole addresses where there's no real dest.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Pass destination address family to ip_vs_trash_get_dest
Alex Gartrell [Tue, 9 Sep 2014 23:40:22 +0000 (16:40 -0700)]
ipvs: Pass destination address family to ip_vs_trash_get_dest

Part of a series of diffs to tease out destination family from virtual
family.  This diff just adds a parameter to ip_vs_trash_get and then uses
it for comparison rather than svc->af.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Supply destination addr family to ip_vs_{lookup_dest,find_dest}
Alex Gartrell [Tue, 9 Sep 2014 23:40:21 +0000 (16:40 -0700)]
ipvs: Supply destination addr family to ip_vs_{lookup_dest,find_dest}

We need to remove the assumption that virtual address family is the same as
real address family in order to support heterogeneous services (that is,
services with v4 vips and v6 backends or the opposite).

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Add destination address family to netlink interface
Alex Gartrell [Tue, 9 Sep 2014 23:40:20 +0000 (16:40 -0700)]
ipvs: Add destination address family to netlink interface

This is necessary to support heterogeneous pools.  For example, if you have
an ipv6 addressed network, you'll want to be able to forward ipv4 traffic
into it.

This patch enforces that destination address family is the same as service
family, as none of the forwarding mechanisms support anything else.

For the old setsockopt mechanism, we simply set the dest address family to
AF_INET as we do with the service.

Signed-off-by: Alex Gartrell <agartrell@fb.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agoipvs: Add simple weighted failover scheduler
Kenny Mathis [Tue, 9 Sep 2014 13:20:15 +0000 (09:20 -0400)]
ipvs: Add simple weighted failover scheduler

Add simple weighted IPVS failover support to the Linux kernel. All
other scheduling modules implement some form of load balancing, while
this offers a simple failover solution. Connections are directed to
the appropriate server based solely on highest weight value and server
availability. Tested functionality with keepalived.

Signed-off-by: Kenny Mathis <kmathis@chokepoint.net>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
10 years agonetfilter: ipset: hash:mac type added to ipset
Jozsef Kadlecsik [Mon, 15 Sep 2014 15:36:06 +0000 (17:36 +0200)]
netfilter: ipset: hash:mac type added to ipset

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: send nonzero skbinfo extensions only
Jozsef Kadlecsik [Mon, 15 Sep 2014 15:30:54 +0000 (17:30 +0200)]
netfilter: ipset: send nonzero skbinfo extensions only

Do not send zero valued skbinfo extensions to userspace at listing.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Add skbinfo extension support to SET target.
Anton Danilov [Tue, 2 Sep 2014 10:21:20 +0000 (14:21 +0400)]
netfilter: ipset: Add skbinfo extension support to SET target.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Add skbinfo extension kernel support for the list set type.
Anton Danilov [Thu, 28 Aug 2014 06:11:30 +0000 (10:11 +0400)]
netfilter: ipset: Add skbinfo extension kernel support for the list set type.

Add skbinfo extension kernel support for the list set type.
Introduce the new revision of the list set type.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Add skbinfo extension kernel support for the hash set types.
Anton Danilov [Thu, 28 Aug 2014 06:11:29 +0000 (10:11 +0400)]
netfilter: ipset: Add skbinfo extension kernel support for the hash set types.

Add skbinfo extension kernel support for the hash set types.
Inroduce the new revisions of all hash set types.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Add skbinfo extension kernel support for the bitmap set types.
Anton Danilov [Thu, 28 Aug 2014 06:11:28 +0000 (10:11 +0400)]
netfilter: ipset: Add skbinfo extension kernel support for the bitmap set types.

Add skbinfo extension kernel support for the bitmap set types.
Inroduce the new revisions of bitmap_ip, bitmap_ipmac and bitmap_port set types.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Add skbinfo extension kernel support in the ipset core.
Anton Danilov [Thu, 28 Aug 2014 06:11:27 +0000 (10:11 +0400)]
netfilter: ipset: Add skbinfo extension kernel support in the ipset core.

Skbinfo extension provides mapping of metainformation with lookup in the ipset tables.
This patch defines the flags, the constants, the functions and the structures
for the data type independent support of the extension.
Note the firewall mark stores in the kernel structures as two 32bit values,
but transfered through netlink as one 64bit value.

Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: ipset: Fix static checker warning in ip_set_core.c
Jozsef Kadlecsik [Mon, 15 Sep 2014 18:48:26 +0000 (20:48 +0200)]
netfilter: ipset: Fix static checker warning in ip_set_core.c

Dan Carpenter reported the following static checker warning:

        net/netfilter/ipset/ip_set_core.c:1414 call_ad()
        error: 'nlh->nlmsg_len' from user is not capped properly

The payload size is limited now by the max size of size_t.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
10 years agonetfilter: masquerading needs to be independent of x_tables in Kconfig
Pablo Neira Ayuso [Thu, 11 Sep 2014 15:51:27 +0000 (17:51 +0200)]
netfilter: masquerading needs to be independent of x_tables in Kconfig

Users are starting to test nf_tables with no x_tables support. Therefore,
masquerading needs to be indenpendent of it from Kconfig.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: NFT_CHAIN_NAT_IPV* is independent of NFT_NAT
Pablo Neira Ayuso [Thu, 11 Sep 2014 15:42:00 +0000 (17:42 +0200)]
netfilter: NFT_CHAIN_NAT_IPV* is independent of NFT_NAT

Now that we have masquerading support in nf_tables, the NAT chain can
be use with it, not only for SNAT/DNAT. So make this chain type
independent of it.

While at it, move it inside the scope of 'if NF_NAT_IPV*' to simplify
dependencies.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nf_tables: add NFTA_MASQ_UNSPEC to nft_masq_attributes
Pablo Neira Ayuso [Thu, 11 Sep 2014 09:02:39 +0000 (11:02 +0200)]
netfilter: nf_tables: add NFTA_MASQ_UNSPEC to nft_masq_attributes

To keep this consistent with other nft_*_attributes.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: fix compilation of masquerading without IP_NF_TARGET_MASQUERADE
Pablo Neira Ayuso [Thu, 11 Sep 2014 14:55:04 +0000 (16:55 +0200)]
netfilter: fix compilation of masquerading without IP_NF_TARGET_MASQUERADE

 CONFIG_NF_NAT_MASQUERADE_IPV6=m
 # CONFIG_IP6_NF_TARGET_MASQUERADE is not set

results in:

net/ipv6/netfilter/nf_nat_masquerade_ipv6.c: In function â€˜nf_nat_masquerade_ipv6’:
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c:41:14: error: â€˜struct nf_conn_nat’ has no member named â€˜masq_index’
  nfct_nat(ct)->masq_index = out->ifindex;
              ^
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c: In function â€˜device_cmp’:
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c:61:12: error: â€˜const struct nf_conn_nat’ has no member named â€˜masq_index’
  return nat->masq_index == (int)(long)ifindex;
            ^
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c:62:1: warning: control
reaches end of non-void function [-Wreturn-type]
 }
 ^
make[3]: *** [net/ipv6/netfilter/nf_nat_masquerade_ipv6.o] Error 1

Fix this by using the new NF_NAT_MASQUERADE_IPV4 and _IPV6 symbols
in include/net/netfilter/nf_nat.h.

Reported-by: Jim Davis <jim.epost@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonet: bpf: only build bpf_jit_binary_{alloc, free}() when jit selected
Daniel Borkmann [Wed, 10 Sep 2014 13:01:02 +0000 (15:01 +0200)]
net: bpf: only build bpf_jit_binary_{alloc, free}() when jit selected

Since BPF JIT depends on the availability of module_alloc() and
module_free() helpers (HAVE_BPF_JIT and MODULES), we better build
that code only in case we have BPF_JIT in our config enabled, just
like with other JIT code. Fixes builds for arm/marzen_defconfig
and sh/rsk7269_defconfig.

====================
kernel/built-in.o: In function `bpf_jit_binary_alloc':
/home/cwang/linux/kernel/bpf/core.c:144: undefined reference to `module_alloc'
kernel/built-in.o: In function `bpf_jit_binary_free':
/home/cwang/linux/kernel/bpf/core.c:164: undefined reference to `module_free'
make: *** [vmlinux] Error 1
====================

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Fixes: 738cbe72adc5 ("net: bpf: consolidate JIT binary allocator")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'cxgb4-next'
David S. Miller [Wed, 10 Sep 2014 21:02:37 +0000 (14:02 -0700)]
Merge branch 'cxgb4-next'

Hariprasad Shenai says:

====================
cxgb4: Allow FW size upto 1MB, support for S25FL032P flash and misc. fixes

This patch series adds support to allow FW size upto 1MB, support for S25FL032P
flash. Fix t4_flash_erase_sectors to throw an error, when erase sector aren't in
the flash and also warning message when adapters have flashes less than 2Mb.
Adds device id of new adapter and removes device id of debug adapter.

The patches series is created against 'net-next' tree.
And includes patches on cxgb4 driver and cxgb4vf driver.

We have included all the maintainers of respective drivers. Kindly review the
change and let us know in case of any review comments.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4/cxgb4vf: Add device ID for new adapter and remove for dbg adapter
Hariprasad Shenai [Wed, 10 Sep 2014 12:14:31 +0000 (17:44 +0530)]
cxgb4/cxgb4vf: Add device ID for new adapter and remove for dbg adapter

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4: Add warning msg when attaching to adapters which have FLASHes smaller than 2Mb
Hariprasad Shenai [Wed, 10 Sep 2014 12:14:30 +0000 (17:44 +0530)]
cxgb4: Add warning msg when attaching to adapters which have FLASHes smaller than 2Mb

Based on original work by Casey Leedom <leedom@chelsio.com>

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4: Fix t4_flash_erase_sectors() to throw an error when requested to erase sectors...
Hariprasad Shenai [Wed, 10 Sep 2014 12:14:29 +0000 (17:44 +0530)]
cxgb4: Fix t4_flash_erase_sectors() to throw an error when requested to erase sectors which aren't in the FLASH

Based on original work by Casey Leedom <leedom@chelsio.com>

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4: Add support to S25FL032P flash
Hariprasad Shenai [Wed, 10 Sep 2014 12:14:28 +0000 (17:44 +0530)]
cxgb4: Add support to S25FL032P flash

Add support for Spansion S25FL032P flash
Based on original work by Dimitris Michailidis

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4: Allow T4/T5 firmware sizes up to 1MB
Hariprasad Shenai [Wed, 10 Sep 2014 12:14:27 +0000 (17:44 +0530)]
cxgb4: Allow T4/T5 firmware sizes up to 1MB

Based on original work by Casey Leedom <leedom@chelsio.com>

Signed-off-by: Hariprasad Shenai <hariprasad@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agotipc: fix sparse warnings
Erik Hugne [Wed, 10 Sep 2014 12:02:50 +0000 (14:02 +0200)]
tipc: fix sparse warnings

This fixes the following sparse warnings:
sparse: symbol 'tipc_update_nametbl' was not declared. Should it be static?
Also, the function is changed to return bool upon success, rather than a
potentially freed pointer.

Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: ethernet: arc: Don't free Rockchip resources before disconnect from phy
Romain Perier [Wed, 10 Sep 2014 07:51:13 +0000 (07:51 +0000)]
net: ethernet: arc: Don't free Rockchip resources before disconnect from phy

Free resources before being disconnected from phy and calling core driver is
wrong and should not happen. It avoids a delay of 4-5s caused by the timeout of
phy_disconnect().

Signed-off-by: Romain Perier <romain.perier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
David S. Miller [Wed, 10 Sep 2014 19:46:32 +0000 (12:46 -0700)]
Merge git://git./linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
nf-next pull request

The following patchset contains Netfilter/IPVS updates for your
net-next tree. Regarding nf_tables, most updates focus on consolidating
the NAT infrastructure and adding support for masquerading. More
specifically, they are:

1) use __u8 instead of u_int8_t in arptables header, from
   Mike Frysinger.

2) Add support to match by skb->pkttype to the meta expression, from
   Ana Rey.

3) Add support to match by cpu to the meta expression, also from
   Ana Rey.

4) A smatch warning about IPSET_ATTR_MARKMASK validation, patch from
   Vytas Dauksa.

5) Fix netnet and netportnet hash types the range support for IPv4,
   from Sergey Popovich.

6) Fix missing-field-initializer warnings resolved, from Mark Rustad.

7) Dan Carperter reported possible integer overflows in ipset, from
   Jozsef Kadlecsick.

8) Filter out accounting objects in nfacct by type, so you can
   selectively reset quotas, from Alexey Perevalov.

9) Move specific NAT IPv4 functions to the core so x_tables and
   nf_tables can share the same NAT IPv4 engine.

10) Use the new NAT IPv4 functions from nft_chain_nat_ipv4.

11) Move specific NAT IPv6 functions to the core so x_tables and
    nf_tables can share the same NAT IPv4 engine.

12) Use the new NAT IPv6 functions from nft_chain_nat_ipv6.

13) Refactor code to add nft_delrule(), which can be reused in the
    enhancement of the NFT_MSG_DELTABLE to remove a table and its
    content, from Arturo Borrero.

14) Add a helper function to unregister chain hooks, from
    Arturo Borrero.

15) A cleanup to rename to nft_delrule_by_chain for consistency with
    the new nft_*() functions, also from Arturo.

16) Add support to match devgroup to the meta expression, from Ana Rey.

17) Reduce stack usage for IPVS socket option, from Julian Anastasov.

18) Remove unnecessary textsearch state initialization in xt_string,
    from Bojan Prtvar.

19) Add several helper functions to nf_tables, more work to prepare
    the enhancement of NFT_MSG_DELTABLE, again from Arturo Borrero.

20) Enhance NFT_MSG_DELTABLE to delete a table and its content, from
    Arturo Borrero.

21) Support NAT flags in the nat expression to indicate the flavour,
    eg. random fully, from Arturo.

22) Add missing audit code to ebtables when replacing tables, from
    Nicolas Dichtel.

23) Generalize the IPv4 masquerading code to allow its re-use from
    nf_tables, from Arturo.

24) Generalize the IPv6 masquerading code, also from Arturo.

25) Add the new masq expression to support IPv4/IPv6 masquerading
    from nf_tables, also from Arturo.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonetfilter: Convert pr_warning to pr_warn
Joe Perches [Wed, 10 Sep 2014 04:17:32 +0000 (21:17 -0700)]
netfilter: Convert pr_warning to pr_warn

Use the more common pr_warn.

Other miscellanea:

o Coalesce formats
o Realign arguments

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoiucv: Convert pr_warning to pr_warn
Joe Perches [Wed, 10 Sep 2014 04:17:31 +0000 (21:17 -0700)]
iucv: Convert pr_warning to pr_warn

Use the more common pr_warn.
Coalesce formats.
Realign arguments.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agopktgen: Convert pr_warning to pr_warn
Joe Perches [Wed, 10 Sep 2014 04:17:30 +0000 (21:17 -0700)]
pktgen: Convert pr_warning to pr_warn

Use the more common pr_warn.
Realign arguments.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoatm: Convert pr_warning to pr_warn
Joe Perches [Wed, 10 Sep 2014 04:17:28 +0000 (21:17 -0700)]
atm: Convert pr_warning to pr_warn

Use the more common pr_warn.

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'ipip_sit_gro'
David S. Miller [Wed, 10 Sep 2014 04:29:50 +0000 (21:29 -0700)]
Merge branch 'ipip_sit_gro'

Tom Herbert says:

====================
net: enable GRO for IPIP and SIT

This patch sets populates the IPIP and SIT offload structures with
gro_receive and gro_complete functions. This enables use of GRO
for these. Also, fixed a problem in IPv6 where we were not properly
initializing flush_id.

Peformance results are below. Note that these tests were done on bnx2x
which doesn't provide RX checksum offload of IPIP or SIT (i.e. does
not give CHEKCSUM_COMPLETE). Also, we don't get 4-tuple hash for RSS
only 2-tuple in this case so all the packets between two hosts are
winding up on the same queue. Net result is the interrupting CPU is
the bottleneck in GRO (checksumming every packet there).

Testing:

netperf TCP_STREAM between two hosts using bnx2x.

* Before fix

IPIP
  1 connection
    6.53% CPU utilization
    6544.71 Mbps
  20 connections
    13.79% CPU utilization
    9284.54 Mbps

SIT
  1 connection
    6.68% CPU utilization
    5653.36 Mbps
  20 connections
    18.88% CPU utilization
    9154.61 Mbps

* After fix

IPIP
  1 connection
    5.73% CPU utilization
    9279.53 Mbps
  20 connections
    7.14% CPU utilization
    7279.35 Mbps

SIT
  1 connection
    2.95% CPU utilization
    9143.36 Mbps
  20 connections
    7.09% CPU utilization
    6255.3 Mbps
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agosit: Add gro callbacks to sit_offload
Tom Herbert [Tue, 9 Sep 2014 18:23:16 +0000 (11:23 -0700)]
sit: Add gro callbacks to sit_offload

Add ipv6_gro_receive and ipv6_gro_complete to sit_offload to
support GRO.

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipip: Add gro callbacks to ipip offload
Tom Herbert [Tue, 9 Sep 2014 18:23:15 +0000 (11:23 -0700)]
ipip: Add gro callbacks to ipip offload

Add inet_gro_receive and inet_gro_complete to ipip_offload to
support GRO.

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv6: Clear flush_id to make GRO work
Tom Herbert [Tue, 9 Sep 2014 18:23:14 +0000 (11:23 -0700)]
ipv6: Clear flush_id to make GRO work

In TCP gro we check flush_id which is derived from the IP identifier.
In IPv4 gro path the flush_id is set with the expectation that every
matched packet increments IP identifier. In IPv6, the flush_id is
never set and thus is uinitialized. What's worse is that in IPv6
over IPv4 encapsulation, the IP identifier is taken from the outer
header which is currently not incremented on every packet for Linux
stack, so GRO in this case never matches packets (identifier is
not increasing).

This patch clears flush_id for every time for a matched packet in
IPv6 gro_receive. We need to do this each time to overwrite the
setting that would be done in IPv4 gro_receive per the outer
header in IPv6 over Ipv4 encapsulation.

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agodrivers/net: Convert remaining uses of pr_warning to pr_warn
Joe Perches [Wed, 10 Sep 2014 03:27:44 +0000 (20:27 -0700)]
drivers/net: Convert remaining uses of pr_warning to pr_warn

Use the much more common pr_warn instead of pr_warning.

Other miscellanea:

o Typo fixes submiting/submitting
o Coalesce formats
o Realign arguments
o Add missing terminating '\n' to formats

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: use kfree_skb_list() helper in more places
Florian Westphal [Tue, 9 Sep 2014 23:08:46 +0000 (01:08 +0200)]
net: use kfree_skb_list() helper in more places

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv4: udp4_gro_complete() is static
Eric Dumazet [Tue, 9 Sep 2014 15:29:12 +0000 (08:29 -0700)]
ipv4: udp4_gro_complete() is static

net/ipv4/udp_offload.c:339:5: warning: symbol 'udp4_gro_complete' was
not declared. Should it be static?

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Herbert <therbert@google.com>
Fixes: 57c67ff4bd92 ("udp: additional GRO support")
Acked-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonetns: remove one sparse warning
Eric Dumazet [Tue, 9 Sep 2014 15:24:53 +0000 (08:24 -0700)]
netns: remove one sparse warning

net/core/net_namespace.c:227:18: warning: incorrect type in argument 1
(different address spaces)
net/core/net_namespace.c:227:18:    expected void const *<noident>
net/core/net_namespace.c:227:18:    got struct net_generic [noderef]
<asn:4>*gen

We can use rcu_access_pointer() here as read-side access to the pointer
was removed at least one grace period ago.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv6: udp6_gro_complete() is static
Eric Dumazet [Tue, 9 Sep 2014 15:16:17 +0000 (08:16 -0700)]
ipv6: udp6_gro_complete() is static

net/ipv6/udp_offload.c:159:5: warning: symbol 'udp6_gro_complete' was
not declared. Should it be static?

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 57c67ff4bd92 ("udp: additional GRO support")
Cc: Tom Herbert <therbert@google.com>
Acked-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv4: rcu cleanup in ip_ra_control()
Eric Dumazet [Tue, 9 Sep 2014 15:11:41 +0000 (08:11 -0700)]
ipv4: rcu cleanup in ip_ra_control()

Remove one sparse warning :
net/ipv4/ip_sockglue.c:328:22: warning: incorrect type in assignment (different address spaces)
net/ipv4/ip_sockglue.c:328:22:    expected struct ip_ra_chain [noderef] <asn:4>*next
net/ipv4/ip_sockglue.c:328:22:    got struct ip_ra_chain *[assigned] ra

And replace one rcu_assign_ptr() by RCU_INIT_POINTER() where applicable.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoipv6: mcast: remove dead debugging defines
Daniel Borkmann [Tue, 9 Sep 2014 11:07:32 +0000 (13:07 +0200)]
ipv6: mcast: remove dead debugging defines

It's not used anywhere, so just remove these.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoirda: vlsi_ir: use %*ph specifier
Andy Shevchenko [Tue, 9 Sep 2014 08:48:29 +0000 (11:48 +0300)]
irda: vlsi_ir: use %*ph specifier

Instead of looping in the code let's use kernel extension to dump small
buffers.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agor8152: use usleep_range
hayeswang [Tue, 9 Sep 2014 03:40:28 +0000 (11:40 +0800)]
r8152: use usleep_range

Replace mdelay with usleep_range to avoid busy loop.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet-timestamp: optimize sock_tx_timestamp default path
Willem de Bruijn [Mon, 8 Sep 2014 23:58:58 +0000 (19:58 -0400)]
net-timestamp: optimize sock_tx_timestamp default path

Few packets have timestamping enabled. Exit sock_tx_timestamp quickly
in this common case.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet_sched: sfq: remove unused macro
Florian Westphal [Mon, 8 Sep 2014 21:33:01 +0000 (23:33 +0200)]
net_sched: sfq: remove unused macro

not used anymore since ddecf0f
(net_sched: sfq: add optional RED on top of SFQ).

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agosfc: Convert the normal transmit complete path to dev_consume_skb_any()
Rick Jones [Tue, 9 Sep 2014 21:43:27 +0000 (14:43 -0700)]
sfc: Convert the normal transmit complete path to dev_consume_skb_any()

Convert the normal transmit completion path from dev_kfree_skb_any()
to dev_consume_skb_any() to help keep dropped packet profiling
meaningful.

Signed-off-by: Rick Jones <rick.jones2@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'bond_lock_removal'
David S. Miller [Wed, 10 Sep 2014 00:31:43 +0000 (17:31 -0700)]
Merge branch 'bond_lock_removal'

Nikolay Aleksandrov says:

====================
bonding: get rid of bond->lock

This patch-set removes the last users of bond->lock and converts the places
that needed it for sync to use curr_slave_lock or RCU as appropriate.
I've run this with lockdep and have stress-tested it via loading/unloading
and enslaving/releasing in parallel while outputting bond's proc, I didn't
see any issues. Please pay special attention to the procfs change, I've
done about an hour of stress-testing on it and have checked that the event
that causes the bonding to delete its proc entry (NETDEV_UNREGISTER) is
called before ndo_uninit() and the freeing of the dev so any readers will
sync with that. Also ran sparse checks and there were no splats.

v2: Add patch 0001/cxgb4 bond->lock removal, RTNL should be held in the
    notifier call, the other patches are the same. Also tested with
    allmodconfig to make sure there're no more users of bond->lock.
Changes from the RFC:
 use RCU in procfs instead of RTNL since RTNL might lead to a deadlock with
 unloading and also is much slower. The bond destruction syncs with proc
 via the proc locks. There's one new patch that converts primary_slave to
 use RCU as it was necessary to fix a longstanding bugs in sysfs and
 procfs and to make it easy to migrate bond's procfs to RCU. And of course
 rebased on top of net-next current.

This is the first patch-set in a series that should simplify the bond's
locking requirements and will make it easier to define the locking
conditions necessary for the various paths. The goal is to rely on RTNL
and rcu alone, an extra lock would be needed in a few special cases that
would be documented very well.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: remove last users of bond->lock and bond->lock itself
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:17:03 +0000 (23:17 +0200)]
bonding: remove last users of bond->lock and bond->lock itself

The usage of bond->lock in bond_main.c was completely unnecessary as it
didn't help to sync with anything, most of the spots already had RTNL.
Since there're no more users of bond->lock, remove it.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: options: remove bond->lock usage
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:17:02 +0000 (23:17 +0200)]
bonding: options: remove bond->lock usage

We're safe to remove the bond->lock use from the arp targets because
arp_rcv_probe no longer acquires bond->lock, only rcu_read_lock.
Also setting the primary slave is safe because noone uses the bond->lock
as a syncing mechanism for that anymore.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: procfs: clean bond->lock usage and use RCU
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:17:01 +0000 (23:17 +0200)]
bonding: procfs: clean bond->lock usage and use RCU

Use RCU to protect against slave release, the proc show function will sync
with the bond destruction by the proc locks and the fact that the bond is
released after NETDEV_UNREGISTER which causes the bonding to remove the
proc entry.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: convert primary_slave to use RCU
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:17:00 +0000 (23:17 +0200)]
bonding: convert primary_slave to use RCU

This is necessary mainly for two bonding call sites: procfs and
sysfs as it was dereferenced without any real protection.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: alb: clean bond->lock
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:16:59 +0000 (23:16 +0200)]
bonding: alb: clean bond->lock

We can remove the lock/unlock as it's no longer necessary since
RTNL should be held while calling bond_alb_set_mac_address().

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobonding: 3ad: use curr_slave_lock instead of bond->lock
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:16:58 +0000 (23:16 +0200)]
bonding: 3ad: use curr_slave_lock instead of bond->lock

In 3ad mode the only syncing needed by bond->lock is for the wq
and the recv handler, so change them to use curr_slave_lock.
There're no locking dependencies here as 3ad doesn't use
curr_slave_lock at all.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agocxgb4: remove bond->lock
Nikolay Aleksandrov [Tue, 9 Sep 2014 21:16:57 +0000 (23:16 +0200)]
cxgb4: remove bond->lock

RTNL should be already held in the notifier call so the slave list can
be traversed without a problem, remove the unnecessary bond->lock.

CC: Hariprasad S <hariprasad@chelsio.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoARM: dts: Enable emac node on the rk3188-radxarock boards
Romain Perier [Mon, 8 Sep 2014 17:14:50 +0000 (17:14 +0000)]
ARM: dts: Enable emac node on the rk3188-radxarock boards

This enables EMAC Rockchip support on radxa rock boards.

Signed-off-by: Romain Perier <romain.perier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoARM: dts: Add emac nodes to the rk3188 device tree
Romain Perier [Mon, 8 Sep 2014 17:14:49 +0000 (17:14 +0000)]
ARM: dts: Add emac nodes to the rk3188 device tree

This adds support for EMAC Rockchip driver on RK3188 SoCs.

Signed-off-by: Romain Perier <romain.perier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agodt-bindings: Document EMAC Rockchip
Romain Perier [Mon, 8 Sep 2014 17:14:48 +0000 (17:14 +0000)]
dt-bindings: Document EMAC Rockchip

This adds the necessary binding documentation for the EMAC Rockchip platform
driver found in RK3066 and RK3188 SoCs.

Signed-off-by: Romain Perier <romain.perier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoethernet: arc: Add support for Rockchip SoC layer device tree bindings
Romain Perier [Mon, 8 Sep 2014 17:14:47 +0000 (17:14 +0000)]
ethernet: arc: Add support for Rockchip SoC layer device tree bindings

This patch defines a platform glue layer for Rockchip SoCs which
support arc-emac driver. It ensures that regulator for the rmii is on
before trying to connect to the ethernet controller. It applies right
speed and mode changes to the grf when ethernet settings change.

Signed-off-by: Romain Perier <romain.perier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'bpf-next'
David S. Miller [Tue, 9 Sep 2014 23:59:03 +0000 (16:59 -0700)]
Merge branch 'bpf-next'

Daniel Borkmann says:

====================
BPF updates

[ Set applies on top of current net-next but also on top of
  Alexei's latest patches. Please see individual patches for
  more details. ]

Changelog:
 v1->v2:
  - Removed paragraph in 1st commit message
  - Rest stays the same
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: bpf: be friendly to kmemcheck
Daniel Borkmann [Mon, 8 Sep 2014 06:04:49 +0000 (08:04 +0200)]
net: bpf: be friendly to kmemcheck

Reported by Mikulas Patocka, kmemcheck currently barks out a
false positive since we don't have special kmemcheck annotation
for bitfields used in bpf_prog structure.

We currently have jited:1, len:31 and thus when accessing len
while CONFIG_KMEMCHECK enabled, kmemcheck throws a warning that
we're reading uninitialized memory.

As we don't need the whole bit universe for pages member, we
can just split it to u16 and use a bool flag for jited instead
of a bitfield.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: bpf: arm: address randomize and write protect JIT code
Daniel Borkmann [Mon, 8 Sep 2014 06:04:48 +0000 (08:04 +0200)]
net: bpf: arm: address randomize and write protect JIT code

This is the ARM variant for 314beb9bcab ("x86: bpf_jit_comp: secure bpf
jit against spraying attacks").

It is now possible to implement it due to commits 75374ad47c64 ("ARM: mm:
Define set_memory_* functions for ARM") and dca9aa92fc7c ("ARM: add
DEBUG_SET_MODULE_RONX option to Kconfig") which added infrastructure for
this facility.

Thus, this patch makes sure the BPF generated JIT code is marked RO, as
other kernel text sections, and also lets the generated JIT code start
at a pseudo random offset instead on a page boundary. The holes are filled
with illegal instructions.

JIT tested on armv7hl with BPF test suite.

Reference: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Mircea Gherzan <mgherzan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: bpf: consolidate JIT binary allocator
Daniel Borkmann [Mon, 8 Sep 2014 06:04:47 +0000 (08:04 +0200)]
net: bpf: consolidate JIT binary allocator

Introduced in commit 314beb9bcabf ("x86: bpf_jit_comp: secure bpf jit
against spraying attacks") and later on replicated in aa2d2c73c21f
("s390/bpf,jit: address randomize and write protect jit code") for
s390 architecture, write protection for BPF JIT images got added and
a random start address of the JIT code, so that it's not on a page
boundary anymore.

Since both use a very similar allocator for the BPF binary header,
we can consolidate this code into the BPF core as it's mostly JIT
independant anyway.

This will also allow for future archs that support DEBUG_SET_MODULE_RONX
to just reuse instead of reimplementing it.

JIT tested on x86_64 and s390x with BPF test suite.

Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agotcp: remove dst refcount false sharing for prequeue mode
Eric Dumazet [Mon, 8 Sep 2014 15:06:07 +0000 (08:06 -0700)]
tcp: remove dst refcount false sharing for prequeue mode

Alexander Duyck reported high false sharing on dst refcount in tcp stack
when prequeue is used. prequeue is the mechanism used when a thread is
blocked in recvmsg()/read() on a TCP socket, using a blocking model
rather than select()/poll()/epoll() non blocking one.

We already try to use RCU in input path as much as possible, but we were
forced to take a refcount on the dst when skb escaped RCU protected
region. When/if the user thread runs on different cpu, dst_release()
will then touch dst refcount again.

Commit 093162553c33 (tcp: force a dst refcount when prequeue packet)
was an example of a race fix.

It turns out the only remaining usage of skb->dst for a packet stored
in a TCP socket prequeue is IP early demux.

We can add a logic to detect when IP early demux is probably going
to use skb->dst. Because we do an optimistic check rather than duplicate
existing logic, we need to guard inet_sk_rx_dst_set() and
inet6_sk_rx_dst_set() from using a NULL dst.

Many thanks to Alexander for providing a nice bug report, git bisection,
and reproducer.

Tested using Alexander script on a 40Gb NIC, 8 RX queues.
Hosts have 24 cores, 48 hyper threads.

echo 0 >/proc/sys/net/ipv4/tcp_autocorking

for i in `seq 0 47`
do
  for j in `seq 0 2`
  do
     netperf -H $DEST -t TCP_STREAM -l 1000 \
             -c -C -T $i,$i -P 0 -- \
             -m 64 -s 64K -D &
  done
done

Before patch : ~6Mpps and ~95% cpu usage on receiver
After patch : ~9Mpps and ~35% cpu usage on receiver.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoath5k: Add missing vmalloc.h include.
Stephen Rothwell [Tue, 9 Sep 2014 23:37:11 +0000 (16:37 -0700)]
ath5k: Add missing vmalloc.h include.

After merging the wireless-next tree, today's linux-next build (powerpc
allyesconfig) failed like this:

drivers/net/wireless/ath/ath5k/debug.c: In function 'open_file_eeprom':
drivers/net/wireless/ath/ath5k/debug.c:933:2: error: implicit declaration of function 'vmalloc' [-Werror=implicit-function-declaration]
  buf = vmalloc(eesize);
  ^
drivers/net/wireless/ath/ath5k/debug.c:933:6: warning: assignment makes pointer from integer without a cast
  buf = vmalloc(eesize);
      ^
drivers/net/wireless/ath/ath5k/debug.c:960:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
  vfree(buf);
  ^

Caused by commit db906eb2101b ("ath5k: added debugfs file for dumping
eeprom").  Also reported by Guenter Roeck.

I have used Geert Uytterhoeven's suggested fix of including vmalloc.h
and so added this patch for today:

From: Stephen Rothwell <sfr@canb.auug.org.au>
Date: Mon, 8 Sep 2014 18:39:23 +1000
Subject: [PATCH] ath5k: fix debugfs addition

Reported-by: Guenter Roeck <linux@roeck-us.net>
Suggested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoethernet: ti: remove unwanted THIS_MODULE macro
Varka Bhadram [Mon, 8 Sep 2014 03:58:19 +0000 (09:28 +0530)]
ethernet: ti: remove unwanted THIS_MODULE macro

It removes the owner field updation of driver structure.
It will be automatically updated by module_platform_driver()

Signed-off-by: Varka Bhadram <varkab@cdac.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoopenvswitch: change the data type of error status to atomic_long_t
Li RongQing [Sat, 6 Sep 2014 11:06:11 +0000 (19:06 +0800)]
openvswitch: change the data type of error status to atomic_long_t

Change the date type of error status from u64 to atomic_long_t, and use atomic
operation, then remove the lock which is used to protect the error status.

The operation of atomic maybe faster than spin lock.

Cc: Pravin Shelar <pshelar@nicira.com>
Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: Cleanup of unncessary check.
Rami Rosen [Sat, 6 Sep 2014 10:08:08 +0000 (13:08 +0300)]
bridge: Cleanup of unncessary check.

This patch removes an unncessary check in the br_afspec() method of
br_netlink.c.

Signed-off-by: Rami Rosen <ramirose@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'bridge_rtnl_link'
David S. Miller [Tue, 9 Sep 2014 18:30:05 +0000 (11:30 -0700)]
Merge branch 'bridge_rtnl_link'

Jiri Pirko says:

====================
bridge: implement rtnl_link options for getting and setting bridge options

So far, only sysfs is complete interface for getting and setting bridge
options. This patchset follows-up on the similar bonding code and
allows userspace to get/set bridge master/port options using Netlink
IFLA_INFO_DATA/IFLA_INFO_SLAVE_DATA attr.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: implement rtnl_link_ops->changelink
Jiri Pirko [Fri, 5 Sep 2014 13:51:32 +0000 (15:51 +0200)]
bridge: implement rtnl_link_ops->changelink

Allow rtnetlink users to set bridge master info via IFLA_INFO_DATA attr
This initial part implements forward_delay, hello_time, max_age options.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: implement rtnl_link_ops->get_size and rtnl_link_ops->fill_info
Jiri Pirko [Fri, 5 Sep 2014 13:51:31 +0000 (15:51 +0200)]
bridge: implement rtnl_link_ops->get_size and rtnl_link_ops->fill_info

Allow rtnetlink users to get bridge master info in IFLA_INFO_DATA attr
This initial part implements forward_delay, hello_time, max_age options.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: implement rtnl_link_ops->slave_changelink
Jiri Pirko [Fri, 5 Sep 2014 13:51:30 +0000 (15:51 +0200)]
bridge: implement rtnl_link_ops->slave_changelink

Allow rtnetlink users to set port info via IFLA_INFO_SLAVE_DATA attr

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: implement rtnl_link_ops->get_slave_size and rtnl_link_ops->fill_slave_info
Jiri Pirko [Fri, 5 Sep 2014 13:51:29 +0000 (15:51 +0200)]
bridge: implement rtnl_link_ops->get_slave_size and rtnl_link_ops->fill_slave_info

Allow rtnetlink users to get port info in IFLA_INFO_SLAVE_DATA attr

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agobridge: switch order of rx_handler reg and upper dev link
Jiri Pirko [Fri, 5 Sep 2014 13:51:28 +0000 (15:51 +0200)]
bridge: switch order of rx_handler reg and upper dev link

The thing is that netdev_master_upper_dev_link calls
call_netdevice_notifiers(NETDEV_CHANGEUPPER, dev). That generates rtnl
link message and during that, rtnl_link_ops->fill_slave_info is called.
But with current ordering, rx_handler and IFF_BRIDGE_PORT are not set
yet so there would have to be check for that in fill_slave_info callback.

Resolve this by reordering to similar what bonding and team does to
avoid the check.

Also add removal of IFF_BRIDGE_PORT flag into error path.

Signed-off-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet/ipv4: bind ip_nonlocal_bind to current netns
Vincent Bernat [Fri, 5 Sep 2014 13:09:03 +0000 (15:09 +0200)]
net/ipv4: bind ip_nonlocal_bind to current netns

net.ipv4.ip_nonlocal_bind sysctl was global to all network
namespaces. This patch allows to set a different value for each
network namespace.

Signed-off-by: Vincent Bernat <vincent@bernat.im>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agoMerge branch 'ebpf'
David S. Miller [Tue, 9 Sep 2014 17:27:22 +0000 (10:27 -0700)]
Merge branch 'ebpf'

Alexei Starovoitov says:

====================
load imm64 insn and uapi/linux/bpf.h

V9->V10
- no changes, added Daniel's ack

Note they're on top of Hannes's patch in the same area [1]

V8 thread with 'why' reasoning and end goal [2]

Original set [3] of ~28 patches I'm planning to present in 4 stages:

  I. this 2 patches to fork off llvm upstreaming
 II. bpf syscall with manpage and map implementation
III. bpf program load/unload with verifier testsuite (1st user of
     instruction macros from bpf.h and 1st user of load imm64 insn)
 IV. tracing, etc

[1] http://patchwork.ozlabs.org/patch/385266/
[2] https://lkml.org/lkml/2014/8/27/628
[3] https://lkml.org/lkml/2014/8/26/859
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: filter: split filter.h and expose eBPF to user space
Alexei Starovoitov [Fri, 5 Sep 2014 05:17:18 +0000 (22:17 -0700)]
net: filter: split filter.h and expose eBPF to user space

allow user space to generate eBPF programs

uapi/linux/bpf.h: eBPF instruction set definition

linux/filter.h: the rest

This patch only moves macro definitions, but practically it freezes existing
eBPF instruction set, though new instructions can still be added in the future.

These eBPF definitions cannot go into uapi/linux/filter.h, since the names
may conflict with existing applications.

Full eBPF ISA description is in Documentation/networking/filter.txt

Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonet: filter: add "load 64-bit immediate" eBPF instruction
Alexei Starovoitov [Fri, 5 Sep 2014 05:17:17 +0000 (22:17 -0700)]
net: filter: add "load 64-bit immediate" eBPF instruction

add BPF_LD_IMM64 instruction to load 64-bit immediate value into a register.
All previous instructions were 8-byte. This is first 16-byte instruction.
Two consecutive 'struct bpf_insn' blocks are interpreted as single instruction:
insn[0].code = BPF_LD | BPF_DW | BPF_IMM
insn[0].dst_reg = destination register
insn[0].imm = lower 32-bit
insn[1].code = 0
insn[1].imm = upper 32-bit
All unused fields must be zero.

Classic BPF has similar instruction: BPF_LD | BPF_W | BPF_IMM
which loads 32-bit immediate value into a register.

x64 JITs it as single 'movabsq %rax, imm64'
arm64 may JIT as sequence of four 'movk x0, #imm16, lsl #shift' insn

Note that old eBPF programs are binary compatible with new interpreter.

It helps eBPF programs load 64-bit constant into a register with one
instruction instead of using two registers and 4 instructions:
BPF_MOV32_IMM(R1, imm32)
BPF_ALU64_IMM(BPF_LSH, R1, 32)
BPF_MOV32_IMM(R2, imm32)
BPF_ALU64_REG(BPF_OR, R1, R2)

User space generated programs will use this instruction to load constants only.

To tell kernel that user space needs a pointer the _pseudo_ variant of
this instruction may be added later, which will use extra bits of encoding
to indicate what type of pointer user space is asking kernel to provide.
For example 'off' or 'src_reg' fields can be used for such purpose.
src_reg = 1 could mean that user space is asking kernel to validate and
load in-kernel map pointer.
src_reg = 2 could mean that user space needs readonly data section pointer
src_reg = 3 could mean that user space needs a pointer to per-cpu local data
All such future pseudo instructions will not be carrying the actual pointer
as part of the instruction, but rather will be treated as a request to kernel
to provide one. The kernel will verify the request_for_a_pointer, then
will drop _pseudo_ marking and will store actual internal pointer inside
the instruction, so the end result is the interpreter and JITs never
see pseudo BPF_LD_IMM64 insns and only operate on generic BPF_LD_IMM64 that
loads 64-bit immediate into a register. User space never operates on direct
pointers and verifier can easily recognize request_for_pointer vs other
instructions.

Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
10 years agonetfilter: nf_tables: add new nft_masq expression
Arturo Borrero [Mon, 8 Sep 2014 11:45:00 +0000 (13:45 +0200)]
netfilter: nf_tables: add new nft_masq expression

The nft_masq expression is intended to perform NAT in the masquerade flavour.

We decided to have the masquerade functionality in a separated expression other
than nft_nat.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nf_nat: generalize IPv6 masquerading support for nf_tables
Arturo Borrero [Thu, 4 Sep 2014 12:06:49 +0000 (14:06 +0200)]
netfilter: nf_nat: generalize IPv6 masquerading support for nf_tables

Let's refactor the code so we can reach the masquerade functionality
from outside the xt context (ie. nftables).

The patch includes the addition of an atomic counter to the masquerade
notifier: the stuff to be done by the notifier is the same for xt and
nftables. Therefore, only one notification handler is needed.

This factorization only involves IPv6; a similar patch exists to
handle IPv4.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: nf_nat: generalize IPv4 masquerading support for nf_tables
Arturo Borrero [Thu, 4 Sep 2014 12:06:33 +0000 (14:06 +0200)]
netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables

Let's refactor the code so we can reach the masquerade functionality
from outside the xt context (ie. nftables).

The patch includes the addition of an atomic counter to the masquerade
notifier: the stuff to be done by the notifier is the same for xt and
nftables. Therefore, only one notification handler is needed.

This factorization only involves IPv4; a similar patch follows to
handle IPv6.

Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
10 years agonetfilter: ebtables: create audit records for replaces
Nicolas Dichtel [Mon, 8 Sep 2014 12:11:45 +0000 (14:11 +0200)]
netfilter: ebtables: create audit records for replaces

This is already done for x_tables (family AF_INET and AF_INET6), let's
do it for AF_BRIDGE also.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>