1. 19 Jan, 2018 6 commits
  2. 16 Jan, 2018 5 commits
    • netfilter: nf_defrag: move NF_CONNTRACK bits into #ifdef · 41e4b391
      Arnd Bergmann authored
      We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is
      disabled:
      
      net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag':
      net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'
      net/ipv6/netfilter/nf_defrag_ipv6_hooks.c: In function 'ipv6_defrag':
      net/ipv6/netfilter/nf_defrag_ipv6_hooks.c:68:9: error: 'struct sk_buff' has no member named '_nfct'
      
      Both functions already have an #ifdef for this, so let's move the
      check in there.
      
      Fixes: 902d6a4c ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_defrag: mark xt_table structures 'const' again · b069b37a
      Arnd Bergmann authored
      As a side-effect of adding the module option, we now get a section
      mismatch warning:
      
      WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init()
      The variable packet_raw references
      the function __init iptable_raw_table_init()
      If the reference is valid then annotate the
      variable with __init* or __refdata (see linux/init.h) or name the variable:
      *_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console
      
      Apparently it's ok to link to a __net_init function from .rodata but not
      from .data. We can address this by rearranging the logic so that the
      structure is read-only again. Instead of writing to the .priority field
      later, we have extra copies of the structure with that flag. An added
      advantage is that we don't have writable function pointers with this
      approach.
      
      Fixes: 902d6a4c ("netfilter: nf_defrag: Skip defrag if NOTRACK is set")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460 · 83f1999c
      Subash Abhinov Kasiviswanathan authored
      ipv6_defrag pulls network headers before fragment header. In case of
      an error, the netfilter layer is currently dropping these packets.
      This results in failure of some IPv6 standards tests which passed on
      older kernels due to the netfilter framework using cloning.
      
      The test case run here is a check for ICMPv6 error message replies
      when some invalid IPv6 fragments are sent. This specific test case is
      listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf
      in the Extension Header Processing Order section.
      
      A packet with unrecognized option Type 11 is sent and the test expects
      an ICMP error in line with RFC2460 section 4.2 -
      
      11 - discard the packet and, only if the packet's Destination
           Address was not a multicast address, send an ICMP Parameter
           Problem, Code 2, message to the packet's Source Address,
           pointing to the unrecognized Option Type.
      
      Since netfilter layer now drops all invalid IPv6 frag packets, we no
      longer see the ICMP error message and fail the test case.
      
      To fix this, save the transport header. If defrag is unable to process
      the packet due to RFC2460, restore the transport header and allow packet
      to be processed by stack. There is no change for other packet
      processing paths.
      
      Tested by confirming that stack sends an ICMP error when it receives
      these packets. Also tested that fragmented ICMP pings succeed.
      
      v1->v2: Instead of cloning always, save the transport_header and
      restore it in case of this specific error. Update the title and
      commit message accordingly.
      Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: x_tables: don't return garbage pointer on modprobe failure · e3eeacba
      Florian Westphal authored
      request_module may return a positive error result from modprobe,
      if we cast this to ERR_PTR this returns a garbage result (it passes
      IS_ERR checks).
      
      Fix it by ignoring modprobe return values entirely, just retry the
      table lookup instead.
      
      Reported-by: syzbot+980925dbfbc7f93bc2ef@syzkaller.appspotmail.com
      Fixes: 03d13b68 ("netfilter: xtables: add and use xt_request_find_table_lock")
      Fixes: 20651cef ("netfilter: x_tables: unbreak module auto loading")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: flow_offload depends on flow_table · 9be9d04b
      Arnd Bergmann authored
      Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces
      a link error:
      
      net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_iterate_cleanup':
      nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'
      net/netfilter/nft_flow_offload.o: In function `flow_offload_iterate_cleanup':
      nft_flow_offload.c:(.text+0x160): undefined reference to `flow_offload_dead'
      net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_eval':
      nft_flow_offload.c:(.text+0xc4c): undefined reference to `flow_offload_alloc'
      nft_flow_offload.c:(.text+0xc64): undefined reference to `flow_offload_add'
      nft_flow_offload.c:(.text+0xc94): undefined reference to `flow_offload_free'
      
      This adds a Kconfig dependency for it.
      
      Fixes: a3c90f7a ("netfilter: nf_tables: flow offload expression")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 11 Jan, 2018 2 commits
  4. 10 Jan, 2018 14 commits
  5. 09 Jan, 2018 13 commits
    • Merge branch 'r8169-improve-runtime-pm' · 61ad6408
      David S. Miller authored
      Heiner Kallweit says:
      
      ====================
      r8169: improve runtime pm
      
      On my system with two network ports I found that runtime PM didn't
      suspend the unused port. Therefore I checked runtime pm in this driver
      in somewhat more detail and this series improves runtime pm in general
      and solves the mentioned issue.
      
      Tested on a system with RTL8168evl (MAC version 34).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • r8169: improve runtime pm in general and suspend unused ports · a92a0849
      Heiner Kallweit authored
      So far rpm doesn't cover cases like unused ports which are never
      brought up. If they are active at probe time they remain in this state.
      Included in this patch:
      
      - Let the idle notification check whether we can suspend and let it
        schedule the suspend. This way we don't need to have calls to
        pm_schedule_suspend in different places.
      
      - At the end of rtl_open and rtl_init_one send an idle notification
        to allow suspending if the link is down. If a cable is plugged in
        aneg is finished before the suspend timer expires and the suspend
        request is cancelled.
      
      - Change rtl8169_runtime_suspend to power down the chip if the
        interface is down.
      
      Successfully tested on a RTL8168evl (mac version 34).
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • r8169: improve runtime pm in rtl8169_check_link_status · ef4d5fcc
      Heiner Kallweit authored
      This patch partially reverts commit e4fbce74 "r8169: Fix runtime
      power management" from 2010. At that time the suspend delay was 100ms
      and therefore suspending happened during initial aneg. Currently
      suspend delay is 5s, so suspend starts after aneg and the issue
      doesn't exist any longer. On my system aneg takes almost 3s, to be on
      the safe side let's increase the suspend delay to 10s.
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • r8169: remove unneeded rpm ops in rtl_shutdown · b9aa1c75
      Heiner Kallweit authored
      This patch reverts commit 2a15cd2f "r8169: runtime resume before
      shutdown" from 2012. A few months after this change the underlying issue
      was solved in the PCI core with commit 3ff2de9b "PCI/PM: Resume
      device before shutdown".
      Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'tipc-improvements-to-group-messaging' · fdb533c3
      David S. Miller authored
      Jon Maloy says:
      
      ====================
      tipc: improvements to group messaging
      
      We make a number of simplifications and improvements to the group
      messaging service. They aim at readability/maintainability of the code
      as well as scalability.
      
      The series is based on commit f9c935db ("tipc: fix problems with
      multipoint-to-point flow control") which has been applied to 'net' but
      not yet to 'net-next'.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: improve poll() for group member socket · eb929a91
      Jon Maloy authored
      The current criteria for returning POLLOUT from a group member socket is
      too simplistic. It basically returns POLLOUT as soon as the group has
      external destinations, something obviously leading to a lot of spinning
      during destination congestion situations. At the same time, the internal
      congestion handling is unnecessarily complex.
      
      We now change this as follows.
      
      - We introduce an 'open' flag in struct tipc_group. This flag is used
        only to help poll() get the setting of POLLOUT right, and *not* for
        congestion handling as such. This means that a user can choose to
        ignore an EAGAIN for a destination and go on sending messages to
        other destinations in the group if he wants to.
      
      - The flag is set to false every time we return EAGAIN on a send call.
      
      - The flag is set to true every time any member, i.e., not necessarily
        the member that caused EAGAIN, is removed from the small_win list.
      
      - We remove the group member 'usr_pending' flag. The size of the send
        window and presence in the 'small_win' list is sufficient criteria
        for recognizing congestion.
      
      This solution seems to be a reasonable compromise between 'anycast',
      which is normally not waiting for POLLOUT for a specific destination,
      and the other three send modes, which are.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: improve groupcast scope handling · 232d07b7
      Jon Maloy authored
      When a member joins a group, it also indicates a binding scope. This
      makes it possible to create both node local groups, invisible to other
      nodes, as well as cluster global groups, visible everywhere.
      
      In order to avoid that different members end up having permanently
      differing views of group size and membership, we must inhibit locally
      and globally bound members from joining the same group.
      
      We do this by using the binding scope as an additional separator between
      groups. I.e., a member must ignore all membership events from sockets
      using a different scope than itself, and all lookups for message
      destinations must require an exact match between the message's lookup
      scope and the potential target's binding scope.
      
      Apart from making it possible to create local groups using the same
      identity on different nodes, a side effect of this is that it now also
      becomes possible to create a cluster global group with the same identity
      across the same nodes, without interfering with the local groups.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: add option to suppress PUBLISH events for pre-existing publications · 8348500f
      Jon Maloy authored
      Currently, when a user is subscribing for binding table publications,
      he will receive a PUBLISH event for all already existing matching items
      in the binding table.
      
      However, a group socket making a subscription doesn't need this initial
      status update from the binding table, because it has already scanned it
      during the join operation. Worse, the multiplicatory effect of issuing
      mutual events for dozens or hundreds of group members within a short time
      frame puts a heavy load on the topology server, with the end result that
      scale out operations on a big group tend to take much longer than needed.
      
      We now add a new filter option, TIPC_SUB_NO_STATUS, for topology server
      subscriptions, so that this initial avalanche of events is suppressed.
      This change, along with the previous commit, significantly improves the
      range and speed of group scale out operations.
      
      We keep the new option internal for the tipc driver, at least for now.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: send out join messages as soon as new member is discovered · d12d2e12
      Jon Maloy authored
      When a socket is joining a group, we look up in the binding table to
      find if there are already other members of the group present. This is
      used for being able to return EAGAIN instead of EHOSTUNREACH if the
      user proceeds directly to a send attempt.
      
      However, the information in the binding table can be used to directly
      set the created member in state MBR_PUBLISHED and send a JOIN message
      to the peer, instead of waiting for a topology PUBLISH event to do this.
      When there are many members in a group, the propagation time for such
      events can be significant, and we can save time during the join
      operation if we use the initial lookup result fully.
      
      In this commit, we eliminate the member state MBR_DISCOVERED which has
      been the result of the initial lookup, and do instead go directly to
      MBR_PUBLISHED, which initiates the setup.
      
      After this change, the tipc_member FSM looks as follows:
      
           +-----------+
      ---->| PUBLISHED |-----------------------------------------------+
      PUB- +-----------+                                LEAVE/WITHDRAW |
      LISH       |JOIN                                                 |
                 |     +-------------------------------------------+   |
                 |     |                            LEAVE/WITHDRAW |   |
                 |     |                +------------+             |   |
                 |     |   +----------->|  PENDING   |---------+   |   |
                 |     |   |msg/maxactv +-+---+------+  LEAVE/ |   |   |
                 |     |   |              |   |       WITHDRAW |   |   |
                 |     |   |   +----------+   |                |   |   |
                 |     |   |   |revert/maxactv|                |   |   |
                 |     |   |   V              V                V   V   V
                 |   +----------+  msg  +------------+       +-----------+
                 +-->|  JOINED  |------>|   ACTIVE   |------>|  LEAVING  |--->
                 |   +----------+       +--- -+------+ LEAVE/+-----------+DOWN
                 |        A   A               |      WITHDRAW A   A    A   EVT
                 |        |   |               |RECLAIM        |   |    |
                 |        |   |REMIT          V               |   |    |
                 |        |   |== adv   +------------+        |   |    |
                 |        |   +---------| RECLAIMING |--------+   |    |
                 |        |             +-----+------+  LEAVE/    |    |
                 |        |                   |REMIT   WITHDRAW   |    |
                 |        |                   |< adv              |    |
                 |        |msg/               V            LEAVE/ |    |
                 |        |adv==ADV_IDLE+------------+   WITHDRAW |    |
                 |        +-------------|  REMITTED  |------------+    |
                 |                      +------------+                 |
                 |PUBLISH                                              |
      JOIN +-----------+                                LEAVE/WITHDRAW |
      ---->|  JOINING  |-----------------------------------------------+
           +-----------+
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: simplify group LEAVE sequence · c2b22bcf
      Jon Maloy authored
      After the changes in the previous commit the group LEAVE sequence
      can be simplified.
      
      We now let the arrival of a LEAVE message unconditionally issue a group
      DOWN event to the user. When a topology WITHDRAW event is received, the
      member, if it is still there, is set to state LEAVING, but we only issue a
      group DOWN event when the link to the peer node is gone, so that no
      LEAVE message is to be expected.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: create group member event messages when they are needed · 7ad32bcb
      Jon Maloy authored
      In the current implementation, a group socket receiving topology
      events about other members just converts the topology event message
      into a group event message and stores it until it reaches the right
      state to issue it to the user. This complicates the code unnecessarily,
      and becomes impractical when we in the coming commits will need to
      create and issue membership events independently.
      
      In this commit, we change this so that we just notice the type and
      origin of the incoming topology event, and then drop the buffer. Only
      when it is time to actually send a group event to the user do we
      explicitly create a new message and send it upwards.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: adjustment to group member FSM · 0233493a
      Jon Maloy authored
      Analysis reveals that the member state MBR_QURANTINED in reality is
      unnecessary, and can be replaced by the state MBR_JOINING at all
      occurrences.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tipc: let group member stay in JOINED mode if unable to reclaim · 4ea5dab5
      Jon Maloy authored
      We handle a corner case in the function tipc_group_update_rcv_win().
      During extreme pressure it might happen that a message receiver has all
      its active senders in RECLAIMING or REMITTED mode, meaning that there
      is nobody to reclaim advertisements from if an additional sender tries
      to go active.
      
      Currently we just set the new sender to ACTIVE anyway, hence at least
      theoretically opening up for a receiver queue overflow by exceeding the
      MAX_ACTIVE limit. The correct solution to this is to instead add the
      member to the pending queue, while letting the oldest member in that
      queue revert to JOINED state.
      
      In this commit we refactor the code for handling message arrival from
      a JOINED member, both to make it more comprehensible and to cover the
      case described above.
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>