1. 24 Feb, 2022 35 commits
  2. 23 Feb, 2022 5 commits
    • Xin Long's avatar
      Revert "vlan: move dev_put into vlan_dev_uninit" · 6a47cdc3
      Xin Long authored
      This reverts commit d6ff94af.
      
      Since commit faab39f6 ("net: allow out-of-order netdev unregistration")
      fixed the issue in a better way, this patch is to revert the previous fix,
      as it might bring back the old problem fixed by commit 563bcbae ("net:
      vlan: fix a UAF in vlan_dev_real_dev()").
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Link: https://lore.kernel.org/r/563c0a6e48510ccbff9ef4715de37209695e9fc4.1645592097.git.lucien.xin@gmail.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6a47cdc3
    • Sebastian Andrzej Siewior's avatar
      net: Correct wrong BH disable in hard-interrupt. · 167053f8
      Sebastian Andrzej Siewior authored
      I missed the obvious case where netif_ix() is invoked from hard-IRQ
      context.
      
      Disabling bottom halves is only needed in process context. This ensures
      that the code remains on the current CPU and that the soft-interrupts
      are processed at local_bh_enable() time.
      In hard- and soft-interrupt context this is already the case and the
      soft-interrupts will be processed once the context is left (at irq-exit
      time).
      
      Disable bottom halves if neither hard-interrupts nor soft-interrupts are
      disabled. Update the kernel-doc, mention that interrupts must be enabled
      if invoked from process context.
      
      Fixes: baebdf48 ("net: dev: Makes sure netif_rx() can be invoked in any context.")
      Reported-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Tested-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Tested-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Link: https://lore.kernel.org/r/Yg05duINKBqvnxUc@linutronix.deSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      167053f8
    • David S. Miller's avatar
      Merge branch 'locked-bridge-ports' · 6ce71687
      David S. Miller authored
      Hans Schultz says:
      
      ====================
      Add support for locked bridge ports (for 802.1X)
      
      This series starts by adding support for SA filtering to the bridge,
      which is then allowed to be offloaded to switchdev devices. Furthermore
      an offloading implementation is supplied for the mv88e6xxx driver.
      
      Public Local Area Networks are often deployed such that there is a
      risk of unauthorized or unattended clients getting access to the LAN.
      To prevent such access we introduce SA filtering, such that ports
      designated as secure ports are set in locked mode, so that only
      authorized source MAC addresses are given access by adding them to
      the bridges forwarding database. Incoming packets with source MAC
      addresses that are not in the forwarding database of the bridge are
      discarded. It is then the task of user space daemons to populate the
      bridge's forwarding database with static entries of authorized entities.
      
      The most common approach is to use the IEEE 802.1X protocol to take
      care of the authorization of allowed users to gain access by opening
      for the source address of the authorized host.
      
      With the current use of the bridge parameter in hostapd, there is
      a limitation in using this for IEEE 802.1X port authentication. It
      depends on hostapd attaching the port on which it has a successful
      authentication to the bridge, but that only allows for a single
      authentication per port. This patch set allows for the use of
      IEEE 802.1X port authentication in a more general network context with
      multiple 802.1X aware hosts behind a single port as depicted, which is
      a commonly used commercial use-case, as it is only the number of
      available entries in the forwarding database that limits the number of
      authenticated clients.
      
            +--------------------------------+
            |                                |
            |      Bridge/Authenticator      |
            |                                |
            +-------------+------------------+
             802.1X port  |
                          |
                          |
                   +------+-------+
                   |              |
                   |  Hub/Switch  |
                   |              |
                   +-+----------+-+
                     |          |
                  +--+--+    +--+--+
                  |     |    |     |
          Hosts   |  a  |    |  b  |   . . .
                  |     |    |     |
                  +-----+    +-----+
      
      The 802.1X standard involves three different components, a Supplicant
      (Host), an Authenticator (Network Access Point) and an Authentication
      Server which is typically a Radius server. This patch set thus enables
      the bridge module together with an authenticator application to serve
      as an Authenticator on designated ports.
      
      For the bridge to become an IEEE 802.1X Authenticator, a solution using
      hostapd with the bridge driver can be found at
      https://github.com/westermo/hostapd/tree/bridge_driver .
      
      The relevant components work transparently in relation to if it is the
      bridge module or the offloaded switchcore case that is in use.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ce71687
    • Hans Schultz's avatar
      selftests: forwarding: tests of locked port feature · b2b681a4
      Hans Schultz authored
      These tests check that the basic locked port feature works, so that
      no 'host' can communicate (ping) through a locked port unless the
      MAC address of the 'host' interface is in the forwarding database of
      the bridge.
      Signed-off-by: default avatarHans Schultz <schultz.hans+netdev@gmail.com>
      Acked-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2b681a4
    • Hans Schultz's avatar
      net: dsa: mv88e6xxx: Add support for bridge port locked mode · 34ea415f
      Hans Schultz authored
      Supporting bridge ports in locked mode using the drop on lock
      feature in Marvell mv88e6xxx switchcores is described in the
      '88E6096/88E6097/88E6097F Datasheet', sections 4.4.6, 4.4.7 and
      5.1.2.1 (Drop on Lock).
      
      This feature is implemented here facilitated by the locked port flag.
      Signed-off-by: default avatarHans Schultz <schultz.hans+netdev@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      34ea415f