1. 20 Jan, 2018 2 commits
    • bpf, verifier: detect misconfigured mem, size argument pair · 90133415
      Daniel Borkmann authored
      I've seen two patch proposals now for helper additions that used
      ARG_PTR_TO_MEM or similar in reg_X but no corresponding ARG_CONST_SIZE
      in reg_X+1. Verifier won't complain in such case, but it will omit
      verifying the memory passed to the helper thus ending up badly.
      Detect such buggy helper function signature and bail out during
      verification rather than finding them through review.
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
      Acked-by: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    • samples/bpf: xdp_monitor include cpumap tracepoints in monitoring · 417f1d9f
      Jesper Dangaard Brouer authored
      The xdp_redirect_cpu sample has some "builtin" monitoring of the
      tracepoints for xdp_cpumap_*, but it is practical to have an external
      tool that can monitor these tracepoints as an easy way to troubleshoot
      an application using XDP + cpumap.
      
      Specifically I need such external tool when working on Suricata and
      XDP cpumap redirect. Extend the xdp_monitor tool sample with
      monitoring of these xdp_cpumap_* tracepoints.  Model the output format
      like xdp_redirect_cpu.
      
      Given I needed to handle per CPU decoding for cpumap, this patch also
      adds per CPU info on the existing monitor events.  This resembles part
      of the builtin monitoring output from sample xdp_rxq_info.  Thus, also
      covering part of that sample in an external monitoring tool.
      
      Performance wise, the cpumap tracepoints use bulking, which causes
      them to have very little overhead.  Thus, they are enabled by default.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
  2. 19 Jan, 2018 5 commits
  3. 18 Jan, 2018 21 commits
  4. 17 Jan, 2018 12 commits
    • Merge tag 'linux-can-next-for-4.16-20180116' of... · 4f7d5851
      David S. Miller authored
      Merge tag 'linux-can-next-for-4.16-20180116' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can-next 2018-01-16
      
      this is a pull request for net-next/master consisting of 9 patches.
      
      This is a series of patches, some of them initially by Franklin S Cooper
      Jr, which was picked up by Faiz Abbas. Faiz Abbas added some patches
      while working on this series, I contributed one as well.
      
      The first two patches add support to CAN device infrastructure to limit
      the bitrate of a CAN adapter if the used CAN-transceiver has a certain
      maximum bitrate.
      
      The remaining patches improve the m_can driver. They add support for
      bitrate limiting to the driver, clean up the driver and add support for
      runtime PM.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • vxlan: Fix trailing semicolon · 5ef7e0ba
      Luis de Bethencourt authored
      The trailing semicolon is an empty statement that does no operation.
      It is completely stripped out by the compiler. Removing it since it doesn't do
      anything.
      
      Fixes: 5f35227e ("net: Generalize ndo_gso_check to ndo_features_check")
      Signed-off-by: Luis de Bethencourt <luisbg@kernel.org>
      Acked-by: Stephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: restructure VF mgmt code · baf50868
      Ganesh Goudar authored
      Restructure the code which adds support for configuring
      PCIe VF via mgmt netdevice, which was added by
      commit 7829451c ("cxgb4: Add control net_device for
      configuring PCIe VF").
      
      Original work by: Casey Leedom <leedom@chelsio.com>
      Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Remove spinlock from get_net_ns_by_id() · 42157277
      Kirill Tkhai authored
      idr_find() is safe under rcu_read_lock() and
      maybe_get_net() guarantees that net is alive.
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Fix possible race in peernet2id_alloc() · 0c06bea9
      Kirill Tkhai authored
      peernet2id_alloc() is racy without rtnl_lock() as refcount_read(&peer->count)
      under net->nsid_lock does not guarantee that peer is alive:
      
      rcu_read_lock()
      peernet2id_alloc()                            ..
        spin_lock_bh(&net->nsid_lock)               ..
        refcount_read(&peer->count) (!= 0)          ..
        ..                                          put_net()
        ..                                            cleanup_net()
        ..                                              for_each_net(tmp)
        ..                                                spin_lock_bh(&tmp->nsid_lock)
        ..                                                __peernet2id(tmp, net) == -1
        ..                                                    ..
        ..                                                    ..
          __peernet2id_alloc(alloc == true)                   ..
        ..                                                    ..
      rcu_read_unlock()                                       ..
      ..                                                synchronize_rcu()
      ..                                                kmem_cache_free(net)
      
      After the above situation, net::netns_id contains id pointing to freed memory,
      and any other dereferencing by the id will operate with this freed memory.
      
      Currently, peernet2id_alloc() is used under rtnl_lock() everywhere except
      ovs_vport_cmd_fill_info(), and this race can't occur. But peernet2id_alloc()
      is a generic interface, and better we fix it before someone really starts
      using it in the wrong context.
      
      v2: Don't place refcount_read(&net->count) under net->nsid_lock
          as suggested by Eric W. Biederman <ebiederm@xmission.com>
      v3: Rebase on top of net-next
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'tun-allow-to-attach-eBPF-filter' · a29ae44c
      David S. Miller authored
      Jason Wang says:
      
      ====================
      tun: allow to attach eBPF filter
      
      This series tries to implement eBPF socket filter for tun. This could
      be used for implementing efficient virtio-net receive filter for
      vhost-net.
      
      Changes from V2:
      - fix typo
      - remove unnecessary double check
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tun: allow to attach ebpf socket filter · aff3d70a
      Jason Wang authored
      This patch allows userspace to attach eBPF filter to tun. This will
      allow to implement VM dataplane filtering in a more efficient way
      compared to cBPF filter by allowing either qemu or libvirt to
      attach eBPF filter to tun.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tuntap: rename struct tun_steering_prog to struct tun_prog · cd5681d7
      Jason Wang authored
      To be reused by other eBPF program other than queue selection.
      Signed-off-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'net-sched-allow-qdiscs-to-share-filter-block-instances' · ca46abd6
      David S. Miller authored
      Jiri Pirko says:
      
      ====================
      net: sched: allow qdiscs to share filter block instances
      
      Currently the filters added to qdiscs are independent. So for example if you
      have 2 netdevices and you create ingress qdisc on both and you want to add
      identical filter rules to both, you need to add them twice. This patchset
      makes this easier and mainly saves resources allowing to share all filters
      within a qdisc - I call it a "filter block". Also this helps to save
      resources when we do offload to hw for example to expensive TCAM.
      
      So back to the example. First, we create 2 qdiscs. Both will share
      block number 22. "22" is just an identification:
      $ tc qdisc add dev ens7 ingress_block 22 ingress
                              ^^^^^^^^^^^^^^^^
      $ tc qdisc add dev ens8 ingress_block 22 ingress
                              ^^^^^^^^^^^^^^^^
      
      If we don't specify "block" command line option, no shared block would
      be created:
      $ tc qdisc add dev ens9 ingress
      
      Now if we list the qdiscs, we will see the block index in the output:
      
      $ tc qdisc
      qdisc ingress ffff: dev ens7 parent ffff:fff1 ingress_block 22
      qdisc ingress ffff: dev ens8 parent ffff:fff1 ingress_block 22
      qdisc ingress ffff: dev ens9 parent ffff:fff1
      
      To make it more visual, the situation looks like this:
      
         ens7 ingress qdisc                 ens7 ingress qdisc
                |                                  |
                |                                  |
                +---------->  block 22  <----------+
      
      Unlimited number of qdiscs may share the same block.
      
      Note that this patchset introduces block sharing support also for clsact
      qdisc:
      $ tc qdisc add dev ens10 ingress_block 23 egress_block 24 clsact
      $ tc qdisc show dev ens10
      qdisc clsact ffff: dev ens10 parent ffff:fff1 ingress_block 23 egress_block 24
      
      We can add filter using the block index:
      
      $ tc filter add block 22 protocol ip pref 25 flower dst_ip 192.168.0.0/16 action drop
      
      Note we cannot use the qdisc for filter manipulations of shared blocks:
      
      $ tc filter add dev ens8 ingress protocol ip pref 1 flower dst_ip 192.168.100.2 action drop
      Error: This filter block is shared. Please use the block index to manipulate the filters.
      
      We will see the same output if we list filters for ingress qdisc of
      ens7 and ens8, also for the block 22:
      
      $ tc filter show block 22
      filter block 22 protocol ip pref 25 flower chain 0
      filter block 22 protocol ip pref 25 flower chain 0 handle 0x1
      ...
      
      $ tc filter show dev ens7 ingress
      filter block 22 protocol ip pref 25 flower chain 0
      filter block 22 protocol ip pref 25 flower chain 0 handle 0x1
      ...
      
      $ tc filter show dev ens8 ingress
      filter block 22 protocol ip pref 25 flower chain 0
      filter block 22 protocol ip pref 25 flower chain 0 handle 0x1
      ...
      
      ---
      v10->v11:
      - patch 2:
       - fixed error path when register_pernet_subsys fails pointed out by Cong
      - patch 9:
       - rebased on top of the current net-next
      
      v9->v10:
      - patch 7:
       - fixed ifindex magic in the patch description
      - userspace patches:
       - added manpages and patch descriptions
      
      v8->v9:
      - patch "net: sched: add rt netlink message type for block get" was
        removed, userspace check filter existence using qdisc dump
      
      v7->v8:
      - patch 7:
       - added comment to ifindex block magic
      - patch 9:
       - new patch
      - patch 10:
       - base this on the patch that introduces qdisc-generic block index
         attributes parsing/dumping
      - patch 13:
       - rebased on top of current net-next
      
      v6->v7:
      - patch 1:
       - unsquashed shared block patch that was previously squashed by mistake
       - fixed error path in block create - freeing chain 0
      - patch 2:
       - new patch - split from the previous one as it got accidentally
         squashed in the rebasing process in the past
       - converted to idr extended
       - removed auto-generating of block indexes. Callers have to explicitly
         tell that the block is shared by passing non-zero block index
       - fixed error path in block get ext - freeing chain 0
      - patch 7:
       - changed extack message for block index handle as suggested by DaveA
       - added extack message when block index does not exist
       - the block ifindex magic is in define and change to 0xffffffff
         as suggested by Jamal
      - patch 8:
       - new patch implementing RTM_GETBLOCK in order to query if the block
         with some index exists
      - patch 9:
       - adjust to the core changes and check block index attributes for being 0
      
      v5->v6:
      - added patch 6 that introduces block handle
      
      v4->v5:
      - patch 5:
       - add tracking of binding of devs that are unable to offload and check
         that before block cbs call.
      
      v3->v4:
      - patch 1:
       - rebased on top of the current net-next
       - added some extack strings
      - patch 3:
       - rebased on top of the current net-next
      - patch 5:
       - propagate netdev_ops->ndo_setup_tc error up to tcf_block_offload_bind
         caller
      - patch 7:
       - rebased on top of the current net-next
      
      v2->v3:
      - removed original patch 1, removing tp->q cls_bpf dependency. Fixed by
        Jakub in the meantime.
      - patch 1:
       - rebased on top of the current net-next
      - patch 5:
       - new patch
      - patch 8:
       - removed "p_" prefix from block index function args
      - patch 10:
       - add tc offload feature handling
      ====================
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_acl: Pass mlxsw_sp_port down to ruleset bind/unbind ops · 4b23258d
      Jiri Pirko authored
      No need to convert from mlxsw_sp_port to net_device and back again.
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_acl: Implement TC block sharing · 3aaff323
      Jiri Pirko authored
      Benefit from the prepared TC and in-driver ACL infrastructure and
      introduce block sharing offload. For that, a new struct "block" is
      introduced in spectrum_acl in order to hold a list of specific
      block-port bindings.
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: spectrum_acl: Don't store netdev and ingress for ruleset unbind · 02caf499
      Jiri Pirko authored
      Instead, pass netdev and ingress flag to ruleset unbind op.
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: David Ahern <dsahern@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>