* Re: [PATCH] pch_gbe: compilation warning in pch_gbe_setup_rctl() fixed
From: David Miller @ 2011-10-19 3:28 UTC (permalink / raw)
To: vvs; +Cc: netdev, toshiharu-linux, vvs
In-Reply-To: <1317974359-20548-1-git-send-email-vvs@parallels.com>
From: Vasily Averin <vvs@parallels.com>
Date: Fri, 7 Oct 2011 11:59:19 +0400
> From: Vasily Averin <vvs@sw.ru>
>
> compilation warning fixed
> drivers/net/pch_gbe/pch_gbe_main.c: In function ‘pch_gbe_setup_rctl’:
> drivers/net/pch_gbe/pch_gbe_main.c:701:21: warning: unused variable ‘netdev’
>
> Signed-off-by: Vasily Averin <vvs@sw.ru>
This patch is not appropriate for the 'net' tree, and in the
'net-next' tree not only is the driver in a completely different
directory but also this warning is already fixed.
^ permalink raw reply
* Re: [PATCH] bridge: fix hang on removal of bridge via netlink
From: David Miller @ 2011-10-19 3:24 UTC (permalink / raw)
To: sri; +Cc: shemminger, netdev
In-Reply-To: <1317942169.6433.17.camel@w-sridhar.beaverton.ibm.com>
From: Sridhar Samudrala <sri@us.ibm.com>
Date: Thu, 06 Oct 2011 16:02:49 -0700
> On Thu, 2011-10-06 at 14:19 -0700, Stephen Hemminger wrote:
>> Need to cleanup bridge device timers and ports when being bridge
>> device is being removed via netlink.
>>
>> This fixes the problem of observed when doing:
>> ip link add br0 type bridge
>> ip link set dev eth1 master br0
>> ip link set br0 up
>> ip link del br0
>>
>> which would cause br0 to hang in unregister_netdev because
>> of leftover reference count.
>>
>> Reported-by: Sridhar Samudrala <sri@us.ibm.com>
>> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
>
> Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Applied to 'net' and queued up for -stable, thanks.
^ permalink raw reply
* Re: [PATCH net-next] macvlan: handle fragmented multicast frames
From: David Miller @ 2011-10-19 3:22 UTC (permalink / raw)
To: eric.dumazet; +Cc: greearb, netdev
In-Reply-To: <1317932911.3457.31.camel@edumazet-laptop>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 06 Oct 2011 22:28:31 +0200
> [PATCH net-next] macvlan: handle fragmented multicast frames
>
> Fragmented multicast frames are delivered to a single macvlan port,
> because ip defrag logic considers other samples are redundant.
>
> Implement a defrag step before trying to send the multicast frame.
>
> Reported-by: Ben Greear <greearb@candelatech.com>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Applied to net-next, thanks.
^ permalink raw reply
* Re: [PATCH net] vlan:make mtu of vlan equal to physical dev
From: Ben Greear @ 2011-10-19 2:51 UTC (permalink / raw)
To: WeipingPan; +Cc: herbert, open list:NETWORKING [GENERAL]
In-Reply-To: <4E9E30B8.5030904@gmail.com>
On 10/18/2011 07:06 PM, WeipingPan wrote:
> Hi, Herbert,
>
> What do you think of this patch ?
>
> thanks
> Weiping Pan
> On 10/08/2011 06:12 PM, Weiping Pan wrote:
>> Default mtu of vlan device is the same with mtu of physical device,
>> for example 1500, but when change physics mtu to 1600,
>> VLAN device's mtu is still 1500.
>> Certainly, you can change vlan device's mtu to 1600 manually,
>> but I think when you change physics device's mtu, VLAN's mtu should be changed
>> automatically instead of by manually.
I don't like the idea. It's perfectly valid to have the physical dev with 9000 MTU
and have vlans with 1500 MTU.
>> Steps to Reproduce:
>> 1.vconfig add eth4 3
>> 2.ifconfig eth4 mtu 1600
>> 3.check mtu on eth4.3
>>
>> And what's worse is that if you decrease mtu of pyhsical device,
>> and when you want to increase it, the mtu of vlan device won't be changed.
That *might* be worth fixing, but even so, some NICs might handle that
just fine, so my opinion is that this should not change either.
Thanks,
Ben
>>
>> Steps to Reproduce:
>> 1.vconfig add eth4 3
>> 2.ifconfig eth4 mtu 100
>> 3.ifconfig eth4 mtu 1500
>> 4.the mtu of eth4.3 is still 100
>>
>> This bug is reported by Liang Zheng(lzheng@redhat.com).
>>
>> Signed-off-by: Weiping Pan<panweiping3@gmail.com>
>> ---
>> net/8021q/vlan.c | 3 ---
>> 1 files changed, 0 insertions(+), 3 deletions(-)
>>
>> diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
>> index 8970ba1..f6072b4 100644
>> --- a/net/8021q/vlan.c
>> +++ b/net/8021q/vlan.c
>> @@ -417,9 +417,6 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
>> if (!vlandev)
>> continue;
>>
>> - if (vlandev->mtu<= dev->mtu)
>> - continue;
>> -
>> dev_set_mtu(vlandev, dev->mtu);
>> }
>> break;
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
Ben Greear <greearb@candelatech.com>
Candela Technologies Inc http://www.candelatech.com
^ permalink raw reply
* Re: [PATCH] route:ip_rt_frag_needed always return unzero
From: Gao feng @ 2011-10-19 2:33 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, kuznet, jmorris, netdev
In-Reply-To: <4E9E2929.7070701@cn.fujitsu.com>
于 2011年10月19日 09:34, Gao feng 写道:
> 2011.10.18 17:23, Eric Dumazet wrote:
>> Le mardi 18 octobre 2011 à 15:04 +0800, Gao feng a écrit :
>>> int function ip_rt_frag_need,if peer is null,
>>> there is no need to do ipprot->err_handler.
>>> I am right?
>>>
>>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>>> ---
>>> net/ipv4/route.c | 2 +-
>>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>>
>>> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
>>> index 075212e..6cde0fa 100644
>>> --- a/net/ipv4/route.c
>>> +++ b/net/ipv4/route.c
>>> @@ -1574,7 +1574,7 @@ unsigned short ip_rt_frag_needed(struct net *net, const struct iphdr *iph,
>>>
>>> atomic_inc(&__rt_peer_genid);
>>> }
>>> - return est_mtu ? : new_mtu;
>>> + return est_mtu;
>>> }
>>>
>>> static void check_peer_pmtu(struct dst_entry *dst, struct inet_peer *peer)
>>
>> No idea why you want this, your changelog is a bit cryptic :)
>>
>> Wont this bypass the raw_icmp_error(skb, protocol, info);
>> call in icmp_unreach() as well ?
>>
>>
>
> thanks Eric!
>
> I mean that the pmtu is update by inet_peer->pmtu_learned as I know.
> so in function ip_rt_frag_needed,
> if inet_peer is null or someting else make the setting of inet_peer->pmtu_learned failed.
> there is no need to call function tcp_v4_err.
>
> the call stack is
> icmp_unreach
> |
> |--->ip_rt_frag_needed(fill inet_peer)
> |
> |--->raw_icmp_error()
> |
> |--->ipprot->err_handler(tcp_v4_err or something else)
> |
> |--->tcp_v4_err(frag need icmp is triggered by tcp packet)
> |
> |--->do_pmtu_discovery
> (in this function both __sk_dst_check or dst->ops->update_pmtu
> need struct inet_peer to update pmtu)
>
> so,I think when set inet_peer->pmtu_learned failed,
> in func icmp_unreach we should goto out immediately.
>
> And it's confuse me that why func ping_err and udp_err not update the pmtu?
> What I miss?
> --
And move atomic_inc(&__rt_peer_genid) just like func ip_rt_update_pmtu?
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 6cde0fa..3e1aa5c 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1568,11 +1568,12 @@ unsigned short ip_rt_frag_needed(struct net *net, const
est_mtu = mtu;
peer->pmtu_learned = mtu;
peer->pmtu_expires = pmtu_expires;
+
+ atomic_inc(&__rt_peer_genid);
}
inet_putpeer(peer);
- atomic_inc(&__rt_peer_genid);
}
return est_mtu;
}
^ permalink raw reply related
* [PATCH 9/9] make net/core/scm.c uid comparisons user namespace aware (v2)
From: Serge E. Hallyn @ 2011-10-19 2:25 UTC (permalink / raw)
To: Serge E. Hallyn
Cc: Joe Perches, linux-kernel, ebiederm, akpm, oleg, richard, mikevs,
segoon, gregkh, dhowells, eparis, netdev
In-Reply-To: <20111018232242.GA22950@hallyn.com>
(Thanks for the suggestions, Joe.)
Currently uids are compared without regard for the user namespace.
Fix that to prevent tasks in a different user namespace from
wrongly matching on SCM_CREDENTIALS.
In the past, either your uids had to match, or you had to have
CAP_SETXID. In a namespaced world, you must either (both be in the
same user namespace and have your uids match), or you must have
CAP_SETXID targeted at the other user namespace. The latter can
happen for instance if uid 500 created a new user namespace and
now interacts with uid 0 in it.
Changelog: Oct 18:
Per Joe Perches: don't mark uidequiv and gidequiv fns inline
(let the compiler do that if appropriate), and change the flow
of id comparisons to make it clearer.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Joe Perches <joe@perches.com>
---
net/core/scm.c | 43 ++++++++++++++++++++++++++++++++++++-------
1 files changed, 36 insertions(+), 7 deletions(-)
diff --git a/net/core/scm.c b/net/core/scm.c
index 811b53f..2261607 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -43,17 +43,46 @@
* setu(g)id.
*/
-static __inline__ int scm_check_creds(struct ucred *creds)
+static bool uidequiv(const struct cred *src, struct ucred *tgt,
+ struct user_namespace *ns)
+{
+ if (src->user_ns != ns)
+ goto check_capable;
+ if (tgt->uid == src->uid ||
+ tgt->uid == src->euid ||
+ tgt->uid == src->suid)
+ return true;
+check_capable:
+ if (ns_capable(ns, CAP_SETUID))
+ return true;
+ return false;
+}
+
+static bool gidequiv(const struct cred *src, struct ucred *tgt,
+ struct user_namespace *ns)
+{
+ if (src->user_ns != ns)
+ goto check_capable;
+ if (tgt->gid == src->gid ||
+ tgt->gid == src->egid ||
+ tgt->gid == src->sgid)
+ return true;
+check_capable:
+ if (ns_capable(ns, CAP_SETGID))
+ return true;
+ return false;
+}
+
+static int scm_check_creds(struct ucred *creds, struct socket *sock)
{
const struct cred *cred = current_cred();
+ struct user_namespace *ns = sock_net(sock->sk)->user_ns;
- if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
- ((creds->uid == cred->uid || creds->uid == cred->euid ||
- creds->uid == cred->suid) || capable(CAP_SETUID)) &&
- ((creds->gid == cred->gid || creds->gid == cred->egid ||
- creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+ if ((creds->pid == task_tgid_vnr(current) || ns_capable(ns, CAP_SYS_ADMIN)) &&
+ uidequiv(cred, creds, ns) && gidequiv(cred, creds, ns)) {
return 0;
}
+
return -EPERM;
}
@@ -169,7 +198,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
goto error;
memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
- err = scm_check_creds(&p->creds);
+ err = scm_check_creds(&p->creds, sock);
if (err)
goto error;
--
1.7.5.4
^ permalink raw reply related
* Re: [PATCH net] vlan:make mtu of vlan equal to physical dev
From: WeipingPan @ 2011-10-19 2:06 UTC (permalink / raw)
To: herbert; +Cc: open list:NETWORKING [GENERAL]
In-Reply-To: <bc33a6142ce48b71b9c232a9154ed76f6048f0cb.1318068629.git.panweiping3@gmail.com>
Hi, Herbert,
What do you think of this patch ?
thanks
Weiping Pan
On 10/08/2011 06:12 PM, Weiping Pan wrote:
> Default mtu of vlan device is the same with mtu of physical device,
> for example 1500, but when change physics mtu to 1600,
> VLAN device's mtu is still 1500.
> Certainly, you can change vlan device's mtu to 1600 manually,
> but I think when you change physics device's mtu, VLAN's mtu should be changed
> automatically instead of by manually.
>
> Steps to Reproduce:
> 1.vconfig add eth4 3
> 2.ifconfig eth4 mtu 1600
> 3.check mtu on eth4.3
>
> And what's worse is that if you decrease mtu of pyhsical device,
> and when you want to increase it, the mtu of vlan device won't be changed.
>
> Steps to Reproduce:
> 1.vconfig add eth4 3
> 2.ifconfig eth4 mtu 100
> 3.ifconfig eth4 mtu 1500
> 4.the mtu of eth4.3 is still 100
>
> This bug is reported by Liang Zheng(lzheng@redhat.com).
>
> Signed-off-by: Weiping Pan<panweiping3@gmail.com>
> ---
> net/8021q/vlan.c | 3 ---
> 1 files changed, 0 insertions(+), 3 deletions(-)
>
> diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
> index 8970ba1..f6072b4 100644
> --- a/net/8021q/vlan.c
> +++ b/net/8021q/vlan.c
> @@ -417,9 +417,6 @@ static int vlan_device_event(struct notifier_block *unused, unsigned long event,
> if (!vlandev)
> continue;
>
> - if (vlandev->mtu<= dev->mtu)
> - continue;
> -
> dev_set_mtu(vlandev, dev->mtu);
> }
> break;
^ permalink raw reply
* Re: [PATCH] route:ip_rt_frag_needed always return unzero
From: Gao feng @ 2011-10-19 1:34 UTC (permalink / raw)
To: Eric Dumazet; +Cc: davem, kuznet, jmorris, netdev
In-Reply-To: <1318929797.2657.21.camel@edumazet-HP-Compaq-6005-Pro-SFF-PC>
2011.10.18 17:23, Eric Dumazet wrote:
> Le mardi 18 octobre 2011 à 15:04 +0800, Gao feng a écrit :
>> int function ip_rt_frag_need,if peer is null,
>> there is no need to do ipprot->err_handler.
>> I am right?
>>
>> Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
>> ---
>> net/ipv4/route.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/net/ipv4/route.c b/net/ipv4/route.c
>> index 075212e..6cde0fa 100644
>> --- a/net/ipv4/route.c
>> +++ b/net/ipv4/route.c
>> @@ -1574,7 +1574,7 @@ unsigned short ip_rt_frag_needed(struct net *net, const struct iphdr *iph,
>>
>> atomic_inc(&__rt_peer_genid);
>> }
>> - return est_mtu ? : new_mtu;
>> + return est_mtu;
>> }
>>
>> static void check_peer_pmtu(struct dst_entry *dst, struct inet_peer *peer)
>
> No idea why you want this, your changelog is a bit cryptic :)
>
> Wont this bypass the raw_icmp_error(skb, protocol, info);
> call in icmp_unreach() as well ?
>
>
thanks Eric!
I mean that the pmtu is update by inet_peer->pmtu_learned as I know.
so in function ip_rt_frag_needed,
if inet_peer is null or someting else make the setting of inet_peer->pmtu_learned failed.
there is no need to call function tcp_v4_err.
the call stack is
icmp_unreach
|
|--->ip_rt_frag_needed(fill inet_peer)
|
|--->raw_icmp_error()
|
|--->ipprot->err_handler(tcp_v4_err or something else)
|
|--->tcp_v4_err(frag need icmp is triggered by tcp packet)
|
|--->do_pmtu_discovery
(in this function both __sk_dst_check or dst->ops->update_pmtu
need struct inet_peer to update pmtu)
so,I think when set inet_peer->pmtu_learned failed,
in func icmp_unreach we should goto out immediately.
And it's confuse me that why func ping_err and udp_err not update the pmtu?
What I miss?
^ permalink raw reply
* Re: [RESEND] [PATCH] ll_temac: Add support for ethtool
From: Ben Hutchings @ 2011-10-18 23:29 UTC (permalink / raw)
To: Ricardo Ribalda Delgado
Cc: davem, grant.likely, sfr, u.kleine-koenig, netdev, linux-kernel
In-Reply-To: <1318960501-3544-1-git-send-email-ricardo.ribalda@gmail.com>
On Tue, 2011-10-18 at 19:55 +0200, Ricardo Ribalda Delgado wrote:
> This patch enables the ethtool interface. The implementation is done
> using the libphy helper functions.
All Ethernet drivers have been moved in net-next. This driver is now
under drivers/net/ethernet/xilinx.
> Reviewed-by: Grant Likely <grant.likely@secretlab.ca>
> Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
> ---
> drivers/net/ll_temac_main.c | 27 +++++++++++++++++++++++++++
> 1 files changed, 27 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/net/ll_temac_main.c b/drivers/net/ll_temac_main.c
> index 728fe41..91a9804 100644
> --- a/drivers/net/ll_temac_main.c
> +++ b/drivers/net/ll_temac_main.c
> @@ -957,6 +957,32 @@ static const struct attribute_group temac_attr_group = {
> .attrs = temac_device_attrs,
> };
>
> +/* ethtool support */
> +static int temac_get_settings(struct net_device *ndev, struct ethtool_cmd *cmd)
> +{
> + struct temac_local *lp = netdev_priv(ndev);
> + return phy_ethtool_gset(lp->phy_dev, cmd);
> +}
> +
> +static int temac_set_settings(struct net_device *ndev, struct ethtool_cmd *cmd)
> +{
> + struct temac_local *lp = netdev_priv(ndev);
> + return phy_ethtool_sset(lp->phy_dev, cmd);
> +}
> +
> +static int temac_nway_reset(struct net_device *ndev)
> +{
> + struct temac_local *lp = netdev_priv(ndev);
> + return phy_start_aneg(lp->phy_dev);
> +}
> +
> +static const struct ethtool_ops temac_ethtool_ops = {
> + .get_settings = temac_get_settings,
> + .set_settings = temac_set_settings,
> + .nway_reset = temac_nway_reset,
> + .get_link = ethtool_op_get_link,
> +};
> +
> static int __devinit temac_of_probe(struct platform_device *op)
> {
> struct device_node *np;
> @@ -978,6 +1004,7 @@ static int __devinit temac_of_probe(struct platform_device *op)
> ndev->flags &= ~IFF_MULTICAST; /* clear multicast */
> ndev->features = NETIF_F_SG | NETIF_F_FRAGLIST;
> ndev->netdev_ops = &temac_netdev_ops;
> + ndev->ethtool_ops= &temac_ethtool_ops;
Missing space before '='.
Ben.
> #if 0
> ndev->features |= NETIF_F_IP_CSUM; /* Can checksum TCP/UDP over IPv4. */
> ndev->features |= NETIF_F_HW_CSUM; /* Can checksum all the packets. */
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
^ permalink raw reply
* Re: [PATCH 9/9] make net/core/scm.c uid comparisons user namespace aware
From: Serge E. Hallyn @ 2011-10-18 23:22 UTC (permalink / raw)
To: Joe Perches
Cc: linux-kernel, ebiederm, akpm, oleg, richard, mikevs, segoon,
gregkh, dhowells, eparis, Serge E. Hallyn, netdev
In-Reply-To: <1318976049.2273.7.camel@Joe-Laptop>
Quoting Joe Perches (joe@perches.com):
> On Tue, 2011-10-18 at 21:54 +0000, Serge Hallyn wrote:
> > From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
>
> Hi Serge.
>
> Just some trivial style notes.
>
> > Currently uids are compared without regard for the user namespace.
> > Fix that to prevent tasks in a different user namespace from
> > wrongly matching on SCM_CREDENTIALS.
> []
> > diff --git a/net/core/scm.c b/net/core/scm.c
>
> > -static __inline__ int scm_check_creds(struct ucred *creds)
> > +static __inline__ bool uidequiv(const struct cred *src, struct ucred *tgt,
> > + struct user_namespace *ns)
>
> Perhaps inline is better than __inline__ and do these
> functions really need to be marked inline at all?
Dunno, I was just sticking with the current style.
> > +{
> > + if (src->user_ns != ns)
> > + goto check_capable;
> > + if (src->uid == tgt->uid || src->euid == tgt->uid ||
> > + src->suid == tgt->uid)
>
> Perhaps this is less prone to typo errors and are a bit
> more readable as:
>
> if (tgt->uid == src->uid ||
> tgt->uid == src->euid ||
> tgt->uid == src->suid)
I do like that better.
thanks,
-serge
^ permalink raw reply
* Re: Comment on nf_queue NF_STOLEN patch
From: Jim Sansing @ 2011-10-18 21:34 UTC (permalink / raw)
To: Eric Dumazet; +Cc: Linux Network Development list
In-Reply-To: <1318973032.19139.5.camel@edumazet-laptop>
Eric Dumazet wrote:
> Le mardi 18 octobre 2011 à 15:08 -0400, Jim Sansing a écrit :
>
>> I have been working on a kernel module that registers with netfilter,
>> and I noticed that a patch was added to nf_queue that changed the
>> handling of return code NF_FILTER from 'do nothing' to 'free the skb'.
>> I'm not sure which kernel version this went in, but the date of the
>> patch is Feb, 19, 2010.
>>
>> Everything I have read about netfilter states that it is up to the
>> netfilter hook to free the skb if NF_STOLEN is returned. The
>> implications of this patch from a hook programming perspective are:
>>
>> 1) If the skb is used after the return from the hook, it must be cloned.
>> 2) The original skb must not be freed.
>>
>> I suggest that a comment be added to include/linux/netfilter.h that says
>> explicitly the skb will be freed if NF_STOLEN is returned.
>>
>
> But its not true. Just read the code.
>
> If you are working on this stuff I recommend you take a look at
> commits :
>
> c6675233f9015d3c0460c8aab53ed9b99d915c64
> (netfilter: nf_queue: reject NF_STOLEN verdicts from userspace)
>
> fad54440438a7c231a6ae347738423cbabc936d9
> (netfilter: avoid double free in nf_reinject)
>
> 64507fdbc29c3a622180378210ecea8659b14e40
> (netfilter: nf_queue: fix NF_STOLEN skb leak)
>
> 3bc38712e3a6e0596ccb6f8299043a826f983701
> ([NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in
> nf_reinject)
>
>
I see that fad54440438a7c231a6ae347738423cbabc936d9 (netfilter: avoid
double free in nf_reinject) returns the switch case for NF_STOLEN back
to the original state, but I just downloaded 3.0.4, and the skb is still
freed. So for some versions of the kernel, the situation exists.
Hopefully anyone who runs into it will find this thread.
Later . . . Jim
^ permalink raw reply
* Re: [PATCH 9/9] make net/core/scm.c uid comparisons user namespace aware
From: Joe Perches @ 2011-10-18 22:14 UTC (permalink / raw)
To: Serge Hallyn
Cc: linux-kernel, ebiederm, akpm, oleg, richard, mikevs, segoon,
gregkh, dhowells, eparis, Serge E. Hallyn, netdev
In-Reply-To: <1318974898-21431-10-git-send-email-serge@hallyn.com>
On Tue, 2011-10-18 at 21:54 +0000, Serge Hallyn wrote:
> From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
Hi Serge.
Just some trivial style notes.
> Currently uids are compared without regard for the user namespace.
> Fix that to prevent tasks in a different user namespace from
> wrongly matching on SCM_CREDENTIALS.
[]
> diff --git a/net/core/scm.c b/net/core/scm.c
> -static __inline__ int scm_check_creds(struct ucred *creds)
> +static __inline__ bool uidequiv(const struct cred *src, struct ucred *tgt,
> + struct user_namespace *ns)
Perhaps inline is better than __inline__ and do these
functions really need to be marked inline at all?
> +{
> + if (src->user_ns != ns)
> + goto check_capable;
> + if (src->uid == tgt->uid || src->euid == tgt->uid ||
> + src->suid == tgt->uid)
Perhaps this is less prone to typo errors and are a bit
more readable as:
if (tgt->uid == src->uid ||
tgt->uid == src->euid ||
tgt->uid == src->suid)
^ permalink raw reply
* Re: [PATCH] tc: fix parallel build file with lex/yacc
From: Stephen Hemminger @ 2011-10-18 22:02 UTC (permalink / raw)
To: Mike Frysinger; +Cc: stephen.hemminger, netdev
In-Reply-To: <1318973888-29496-1-git-send-email-vapier@gentoo.org>
On Tue, 18 Oct 2011 17:38:08 -0400
Mike Frysinger <vapier@gentoo.org> wrote:
> Building iproute2 in parallel might hit the race failure:
> emp_ematch.l:2:30: fatal error: emp_ematch.yacc.h:
> No such file or directory
> make[1]: *** [emp_ematch.lex.o] Error 1
>
> This is because we currently allow the yacc/lex files to generate and
> compile in parallel. So add a simple dependency to make sure yacc has
> finished before we attempt to compile the lex output.
>
> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
applied
^ permalink raw reply
* [PATCH 9/9] make net/core/scm.c uid comparisons user namespace aware
From: Serge Hallyn @ 2011-10-18 21:54 UTC (permalink / raw)
To: linux-kernel
Cc: ebiederm, akpm, oleg, richard, mikevs, segoon, gregkh, dhowells,
eparis, Serge E. Hallyn, netdev
In-Reply-To: <1318974898-21431-1-git-send-email-serge@hallyn.com>
From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
Currently uids are compared without regard for the user namespace.
Fix that to prevent tasks in a different user namespace from
wrongly matching on SCM_CREDENTIALS.
In the past, either your uids had to match, or you had to have
CAP_SETXID. In a namespaced world, you must either (both be in the
same user namespace and have your uids match), or you must have
CAP_SETXID targeted at the other user namespace. The latter can
happen for instance if uid 500 created a new user namespace and
now interacts with uid 0 in it.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org
---
net/core/scm.c | 41 ++++++++++++++++++++++++++++++++++-------
1 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/net/core/scm.c b/net/core/scm.c
index 811b53f..4f376bf 100644
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -43,17 +43,44 @@
* setu(g)id.
*/
-static __inline__ int scm_check_creds(struct ucred *creds)
+static __inline__ bool uidequiv(const struct cred *src, struct ucred *tgt,
+ struct user_namespace *ns)
+{
+ if (src->user_ns != ns)
+ goto check_capable;
+ if (src->uid == tgt->uid || src->euid == tgt->uid ||
+ src->suid == tgt->uid)
+ return true;
+check_capable:
+ if (ns_capable(ns, CAP_SETUID))
+ return true;
+ return false;
+}
+
+static __inline__ bool gidequiv(const struct cred *src, struct ucred *tgt,
+ struct user_namespace *ns)
+{
+ if (src->user_ns != ns)
+ goto check_capable;
+ if (src->gid == tgt->gid || src->egid == tgt->gid ||
+ src->sgid == tgt->gid)
+ return true;
+check_capable:
+ if (ns_capable(ns, CAP_SETGID))
+ return true;
+ return false;
+}
+
+static __inline__ int scm_check_creds(struct ucred *creds, struct socket *sock)
{
const struct cred *cred = current_cred();
+ struct user_namespace *ns = sock_net(sock->sk)->user_ns;
- if ((creds->pid == task_tgid_vnr(current) || capable(CAP_SYS_ADMIN)) &&
- ((creds->uid == cred->uid || creds->uid == cred->euid ||
- creds->uid == cred->suid) || capable(CAP_SETUID)) &&
- ((creds->gid == cred->gid || creds->gid == cred->egid ||
- creds->gid == cred->sgid) || capable(CAP_SETGID))) {
+ if ((creds->pid == task_tgid_vnr(current) || ns_capable(ns, CAP_SYS_ADMIN)) &&
+ uidequiv(cred, creds, ns) && gidequiv(cred, creds, ns)) {
return 0;
}
+
return -EPERM;
}
@@ -169,7 +196,7 @@ int __scm_send(struct socket *sock, struct msghdr *msg, struct scm_cookie *p)
if (cmsg->cmsg_len != CMSG_LEN(sizeof(struct ucred)))
goto error;
memcpy(&p->creds, CMSG_DATA(cmsg), sizeof(struct ucred));
- err = scm_check_creds(&p->creds);
+ err = scm_check_creds(&p->creds, sock);
if (err)
goto error;
--
1.7.5.4
^ permalink raw reply related
* [PATCH 8/9] protect cap_netlink_recv from user namespaces
From: Serge Hallyn @ 2011-10-18 21:54 UTC (permalink / raw)
To: linux-kernel
Cc: ebiederm, akpm, oleg, richard, mikevs, segoon, gregkh, dhowells,
eparis, Serge E. Hallyn, netdev
In-Reply-To: <1318974898-21431-1-git-send-email-serge@hallyn.com>
From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
cap_netlink_recv() was granting privilege if a capability is in
current_cap(), regardless of the user namespace. Fix that by
targeting the capability check against the user namespace which
owns the skb.
Caller passes the user ns down because sock_net is static inline defined in
net/sock.h, which we'd rather not #include at the cap_netlink_recv function.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org
---
drivers/scsi/scsi_netlink.c | 3 ++-
include/linux/security.h | 14 +++++++++-----
kernel/audit.c | 6 ++++--
net/core/rtnetlink.c | 3 ++-
net/decnet/netfilter/dn_rtmsg.c | 3 ++-
net/ipv4/netfilter/ip_queue.c | 3 ++-
net/ipv6/netfilter/ip6_queue.c | 3 ++-
net/netfilter/nfnetlink.c | 2 +-
net/netlink/genetlink.c | 2 +-
net/xfrm/xfrm_user.c | 2 +-
security/commoncap.c | 6 ++----
security/security.c | 4 ++--
security/selinux/hooks.c | 5 +++--
13 files changed, 33 insertions(+), 23 deletions(-)
diff --git a/drivers/scsi/scsi_netlink.c b/drivers/scsi/scsi_netlink.c
index 26a8a45..0aa2e57 100644
--- a/drivers/scsi/scsi_netlink.c
+++ b/drivers/scsi/scsi_netlink.c
@@ -111,7 +111,8 @@ scsi_nl_rcv_msg(struct sk_buff *skb)
goto next_msg;
}
- if (security_netlink_recv(skb, CAP_SYS_ADMIN)) {
+ if (security_netlink_recv(skb, CAP_SYS_ADMIN,
+ sock_net(skb->sk)->user_ns)) {
err = -EPERM;
goto next_msg;
}
diff --git a/include/linux/security.h b/include/linux/security.h
index ebd2a53..cfa1f47 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -95,7 +95,8 @@ struct xfrm_user_sec_ctx;
struct seq_file;
extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
-extern int cap_netlink_recv(struct sk_buff *skb, int cap);
+extern int cap_netlink_recv(struct sk_buff *skb, int cap,
+ struct user_namespace *ns);
void reset_security_ops(void);
@@ -797,6 +798,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @skb.
* @skb contains the sk_buff structure for the netlink message.
* @cap indicates the capability required
+ * @ns is the user namespace which owns skb
* Return 0 if permission is granted.
*
* Security hooks for Unix domain networking.
@@ -1557,7 +1559,8 @@ struct security_operations {
struct sembuf *sops, unsigned nsops, int alter);
int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
- int (*netlink_recv) (struct sk_buff *skb, int cap);
+ int (*netlink_recv) (struct sk_buff *skb, int cap,
+ struct user_namespace *ns);
void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
@@ -1806,7 +1809,7 @@ void security_d_instantiate(struct dentry *dentry, struct inode *inode);
int security_getprocattr(struct task_struct *p, char *name, char **value);
int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
-int security_netlink_recv(struct sk_buff *skb, int cap);
+int security_netlink_recv(struct sk_buff *skb, int cap, struct user_namespace *ns);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
@@ -2498,9 +2501,10 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return cap_netlink_send(sk, skb);
}
-static inline int security_netlink_recv(struct sk_buff *skb, int cap)
+static inline int security_netlink_recv(struct sk_buff *skb, int cap,
+ struct user_namespace *ns)
{
- return cap_netlink_recv(skb, cap);
+ return cap_netlink_recv(skb, cap, ns);
}
static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
diff --git a/kernel/audit.c b/kernel/audit.c
index 0a1355c..48144c4 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -601,13 +601,15 @@ static int audit_netlink_ok(struct sk_buff *skb, u16 msg_type)
case AUDIT_TTY_SET:
case AUDIT_TRIM:
case AUDIT_MAKE_EQUIV:
- if (security_netlink_recv(skb, CAP_AUDIT_CONTROL))
+ if (security_netlink_recv(skb, CAP_AUDIT_CONTROL,
+ sock_net(skb->sk)->user_ns))
err = -EPERM;
break;
case AUDIT_USER:
case AUDIT_FIRST_USER_MSG ... AUDIT_LAST_USER_MSG:
case AUDIT_FIRST_USER_MSG2 ... AUDIT_LAST_USER_MSG2:
- if (security_netlink_recv(skb, CAP_AUDIT_WRITE))
+ if (security_netlink_recv(skb, CAP_AUDIT_WRITE,
+ sock_net(skb->sk)->user_ns))
err = -EPERM;
break;
default: /* bad msg */
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 99d9e95..4a444de 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -1931,7 +1931,8 @@ static int rtnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
sz_idx = type>>2;
kind = type&3;
- if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (kind != 2 && security_netlink_recv(skb, CAP_NET_ADMIN,
+ net->user_ns))
return -EPERM;
if (kind == 2 && nlh->nlmsg_flags&NLM_F_DUMP) {
diff --git a/net/decnet/netfilter/dn_rtmsg.c b/net/decnet/netfilter/dn_rtmsg.c
index 69975e0..2d052ab 100644
--- a/net/decnet/netfilter/dn_rtmsg.c
+++ b/net/decnet/netfilter/dn_rtmsg.c
@@ -108,7 +108,8 @@ static inline void dnrmg_receive_user_skb(struct sk_buff *skb)
if (nlh->nlmsg_len < sizeof(*nlh) || skb->len < nlh->nlmsg_len)
return;
- if (security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (security_netlink_recv(skb, CAP_NET_ADMIN,
+ sock_net(skb->sk)->user_ns))
RCV_SKB_FAIL(-EPERM);
/* Eventually we might send routing messages too */
diff --git a/net/ipv4/netfilter/ip_queue.c b/net/ipv4/netfilter/ip_queue.c
index e59aabd..d20bede 100644
--- a/net/ipv4/netfilter/ip_queue.c
+++ b/net/ipv4/netfilter/ip_queue.c
@@ -430,7 +430,8 @@ __ipq_rcv_skb(struct sk_buff *skb)
if (type <= IPQM_BASE)
return;
- if (security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (security_netlink_recv(skb, CAP_NET_ADMIN,
+ sock_net(skb->sk)->user_ns))
RCV_SKB_FAIL(-EPERM);
spin_lock_bh(&queue_lock);
diff --git a/net/ipv6/netfilter/ip6_queue.c b/net/ipv6/netfilter/ip6_queue.c
index e63c397..09db01c 100644
--- a/net/ipv6/netfilter/ip6_queue.c
+++ b/net/ipv6/netfilter/ip6_queue.c
@@ -431,7 +431,8 @@ __ipq_rcv_skb(struct sk_buff *skb)
if (type <= IPQM_BASE)
return;
- if (security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (security_netlink_recv(skb, CAP_NET_ADMIN,
+ sock_net(skb->sk)->user_ns))
RCV_SKB_FAIL(-EPERM);
spin_lock_bh(&queue_lock);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 1905976..bcaff9d 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -130,7 +130,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
const struct nfnetlink_subsystem *ss;
int type, err;
- if (security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (security_netlink_recv(skb, CAP_NET_ADMIN, net->user_ns))
return -EPERM;
/* All the messages must at least contain nfgenmsg */
diff --git a/net/netlink/genetlink.c b/net/netlink/genetlink.c
index 482fa57..00a101c 100644
--- a/net/netlink/genetlink.c
+++ b/net/netlink/genetlink.c
@@ -516,7 +516,7 @@ static int genl_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
return -EOPNOTSUPP;
if ((ops->flags & GENL_ADMIN_PERM) &&
- security_netlink_recv(skb, CAP_NET_ADMIN))
+ security_netlink_recv(skb, CAP_NET_ADMIN, net->user_ns))
return -EPERM;
if (nlh->nlmsg_flags & NLM_F_DUMP) {
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 0256b8a..1808e1e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2290,7 +2290,7 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
link = &xfrm_dispatch[type];
/* All operations require privileges, even GET */
- if (security_netlink_recv(skb, CAP_NET_ADMIN))
+ if (security_netlink_recv(skb, CAP_NET_ADMIN, net->user_ns))
return -EPERM;
if ((type == (XFRM_MSG_GETSA - XFRM_MSG_BASE) ||
diff --git a/security/commoncap.c b/security/commoncap.c
index a93b3b7..1e48e6a 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -56,11 +56,9 @@ int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
return 0;
}
-int cap_netlink_recv(struct sk_buff *skb, int cap)
+int cap_netlink_recv(struct sk_buff *skb, int cap, struct user_namespace *ns)
{
- if (!cap_raised(current_cap(), cap))
- return -EPERM;
- return 0;
+ return security_capable(ns, current_cred(), cap);
}
EXPORT_SYMBOL(cap_netlink_recv);
diff --git a/security/security.c b/security/security.c
index 0e4fccf..0a1453e 100644
--- a/security/security.c
+++ b/security/security.c
@@ -941,9 +941,9 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb)
return security_ops->netlink_send(sk, skb);
}
-int security_netlink_recv(struct sk_buff *skb, int cap)
+int security_netlink_recv(struct sk_buff *skb, int cap, struct user_namespace *ns)
{
- return security_ops->netlink_recv(skb, cap);
+ return security_ops->netlink_recv(skb, cap, ns);
}
EXPORT_SYMBOL(security_netlink_recv);
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 266a229..fe290bb 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4723,13 +4723,14 @@ static int selinux_netlink_send(struct sock *sk, struct sk_buff *skb)
return selinux_nlmsg_perm(sk, skb);
}
-static int selinux_netlink_recv(struct sk_buff *skb, int capability)
+static int selinux_netlink_recv(struct sk_buff *skb, int capability,
+ struct user_namespace *ns)
{
int err;
struct common_audit_data ad;
u32 sid;
- err = cap_netlink_recv(skb, capability);
+ err = cap_netlink_recv(skb, capability, ns);
if (err)
return err;
--
1.7.5.4
^ permalink raw reply related
* [PATCH 7/9] user namespace: make each net (net_ns) belong to a user_ns
From: Serge Hallyn @ 2011-10-18 21:54 UTC (permalink / raw)
To: linux-kernel
Cc: ebiederm, akpm, oleg, richard, mikevs, segoon, gregkh, dhowells,
eparis, Serge E. Hallyn, netdev
In-Reply-To: <1318974898-21431-1-git-send-email-serge@hallyn.com>
From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
The user namespace which creates a new network namespace owns that
namespace and all resources created in it. This way we can target
capability checks for privileged operations against network resources to
the user_ns which created the network namespace in which the resource
lives. Privilege to the user namespace which owns the network
namespace, or any parent user namespace thereof, provides the same
privilege to the network resource.
Changelog:
jul 8: nsproxy: don't assign netns->userns if not cloning.
Signed-off-by: Serge E. Hallyn <serge.hallyn@canonical.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: netdev@vger.kernel.org
---
include/net/net_namespace.h | 2 ++
kernel/nsproxy.c | 2 ++
net/core/net_namespace.c | 3 +++
3 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 3bb6fa0..d91fe5f 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -29,6 +29,7 @@ struct ctl_table_header;
struct net_generic;
struct sock;
struct netns_ipvs;
+struct user_namespace;
#define NETDEV_HASHBITS 8
@@ -101,6 +102,7 @@ struct net {
struct netns_xfrm xfrm;
#endif
struct netns_ipvs *ipvs;
+ struct user_namespace *user_ns;
};
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 9aeab4b..0d5bf8d 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -95,6 +95,8 @@ static struct nsproxy *create_new_namespaces(unsigned long flags,
err = PTR_ERR(new_nsp->net_ns);
goto out_net;
}
+ if (flags & CLONE_NEWNET)
+ new_nsp->net_ns->user_ns = get_user_ns(task_cred_xxx(tsk, user_ns));
return new_nsp;
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 5bbdbf0..791c19c 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -10,6 +10,7 @@
#include <linux/nsproxy.h>
#include <linux/proc_fs.h>
#include <linux/file.h>
+#include <linux/user_namespace.h>
#include <net/net_namespace.h>
#include <net/netns/generic.h>
@@ -209,6 +210,7 @@ static void net_free(struct net *net)
}
#endif
kfree(net->gen);
+ put_user_ns(net->user_ns);
kmem_cache_free(net_cachep, net);
}
@@ -389,6 +391,7 @@ static int __init net_ns_init(void)
rcu_assign_pointer(init_net.gen, ng);
mutex_lock(&net_mutex);
+ init_net.user_ns = &init_user_ns;
if (setup_net(&init_net))
panic("Could not setup the initial network namespace");
--
1.7.5.4
^ permalink raw reply related
* [PATCH] tc: fix parallel build file with lex/yacc
From: Mike Frysinger @ 2011-10-18 21:38 UTC (permalink / raw)
To: stephen.hemminger, netdev
Building iproute2 in parallel might hit the race failure:
emp_ematch.l:2:30: fatal error: emp_ematch.yacc.h:
No such file or directory
make[1]: *** [emp_ematch.lex.o] Error 1
This is because we currently allow the yacc/lex files to generate and
compile in parallel. So add a simple dependency to make sure yacc has
finished before we attempt to compile the lex output.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
---
tc/Makefile | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/tc/Makefile b/tc/Makefile
index 08aa4ce..b2ca165 100644
--- a/tc/Makefile
+++ b/tc/Makefile
@@ -136,6 +136,11 @@ m_xt_old.so: m_xt_old.c
%.lex.c: %.l
$(LEX) $(LEXFLAGS) -o$@ $<
+# our lexer includes the header from yacc, so make sure
+# we don't attempt to compile it before the header has
+# been generated as part of the yacc step.
+emp_ematch.lex.o: emp_ematch.yacc.c
+
ifneq ($(SHARED_LIBS),y)
tc: static-syms.o
--
1.7.6.1
^ permalink raw reply related
* Re: Comment on nf_queue NF_STOLEN patch
From: Eric Dumazet @ 2011-10-18 21:23 UTC (permalink / raw)
To: Jim Sansing; +Cc: Linux Network Development list
In-Reply-To: <4E9DCEAD.7070603@verizon.net>
Le mardi 18 octobre 2011 à 15:08 -0400, Jim Sansing a écrit :
> I have been working on a kernel module that registers with netfilter,
> and I noticed that a patch was added to nf_queue that changed the
> handling of return code NF_FILTER from 'do nothing' to 'free the skb'.
> I'm not sure which kernel version this went in, but the date of the
> patch is Feb, 19, 2010.
>
> Everything I have read about netfilter states that it is up to the
> netfilter hook to free the skb if NF_STOLEN is returned. The
> implications of this patch from a hook programming perspective are:
>
> 1) If the skb is used after the return from the hook, it must be cloned.
> 2) The original skb must not be freed.
>
> I suggest that a comment be added to include/linux/netfilter.h that says
> explicitly the skb will be freed if NF_STOLEN is returned.
But its not true. Just read the code.
If you are working on this stuff I recommend you take a look at
commits :
c6675233f9015d3c0460c8aab53ed9b99d915c64
(netfilter: nf_queue: reject NF_STOLEN verdicts from userspace)
fad54440438a7c231a6ae347738423cbabc936d9
(netfilter: avoid double free in nf_reinject)
64507fdbc29c3a622180378210ecea8659b14e40
(netfilter: nf_queue: fix NF_STOLEN skb leak)
3bc38712e3a6e0596ccb6f8299043a826f983701
([NETFILTER]: nf_queue: handle NF_STOP and unknown verdicts in
nf_reinject)
^ permalink raw reply
* [PATCH 2/2] batman-adv: correctly set the data field in the TT_REPONSE packet
From: Marek Lindner @ 2011-10-18 21:01 UTC (permalink / raw)
To: davem; +Cc: netdev, b.a.t.m.a.n, Antonio Quartulli, Marek Lindner
In-Reply-To: <1318971669-941-1-git-send-email-lindner_marek@yahoo.de>
From: Antonio Quartulli <ordex@autistici.org>
In the TT_RESPONSE packet, the number of carried entries is not correctly set.
This leads to a wrong interpretation of the packet payload on the receiver side
causing random entries to be added to the global translation table. Therefore
the latter gets always corrupted, triggering a table recovery all the time.
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
net/batman-adv/translation-table.c | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index f599db9..ef1acfd 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -999,7 +999,6 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn,
tt_response = (struct tt_query_packet *)skb_put(skb,
tt_query_size + tt_len);
tt_response->ttvn = ttvn;
- tt_response->tt_data = htons(tt_tot);
tt_change = (struct tt_change *)(skb->data + tt_query_size);
tt_count = 0;
@@ -1025,6 +1024,10 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn,
}
rcu_read_unlock();
+ /* store in the message the number of entries we have successfully
+ * copied */
+ tt_response->tt_data = htons(tt_count);
+
out:
return skb;
}
--
1.7.5.4
^ permalink raw reply related
* [PATCH 1/2] batman-adv: fix tt_local_reset_flags() function
From: Marek Lindner @ 2011-10-18 21:01 UTC (permalink / raw)
To: davem-fT/PcQaiUtIeIZ0/mPfg9Q
Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
b.a.t.m.a.n-ZwoEplunGu2X36UT3dwllkB+6BGkLq7r, Marek Lindner
In-Reply-To: <1318971669-941-1-git-send-email-lindner_marek-LWAfsSFWpa4@public.gmane.org>
From: Antonio Quartulli <ordex-GaUfNO9RBHfsrOwW+9ziJQ@public.gmane.org>
Currently the counter of tt_local_entry structures (tt_local_num) is incremented
each time the tt_local_reset_flags() is invoked causing the node to send wrong
TT_REPONSE packets containing a copy of non-initialised memory thus corrupting
other nodes global translation table and making higher level communication
impossible.
Reported-by: Junkeun Song <jun361-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Antonio Quartulli <ordex-GaUfNO9RBHfsrOwW+9ziJQ@public.gmane.org>
Acked-by: Junkeun Song <jun361-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Signed-off-by: Marek Lindner <lindner_marek-LWAfsSFWpa4@public.gmane.org>
---
net/batman-adv/translation-table.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index fb6931d..f599db9 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -1668,6 +1668,8 @@ static void tt_local_reset_flags(struct bat_priv *bat_priv, uint16_t flags)
rcu_read_lock();
hlist_for_each_entry_rcu(tt_local_entry, node,
head, hash_entry) {
+ if (!(tt_local_entry->flags & flags))
+ continue;
tt_local_entry->flags &= ~flags;
atomic_inc(&bat_priv->num_local_tt);
}
--
1.7.5.4
^ permalink raw reply related
* pull request: batman-adv 2011-10-18 (more regression fixes)
From: Marek Lindner @ 2011-10-18 21:01 UTC (permalink / raw)
To: davem-fT/PcQaiUtIeIZ0/mPfg9Q
Cc: netdev-u79uwXL29TY76Z2rM5mHXA,
b.a.t.m.a.n-ZwoEplunGu2X36UT3dwllkB+6BGkLq7r
Hi David,
we have identified and fixed 2 more critical bugs in the linux-3.1
code base. We are somewhat late in the 3.1 release cycle but hoped
to take advantage of the delayed release to get these patches
included before the final version is out. If not I will have to
send these patches to stable@ and would like to see these patches
applied to net-next-2.6/3.2. No merge conflicts are to be expected.
Let us know what works best for you.
Thanks,
Marek
The following changes since commit 8b267b312df9343fea3bd679c509b36214b5a854:
batman-adv: do_bcast has to be true for broadcast packets only (2011-09-22 20:27:10 +0200)
are available in the git repository at:
git://git.open-mesh.org/linux-merge.git batman-adv/maint
Antonio Quartulli (2):
batman-adv: fix tt_local_reset_flags() function
batman-adv: correctly set the data field in the TT_REPONSE packet
net/batman-adv/translation-table.c | 7 ++++++-
1 files changed, 6 insertions(+), 1 deletions(-)
^ permalink raw reply
* Comment on nf_queue NF_STOLEN patch
From: Jim Sansing @ 2011-10-18 19:08 UTC (permalink / raw)
To: Linux Network Development list
In-Reply-To: <CAEuXFEy89F_=J_PJMSbQ1fDcOEkkpz2vucq3LcToi7rTcZHcDA@mail.gmail.com>
I have been working on a kernel module that registers with netfilter,
and I noticed that a patch was added to nf_queue that changed the
handling of return code NF_FILTER from 'do nothing' to 'free the skb'.
I'm not sure which kernel version this went in, but the date of the
patch is Feb, 19, 2010.
Everything I have read about netfilter states that it is up to the
netfilter hook to free the skb if NF_STOLEN is returned. The
implications of this patch from a hook programming perspective are:
1) If the skb is used after the return from the hook, it must be cloned.
2) The original skb must not be freed.
I suggest that a comment be added to include/linux/netfilter.h that says
explicitly the skb will be freed if NF_STOLEN is returned.
Later . . . Jim
^ permalink raw reply
* Re: [PATCH] tproxy: copy transparent flag when creating a time wait
From: David Miller @ 2011-10-18 20:48 UTC (permalink / raw)
To: hidden; +Cc: pablo, netfilter-devel, netdev
In-Reply-To: <1318969055.2959.7.camel@nessa.odu>
From: KOVACS Krisztian <hidden@balabit.hu>
Date: Tue, 18 Oct 2011 22:17:35 +0200
> The transparent socket option setting was not copied to the time wait
> socket when an inet socket was being replaced by a time wait socket. This
> broke the --transparent option of the socket match and may have caused
> that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state
> were being dropped by the packet filter.
>
> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
I can't believe such a fundamental bug went unspotted for so long :-)
I'll apply this, thanks.
^ permalink raw reply
* [PATCH] tproxy: copy transparent flag when creating a time wait
From: KOVACS Krisztian @ 2011-10-18 20:17 UTC (permalink / raw)
To: Pablo Neira Ayuso, netfilter-devel, netdev
The transparent socket option setting was not copied to the time wait
socket when an inet socket was being replaced by a time wait socket. This
broke the --transparent option of the socket match and may have caused
that FIN packets belonging to sockets in FIN_WAIT2 or TIME_WAIT state
were being dropped by the packet filter.
Signed-off-by: KOVACS Krisztian <hidden@balabit.hu>
---
net/ipv4/tcp_minisocks.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index d2fe4e0..0ce3d06 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -328,6 +328,7 @@ void tcp_time_wait(struct sock *sk, int state, int timeo)
struct tcp_timewait_sock *tcptw = tcp_twsk((struct sock *)tw);
const int rto = (icsk->icsk_rto << 2) - (icsk->icsk_rto >> 1);
+ tw->tw_transparent = inet_sk(sk)->transparent;
tw->tw_rcv_wscale = tp->rx_opt.rcv_wscale;
tcptw->tw_rcv_nxt = tp->rcv_nxt;
tcptw->tw_snd_nxt = tp->snd_nxt;
--
1.7.7
^ permalink raw reply related
* [PATCH] ipvs: Remove unused variable "cs" from ip_vs_leave function.
From: Krzysztof Wilczynski @ 2011-10-18 19:59 UTC (permalink / raw)
To: Simon Horman; +Cc: Patrick McHardy, netdev
This is to address the following warning during compilation time:
net/netfilter/ipvs/ip_vs_core.c: In function ‘ip_vs_leave’:
net/netfilter/ipvs/ip_vs_core.c:532: warning: unused variable ‘cs’
This variable is indeed no longer in use.
Signed-off-by: Krzysztof Wilczynski <krzysztof.wilczynski@linux.com>
---
net/netfilter/ipvs/ip_vs_core.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 00ea1ad..4f7d89d 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -529,7 +529,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
a cache_bypass connection entry */
ipvs = net_ipvs(net);
if (ipvs->sysctl_cache_bypass && svc->fwmark && unicast) {
- int ret, cs;
+ int ret;
struct ip_vs_conn *cp;
unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
iph.protocol == IPPROTO_UDP)?
--
1.7.7
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox