* [PATCH] p54usb: fix leak at failure path in p54u_load_firmware()
From: Alexey Khoroshilov @ 2013-09-17 20:57 UTC (permalink / raw)
To: Christian Lamparter
Cc: Alexey Khoroshilov, John W. Linville, linux-wireless, netdev,
linux-kernel, ldv-project
If request_firmware_nowait() fails in p54u_load_firmware(),
p54u_load_firmware_cb is not called and no one decrements usb_dev refcnt.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
---
drivers/net/wireless/p54/p54usb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c
index b9deef6..7fa81d1 100644
--- a/drivers/net/wireless/p54/p54usb.c
+++ b/drivers/net/wireless/p54/p54usb.c
@@ -979,6 +979,7 @@ static int p54u_load_firmware(struct ieee80211_hw *dev,
if (err) {
dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
"(%d)!\n", p54u_fwlist[i].fw, err);
+ usb_put_dev(udev);
}
return err;
--
1.8.1.2
^ permalink raw reply related
* ath9k: remove self-assignment in ath9k_eeprom_request
From: Dave Jones @ 2013-09-17 21:35 UTC (permalink / raw)
To: netdev; +Cc: mcgrof, linville
Assigning a variable to itself is pointless, moreso when it's overwritten immediately.
Introduced in ab5c4f71d8c7add173a2d32e5beefdaaf1b7cbbc
("ath9k: allow to load EEPROM content via firmware API")
Signed-off-by: Dave Jones <davej@fedoraproject.org>
diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c
index 9a1f349..0cb3f2d 100644
--- a/drivers/net/wireless/ath/ath9k/init.c
+++ b/drivers/net/wireless/ath/ath9k/init.c
@@ -572,7 +572,7 @@ static void ath9k_eeprom_request_cb(const struct firmware *eeprom_blob,
static int ath9k_eeprom_request(struct ath_softc *sc, const char *name)
{
struct ath9k_eeprom_ctx ec;
- struct ath_hw *ah = ah = sc->sc_ah;
+ struct ath_hw *ah = sc->sc_ah;
int err;
/* try to load the EEPROM content asynchronously */
^ permalink raw reply related
* [PATCH 1/7] netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Michal Kubeček <mkubecek@suse.cz>
Commit 68b80f11 (netfilter: nf_nat: fix RCU races) introduced
RCU protection for freeing extension data when reallocation
moves them to a new location. We need the same protection when
freeing them in nf_ct_ext_free() in order to prevent a
use-after-free by other threads referencing a NAT extension data
via bysource list.
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack_extend.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index ff95434..88a1d40 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -86,7 +86,7 @@ static inline void nf_ct_ext_destroy(struct nf_conn *ct)
static inline void nf_ct_ext_free(struct nf_conn *ct)
{
if (ct->ext)
- kfree(ct->ext);
+ kfree_rcu(ct->ext, rcu);
}
/* Add this type, returns pointer to data or NULL. */
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related
* [PATCH 3/7] netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
index 6fdf88a..dac156f 100644
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -116,12 +116,12 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
{
int protoff;
u8 nexthdr;
- __be16 frag_off;
+ __be16 frag_off = 0;
nexthdr = ipv6_hdr(skb)->nexthdr;
protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
&frag_off);
- if (protoff < 0)
+ if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
return false;
return get_port(skb, nexthdr, protoff, src, port, proto);
--
1.7.10.4
^ permalink raw reply related
* [PATCH 7/7] netfilter: nfnetlink_queue: use network skb for sequence adjustment
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Gao feng <gaofeng@cn.fujitsu.com>
Instead of the netlink skb.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_queue_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 95a98c8..ae2e5c1 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1009,7 +1009,7 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
verdict = NF_DROP;
if (ct)
- nfqnl_ct_seq_adjust(skb, ct, ctinfo, diff);
+ nfqnl_ct_seq_adjust(entry->skb, ct, ctinfo, diff);
}
if (nfqa[NFQA_MARK])
--
1.7.10.4
^ permalink raw reply related
* [PATCH 5/7] netfilter: ipset: Validate the set family and not the set type family at swapping
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
This closes netfilter bugzilla #843, reported by Quentin Armitage.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index c8c303c..f2e30fb 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1052,7 +1052,7 @@ ip_set_swap(struct sock *ctnl, struct sk_buff *skb,
* Not an artificial restriction anymore, as we must prevent
* possible loops created by swapping in setlist type of sets. */
if (!(from->type->features == to->type->features &&
- from->type->family == to->type->family))
+ from->family == to->family))
return -IPSET_ERR_TYPE_MISMATCH;
strncpy(from_name, from->name, IPSET_MAXNAMELEN);
--
1.7.10.4
^ permalink raw reply related
* [PATCH 6/7] netfilter: ipset: Fix serious failure in CIDR tracking
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
This fixes a serious bug affecting all hash types with a net element -
specifically, if a CIDR value is deleted such that none of the same size
exist any more, all larger (less-specific) values will then fail to
match. Adding back any prefix with a CIDR equal to or more specific than
the one deleted will fix it.
Steps to reproduce:
ipset -N test hash:net
ipset -A test 1.1.0.0/16
ipset -A test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS in set
ipset -D test 2.2.2.0/24
ipset -T test 1.1.1.1 #1.1.1.1 IS NOT in set
This is due to the fact that the nets counter was unconditionally
decremented prior to the iteration that shifts up the entries. Now, we
first check if there is a proceeding entry and if not, decrement it and
return. Otherwise, we proceed to iterate and then zero the last element,
which, in most cases, will already be zero.
Signed-off-by: Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
net/netfilter/ipset/ip_set_hash_gen.h | 28 ++++++++++++++++------------
1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 57beb17..707bc52 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -325,18 +325,22 @@ mtype_add_cidr(struct htype *h, u8 cidr, u8 nets_length)
static void
mtype_del_cidr(struct htype *h, u8 cidr, u8 nets_length)
{
- u8 i, j;
-
- for (i = 0; i < nets_length - 1 && h->nets[i].cidr != cidr; i++)
- ;
- h->nets[i].nets--;
-
- if (h->nets[i].nets != 0)
- return;
-
- for (j = i; j < nets_length - 1 && h->nets[j].nets; j++) {
- h->nets[j].cidr = h->nets[j + 1].cidr;
- h->nets[j].nets = h->nets[j + 1].nets;
+ u8 i, j, net_end = nets_length - 1;
+
+ for (i = 0; i < nets_length; i++) {
+ if (h->nets[i].cidr != cidr)
+ continue;
+ if (h->nets[i].nets > 1 || i == net_end ||
+ h->nets[i + 1].nets == 0) {
+ h->nets[i].nets--;
+ return;
+ }
+ for (j = i; j < net_end && h->nets[j].nets; j++) {
+ h->nets[j].cidr = h->nets[j + 1].cidr;
+ h->nets[j].nets = h->nets[j + 1].nets;
+ }
+ h->nets[j].nets = 0;
+ return;
}
}
#endif
--
1.7.10.4
^ permalink raw reply related
* [PATCH 2/7] netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Phil Oester <kernel@linuxace.com>
In commit 58a317f1 (netfilter: ipv6: add IPv6 NAT support), icmpv6_manip_pkt
was added with an incorrect comparison of ICMP codes to types. This causes
problems when using NAT rules with the --random option. Correct the
comparison.
This closes netfilter bugzilla #851, reported by Alexander Neumann.
Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv6/netfilter/nf_nat_proto_icmpv6.c b/net/ipv6/netfilter/nf_nat_proto_icmpv6.c
index 61aaf70..2205e8e 100644
--- a/net/ipv6/netfilter/nf_nat_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_nat_proto_icmpv6.c
@@ -69,8 +69,8 @@ icmpv6_manip_pkt(struct sk_buff *skb,
hdr = (struct icmp6hdr *)(skb->data + hdroff);
l3proto->csum_update(skb, iphdroff, &hdr->icmp6_cksum,
tuple, maniptype);
- if (hdr->icmp6_code == ICMPV6_ECHO_REQUEST ||
- hdr->icmp6_code == ICMPV6_ECHO_REPLY) {
+ if (hdr->icmp6_type == ICMPV6_ECHO_REQUEST ||
+ hdr->icmp6_type == ICMPV6_ECHO_REPLY) {
inet_proto_csum_replace2(&hdr->icmp6_cksum, skb,
hdr->icmp6_identifier,
tuple->src.u.icmp.id, 0);
--
1.7.10.4
^ permalink raw reply related
* [PATCH 4/7] netfilter: ipset: Consistent userspace testing with nomatch flag
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
In-Reply-To: <1379455654-3905-1-git-send-email-pablo@netfilter.org>
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
The "nomatch" commandline flag should invert the matching at testing,
similarly to the --return-nomatch flag of the "set" match of iptables.
Until now it worked with the elements with "nomatch" flag only. From
now on it works with elements without the flag too, i.e:
# ipset n test hash:net
# ipset a test 10.0.0.0/24 nomatch
# ipset t test 10.0.0.1
10.0.0.1 is NOT in set test.
# ipset t test 10.0.0.1 nomatch
10.0.0.1 is in set test.
# ipset a test 192.168.0.0/24
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is NOT in set test.
Before the patch the results were
...
# ipset t test 192.168.0.1
192.168.0.1 is in set test.
# ipset t test 192.168.0.1 nomatch
192.168.0.1 is in set test.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
---
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
net/netfilter/ipset/ip_set_core.c | 3 +--
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
6 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index d80e275..9ac9fbd 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -296,10 +296,12 @@ ip_set_eexist(int ret, u32 flags)
/* Match elements marked with nomatch */
static inline bool
-ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt)
+ip_set_enomatch(int ret, u32 flags, enum ipset_adt adt, struct ip_set *set)
{
return adt == IPSET_TEST &&
- ret == -ENOTEMPTY && ((flags >> 16) & IPSET_FLAG_NOMATCH);
+ (set->type->features & IPSET_TYPE_NOMATCH) &&
+ ((flags >> 16) & IPSET_FLAG_NOMATCH) &&
+ (ret > 0 || ret == -ENOTEMPTY);
}
/* Check the NLA_F_NET_BYTEORDER flag */
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index f771390..c8c303c 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -1489,8 +1489,7 @@ ip_set_utest(struct sock *ctnl, struct sk_buff *skb,
if (ret == -EAGAIN)
ret = 1;
- return (ret < 0 && ret != -ENOTEMPTY) ? ret :
- ret > 0 ? 0 : -IPSET_ERR_EXIST;
+ return ret > 0 ? 0 : -IPSET_ERR_EXIST;
}
/* Get headed data of a set */
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index c6a5253..f15f3e2 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -260,7 +260,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
e.ip = htonl(ip);
e.ip2 = htonl(ip2_from & ip_set_hostmask(e.cidr + 1));
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
@@ -544,7 +544,7 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index da740ce..223e9f5 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -199,7 +199,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
e.ip = htonl(ip & ip_set_hostmask(e.cidr));
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret:
ip_set_eexist(ret, flags) ? 0 : ret;
}
@@ -396,7 +396,7 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 84ae6f6..7d798d5 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -368,7 +368,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !tb[IPSET_ATTR_IP_TO]) {
e.ip = htonl(ip & ip_set_hostmask(e.cidr));
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
@@ -634,7 +634,7 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 9a08698..09d6690 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -244,7 +244,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !(with_ports || tb[IPSET_ATTR_IP_TO])) {
e.ip = htonl(ip & ip_set_hostmask(e.cidr + 1));
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
@@ -489,7 +489,7 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (adt == IPSET_TEST || !with_ports || !tb[IPSET_ATTR_PORT_TO]) {
ret = adtfn(set, &e, &ext, &ext, flags);
- return ip_set_enomatch(ret, flags, adt) ? 1 :
+ return ip_set_enomatch(ret, flags, adt, set) ? -ret :
ip_set_eexist(ret, flags) ? 0 : ret;
}
--
1.7.10.4
^ permalink raw reply related
* [PATCH 0/7] netfilter fixes for net
From: Pablo Neira Ayuso @ 2013-09-17 22:07 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for you net tree,
they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap of sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
--
1.7.10.4
^ permalink raw reply
* [PATCH 0/7] netfilter fixes for net
From: Pablo Neira Ayuso @ 2013-09-17 22:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Resending pull request email, previous one was missing the pull request
information itself, sorry.
--
Hi David,
The following patchset contains Netfilter fixes for you net tree,
mostly targeted to ipset, they are:
* Fix ICMPv6 NAT due to wrong comparison, code instead of type, from
Phil Oester.
* Fix RCU race in conntrack extensions release path, from Michal Kubecek.
* Fix missing inversion in the userspace ipset test command match if
the nomatch option is specified, from Jozsef Kadlecsik.
* Skip layer 4 protocol matching in ipset in case of IPv6 fragments,
also from Jozsef Kadlecsik.
* Fix sequence adjustment in nfnetlink_queue due to using the netlink
skb instead of the network skb, from Gao feng.
* Make sure we cannot swap of sets with different layer 3 family in
ipset, from Jozsef Kadlecsik.
* Fix possible bogus matching in ipset if hash sets with net elements
are used, from Oliver Smith.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit c19d65c95c6d472d69829fea7d473228493d5245:
bnx2x: Fix configuration of doorbell block (2013-09-09 17:06:14 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 0a0d80eb39aa465b7bdf6f7754d0ba687eb3d2a7:
netfilter: nfnetlink_queue: use network skb for sequence adjustment (2013-09-17 13:05:12 +0200)
----------------------------------------------------------------
Gao feng (1):
netfilter: nfnetlink_queue: use network skb for sequence adjustment
Jozsef Kadlecsik (3):
netfilter: ipset: Skip really non-first fragments for IPv6 when getting port/protocol
netfilter: ipset: Consistent userspace testing with nomatch flag
netfilter: ipset: Validate the set family and not the set type family at swapping
Michal Kubeček (1):
netfilter: nf_conntrack: use RCU safe kfree for conntrack extensions
Oliver Smith (1):
netfilter: ipset: Fix serious failure in CIDR tracking
Phil Oester (1):
netfilter: nf_nat_proto_icmpv6:: fix wrong comparison in icmpv6_manip_pkt
include/linux/netfilter/ipset/ip_set.h | 6 ++++--
include/net/netfilter/nf_conntrack_extend.h | 2 +-
net/ipv6/netfilter/nf_nat_proto_icmpv6.c | 4 ++--
net/netfilter/ipset/ip_set_core.c | 5 ++---
net/netfilter/ipset/ip_set_getport.c | 4 ++--
net/netfilter/ipset/ip_set_hash_gen.h | 28 +++++++++++++++------------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 4 ++--
net/netfilter/ipset/ip_set_hash_net.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ++--
net/netfilter/ipset/ip_set_hash_netport.c | 4 ++--
net/netfilter/nfnetlink_queue_core.c | 2 +-
11 files changed, 36 insertions(+), 31 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply
* add ip to interface as primary ip address, not secondary ip when there is alreadly primary ip?
From: Vincent Li @ 2013-09-17 22:31 UTC (permalink / raw)
To: netdev@vger.kernel.org
Hi,
we need to add more than one ip address to one interface, but want to
be able to specify which ip address to be primary and which to be
secondary (be deterministic) , what we have found out is that the
first ip address added to the interface will be always the primary ip
address, the primary or secondary is depending on which ip get added
to the interface first.
we could also delete an existing primary ip address, then the
secondary ip will be promoted to primary.
ideally though, we would like to have the capability in
kernel/userspace to specify a flag or something to add any ip as
primary even if there is already existing primary ip address (could
downgrade the existing primary to secondary ip). does this make sense
?
Vincent
^ permalink raw reply
* [PATCH net] ip: generate unique IP identificator if local fragmentation is allowed
From: Ansis Atteka @ 2013-09-17 22:25 UTC (permalink / raw)
To: netdev; +Cc: Ansis Atteka
If local fragmentation is allowed, then ip_select_ident() and
ip_select_ident_more() need to generate unique IDs to ensure
correct defragmentation on the peer.
For example, if IPsec (tunnel mode) has to encrypt large skbs
that have local_df bit set, then all IP fragments that belonged
to different ESP datagrams would have used the same identificator.
If one of these IP fragments would get lost or reordered, then
peer could possibly stitch together wrong IP fragments that did
not belong to the same datagram. This would lead to a packet loss
or data corruption.
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
---
drivers/net/ppp/pptp.c | 2 +-
include/net/ip.h | 12 ++++++++----
net/ipv4/igmp.c | 4 ++--
net/ipv4/inetpeer.c | 4 ++--
net/ipv4/ip_output.c | 7 ++++---
net/ipv4/ipmr.c | 2 +-
net/ipv4/raw.c | 2 +-
net/ipv4/xfrm4_mode_tunnel.c | 2 +-
net/netfilter/ipvs/ip_vs_xmit.c | 2 +-
9 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 6fa5ae0..0180531 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -281,7 +281,7 @@ static int pptp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
nf_reset(skb);
skb->ip_summed = CHECKSUM_NONE;
- ip_select_ident(iph, &rt->dst, NULL);
+ ip_select_ident(skb, &rt->dst, NULL);
ip_send_check(iph);
ip_local_out(skb);
diff --git a/include/net/ip.h b/include/net/ip.h
index 48f5597..5e52688 100644
--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -264,9 +264,11 @@ int ip_dont_fragment(struct sock *sk, struct dst_entry *dst)
extern void __ip_select_ident(struct iphdr *iph, struct dst_entry *dst, int more);
-static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, struct sock *sk)
+static inline void ip_select_ident(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk)
{
- if (iph->frag_off & htons(IP_DF)) {
+ struct iphdr *iph = ip_hdr(skb);
+
+ if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
/* This is only to work around buggy Windows95/2000
* VJ compression implementations. If the ID field
* does not change, they drop every other packet in
@@ -278,9 +280,11 @@ static inline void ip_select_ident(struct iphdr *iph, struct dst_entry *dst, str
__ip_select_ident(iph, dst, 0);
}
-static inline void ip_select_ident_more(struct iphdr *iph, struct dst_entry *dst, struct sock *sk, int more)
+static inline void ip_select_ident_more(struct sk_buff *skb, struct dst_entry *dst, struct sock *sk, int more)
{
- if (iph->frag_off & htons(IP_DF)) {
+ struct iphdr *iph = ip_hdr(skb);
+
+ if ((iph->frag_off & htons(IP_DF)) && !skb->local_df) {
if (sk && inet_sk(sk)->inet_daddr) {
iph->id = htons(inet_sk(sk)->inet_id);
inet_sk(sk)->inet_id += 1 + more;
diff --git a/net/ipv4/igmp.c b/net/ipv4/igmp.c
index d6c0e64..dace87f 100644
--- a/net/ipv4/igmp.c
+++ b/net/ipv4/igmp.c
@@ -369,7 +369,7 @@ static struct sk_buff *igmpv3_newpack(struct net_device *dev, int size)
pip->saddr = fl4.saddr;
pip->protocol = IPPROTO_IGMP;
pip->tot_len = 0; /* filled in later */
- ip_select_ident(pip, &rt->dst, NULL);
+ ip_select_ident(skb, &rt->dst, NULL);
((u8 *)&pip[1])[0] = IPOPT_RA;
((u8 *)&pip[1])[1] = 4;
((u8 *)&pip[1])[2] = 0;
@@ -714,7 +714,7 @@ static int igmp_send_report(struct in_device *in_dev, struct ip_mc_list *pmc,
iph->daddr = dst;
iph->saddr = fl4.saddr;
iph->protocol = IPPROTO_IGMP;
- ip_select_ident(iph, &rt->dst, NULL);
+ ip_select_ident(skb, &rt->dst, NULL);
((u8 *)&iph[1])[0] = IPOPT_RA;
((u8 *)&iph[1])[1] = 4;
((u8 *)&iph[1])[2] = 0;
diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
index 000e3d2..33d5537 100644
--- a/net/ipv4/inetpeer.c
+++ b/net/ipv4/inetpeer.c
@@ -32,8 +32,8 @@
* At the moment of writing this notes identifier of IP packets is generated
* to be unpredictable using this code only for packets subjected
* (actually or potentially) to defragmentation. I.e. DF packets less than
- * PMTU in size uses a constant ID and do not use this code (see
- * ip_select_ident() in include/net/ip.h).
+ * PMTU in size when local fragmentation is disabled use a constant ID and do
+ * not use this code (see ip_select_ident() in include/net/ip.h).
*
* Route cache entries hold references to our nodes.
* New cache entries get references via lookup by destination IP address in
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 9ee17e3..f9c4fbb 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -148,7 +148,7 @@ int ip_build_and_send_pkt(struct sk_buff *skb, struct sock *sk,
iph->daddr = (opt && opt->opt.srr ? opt->opt.faddr : daddr);
iph->saddr = saddr;
iph->protocol = sk->sk_protocol;
- ip_select_ident(iph, &rt->dst, sk);
+ ip_select_ident(skb, &rt->dst, sk);
if (opt && opt->opt.optlen) {
iph->ihl += opt->opt.optlen>>2;
@@ -386,7 +386,7 @@ packet_routed:
ip_options_build(skb, &inet_opt->opt, inet->inet_daddr, rt, 0);
}
- ip_select_ident_more(iph, &rt->dst, sk,
+ ip_select_ident_more(skb, &rt->dst, sk,
(skb_shinfo(skb)->gso_segs ?: 1) - 1);
skb->priority = sk->sk_priority;
@@ -1317,6 +1317,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
ttl = ip_select_ttl(inet, &rt->dst);
iph = (struct iphdr *)skb->data;
+
iph->version = 4;
iph->ihl = 5;
iph->tos = inet->tos;
@@ -1324,7 +1325,7 @@ struct sk_buff *__ip_make_skb(struct sock *sk,
iph->ttl = ttl;
iph->protocol = sk->sk_protocol;
ip_copy_addrs(iph, fl4);
- ip_select_ident(iph, &rt->dst, sk);
+ ip_select_ident(skb, &rt->dst, sk);
if (opt) {
iph->ihl += opt->optlen>>2;
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 9ae54b0..62212c7 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -1658,7 +1658,7 @@ static void ip_encap(struct sk_buff *skb, __be32 saddr, __be32 daddr)
iph->protocol = IPPROTO_IPIP;
iph->ihl = 5;
iph->tot_len = htons(skb->len);
- ip_select_ident(iph, skb_dst(skb), NULL);
+ ip_select_ident(skb, skb_dst(skb), NULL);
ip_send_check(iph);
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index a86c7ae..bfec521 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -387,7 +387,7 @@ static int raw_send_hdrinc(struct sock *sk, struct flowi4 *fl4,
iph->check = 0;
iph->tot_len = htons(length);
if (!iph->id)
- ip_select_ident(iph, &rt->dst, NULL);
+ ip_select_ident(skb, &rt->dst, NULL);
iph->check = ip_fast_csum((unsigned char *)iph, iph->ihl);
}
diff --git a/net/ipv4/xfrm4_mode_tunnel.c b/net/ipv4/xfrm4_mode_tunnel.c
index eb1dd4d..b5663c3 100644
--- a/net/ipv4/xfrm4_mode_tunnel.c
+++ b/net/ipv4/xfrm4_mode_tunnel.c
@@ -117,7 +117,7 @@ static int xfrm4_mode_tunnel_output(struct xfrm_state *x, struct sk_buff *skb)
top_iph->frag_off = (flags & XFRM_STATE_NOPMTUDISC) ?
0 : (XFRM_MODE_SKB_CB(skb)->frag_off & htons(IP_DF));
- ip_select_ident(top_iph, dst->child, NULL);
+ ip_select_ident(skb, dst->child, NULL);
top_iph->ttl = ip4_dst_hoplimit(dst->child);
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index b75ff64..c47444e 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -883,7 +883,7 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
iph->daddr = cp->daddr.ip;
iph->saddr = saddr;
iph->ttl = old_iph->ttl;
- ip_select_ident(iph, &rt->dst, NULL);
+ ip_select_ident(skb, &rt->dst, NULL);
/* Another hack: avoid icmp_send in ip_fragment */
skb->local_df = 1;
--
1.7.9.5
^ permalink raw reply related
* Re: Potential out-of-bounds access in ip6_finish_output2
From: Hannes Frederic Sowa @ 2013-09-17 22:48 UTC (permalink / raw)
To: Dmitry Vyukov
Cc: yoshfuji, netdev, Paul Turner, Andrey Konovalov,
Kostya Serebryany, Tom Herbert
In-Reply-To: <CACT4Y+ZXqoixvCyN5703+sVhCV4ND-vNwash2Z1vSDoLgKNyVg@mail.gmail.com>
On Mon, Sep 16, 2013 at 10:13:10PM -0700, Dmitry Vyukov wrote:
> Hi,
>
> I am working on AddressSanitizer -- a tool that detects use-after-free
> and out-of-bounds bugs
> (https://code.google.com/p/address-sanitizer/wiki/AddressSanitizerForKernel).
>
> I've got a dozen of reports in ip6_finish_output2. Below are 2 of
> them. They are always followed by kernel crash. Unfortunately I don't
> have a reproducer because I am using trinity fuzzer. I would
> appreciate if somebody familiar with the code look at sources and
> maybe spot the bug.
Thanks for the report!
I tried reproducing the bug and hit some other bugs nearby. I'll try to fix
them, but this could take some time.
Greetings,
Hannes
^ permalink raw reply
* Re: [PATCH net-next] net loopback: Set loopback_dev to NULL when freed
From: David Miller @ 2013-09-17 23:05 UTC (permalink / raw)
To: ebiederm
Cc: eric.dumazet, edumazet, jiri, alexander.h.duyck, amwang, netdev,
fruggeri
In-Reply-To: <87k3igcizo.fsf@xmission.com>
From: ebiederm@xmission.com (Eric W. Biederman)
Date: Mon, 16 Sep 2013 18:52:27 -0700
> Eric Dumazet <eric.dumazet@gmail.com> writes:
>
>> On Mon, 2013-09-16 at 21:34 -0400, David Miller wrote:
>>> From: Eric Dumazet <eric.dumazet@gmail.com>
>>> Date: Mon, 16 Sep 2013 17:50:51 -0700
>>>
>>> > On Mon, 2013-09-16 at 16:52 -0700, Eric W. Biederman wrote:
>>> >> It has recently turned up that we have a number of long standing bugs
>>> >> in the network stack cleanup code with use of the loopback device
>>> >> after it has been freed that have not turned up because in most cases
>>> >> the storage allocated to the loopback device is not reused, when those
>>> >> accesses happen.
>>> >>
>>> >> Set looback_dev to NULL to trigger oopses instead of silent data corrupt
>>> >> when we hit this class of bug.
>>> >>
>>> >> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
>>> >> ---
>>> >
>>> > Acked-by: Eric Dumazet <edumazet@google.com>
>>>
>>> I'd like to apply this to 'net', any objections?
>>
>> No objections from me.
>
> No objects from me I just hadn't seen it as a bug fix, but I guess it
> sort of is.
Ok, done.
^ permalink raw reply
* Re: [PATCH 4/4] drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
From: David Miller @ 2013-09-17 23:07 UTC (permalink / raw)
To: avi.kp.137; +Cc: netdev, linux-kernel
In-Reply-To: <1379347781-7145-1-git-send-email-avi.kp.137@gmail.com>
From: Avinash Kumar <avi.kp.137@gmail.com>
Date: Mon, 16 Sep 2013 21:39:41 +0530
> clears following warnings :
> WARNING: Use include <linux/io.h> instead of <asm/io.h>
> WARNING: Use include <linux/uaccess.h> instead of <asm/uaccess.h>
>
> Signed-off-by: Avinash Kumar <avi.kp.137@gmail.com>
Applied, thanks.
^ permalink raw reply
* Re: [PATCH net] tcp: fix RTO calculated from cached RTT
From: David Miller @ 2013-09-17 23:08 UTC (permalink / raw)
To: ycheng; +Cc: ncardwell, netdev, edumazet
In-Reply-To: <CAK6E8=f5uMe6LQ5StCtaWt7D7PfaM2it0muxiW+gAZ4ngQwVbw@mail.gmail.com>
From: Yuchung Cheng <ycheng@google.com>
Date: Tue, 17 Sep 2013 07:32:38 -0700
> On Mon, Sep 16, 2013 at 6:44 PM, Neal Cardwell <ncardwell@google.com> wrote:
>> Commit 1b7fdd2ab5852 ("tcp: do not use cached RTT for RTT estimation")
>> did not correctly account for the fact that crtt is the RTT shifted
>> left 3 bits. Fix the calculation to consistently reflect this fact.
>>
>> Signed-off-by: Neal Cardwell <ncardwell@google.com>
>> Cc: Eric Dumazet <edumazet@google.com>
>> Cc: Yuchung Cheng <ycheng@google.com>
>> ---
>> net/ipv4/tcp_metrics.c | 4 +++-
>> 1 file changed, 3 insertions(+), 1 deletion(-)
> Acked-By: Yuchung Cheng <ycheng@google.com>
>
> Thanks for discovering and fixing it!
Applied, thanks everyone.
^ permalink raw reply
* Re: [CFT][PATCH] net: Delay default_device_exit_batch until no devices are unregistering
From: David Miller @ 2013-09-17 23:21 UTC (permalink / raw)
To: ebiederm; +Cc: fruggeri, edumazet, jiri, alexander.h.duyck, amwang, netdev
In-Reply-To: <87mwncaz04.fsf_-_@xmission.com>
From: ebiederm@xmission.com (Eric W. Biederman)
Date: Mon, 16 Sep 2013 20:49:31 -0700
> /* Delayed registration/unregisteration */
> static LIST_HEAD(net_todo_list);
> +static atomic_t netdev_unregistering = ATOMIC_INIT(0);
> +static DECLARE_WAIT_QUEUE_HEAD(netdev_unregistering_wait);
I think you don't need this atomic.
Something like this should work and seems much simpler:
1) Still use the netdev_unregistering_wait queue, that's fine.
2) In netdev_run_todo(), unconditionally wake it up at the end of
the while() loop.
3) In default_device_exit_batch() use the same retry logic but
your tests are on list_empty(&net_todo_list() rather than the
new atomic count.
I think with this simplification I'm fine to apply this patch after
it has been tested properly.
Long term I'd like to see a per-namespace todo list, as seems to
have been suggested and discussed already.
Thanks.
^ permalink raw reply
* Re: [CFT][PATCH] net: Delay default_device_exit_batch until no devices are unregistering
From: Eric W. Biederman @ 2013-09-17 23:41 UTC (permalink / raw)
To: David Miller; +Cc: fruggeri, edumazet, jiri, alexander.h.duyck, amwang, netdev
In-Reply-To: <20130917.192158.941189471705765317.davem@davemloft.net>
David Miller <davem@davemloft.net> wrote:
>From: ebiederm@xmission.com (Eric W. Biederman)
>Date: Mon, 16 Sep 2013 20:49:31 -0700
>
>> /* Delayed registration/unregisteration */
>> static LIST_HEAD(net_todo_list);
>> +static atomic_t netdev_unregistering = ATOMIC_INIT(0);
>> +static DECLARE_WAIT_QUEUE_HEAD(netdev_unregistering_wait);
>
>I think you don't need this atomic.
>
>Something like this should work and seems much simpler:
>
>1) Still use the netdev_unregistering_wait queue, that's fine.
>
>2) In netdev_run_todo(), unconditionally wake it up at the end of
> the while() loop.
>
>3) In default_device_exit_batch() use the same retry logic but
> your tests are on list_empty(&net_todo_list() rather than the
> new atomic count.
List/count I don't much care but currently we don't have a list of all of the devices that are unregistering.
The problem with this is that netdev_run_todo moves all of the devices to a local list, so they are only visible from a list_head on the stack. Which makes sense as we run this all in the context of rtnl_unlock.
>I think with this simplification I'm fine to apply this patch after
>it has been tested properly.
I wish we could make that simplication.
>Long term I'd like to see a per-namespace todo list, as seems to
>have been suggested and discussed already.
Eric
^ permalink raw reply
* Re: [PATCH v2.39 7/7] datapath: Add basic MPLS support to kernel
From: Simon Horman @ 2013-09-17 23:47 UTC (permalink / raw)
To: Ben Pfaff
Cc: Jesse Gross, Pravin Shelar, dev@openvswitch.org, netdev, Ravi K,
Isaku Yamahata, Joe Stringer
In-Reply-To: <20130916204619.GE20037@nicira.com>
On Mon, Sep 16, 2013 at 01:46:19PM -0700, Ben Pfaff wrote:
> On Mon, Sep 16, 2013 at 03:38:21PM -0500, Jesse Gross wrote:
> > - Ben, do you want to take over for the userspace portions of the
> > series on the assumption that the above comments can be fixed fairly
> > easily?
>
> Yes, that's fine. Simon, I guess that you are looking at Jesse's
> comments about mpls_depth from earlier?
Yes, I have a solution to that problem and I will post it after testing
further. I don't think it will affect the other user-space patches
in a material way. So I think you can review them as-is.
^ permalink raw reply
* Re: [PATCH v2.39 7/7] datapath: Add basic MPLS support to kernel
From: Ben Pfaff @ 2013-09-18 0:05 UTC (permalink / raw)
To: Simon Horman
Cc: Jesse Gross, Pravin Shelar, dev@openvswitch.org, netdev, Ravi K,
Isaku Yamahata, Joe Stringer
In-Reply-To: <20130917234717.GA3675@verge.net.au>
On Tue, Sep 17, 2013 at 06:47:22PM -0500, Simon Horman wrote:
> On Mon, Sep 16, 2013 at 01:46:19PM -0700, Ben Pfaff wrote:
> > On Mon, Sep 16, 2013 at 03:38:21PM -0500, Jesse Gross wrote:
> > > - Ben, do you want to take over for the userspace portions of the
> > > series on the assumption that the above comments can be fixed fairly
> > > easily?
> >
> > Yes, that's fine. Simon, I guess that you are looking at Jesse's
> > comments about mpls_depth from earlier?
>
> Yes, I have a solution to that problem and I will post it after testing
> further. I don't think it will affect the other user-space patches
> in a material way. So I think you can review them as-is.
That sounds good, thanks.
^ permalink raw reply
* Re: [CFT][PATCH] net: Delay default_device_exit_batch until no devices are unregistering
From: David Miller @ 2013-09-18 0:15 UTC (permalink / raw)
To: ebiederm; +Cc: fruggeri, edumazet, jiri, alexander.h.duyck, amwang, netdev
In-Reply-To: <e652a11e-b23d-4a83-aaac-00c469a416f1@email.android.com>
From: "Eric W. Biederman" <ebiederm@xmission.com>
Date: Tue, 17 Sep 2013 16:41:37 -0700
> List/count I don't much care but currently we don't have a list of
> all of the devices that are unregistering.
>
> The problem with this is that netdev_run_todo moves all of the
> devices to a local list, so they are only visible from a list_head
> on the stack. Which makes sense as we run this all in the context
> of rtnl_unlock.
And when that local list is processed (the while loop completes and
has iterated over the entire list), either the global todo list is
empty, or it is not empty.
And the waked up code will check for this.
I really don't see what the problem is.
^ permalink raw reply
* Re: [PATCH] vxlan: Avoid creating fdb entry with NULL destination
From: David Miller @ 2013-09-18 0:20 UTC (permalink / raw)
To: sri; +Cc: netdev, stephen, mike.rapoport
In-Reply-To: <1379445160.21109.29.camel@sridhar.usor.ibm.com>
From: Sridhar Samudrala <sri@us.ibm.com>
Date: Tue, 17 Sep 2013 12:12:40 -0700
> Commit afbd8bae9c798c5cdbe4439d3a50536b5438247c
> vxlan: add implicit fdb entry for default destination
> creates an implicit fdb entry for default destination. This results
> in an invalid fdb entry if default destination is not specified.
> For ex:
> ip link add vxlan1 type vxlan id 100
> creates the following fdb entry
> 00:00:00:00:00:00 dev vxlan1 dst 0.0.0.0 self permanent
>
> This patch fixes this issue by creating an fdb entry only if a
> valid default destination is specified.
>
> Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Looks reasonable, applied, thanks.
^ permalink raw reply
* Re: [PATCH 0/7] netfilter fixes for net
From: David Miller @ 2013-09-18 0:23 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
In-Reply-To: <1379456519-4317-1-git-send-email-pablo@netfilter.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 18 Sep 2013 00:21:59 +0200
> The following patchset contains Netfilter fixes for you net tree,
> mostly targeted to ipset, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Looks good, pulled, thanks a lot.
^ permalink raw reply
* Re: [PATCH v2 6/6] ipv6: Do route updating for redirect in ndisc layer
From: David Miller @ 2013-09-18 0:29 UTC (permalink / raw)
To: duanj.fnst; +Cc: netdev, hannes
In-Reply-To: <5232806B.6050601@cn.fujitsu.com>
From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Date: Fri, 13 Sep 2013 11:03:07 +0800
> From: Duan Jiong <duanj.fnst@cn.fujitsu.com>
>
> Do the whole verification and route updating in ndisc
> lay and then just call into icmpv6_notify() to notify
> the upper protocols.
>
> Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
This is completely broken, and I believe your patch set fundamentally
is too.
We absolutely _must_ handle the redirect at the socket level when
we are able to, otherwise we cannot specify the mark properly and
the mark is an essential part of the key used to find the correct
route to work with.
I am not applying this patch series until you deal with this
deficiency. I am not willing to consider changes which stop using the
more precise keying information available from a socket.
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox