* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Michael S. Tsirkin @ 2015-01-28 16:48 UTC (permalink / raw)
To: Hannes Frederic Sowa
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <1422461749.4678.110.camel@stressinduktion.org>
On Wed, Jan 28, 2015 at 05:15:49PM +0100, Hannes Frederic Sowa wrote:
> Hi,
>
> On Mi, 2015-01-28 at 18:00 +0200, Michael S. Tsirkin wrote:
> > On Wed, Jan 28, 2015 at 11:34:02AM +0100, Hannes Frederic Sowa wrote:
> > > Hi,
> > >
> > > On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> > > > On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> > > > > Hello,
> > > > >
> > > > > On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> > > > > > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > > > > > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > > > > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > > > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > > > > > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> > > > > > > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> > > > > > > > >>>> If the IPv6 fragment id has not been set and we perform
> > > > > > > > >>>> fragmentation due to UFO, select a new fragment id.
> > > > > > > > >>>> When we store the fragment id into skb_shinfo, set the bit
> > > > > > > > >>>> in the skb so we can re-use the selected id.
> > > > > > > > >>>> This preserves the behavior of UFO packets generated on the
> > > > > > > > >>>> host and solves the issue of id generation for packet sockets
> > > > > > > > >>>> and tap/macvtap devices.
> > > > > > > > >>>>
> > > > > > > > >>>> This patch moves ipv6_select_ident() back in to the header file.
> > > > > > > > >>>> It also provides the helper function that sets skb_shinfo() frag
> > > > > > > > >>>> id and sets the bit.
> > > > > > > > >>>>
> > > > > > > > >>>> It also makes sure that we select the fragment id when doing
> > > > > > > > >>>> just gso validation, since it's possible for the packet to
> > > > > > > > >>>> come from an untrusted source (VM) and be forwarded through
> > > > > > > > >>>> a UFO enabled device which will expect the fragment id.
> > > > > > > > >>>>
> > > > > > > > >>>> CC: Eric Dumazet <edumazet@google.com>
> > > > > > > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > > > > > > > >>>> ---
> > > > > > > > >>>> include/linux/skbuff.h | 3 ++-
> > > > > > > > >>>> include/net/ipv6.h | 2 ++
> > > > > > > > >>>> net/ipv6/ip6_output.c | 4 ++--
> > > > > > > > >>>> net/ipv6/output_core.c | 9 ++++++++-
> > > > > > > > >>>> net/ipv6/udp_offload.c | 10 +++++++++-
> > > > > > > > >>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> > > > > > > > >>>>
> > > > > > > > >>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > > > > > > > >>>> index 85ab7d7..3ad5203 100644
> > > > > > > > >>>> --- a/include/linux/skbuff.h
> > > > > > > > >>>> +++ b/include/linux/skbuff.h
> > > > > > > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > > > > > > >>>> __u8 ipvs_property:1;
> > > > > > > > >>>> __u8 inner_protocol_type:1;
> > > > > > > > >>>> __u8 remcsum_offload:1;
> > > > > > > > >>>> - /* 3 or 5 bit hole */
> > > > > > > > >>>> + __u8 ufo_fragid_set:1;
> > > > > > > > >>> [...]
> > > > > > > > >>>
> > > > > > > > >>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> > > > > > > > >>> sk_buff? Otherwise this looks fine.
> > > > > > > > >>>
> > > > > > > > >>> Ben.
> > > > > > > > >>
> > > > > > > > >> Hmm we seem to be out of tx flags.
> > > > > > > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > > > > > >
> > > > > > > > > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > > > > > > > > move into the skb_shared_info area.
> > > > > > > >
> > > > > > > > That's what I originally wanted to do, but had to move and grow txflags thus
> > > > > > > > skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> > > > > > > >
> > > > > > > > I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> > > > > > > > from the protocol perspective and could actually be generated by the id generator
> > > > > > > > functions. This may cause us to call the id generation multiple times.
> > > > > > >
> > > > > > > Are there plans in the long run to let virtio_net transmit auxiliary
> > > > > > > data to the other end so we can clean all of this this up one day?
> > > > > > >
> > > > > > > I don't like the whole situation: looking into the virtio_net headers
> > > > > > > just adding a field for ipv6 fragmentation ids to those small structs
> > > > > > > seems bloated, not doing it feels incorrect. :/
> > > > > > >
> > > > > > > Thoughts?
> > > > > > >
> > > > > > > Bye,
> > > > > > > Hannes
> > > > > >
> > > > > > I'm not sure - what will be achieved by generating the IDs guest side as
> > > > > > opposed to host side? It's certainly harder to get hold of entropy
> > > > > > guest-side.
> > > > >
> > > > > It is not only about entropy but about uniqueness. Also fragmentation
> > > > > ids should not be discoverable,
> > > >
> > > > I belive "predictable" is the language used by the IETF draft.
> > > >
> > > > > so there are several aspects:
> > > > >
> > > > > I see fragmentation id generation still as security critical:
> > > > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > > > identifiers less predictable") I could patch my kernels and use the
> > > > > patch regardless of the machine being virtualized or not. It was not
> > > > > dependent on the hypervisor.
> > > >
> > > > And now it's even easier - just patch the hypervisor, and all VMs
> > > > automatically benefit.
> > >
> > > Sometimes the hypervisor is not under my control.
> >
> > In that case doing things like extending virtio
> > is out of the question too, isn't it?
> > It needs hypervisor changes.
>
> Sure, but I would like to have the fragmentation id generator to reside
> inside the end-host kernel. Hypervisor needs to carry the frag id along,
> sure, and needs to be changed accordingly.
>
> So in either case we need to change both kernels. ;)
>
> >
> > > You would need to
> > > patch both kernels in your case - non gso frames would still get the
> > > fragmentation id generated in the host kernel.
> > >
> > > > > I think that is the same reasoning why we
> > > > > don't support TOE.
> > > > > If we use one generator in the hypervisor in an openstack alike setting,
> > > > > the host deals with quite a lot of overlay networks. A lot of default
> > > > > configurations use the same addresses internally, so on the hypervisor
> > > > > the frag id generators would interfere by design.
> > > > > I could come up with an attack scenario for DNS servers (again :) ):
> > > > >
> > > > > You are sitting next to a DNS server on the same hypervisor and can send
> > > > > packets without source validation (because that is handled later on in
> > > > > case of openvswitch when the packet is put into the corresponding
> > > > > overlay network). You emit a gso packet with the same source and
> > > > > destination addresses as the DNS server would do and would get an
> > > > > fragmentation id which is linearly (+ time delta) incremented depending
> > > > > on the source and destination address. With such a leak you could start
> > > > > trying attack and spoof DNS responses (fragmentation attacks etc.).
> > > > > See also details on such kind of attacks in the description of commit
> > > > > 04ca6973f7c1a0d.
> > > > >
> > > > > AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> > > > > end hosts, that's also the reason for the introduction of atomic
> > > > > fragments (which are now being rolled back ;) ).
> > > > >
> > > > > Still it is better to generate a frag id on the hypervisor than just
> > > > > sending a 0, so I am ok with this change, albeit not happy.
> > > > >
> > > > > Thanks,
> > > > > Hannes
> > > > >
> > > >
> > > > OK so to summarize, identifiers are only re-randomized once per jiffy,
> > > > so you worry that within this window, an external observer can discover
> > > > past fragment ID values and so predict the future ones.
> > > > All that's required is that two paths go through the same box performing
> > > > fragmentation.
> > > >
> > > > Is that a fair summary?
> >
> > No answer here?
>
> Ups, sorry.
>
> It is not re-randomized but only biased by a time delta (note the
> prandom_u32_max). So even after such an increment happens you can still
> guess the range of the current fragmentation ids for a longer time.
>
> Otherwise it is a fair summary.
>
> >
> > > > If yes, we can make this a bit harder by mixing in some
> > > > data per input and/or output devices.
> > > >
> > > > For example, just to give you the idea:
> > > >
> > > > diff --git a/net/core/dev.c b/net/core/dev.c
> > > > index 683d493..4faa7ef 100644
> > > > --- a/net/core/dev.c
> > > > +++ b/net/core/dev.c
> > > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > > > trace_netif_receive_skb(skb);
> > > >
> > > > orig_dev = skb->dev;
> > > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> > > >
> > > > skb_reset_network_header(skb);
> > > > if (!skb_transport_header_was_set(skb))
> > > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > > > index ce69a12..819a821 100644
> > > > --- a/net/ipv6/ip6_output.c
> > > > +++ b/net/ipv6/ip6_output.c
> > > > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > > > sizeof(struct frag_hdr)) & ~7;
> > > > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > > > ipv6_select_ident(&fhdr, rt);
> > > > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > > > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > > > + fhdr.identification);
> > > >
> > > > append:
> > > > return skb_append_datato_frags(sk, skb, getfrag, from,
> > > >
> > >
> > > I thought about mixing in the incoming interface identifier into the
> > > frag id generation, but that could hurt us badly as soon as a VM has
> > > more than one interface to the outside world and uses e.g. ECMP.
> > > We need
> > > to make sure that those frag ids are unique and the kernel needs to be
> > > better than just using a random number generator.
> > >
> > > Bye,
> > > Hannes
> >
> > OK then. Like this:
> >
> > diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> > index 679e6e9..1ee9a3a 100644
> > --- a/include/linux/netdevice.h
> > +++ b/include/linux/netdevice.h
> > @@ -1508,6 +1508,9 @@ struct net_device {
> > * part of the usual set specified in Space.c.
> > */
> >
> > + /* Extra hash to mix into IPv6 frag ID on packets received from here. */
> > + unsigned int frag_id_hash;
> > +
> > unsigned long state;
> >
> > struct list_head dev_list;
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 683d493..56f1898 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > trace_netif_receive_skb(skb);
> >
> > orig_dev = skb->dev;
> > + skb_shinfo(skb)->ip6_frag_id = skb->dev->frag_id_hash;
> >
> > skb_reset_network_header(skb);
> > if (!skb_transport_header_was_set(skb))
> > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > index ce69a12..819a821 100644
> > --- a/net/ipv6/ip6_output.c
> > +++ b/net/ipv6/ip6_output.c
> > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > sizeof(struct frag_hdr)) & ~7;
> > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > ipv6_select_ident(&fhdr, rt);
> > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > + fhdr.identification);
> >
> > append:
> > return skb_append_datato_frags(sk, skb, getfrag, from,
> >
> >
> > Add to this a netlink/sysfs API to set the frag_id_hash for
> > devices.
> >
> > Now, user can set identical frag id hash for all devices
> > for a given VM.
> >
> > We can even expose this to guests: each guest would generate
> > the ID on boot and send it to host, host would set it
> > in sysfs.
>
> jhash_1word shouldn't be a bijection, so we are randomizing here and are
> increasing the probability of collisions.
> Instead of jhash_1word you
> would need to take a simple block cipher with the hash as key.
>
> Bye,
> Hannes
fhdr.identification is coming from jhash_3word itself, how is this
different?
^ permalink raw reply
* Re: [PATCH v2 linux-trace 4/8] samples: bpf: simple tracing example in C
From: Alexei Starovoitov @ 2015-01-28 16:42 UTC (permalink / raw)
To: Arnaldo Carvalho de Melo
Cc: Steven Rostedt, Ingo Molnar, Namhyung Kim, Jiri Olsa,
Masami Hiramatsu, Linux API, Network Development, LKML
In-Reply-To: <20150128162557.GP7220-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
On Wed, Jan 28, 2015 at 8:25 AM, Arnaldo Carvalho de Melo
<acme-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
> Em Wed, Jan 28, 2015 at 01:24:15PM -0300, Arnaldo Carvalho de Melo escreveu:
>> Em Tue, Jan 27, 2015 at 08:06:09PM -0800, Alexei Starovoitov escreveu:
>> > diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
>> > new file mode 100644
>> > index 000000000000..7849ceb4bce6
>> > --- /dev/null
>> > +++ b/samples/bpf/tracex1_kern.c
>> > @@ -0,0 +1,28 @@
>> > +#include <linux/skbuff.h>
>> > +#include <linux/netdevice.h>
>> > +#include <uapi/linux/bpf.h>
>> > +#include <trace/bpf_trace.h>
>> > +#include "bpf_helpers.h"
>> > +
>> > +SEC("events/net/netif_receive_skb")
>> > +int bpf_prog1(struct bpf_context *ctx)
>> > +{
>> > + /*
>> > + * attaches to /sys/kernel/debug/tracing/events/net/netif_receive_skb
>> > + * prints events for loobpack device only
>> > + */
>> > + char devname[] = "lo";
>> > + struct net_device *dev;
>> > + struct sk_buff *skb = 0;
>> > +
>> > + skb = (struct sk_buff *) ctx->arg1;
>> > + dev = bpf_fetch_ptr(&skb->dev);
>> > + if (bpf_memcmp(dev->name, devname, 2) == 0)
>>
>> I'm only starting to look at all this, so bear with me... But why do we
>> need to have it as "bpf_memcmp"? Can't we simply use it as "memcmp" and
>> have it use the right function?
>>
>> Less typing, perhaps we would need to have a:
>>
>> #define memcmp bpf_memcmp(s1, s2, n) bpf_memcmp(s1, s2, n)
>
> Argh, like this:
>
> #define memcmp(s1, s2, n) bpf_memcmp(s1, s2, n)
>
>> in bpf_helpers.h to have it work?
yes, that will work just fine.
Since it's an example I made it explicit that bpf_memcmp()
has memcmp() semantics, but little bit different:
int bpf_memcmp(void *unsafe_ptr, void *safe_ptr, int size)
meaning that one of the pointers can point anywhere and
the function will be doing probe_kernel_read() underneath
similar to bpf_fetch_*() helpers.
If it was plain memcmp() it would give a wrong impression
that vanilla memcmp() can be used.
In general the programs cannot use any library functions
outside of helpers defined in uapi/linux/bpf.h
bpf_fetch_*() helpers are also explicit in examples.
If one need to do a lot of pointer walking, then macro like
#define D(P) ((typeof(P))bpf_fetch_ptr(&P))
would be easier to use: p = D(D(skb->dev)->ifalias)
multiple pointer derefs would look more natural...
^ permalink raw reply
* Re: [PATCH net-next v1 01/18] net: ethtool: propagate get_settings error
From: Ben Hutchings @ 2015-01-28 16:30 UTC (permalink / raw)
To: David Decotigny
Cc: David S. Miller, Amir Vadai, linux-kernel, netdev, linux-api,
Eric Dumazet, Eugenia Emantayev, Or Gerlitz, Ido Shamay,
Joe Perches, Saeed Mahameed, Govindarajulu Varadarajan,
Venkata Duvvuru, Jeff Kirsher, Eyal Perry, Pravin B Shelar,
Ed Swierk, David Decotigny
In-Reply-To: <1422322574-6188-2-git-send-email-ddecotig@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 942 bytes --]
On Mon, 2015-01-26 at 17:35 -0800, David Decotigny wrote:
> From: David Decotigny <decot@googlers.com>
>
> Signed-off-by: David Decotigny <decot@googlers.com>
> ---
> net/core/ethtool.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/core/ethtool.c b/net/core/ethtool.c
> index 91f74f3..52efb7e 100644
> --- a/net/core/ethtool.c
> +++ b/net/core/ethtool.c
> @@ -364,7 +364,7 @@ static int ethtool_get_settings(struct net_device *dev, void __user *useraddr)
>
> if (copy_to_user(useraddr, &cmd, sizeof(cmd)))
> return -EFAULT;
> - return 0;
> + return err;
err cannnot be negative at this point (and if it's positive, that's a
bug in the get_settings implementation which we happen to fix up).
Ben.
> }
>
> static int ethtool_set_settings(struct net_device *dev, void __user *useraddr)
--
Ben Hutchings
Teamwork is essential - it allows you to blame someone else.
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 811 bytes --]
^ permalink raw reply
* Re: [PATCH v2 linux-trace 4/8] samples: bpf: simple tracing example in C
From: Arnaldo Carvalho de Melo @ 2015-01-28 16:25 UTC (permalink / raw)
To: Alexei Starovoitov
Cc: Steven Rostedt, Ingo Molnar, Namhyung Kim, Jiri Olsa,
Masami Hiramatsu, linux-api, netdev, linux-kernel
In-Reply-To: <20150128162415.GO7220@kernel.org>
Em Wed, Jan 28, 2015 at 01:24:15PM -0300, Arnaldo Carvalho de Melo escreveu:
> Em Tue, Jan 27, 2015 at 08:06:09PM -0800, Alexei Starovoitov escreveu:
> > diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
> > new file mode 100644
> > index 000000000000..7849ceb4bce6
> > --- /dev/null
> > +++ b/samples/bpf/tracex1_kern.c
> > @@ -0,0 +1,28 @@
> > +#include <linux/skbuff.h>
> > +#include <linux/netdevice.h>
> > +#include <uapi/linux/bpf.h>
> > +#include <trace/bpf_trace.h>
> > +#include "bpf_helpers.h"
> > +
> > +SEC("events/net/netif_receive_skb")
> > +int bpf_prog1(struct bpf_context *ctx)
> > +{
> > + /*
> > + * attaches to /sys/kernel/debug/tracing/events/net/netif_receive_skb
> > + * prints events for loobpack device only
> > + */
> > + char devname[] = "lo";
> > + struct net_device *dev;
> > + struct sk_buff *skb = 0;
> > +
> > + skb = (struct sk_buff *) ctx->arg1;
> > + dev = bpf_fetch_ptr(&skb->dev);
> > + if (bpf_memcmp(dev->name, devname, 2) == 0)
>
> I'm only starting to look at all this, so bear with me... But why do we
> need to have it as "bpf_memcmp"? Can't we simply use it as "memcmp" and
> have it use the right function?
>
> Less typing, perhaps we would need to have a:
>
> #define memcmp bpf_memcmp(s1, s2, n) bpf_memcmp(s1, s2, n)
Argh, like this:
#define memcmp(s1, s2, n) bpf_memcmp(s1, s2, n)
> in bpf_helpers.h to have it work?
>
> - Arnaldo
>
> > + /* print event using default tracepoint format */
> > + return 1;
> > +
> > + /* drop event */
> > + return 0;
> > +}
^ permalink raw reply
* Re: [PATCH 2/4] net: wan: add missing virt_to_bus dependencies
From: Jan Kasprzak @ 2015-01-28 16:19 UTC (permalink / raw)
To: Arnd Bergmann
Cc: netdev, linux-pcmcia, davem, linux-arm-kernel, jeffrey.t.kirsher
In-Reply-To: <1422454504-439085-3-git-send-email-arnd@arndb.de>
Arnd Bergmann wrote:
: The cosa driver is rather outdated and does not get built on most
: platforms because it requires the ISA_DMA_API symbol. However
: there are some ARM platforms that have ISA_DMA_API but no virt_to_bus,
: and they get this build error when enabling the ltpc driver.
:
: drivers/net/wan/cosa.c: In function 'tx_interrupt':
: drivers/net/wan/cosa.c:1768:3: error: implicit declaration of function 'virt_to_bus'
: unsigned long addr = virt_to_bus(cosa->txbuf);
: ^
:
: The same problem exists for the Hostess SV-11 and Sealevel Systems 4021
: drivers.
Hello,
as for COSA, it is OK. Although I would like to know whether there still is
at least one COSA card in use somewhere :-)
Acked-By: Jan "Yenya" Kasprzak <kas@fi.muni.cz>
Thanks,
-Yenya
:
: This adds another dependency in Kconfig to avoid that configuration.
:
: Signed-off-by: Arnd Bergmann <arnd@arndb.de>
: ---
: drivers/net/wan/Kconfig | 6 +++---
: 1 file changed, 3 insertions(+), 3 deletions(-)
:
: diff --git a/drivers/net/wan/Kconfig b/drivers/net/wan/Kconfig
: index 94e234975c61..a2fdd15f285a 100644
: --- a/drivers/net/wan/Kconfig
: +++ b/drivers/net/wan/Kconfig
: @@ -25,7 +25,7 @@ if WAN
: # There is no way to detect a comtrol sv11 - force it modular for now.
: config HOSTESS_SV11
: tristate "Comtrol Hostess SV-11 support"
: - depends on ISA && m && ISA_DMA_API && INET && HDLC
: + depends on ISA && m && ISA_DMA_API && INET && HDLC && VIRT_TO_BUS
: help
: Driver for Comtrol Hostess SV-11 network card which
: operates on low speed synchronous serial links at up to
: @@ -37,7 +37,7 @@ config HOSTESS_SV11
: # The COSA/SRP driver has not been tested as non-modular yet.
: config COSA
: tristate "COSA/SRP sync serial boards support"
: - depends on ISA && m && ISA_DMA_API && HDLC
: + depends on ISA && m && ISA_DMA_API && HDLC && VIRT_TO_BUS
: ---help---
: Driver for COSA and SRP synchronous serial boards.
:
: @@ -87,7 +87,7 @@ config LANMEDIA
: # There is no way to detect a Sealevel board. Force it modular
: config SEALEVEL_4021
: tristate "Sealevel Systems 4021 support"
: - depends on ISA && m && ISA_DMA_API && INET && HDLC
: + depends on ISA && m && ISA_DMA_API && INET && HDLC && VIRT_TO_BUS
: help
: This is a driver for the Sealevel Systems ACB 56 serial I/O adapter.
:
: --
: 2.1.0.rc2
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| New GPG 4096R/A45477D5 -- see http://www.fi.muni.cz/~kas/pgp-rollover.txt |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
||| "New and improved" is only really improved if it also takes backwards |||
||| compatibility into account, rather than saying "now everybody must do |||
||| things the new and improved - and different - way" --Linus Torvalds |||
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Hannes Frederic Sowa @ 2015-01-28 16:15 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <20150128160054.GB32439@redhat.com>
Hi,
On Mi, 2015-01-28 at 18:00 +0200, Michael S. Tsirkin wrote:
> On Wed, Jan 28, 2015 at 11:34:02AM +0100, Hannes Frederic Sowa wrote:
> > Hi,
> >
> > On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> > > On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> > > > Hello,
> > > >
> > > > On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> > > > > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > > > > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > > > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > > > > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> > > > > > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> > > > > > > >>>> If the IPv6 fragment id has not been set and we perform
> > > > > > > >>>> fragmentation due to UFO, select a new fragment id.
> > > > > > > >>>> When we store the fragment id into skb_shinfo, set the bit
> > > > > > > >>>> in the skb so we can re-use the selected id.
> > > > > > > >>>> This preserves the behavior of UFO packets generated on the
> > > > > > > >>>> host and solves the issue of id generation for packet sockets
> > > > > > > >>>> and tap/macvtap devices.
> > > > > > > >>>>
> > > > > > > >>>> This patch moves ipv6_select_ident() back in to the header file.
> > > > > > > >>>> It also provides the helper function that sets skb_shinfo() frag
> > > > > > > >>>> id and sets the bit.
> > > > > > > >>>>
> > > > > > > >>>> It also makes sure that we select the fragment id when doing
> > > > > > > >>>> just gso validation, since it's possible for the packet to
> > > > > > > >>>> come from an untrusted source (VM) and be forwarded through
> > > > > > > >>>> a UFO enabled device which will expect the fragment id.
> > > > > > > >>>>
> > > > > > > >>>> CC: Eric Dumazet <edumazet@google.com>
> > > > > > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > > > > > > >>>> ---
> > > > > > > >>>> include/linux/skbuff.h | 3 ++-
> > > > > > > >>>> include/net/ipv6.h | 2 ++
> > > > > > > >>>> net/ipv6/ip6_output.c | 4 ++--
> > > > > > > >>>> net/ipv6/output_core.c | 9 ++++++++-
> > > > > > > >>>> net/ipv6/udp_offload.c | 10 +++++++++-
> > > > > > > >>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> > > > > > > >>>>
> > > > > > > >>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > > > > > > >>>> index 85ab7d7..3ad5203 100644
> > > > > > > >>>> --- a/include/linux/skbuff.h
> > > > > > > >>>> +++ b/include/linux/skbuff.h
> > > > > > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > > > > > >>>> __u8 ipvs_property:1;
> > > > > > > >>>> __u8 inner_protocol_type:1;
> > > > > > > >>>> __u8 remcsum_offload:1;
> > > > > > > >>>> - /* 3 or 5 bit hole */
> > > > > > > >>>> + __u8 ufo_fragid_set:1;
> > > > > > > >>> [...]
> > > > > > > >>>
> > > > > > > >>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> > > > > > > >>> sk_buff? Otherwise this looks fine.
> > > > > > > >>>
> > > > > > > >>> Ben.
> > > > > > > >>
> > > > > > > >> Hmm we seem to be out of tx flags.
> > > > > > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > > > > >
> > > > > > > > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > > > > > > > move into the skb_shared_info area.
> > > > > > >
> > > > > > > That's what I originally wanted to do, but had to move and grow txflags thus
> > > > > > > skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> > > > > > >
> > > > > > > I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> > > > > > > from the protocol perspective and could actually be generated by the id generator
> > > > > > > functions. This may cause us to call the id generation multiple times.
> > > > > >
> > > > > > Are there plans in the long run to let virtio_net transmit auxiliary
> > > > > > data to the other end so we can clean all of this this up one day?
> > > > > >
> > > > > > I don't like the whole situation: looking into the virtio_net headers
> > > > > > just adding a field for ipv6 fragmentation ids to those small structs
> > > > > > seems bloated, not doing it feels incorrect. :/
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > > Bye,
> > > > > > Hannes
> > > > >
> > > > > I'm not sure - what will be achieved by generating the IDs guest side as
> > > > > opposed to host side? It's certainly harder to get hold of entropy
> > > > > guest-side.
> > > >
> > > > It is not only about entropy but about uniqueness. Also fragmentation
> > > > ids should not be discoverable,
> > >
> > > I belive "predictable" is the language used by the IETF draft.
> > >
> > > > so there are several aspects:
> > > >
> > > > I see fragmentation id generation still as security critical:
> > > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > > identifiers less predictable") I could patch my kernels and use the
> > > > patch regardless of the machine being virtualized or not. It was not
> > > > dependent on the hypervisor.
> > >
> > > And now it's even easier - just patch the hypervisor, and all VMs
> > > automatically benefit.
> >
> > Sometimes the hypervisor is not under my control.
>
> In that case doing things like extending virtio
> is out of the question too, isn't it?
> It needs hypervisor changes.
Sure, but I would like to have the fragmentation id generator to reside
inside the end-host kernel. Hypervisor needs to carry the frag id along,
sure, and needs to be changed accordingly.
So in either case we need to change both kernels. ;)
>
> > You would need to
> > patch both kernels in your case - non gso frames would still get the
> > fragmentation id generated in the host kernel.
> >
> > > > I think that is the same reasoning why we
> > > > don't support TOE.
> > > > If we use one generator in the hypervisor in an openstack alike setting,
> > > > the host deals with quite a lot of overlay networks. A lot of default
> > > > configurations use the same addresses internally, so on the hypervisor
> > > > the frag id generators would interfere by design.
> > > > I could come up with an attack scenario for DNS servers (again :) ):
> > > >
> > > > You are sitting next to a DNS server on the same hypervisor and can send
> > > > packets without source validation (because that is handled later on in
> > > > case of openvswitch when the packet is put into the corresponding
> > > > overlay network). You emit a gso packet with the same source and
> > > > destination addresses as the DNS server would do and would get an
> > > > fragmentation id which is linearly (+ time delta) incremented depending
> > > > on the source and destination address. With such a leak you could start
> > > > trying attack and spoof DNS responses (fragmentation attacks etc.).
> > > > See also details on such kind of attacks in the description of commit
> > > > 04ca6973f7c1a0d.
> > > >
> > > > AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> > > > end hosts, that's also the reason for the introduction of atomic
> > > > fragments (which are now being rolled back ;) ).
> > > >
> > > > Still it is better to generate a frag id on the hypervisor than just
> > > > sending a 0, so I am ok with this change, albeit not happy.
> > > >
> > > > Thanks,
> > > > Hannes
> > > >
> > >
> > > OK so to summarize, identifiers are only re-randomized once per jiffy,
> > > so you worry that within this window, an external observer can discover
> > > past fragment ID values and so predict the future ones.
> > > All that's required is that two paths go through the same box performing
> > > fragmentation.
> > >
> > > Is that a fair summary?
>
> No answer here?
Ups, sorry.
It is not re-randomized but only biased by a time delta (note the
prandom_u32_max). So even after such an increment happens you can still
guess the range of the current fragmentation ids for a longer time.
Otherwise it is a fair summary.
>
> > > If yes, we can make this a bit harder by mixing in some
> > > data per input and/or output devices.
> > >
> > > For example, just to give you the idea:
> > >
> > > diff --git a/net/core/dev.c b/net/core/dev.c
> > > index 683d493..4faa7ef 100644
> > > --- a/net/core/dev.c
> > > +++ b/net/core/dev.c
> > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > > trace_netif_receive_skb(skb);
> > >
> > > orig_dev = skb->dev;
> > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> > >
> > > skb_reset_network_header(skb);
> > > if (!skb_transport_header_was_set(skb))
> > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > > index ce69a12..819a821 100644
> > > --- a/net/ipv6/ip6_output.c
> > > +++ b/net/ipv6/ip6_output.c
> > > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > > sizeof(struct frag_hdr)) & ~7;
> > > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > > ipv6_select_ident(&fhdr, rt);
> > > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > > + fhdr.identification);
> > >
> > > append:
> > > return skb_append_datato_frags(sk, skb, getfrag, from,
> > >
> >
> > I thought about mixing in the incoming interface identifier into the
> > frag id generation, but that could hurt us badly as soon as a VM has
> > more than one interface to the outside world and uses e.g. ECMP.
> > We need
> > to make sure that those frag ids are unique and the kernel needs to be
> > better than just using a random number generator.
> >
> > Bye,
> > Hannes
>
> OK then. Like this:
>
> diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
> index 679e6e9..1ee9a3a 100644
> --- a/include/linux/netdevice.h
> +++ b/include/linux/netdevice.h
> @@ -1508,6 +1508,9 @@ struct net_device {
> * part of the usual set specified in Space.c.
> */
>
> + /* Extra hash to mix into IPv6 frag ID on packets received from here. */
> + unsigned int frag_id_hash;
> +
> unsigned long state;
>
> struct list_head dev_list;
> diff --git a/net/core/dev.c b/net/core/dev.c
> index 683d493..56f1898 100644
> --- a/net/core/dev.c
> +++ b/net/core/dev.c
> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> trace_netif_receive_skb(skb);
>
> orig_dev = skb->dev;
> + skb_shinfo(skb)->ip6_frag_id = skb->dev->frag_id_hash;
>
> skb_reset_network_header(skb);
> if (!skb_transport_header_was_set(skb))
> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> index ce69a12..819a821 100644
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> sizeof(struct frag_hdr)) & ~7;
> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> ipv6_select_ident(&fhdr, rt);
> - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> + fhdr.identification);
>
> append:
> return skb_append_datato_frags(sk, skb, getfrag, from,
>
>
> Add to this a netlink/sysfs API to set the frag_id_hash for
> devices.
>
> Now, user can set identical frag id hash for all devices
> for a given VM.
>
> We can even expose this to guests: each guest would generate
> the ID on boot and send it to host, host would set it
> in sysfs.
jhash_1word shouldn't be a bijection, so we are randomizing here and are
increasing the probability of collisions. Instead of jhash_1word you
would need to take a simple block cipher with the hash as key.
Bye,
Hannes
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Michael S. Tsirkin @ 2015-01-28 16:00 UTC (permalink / raw)
To: Hannes Frederic Sowa
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <1422441242.4678.32.camel@stressinduktion.org>
On Wed, Jan 28, 2015 at 11:34:02AM +0100, Hannes Frederic Sowa wrote:
> Hi,
>
> On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> > On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> > > Hello,
> > >
> > > On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> > > > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > > > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > > > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> > > > > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> > > > > > >>>> If the IPv6 fragment id has not been set and we perform
> > > > > > >>>> fragmentation due to UFO, select a new fragment id.
> > > > > > >>>> When we store the fragment id into skb_shinfo, set the bit
> > > > > > >>>> in the skb so we can re-use the selected id.
> > > > > > >>>> This preserves the behavior of UFO packets generated on the
> > > > > > >>>> host and solves the issue of id generation for packet sockets
> > > > > > >>>> and tap/macvtap devices.
> > > > > > >>>>
> > > > > > >>>> This patch moves ipv6_select_ident() back in to the header file.
> > > > > > >>>> It also provides the helper function that sets skb_shinfo() frag
> > > > > > >>>> id and sets the bit.
> > > > > > >>>>
> > > > > > >>>> It also makes sure that we select the fragment id when doing
> > > > > > >>>> just gso validation, since it's possible for the packet to
> > > > > > >>>> come from an untrusted source (VM) and be forwarded through
> > > > > > >>>> a UFO enabled device which will expect the fragment id.
> > > > > > >>>>
> > > > > > >>>> CC: Eric Dumazet <edumazet@google.com>
> > > > > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > > > > > >>>> ---
> > > > > > >>>> include/linux/skbuff.h | 3 ++-
> > > > > > >>>> include/net/ipv6.h | 2 ++
> > > > > > >>>> net/ipv6/ip6_output.c | 4 ++--
> > > > > > >>>> net/ipv6/output_core.c | 9 ++++++++-
> > > > > > >>>> net/ipv6/udp_offload.c | 10 +++++++++-
> > > > > > >>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> > > > > > >>>>
> > > > > > >>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > > > > > >>>> index 85ab7d7..3ad5203 100644
> > > > > > >>>> --- a/include/linux/skbuff.h
> > > > > > >>>> +++ b/include/linux/skbuff.h
> > > > > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > > > > >>>> __u8 ipvs_property:1;
> > > > > > >>>> __u8 inner_protocol_type:1;
> > > > > > >>>> __u8 remcsum_offload:1;
> > > > > > >>>> - /* 3 or 5 bit hole */
> > > > > > >>>> + __u8 ufo_fragid_set:1;
> > > > > > >>> [...]
> > > > > > >>>
> > > > > > >>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> > > > > > >>> sk_buff? Otherwise this looks fine.
> > > > > > >>>
> > > > > > >>> Ben.
> > > > > > >>
> > > > > > >> Hmm we seem to be out of tx flags.
> > > > > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > > > >
> > > > > > > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > > > > > > move into the skb_shared_info area.
> > > > > >
> > > > > > That's what I originally wanted to do, but had to move and grow txflags thus
> > > > > > skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> > > > > >
> > > > > > I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> > > > > > from the protocol perspective and could actually be generated by the id generator
> > > > > > functions. This may cause us to call the id generation multiple times.
> > > > >
> > > > > Are there plans in the long run to let virtio_net transmit auxiliary
> > > > > data to the other end so we can clean all of this this up one day?
> > > > >
> > > > > I don't like the whole situation: looking into the virtio_net headers
> > > > > just adding a field for ipv6 fragmentation ids to those small structs
> > > > > seems bloated, not doing it feels incorrect. :/
> > > > >
> > > > > Thoughts?
> > > > >
> > > > > Bye,
> > > > > Hannes
> > > >
> > > > I'm not sure - what will be achieved by generating the IDs guest side as
> > > > opposed to host side? It's certainly harder to get hold of entropy
> > > > guest-side.
> > >
> > > It is not only about entropy but about uniqueness. Also fragmentation
> > > ids should not be discoverable,
> >
> > I belive "predictable" is the language used by the IETF draft.
> >
> > > so there are several aspects:
> > >
> > > I see fragmentation id generation still as security critical:
> > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > identifiers less predictable") I could patch my kernels and use the
> > > patch regardless of the machine being virtualized or not. It was not
> > > dependent on the hypervisor.
> >
> > And now it's even easier - just patch the hypervisor, and all VMs
> > automatically benefit.
>
> Sometimes the hypervisor is not under my control.
In that case doing things like extending virtio
is out of the question too, isn't it?
It needs hypervisor changes.
> You would need to
> patch both kernels in your case - non gso frames would still get the
> fragmentation id generated in the host kernel.
>
> > > I think that is the same reasoning why we
> > > don't support TOE.
> > > If we use one generator in the hypervisor in an openstack alike setting,
> > > the host deals with quite a lot of overlay networks. A lot of default
> > > configurations use the same addresses internally, so on the hypervisor
> > > the frag id generators would interfere by design.
> > > I could come up with an attack scenario for DNS servers (again :) ):
> > >
> > > You are sitting next to a DNS server on the same hypervisor and can send
> > > packets without source validation (because that is handled later on in
> > > case of openvswitch when the packet is put into the corresponding
> > > overlay network). You emit a gso packet with the same source and
> > > destination addresses as the DNS server would do and would get an
> > > fragmentation id which is linearly (+ time delta) incremented depending
> > > on the source and destination address. With such a leak you could start
> > > trying attack and spoof DNS responses (fragmentation attacks etc.).
> > > See also details on such kind of attacks in the description of commit
> > > 04ca6973f7c1a0d.
> > >
> > > AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> > > end hosts, that's also the reason for the introduction of atomic
> > > fragments (which are now being rolled back ;) ).
> > >
> > > Still it is better to generate a frag id on the hypervisor than just
> > > sending a 0, so I am ok with this change, albeit not happy.
> > >
> > > Thanks,
> > > Hannes
> > >
> >
> > OK so to summarize, identifiers are only re-randomized once per jiffy,
> > so you worry that within this window, an external observer can discover
> > past fragment ID values and so predict the future ones.
> > All that's required is that two paths go through the same box performing
> > fragmentation.
> >
> > Is that a fair summary?
No answer here?
> > If yes, we can make this a bit harder by mixing in some
> > data per input and/or output devices.
> >
> > For example, just to give you the idea:
> >
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 683d493..4faa7ef 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > trace_netif_receive_skb(skb);
> >
> > orig_dev = skb->dev;
> > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> >
> > skb_reset_network_header(skb);
> > if (!skb_transport_header_was_set(skb))
> > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > index ce69a12..819a821 100644
> > --- a/net/ipv6/ip6_output.c
> > +++ b/net/ipv6/ip6_output.c
> > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > sizeof(struct frag_hdr)) & ~7;
> > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > ipv6_select_ident(&fhdr, rt);
> > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > + fhdr.identification);
> >
> > append:
> > return skb_append_datato_frags(sk, skb, getfrag, from,
> >
>
> I thought about mixing in the incoming interface identifier into the
> frag id generation, but that could hurt us badly as soon as a VM has
> more than one interface to the outside world and uses e.g. ECMP.
> We need
> to make sure that those frag ids are unique and the kernel needs to be
> better than just using a random number generator.
>
> Bye,
> Hannes
OK then. Like this:
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 679e6e9..1ee9a3a 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1508,6 +1508,9 @@ struct net_device {
* part of the usual set specified in Space.c.
*/
+ /* Extra hash to mix into IPv6 frag ID on packets received from here. */
+ unsigned int frag_id_hash;
+
unsigned long state;
struct list_head dev_list;
diff --git a/net/core/dev.c b/net/core/dev.c
index 683d493..56f1898 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
trace_netif_receive_skb(skb);
orig_dev = skb->dev;
+ skb_shinfo(skb)->ip6_frag_id = skb->dev->frag_id_hash;
skb_reset_network_header(skb);
if (!skb_transport_header_was_set(skb))
diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
index ce69a12..819a821 100644
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
sizeof(struct frag_hdr)) & ~7;
skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
ipv6_select_ident(&fhdr, rt);
- skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
+ skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
+ fhdr.identification);
append:
return skb_append_datato_frags(sk, skb, getfrag, from,
Add to this a netlink/sysfs API to set the frag_id_hash for
devices.
Now, user can set identical frag id hash for all devices
for a given VM.
We can even expose this to guests: each guest would generate
the ID on boot and send it to host, host would set it
in sysfs.
--
MST
^ permalink raw reply related
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Michael S. Tsirkin @ 2015-01-28 15:49 UTC (permalink / raw)
To: Vlad Yasevich
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Hannes Frederic Sowa, Ben Hutchings
In-Reply-To: <54C8FFF3.7050800@redhat.com>
On Wed, Jan 28, 2015 at 10:27:47AM -0500, Vlad Yasevich wrote:
> On 01/28/2015 09:45 AM, Hannes Frederic Sowa wrote:
> > Hi,
> >
> > On Mi, 2015-01-28 at 09:16 -0500, Vlad Yasevich wrote:
> >> On 01/28/2015 05:34 AM, Hannes Frederic Sowa wrote:
> >>> Hi,
> >>>
> >>> On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> >>>> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> >>>>> Hello,
> >>>>>
> >>>>> On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> >>>>>> On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> >>>>>>> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> >>>>>>>> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> >>>>>>>>> On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> >>>>>>>>>> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> >>>>>>>>>>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> >>>>>>>>>>>> If the IPv6 fragment id has not been set and we perform
> >>>>>>>>>>>> fragmentation due to UFO, select a new fragment id.
> >>>>>>>>>>>> When we store the fragment id into skb_shinfo, set the bit
> >>>>>>>>>>>> in the skb so we can re-use the selected id.
> >>>>>>>>>>>> This preserves the behavior of UFO packets generated on the
> >>>>>>>>>>>> host and solves the issue of id generation for packet sockets
> >>>>>>>>>>>> and tap/macvtap devices.
> >>>>>>>>>>>>
> >>>>>>>>>>>> This patch moves ipv6_select_ident() back in to the header file.
> >>>>>>>>>>>> It also provides the helper function that sets skb_shinfo() frag
> >>>>>>>>>>>> id and sets the bit.
> >>>>>>>>>>>>
> >>>>>>>>>>>> It also makes sure that we select the fragment id when doing
> >>>>>>>>>>>> just gso validation, since it's possible for the packet to
> >>>>>>>>>>>> come from an untrusted source (VM) and be forwarded through
> >>>>>>>>>>>> a UFO enabled device which will expect the fragment id.
> >>>>>>>>>>>>
> >>>>>>>>>>>> CC: Eric Dumazet <edumazet@google.com>
> >>>>>>>>>>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> >>>>>>>>>>>> ---
> >>>>>>>>>>>> include/linux/skbuff.h | 3 ++-
> >>>>>>>>>>>> include/net/ipv6.h | 2 ++
> >>>>>>>>>>>> net/ipv6/ip6_output.c | 4 ++--
> >>>>>>>>>>>> net/ipv6/output_core.c | 9 ++++++++-
> >>>>>>>>>>>> net/ipv6/udp_offload.c | 10 +++++++++-
> >>>>>>>>>>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> >>>>>>>>>>>>
> >>>>>>>>>>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> >>>>>>>>>>>> index 85ab7d7..3ad5203 100644
> >>>>>>>>>>>> --- a/include/linux/skbuff.h
> >>>>>>>>>>>> +++ b/include/linux/skbuff.h
> >>>>>>>>>>>> @@ -605,7 +605,8 @@ struct sk_buff {
> >>>>>>>>>>>> __u8 ipvs_property:1;
> >>>>>>>>>>>> __u8 inner_protocol_type:1;
> >>>>>>>>>>>> __u8 remcsum_offload:1;
> >>>>>>>>>>>> - /* 3 or 5 bit hole */
> >>>>>>>>>>>> + __u8 ufo_fragid_set:1;
> >>>>>>>>>>> [...]
> >>>>>>>>>>>
> >>>>>>>>>>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> >>>>>>>>>>> sk_buff? Otherwise this looks fine.
> >>>>>>>>>>>
> >>>>>>>>>>> Ben.
> >>>>>>>>>>
> >>>>>>>>>> Hmm we seem to be out of tx flags.
> >>>>>>>>>> Maybe ip6_frag_id == 0 should mean "not set".
> >>>>>>>>>
> >>>>>>>>> Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> >>>>>>>>> move into the skb_shared_info area.
> >>>>>>>>
> >>>>>>>> That's what I originally wanted to do, but had to move and grow txflags thus
> >>>>>>>> skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> >>>>>>>>
> >>>>>>>> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> >>>>>>>> from the protocol perspective and could actually be generated by the id generator
> >>>>>>>> functions. This may cause us to call the id generation multiple times.
> >>>>>>>
> >>>>>>> Are there plans in the long run to let virtio_net transmit auxiliary
> >>>>>>> data to the other end so we can clean all of this this up one day?
> >>>>>>>
> >>>>>>> I don't like the whole situation: looking into the virtio_net headers
> >>>>>>> just adding a field for ipv6 fragmentation ids to those small structs
> >>>>>>> seems bloated, not doing it feels incorrect. :/
> >>>>>>>
> >>>>>>> Thoughts?
> >>>>>>>
> >>>>>>> Bye,
> >>>>>>> Hannes
> >>>>>>
> >>>>>> I'm not sure - what will be achieved by generating the IDs guest side as
> >>>>>> opposed to host side? It's certainly harder to get hold of entropy
> >>>>>> guest-side.
> >>>>>
> >>>>> It is not only about entropy but about uniqueness. Also fragmentation
> >>>>> ids should not be discoverable,
> >>>>
> >>>> I belive "predictable" is the language used by the IETF draft.
> >>>>
> >>>>> so there are several aspects:
> >>>>>
> >>>>> I see fragmentation id generation still as security critical:
> >>>>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> >>>>> identifiers less predictable") I could patch my kernels and use the
> >>>>> patch regardless of the machine being virtualized or not. It was not
> >>>>> dependent on the hypervisor.
> >>>>
> >>>> And now it's even easier - just patch the hypervisor, and all VMs
> >>>> automatically benefit.
> >>>
> >>> Sometimes the hypervisor is not under my control. You would need to
> >>> patch both kernels in your case - non gso frames would still get the
> >>> fragmentation id generated in the host kernel.
> >>
> >> Why would non-gso frames need a frag id? We are talking only UDP IPv6
> >> here, so there is no frag id generation if the packet does't need to
> >> be fragmented.
> >
> > E.g. raw sockets still can generate fragments locally. It is also a
> > valid setup to have multiple interfaces in one machine, one that is UFO
> > enabled and one that isn't. In that case, fragmentation id generation
> > happens on different hosts which I want to avoid.
>
> OK, so you are concerned about both host and guest generating fragment
> ids. Host would do it for GSO frames and guest would do it for fragmented
> frames. Yes, there is room for collision,
collision is not a problem. It is in fact unavoidable.
> which is why we are aiming to
> fix this with fragment id passing through virtio_net. However, I am still
> trying to figure the best way to do this as it extends the virtio_net header
> and we want to do it right.
>
> >
> > I haven't looked closely but mismatch of MTUs on interfaces seems like
> > it could lead to unwanted fragmentation, e.g. see is_skb_forwardable
> > which is mostly always true for gso frames, so we never stop them on
> > bridges etc.
>
> Yes, this is one of the cases that gets triggered with VMs.
>
> >
> >>>>> I think that is the same reasoning why we
> >>>>> don't support TOE.
> >>>>> If we use one generator in the hypervisor in an openstack alike setting,
> >>>>> the host deals with quite a lot of overlay networks. A lot of default
> >>>>> configurations use the same addresses internally, so on the hypervisor
> >>>>> the frag id generators would interfere by design.
> >>>>> I could come up with an attack scenario for DNS servers (again :) ):
> >>>>>
> >>>>> You are sitting next to a DNS server on the same hypervisor and can send
> >>>>> packets without source validation (because that is handled later on in
> >>>>> case of openvswitch when the packet is put into the corresponding
> >>>>> overlay network). You emit a gso packet with the same source and
> >>>>> destination addresses as the DNS server would do and would get an
> >>>>> fragmentation id which is linearly (+ time delta) incremented depending
> >>>>> on the source and destination address. With such a leak you could start
> >>>>> trying attack and spoof DNS responses (fragmentation attacks etc.).
> >>>>> See also details on such kind of attacks in the description of commit
> >>>>> 04ca6973f7c1a0d.
> >>>>>
> >>>>> AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> >>>>> end hosts, that's also the reason for the introduction of atomic
> >>>>> fragments (which are now being rolled back ;) ).
> >>>>>
> >>>>> Still it is better to generate a frag id on the hypervisor than just
> >>>>> sending a 0, so I am ok with this change, albeit not happy.
> >>>>>
> >>>>> Thanks,
> >>>>> Hannes
> >>>>>
> >>>>
> >>>> OK so to summarize, identifiers are only re-randomized once per jiffy,
> >>>> so you worry that within this window, an external observer can discover
> >>>> past fragment ID values and so predict the future ones.
> >>>> All that's required is that two paths go through the same box performing
> >>>> fragmentation.
> >>>>
> >>>> Is that a fair summary?
> >>>>
> >>>> If yes, we can make this a bit harder by mixing in some
> >>>> data per input and/or output devices.
> >>>>
> >>>> For example, just to give you the idea:
> >>>>
> >>>> diff --git a/net/core/dev.c b/net/core/dev.c
> >>>> index 683d493..4faa7ef 100644
> >>>> --- a/net/core/dev.c
> >>>> +++ b/net/core/dev.c
> >>>> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> >>>> trace_netif_receive_skb(skb);
> >>>>
> >>>> orig_dev = skb->dev;
> >>>> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> >>>>
> >>>> skb_reset_network_header(skb);
> >>>> if (!skb_transport_header_was_set(skb))
> >>>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> >>>> index ce69a12..819a821 100644
> >>>> --- a/net/ipv6/ip6_output.c
> >>>> +++ b/net/ipv6/ip6_output.c
> >>>> @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> >>>> sizeof(struct frag_hdr)) & ~7;
> >>>> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> >>>> ipv6_select_ident(&fhdr, rt);
> >>>> - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> >>>> + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> >>>> + fhdr.identification);
> >>>>
> >>>> append:
> >>>> return skb_append_datato_frags(sk, skb, getfrag, from,
> >>>>
> >>>
> >>> I thought about mixing in the incoming interface identifier into the
> >>> frag id generation, but that could hurt us badly as soon as a VM has
> >>> more than one interface to the outside world and uses e.g. ECMP. We need
> >>> to make sure that those frag ids are unique and the kernel needs to be
> >>> better than just using a random number generator.
> >>>
> >>
> >> So the goal behind this series of patches is to restore VM functionality to
> >> pre-916e4cf46d0204 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data").
> >
> > I understand (the patch fixed a NULL ptr deref btw.).
> >
> > As I said, I don't want to stop this series (hopefully the flag can be
> > moved into skb_shared_info etc.), would look after that IMHO
> > (skb flags/IPCB and skb_shared_info have different semantics on
> > __skb_clone).
> >
> > I think it is very much worth to try to move the fragmentation id
> > generation back to the end host and only use this as a fallback.
>
> I think we are in agreement here.
>
> -vlad
> >
> > Bye,
> > Hannes
> >
> >
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Vlad Yasevich @ 2015-01-28 15:27 UTC (permalink / raw)
To: Hannes Frederic Sowa
Cc: Michael S. Tsirkin, netdev, Vladislav Yasevich, virtualization,
edumazet, Ben Hutchings
In-Reply-To: <1422456339.4678.85.camel@stressinduktion.org>
On 01/28/2015 09:45 AM, Hannes Frederic Sowa wrote:
> Hi,
>
> On Mi, 2015-01-28 at 09:16 -0500, Vlad Yasevich wrote:
>> On 01/28/2015 05:34 AM, Hannes Frederic Sowa wrote:
>>> Hi,
>>>
>>> On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
>>>> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
>>>>> Hello,
>>>>>
>>>>> On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
>>>>>> On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
>>>>>>> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
>>>>>>>> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
>>>>>>>>> On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
>>>>>>>>>> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
>>>>>>>>>>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
>>>>>>>>>>>> If the IPv6 fragment id has not been set and we perform
>>>>>>>>>>>> fragmentation due to UFO, select a new fragment id.
>>>>>>>>>>>> When we store the fragment id into skb_shinfo, set the bit
>>>>>>>>>>>> in the skb so we can re-use the selected id.
>>>>>>>>>>>> This preserves the behavior of UFO packets generated on the
>>>>>>>>>>>> host and solves the issue of id generation for packet sockets
>>>>>>>>>>>> and tap/macvtap devices.
>>>>>>>>>>>>
>>>>>>>>>>>> This patch moves ipv6_select_ident() back in to the header file.
>>>>>>>>>>>> It also provides the helper function that sets skb_shinfo() frag
>>>>>>>>>>>> id and sets the bit.
>>>>>>>>>>>>
>>>>>>>>>>>> It also makes sure that we select the fragment id when doing
>>>>>>>>>>>> just gso validation, since it's possible for the packet to
>>>>>>>>>>>> come from an untrusted source (VM) and be forwarded through
>>>>>>>>>>>> a UFO enabled device which will expect the fragment id.
>>>>>>>>>>>>
>>>>>>>>>>>> CC: Eric Dumazet <edumazet@google.com>
>>>>>>>>>>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
>>>>>>>>>>>> ---
>>>>>>>>>>>> include/linux/skbuff.h | 3 ++-
>>>>>>>>>>>> include/net/ipv6.h | 2 ++
>>>>>>>>>>>> net/ipv6/ip6_output.c | 4 ++--
>>>>>>>>>>>> net/ipv6/output_core.c | 9 ++++++++-
>>>>>>>>>>>> net/ipv6/udp_offload.c | 10 +++++++++-
>>>>>>>>>>>> 5 files changed, 23 insertions(+), 5 deletions(-)
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
>>>>>>>>>>>> index 85ab7d7..3ad5203 100644
>>>>>>>>>>>> --- a/include/linux/skbuff.h
>>>>>>>>>>>> +++ b/include/linux/skbuff.h
>>>>>>>>>>>> @@ -605,7 +605,8 @@ struct sk_buff {
>>>>>>>>>>>> __u8 ipvs_property:1;
>>>>>>>>>>>> __u8 inner_protocol_type:1;
>>>>>>>>>>>> __u8 remcsum_offload:1;
>>>>>>>>>>>> - /* 3 or 5 bit hole */
>>>>>>>>>>>> + __u8 ufo_fragid_set:1;
>>>>>>>>>>> [...]
>>>>>>>>>>>
>>>>>>>>>>> Doesn't the flag belong in struct skb_shared_info, rather than struct
>>>>>>>>>>> sk_buff? Otherwise this looks fine.
>>>>>>>>>>>
>>>>>>>>>>> Ben.
>>>>>>>>>>
>>>>>>>>>> Hmm we seem to be out of tx flags.
>>>>>>>>>> Maybe ip6_frag_id == 0 should mean "not set".
>>>>>>>>>
>>>>>>>>> Maybe that is the best idea. Definitely the ufo_fragid_set bit should
>>>>>>>>> move into the skb_shared_info area.
>>>>>>>>
>>>>>>>> That's what I originally wanted to do, but had to move and grow txflags thus
>>>>>>>> skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
>>>>>>>>
>>>>>>>> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
>>>>>>>> from the protocol perspective and could actually be generated by the id generator
>>>>>>>> functions. This may cause us to call the id generation multiple times.
>>>>>>>
>>>>>>> Are there plans in the long run to let virtio_net transmit auxiliary
>>>>>>> data to the other end so we can clean all of this this up one day?
>>>>>>>
>>>>>>> I don't like the whole situation: looking into the virtio_net headers
>>>>>>> just adding a field for ipv6 fragmentation ids to those small structs
>>>>>>> seems bloated, not doing it feels incorrect. :/
>>>>>>>
>>>>>>> Thoughts?
>>>>>>>
>>>>>>> Bye,
>>>>>>> Hannes
>>>>>>
>>>>>> I'm not sure - what will be achieved by generating the IDs guest side as
>>>>>> opposed to host side? It's certainly harder to get hold of entropy
>>>>>> guest-side.
>>>>>
>>>>> It is not only about entropy but about uniqueness. Also fragmentation
>>>>> ids should not be discoverable,
>>>>
>>>> I belive "predictable" is the language used by the IETF draft.
>>>>
>>>>> so there are several aspects:
>>>>>
>>>>> I see fragmentation id generation still as security critical:
>>>>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
>>>>> identifiers less predictable") I could patch my kernels and use the
>>>>> patch regardless of the machine being virtualized or not. It was not
>>>>> dependent on the hypervisor.
>>>>
>>>> And now it's even easier - just patch the hypervisor, and all VMs
>>>> automatically benefit.
>>>
>>> Sometimes the hypervisor is not under my control. You would need to
>>> patch both kernels in your case - non gso frames would still get the
>>> fragmentation id generated in the host kernel.
>>
>> Why would non-gso frames need a frag id? We are talking only UDP IPv6
>> here, so there is no frag id generation if the packet does't need to
>> be fragmented.
>
> E.g. raw sockets still can generate fragments locally. It is also a
> valid setup to have multiple interfaces in one machine, one that is UFO
> enabled and one that isn't. In that case, fragmentation id generation
> happens on different hosts which I want to avoid.
OK, so you are concerned about both host and guest generating fragment
ids. Host would do it for GSO frames and guest would do it for fragmented
frames. Yes, there is room for collision, which is why we are aiming to
fix this with fragment id passing through virtio_net. However, I am still
trying to figure the best way to do this as it extends the virtio_net header
and we want to do it right.
>
> I haven't looked closely but mismatch of MTUs on interfaces seems like
> it could lead to unwanted fragmentation, e.g. see is_skb_forwardable
> which is mostly always true for gso frames, so we never stop them on
> bridges etc.
Yes, this is one of the cases that gets triggered with VMs.
>
>>>>> I think that is the same reasoning why we
>>>>> don't support TOE.
>>>>> If we use one generator in the hypervisor in an openstack alike setting,
>>>>> the host deals with quite a lot of overlay networks. A lot of default
>>>>> configurations use the same addresses internally, so on the hypervisor
>>>>> the frag id generators would interfere by design.
>>>>> I could come up with an attack scenario for DNS servers (again :) ):
>>>>>
>>>>> You are sitting next to a DNS server on the same hypervisor and can send
>>>>> packets without source validation (because that is handled later on in
>>>>> case of openvswitch when the packet is put into the corresponding
>>>>> overlay network). You emit a gso packet with the same source and
>>>>> destination addresses as the DNS server would do and would get an
>>>>> fragmentation id which is linearly (+ time delta) incremented depending
>>>>> on the source and destination address. With such a leak you could start
>>>>> trying attack and spoof DNS responses (fragmentation attacks etc.).
>>>>> See also details on such kind of attacks in the description of commit
>>>>> 04ca6973f7c1a0d.
>>>>>
>>>>> AFAIK IETF tried with IPv6 to push fragmentation id generation to the
>>>>> end hosts, that's also the reason for the introduction of atomic
>>>>> fragments (which are now being rolled back ;) ).
>>>>>
>>>>> Still it is better to generate a frag id on the hypervisor than just
>>>>> sending a 0, so I am ok with this change, albeit not happy.
>>>>>
>>>>> Thanks,
>>>>> Hannes
>>>>>
>>>>
>>>> OK so to summarize, identifiers are only re-randomized once per jiffy,
>>>> so you worry that within this window, an external observer can discover
>>>> past fragment ID values and so predict the future ones.
>>>> All that's required is that two paths go through the same box performing
>>>> fragmentation.
>>>>
>>>> Is that a fair summary?
>>>>
>>>> If yes, we can make this a bit harder by mixing in some
>>>> data per input and/or output devices.
>>>>
>>>> For example, just to give you the idea:
>>>>
>>>> diff --git a/net/core/dev.c b/net/core/dev.c
>>>> index 683d493..4faa7ef 100644
>>>> --- a/net/core/dev.c
>>>> +++ b/net/core/dev.c
>>>> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
>>>> trace_netif_receive_skb(skb);
>>>>
>>>> orig_dev = skb->dev;
>>>> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
>>>>
>>>> skb_reset_network_header(skb);
>>>> if (!skb_transport_header_was_set(skb))
>>>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>>>> index ce69a12..819a821 100644
>>>> --- a/net/ipv6/ip6_output.c
>>>> +++ b/net/ipv6/ip6_output.c
>>>> @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
>>>> sizeof(struct frag_hdr)) & ~7;
>>>> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>>>> ipv6_select_ident(&fhdr, rt);
>>>> - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
>>>> + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
>>>> + fhdr.identification);
>>>>
>>>> append:
>>>> return skb_append_datato_frags(sk, skb, getfrag, from,
>>>>
>>>
>>> I thought about mixing in the incoming interface identifier into the
>>> frag id generation, but that could hurt us badly as soon as a VM has
>>> more than one interface to the outside world and uses e.g. ECMP. We need
>>> to make sure that those frag ids are unique and the kernel needs to be
>>> better than just using a random number generator.
>>>
>>
>> So the goal behind this series of patches is to restore VM functionality to
>> pre-916e4cf46d0204 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data").
>
> I understand (the patch fixed a NULL ptr deref btw.).
>
> As I said, I don't want to stop this series (hopefully the flag can be
> moved into skb_shared_info etc.), would look after that IMHO
> (skb flags/IPCB and skb_shared_info have different semantics on
> __skb_clone).
>
> I think it is very much worth to try to move the fragmentation id
> generation back to the end host and only use this as a fallback.
I think we are in agreement here.
-vlad
>
> Bye,
> Hannes
>
>
^ permalink raw reply
* RE: [PATCH v5] can: Convert to runtime_pm
From: Appana Durga Kedareswara Rao @ 2015-01-28 15:19 UTC (permalink / raw)
To: Marc Kleine-Budde, wg@grandegger.com, Michal Simek,
Soren Brinkmann, grant.likely@linaro.org, robh+dt@kernel.org
Cc: netdev@vger.kernel.org, devicetree@vger.kernel.org,
linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org, linux-can@vger.kernel.org
In-Reply-To: <54C8F62D.6090909@pengutronix.de>
Hi Marc,
> -----Original Message-----
> From: Marc Kleine-Budde [mailto:mkl@pengutronix.de]
> Sent: Wednesday, January 28, 2015 8:16 PM
> To: Appana Durga Kedareswara Rao; wg@grandegger.com; Michal Simek;
> Soren Brinkmann; grant.likely@linaro.org; robh+dt@kernel.org
> Cc: linux-can@vger.kernel.org; netdev@vger.kernel.org; linux-arm-
> kernel@lists.infradead.org; linux-kernel@vger.kernel.org;
> devicetree@vger.kernel.org; Appana Durga Kedareswara Rao
> Subject: Re: [PATCH v5] can: Convert to runtime_pm
>
> On 01/12/2015 04:04 PM, Kedareswara rao Appana wrote:
> > Instead of enabling/disabling clocks at several locations in the
> > driver, Use the runtime_pm framework. This consolidates the actions
> > for runtime PM In the appropriate callbacks and makes the driver more
> readable and mantainable.
> >
> > Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
> > Signed-off-by: Kedareswara rao Appana <appanad@xilinx.com>
> > ---
> > Changes for v5:
> > - Updated with the review comments.
> > Updated the remove fuction to use runtime_pm.
> > Chnages for v4:
> > - Updated with the review comments.
> > Changes for v3:
> > - Converted the driver to use runtime_pm.
> > Changes for v2:
> > - Removed the struct platform_device* from suspend/resume
> > as suggest by Lothar.
>
> Any plans to submit a v6?
I was on vacation till yesterday just came to office today only. Will look into it and will send v6 at the earliest.
Regards,
Kedar.
>
> Marc
> --
> Pengutronix e.K. | Marc Kleine-Budde |
> Industrial Linux Solutions | Phone: +49-231-2826-924 |
> Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
> Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
This email and any attachments are intended for the sole use of the named recipient(s) and contain(s) confidential information that may be proprietary, privileged or copyrighted under applicable law. If you are not the intended recipient, do not read, copy, or forward this email message or any attachments. Delete this email message and any attachments immediately.
^ permalink raw reply
* Re: [PATCH 2/2] string_helpers: Change semantics of string_escape_mem
From: Andy Shevchenko @ 2015-01-28 15:05 UTC (permalink / raw)
To: Rasmus Villemoes
Cc: Andrew Morton, Trond Myklebust, J. Bruce Fields, David S. Miller,
linux-kernel, linux-nfs, netdev
In-Reply-To: <1422451543-12401-3-git-send-email-linux@rasmusvillemoes.dk>
On Wed, 2015-01-28 at 14:25 +0100, Rasmus Villemoes wrote:
> The current semantics of string_escape_mem are inadequate for one of
> its two current users, vsnprintf(). If that is to honour its contract,
> it must know how much space would be needed for the entire escaped
> buffer, and string_escape_mem provides no way of obtaining that (short
> of allocating a large enough buffer (~4 times input string) to let it
> play with, and that's definitely a big no-no inside vsnprintf).
>
> So change the semantics for string_escape_mem to be more
> snprintf-like: Return the size of the output that would be generated
> if the destination buffer was big enough, but of course still only
> write to the part of dst it is allowed to, and don't do
> '\0'-termination. It is then up to the caller to detect whether output
> was truncated and to append a '\0' if desired.
>
> This also fixes a bug in the escaped_string() helper function, which
> used to unconditionally pass a length of "end-buf" to
> string_escape_mem(); since the latter doesn't check osz for being
> insanely large, it would happily write to dst. For example,
> kasprintf(GFP_KERNEL, "something and then %pE", ...); is an easy way
> to trigger an oops.
> The patch is somewhat larger than I'd like, but I couldn't find a way
> of splitting it into smaller pieces. Implementation-wise, I changed
> the various escape_* helpers to return true if they handled the
> character, updating dst appropriately, false otherwise. Maybe there's
> a more elegant way, but this seems to work.
Can we split this to at least two parts: internal API changes to
string_escape_mem() and the rest?
> In test-string_helpers.c, I removed the now meaningless -ENOMEM test,
> and replaced it with testing for getting the expected return value
> even if the buffer is too small. Also ensure that nothing is written
> when osz==0.
>
> In net/sunrpc/cache.c, I think qword_add still has the same
> semantics. Someone should definitely double-check this.
--
Andy Shevchenko <andriy.shevchenko@intel.com>
Intel Finland Oy
^ permalink raw reply
* Re: [PATCH v5] can: Convert to runtime_pm
From: Marc Kleine-Budde @ 2015-01-28 14:46 UTC (permalink / raw)
To: Kedareswara rao Appana, wg, michal.simek, soren.brinkmann,
grant.likely, robh+dt
Cc: devicetree, netdev, linux-kernel, linux-can,
Kedareswara rao Appana, linux-arm-kernel
In-Reply-To: <baf987c11c0242c2bf87b81f9396b09d@BN1BFFO11FD018.protection.gbl>
[-- Attachment #1.1: Type: text/plain, Size: 1088 bytes --]
On 01/12/2015 04:04 PM, Kedareswara rao Appana wrote:
> Instead of enabling/disabling clocks at several locations in the driver,
> Use the runtime_pm framework. This consolidates the actions for runtime PM
> In the appropriate callbacks and makes the driver more readable and mantainable.
>
> Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com>
> Signed-off-by: Kedareswara rao Appana <appanad@xilinx.com>
> ---
> Changes for v5:
> - Updated with the review comments.
> Updated the remove fuction to use runtime_pm.
> Chnages for v4:
> - Updated with the review comments.
> Changes for v3:
> - Converted the driver to use runtime_pm.
> Changes for v2:
> - Removed the struct platform_device* from suspend/resume
> as suggest by Lothar.
Any plans to submit a v6?
Marc
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
[-- Attachment #2: Type: text/plain, Size: 176 bytes --]
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Hannes Frederic Sowa @ 2015-01-28 14:45 UTC (permalink / raw)
To: vyasevic
Cc: Michael S. Tsirkin, netdev, Vladislav Yasevich, virtualization,
edumazet, Ben Hutchings
In-Reply-To: <54C8EF25.1030302@redhat.com>
Hi,
On Mi, 2015-01-28 at 09:16 -0500, Vlad Yasevich wrote:
> On 01/28/2015 05:34 AM, Hannes Frederic Sowa wrote:
> > Hi,
> >
> > On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> >> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> >>> Hello,
> >>>
> >>> On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> >>>> On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> >>>>> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> >>>>>> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> >>>>>>> On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> >>>>>>>> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> >>>>>>>>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> >>>>>>>>>> If the IPv6 fragment id has not been set and we perform
> >>>>>>>>>> fragmentation due to UFO, select a new fragment id.
> >>>>>>>>>> When we store the fragment id into skb_shinfo, set the bit
> >>>>>>>>>> in the skb so we can re-use the selected id.
> >>>>>>>>>> This preserves the behavior of UFO packets generated on the
> >>>>>>>>>> host and solves the issue of id generation for packet sockets
> >>>>>>>>>> and tap/macvtap devices.
> >>>>>>>>>>
> >>>>>>>>>> This patch moves ipv6_select_ident() back in to the header file.
> >>>>>>>>>> It also provides the helper function that sets skb_shinfo() frag
> >>>>>>>>>> id and sets the bit.
> >>>>>>>>>>
> >>>>>>>>>> It also makes sure that we select the fragment id when doing
> >>>>>>>>>> just gso validation, since it's possible for the packet to
> >>>>>>>>>> come from an untrusted source (VM) and be forwarded through
> >>>>>>>>>> a UFO enabled device which will expect the fragment id.
> >>>>>>>>>>
> >>>>>>>>>> CC: Eric Dumazet <edumazet@google.com>
> >>>>>>>>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> >>>>>>>>>> ---
> >>>>>>>>>> include/linux/skbuff.h | 3 ++-
> >>>>>>>>>> include/net/ipv6.h | 2 ++
> >>>>>>>>>> net/ipv6/ip6_output.c | 4 ++--
> >>>>>>>>>> net/ipv6/output_core.c | 9 ++++++++-
> >>>>>>>>>> net/ipv6/udp_offload.c | 10 +++++++++-
> >>>>>>>>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> >>>>>>>>>>
> >>>>>>>>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> >>>>>>>>>> index 85ab7d7..3ad5203 100644
> >>>>>>>>>> --- a/include/linux/skbuff.h
> >>>>>>>>>> +++ b/include/linux/skbuff.h
> >>>>>>>>>> @@ -605,7 +605,8 @@ struct sk_buff {
> >>>>>>>>>> __u8 ipvs_property:1;
> >>>>>>>>>> __u8 inner_protocol_type:1;
> >>>>>>>>>> __u8 remcsum_offload:1;
> >>>>>>>>>> - /* 3 or 5 bit hole */
> >>>>>>>>>> + __u8 ufo_fragid_set:1;
> >>>>>>>>> [...]
> >>>>>>>>>
> >>>>>>>>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> >>>>>>>>> sk_buff? Otherwise this looks fine.
> >>>>>>>>>
> >>>>>>>>> Ben.
> >>>>>>>>
> >>>>>>>> Hmm we seem to be out of tx flags.
> >>>>>>>> Maybe ip6_frag_id == 0 should mean "not set".
> >>>>>>>
> >>>>>>> Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> >>>>>>> move into the skb_shared_info area.
> >>>>>>
> >>>>>> That's what I originally wanted to do, but had to move and grow txflags thus
> >>>>>> skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> >>>>>>
> >>>>>> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> >>>>>> from the protocol perspective and could actually be generated by the id generator
> >>>>>> functions. This may cause us to call the id generation multiple times.
> >>>>>
> >>>>> Are there plans in the long run to let virtio_net transmit auxiliary
> >>>>> data to the other end so we can clean all of this this up one day?
> >>>>>
> >>>>> I don't like the whole situation: looking into the virtio_net headers
> >>>>> just adding a field for ipv6 fragmentation ids to those small structs
> >>>>> seems bloated, not doing it feels incorrect. :/
> >>>>>
> >>>>> Thoughts?
> >>>>>
> >>>>> Bye,
> >>>>> Hannes
> >>>>
> >>>> I'm not sure - what will be achieved by generating the IDs guest side as
> >>>> opposed to host side? It's certainly harder to get hold of entropy
> >>>> guest-side.
> >>>
> >>> It is not only about entropy but about uniqueness. Also fragmentation
> >>> ids should not be discoverable,
> >>
> >> I belive "predictable" is the language used by the IETF draft.
> >>
> >>> so there are several aspects:
> >>>
> >>> I see fragmentation id generation still as security critical:
> >>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> >>> identifiers less predictable") I could patch my kernels and use the
> >>> patch regardless of the machine being virtualized or not. It was not
> >>> dependent on the hypervisor.
> >>
> >> And now it's even easier - just patch the hypervisor, and all VMs
> >> automatically benefit.
> >
> > Sometimes the hypervisor is not under my control. You would need to
> > patch both kernels in your case - non gso frames would still get the
> > fragmentation id generated in the host kernel.
>
> Why would non-gso frames need a frag id? We are talking only UDP IPv6
> here, so there is no frag id generation if the packet does't need to
> be fragmented.
E.g. raw sockets still can generate fragments locally. It is also a
valid setup to have multiple interfaces in one machine, one that is UFO
enabled and one that isn't. In that case, fragmentation id generation
happens on different hosts which I want to avoid.
I haven't looked closely but mismatch of MTUs on interfaces seems like
it could lead to unwanted fragmentation, e.g. see is_skb_forwardable
which is mostly always true for gso frames, so we never stop them on
bridges etc.
> >>> I think that is the same reasoning why we
> >>> don't support TOE.
> >>> If we use one generator in the hypervisor in an openstack alike setting,
> >>> the host deals with quite a lot of overlay networks. A lot of default
> >>> configurations use the same addresses internally, so on the hypervisor
> >>> the frag id generators would interfere by design.
> >>> I could come up with an attack scenario for DNS servers (again :) ):
> >>>
> >>> You are sitting next to a DNS server on the same hypervisor and can send
> >>> packets without source validation (because that is handled later on in
> >>> case of openvswitch when the packet is put into the corresponding
> >>> overlay network). You emit a gso packet with the same source and
> >>> destination addresses as the DNS server would do and would get an
> >>> fragmentation id which is linearly (+ time delta) incremented depending
> >>> on the source and destination address. With such a leak you could start
> >>> trying attack and spoof DNS responses (fragmentation attacks etc.).
> >>> See also details on such kind of attacks in the description of commit
> >>> 04ca6973f7c1a0d.
> >>>
> >>> AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> >>> end hosts, that's also the reason for the introduction of atomic
> >>> fragments (which are now being rolled back ;) ).
> >>>
> >>> Still it is better to generate a frag id on the hypervisor than just
> >>> sending a 0, so I am ok with this change, albeit not happy.
> >>>
> >>> Thanks,
> >>> Hannes
> >>>
> >>
> >> OK so to summarize, identifiers are only re-randomized once per jiffy,
> >> so you worry that within this window, an external observer can discover
> >> past fragment ID values and so predict the future ones.
> >> All that's required is that two paths go through the same box performing
> >> fragmentation.
> >>
> >> Is that a fair summary?
> >>
> >> If yes, we can make this a bit harder by mixing in some
> >> data per input and/or output devices.
> >>
> >> For example, just to give you the idea:
> >>
> >> diff --git a/net/core/dev.c b/net/core/dev.c
> >> index 683d493..4faa7ef 100644
> >> --- a/net/core/dev.c
> >> +++ b/net/core/dev.c
> >> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> >> trace_netif_receive_skb(skb);
> >>
> >> orig_dev = skb->dev;
> >> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> >>
> >> skb_reset_network_header(skb);
> >> if (!skb_transport_header_was_set(skb))
> >> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> >> index ce69a12..819a821 100644
> >> --- a/net/ipv6/ip6_output.c
> >> +++ b/net/ipv6/ip6_output.c
> >> @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> >> sizeof(struct frag_hdr)) & ~7;
> >> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> >> ipv6_select_ident(&fhdr, rt);
> >> - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> >> + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> >> + fhdr.identification);
> >>
> >> append:
> >> return skb_append_datato_frags(sk, skb, getfrag, from,
> >>
> >
> > I thought about mixing in the incoming interface identifier into the
> > frag id generation, but that could hurt us badly as soon as a VM has
> > more than one interface to the outside world and uses e.g. ECMP. We need
> > to make sure that those frag ids are unique and the kernel needs to be
> > better than just using a random number generator.
> >
>
> So the goal behind this series of patches is to restore VM functionality to
> pre-916e4cf46d0204 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data").
I understand (the patch fixed a NULL ptr deref btw.).
As I said, I don't want to stop this series (hopefully the flag can be
moved into skb_shared_info etc.), would look after that IMHO
(skb flags/IPCB and skb_shared_info have different semantics on
__skb_clone).
I think it is very much worth to try to move the fragmentation id
generation back to the end host and only use this as a fallback.
Bye,
Hannes
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Hannes Frederic Sowa @ 2015-01-28 14:17 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <20150128134335.GA31959@redhat.com>
On Mi, 2015-01-28 at 15:43 +0200, Michael S. Tsirkin wrote:
> On Wed, Jan 28, 2015 at 11:34:02AM +0100, Hannes Frederic Sowa wrote:
> > Hi,
> >
> > On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> > > On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> > > > Hello,
> > > >
> > > > On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> > > > > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > > > > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > > > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > > > > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> > > > > > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> > > > > > > >>>> If the IPv6 fragment id has not been set and we perform
> > > > > > > >>>> fragmentation due to UFO, select a new fragment id.
> > > > > > > >>>> When we store the fragment id into skb_shinfo, set the bit
> > > > > > > >>>> in the skb so we can re-use the selected id.
> > > > > > > >>>> This preserves the behavior of UFO packets generated on the
> > > > > > > >>>> host and solves the issue of id generation for packet sockets
> > > > > > > >>>> and tap/macvtap devices.
> > > > > > > >>>>
> > > > > > > >>>> This patch moves ipv6_select_ident() back in to the header file.
> > > > > > > >>>> It also provides the helper function that sets skb_shinfo() fragd have to patch both kernels *in your case*.
If it's all done by host, then it's in a single place, on host.
> > > > > > > >>>> id and sets the bit.
> > > > > > > >>>>
> > > > > > > >>>> It also makes sure that we select the fragment id when doing
> > > > > > > >>>> just gso validation, since it's possible for the packet to
> > > > > > > >>>> come from an untrusted source (VM) and be forwarded through
> > > > > > > >>>> a UFO enabled device which will expect the fragment id.
> > > > > > > >>>>
> > > > > > > >>>> CC: Eric Dumazet <edumazet@google.com>
> > > > > > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > > > > > > >>>> ---
> > > > > > > >>>> include/linux/skbuff.h | 3 ++-
> > > > > > > >>>> include/net/ipv6.h | 2 ++
> > > > > > > >>>> net/ipv6/ip6_output.c | 4 ++--
> > > > > > > >>>> net/ipv6/output_core.c | 9 ++++++++-
> > > > > > > >>>> net/ipv6/udp_offload.c | 10 +++++++++-
> > > > > > > >>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> > > > > > > >>>>
> > > > > > > >>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > > > > > > >>>> index 85ab7d7..3ad5203 100644
> > > > > > > >>>> --- a/include/linux/skbuff.h
> > > > > > > >>>> +++ b/include/linux/skbuff.h
> > > > > > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > > > > > >>>> __u8 ipvs_property:1;
> > > > > > > >>>> __u8 inner_protocol_type:1;
> > > > > > > >>>> __u8 remcsum_offload:1;
> > > > > > > >>>> - /* 3 or 5 bit hole */
> > > > > > > >>>> + __u8 ufo_fragid_set:1;
> > > > > > > >>> [...]
> > > > > > > >>>
> > > > > > > >>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> > > > > > > >>> sk_buff? Otherwise this looks fine.
> > > > > > > >>>
> > > > > > > >>> Ben.
> > > > > > > >>
> > > > > > > >> Hmm we seem to be out of tx flags.
> > > > > > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > > > > >
> > > > > > > > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > > > > > > > move into the skb_shared_info area.
> > > > > > >
> > > > > > > That's what I originally wanted to do, but had to move and grow txflags thus
> > > > > > > skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> > > > > > >
> > > > > > > I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> > > > > > > from the protocol perspective and could actually be generated by the id generator
> > > > > > > functions. This may cause us to call the id generation multiple times.
> > > > > >
> > > > > > Are there plans in the long run to let virtio_net transmit auxiliary
> > > > > > data to the other end so we can clean all of this this up one day?
> > > > > >
> > > > > > I don't like the whole situation: looking into the virtio_net headers
> > > > > > just adding a field for ipv6 fragmentation ids to those small structs
> > > > > > seems bloated, not doing it feels incorrect. :/
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > > Bye,
> > > > > > Hannes
> > > > >
> > > > > I'm not sure - what will be achieved by generating the IDs guest side as
> > > > > opposed to host side? It's certainly harder to get hold of entropy
> > > > > guest-side.
> > > >
> > > > It is not only about entropy but about uniqueness. Also fragmentation
> > > > ids should not be discoverable,
> > >
> > > I belive "predictable" is the language used by the IETF draft.
> > >
> > > > so there are several aspects:
> > > >
> > > > I see fragmentation id generation still as security critical:
> > > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > > identifiers less predictable") I could patch my kernels and use the
> > > > patch regardless of the machine being virtualized or not. It was not
> > > > dependent on the hypervisor.
> > >
> > > And now it's even easier - just patch the hypervisor, and all VMs
> > > automatically benefit.
> >
> > Sometimes the hypervisor is not under my control. You would need to
> > patch both kernels in your case - non gso frames would still get the
> > fragmentation id generated in the host kernel.
>
> Confused. You would have to patch both kernels *in your case*.
> If it's all done by host, then it's in a single place, on host.
host is the hypervisor?
Anyway, we would have to patch both kernels now anyway. :)
We still have a working ipv6_fragment routine in the virtualized kernel
which can embed fragmentation extension headers in frames, thus
generating the fragmentation id in the virtualized kernel.
> > > > I think that is the same reasoning why we
> > > > don't support TOE.
> > > > If we use one generator in the hypervisor in an openstack alike setting,
> > > > the host deals with quite a lot of overlay networks. A lot of default
> > > > configurations use the same addresses internally, so on the hypervisor
> > > > the frag id generators would interfere by design.
> > > > I could come up with an attack scenario for DNS servers (again :) ):
> > > >
> > > > You are sitting next to a DNS server on the same hypervisor and can send
> > > > packets without source validation (because that is handled later on in
> > > > case of openvswitch when the packet is put into the corresponding
> > > > overlay network). You emit a gso packet with the same source and
> > > > destination addresses as the DNS server would do and would get an
> > > > fragmentation id which is linearly (+ time delta) incremented depending
> > > > on the source and destination address. With such a leak you could start
> > > > trying attack and spoof DNS responses (fragmentation attacks etc.).
> > > > See also details on such kind of attacks in the description of commit
> > > > 04ca6973f7c1a0d.
> > > >
> > > > AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> > > > end hosts, that's also the reason for the introduction of atomic
> > > > fragments (which are now being rolled back ;) ).
> > > >
> > > > Still it is better to generate a frag id on the hypervisor than just
> > > > sending a 0, so I am ok with this change, albeit not happy.
> > > >
> > > > Thanks,
> > > > Hannes
> > > >
> > >
> > > OK so to summarize, identifiers are only re-randomized once per jiffy,
> > > so you worry that within this window, an external observer can discover
> > > past fragment ID values and so predict the future ones.
> > > All that's required is that two paths go through the same box performing
> > > fragmentation.
> > >
> > > Is that a fair summary?
> > >
> > > If yes, we can make this a bit harder by mixing in some
> > > data per input and/or output devices.
> > >
> > > For example, just to give you the idea:
> > >
> > > diff --git a/net/core/dev.c b/net/core/dev.c
> > > index 683d493..4faa7ef 100644
> > > --- a/net/core/dev.c
> > > +++ b/net/core/dev.c
> > > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > > trace_netif_receive_skb(skb);
> > >
> > > orig_dev = skb->dev;
> > > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> > >
> > > skb_reset_network_header(skb);
> > > if (!skb_transport_header_was_set(skb))
> > > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > > index ce69a12..819a821 100644
> > > --- a/net/ipv6/ip6_output.c
> > > +++ b/net/ipv6/ip6_output.c
> > > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > > sizeof(struct frag_hdr)) & ~7;
> > > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > > ipv6_select_ident(&fhdr, rt);
> > > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > > + fhdr.identification);
> > >
> > > append:
> > > return skb_append_datato_frags(sk, skb, getfrag, from,
> > >
> >
> > I thought about mixing in the incoming interface identifier into the
> > frag id generation, but that could hurt us badly as soon as a VM has
> > more than one interface to the outside world and uses e.g. ECMP.
>
> I don't understand. Fragmentation is done after routing,
> isn't it? So all fragments always go out on the same device.
It is the other way around:
(Source, Dest) is the key to lookup the next fragmentation id. We send
two fragments and use (Source, Dest, ifindex) as key, then the first
packet leaves the host on ifindex 1 with fragid x (because it was a big
gso packet it got segments), second packet leaves host on ifindex 2 with
same Source and Dest and results in fragid y. Ideally both those packets
should use the same bucket to improve uniqueness. Without ifindex we
would have y = x+<number segments>, otherwise it would be (I guess)
random.
> > We need
> > to make sure that those frag ids are unique and the kernel needs to be
> > better than just using a random number generator.
> >
> > Bye,
> > Hannes
>
> 32 bit numbers can't be unique. They just shouldn't be discoverable
> by an off-path observer.
No, they can't. But they should be reasonable unique and, as you said,
not discoverable.
Bye,
Hannes
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Vlad Yasevich @ 2015-01-28 14:16 UTC (permalink / raw)
To: Hannes Frederic Sowa, Michael S. Tsirkin
Cc: netdev, Vladislav Yasevich, Ben Hutchings, edumazet,
virtualization
In-Reply-To: <1422441242.4678.32.camel@stressinduktion.org>
On 01/28/2015 05:34 AM, Hannes Frederic Sowa wrote:
> Hi,
>
> On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
>> On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
>>> Hello,
>>>
>>> On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
>>>> On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
>>>>> On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
>>>>>> On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
>>>>>>> On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
>>>>>>>> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
>>>>>>>>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
>>>>>>>>>> If the IPv6 fragment id has not been set and we perform
>>>>>>>>>> fragmentation due to UFO, select a new fragment id.
>>>>>>>>>> When we store the fragment id into skb_shinfo, set the bit
>>>>>>>>>> in the skb so we can re-use the selected id.
>>>>>>>>>> This preserves the behavior of UFO packets generated on the
>>>>>>>>>> host and solves the issue of id generation for packet sockets
>>>>>>>>>> and tap/macvtap devices.
>>>>>>>>>>
>>>>>>>>>> This patch moves ipv6_select_ident() back in to the header file.
>>>>>>>>>> It also provides the helper function that sets skb_shinfo() frag
>>>>>>>>>> id and sets the bit.
>>>>>>>>>>
>>>>>>>>>> It also makes sure that we select the fragment id when doing
>>>>>>>>>> just gso validation, since it's possible for the packet to
>>>>>>>>>> come from an untrusted source (VM) and be forwarded through
>>>>>>>>>> a UFO enabled device which will expect the fragment id.
>>>>>>>>>>
>>>>>>>>>> CC: Eric Dumazet <edumazet@google.com>
>>>>>>>>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
>>>>>>>>>> ---
>>>>>>>>>> include/linux/skbuff.h | 3 ++-
>>>>>>>>>> include/net/ipv6.h | 2 ++
>>>>>>>>>> net/ipv6/ip6_output.c | 4 ++--
>>>>>>>>>> net/ipv6/output_core.c | 9 ++++++++-
>>>>>>>>>> net/ipv6/udp_offload.c | 10 +++++++++-
>>>>>>>>>> 5 files changed, 23 insertions(+), 5 deletions(-)
>>>>>>>>>>
>>>>>>>>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
>>>>>>>>>> index 85ab7d7..3ad5203 100644
>>>>>>>>>> --- a/include/linux/skbuff.h
>>>>>>>>>> +++ b/include/linux/skbuff.h
>>>>>>>>>> @@ -605,7 +605,8 @@ struct sk_buff {
>>>>>>>>>> __u8 ipvs_property:1;
>>>>>>>>>> __u8 inner_protocol_type:1;
>>>>>>>>>> __u8 remcsum_offload:1;
>>>>>>>>>> - /* 3 or 5 bit hole */
>>>>>>>>>> + __u8 ufo_fragid_set:1;
>>>>>>>>> [...]
>>>>>>>>>
>>>>>>>>> Doesn't the flag belong in struct skb_shared_info, rather than struct
>>>>>>>>> sk_buff? Otherwise this looks fine.
>>>>>>>>>
>>>>>>>>> Ben.
>>>>>>>>
>>>>>>>> Hmm we seem to be out of tx flags.
>>>>>>>> Maybe ip6_frag_id == 0 should mean "not set".
>>>>>>>
>>>>>>> Maybe that is the best idea. Definitely the ufo_fragid_set bit should
>>>>>>> move into the skb_shared_info area.
>>>>>>
>>>>>> That's what I originally wanted to do, but had to move and grow txflags thus
>>>>>> skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
>>>>>>
>>>>>> I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
>>>>>> from the protocol perspective and could actually be generated by the id generator
>>>>>> functions. This may cause us to call the id generation multiple times.
>>>>>
>>>>> Are there plans in the long run to let virtio_net transmit auxiliary
>>>>> data to the other end so we can clean all of this this up one day?
>>>>>
>>>>> I don't like the whole situation: looking into the virtio_net headers
>>>>> just adding a field for ipv6 fragmentation ids to those small structs
>>>>> seems bloated, not doing it feels incorrect. :/
>>>>>
>>>>> Thoughts?
>>>>>
>>>>> Bye,
>>>>> Hannes
>>>>
>>>> I'm not sure - what will be achieved by generating the IDs guest side as
>>>> opposed to host side? It's certainly harder to get hold of entropy
>>>> guest-side.
>>>
>>> It is not only about entropy but about uniqueness. Also fragmentation
>>> ids should not be discoverable,
>>
>> I belive "predictable" is the language used by the IETF draft.
>>
>>> so there are several aspects:
>>>
>>> I see fragmentation id generation still as security critical:
>>> When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
>>> identifiers less predictable") I could patch my kernels and use the
>>> patch regardless of the machine being virtualized or not. It was not
>>> dependent on the hypervisor.
>>
>> And now it's even easier - just patch the hypervisor, and all VMs
>> automatically benefit.
>
> Sometimes the hypervisor is not under my control. You would need to
> patch both kernels in your case - non gso frames would still get the
> fragmentation id generated in the host kernel.
Why would non-gso frames need a frag id? We are talking only UDP IPv6
here, so there is no frag id generation if the packet does't need to
be fragmented.
>
>>> I think that is the same reasoning why we
>>> don't support TOE.
>>> If we use one generator in the hypervisor in an openstack alike setting,
>>> the host deals with quite a lot of overlay networks. A lot of default
>>> configurations use the same addresses internally, so on the hypervisor
>>> the frag id generators would interfere by design.
>>> I could come up with an attack scenario for DNS servers (again :) ):
>>>
>>> You are sitting next to a DNS server on the same hypervisor and can send
>>> packets without source validation (because that is handled later on in
>>> case of openvswitch when the packet is put into the corresponding
>>> overlay network). You emit a gso packet with the same source and
>>> destination addresses as the DNS server would do and would get an
>>> fragmentation id which is linearly (+ time delta) incremented depending
>>> on the source and destination address. With such a leak you could start
>>> trying attack and spoof DNS responses (fragmentation attacks etc.).
>>> See also details on such kind of attacks in the description of commit
>>> 04ca6973f7c1a0d.
>>>
>>> AFAIK IETF tried with IPv6 to push fragmentation id generation to the
>>> end hosts, that's also the reason for the introduction of atomic
>>> fragments (which are now being rolled back ;) ).
>>>
>>> Still it is better to generate a frag id on the hypervisor than just
>>> sending a 0, so I am ok with this change, albeit not happy.
>>>
>>> Thanks,
>>> Hannes
>>>
>>
>> OK so to summarize, identifiers are only re-randomized once per jiffy,
>> so you worry that within this window, an external observer can discover
>> past fragment ID values and so predict the future ones.
>> All that's required is that two paths go through the same box performing
>> fragmentation.
>>
>> Is that a fair summary?
>>
>> If yes, we can make this a bit harder by mixing in some
>> data per input and/or output devices.
>>
>> For example, just to give you the idea:
>>
>> diff --git a/net/core/dev.c b/net/core/dev.c
>> index 683d493..4faa7ef 100644
>> --- a/net/core/dev.c
>> +++ b/net/core/dev.c
>> @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
>> trace_netif_receive_skb(skb);
>>
>> orig_dev = skb->dev;
>> + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
>>
>> skb_reset_network_header(skb);
>> if (!skb_transport_header_was_set(skb))
>> diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
>> index ce69a12..819a821 100644
>> --- a/net/ipv6/ip6_output.c
>> +++ b/net/ipv6/ip6_output.c
>> @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
>> sizeof(struct frag_hdr)) & ~7;
>> skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
>> ipv6_select_ident(&fhdr, rt);
>> - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
>> + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
>> + fhdr.identification);
>>
>> append:
>> return skb_append_datato_frags(sk, skb, getfrag, from,
>>
>
> I thought about mixing in the incoming interface identifier into the
> frag id generation, but that could hurt us badly as soon as a VM has
> more than one interface to the outside world and uses e.g. ECMP. We need
> to make sure that those frag ids are unique and the kernel needs to be
> better than just using a random number generator.
>
So the goal behind this series of patches is to restore VM functionality to
pre-916e4cf46d0204 ("ipv6: reuse ip6_frag_id from ip6_ufo_append_data").
-vlad
> Bye,
> Hannes
>
>
^ permalink raw reply
* [PATCH 4/4] net: am2150: fix nmclan_cs.c shared interrupt handling
From: Arnd Bergmann @ 2015-01-28 14:15 UTC (permalink / raw)
To: netdev
Cc: Arnd Bergmann, linux-pcmcia, jeffrey.t.kirsher, kas, davem,
linux-arm-kernel
In-Reply-To: <1422454504-439085-1-git-send-email-arnd@arndb.de>
A recent patch tried to work around a valid warning for the use of a
deprecated interface by blindly changing from the old
pcmcia_request_exclusive_irq() interface to pcmcia_request_irq().
This driver has an interrupt handler that is not currently aware
of shared interrupts, but can be easily converted to be.
At the moment, the driver reads the interrupt status register
repeatedly until it contains only zeroes in the interesting bits,
and handles each bit individually.
This patch adds the missing part of returning IRQ_NONE in case none
of the bits are set to start with, so we can move on to the next
interrupt source.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: 5f5316fcd08ef7 ("am2150: Update nmclan_cs.c to use update PCMCIA API")
---
drivers/net/ethernet/amd/nmclan_cs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/amd/nmclan_cs.c b/drivers/net/ethernet/amd/nmclan_cs.c
index 5b22764ba88d..27245efe9f50 100644
--- a/drivers/net/ethernet/amd/nmclan_cs.c
+++ b/drivers/net/ethernet/amd/nmclan_cs.c
@@ -952,6 +952,8 @@ static irqreturn_t mace_interrupt(int irq, void *dev_id)
do {
/* WARNING: MACE_IR is a READ/CLEAR port! */
status = inb(ioaddr + AM2150_MACE_BASE + MACE_IR);
+ if (!(status & ~MACE_IMR_DEFAULT) && IntrCnt == MACE_MAX_IR_ITERATIONS)
+ return IRQ_NONE;
pr_debug("mace_interrupt: irq 0x%X status 0x%X.\n", irq, status);
--
2.1.0.rc2
^ permalink raw reply related
* [PATCH 3/4] net: lance,ni64: don't build for ARM
From: Arnd Bergmann @ 2015-01-28 14:15 UTC (permalink / raw)
To: netdev
Cc: Arnd Bergmann, linux-pcmcia, jeffrey.t.kirsher, kas, davem,
linux-arm-kernel
In-Reply-To: <1422454504-439085-1-git-send-email-arnd@arndb.de>
The ni65 and lance ethernet drivers manually program the ISA DMA
controller that is only available on x86 PCs and a few compatible
systems. Trying to build it on ARM results in this error:
ni65.c: In function 'ni65_probe1':
ni65.c:496:62: error: 'DMA1_STAT_REG' undeclared (first use in this function)
((inb(DMA1_STAT_REG) >> 4) & 0x0f)
^
ni65.c:496:62: note: each undeclared identifier is reported only once for each function it appears in
ni65.c:497:63: error: 'DMA2_STAT_REG' undeclared (first use in this function)
| (inb(DMA2_STAT_REG) & 0xf0);
The DMA1_STAT_REG and DMA2_STAT_REG registers are only defined for
alpha, mips, parisc, powerpc and x86, although it is not clear
which subarchitectures actually have them at the correct location.
This patch for now just disables it for ARM, to avoid randconfig
build errors. We could also decide to limit it to the set of
architectures on which it does compile, but that might look more
deliberate than guessing based on where the drivers build.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/net/ethernet/amd/Kconfig | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/amd/Kconfig b/drivers/net/ethernet/amd/Kconfig
index 5d3b5202327c..c638c85f3954 100644
--- a/drivers/net/ethernet/amd/Kconfig
+++ b/drivers/net/ethernet/amd/Kconfig
@@ -45,7 +45,7 @@ config AMD8111_ETH
config LANCE
tristate "AMD LANCE and PCnet (AT1500 and NE2100) support"
- depends on ISA && ISA_DMA_API
+ depends on ISA && ISA_DMA_API && !ARM
---help---
If you have a network (Ethernet) card of this type, say Y and read
the Ethernet-HOWTO, available from
@@ -142,7 +142,7 @@ config PCMCIA_NMCLAN
config NI65
tristate "NI6510 support"
- depends on ISA && ISA_DMA_API
+ depends on ISA && ISA_DMA_API && !ARM
---help---
If you have a network (Ethernet) card of this type, say Y and read
the Ethernet-HOWTO, available from
--
2.1.0.rc2
^ permalink raw reply related
* [PATCH 2/4] net: wan: add missing virt_to_bus dependencies
From: Arnd Bergmann @ 2015-01-28 14:15 UTC (permalink / raw)
To: netdev
Cc: Arnd Bergmann, linux-pcmcia, jeffrey.t.kirsher, kas, davem,
linux-arm-kernel
In-Reply-To: <1422454504-439085-1-git-send-email-arnd@arndb.de>
The cosa driver is rather outdated and does not get built on most
platforms because it requires the ISA_DMA_API symbol. However
there are some ARM platforms that have ISA_DMA_API but no virt_to_bus,
and they get this build error when enabling the ltpc driver.
drivers/net/wan/cosa.c: In function 'tx_interrupt':
drivers/net/wan/cosa.c:1768:3: error: implicit declaration of function 'virt_to_bus'
unsigned long addr = virt_to_bus(cosa->txbuf);
^
The same problem exists for the Hostess SV-11 and Sealevel Systems 4021
drivers.
This adds another dependency in Kconfig to avoid that configuration.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/net/wan/Kconfig | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wan/Kconfig b/drivers/net/wan/Kconfig
index 94e234975c61..a2fdd15f285a 100644
--- a/drivers/net/wan/Kconfig
+++ b/drivers/net/wan/Kconfig
@@ -25,7 +25,7 @@ if WAN
# There is no way to detect a comtrol sv11 - force it modular for now.
config HOSTESS_SV11
tristate "Comtrol Hostess SV-11 support"
- depends on ISA && m && ISA_DMA_API && INET && HDLC
+ depends on ISA && m && ISA_DMA_API && INET && HDLC && VIRT_TO_BUS
help
Driver for Comtrol Hostess SV-11 network card which
operates on low speed synchronous serial links at up to
@@ -37,7 +37,7 @@ config HOSTESS_SV11
# The COSA/SRP driver has not been tested as non-modular yet.
config COSA
tristate "COSA/SRP sync serial boards support"
- depends on ISA && m && ISA_DMA_API && HDLC
+ depends on ISA && m && ISA_DMA_API && HDLC && VIRT_TO_BUS
---help---
Driver for COSA and SRP synchronous serial boards.
@@ -87,7 +87,7 @@ config LANMEDIA
# There is no way to detect a Sealevel board. Force it modular
config SEALEVEL_4021
tristate "Sealevel Systems 4021 support"
- depends on ISA && m && ISA_DMA_API && INET && HDLC
+ depends on ISA && m && ISA_DMA_API && INET && HDLC && VIRT_TO_BUS
help
This is a driver for the Sealevel Systems ACB 56 serial I/O adapter.
--
2.1.0.rc2
^ permalink raw reply related
* [PATCH 1/4] net: cs89x0: always build platform code if !HAS_IOPORT_MAP
From: Arnd Bergmann @ 2015-01-28 14:15 UTC (permalink / raw)
To: netdev
Cc: Arnd Bergmann, linux-pcmcia, jeffrey.t.kirsher, kas, davem,
linux-arm-kernel
In-Reply-To: <1422454504-439085-1-git-send-email-arnd@arndb.de>
The cs89x0 driver can either be built as an ISA driver or a platform
driver, the choice is controlled by the CS89x0_PLATFORM Kconfig
symbol. Building the ISA driver on a system that does not have
a way to map I/O ports fails with this error:
drivers/built-in.o: In function `cs89x0_ioport_probe.constprop.1':
:(.init.text+0x4794): undefined reference to `ioport_map'
:(.init.text+0x4830): undefined reference to `ioport_unmap'
This changes the Kconfig logic to take that option away and
always force building the platform variant of this driver if
CONFIG_HAS_IOPORT_MAP is not set. This is the only correct
choice in this case, and it avoids the build error.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/net/ethernet/cirrus/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cirrus/Kconfig b/drivers/net/ethernet/cirrus/Kconfig
index 7403dff8f14a..905ac5f5d9a6 100644
--- a/drivers/net/ethernet/cirrus/Kconfig
+++ b/drivers/net/ethernet/cirrus/Kconfig
@@ -32,7 +32,8 @@ config CS89x0
will be called cs89x0.
config CS89x0_PLATFORM
- bool "CS89x0 platform driver support"
+ bool "CS89x0 platform driver support" if HAS_IOPORT_MAP
+ default !HAS_IOPORT_MAP
depends on CS89x0
help
Say Y to compile the cs89x0 driver as a platform driver. This
--
2.1.0.rc2
^ permalink raw reply related
* [PATCH 0/4] net: driver fixes from arm randconfig builds
From: Arnd Bergmann @ 2015-01-28 14:15 UTC (permalink / raw)
To: netdev
Cc: Arnd Bergmann, linux-pcmcia, jeffrey.t.kirsher, kas, davem,
linux-arm-kernel
These four patches are fallout from test builds on ARM. I have a
few more of them in my backlog but have not yet confirmed them
to still be valid.
The first three patches are about incomplete dependencies on
old drivers. One could backport them to the beginning of time
in theory, but there is little value since nobody would run into
these problems.
The final patch is one I had submitted before together with the
respective pcmcia patch but forgot to follow up on that. It's
still a valid but relatively theoretical bug, because the previous
behavior of the driver was just as broken as what we have in
mainline.
Please apply,
Arnd
Arnd Bergmann (4):
net: cs89x0: always build platform code if !HAS_IOPORT_MAP
net: wan: add missing virt_to_bus dependencies
net: lance,ni64: don't build for ARM
net: am2150: fix nmclan_cs.c shared interrupt handling
drivers/net/ethernet/amd/Kconfig | 4 ++--
drivers/net/ethernet/amd/nmclan_cs.c | 2 ++
drivers/net/ethernet/cirrus/Kconfig | 3 ++-
drivers/net/wan/Kconfig | 6 +++---
4 files changed, 9 insertions(+), 6 deletions(-)
--
2.1.0.rc2
^ permalink raw reply
* pull-request: can-next 2015-28-01
From: Marc Kleine-Budde @ 2015-01-28 13:58 UTC (permalink / raw)
To: netdev; +Cc: David Miller, kernel@pengutronix.de, linux-can@vger.kernel.org
[-- Attachment #1: Type: text/plain, Size: 3014 bytes --]
Hello David,
this is a pull request of 12 patches for net-next/master.
There are 3 patches by Ahmed S. Darwish, which update the kvaser_usb
driver and add support for the USBcan-II based adapters. Stéphane
Grosjean contributes 7 patches for the peak_usb driver, which add
support for the CANFD USB adapters. I contribute 2 patches which clean
up the peak_usb driver structure a bit.
Marc
---
The following changes since commit ff660f75be36e6db75d45dc742a4a468c5a9c20d:
Merge branch 'stmmac-pci' (2015-01-27 21:08:13 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next.git tags/linux-can-next-for-3.20-20150128
for you to fetch changes up to 0a25e1f4f18566b750ebd3ae995af64e23111e63:
can: peak_usb: add support for PEAK new CANFD USB adapters (2015-01-28 14:47:06 +0100)
----------------------------------------------------------------
linux-can-next-for-3.20-20150128
----------------------------------------------------------------
Ahmed S. Darwish (3):
can: kvaser_usb: Update interface state before exiting on OOM
can: kvaser_usb: Consolidate and unify state change handling
can: kvaser_usb: Add support for the USBcan-II family
Marc Kleine-Budde (2):
can: peak_usb: use ARRAY_SIZE instead of NULL termination for peak_usb_adapters_list
can: peak_usb: constify struct peak_usb_adapter
Stephane Grosjean (7):
can: peak_usb: export ctrlmode_supported to adapter specific definition
can: peak_usb: add adapter BEC callback definition
can: peak_usb: upgrade core to data bittiming specs
can: peak_usb: upgrade core to new struct canfd_frame
can: peak_usb: export pcan_usb_pro functions
can: peak_usb: add peak_usb_netif_rx() new function
can: peak_usb: add support for PEAK new CANFD USB adapters
drivers/net/can/usb/Kconfig | 22 +-
drivers/net/can/usb/kvaser_usb.c | 722 ++++++++++++-----
drivers/net/can/usb/peak_usb/Makefile | 2 +-
drivers/net/can/usb/peak_usb/pcan_ucan.h | 222 ++++++
drivers/net/can/usb/peak_usb/pcan_usb.c | 3 +-
drivers/net/can/usb/peak_usb/pcan_usb_core.c | 83 +-
drivers/net/can/usb/peak_usb/pcan_usb_core.h | 26 +-
drivers/net/can/usb/peak_usb/pcan_usb_fd.c | 1095 ++++++++++++++++++++++++++
drivers/net/can/usb/peak_usb/pcan_usb_pro.c | 19 +-
drivers/net/can/usb/peak_usb/pcan_usb_pro.h | 13 +
10 files changed, 1981 insertions(+), 226 deletions(-)
create mode 100644 drivers/net/can/usb/peak_usb/pcan_ucan.h
create mode 100644 drivers/net/can/usb/peak_usb/pcan_usb_fd.c
--
Pengutronix e.K. | Marc Kleine-Budde |
Industrial Linux Solutions | Phone: +49-231-2826-924 |
Vertretung West/Dortmund | Fax: +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686 | http://www.pengutronix.de |
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Michael S. Tsirkin @ 2015-01-28 13:43 UTC (permalink / raw)
To: Hannes Frederic Sowa
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <1422441242.4678.32.camel@stressinduktion.org>
On Wed, Jan 28, 2015 at 11:34:02AM +0100, Hannes Frederic Sowa wrote:
> Hi,
>
> On Mi, 2015-01-28 at 11:46 +0200, Michael S. Tsirkin wrote:
> > On Wed, Jan 28, 2015 at 09:25:08AM +0100, Hannes Frederic Sowa wrote:
> > > Hello,
> > >
> > > On Di, 2015-01-27 at 18:08 +0200, Michael S. Tsirkin wrote:
> > > > On Tue, Jan 27, 2015 at 05:02:31PM +0100, Hannes Frederic Sowa wrote:
> > > > > On Di, 2015-01-27 at 09:26 -0500, Vlad Yasevich wrote:
> > > > > > On 01/27/2015 08:47 AM, Hannes Frederic Sowa wrote:
> > > > > > > On Di, 2015-01-27 at 10:42 +0200, Michael S. Tsirkin wrote:
> > > > > > >> On Tue, Jan 27, 2015 at 02:47:54AM +0000, Ben Hutchings wrote:
> > > > > > >>> On Mon, 2015-01-26 at 09:37 -0500, Vladislav Yasevich wrote:
> > > > > > >>>> If the IPv6 fragment id has not been set and we perform
> > > > > > >>>> fragmentation due to UFO, select a new fragment id.
> > > > > > >>>> When we store the fragment id into skb_shinfo, set the bit
> > > > > > >>>> in the skb so we can re-use the selected id.
> > > > > > >>>> This preserves the behavior of UFO packets generated on the
> > > > > > >>>> host and solves the issue of id generation for packet sockets
> > > > > > >>>> and tap/macvtap devices.
> > > > > > >>>>
> > > > > > >>>> This patch moves ipv6_select_ident() back in to the header file.
> > > > > > >>>> It also provides the helper function that sets skb_shinfo() frag
> > > > > > >>>> id and sets the bit.
> > > > > > >>>>
> > > > > > >>>> It also makes sure that we select the fragment id when doing
> > > > > > >>>> just gso validation, since it's possible for the packet to
> > > > > > >>>> come from an untrusted source (VM) and be forwarded through
> > > > > > >>>> a UFO enabled device which will expect the fragment id.
> > > > > > >>>>
> > > > > > >>>> CC: Eric Dumazet <edumazet@google.com>
> > > > > > >>>> Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
> > > > > > >>>> ---
> > > > > > >>>> include/linux/skbuff.h | 3 ++-
> > > > > > >>>> include/net/ipv6.h | 2 ++
> > > > > > >>>> net/ipv6/ip6_output.c | 4 ++--
> > > > > > >>>> net/ipv6/output_core.c | 9 ++++++++-
> > > > > > >>>> net/ipv6/udp_offload.c | 10 +++++++++-
> > > > > > >>>> 5 files changed, 23 insertions(+), 5 deletions(-)
> > > > > > >>>>
> > > > > > >>>> diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
> > > > > > >>>> index 85ab7d7..3ad5203 100644
> > > > > > >>>> --- a/include/linux/skbuff.h
> > > > > > >>>> +++ b/include/linux/skbuff.h
> > > > > > >>>> @@ -605,7 +605,8 @@ struct sk_buff {
> > > > > > >>>> __u8 ipvs_property:1;
> > > > > > >>>> __u8 inner_protocol_type:1;
> > > > > > >>>> __u8 remcsum_offload:1;
> > > > > > >>>> - /* 3 or 5 bit hole */
> > > > > > >>>> + __u8 ufo_fragid_set:1;
> > > > > > >>> [...]
> > > > > > >>>
> > > > > > >>> Doesn't the flag belong in struct skb_shared_info, rather than struct
> > > > > > >>> sk_buff? Otherwise this looks fine.
> > > > > > >>>
> > > > > > >>> Ben.
> > > > > > >>
> > > > > > >> Hmm we seem to be out of tx flags.
> > > > > > >> Maybe ip6_frag_id == 0 should mean "not set".
> > > > > > >
> > > > > > > Maybe that is the best idea. Definitely the ufo_fragid_set bit should
> > > > > > > move into the skb_shared_info area.
> > > > > >
> > > > > > That's what I originally wanted to do, but had to move and grow txflags thus
> > > > > > skb_shinfo ended up growing. I wanted to avoid that, so stole an skb flag.
> > > > > >
> > > > > > I considered treating fragid == 0 as unset, but a 0 fragid is perfectly valid
> > > > > > from the protocol perspective and could actually be generated by the id generator
> > > > > > functions. This may cause us to call the id generation multiple times.
> > > > >
> > > > > Are there plans in the long run to let virtio_net transmit auxiliary
> > > > > data to the other end so we can clean all of this this up one day?
> > > > >
> > > > > I don't like the whole situation: looking into the virtio_net headers
> > > > > just adding a field for ipv6 fragmentation ids to those small structs
> > > > > seems bloated, not doing it feels incorrect. :/
> > > > >
> > > > > Thoughts?
> > > > >
> > > > > Bye,
> > > > > Hannes
> > > >
> > > > I'm not sure - what will be achieved by generating the IDs guest side as
> > > > opposed to host side? It's certainly harder to get hold of entropy
> > > > guest-side.
> > >
> > > It is not only about entropy but about uniqueness. Also fragmentation
> > > ids should not be discoverable,
> >
> > I belive "predictable" is the language used by the IETF draft.
> >
> > > so there are several aspects:
> > >
> > > I see fragmentation id generation still as security critical:
> > > When Eric patched the frag id generator in 04ca6973f7c1a0d ("ip: make IP
> > > identifiers less predictable") I could patch my kernels and use the
> > > patch regardless of the machine being virtualized or not. It was not
> > > dependent on the hypervisor.
> >
> > And now it's even easier - just patch the hypervisor, and all VMs
> > automatically benefit.
>
> Sometimes the hypervisor is not under my control. You would need to
> patch both kernels in your case - non gso frames would still get the
> fragmentation id generated in the host kernel.
Confused. You would have to patch both kernels *in your case*.
If it's all done by host, then it's in a single place, on host.
> > > I think that is the same reasoning why we
> > > don't support TOE.
> > > If we use one generator in the hypervisor in an openstack alike setting,
> > > the host deals with quite a lot of overlay networks. A lot of default
> > > configurations use the same addresses internally, so on the hypervisor
> > > the frag id generators would interfere by design.
> > > I could come up with an attack scenario for DNS servers (again :) ):
> > >
> > > You are sitting next to a DNS server on the same hypervisor and can send
> > > packets without source validation (because that is handled later on in
> > > case of openvswitch when the packet is put into the corresponding
> > > overlay network). You emit a gso packet with the same source and
> > > destination addresses as the DNS server would do and would get an
> > > fragmentation id which is linearly (+ time delta) incremented depending
> > > on the source and destination address. With such a leak you could start
> > > trying attack and spoof DNS responses (fragmentation attacks etc.).
> > > See also details on such kind of attacks in the description of commit
> > > 04ca6973f7c1a0d.
> > >
> > > AFAIK IETF tried with IPv6 to push fragmentation id generation to the
> > > end hosts, that's also the reason for the introduction of atomic
> > > fragments (which are now being rolled back ;) ).
> > >
> > > Still it is better to generate a frag id on the hypervisor than just
> > > sending a 0, so I am ok with this change, albeit not happy.
> > >
> > > Thanks,
> > > Hannes
> > >
> >
> > OK so to summarize, identifiers are only re-randomized once per jiffy,
> > so you worry that within this window, an external observer can discover
> > past fragment ID values and so predict the future ones.
> > All that's required is that two paths go through the same box performing
> > fragmentation.
> >
> > Is that a fair summary?
> >
> > If yes, we can make this a bit harder by mixing in some
> > data per input and/or output devices.
> >
> > For example, just to give you the idea:
> >
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 683d493..4faa7ef 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -3625,6 +3625,7 @@ static int __netif_receive_skb_core(struct sk_buff *skb, bool pfmemalloc)
> > trace_netif_receive_skb(skb);
> >
> > orig_dev = skb->dev;
> > + skb_shinfo(skb)->ip6_frag_id = skb->dev->ifindex;
> >
> > skb_reset_network_header(skb);
> > if (!skb_transport_header_was_set(skb))
> > diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
> > index ce69a12..819a821 100644
> > --- a/net/ipv6/ip6_output.c
> > +++ b/net/ipv6/ip6_output.c
> > @@ -1092,7 +1092,8 @@ static inline int ip6_ufo_append_data(struct sock *sk,
> > sizeof(struct frag_hdr)) & ~7;
> > skb_shinfo(skb)->gso_type = SKB_GSO_UDP;
> > ipv6_select_ident(&fhdr, rt);
> > - skb_shinfo(skb)->ip6_frag_id = fhdr.identification;
> > + skb_shinfo(skb)->ip6_frag_id = jhash_1word(skb_shinfo(skb)->ip6_frag_id,
> > + fhdr.identification);
> >
> > append:
> > return skb_append_datato_frags(sk, skb, getfrag, from,
> >
>
> I thought about mixing in the incoming interface identifier into the
> frag id generation, but that could hurt us badly as soon as a VM has
> more than one interface to the outside world and uses e.g. ECMP.
I don't understand. Fragmentation is done after routing,
isn't it? So all fragments always go out on the same device.
> We need
> to make sure that those frag ids are unique and the kernel needs to be
> better than just using a random number generator.
>
> Bye,
> Hannes
32 bit numbers can't be unique. They just shouldn't be discoverable
by an off-path observer.
--
MST
^ permalink raw reply
* [PATCH 0/2] Two printf fixes
From: Rasmus Villemoes @ 2015-01-28 13:25 UTC (permalink / raw)
To: Andy Shevchenko, Andrew Morton, Trond Myklebust, J. Bruce Fields,
David S. Miller
Cc: Rasmus Villemoes, linux-kernel, linux-nfs, netdev
Both %pE and %ph are unusable in kasprintf(), since the occurrence of
either will trigger an oops during the first vsnprintf call where
kasprintf tries to find the correct size to allocate. These oopses
could be papered over with somewhat smaller patches than these, but
then the return value from vsnprintf would still not reflect the
actual size needed. For %pE, this requires a change of semantics of
string_escape_mem and hence an annoyingly large diffstat.
Whether this is 3.20, 3.21 and/or -stable material (or /dev/null
material, for that matter ;-)) I'll leave to others to decide.
Rasmus Villemoes (2):
lib/vsprintf.c: Fix potential NULL deref in hex_string
string_helpers: Change semantics of string_escape_mem
include/linux/string_helpers.h | 10 +--
lib/string_helpers.c | 195 ++++++++++++++++-------------------------
lib/test-string_helpers.c | 37 ++++----
lib/vsprintf.c | 25 ++++--
net/sunrpc/cache.c | 8 +-
5 files changed, 119 insertions(+), 156 deletions(-)
--
2.1.3
^ permalink raw reply
* Re: [PATCH v2] lib/checksum.c: fix carry in csum_tcpudp_nofold
From: Eric Dumazet @ 2015-01-28 13:04 UTC (permalink / raw)
To: Karl Beldan
Cc: Karl Beldan, Al Viro, Arnd Bergmann, Mike Frysinger, netdev,
linux-kernel, stable
In-Reply-To: <1422439091-31413-1-git-send-email-karl.beldan@rivierawaves.com>
On Wed, 2015-01-28 at 10:58 +0100, Karl Beldan wrote:
> The carry from the 64->32bits folding was dropped, e.g with:
> saddr=0xFFFFFFFF daddr=0xFF0000FF len=0xFFFF proto=0 sum=1,
> csum_tcpudp_nofold returned 0 instead of 1.
>
> Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
> Cc: Al Viro <viro@ZenIV.linux.org.uk>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: Arnd Bergmann <arnd@arndb.de>
> Cc: Mike Frysinger <vapier@gentoo.org>
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: stable@vger.kernel.org
> ---
> lib/checksum.c | 12 ++++++++++--
> 1 file changed, 10 insertions(+), 2 deletions(-)
Signed-off-by: Eric Dumazet <edumazet@google.com>
Thanks !
^ permalink raw reply
* Re: [PATCH 1/3] ipv6: Select fragment id during UFO/GSO segmentation if not set.
From: Hannes Frederic Sowa @ 2015-01-28 10:39 UTC (permalink / raw)
To: Michael S. Tsirkin
Cc: netdev, Vladislav Yasevich, virtualization, edumazet,
Ben Hutchings
In-Reply-To: <1422441242.4678.32.camel@stressinduktion.org>
On Mi, 2015-01-28 at 11:34 +0100, Hannes Frederic Sowa wrote:
>
> > And now it's even easier - just patch the hypervisor, and all VMs
> > automatically benefit.
>
> Sometimes the hypervisor is not under my control. You would need to
> patch both kernels in your case - non gso frames would still get the
> fragmentation id generated in the host kernel.
Actually this now became my biggest concern. :/
Bye,
Hannes
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox