* [patch net-next 2/6] net: bridge: Notify on bridge device mrouter state changes
From: Jiri Pirko @ 2017-10-05 10:36 UTC (permalink / raw)
  To: netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, nikolay, andrew,
	stephen, nbd, roopa
In-Reply-To: <20171005103642.1414-1-jiri@resnulli.us>

From: Yotam Gigi <yotamg@mellanox.com>

Add the SWITCHDEV_ATTR_ID_BRIDGE_MROUTER switchdev notification type, used
to indicate whether the bridge is or isn't mrouter. Notify when the bridge
changes its state, similarly to the already existing bridged port mrouter
notifications.

The notification uses the switchdev_attr.u.mrouter boolean flag to indicate
the current bridge mrouter status. Thus, it only indicates whether the
bridge is currently used as an mrouter or not, and does not indicate the
exact mrouter state of the bridge (learning, permanent, etc.).

Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 include/net/switchdev.h   |  1 +
 net/bridge/br_multicast.c | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/include/net/switchdev.h b/include/net/switchdev.h
index d767b79..d756fbe 100644
--- a/include/net/switchdev.h
+++ b/include/net/switchdev.h
@@ -51,6 +51,7 @@ enum switchdev_attr_id {
 	SWITCHDEV_ATTR_ID_BRIDGE_AGEING_TIME,
 	SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING,
 	SWITCHDEV_ATTR_ID_BRIDGE_MC_DISABLED,
+	SWITCHDEV_ATTR_ID_BRIDGE_MROUTER,
 };
 
 struct switchdev_attr {
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index b86307b..4d4fcb5 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -859,6 +859,19 @@ static void br_multicast_router_expired(unsigned long data)
 	spin_unlock(&br->multicast_lock);
 }
 
+static void br_mc_router_state_change(struct net_bridge *p,
+				      bool is_mc_router)
+{
+	struct switchdev_attr attr = {
+		.orig_dev = p->dev,
+		.id = SWITCHDEV_ATTR_ID_BRIDGE_MROUTER,
+		.flags = SWITCHDEV_F_DEFER,
+		.u.mrouter = is_mc_router,
+	};
+
+	switchdev_port_attr_set(p->dev, &attr);
+}
+
 static void br_multicast_local_router_expired(unsigned long data)
 {
 	struct net_bridge *br = (struct net_bridge *) data;
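Review bot: br_mc_router_state_change() discards the return value of switchdev_port_attr_set(), and its `struct net_bridge *` parameter is named `p`, a name that usually denotes a bridge port in this code. The callers in the later hunks invoke it with br->multicast_lock held, so a comment should say why SWITCHDEV_F_DEFER is needed, e.g. `/* Called under br->multicast_lock; the attr set must be deferred. */`, and the parameter would read better as `br`. If ignoring the return value is intentional, the same comment should say so. The hunk ends inside br_multicast_local_router_expired(), whose body continues outside it.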
@@ -869,6 +882,7 @@ static void br_multicast_local_router_expired(unsigned long data)
 	    timer_pending(&br->multicast_router_timer))
 		goto out;
 
+	br_mc_router_state_change(br, false);
 	br->multicast_router = MDB_RTR_TYPE_TEMP_QUERY;
 out:
 	spin_unlock(&br->multicast_lock);
@@ -1379,6 +1393,8 @@ static void br_multicast_mark_router(struct net_bridge *br,
 		    br->multicast_router == MDB_RTR_TYPE_TEMP) {
 			mod_timer(&br->multicast_router_timer,
 				  now + br->multicast_querier_interval);
+			if (br->multicast_router == MDB_RTR_TYPE_TEMP_QUERY)
+				br_mc_router_state_change(br, true);
 			br->multicast_router = MDB_RTR_TYPE_TEMP;
 		}
 		return;
@@ -2056,13 +2072,16 @@ int br_multicast_set_router(struct net_bridge *br, unsigned long val)
 	switch (val) {
 	case MDB_RTR_TYPE_DISABLED:
 	case MDB_RTR_TYPE_PERM:
+		br_mc_router_state_change(br, val == MDB_RTR_TYPE_PERM);
 		del_timer(&br->multicast_router_timer);
 		br->multicast_router = val;
 		err = 0;
 		break;
 	case MDB_RTR_TYPE_TEMP_QUERY:
-		if (br->multicast_router != MDB_RTR_TYPE_TEMP)
+		if (br->multicast_router != MDB_RTR_TYPE_TEMP) {
+			br_mc_router_state_change(br, false);
 			br->multicast_router = val;
+		}
 		err = 0;
 		break;
 	}
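Review bot: In br_multicast_set_router() the notification is sent without checking whether the router state actually changes: the DISABLED/PERM arm calls `br_mc_router_state_change(br, val == MDB_RTR_TYPE_PERM)` unconditionally, and the TEMP_QUERY arm sends `false` whenever the state is not MDB_RTR_TYPE_TEMP, including when it is already DISABLED or TEMP_QUERY. Because the attr is flagged SWITCHDEV_F_DEFER, each call presumably queues deferred work, so a user who keeps writing the same value creates redundant work for every listening driver. Consider sampling `bool was_router = br_multicast_is_router(br);` before the switch and notifying only on a real transition, e.g. `if (was_router != br_multicast_is_router(br)) br_mc_router_state_change(br, !was_router);`. The function starts and ends outside this hunk.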
-- 
2.9.5


* [patch net-next 3/6] net: bridge: Export bridge multicast router state
From: Jiri Pirko @ 2017-10-05 10:36 UTC (permalink / raw)
  To: netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, nikolay, andrew,
	stephen, nbd, roopa
In-Reply-To: <20171005103642.1414-1-jiri@resnulli.us>

From: Yotam Gigi <yotamg@mellanox.com>

Add an access function that, given a bridge netdevice, returns whether the
bridge device is currently an mrouter or not. The function uses the already
existing br_multicast_is_router function to check that.

This function is needed in order to allow ports that join an already
existing bridge to know the current mrouter state of the bridge device.
Together with the bridge device mrouter ports switchdev notifications, it
is possible to have full offloading of the semantics of the bridge device
mcast router state.

Because the bridge multicast router status can change in the packet RX
path, take the bridge's multicast_lock spinlock to protect the read.

Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 include/linux/if_bridge.h |  5 +++++
 net/bridge/br_multicast.c | 12 ++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h
index 3cd18ac..283a9be 100644
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -63,6 +63,7 @@ int br_multicast_list_adjacent(struct net_device *dev,
 bool br_multicast_has_querier_anywhere(struct net_device *dev, int proto);
 bool br_multicast_has_querier_adjacent(struct net_device *dev, int proto);
 bool br_multicast_enabled(const struct net_device *dev);
+bool br_multicast_router(const struct net_device *dev);
 #else
 static inline int br_multicast_list_adjacent(struct net_device *dev,
 					     struct list_head *br_ip_list)
@@ -83,6 +84,10 @@ static inline bool br_multicast_enabled(const struct net_device *dev)
 {
 	return false;
 }
+static inline bool br_multicast_router(const struct net_device *dev)
+{
+	return false;
+}
 #endif
 
 #if IS_ENABLED(CONFIG_BRIDGE) && IS_ENABLED(CONFIG_BRIDGE_VLAN_FILTERING)
diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
index 4d4fcb5..b4c98a3 100644
--- a/net/bridge/br_multicast.c
+++ b/net/bridge/br_multicast.c
@@ -2220,6 +2220,18 @@ bool br_multicast_enabled(const struct net_device *dev)
 }
 EXPORT_SYMBOL_GPL(br_multicast_enabled);
 
+bool br_multicast_router(const struct net_device *dev)
+{
+	struct net_bridge *br = netdev_priv(dev);
+	bool is_router;
+
+	spin_lock_bh(&br->multicast_lock);
+	is_router = br_multicast_is_router(br);
+	spin_unlock_bh(&br->multicast_lock);
+	return is_router;
+}
+EXPORT_SYMBOL_GPL(br_multicast_router);
+
 int br_multicast_set_querier(struct net_bridge *br, unsigned long val)
 {
 	unsigned long max_delay;
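Review bot: br_multicast_router() treats `netdev_priv(dev)` as a `struct net_bridge` without checking that `dev` is a bridge master, and the symbol is exported, so a caller passing any other net_device would have unrelated private data interpreted as a bridge and locked as a spinlock. Either guard the entry, `if (!netif_is_bridge_master(dev)) return false;`, or add a kernel-doc comment that states the precondition. The comment should also say that the result is a snapshot: multicast_lock is released before returning, so callers still depend on the SWITCHDEV_ATTR_ID_BRIDGE_MROUTER notification to stay in sync. The hunk ends inside br_multicast_set_querier().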
-- 
2.9.5


* [patch net-next 4/6] mlxsw: spectrum: router: Export the mlxsw_sp_router_port function
From: Jiri Pirko @ 2017-10-05 10:36 UTC (permalink / raw)
  To: netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, nikolay, andrew,
	stephen, nbd, roopa
In-Reply-To: <20171005103642.1414-1-jiri@resnulli.us>

From: Yotam Gigi <yotamg@mellanox.com>

In Spectrum hardware, the router port is a virtual port that is the gateway
to the routing mechanism. Hence, in order for a packet to be L3 forwarded,
it must first be L2 forwarded to the router port inside the hardware.

Further patches in this patchset are going to introduce support for a bridge
device used as an mrouter port. In this case, the router port index will be
needed in order to update the MDB entries to include the router port. Thus,
export the mlxsw_sp_router_port function, which returns the index of the
Spectrum router port.

Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
index 58bc04c..58adb23 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c
@@ -5947,7 +5947,7 @@ static int mlxsw_sp_rif_vlan_fid_op(struct mlxsw_sp_rif *rif,
 	return mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(ritr), ritr_pl);
 }
 
-static u8 mlxsw_sp_router_port(const struct mlxsw_sp *mlxsw_sp)
+u8 mlxsw_sp_router_port(const struct mlxsw_sp *mlxsw_sp)
 {
 	return mlxsw_core_max_ports(mlxsw_sp->core) + 1;
 }
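Review bot: Now that mlxsw_sp_router_port() is no longer static, its `u8` return type becomes a cross-file interface, and `mlxsw_core_max_ports(mlxsw_sp->core) + 1` is narrowed to it with no range check. The return type of mlxsw_core_max_ports() is not visible here, but if it can ever report 255 or more ports the index would wrap and callers would address the wrong bit in a port bitmap. The definition also deserves a comment for its new external users, e.g. `/* Index of the virtual router port: one past the port count reported by the core. */`.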
diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.h b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.h
index 3d44918..3f2d840 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.h
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_router.h
@@ -70,6 +70,7 @@ u16 mlxsw_sp_rif_index(const struct mlxsw_sp_rif *rif);
 u16 mlxsw_sp_ipip_lb_rif_index(const struct mlxsw_sp_rif_ipip_lb *rif);
 u16 mlxsw_sp_ipip_lb_ul_vr_id(const struct mlxsw_sp_rif_ipip_lb *rif);
 int mlxsw_sp_rif_dev_ifindex(const struct mlxsw_sp_rif *rif);
+u8 mlxsw_sp_router_port(const struct mlxsw_sp *mlxsw_sp);
 const struct net_device *mlxsw_sp_rif_dev(const struct mlxsw_sp_rif *rif);
 int mlxsw_sp_rif_counter_value_get(struct mlxsw_sp *mlxsw_sp,
 				   struct mlxsw_sp_rif *rif,
-- 
2.9.5


* [patch net-next 5/6] mlxsw: spectrum_switchdev: Add support for router port in SMID entries
From: Jiri Pirko @ 2017-10-05 10:36 UTC (permalink / raw)
  To: netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, nikolay, andrew,
	stephen, nbd, roopa
In-Reply-To: <20171005103642.1414-1-jiri@resnulli.us>

From: Yotam Gigi <yotamg@mellanox.com>

In Spectrum, MDB entries point to MID entries, which indicate which ports a
packet should be forwarded to. Add support for creating MID entries that
forward the packet to the Spectrum router port.

This will be later used to handle the bridge mrouter port switchdev
notifications.

Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
index 0f9eac5..092231a 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -48,6 +48,7 @@
 #include <linux/rtnetlink.h>
 #include <net/switchdev.h>
 
+#include "spectrum_router.h"
 #include "spectrum.h"
 #include "core.h"
 #include "reg.h"
@@ -1241,7 +1242,8 @@ static int mlxsw_sp_port_mdb_op(struct mlxsw_sp *mlxsw_sp, const char *addr,
 }
 
 static int mlxsw_sp_port_smid_full_entry(struct mlxsw_sp *mlxsw_sp, u16 mid_idx,
-					 long *ports_bitmap)
+					 long *ports_bitmap,
+					 bool set_router_port)
 {
 	char *smid_pl;
 	int err, i;
@@ -1256,9 +1258,15 @@ static int mlxsw_sp_port_smid_full_entry(struct mlxsw_sp *mlxsw_sp, u16 mid_idx,
 			mlxsw_reg_smid_port_mask_set(smid_pl, i, 1);
 	}
 
+	mlxsw_reg_smid_port_mask_set(smid_pl,
+				     mlxsw_sp_router_port(mlxsw_sp), 1);
+
 	for_each_set_bit(i, ports_bitmap, mlxsw_core_max_ports(mlxsw_sp->core))
 		mlxsw_reg_smid_port_set(smid_pl, i, 1);
 
+	mlxsw_reg_smid_port_set(smid_pl, mlxsw_sp_router_port(mlxsw_sp),
+				set_router_port);
+
 	err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(smid), smid_pl);
 	kfree(smid_pl);
 	return err;
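Review bot: The two added calls each re-evaluate `mlxsw_sp_router_port(mlxsw_sp)`, and nothing explains why the mask bit is always set while the port bit follows `set_router_port`. A local such as `u8 router_port = mlxsw_sp_router_port(mlxsw_sp);` plus a one-line comment would make the intent reviewable; presumably the mask selects which bits the register write updates, so the router port bit is always written, either set or cleared. It is also worth confirming that the SMID payload has room for index max_ports + 1, since the visible for_each_set_bit() loop stops at mlxsw_core_max_ports(). The function starts outside this hunk.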
@@ -1362,7 +1370,8 @@ mlxsw_sp_mc_write_mdb_entry(struct mlxsw_sp *mlxsw_sp,
 	mlxsw_sp_mc_get_mrouters_bitmap(flood_bitmap, bridge_device, mlxsw_sp);
 
 	mid->mid = mid_idx;
-	err = mlxsw_sp_port_smid_full_entry(mlxsw_sp, mid_idx, flood_bitmap);
+	err = mlxsw_sp_port_smid_full_entry(mlxsw_sp, mid_idx, flood_bitmap,
+					    false);
 	kfree(flood_bitmap);
 	if (err)
 		return false;
-- 
2.9.5


* Re: [PATCH net-next v6 0/4] bpf: add two helpers to read perf event enabled/running time
From: Daniel Borkmann @ 2017-10-05 10:36 UTC (permalink / raw)
  To: Peter Zijlstra, David Miller; +Cc: yhs, rostedt, ast, netdev, kernel-team
In-Reply-To: <20171005083437.v3yfluazdy5du7pi@hirez.programming.kicks-ass.net>

On 10/05/2017 10:34 AM, Peter Zijlstra wrote:
> On Wed, Oct 04, 2017 at 04:00:56PM -0700, David Miller wrote:
>> From: Yonghong Song <yhs@fb.com>
>> Date: Mon, 2 Oct 2017 15:42:14 -0700
>>
>>> [Dave, Peter,
>>>
>>>   Previous communcation shows that this patch may potentially have
>>>   merge conflict with upcoming tip changes in the next merge window.
>>>
>>>   Could you advise how this patch should proceed?
>>>
>>>   Thanks!
>>> ]
>>
>> Indeed, Peter how do you want to handle this?
>
> I think Alexei suggested that we merge the one patch in two branches and
> let git sort it out. I _think_ I've done something similar before and it
> worked.

Sounds good, we did something like this in the past as well I recall,
so lets make first patch isolated to only touch perf event area so
it can go into both trees, and the remaining pieces only for BPF bits
for net-next.


* [patch net-next 6/6] mlxsw: spectrum_switchdev: Support bridge mrouter notifications
From: Jiri Pirko @ 2017-10-05 10:36 UTC (permalink / raw)
  To: netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, nikolay, andrew,
	stephen, nbd, roopa
In-Reply-To: <20171005103642.1414-1-jiri@resnulli.us>

From: Yotam Gigi <yotamg@mellanox.com>

Support the SWITCHDEV_ATTR_ID_BRIDGE_MROUTER port attribute switchdev
notification.

To do that, add the mrouter flag to struct mlxsw_sp_bridge_device, which
indicates whether the bridge device was set to be an mrouter port. This field
is set when:
 - A new bridge is created, where the value is taken from the kernel
   bridge value.
 - A switchdev SWITCHDEV_ATTR_ID_BRIDGE_MROUTER notification is sent.

In addition, change the bridge MID entries to include the router port when
the bridge device is configured to be mrouter port. The MID entries are
updated in the following cases:
 - When a new MID entry is created, update the router port according to the
   bridge mrouter state.
 - When a SWITCHDEV_ATTR_ID_BRIDGE_MROUTER notification is sent, update all
   the bridge's MID entries.

This is aligned with the case where a bridge slave is configured to be
mrouter port.

Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
---
 .../ethernet/mellanox/mlxsw/spectrum_switchdev.c   | 65 +++++++++++++++++++++-
 1 file changed, 63 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
index 092231a..15bb5f9 100644
--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c
@@ -79,7 +79,8 @@ struct mlxsw_sp_bridge_device {
 	struct list_head ports_list;
 	struct list_head mids_list;
 	u8 vlan_enabled:1,
-	   multicast_enabled:1;
+	   multicast_enabled:1,
+	   mrouter:1;
 	const struct mlxsw_sp_bridge_ops *ops;
 };
 
@@ -169,6 +170,7 @@ mlxsw_sp_bridge_device_create(struct mlxsw_sp_bridge *bridge,
 	bridge_device->dev = br_dev;
 	bridge_device->vlan_enabled = vlan_enabled;
 	bridge_device->multicast_enabled = br_multicast_enabled(br_dev);
+	bridge_device->mrouter = br_multicast_router(br_dev);
 	INIT_LIST_HEAD(&bridge_device->ports_list);
 	if (vlan_enabled) {
 		bridge->vlan_enabled_exists = true;
@@ -811,6 +813,60 @@ static int mlxsw_sp_port_mc_disabled_set(struct mlxsw_sp_port *mlxsw_sp_port,
 	return 0;
 }
 
+static int mlxsw_sp_smid_router_port_set(struct mlxsw_sp *mlxsw_sp,
+					 u16 mid_idx, bool add)
+{
+	char *smid_pl;
+	int err;
+
+	smid_pl = kmalloc(MLXSW_REG_SMID_LEN, GFP_KERNEL);
+	if (!smid_pl)
+		return -ENOMEM;
+
+	mlxsw_reg_smid_pack(smid_pl, mid_idx,
+			    mlxsw_sp_router_port(mlxsw_sp), add);
+	err = mlxsw_reg_write(mlxsw_sp->core, MLXSW_REG(smid), smid_pl);
+	kfree(smid_pl);
+	return err;
+}
+
+static void
+mlxsw_sp_bridge_mrouter_update_mdb(struct mlxsw_sp *mlxsw_sp,
+				   struct mlxsw_sp_bridge_device *bridge_device,
+				   bool add)
+{
+	struct mlxsw_sp_mid *mid;
+
+	list_for_each_entry(mid, &bridge_device->mids_list, list)
+		mlxsw_sp_smid_router_port_set(mlxsw_sp, mid->mid, add);
+}
+
+static int
+mlxsw_sp_port_attr_br_mrouter_set(struct mlxsw_sp_port *mlxsw_sp_port,
+				  struct switchdev_trans *trans,
+				  struct net_device *orig_dev,
+				  bool is_mrouter)
+{
+	struct mlxsw_sp *mlxsw_sp = mlxsw_sp_port->mlxsw_sp;
+	struct mlxsw_sp_bridge_device *bridge_device;
+
+	if (switchdev_trans_ph_prepare(trans))
+		return 0;
+
+	/* It's possible we failed to enslave the port, yet this
+	 * operation is executed due to it being deferred.
+	 */
+	bridge_device = mlxsw_sp_bridge_device_find(mlxsw_sp->bridge, orig_dev);
+	if (!bridge_device)
+		return 0;
+
+	if (bridge_device->mrouter != is_mrouter)
+		mlxsw_sp_bridge_mrouter_update_mdb(mlxsw_sp, bridge_device,
+						   is_mrouter);
+	bridge_device->mrouter = is_mrouter;
+	return 0;
+}
+
 static int mlxsw_sp_port_attr_set(struct net_device *dev,
 				  const struct switchdev_attr *attr,
 				  struct switchdev_trans *trans)
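Review bot: mlxsw_sp_bridge_mrouter_update_mdb() drops the return value of mlxsw_sp_smid_router_port_set(), which can fail with -ENOMEM or a register write error, and mlxsw_sp_port_attr_br_mrouter_set() then stores `bridge_device->mrouter = is_mrouter` regardless. After a failure the cached flag and the hardware MID entries disagree, and because later notifications carrying the same value are skipped by the `!=` test, nothing retries the write. Returning the first error and updating the flag only on success keeps the two in step; this needs an `int err;` local in mlxsw_sp_port_attr_br_mrouter_set(). Entries already written before the failure would still need a rollback or at least a log message, which is left to the author. The hunk ends inside mlxsw_sp_port_attr_set().

```c
static int
mlxsw_sp_bridge_mrouter_update_mdb(struct mlxsw_sp *mlxsw_sp,
				   struct mlxsw_sp_bridge_device *bridge_device,
				   bool add)
{
	struct mlxsw_sp_mid *mid;
	int err;

	list_for_each_entry(mid, &bridge_device->mids_list, list) {
		err = mlxsw_sp_smid_router_port_set(mlxsw_sp, mid->mid, add);
		if (err)
			return err;
	}
	return 0;
}

/* … unchanged: mlxsw_sp_port_attr_br_mrouter_set() up to the bridge_device lookup … */
	if (bridge_device->mrouter != is_mrouter) {
		err = mlxsw_sp_bridge_mrouter_update_mdb(mlxsw_sp, bridge_device,
							 is_mrouter);
		if (err)
			return err;
	}
	bridge_device->mrouter = is_mrouter;
	return 0;
```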
@@ -848,6 +904,11 @@ static int mlxsw_sp_port_attr_set(struct net_device *dev,
 						    attr->orig_dev,
 						    attr->u.mc_disabled);
 		break;
+	case SWITCHDEV_ATTR_ID_BRIDGE_MROUTER:
+		err = mlxsw_sp_port_attr_br_mrouter_set(mlxsw_sp_port, trans,
+							attr->orig_dev,
+							attr->u.mrouter);
+		break;
 	default:
 		err = -EOPNOTSUPP;
 		break;
@@ -1371,7 +1432,7 @@ mlxsw_sp_mc_write_mdb_entry(struct mlxsw_sp *mlxsw_sp,
 
 	mid->mid = mid_idx;
 	err = mlxsw_sp_port_smid_full_entry(mlxsw_sp, mid_idx, flood_bitmap,
-					    false);
+					    bridge_device->mrouter);
 	kfree(flood_bitmap);
 	if (err)
 		return false;
-- 
2.9.5


* Re: [PATCH 3/7] crypto:gf128mul: The x8_ble multiplication functions
From: Harsh Jain @ 2017-10-05 11:20 UTC (permalink / raw)
  To: David Laight, herbert@gondor.apana.org.au,
	linux-crypto@vger.kernel.org, netdev@vger.kernel.org
In-Reply-To: <063D6719AE5E284EB5DD2968C1650D6DD0088A2B@AcuExch.aculab.com>



On 03-10-2017 20:28, David Laight wrote:
> From: Harsh Jain
>> Sent: 03 October 2017 07:46
>> It multiply GF(2^128) elements in the ble format.
>> It will be used by chelsio driver to fasten gf multiplication.
>                                        ^ speed up ??
It should be speed up. Will fix the same in V2. Thanks
>
> 	David
>


* [PATCH] rsi: fix integer overflow warning
From: Arnd Bergmann @ 2017-10-05 12:05 UTC (permalink / raw)
  To: Kalle Valo, Prameela Rani Garnepudi, Amitkumar Karwar
  Cc: Arnd Bergmann, Pavani Muthyala, Karun Eagalapati, linux-wireless,
	netdev, linux-kernel

gcc produces a harmless warning about a recently introduced
signed integer overflow:

drivers/net/wireless/rsi/rsi_91x_hal.c: In function 'rsi_prepare_mgmt_desc':
include/uapi/linux/swab.h:13:15: error: integer overflow in expression [-Werror=overflow]
  (((__u16)(x) & (__u16)0x00ffU) << 8) |   \
   ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
include/uapi/linux/swab.h:104:2: note: in expansion of macro '___constant_swab16'
  ___constant_swab16(x) :   \
  ^~~~~~~~~~~~~~~~~~
include/uapi/linux/byteorder/big_endian.h:34:43: note: in expansion of macro '__swab16'
 #define __cpu_to_le16(x) ((__force __le16)__swab16((x)))
                                           ^~~~~~~~
include/linux/byteorder/generic.h:89:21: note: in expansion of macro '__cpu_to_le16'
 #define cpu_to_le16 __cpu_to_le16
                     ^~~~~~~~~~~~~
drivers/net/wireless/rsi/rsi_91x_hal.c:136:3: note: in expansion of macro 'cpu_to_le16'
   cpu_to_le16((tx_params->vap_id << RSI_DESC_VAP_ID_OFST) &
   ^~~~~~~~~~~

The problem is that the 'mask' value is a signed integer that gets
turned into a negative number when truncated to 16 bits. Making it
an unsigned constant avoids this.

Fixes: eac4eed3224b ("rsi: tx and rx path enhancements for p2p mode")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 drivers/net/wireless/rsi/rsi_mgmt.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_mgmt.h b/drivers/net/wireless/rsi/rsi_mgmt.h
index b9d0802c1b0f..e21723013f8d 100644
--- a/drivers/net/wireless/rsi/rsi_mgmt.h
+++ b/drivers/net/wireless/rsi/rsi_mgmt.h
@@ -189,7 +189,7 @@
 	 IEEE80211_WMM_IE_STA_QOSINFO_AC_BE | \
 	 IEEE80211_WMM_IE_STA_QOSINFO_AC_BK)
 
-#define RSI_DESC_VAP_ID_MASK		0xC000
+#define RSI_DESC_VAP_ID_MASK		0xC000u
 #define RSI_DESC_VAP_ID_OFST		14
 #define RSI_DATA_DESC_MAC_BBP_INFO	BIT(0)
 #define RSI_DATA_DESC_NO_ACK_IND	BIT(9)
-- 
2.9.0


* Re: [patch net-next 1/6] net: bridge: Use the MDB_RTR_TYPE_TEMP on bridge device too
From: Nikolay Aleksandrov @ 2017-10-05 12:09 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, andrew, stephen,
	nbd, roopa
In-Reply-To: <20171005103642.1414-2-jiri@resnulli.us>

On 05/10/17 13:36, Jiri Pirko wrote:
> From: Yotam Gigi <yotamg@mellanox.com>
> 
> Every bridge port is in one of four mcast router port states:
>  - MDB_RTR_TYPE_PERM - the port is set by the user to be an mrouter port
>    regardless of IGMP queries.
>  - MDB_RTR_TYPE_DISABLED - the port is set by the user to not be an mrouter
>    port regardless of IGMP queries.
>  - MDB_RTR_TYPE_TEMP - the port is set by the user to be in mcast router
>    learning state, but currently it is not an mrouter port as no IGMP query
>    has been received by it for the last multicast_querier_interval.
>  - MDB_RTR_TYPE_TEMP_QUERY - the port is set by the user to be in mcast
>    router learning state, and currently it is an mrouter port due to an
>    IGMP query that has been received by it during the passed
>    multicast_querier_interval.

I think you got the last two partially mixed up, MDB_RTR_TYPE_TEMP marks the port as a router
regardless if there were any igmp queries, while TYPE_TEMP_QUERY means it's in learning
state. It is the timer (armed vs not) that defines if currently the port is a router
when one of the TEMP/TEMP_QUERY are set. In the _TEMP case it is always armed as it
is refreshed by user or igmp queries which was the point of that mode.
So this means in br_multicast_router() just check for the timer_pending or perm mode.

In the port code you have the following transitions:
 _TEMP -> TEMP_QUERY (on timer fire or user-set val, port becomes learning only)
 _TEMP -> _TEMP (noop on user refresh or igmp query, timer refreshes)
 _TEMP_QUERY -> _TEMP_QUERY (on igmp query the timer is armed, port becomes router)

you never have _TEMP_QUERY -> _TEMP, which you're using here to denote the timer
getting armed and the bridge becoming a router.

> 
> The bridge device (brX) itself can also be configured by the user to be
> either fixed, disabled or learning mrouter port states, but currently there
> is no distinction between the MDB_RTR_TYPE_TEMP_QUERY and MDB_RTR_TYPE_TEMP
> in the bridge internal state. Due to that, when an IGMP query is received,
> it is not straightforward to tell whether it changes the bridge device
> mrouter port status or not.

But before this patch the bridge device could not get that set.

> 
> Further patches in this patch-set will introduce notifications upon the
> bridge device mrouter port state. In order to prevent resending bridge
> mrouter notification when it is not needed, such distinction is necessary.
> 

Granted the bridge device hasn't got a way to clearly distinguish the transitions
without the chance for a race and if using the timer one could get an unnecessary
notification but that seems like a corner case when the timer fires exactly at the
same time as the igmp query is received. Can't it be handled by just checking if
the new state is different in the notification receiver ?
If it can't and is a problem then I'd prefer to add a new boolean to denote that
router on/off transition rather than doing this.

> Hence, add the distinction between MDB_RTR_TYPE_TEMP and
> MDB_RTR_TYPE_TEMP_QUERY states for the bridge device, similarly to any
> other bridge port.
> 

This does not add proper MDB_RTR_TYPE_TEMP support for the bridge device
but seems to abuse it to distinguish the timer state, and changes
the meaning of MDB_RTR_TYPE_TEMP. Can't you just use the timer instead ?
I think it will simplify the set and avoid all of this.

> In order to not break the current kernel-user API, don't propagate the new
> state to the user and use it only in the bridge internal state. Thus, if
> the user reads (either via sysfs or netlink) the bridge device mrouter
> state, he will get the MDB_RTR_TYPE_TEMP_QUERY state even if the current
> bridge state is MDB_RTR_TYPE_TEMP.
> 
> Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
> Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
> ---
>  net/bridge/br_multicast.c | 25 +++++++++++++++++++++----
>  net/bridge/br_netlink.c   |  3 ++-
>  net/bridge/br_private.h   | 13 ++++++++++---
>  net/bridge/br_sysfs_br.c  |  3 ++-
>  4 files changed, 35 insertions(+), 9 deletions(-)
> 
> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
> index 8dc5c8d..b86307b 100644
> --- a/net/bridge/br_multicast.c
> +++ b/net/bridge/br_multicast.c
> @@ -861,6 +861,17 @@ static void br_multicast_router_expired(unsigned long data)
>  
>  static void br_multicast_local_router_expired(unsigned long data)
>  {
> +	struct net_bridge *br = (struct net_bridge *) data;
> +
> +	spin_lock(&br->multicast_lock);
> +	if (br->multicast_router == MDB_RTR_TYPE_DISABLED ||
> +	    br->multicast_router == MDB_RTR_TYPE_PERM ||
> +	    timer_pending(&br->multicast_router_timer))
> +		goto out;
> +
> +	br->multicast_router = MDB_RTR_TYPE_TEMP_QUERY;
> +out:
> +	spin_unlock(&br->multicast_lock);
>  }
>  
>  static void br_multicast_querier_expired(struct net_bridge *br,
> @@ -1364,9 +1375,12 @@ static void br_multicast_mark_router(struct net_bridge *br,
>  	unsigned long now = jiffies;
>  
>  	if (!port) {
> -		if (br->multicast_router == MDB_RTR_TYPE_TEMP_QUERY)
> +		if (br->multicast_router == MDB_RTR_TYPE_TEMP_QUERY ||
> +		    br->multicast_router == MDB_RTR_TYPE_TEMP) {
>  			mod_timer(&br->multicast_router_timer,
>  				  now + br->multicast_querier_interval);
> +			br->multicast_router = MDB_RTR_TYPE_TEMP;
> +		}
>  		return;
>  	}
>  
> @@ -1952,7 +1966,7 @@ void br_multicast_init(struct net_bridge *br)
>  
>  	spin_lock_init(&br->multicast_lock);
>  	setup_timer(&br->multicast_router_timer,
> -		    br_multicast_local_router_expired, 0);
> +		    br_multicast_local_router_expired, (unsigned long)br);
>  	setup_timer(&br->ip4_other_query.timer,
>  		    br_ip4_multicast_querier_expired, (unsigned long)br);
>  	setup_timer(&br->ip4_own_query.timer, br_ip4_multicast_query_expired,
> @@ -2043,11 +2057,14 @@ int br_multicast_set_router(struct net_bridge *br, unsigned long val)
>  	case MDB_RTR_TYPE_DISABLED:
>  	case MDB_RTR_TYPE_PERM:
>  		del_timer(&br->multicast_router_timer);
> -		/* fall through */
> -	case MDB_RTR_TYPE_TEMP_QUERY:
>  		br->multicast_router = val;
>  		err = 0;
>  		break;
> +	case MDB_RTR_TYPE_TEMP_QUERY:
> +		if (br->multicast_router != MDB_RTR_TYPE_TEMP)
> +			br->multicast_router = val;
> +		err = 0;
> +		break;
>  	}
>  
>  	spin_unlock_bh(&br->multicast_lock);
> diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
> index dea88a2..cee5016 100644
> --- a/net/bridge/br_netlink.c
> +++ b/net/bridge/br_netlink.c
> @@ -1357,7 +1357,8 @@ static int br_fill_info(struct sk_buff *skb, const struct net_device *brdev)
>  		return -EMSGSIZE;
>  #endif
>  #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
> -	if (nla_put_u8(skb, IFLA_BR_MCAST_ROUTER, br->multicast_router) ||
> +	if (nla_put_u8(skb, IFLA_BR_MCAST_ROUTER,
> +		       br_multicast_router_translate(br->multicast_router)) ||
>  	    nla_put_u8(skb, IFLA_BR_MCAST_SNOOPING, !br->multicast_disabled) ||
>  	    nla_put_u8(skb, IFLA_BR_MCAST_QUERY_USE_IFADDR,
>  		       br->multicast_query_use_ifaddr) ||
> diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
> index ab4df24..e6e3fec 100644
> --- a/net/bridge/br_private.h
> +++ b/net/bridge/br_private.h
> @@ -649,9 +649,8 @@ void br_multicast_get_stats(const struct net_bridge *br,
>  
>  static inline bool br_multicast_is_router(struct net_bridge *br)
>  {
> -	return br->multicast_router == 2 ||
> -	       (br->multicast_router == 1 &&
> -		timer_pending(&br->multicast_router_timer));
> +	return br->multicast_router == MDB_RTR_TYPE_PERM ||
> +	       br->multicast_router == MDB_RTR_TYPE_TEMP;
>  }
>  
>  static inline bool
> @@ -790,6 +789,14 @@ static inline int br_multicast_igmp_type(const struct sk_buff *skb)
>  }
>  #endif
>  
> +static inline unsigned char

u8

> +br_multicast_router_translate(unsigned char multicast_router)

u8, if need be change the type of the struct member

> +{
> +	if (multicast_router == MDB_RTR_TYPE_TEMP)
> +		return MDB_RTR_TYPE_TEMP_QUERY;
> +	return multicast_router;
> +}
> +
>  /* br_vlan.c */
>  #ifdef CONFIG_BRIDGE_VLAN_FILTERING
>  bool br_allowed_ingress(const struct net_bridge *br,
> diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
> index 723f25e..9b9c597 100644
> --- a/net/bridge/br_sysfs_br.c
> +++ b/net/bridge/br_sysfs_br.c
> @@ -340,7 +340,8 @@ static ssize_t multicast_router_show(struct device *d,
>  				     struct device_attribute *attr, char *buf)
>  {
>  	struct net_bridge *br = to_bridge(d);
> -	return sprintf(buf, "%d\n", br->multicast_router);
> +	return sprintf(buf, "%d\n",
> +		       br_multicast_router_translate(br->multicast_router));
>  }
>  
>  static ssize_t multicast_router_store(struct device *d,
> 


* Re: [patch net-next 1/6] net: bridge: Use the MDB_RTR_TYPE_TEMP on bridge device too
From: Nikolay Aleksandrov @ 2017-10-05 12:12 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, andrew, stephen,
	nbd, roopa
In-Reply-To: <b9cfcf9f-bb3a-6649-5b6a-39be0a957550@cumulusnetworks.com>

On 05/10/17 15:09, Nikolay Aleksandrov wrote:
> On 05/10/17 13:36, Jiri Pirko wrote:
>> From: Yotam Gigi <yotamg@mellanox.com>
>>
>> Every bridge port is in one of four mcast router port states:
>>  - MDB_RTR_TYPE_PERM - the port is set by the user to be an mrouter port
>>    regardless of IGMP queries.
>>  - MDB_RTR_TYPE_DISABLED - the port is set by the user to not be an mrouter
>>    port regardless of IGMP queries.
>>  - MDB_RTR_TYPE_TEMP - the port is set by the user to be in mcast router
>>    learning state, but currently it is not an mrouter port as no IGMP query
>>    has been received by it for the last multicast_querier_interval.
>>  - MDB_RTR_TYPE_TEMP_QUERY - the port is set by the user to be in mcast
>>    router learning state, and currently it is an mrouter port due to an
>>    IGMP query that has been received by it during the passed
>>    multicast_querier_interval.
> 
> I think you got the last two partially mixed up, MDB_RTR_TYPE_TEMP marks the port as a router
> regardless if there were any igmp queries, while TYPE_TEMP_QUERY means it's in learning
> state. It is the timer (armed vs not) that defines if currently the port is a router
> when one of the TEMP/TEMP_QUERY are set. In the _TEMP case it is always armed as it
> is refreshed by user or igmp queries which was the point of that mode.
> So this means in br_multicast_router() just check for the timer_pending or perm mode.
> 
> In the port code you have the following transitions:
>  _TEMP -> TEMP_QUERY (on timer fire or user-set val, port becomes learning only)
>  _TEMP -> _TEMP (noop on user refresh or igmp query, timer refreshes)
>  _TEMP_QUERY -> _TEMP_QUERY (on igmp query the timer is armed, port becomes router)
> 
> you never have _TEMP_QUERY -> _TEMP, which you're using here to denote the timer
> getting armed and the bridge becoming a router.

Okay, technically the user can change the mode in such a way manually. But it is not done
automatically, which is what I was trying to say.

> 
>>
>> The bridge device (brX) itself can also be configured by the user to be
>> either fixed, disabled or learning mrouter port states, but currently there
>> is no distinction between the MDB_RTR_TYPE_TEMP_QUERY and MDB_RTR_TYPE_TEMP
>> in the bridge internal state. Due to that, when an IGMP query is received,
>> it is not straightforward to tell whether it changes the bridge device
>> mrouter port status or not.
> 
> But before this patch the bridge device could not get that set.
> 
>>
>> Further patches in this patch-set will introduce notifications upon the
>> bridge device mrouter port state. In order to prevent resending bridge
>> mrouter notification when it is not needed, such distinction is necessary.
>>
> 
> Granted the bridge device hasn't got a way to clearly distinguish the transitions
> without the chance for a race and if using the timer one could get an unnecessary
> notification but that seems like a corner case when the timer fires exactly at the
> same time as the igmp query is received. Can't it be handled by just checking if
> the new state is different in the notification receiver ?
> If it can't and is a problem then I'd prefer to add a new boolean to denote that
> router on/off transition rather than doing this.
> 
>> Hence, add the distinction between MDB_RTR_TYPE_TEMP and
>> MDB_RTR_TYPE_TEMP_QUERY states for the bridge device, similarly to any
>> other bridge port.
>>
> 
> This does not add proper MDB_RTR_TYPE_TEMP support for the bridge device
> but seems to abuse it to distinguish the timer state, and changes
> the meaning of MDB_RTR_TYPE_TEMP. Can't you just use the timer instead ?
> I think it will simplify the set and avoid all of this.
> 
>> In order to not break the current kernel-user API, don't propagate the new
>> state to the user and use it only in the bridge internal state. Thus, if
>> the user reads (either via sysfs or netlink) the bridge device mrouter
>> state, he will get the MDB_RTR_TYPE_TEMP_QUERY state even if the current
>> bridge state is MDB_RTR_TYPE_TEMP.
>>
>> Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
>> Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
>> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
>> ---
>>  net/bridge/br_multicast.c | 25 +++++++++++++++++++++----
>>  net/bridge/br_netlink.c   |  3 ++-
>>  net/bridge/br_private.h   | 13 ++++++++++---
>>  net/bridge/br_sysfs_br.c  |  3 ++-
>>  4 files changed, 35 insertions(+), 9 deletions(-)
>>
>> diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c
>> index 8dc5c8d..b86307b 100644
>> --- a/net/bridge/br_multicast.c
>> +++ b/net/bridge/br_multicast.c
>> @@ -861,6 +861,17 @@ static void br_multicast_router_expired(unsigned long data)
>>  
>>  static void br_multicast_local_router_expired(unsigned long data)
>>  {
>> +	struct net_bridge *br = (struct net_bridge *) data;
>> +
>> +	spin_lock(&br->multicast_lock);
>> +	if (br->multicast_router == MDB_RTR_TYPE_DISABLED ||
>> +	    br->multicast_router == MDB_RTR_TYPE_PERM ||
>> +	    timer_pending(&br->multicast_router_timer))
>> +		goto out;
>> +
>> +	br->multicast_router = MDB_RTR_TYPE_TEMP_QUERY;
>> +out:
>> +	spin_unlock(&br->multicast_lock);
>>  }
>>  
>>  static void br_multicast_querier_expired(struct net_bridge *br,
>> @@ -1364,9 +1375,12 @@ static void br_multicast_mark_router(struct net_bridge *br,
>>  	unsigned long now = jiffies;
>>  
>>  	if (!port) {
>> -		if (br->multicast_router == MDB_RTR_TYPE_TEMP_QUERY)
>> +		if (br->multicast_router == MDB_RTR_TYPE_TEMP_QUERY ||
>> +		    br->multicast_router == MDB_RTR_TYPE_TEMP) {
>>  			mod_timer(&br->multicast_router_timer,
>>  				  now + br->multicast_querier_interval);
>> +			br->multicast_router = MDB_RTR_TYPE_TEMP;
>> +		}
>>  		return;
>>  	}
>>  
>> @@ -1952,7 +1966,7 @@ void br_multicast_init(struct net_bridge *br)
>>  
>>  	spin_lock_init(&br->multicast_lock);
>>  	setup_timer(&br->multicast_router_timer,
>> -		    br_multicast_local_router_expired, 0);
>> +		    br_multicast_local_router_expired, (unsigned long)br);
>>  	setup_timer(&br->ip4_other_query.timer,
>>  		    br_ip4_multicast_querier_expired, (unsigned long)br);
>>  	setup_timer(&br->ip4_own_query.timer, br_ip4_multicast_query_expired,
>> @@ -2043,11 +2057,14 @@ int br_multicast_set_router(struct net_bridge *br, unsigned long val)
>>  	case MDB_RTR_TYPE_DISABLED:
>>  	case MDB_RTR_TYPE_PERM:
>>  		del_timer(&br->multicast_router_timer);
>> -		/* fall through */
>> -	case MDB_RTR_TYPE_TEMP_QUERY:
>>  		br->multicast_router = val;
>>  		err = 0;
>>  		break;
>> +	case MDB_RTR_TYPE_TEMP_QUERY:
>> +		if (br->multicast_router != MDB_RTR_TYPE_TEMP)
>> +			br->multicast_router = val;
>> +		err = 0;
>> +		break;
>>  	}
>>  
>>  	spin_unlock_bh(&br->multicast_lock);
>> diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
>> index dea88a2..cee5016 100644
>> --- a/net/bridge/br_netlink.c
>> +++ b/net/bridge/br_netlink.c
>> @@ -1357,7 +1357,8 @@ static int br_fill_info(struct sk_buff *skb, const struct net_device *brdev)
>>  		return -EMSGSIZE;
>>  #endif
>>  #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
>> -	if (nla_put_u8(skb, IFLA_BR_MCAST_ROUTER, br->multicast_router) ||
>> +	if (nla_put_u8(skb, IFLA_BR_MCAST_ROUTER,
>> +		       br_multicast_router_translate(br->multicast_router)) ||
>>  	    nla_put_u8(skb, IFLA_BR_MCAST_SNOOPING, !br->multicast_disabled) ||
>>  	    nla_put_u8(skb, IFLA_BR_MCAST_QUERY_USE_IFADDR,
>>  		       br->multicast_query_use_ifaddr) ||
>> diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
>> index ab4df24..e6e3fec 100644
>> --- a/net/bridge/br_private.h
>> +++ b/net/bridge/br_private.h
>> @@ -649,9 +649,8 @@ void br_multicast_get_stats(const struct net_bridge *br,
>>  
>>  static inline bool br_multicast_is_router(struct net_bridge *br)
>>  {
>> -	return br->multicast_router == 2 ||
>> -	       (br->multicast_router == 1 &&
>> -		timer_pending(&br->multicast_router_timer));
>> +	return br->multicast_router == MDB_RTR_TYPE_PERM ||
>> +	       br->multicast_router == MDB_RTR_TYPE_TEMP;
>>  }
>>  
>>  static inline bool
>> @@ -790,6 +789,14 @@ static inline int br_multicast_igmp_type(const struct sk_buff *skb)
>>  }
>>  #endif
>>  
>> +static inline unsigned char
> 
> u8
> 
>> +br_multicast_router_translate(unsigned char multicast_router)
> 
> u8, if need be change the type of the struct member
> 
>> +{
>> +	if (multicast_router == MDB_RTR_TYPE_TEMP)
>> +		return MDB_RTR_TYPE_TEMP_QUERY;
>> +	return multicast_router;
>> +}
>> +
>>  /* br_vlan.c */
>>  #ifdef CONFIG_BRIDGE_VLAN_FILTERING
>>  bool br_allowed_ingress(const struct net_bridge *br,
>> diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c
>> index 723f25e..9b9c597 100644
>> --- a/net/bridge/br_sysfs_br.c
>> +++ b/net/bridge/br_sysfs_br.c
>> @@ -340,7 +340,8 @@ static ssize_t multicast_router_show(struct device *d,
>>  				     struct device_attribute *attr, char *buf)
>>  {
>>  	struct net_bridge *br = to_bridge(d);
>> -	return sprintf(buf, "%d\n", br->multicast_router);
>> +	return sprintf(buf, "%d\n",
>> +		       br_multicast_router_translate(br->multicast_router));
>>  }
>>  
>>  static ssize_t multicast_router_store(struct device *d,
>>
> 


* Re: [PATCH] rsi: fix integer overflow warning
From: Joe Perches @ 2017-10-05 12:19 UTC (permalink / raw)
  To: Arnd Bergmann, Kalle Valo, Prameela Rani Garnepudi,
	Amitkumar Karwar
  Cc: Pavani Muthyala, Karun Eagalapati, linux-wireless, netdev,
	linux-kernel
In-Reply-To: <20171005120547.328687-1-arnd@arndb.de>

On Thu, 2017-10-05 at 14:05 +0200, Arnd Bergmann wrote:
> gcc produces a harmless warning about a recently introduced
> signed integer overflow:
> 
> drivers/net/wireless/rsi/rsi_91x_hal.c: In function 'rsi_prepare_mgmt_desc':
> include/uapi/linux/swab.h:13:15: error: integer overflow in expression [-Werror=overflow]
>   (((__u16)(x) & (__u16)0x00ffU) << 8) |   \
>    ~~~~~~~~~~~~^~~~~~~~~~~~~~~~~
> include/uapi/linux/swab.h:104:2: note: in expansion of macro '___constant_swab16'
>   ___constant_swab16(x) :   \
>   ^~~~~~~~~~~~~~~~~~
> include/uapi/linux/byteorder/big_endian.h:34:43: note: in expansion of macro '__swab16'
>  #define __cpu_to_le16(x) ((__force __le16)__swab16((x)))

[]

> The problem is that the 'mask' value is a signed integer that gets
> turned into a negative number when truncated to 16 bits. Making it
> an unsigned constant avoids this.

I would expect there are more of these.

Perhaps this define in include/uapi/linux/swab.h:

/*
 * Definition as quoted from include/uapi/linux/swab.h: only the operand of
 * __builtin_constant_p() is cast to __u16; x itself is handed to
 * ___constant_swab16() or __fswab16() uncast.
 */
#define __swab16(x)				\
	(__builtin_constant_p((__u16)(x)) ?	\
	___constant_swab16(x) :			\
	__fswab16(x))

should be

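/*
 * Proposed variant: x is cast to __u16 in all three places, so both
 * ___constant_swab16() and __fswab16() receive an argument already
 * narrowed to 16 bits rather than the caller's original expression.
 */
#define __swab16(x)				\
	(__builtin_constant_p((__u16)(x)) ?	\
	___constant_swab16((__u16)(x)) :	\
	__fswab16((__u16)(x)))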


* Apply
From: Capital Finance @ 2017-10-05 12:23 UTC (permalink / raw)
  To: Recipients


   UNSECURED BUSINESS/PERSONAL LOAN BY LOAN CAPITAL FINANCE
 - NO COLLATERAL
 - MINIMUM DOCUMENTATION
 - BUSINESS LOAN UP TO FIVE(5) MILLION US DOLLARS

   CONTACT US TODAY VIA EMAIL: financeloan04@hotmail.com


* Re: [PATCH v2 net-next 0/2] net/sched: support tunnel options in cls_flower and act_tunnel_key
From: Jiri Benc @ 2017-10-05 12:51 UTC (permalink / raw)
  To: Simon Horman; +Cc: David Miller, jiri, jhs, xiyou.wangcong, netdev, oss-drivers
In-Reply-To: <20171002075013.GA22179@netronome.com>

On Mon, 2 Oct 2017 09:50:15 +0200, Simon Horman wrote:
> I believe that in order to avoid per-packet overhead and at the same time
> code complexity the TLVs should be described in-order. So matching on
> TLV-A,TLV-B,TLV-C would be a different match to TLV-C,TLV-A,TLV-B.  An
> order-independent match could be added if desired in future.

Although better than the binary format, I doubt that it would be
useful. I can't imagine a real use case where you would want such match.

Instead, what you want is a match on a particular TLV, wherever it is
in the data. For start, we can support just a single TLV.

I.e. when matching on TLV-A, all of these would match:
TLV-A,TLV-B,TLV-C; TLV-B,TLV-A,TLV-C; TLV-B,TLV-C,TLV-A. And this one
won't match: TLV-B,TLV-C,TLV-D.

 Jiri


* Re: [patch net-next 1/6] net: bridge: Use the MDB_RTR_TYPE_TEMP on bridge device too
From: Nikolay Aleksandrov @ 2017-10-05 12:52 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, andrew, stephen,
	nbd, roopa
In-Reply-To: <b9cfcf9f-bb3a-6649-5b6a-39be0a957550@cumulusnetworks.com>

On 05/10/17 15:09, Nikolay Aleksandrov wrote:
> On 05/10/17 13:36, Jiri Pirko wrote:
>> From: Yotam Gigi <yotamg@mellanox.com>
>>
>> Every bridge port is in one of four mcast router port states:
>>  - MDB_RTR_TYPE_PERM - the port is set by the user to be an mrouter port
>>    regardless of IGMP queries.
>>  - MDB_RTR_TYPE_DISABLED - the port is set by the user to not be an mrouter
>>    port regardless of IGMP queries.
>>  - MDB_RTR_TYPE_TEMP - the port is set by the user to be in mcast router
>>    learning state, but currently it is not an mrouter port as no IGMP query
>>    has been received by it for the last multicast_querier_interval.
>>  - MDB_RTR_TYPE_TEMP_QUERY - the port is set by the user to be in mcast
>>    router learning state, and currently it is an mrouter port due to an
>>    IGMP query that has been received by it during the passed
>>    multicast_querier_interval.
> 
> I think you got the last two partially mixed up, MDB_RTR_TYPE_TEMP marks the port as a router
> regardless if there were any igmp queries, while TYPE_TEMP_QUERY means it's in learning
> state. It is the timer (armed vs not) that defines if currently the port is a router
> when one of the TEMP/TEMP_QUERY are set. In the _TEMP case it is always armed as it
> is refreshed by user or igmp queries which was the point of that mode.
> So this means in br_multicast_router() just check for the timer_pending or perm mode.
> 
> In the port code you have the following transitions:
>  _TEMP -> TEMP_QUERY (on timer fire or user-set val, port becomes learning only)
>  _TEMP -> _TEMP (noop on user refresh or igmp query, timer refreshes)
>  _TEMP_QUERY -> _TEMP_QUERY (on igmp query the timer is armed, port becomes router)
> 
> you never have _TEMP_QUERY -> _TEMP, which you're using here to denote the timer
> getting armed and the bridge becoming a router.
> 
>>
>> The bridge device (brX) itself can also be configured by the user to be
>> either fixed, disabled or learning mrouter port states, but currently there
>> is no distinction between the MDB_RTR_TYPE_TEMP_QUERY and MDB_RTR_TYPE_TEMP
>> in the bridge internal state. Due to that, when an IGMP query is received,
>> it is not straightforward to tell whether it changes the bridge device
>> mrouter port status or not.
> 
> But before this patch the bridge device could not get that set.
> 
>>
>> Further patches in this patch-set will introduce notifications upon the
>> bridge device mrouter port state. In order to prevent resending bridge
>> mrouter notification when it is not needed, such distinction is necessary.
>>
> 
> Granted the bridge device hasn't got a way to clearly distinguish the transitions
> without the chance for a race and if using the timer one could get an unnecessary
> notification but that seems like a corner case when the timer fires exactly at the
> same time as the igmp query is received. Can't it be handled by just checking if
> the new state is different in the notification receiver ?

Scratch the sentence below, on a second thought I'd prefer to stick with this
version if it's a problem. :-)

> If it can't and is a problem then I'd prefer to add a new boolean to denote that
> router on/off transition rather than doing this.
> 
>> Hence, add the distinction between MDB_RTR_TYPE_TEMP and
>> MDB_RTR_TYPE_TEMP_QUERY states for the bridge device, similarly to any
>> other bridge port.
>>
> 
> This does not add proper MDB_RTR_TYPE_TEMP support for the bridge device
> but seems to abuse it to distinguish the timer state, and changes
> the meaning of MDB_RTR_TYPE_TEMP. Can't you just use the timer instead ?
> I think it will simplify the set and avoid all of this.
> 
>> In order to not break the current kernel-user API, don't propagate the new
>> state to the user and use it only in the bridge internal state. Thus, if
>> the user reads (either via sysfs or netlink) the bridge device mrouter
>> state, he will get the MDB_RTR_TYPE_TEMP_QUERY state even if the current
>> bridge state is MDB_RTR_TYPE_TEMP.
>>
[snip]


* [PATCH net] selftests/net: rxtimestamp: Fix an off by one
From: Dan Carpenter @ 2017-10-05 12:53 UTC (permalink / raw)
  To: Shuah Khan, Mike Maloney
  Cc: Willem de Bruijn, David S. Miller, linux-kselftest, netdev,
	kernel-janitors

The > should be >= so that we don't write one element beyond the end of
the array.

Fixes: 16e781224198 ("selftests/net: Add a test to validate behavior of rx timestamps")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/tools/testing/selftests/networking/timestamping/rxtimestamp.c b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
index 00f286661dcd..dd4162fc0419 100644
--- a/tools/testing/selftests/networking/timestamping/rxtimestamp.c
+++ b/tools/testing/selftests/networking/timestamping/rxtimestamp.c
@@ -341,7 +341,7 @@ int main(int argc, char **argv)
 			return 0;
 		case 'n':
 			t = atoi(optarg);
-			if (t > ARRAY_SIZE(test_cases))
+			if (t >= ARRAY_SIZE(test_cases))
 				error(1, 0, "Invalid test case: %d", t);
 			all_tests = false;
 			test_cases[t].enabled = true;
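Review bot: The corrected upper bound still leaves the lower bound and the parse itself unchecked in the `case 'n'` branch. `atoi()` returns 0 for non-numeric input, so `-n foo` silently enables test case 0, and a negative value is rejected only if the comparison converts `t` to an unsigned type (which depends on the type of `t` and on how `ARRAY_SIZE` is defined, neither of which is visible in the hunk). Making both explicit would be safer: parse with `strtol()` plus an end-pointer check, and write the guard as `if (t < 0 || t >= ARRAY_SIZE(test_cases))`. The rest of `main()` lies outside the hunk.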


* [PATCH 3/3] xen/9pfs: don't inclide rwlock.h directly.
From: Sebastian Andrzej Siewior @ 2017-10-05 12:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: tglx, Sebastian Andrzej Siewior, Eric Van Hensbergen, Ron Minnich,
	Latchesar Ionkov, David S. Miller, v9fs-developer, netdev
In-Reply-To: <20171005125655.12373-1-bigeasy@linutronix.de>

rwlock.h should not be included directly; linux/spinlock.h should be
included instead. Among other things, including rwlock.h directly breaks the RT build.

Cc: Eric Van Hensbergen <ericvh@gmail.com>
Cc: Ron Minnich <rminnich@sandia.gov>
Cc: Latchesar Ionkov <lucho@ionkov.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: v9fs-developer@lists.sourceforge.net
Cc: netdev@vger.kernel.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
---
 net/9p/trans_xen.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 6ad3e043c617..02c6c467a99c 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -38,7 +38,6 @@
 
 #include <linux/module.h>
 #include <linux/spinlock.h>
-#include <linux/rwlock.h>
 #include <net/9p/9p.h>
 #include <net/9p/client.h>
 #include <net/9p/transport.h>
-- 
2.14.2


* Re: [patch net-next 3/6] net: bridge: Export bridge multicast router state
From: Nikolay Aleksandrov @ 2017-10-05 13:09 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, andrew, stephen,
	nbd, roopa
In-Reply-To: <20171005103642.1414-4-jiri@resnulli.us>

On 05/10/17 13:36, Jiri Pirko wrote:
> From: Yotam Gigi <yotamg@mellanox.com>
> 
> Add an access function that, given a bridge netdevice, returns whether the
> bridge device is currently an mrouter or not. The function uses the already
> existing br_multicast_is_router function to check that.
> 
> This function is needed in order to allow ports that join an already
> existing bridge to know the current mrouter state of the bridge device.
> Together with the bridge device mrouter ports switchdev notifications, it
> is possible to have full offloading of the semantics of the bridge device
> mcast router state.
> 
> Due to the fact that the bridge multicast router status can change in
> packet RX path, take the multicast_router bridge spinlock to protect the
> read.
> 
> Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
> Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
> ---
>  include/linux/if_bridge.h |  5 +++++
>  net/bridge/br_multicast.c | 12 ++++++++++++
>  2 files changed, 17 insertions(+)
> 

Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>


* Re: [patch net-next 2/6] net: bridge: Notify on bridge device mrouter state changes
From: Nikolay Aleksandrov @ 2017-10-05 13:11 UTC (permalink / raw)
  To: Jiri Pirko, netdev
  Cc: davem, yotamg, idosch, nogahf, mlxsw, ivecera, andrew, stephen,
	nbd, roopa
In-Reply-To: <20171005103642.1414-3-jiri@resnulli.us>

On 05/10/17 13:36, Jiri Pirko wrote:
> From: Yotam Gigi <yotamg@mellanox.com>
> 
> Add the SWITCHDEV_ATTR_ID_BRIDGE_MROUTER switchdev notification type, used
> to indicate whether the bridge is or isn't mrouter. Notify when the bridge
> changes its state, similarly to the already existing bridged port mrouter
> notifications.
> 
> The notification uses the switchdev_attr.u.mrouter boolean flag to indicate
> the current bridge mrouter status. Thus, it only indicates whether the
> bridge is currently used as an mrouter or not, and does not indicate the
> exact mrouter state of the bridge (learning, permanent, etc.).
> 
> Signed-off-by: Yotam Gigi <yotamg@mellanox.com>
> Reviewed-by: Nogah Frankel <nogahf@mellanox.com>
> Signed-off-by: Jiri Pirko <jiri@mellanox.com>
> ---
>  include/net/switchdev.h   |  1 +
>  net/bridge/br_multicast.c | 21 ++++++++++++++++++++-
>  2 files changed, 21 insertions(+), 1 deletion(-)
> 

LGTM, but if we switch to using the timer state it will need some adjustment.
Anyway for this version,

Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>


* Re: [PATCH V2] Fix a sleep-in-atomic bug in shash_setkey_unaligned
From: Herbert Xu @ 2017-10-05 13:16 UTC (permalink / raw)
  To: David Miller
  Cc: marcelo.leitner-Re5JQEeQqe8AvxtiuMwx3w,
	luto-DgEjT+Ai2ygdnm+yROfE0A, baijiaju1990-9Onoh4P/yGk,
	nhorman-2XuSBdqkA4R54TAoqtyWWQ, vyasevich-Re5JQEeQqe8AvxtiuMwx3w,
	kvalo-sgV2jX0FEOL9JmXXK+q4OQ, linux-crypto-u79uwXL29TY76Z2rM5mHXA,
	netdev-u79uwXL29TY76Z2rM5mHXA, linux-sctp-u79uwXL29TY76Z2rM5mHXA,
	linux-wireless-u79uwXL29TY76Z2rM5mHXA
In-Reply-To: <20171005101620.GA1246-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>

On Thu, Oct 05, 2017 at 06:16:20PM +0800, Herbert Xu wrote:
>
> That was my point.  Functions like sctp_pack_cookie shouldn't be
> setting the key in the first place.  The setkey should happen at
> the point when the key is generated.  That's sctp_endpoint_init
> which AFAICS only gets called in GFP_KERNEL context.
> 
> Or is there a code-path where sctp_endpoint_init is called in
> softirq context?

OK, there are indeed code paths where the key is derived in softirq
context.  Notably sctp_auth_calculate_hmac.

So I think this patch is the correct fix and I will push it upstream
as well as back to stable.

Thanks,
-- 
Email: Herbert Xu <herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH net-next 0/3] A own subdirectory for shared TCP code
From: Richard Siegfried @ 2017-10-05 13:17 UTC (permalink / raw)
  To: Andrew Lunn; +Cc: netdev
In-Reply-To: <20171004202749.GB13247@lunn.ch>


[-- Attachment #1.1: Type: text/plain, Size: 539 bytes --]

On 04/10/17 22:27, Andrew Lunn wrote:
> Hi Richard
> 
> It is generally unwanted.
> 
> Have you tried back porting patches when the directory structure has
> changed? Files have moved around? It makes it a lot harder to
> do. Meaning patches are going to be back ported less often. Fixes
> which could be security relevant might not get back ported, etc.
> 
> Kernel 4.4 is going to be supported until 2022. So moving files around
> is going to make Greg Kroah-Hartman life more difficult for the next 5
> years.
Ok, I see


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 529 bytes --]


* Re: [PATCH 03/13] timer: Remove init_timer_on_stack() in favor of timer_setup_on_stack()
From: Rafael J. Wysocki @ 2017-10-05 13:18 UTC (permalink / raw)
  To: Kees Cook
  Cc: Thomas Gleixner, Rafael J. Wysocki, Pavel Machek, Len Brown,
	Greg Kroah-Hartman, Stefan Richter, Sudip Mukherjee,
	Martin Schwidefsky, Heiko Carstens, Julian Wiedmann, Ursula Braun,
	Michael Reed, James E.J. Bottomley, Martin K. Petersen, Linux PM,
	linux1394-devel, linux-s390, open list:TARGET SUBSYSTEM,
	Andrew Morton
In-Reply-To: <1507159627-127660-4-git-send-email-keescook@chromium.org>

On Thu, Oct 5, 2017 at 1:26 AM, Kees Cook <keescook@chromium.org> wrote:
> Remove uses of init_timer_on_stack() with open-coded function and data
> assignments that could be expressed using timer_setup_on_stack(). Several
> were removed from the stack entirely since there was a one-to-one mapping
> of parent structure to timer, those are switched to using timer_setup()
> instead. All related callbacks were adjusted to use from_timer().
>
> Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
> Cc: Pavel Machek <pavel@ucw.cz>
> Cc: Len Brown <len.brown@intel.com>
> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Cc: Stefan Richter <stefanr@s5r6.in-berlin.de>
> Cc: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
> Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
> Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
> Cc: Julian Wiedmann <jwi@linux.vnet.ibm.com>
> Cc: Ursula Braun <ubraun@linux.vnet.ibm.com>
> Cc: Michael Reed <mdr@sgi.com>
> Cc: "James E.J. Bottomley" <jejb@linux.vnet.ibm.com>
> Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Cc: linux-pm@vger.kernel.org
> Cc: linux1394-devel@lists.sourceforge.net
> Cc: linux-s390@vger.kernel.org
> Cc: linux-scsi@vger.kernel.org
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
>  drivers/base/power/main.c           |  8 +++-----
>  drivers/firewire/core-transaction.c | 10 +++++-----
>  drivers/parport/ieee1284.c          | 21 +++++++--------------
>  drivers/s390/char/tape.h            |  1 +
>  drivers/s390/char/tape_std.c        | 18 ++++++------------
>  drivers/s390/net/lcs.c              | 16 ++++++----------
>  drivers/s390/net/lcs.h              |  1 +
>  drivers/scsi/qla1280.c              | 14 +++++---------
>  drivers/scsi/qla1280.h              |  1 +
>  include/linux/parport.h             |  1 +
>  include/linux/timer.h               |  2 --
>  11 files changed, 36 insertions(+), 57 deletions(-)
>
> diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c
> index 770b1539a083..ae47b2ec84b4 100644
> --- a/drivers/base/power/main.c
> +++ b/drivers/base/power/main.c
> @@ -478,9 +478,9 @@ struct dpm_watchdog {
>   * There's not much we can do here to recover so panic() to
>   * capture a crash-dump in pstore.
>   */
> -static void dpm_watchdog_handler(unsigned long data)
> +static void dpm_watchdog_handler(struct timer_list *t)
>  {
> -       struct dpm_watchdog *wd = (void *)data;
> +       struct dpm_watchdog *wd = from_timer(wd, t, timer);
>
>         dev_emerg(wd->dev, "**** DPM device timeout ****\n");
>         show_stack(wd->tsk, NULL);
> @@ -500,11 +500,9 @@ static void dpm_watchdog_set(struct dpm_watchdog *wd, struct device *dev)
>         wd->dev = dev;
>         wd->tsk = current;
>
> -       init_timer_on_stack(timer);
> +       timer_setup_on_stack(timer, dpm_watchdog_handler, 0);
>         /* use same timeout value for both suspend and resume */
>         timer->expires = jiffies + HZ * CONFIG_DPM_WATCHDOG_TIMEOUT;
> -       timer->function = dpm_watchdog_handler;
> -       timer->data = (unsigned long)wd;
>         add_timer(timer);
>  }

For the above:

Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>


* Re: [PATCH net-next 3/4] selinux: bpf: Add selinux check for eBPF syscall operations
From: Stephen Smalley @ 2017-10-05 13:28 UTC (permalink / raw)
  To: Chenbo Feng, netdev, SELinux, linux-security-module
  Cc: Chenbo Feng, Alexei Starovoitov, Daniel Borkmann, Lorenzo Colitti
In-Reply-To: <20171004182932.140028-4-chenbofeng.kernel@gmail.com>

On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
> 
> Implement the actual checks introduced to eBPF related syscalls. This
> implementation use the security field inside bpf object to store a
> sid that
> identify the bpf object. And when processes try to access the object,
> selinux will check if processes have the right privileges. The
> creation
> of eBPF object are also checked at the general bpf check hook and new
> cmd introduced to eBPF domain can also be checked there.
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>
> Acked-by: Alexei Starovoitov <ast@kernel.org>
> ---
>  security/selinux/hooks.c            | 111
> ++++++++++++++++++++++++++++++++++++
>  security/selinux/include/classmap.h |   2 +
>  security/selinux/include/objsec.h   |   4 ++
>  3 files changed, 117 insertions(+)
> 
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index f5d304736852..41aba4e3d57c 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -85,6 +85,7 @@
>  #include <linux/export.h>
>  #include <linux/msg.h>
>  #include <linux/shm.h>
> +#include <linux/bpf.h>
>  
>  #include "avc.h"
>  #include "objsec.h"
> @@ -6252,6 +6253,106 @@ static void selinux_ib_free_security(void
> *ib_sec)
>  }
>  #endif
>  
> +#ifdef CONFIG_BPF_SYSCALL
> +static int selinux_bpf(int cmd, union bpf_attr *attr,
> +				     unsigned int size)
> +{
> +	u32 sid = current_sid();
> +	int ret;
> +
> +	switch (cmd) {
> +	case BPF_MAP_CREATE:
> +		ret = avc_has_perm(sid, sid, SECCLASS_BPF_MAP,
> BPF_MAP__CREATE,
> +				   NULL);
> +		break;
> +	case BPF_PROG_LOAD:
> +		ret = avc_has_perm(sid, sid, SECCLASS_BPF_PROG,
> BPF_PROG__LOAD,
> +				   NULL);
> +		break;
> +	default:
> +		ret = 0;
> +		break;
> +	}
> +
> +	return ret;
> +}
> +
> +static u32 bpf_map_fmode_to_av(fmode_t fmode)
> +{
> +	u32 av = 0;
> +
> +	if (f_mode & FMODE_READ)
> +		av |= BPF_MAP__READ;
> +	if (f_mode & FMODE_WRITE)
> +		av |= BPF_MAP__WRITE;
> +	return av;
> +}
> +
> +static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
> +{
> +	u32 sid = current_sid();
> +	struct bpf_security_struct *bpfsec;
> +
> +	bpfsec = map->security;
> +	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF_MAP,
> +			    bpf_map_fmode_to_av(fmode), NULL);
> +}
> +
> +static int selinux_bpf_prog(struct bpf_prog *prog)
> +{
> +	u32 sid = current_sid();
> +	struct bpf_security_struct *bpfsec;
> +
> +	bpfsec = prog->aux->security;

I haven't looked closely at the bpf code, but is it guaranteed that
prog->aux cannot be NULL here?  What's the difference in lifecycle for
bpf_prog vs bpf_prog_aux?  Could the aux field be shared across progs
created by different processes?

> +	return avc_has_perm(sid, bpfsec->sid, SECCLASS_BPF_PROG,
> +			    BPF_PROG__USE, NULL);
> +}
> +
> +static int selinux_bpf_map_alloc(struct bpf_map *map)
> +{
> +	struct bpf_security_struct *bpfsec;
> +
> +	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
> +	if (!bpfsec)
> +		return -ENOMEM;
> +
> +	bpfsec->sid = current_sid();
> +	map->security = bpfsec;
> +
> +	return 0;
> +}
> +
> +static void selinux_bpf_map_free(struct bpf_map *map)
> +{
> +	struct bpf_security_struct *bpfsec = map->security;
> +
> +	map->security = NULL;
> +	kfree(bpfsec);
> +}
> +
> +static int selinux_bpf_prog_alloc(struct bpf_prog_aux *aux)
> +{
> +	struct bpf_security_struct *bpfsec;
> +
> +	bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
> +	if (!bpfsec)
> +		return -ENOMEM;
> +
> +	bpfsec->sid = current_sid();
> +	aux->security = bpfsec;
> +
> +	return 0;
> +}
> +
> +static void selinux_bpf_prog_free(struct bpf_prog_aux *aux)
> +{
> +	struct bpf_security_struct *bpfsec = aux->security;
> +
> +	aux->security = NULL;
> +	kfree(bpfsec);
> +}
> +#endif
> +
>  static struct security_hook_list selinux_hooks[] __lsm_ro_after_init
> = {
>  	LSM_HOOK_INIT(binder_set_context_mgr,
> selinux_binder_set_context_mgr),
>  	LSM_HOOK_INIT(binder_transaction,
> selinux_binder_transaction),
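Review bot: `bpf_map_fmode_to_av()` declares its parameter as `fmode` but the body tests `f_mode & FMODE_READ` and `f_mode & FMODE_WRITE`, and no `f_mode` is declared anywhere in the quoted hunk, so as posted the helper should fail to build when CONFIG_BPF_SYSCALL is enabled (unless `f_mode` is defined somewhere outside the hunk, which seems unlikely). The two tests should read `if (fmode & FMODE_READ)` and `if (fmode & FMODE_WRITE)`. This matters beyond the build break because `selinux_bpf_map()` derives the access vector it passes to `avc_has_perm()` from this mapping, so it is worth a short comment stating that an fmode with neither bit set yields an empty vector.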
> @@ -6471,6 +6572,16 @@ static struct security_hook_list
> selinux_hooks[] __lsm_ro_after_init = {
>  	LSM_HOOK_INIT(audit_rule_match, selinux_audit_rule_match),
>  	LSM_HOOK_INIT(audit_rule_free, selinux_audit_rule_free),
>  #endif
> +
> +#ifdef CONFIG_BPF_SYSCALL
> +	LSM_HOOK_INIT(bpf, selinux_bpf),
> +	LSM_HOOK_INIT(bpf_map, selinux_bpf_map),
> +	LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
> +	LSM_HOOK_INIT(bpf_map_alloc_security,
> selinux_bpf_map_alloc),
> +	LSM_HOOK_INIT(bpf_prog_alloc_security,
> selinux_bpf_prog_alloc),
> +	LSM_HOOK_INIT(bpf_map_free_security, selinux_bpf_map_free),
> +	LSM_HOOK_INIT(bpf_prog_free_security,
> selinux_bpf_prog_free),
> +#endif
>  };
>  
>  static __init int selinux_init(void)
> diff --git a/security/selinux/include/classmap.h
> b/security/selinux/include/classmap.h
> index 35ffb29a69cb..7253c5eea59c 100644
> --- a/security/selinux/include/classmap.h
> +++ b/security/selinux/include/classmap.h
> @@ -237,6 +237,8 @@ struct security_class_mapping secclass_map[] = {
>  	  { "access", NULL } },
>  	{ "infiniband_endport",
>  	  { "manage_subnet", NULL } },
> +	{ "bpf_map", {"create", "read", "write"} },
> +	{ "bpf_prog", {"load", "use"} },

Alternatively, assuming that one usually allows access to bpf_map and
bpf_prog together, these could be coalesced into a single class and
only distinguish by permission, e.g.
        { "bpf", { "create_map", "read_map", "write_map", "prog_load",
"prog_use" } },

and then allow A self:bpf { create_map read_map write_map prog_load
prog_use }; would be stored in a single policy avtab rule, and be
cached in a single AVC entry.

>  	{ NULL }
>    };
>  
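Review bot: The two new `secclass_map` entries leave their permission lists without the explicit `NULL` that the neighbouring entries carry (`{ "access", NULL }`, `{ "manage_subnet", NULL }`). If `perms` is a fixed-size array the unused slots are zero-initialised and the list still terminates, but the struct definition is not visible in the hunk and the surrounding style makes the terminator explicit. Suggest `{ "bpf_map", { "create", "read", "write", NULL } },` and `{ "bpf_prog", { "load", "use", NULL } },`.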
> diff --git a/security/selinux/include/objsec.h
> b/security/selinux/include/objsec.h
> index 1649cd18eb0b..3d54468ce334 100644
> --- a/security/selinux/include/objsec.h
> +++ b/security/selinux/include/objsec.h
> @@ -150,6 +150,10 @@ struct pkey_security_struct {
>  	u32	sid;	/* SID of pkey */
>  };
>  
> +struct bpf_security_struct {
> +	u32 sid;  /*SID of bpf obj creater*/
> +};
> +
>  extern unsigned int selinux_checkreqprot;
>  
>  #endif /* _SELINUX_OBJSEC_H_ */
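Review bot: The comment on the new `sid` member has a typo and lacks the spacing used by the `pkey_security_struct` comment just above it in this hunk. I would write `u32 sid;	/* SID of bpf obj creator */`.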


* Re: [PATCH net-next 4/4] selinux: bpf: Add addtional check for bpf object file receive
From: Stephen Smalley @ 2017-10-05 13:37 UTC (permalink / raw)
  To: Chenbo Feng, netdev, SELinux, linux-security-module
  Cc: Chenbo Feng, Alexei Starovoitov, Daniel Borkmann, Lorenzo Colitti
In-Reply-To: <20171004182932.140028-5-chenbofeng.kernel@gmail.com>

On Wed, 2017-10-04 at 11:29 -0700, Chenbo Feng wrote:
> From: Chenbo Feng <fengc@google.com>
> 
> Introduce a bpf object related check when sending and receiving files
> through unix domain sockets as well as binder. It checks whether the
> receiving process has the privilege to read/write the bpf map or use
> the bpf program.
> This check is necessary because bpf maps and programs use an
> anonymous inode as their shared inode, so the normal way of checking
> files and sockets when passing them between processes cannot work
> properly on eBPF objects. This check only works when BPF_SYSCALL is
> configured.
> 
> Signed-off-by: Chenbo Feng <fengc@google.com>
> ---
>  include/linux/bpf.h      |  3 +++
>  kernel/bpf/syscall.c     |  4 ++--
>  security/selinux/hooks.c | 57
> +++++++++++++++++++++++++++++++++++++++++++++++-
>  3 files changed, 61 insertions(+), 3 deletions(-)
> 
> diff --git a/include/linux/bpf.h b/include/linux/bpf.h
> index d757ea3f2228..ac8428a36d56 100644
> --- a/include/linux/bpf.h
> +++ b/include/linux/bpf.h
> @@ -250,6 +250,9 @@ int bpf_prog_test_run_skb(struct bpf_prog *prog,
> const union bpf_attr *kattr,
>  #ifdef CONFIG_BPF_SYSCALL
>  DECLARE_PER_CPU(int, bpf_prog_active);
>  
> +extern const struct file_operations bpf_map_fops;
> +extern const struct file_operations bpf_prog_fops;
> +
>  #define BPF_PROG_TYPE(_id, _ops) \
>  	extern const struct bpf_verifier_ops _ops;
>  #define BPF_MAP_TYPE(_id, _ops) \
> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index 58ff769d58ab..5789a5359f0a 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -313,7 +313,7 @@ static ssize_t bpf_dummy_write(struct file *filp,
> const char __user *buf,
>  	return -EINVAL;
>  }
>  
> -static const struct file_operations bpf_map_fops = {
> +const struct file_operations bpf_map_fops = {
>  #ifdef CONFIG_PROC_FS
>  	.show_fdinfo	= bpf_map_show_fdinfo,
>  #endif
> @@ -965,7 +965,7 @@ static void bpf_prog_show_fdinfo(struct seq_file
> *m, struct file *filp)
>  }
>  #endif
>  
> -static const struct file_operations bpf_prog_fops = {
> +const struct file_operations bpf_prog_fops = {
>  #ifdef CONFIG_PROC_FS
>  	.show_fdinfo	= bpf_prog_show_fdinfo,
>  #endif
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 41aba4e3d57c..381474ce3216 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -1847,6 +1847,7 @@ static int file_has_perm(const struct cred
> *cred,
>  
>  	/* av is zero if only checking access to the descriptor. */
>  	rc = 0;
> +
>  	if (av)
>  		rc = inode_has_perm(cred, inode, av, &ad);
>  
> @@ -2142,6 +2143,10 @@ static int
> selinux_binder_transfer_binder(struct task_struct *from,
>  			    NULL);
>  }
>  
> +#ifdef CONFIG_BPF_SYSCALL
> +static int bpf_fd_pass(struct file *file, u32 sid);
> +#endif
> +
>  static int selinux_binder_transfer_file(struct task_struct *from,
>  					struct task_struct *to,
>  					struct file *file)
> @@ -2165,6 +2170,12 @@ static int selinux_binder_transfer_file(struct
> task_struct *from,
>  			return rc;
>  	}
>  
> +#ifdef CONFIG_BPF_SYSCALL
> +	rc = bpf_fd_pass(file, sid);
> +	if (rc)
> +		return rc;
> +#endif
> +
>  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
>  		return 0;
>  
> @@ -3735,8 +3746,18 @@ static int selinux_file_send_sigiotask(struct
> task_struct *tsk,
>  static int selinux_file_receive(struct file *file)
>  {
>  	const struct cred *cred = current_cred();
> +	int rc;
> +
> +	rc = file_has_perm(cred, file, file_to_av(file));
> +	if (rc)
> +		goto out;
> +
> +#ifdef CONFIG_BPF_SYSCALL
> +	rc = bpf_fd_pass(file, cred_sid(sid));
> +#endif
>  
> -	return file_has_perm(cred, file, file_to_av(file));
> +out:
> +	return rc;
>  }
>  
>  static int selinux_file_open(struct file *file, const struct cred
> *cred)
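Review bot: The added call `bpf_fd_pass(file, cred_sid(sid))` in selinux_file_receive() uses `sid`, which is not declared anywhere in the function body shown here; the only credential local is `cred`. With CONFIG_BPF_SYSCALL enabled this would presumably fail to build, and the intended line looks like `rc = bpf_fd_pass(file, cred_sid(cred));`. The `goto out` adds nothing, since `out:` only returns `rc`; returning directly after a `file_has_perm()` failure would be simpler.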
> @@ -6288,6 +6309,40 @@ static u32 bpf_map_fmode_to_av(fmode_t fmode)
>  	return av;
>  }
>  
> +/* This function will check the file pass through unix socket or
> binder to see
> + * if it is a bpf related object. And apply correspinding checks on
> the bpf
> + * object based on the type. The bpf maps and programs, not like
> other files and
> + * socket, are using a shared anonymous inode inside the kernel as
> their inode.
> + * So checking that inode cannot identify if the process have
> privilege to
> + * access the bpf object and that's why we have to add this
> additional check in
> + * selinux_file_receive and selinux_binder_transfer_files.
> + */
> +static int bpf_fd_pass(struct file *file, u32 sid)
> +{
> +	struct bpf_security_struct *bpfsec;
> +	u32 sid = cred_sid(cred);
> +	struct bpf_prog *prog;
> +	struct bpf_map *map;
> +	int ret;
> +
> +	if (file->f_op == &bpf_map_fops) {
> +		map = file->private_data;
> +		bpfsec = map->security;
> +		ret = avc_has_perm(sid, bpfsec->sid,
> SECCLASS_BPF_MAP,
> +				   bpf_map_fmode_to_av(file-
> >f_mode), NULL);
> +		if (ret)
> +			return ret;
> +	} else if (file->f_op == &bpf_prog_fops) {
> +		prog = file->private_data;
> +		bpfsec = prog->aux->security;
> +		ret = avc_has_perm(sid, bpfsec->sid,
> SECCLASS_BPF_PROG,
> +				   BPF_PROG__USE, NULL);
> +		if (ret)
> +			return ret;
> +	}
> +	return 0;
> +}

When the struct file is allocated for the bpf map and/or prog, you
could call a hook at that time passing both, and note the fact that it
is a bpf map/prog in the file_security_struct.  Then, on
file_receive/binder_transfer_file, you could apply the appropriate
checking.  Further, if we know that the file is always allocated at the
same point as the bpf map/prog, then they should have the same SID (i.e.
fsec->sid should be the same as bpfsec->sid), so we shouldn't even need
to dereference the bpf map/prog.  Unless I'm missing something.

Also, are we concerned about doing the same in
flush_unauthorized_files(), for inheriting descriptors across a
context-changing execve?  Should this checking actually go into
file_has_perm() itself so it is always applied on any use of the struct
file?

Lastly, do we need/want these checks if sid == bpfsec->sid?  We skip
FD__USE in the case where sid == fsec->sid, for example.

> +
>  static int selinux_bpf_map(struct bpf_map *map, fmode_t fmode)
>  {
>  	u32 sid = current_sid();
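Review bot: In bpf_fd_pass() the local `u32 sid = cred_sid(cred);` redeclares the `sid` parameter and reads `cred`, which the function neither receives nor declares, so the body as posted should not compile. Dropping that line makes the function use the SID the caller supplies, which matters for the binder path, where the caller passes its own `sid` (defined outside this hunk) rather than the current task's. The header comment also misspells `corresponding` and names `selinux_binder_transfer_files`, while the function changed earlier in this patch is `selinux_binder_transfer_file`.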


* Re: [PATCH 3/3] ARM: dts: gr-peach: Add ETHER pin group
From: Andrew Lunn @ 2017-10-05 13:43 UTC (permalink / raw)
  To: jacopo mondi; +Cc: Geert Uytterhoeven, Chris Brandt, f.fainelli, netdev
In-Reply-To: <20171005093915.GP4037@w540>

On Thu, Oct 05, 2017 at 11:39:15AM +0200, jacopo mondi wrote:
> Hi Geert
> 
> On Thu, Oct 05, 2017 at 11:09:40AM +0200, Geert Uytterhoeven wrote:
> > Hi Jacopo,
> >
> > On Thu, Oct 5, 2017 at 10:58 AM, Jacopo Mondi <jacopo+renesas@jmondi.org> wrote:
> > > Add pin configuration subnode for ETHER pin group and enable the interface.
> > >
> > > Signed-off-by: Jacopo Mondi <jacopo+renesas@jmondi.org>
> >
> > Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
> >
> > > --- a/arch/arm/boot/dts/r7s72100-gr-peach.dts
> > > +++ b/arch/arm/boot/dts/r7s72100-gr-peach.dts
> >
> > > @@ -88,3 +110,19 @@
> > >
> > >         status = "okay";
> > >  };
> > > +
> > > +&ether {
> > > +       pinctrl-names = "default";
> > > +       pinctrl-0 = <&ether_pins>;
> > > +
> > > +       status = "okay";
> > > +
> > > +       reset-gpios = <&port4 2 GPIO_ACTIVE_LOW>;
> > > +       reset-delay-us = <5>;
> >
> > I'm afraid the PHY people (not CCed ;-) will want you to move these reset
> > properties to the phy subnode these days, despite
> > Documentation/devicetree/bindings/net/mdio.txt...

Hi Jacopo

So what is this reset resetting?

The MAC?
The PHY?

    Andrew


* Re: [PATCH] netfilter: ipset: Convert timers to use timer_setup()
From: Jozsef Kadlecsik @ 2017-10-05 13:58 UTC (permalink / raw)
  To: Kees Cook
  Cc: linux-kernel, Pablo Neira Ayuso, Florian Westphal,
	David S. Miller, Stephen Hemminger, simran singhal,
	Muhammad Falak R Wani, netfilter-devel, coreteam, netdev,
	Thomas Gleixner
In-Reply-To: <20171005005221.GA23584@beast>

Hi,

On Wed, 4 Oct 2017, Kees Cook wrote:

> In preparation for unconditionally passing the struct timer_list pointer 
> to all timer callbacks, switch to using the new timer_setup() and 
> from_timer() to pass the timer pointer explicitly. This introduces a 
> pointer back to the struct ip_set, which is used instead of the struct 
> timer_list .data field.

Please add the same changes to net/netfilter/ipset/ip_set_list.c too, in 
order to handle all ipset modules in a single patch. I don't see a way 
either to avoid the introduction of the new pointer.

Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

Best regards,
Jozsef
 
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Cc: Florian Westphal <fw@strlen.de>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Stephen Hemminger <stephen@networkplumber.org>
> Cc: simran singhal <singhalsimran0@gmail.com>
> Cc: Muhammad Falak R Wani <falakreyaz@gmail.com>
> Cc: netfilter-devel@vger.kernel.org
> Cc: coreteam@netfilter.org
> Cc: netdev@vger.kernel.org
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> This requires commit 686fef928bba ("timer: Prepare to change timer
> callback argument type") in v4.14-rc3, but should be otherwise
> stand-alone.
> ---
>  net/netfilter/ipset/ip_set_bitmap_gen.h   | 10 +++++-----
>  net/netfilter/ipset/ip_set_bitmap_ip.c    |  2 ++
>  net/netfilter/ipset/ip_set_bitmap_ipmac.c |  2 ++
>  net/netfilter/ipset/ip_set_bitmap_port.c  |  2 ++
>  net/netfilter/ipset/ip_set_hash_gen.h     | 12 +++++++-----
>  5 files changed, 18 insertions(+), 10 deletions(-)
> 
> diff --git a/net/netfilter/ipset/ip_set_bitmap_gen.h b/net/netfilter/ipset/ip_set_bitmap_gen.h
> index 8ad2b52a0b32..5ca18f07683b 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_gen.h
> +++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
> @@ -37,11 +37,11 @@
>  #define get_ext(set, map, id)	((map)->extensions + ((set)->dsize * (id)))
>  
>  static void
> -mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
> +mtype_gc_init(struct ip_set *set, void (*gc)(struct timer_list *t))
>  {
>  	struct mtype *map = set->data;
>  
> -	setup_timer(&map->gc, gc, (unsigned long)set);
> +	timer_setup(&map->gc, gc, 0);
>  	mod_timer(&map->gc, jiffies + IPSET_GC_PERIOD(set->timeout) * HZ);
>  }
>  
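Review bot: mtype_gc_init() no longer hands `set` to the timer, so the callback depends on the `->set` back-pointer having been stored in the map before the timer is armed, and nothing in this function says so. A comment such as `/* map->set must be valid before the gc timer is armed; the callback reaches the set through it */` above the `timer_setup()` call would record that. The same applies to the hash variant of mtype_gc_init() in ip_set_hash_gen.h. The assignments themselves are in the init_map_*() and create hunks further down.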
> @@ -272,10 +272,10 @@ mtype_list(const struct ip_set *set,
>  }
>  
>  static void
> -mtype_gc(unsigned long ul_set)
> +mtype_gc(struct timer_list *t)
>  {
> -	struct ip_set *set = (struct ip_set *)ul_set;
> -	struct mtype *map = set->data;
> +	struct mtype *map = from_timer(map, t, gc);
> +	struct ip_set *set = map->set;
>  	void *x;
>  	u32 id;
>  
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
> index 4783efff0bde..d8975a0b4282 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ip.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
> @@ -48,6 +48,7 @@ struct bitmap_ip {
>  	size_t memsize;		/* members size */
>  	u8 netmask;		/* subnet netmask */
>  	struct timer_list gc;	/* garbage collection */
> +	struct ip_set *set;	/* attached to this ip_set */
>  	unsigned char extensions[0]	/* data extensions */
>  		__aligned(__alignof__(u64));
>  };
> @@ -232,6 +233,7 @@ init_map_ip(struct ip_set *set, struct bitmap_ip *map,
>  	map->netmask = netmask;
>  	set->timeout = IPSET_NO_TIMEOUT;
>  
> +	map->set = set;
>  	set->data = map;
>  	set->family = NFPROTO_IPV4;
>  
> diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> index 9a065f672d3a..4c279fbd2d5d 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
> @@ -52,6 +52,7 @@ struct bitmap_ipmac {
>  	u32 elements;		/* number of max elements in the set */
>  	size_t memsize;		/* members size */
>  	struct timer_list gc;	/* garbage collector */
> +	struct ip_set *set;	/* attached to this ip_set */
>  	unsigned char extensions[0]	/* MAC + data extensions */
>  		__aligned(__alignof__(u64));
>  };
> @@ -307,6 +308,7 @@ init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
>  	map->elements = elements;
>  	set->timeout = IPSET_NO_TIMEOUT;
>  
> +	map->set = set;
>  	set->data = map;
>  	set->family = NFPROTO_IPV4;
>  
> diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
> index 7f0c733358a4..7f9bbd7c98b5 100644
> --- a/net/netfilter/ipset/ip_set_bitmap_port.c
> +++ b/net/netfilter/ipset/ip_set_bitmap_port.c
> @@ -40,6 +40,7 @@ struct bitmap_port {
>  	u32 elements;		/* number of max elements in the set */
>  	size_t memsize;		/* members size */
>  	struct timer_list gc;	/* garbage collection */
> +	struct ip_set *set;	/* attached to this ip_set */
>  	unsigned char extensions[0]	/* data extensions */
>  		__aligned(__alignof__(u64));
>  };
> @@ -214,6 +215,7 @@ init_map_port(struct ip_set *set, struct bitmap_port *map,
>  	map->last_port = last_port;
>  	set->timeout = IPSET_NO_TIMEOUT;
>  
> +	map->set = set;
>  	set->data = map;
>  	set->family = NFPROTO_UNSPEC;
>  
> diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
> index 51063d9ed0f7..efffc8eabafe 100644
> --- a/net/netfilter/ipset/ip_set_hash_gen.h
> +++ b/net/netfilter/ipset/ip_set_hash_gen.h
> @@ -280,6 +280,7 @@ htable_bits(u32 hashsize)
>  struct htype {
>  	struct htable __rcu *table; /* the hash table */
>  	struct timer_list gc;	/* garbage collection when timeout enabled */
> +	struct ip_set *set;	/* attached to this ip_set */
>  	u32 maxelem;		/* max elements in the hash */
>  	u32 initval;		/* random jhash init value */
>  #ifdef IP_SET_HASH_WITH_MARKMASK
> @@ -429,11 +430,11 @@ mtype_destroy(struct ip_set *set)
>  }
>  
>  static void
> -mtype_gc_init(struct ip_set *set, void (*gc)(unsigned long ul_set))
> +mtype_gc_init(struct ip_set *set, void (*gc)(struct timer_list *t))
>  {
>  	struct htype *h = set->data;
>  
> -	setup_timer(&h->gc, gc, (unsigned long)set);
> +	timer_setup(&h->gc, gc, 0);
>  	mod_timer(&h->gc, jiffies + IPSET_GC_PERIOD(set->timeout) * HZ);
>  	pr_debug("gc initialized, run in every %u\n",
>  		 IPSET_GC_PERIOD(set->timeout));
> @@ -526,10 +527,10 @@ mtype_expire(struct ip_set *set, struct htype *h)
>  }
>  
>  static void
> -mtype_gc(unsigned long ul_set)
> +mtype_gc(struct timer_list *t)
>  {
> -	struct ip_set *set = (struct ip_set *)ul_set;
> -	struct htype *h = set->data;
> +	struct htype *h = from_timer(h, t, gc);
> +	struct ip_set *set = h->set;
>  
>  	pr_debug("called\n");
>  	spin_lock_bh(&set->lock);
> @@ -1314,6 +1315,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
>  	t->htable_bits = hbits;
>  	RCU_INIT_POINTER(h->table, t);
>  
> +	h->set = set;
>  	set->data = h;
>  #ifndef IP_SET_PROTO_UNDEF
>  	if (set->family == NFPROTO_IPV4) {
> -- 
> 2.7.4
> 
> 
> -- 
> Kees Cook
> Pixel Security
> 

-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary


