Netdev List
 help / color / mirror / Atom feed
* Re: [net-next V8 PATCH 1/5] bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP
From: Daniel Borkmann @ 2017-10-17 14:00 UTC (permalink / raw)
  To: Jesper Dangaard Brouer, Alexei Starovoitov
  Cc: netdev, jakub.kicinski, Michael S. Tsirkin, pavel.odintsov,
	Jason Wang, mchan, John Fastabend, peter.waskiewicz.jr, ast,
	Daniel Borkmann, Andy Gospodarek
In-Reply-To: <20171017124729.59e45c74@redhat.com>

On 10/17/2017 12:47 PM, Jesper Dangaard Brouer wrote:
> On Mon, 16 Oct 2017 14:49:53 -0700
> Alexei Starovoitov <alexei.starovoitov@gmail.com> wrote:
>
>> On Mon, Oct 16, 2017 at 12:19:28PM +0200, Jesper Dangaard Brouer wrote:
>>> The 'cpumap' is primarily used as a backend map for XDP BPF helper
>>> call bpf_redirect_map() and XDP_REDIRECT action, like 'devmap'.
>>>
>>> This patch implement the main part of the map.  It is not connected to
>>> the XDP redirect system yet, and no SKB allocation are done yet.
>>>
>>> The main concern in this patch is to ensure the datapath can run
>>> without any locking.  This adds complexity to the setup and tear-down
>>> procedure, which assumptions are extra carefully documented in the
>>> code comments.
>>>
>>> V2:
>>>   - make sure array isn't larger than NR_CPUS
>>>   - make sure CPUs added is a valid possible CPU
>>>
>>> V3: fix nitpicks from Jakub Kicinski <kubakici@wp.pl>
>>>
>>> V5:
>>>   - Restrict map allocation to root / CAP_SYS_ADMIN
>>>   - WARN_ON_ONCE if queue is not empty on tear-down
>>>   - Return -EPERM on memlock limit instead of -ENOMEM
>>>   - Error code in __cpu_map_entry_alloc() also handle ptr_ring_cleanup()
>>>   - Moved cpu_map_enqueue() to next patch
>>>
>>> V6: all notice by Daniel Borkmann
>>>   - Fix err return code in cpu_map_alloc() introduced in V5
>>>   - Move cpu_possible() check after max_entries boundary check
>>>   - Forbid usage initially in check_map_func_compatibility()
>>>
>>> V7:
>>>   - Fix alloc error path spotted by Daniel Borkmann
>>>   - Did stress test adding+removing CPUs from the map concurrently
>>>   - Fixed refcnt issue on cpu_map_entry, kthread started too soon
>>>   - Make sure packets are flushed during tear-down, involved use of
>>>     rcu_barrier() and kthread_run only exit after queue is empty
>>>   - Fix alloc error path in __cpu_map_entry_alloc() for ptr_ring
>>>
>>> V8:
>>>   - Nitpicking comments and gramma by Edward Cree
>>>   - Fix missing semi-colon introduced in V7 due to rebasing
>>>   - Move struct bpf_cpu_map_entry members cpu+map_id to tracepoint patch
>>>
>>> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
>>> ---
>>>   include/linux/bpf_types.h      |    1
>>>   include/uapi/linux/bpf.h       |    1
>>>   kernel/bpf/Makefile            |    1
>>>   kernel/bpf/cpumap.c            |  560 ++++++++++++++++++++++++++++++++++++++++
>>>   kernel/bpf/syscall.c           |    8 +
>>>   kernel/bpf/verifier.c          |    5
>>>   tools/include/uapi/linux/bpf.h |    1
>>>   7 files changed, 576 insertions(+), 1 deletion(-)
>>>   create mode 100644 kernel/bpf/cpumap.c
>>
>> Looks good to me
>> I like the idea of running networking stack from kthread
>> and hope adding GRO won't change the api.
>> Acked-by: Alexei Starovoitov <ast@kernel.org>
>
> Thanks!
>
> I think adding GRO is still safe API-wise after this patchset.  I
> imagine that the GRO API will be tied to how we implement/expose the
> RX-hash to the eBPF program.  Thus, the API will be the eBPF prog can
> change the RX-hash, to influence the GRO aggregation/partial-sort. If
> the map need to behave differently for GRO then we have the map_flags
> to adjust this behavior (but I assume this would not be needed).

+1, this should happen transparent to the user. But would it mean that
the cpumap threads get a fake napi_struct for napi_gro_receive() or
would it require larger refactoring/splitting of gro engine internals?
Would be good to have a clearer picture on that before uapi freezes.

Thanks,
Daniel

^ permalink raw reply

* [RFC PATCH 5/5] selinux: Add SCTP support
From: Richard Haines @ 2017-10-17 13:59 UTC (permalink / raw)
  To: selinux, netdev, linux-sctp, linux-security-module
  Cc: paul, vyasevich, nhorman, sds, eparis, marcelo.leitner,
	Richard Haines

The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.txt

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 Documentation/security/SELinux-sctp.txt | 108 +++++++++++++
 security/selinux/hooks.c                | 268 ++++++++++++++++++++++++++++++--
 security/selinux/include/classmap.h     |   3 +-
 security/selinux/include/netlabel.h     |   9 +-
 security/selinux/include/objsec.h       |   5 +
 security/selinux/netlabel.c             |  52 ++++++-
 6 files changed, 427 insertions(+), 18 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.txt

diff --git a/Documentation/security/SELinux-sctp.txt b/Documentation/security/SELinux-sctp.txt
new file mode 100644
index 0000000..32e0255
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.txt
@@ -0,0 +1,108 @@
+                               SCTP SELinux Support
+                              ======================
+
+Security Hooks
+===============
+
+The Documentation/security/LSM-sctp.txt document describes how the following
+sctp security hooks are utilised:
+    security_sctp_assoc_request()
+    security_sctp_bind_connect()
+    security_sctp_sk_clone()
+
+    security_inet_conn_established()
+
+
+Policy Statements
+==================
+The following class and permissions to support SCTP are available within the
+kernel:
+    class sctp_socket inherits socket { node_bind }
+
+whenever the following policy capability is enabled:
+    policycap extended_socket_class;
+
+The SELinux SCTP support adds the additional permissions that are explained
+in the sections below:
+    association bindx connectx
+
+If userspace tools have been updated, SCTP will support the portcon
+statement as shown in the following example:
+    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
+
+
+SCTP Bind, Connect and ASCONF Chunk Parameter Permission Checks
+================================================================
+The hook security_sctp_bind_connect() is called by SCTP to check permissions
+required for ipv4/ipv6 addresses based on the @optname as follows:
+
+  ------------------------------------------------------------------
+  |                      BINDX Permission Check                    |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
+  ------------------------------------------------------------------
+
+  ------------------------------------------------------------------
+  |                  BIND Permission Checks                        |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+
+  ------------------------------------------------------------------
+  |                 CONNECTX Permission Check                      |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
+  ------------------------------------------------------------------
+
+  ------------------------------------------------------------------
+  |                 CONNECT Permission Checks                      |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
+  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+
+SCTP Peer Labeling
+===================
+An SCTP socket will only have one peer label assigned to it. This will be
+assigned during the establishment of the first association. Once the peer
+label has been assigned, any new associations will have the "association"
+permission validated by checking the socket peer sid against the received
+packets peer sid to determine whether the association should be allowed or
+denied.
+
+NOTES:
+   1) If peer labeling is not enabled, then the peer context will always be
+      SECINITSID_UNLABELED (unlabeled_t in Reference Policy).
+
+   2) As SCTP supports multiple endpoints with multi-homing on a single socket
+      it is recommended that peer labels are consistent.
+
+   3) getpeercon(3) may be used by userspace to retrieve the sockets peer
+       context.
+
+   4) If using NetLabel be aware that if a label is assigned to a specific
+      interface, and that interface 'goes down', then the NetLabel service
+      will remove the entry. Therefore ensure that the network startup scripts
+      call netlabelctl(8) to set the required label (see netlabel-config(8)
+      helper script for details).
+
+   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
+      set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t.
+
+   6) CIPSO is only supported for IPv4 addressing: socket(AF_INET, ...)
+      CALIPSO is only supported for IPv6 addressing: socket(AF_INET6, ...)
+
+      Note the following when testing CIPSO/CALIPSO:
+         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
+            delivered because of an invalid label.
+         b) CALIPSO does not send an ICMP packet, just silently discards it.
+
+   7) IPSEC is not supported as rfc3554 - sctp/ipsec support has not been
+      implemented in userspace (racoon(8) or ipsec_pluto(8)), although the
+      kernel supports SCTP/IPSEC.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 33fd061..c3e9600 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -67,6 +67,8 @@
 #include <linux/tcp.h>
 #include <linux/udp.h>
 #include <linux/dccp.h>
+#include <linux/sctp.h>
+#include <net/sctp/structs.h>
 #include <linux/quota.h>
 #include <linux/un.h>		/* for Unix socket types */
 #include <net/af_unix.h>	/* for Unix socket types */
@@ -4119,6 +4121,23 @@ static int selinux_parse_skb_ipv4(struct sk_buff *skb,
 		break;
 	}
 
+#if IS_ENABLED(CONFIG_IP_SCTP)
+	case IPPROTO_SCTP: {
+		struct sctphdr _sctph, *sh;
+
+		if (ntohs(ih->frag_off) & IP_OFFSET)
+			break;
+
+		offset += ihlen;
+		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
+		if (sh == NULL)
+			break;
+
+		ad->u.net->sport = sh->source;
+		ad->u.net->dport = sh->dest;
+		break;
+	}
+#endif
 	default:
 		break;
 	}
@@ -4192,6 +4211,19 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 		break;
 	}
 
+#if IS_ENABLED(CONFIG_IP_SCTP)
+	case IPPROTO_SCTP: {
+		struct sctphdr _sctph, *sh;
+
+		sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
+		if (sh == NULL)
+			break;
+
+		ad->u.net->sport = sh->source;
+		ad->u.net->dport = sh->dest;
+		break;
+	}
+#endif
 	/* includes fragments */
 	default:
 		break;
@@ -4381,6 +4413,10 @@ static int selinux_socket_post_create(struct socket *sock, int family,
 		sksec = sock->sk->sk_security;
 		sksec->sclass = sclass;
 		sksec->sid = sid;
+		/* Allows detection of the first association on this socket */
+		if (sksec->sclass == SECCLASS_SCTP_SOCKET)
+			sksec->sctp_assoc_state = SCTP_ASSOC_UNSET;
+
 		err = selinux_netlbl_socket_post_create(sock->sk, family);
 	}
 
@@ -4401,11 +4437,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 	if (err)
 		goto out;
 
-	/*
-	 * If PF_INET or PF_INET6, check name_bind permission for the port.
-	 * Multiple address binding for SCTP is not supported yet: we just
-	 * check the first address now.
-	 */
+	/* If PF_INET or PF_INET6, check name_bind permission for the port. */
 	family = sk->sk_family;
 	if (family == PF_INET || family == PF_INET6) {
 		char *addrp;
@@ -4417,7 +4449,13 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		unsigned short snum;
 		u32 sid, node_perm;
 
-		if (family == PF_INET) {
+		/*
+		 * sctp_bindx(3) calls via selinux_sctp_bind_connect()
+		 * that validates multiple binding addresses. Because of this
+		 * need to check address->sa_family as it is possible to have
+		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
+		 */
+		if (family == PF_INET || address->sa_family == AF_INET) {
 			if (addrlen < sizeof(struct sockaddr_in)) {
 				err = -EINVAL;
 				goto out;
@@ -4471,6 +4509,10 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 			node_perm = DCCP_SOCKET__NODE_BIND;
 			break;
 
+		case SECCLASS_SCTP_SOCKET:
+			node_perm = SCTP_SOCKET__NODE_BIND;
+			break;
+
 		default:
 			node_perm = RAWIP_SOCKET__NODE_BIND;
 			break;
@@ -4485,7 +4527,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 		ad.u.net->sport = htons(snum);
 		ad.u.net->family = family;
 
-		if (family == PF_INET)
+		if (family == PF_INET || address->sa_family == AF_INET)
 			ad.u.net->v4info.saddr = addr4->sin_addr.s_addr;
 		else
 			ad.u.net->v6info.saddr = addr6->sin6_addr;
@@ -4510,10 +4552,12 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		return err;
 
 	/*
-	 * If a TCP or DCCP socket, check name_connect permission for the port.
+	 * If a TCP, DCCP or SCTP socket, check name_connect permission
+	 * for the port.
 	 */
 	if (sksec->sclass == SECCLASS_TCP_SOCKET ||
-	    sksec->sclass == SECCLASS_DCCP_SOCKET) {
+	    sksec->sclass == SECCLASS_DCCP_SOCKET ||
+	    sksec->sclass == SECCLASS_SCTP_SOCKET) {
 		struct common_audit_data ad;
 		struct lsm_network_audit net = {0,};
 		struct sockaddr_in *addr4 = NULL;
@@ -4521,7 +4565,14 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		unsigned short snum;
 		u32 sid, perm;
 
-		if (sk->sk_family == PF_INET) {
+		/* sctp_connectx(3) calls via
+		 *selinux_sctp_bind_connect() that validates multiple
+		 * connect addresses. Because of this need to check
+		 * address->sa_family as it is possible to have
+		 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
+		 */
+		if (sk->sk_family == PF_INET ||
+					address->sa_family == AF_INET) {
 			addr4 = (struct sockaddr_in *)address;
 			if (addrlen < sizeof(struct sockaddr_in))
 				return -EINVAL;
@@ -4534,11 +4585,21 @@ static int selinux_socket_connect(struct socket *sock, struct sockaddr *address,
 		}
 
 		err = sel_netport_sid(sk->sk_protocol, snum, &sid);
+
 		if (err)
 			goto out;
 
-		perm = (sksec->sclass == SECCLASS_TCP_SOCKET) ?
-		       TCP_SOCKET__NAME_CONNECT : DCCP_SOCKET__NAME_CONNECT;
+		switch (sksec->sclass) {
+		case SECCLASS_TCP_SOCKET:
+			perm = TCP_SOCKET__NAME_CONNECT;
+			break;
+		case SECCLASS_DCCP_SOCKET:
+			perm = DCCP_SOCKET__NAME_CONNECT;
+			break;
+		case SECCLASS_SCTP_SOCKET:
+			perm = SCTP_SOCKET__NAME_CONNECT;
+			break;
+		}
 
 		ad.type = LSM_AUDIT_DATA_NET;
 		ad.u.net = &net;
@@ -4815,7 +4876,8 @@ static int selinux_socket_getpeersec_stream(struct socket *sock, char __user *op
 	u32 peer_sid = SECSID_NULL;
 
 	if (sksec->sclass == SECCLASS_UNIX_STREAM_SOCKET ||
-	    sksec->sclass == SECCLASS_TCP_SOCKET)
+	    sksec->sclass == SECCLASS_TCP_SOCKET ||
+	    sksec->sclass == SECCLASS_SCTP_SOCKET)
 		peer_sid = sksec->peer_sid;
 	if (peer_sid == SECSID_NULL)
 		return -ENOPROTOOPT;
@@ -4928,6 +4990,183 @@ static void selinux_sock_graft(struct sock *sk, struct socket *parent)
 	sksec->sclass = isec->sclass;
 }
 
+/* Called whenever SCTP receives an INIT or INIT_ACK chunk */
+static int selinux_sctp_assoc_request(struct sctp_endpoint *ep,
+				      struct sk_buff *skb,
+				      int sctp_cid)
+{
+	struct sk_security_struct *sksec = ep->base.sk->sk_security;
+	struct common_audit_data ad;
+	struct lsm_network_audit net = {0,};
+	u8 peerlbl_active;
+	u32 peer_sid = SECINITSID_UNLABELED;
+	u32 conn_sid;
+	int err;
+
+	if (!selinux_policycap_extsockclass)
+		return 0;
+
+	peerlbl_active = selinux_peerlbl_enabled();
+
+	if (peerlbl_active) {
+		/* This will return peer_sid = SECSID_NULL if there are
+		 * no peer labels, see security_net_peersid_resolve().
+		 */
+		err = selinux_skb_peerlbl_sid(skb, ep->base.sk->sk_family,
+					      &peer_sid);
+
+		if (err)
+			return err;
+
+		if (peer_sid == SECSID_NULL)
+			peer_sid = SECINITSID_UNLABELED;
+	}
+
+	if (sksec->sctp_assoc_state == SCTP_ASSOC_UNSET) {
+		sksec->sctp_assoc_state = SCTP_ASSOC_SET;
+
+		/* Here as first association on socket. As the peer SID
+		 * was allowed by peer recv (and the netif/node checks),
+		 * then it is approved by policy and used as the primary
+		 * peer SID for getpeercon(3).
+		 */
+		sksec->peer_sid = peer_sid;
+	} else if  (sksec->peer_sid != peer_sid) {
+		/* Other association peer SIDs are checked to enforce
+		 * consistency among the peer SIDs.
+		 */
+		ad.type = LSM_AUDIT_DATA_NET;
+		ad.u.net = &net;
+		ad.u.net->sk = ep->base.sk;
+		err = avc_has_perm(sksec->peer_sid, peer_sid, sksec->sclass,
+				   SCTP_SOCKET__ASSOCIATION, &ad);
+		if (err)
+			return err;
+	}
+
+	if (sctp_cid == SCTP_CID_INIT) {
+		/* Have INIT when incoming connect(2), sctp_connectx(3)
+		 * or sctp_sendmsg(3) (with no association already present),
+		 * so compute the MLS component for the connection and store
+		 * the information in ep. This will be used by SCTP TCP type
+		 * sockets and peeled off connections as they cause a new
+		 * socket to be generated. selinux_sctp_sk_clone() will then
+		 * plug this into the new socket.
+		 */
+		err = selinux_conn_sid(sksec->sid, peer_sid, &conn_sid);
+		if (err)
+			return err;
+
+		ep->secid = conn_sid;
+		ep->peer_secid = peer_sid;
+
+		/* Set any NetLabel labels including CIPSO/CALIPSO options. */
+		return selinux_netlbl_sctp_assoc_request(ep, skb);
+	}
+
+	return 0;
+}
+
+/*
+ * Check if sctp IPv4/IPv6 addresses are valid for binding or connecting
+ * based on their @optname.
+ */
+static int selinux_sctp_bind_connect(struct sock *sk, int optname,
+				     struct sockaddr *address,
+				     int addrlen)
+{
+	int len, err = 0, walk_size = 0;
+	void *addr_buf;
+	struct sockaddr *addr;
+	struct socket *sock;
+
+	if (!selinux_policycap_extsockclass)
+		return 0;
+
+	switch (optname) {
+	case SCTP_SOCKOPT_BINDX_ADD:
+		err = sock_has_perm(sk, SCTP_SOCKET__BINDX);
+		break;
+	case SCTP_SOCKOPT_CONNECTX:
+		err = sock_has_perm(sk, SCTP_SOCKET__CONNECTX);
+		break;
+	/* These need SOCKET__BIND or SOCKET__CONNECT permissions that will
+	 * be checked later.
+	 */
+	case SCTP_PRIMARY_ADDR:
+	case SCTP_SET_PEER_PRIMARY_ADDR:
+	case SCTP_PARAM_SET_PRIMARY:
+	case SCTP_PARAM_ADD_IP:
+	case SCTP_SENDMSG_CONNECT:
+		break;
+	default:
+		err = -EINVAL;
+	}
+	if (err)
+		return err;
+
+	/* Process one or more addresses that may be IPv4 or IPv6 */
+	sock = sk->sk_socket;
+	addr_buf = address;
+
+	while (walk_size < addrlen) {
+		addr = addr_buf;
+		switch (addr->sa_family) {
+		case AF_INET:
+			len = sizeof(struct sockaddr_in);
+			break;
+		case AF_INET6:
+			len = sizeof(struct sockaddr_in6);
+			break;
+		default:
+			return -EAFNOSUPPORT;
+		}
+
+		err = -EINVAL;
+		switch (optname) {
+		/* Bind checks */
+		case SCTP_PRIMARY_ADDR:
+		case SCTP_SET_PEER_PRIMARY_ADDR:
+		case SCTP_SOCKOPT_BINDX_ADD:
+			err = selinux_socket_bind(sock, addr, len);
+			break;
+		/* Connect checks */
+		case SCTP_SOCKOPT_CONNECTX:
+		case SCTP_PARAM_SET_PRIMARY:
+		case SCTP_PARAM_ADD_IP:
+		case SCTP_SENDMSG_CONNECT:
+			err = selinux_socket_connect(sock, addr, len);
+			break;
+		}
+
+		if (err)
+			return err;
+
+		addr_buf += len;
+		walk_size += len;
+	}
+	return 0;
+}
+
+/* Called whenever a new socket is created by accept(2) or sctp_peeloff(3). */
+static void selinux_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
+				  struct sock *newsk)
+{
+	struct sk_security_struct *sksec = sk->sk_security;
+	struct sk_security_struct *newsksec = newsk->sk_security;
+
+	/* If policy does not support SECCLASS_SCTP_SOCKET then call
+	 * the non-sctp clone version.
+	 */
+	if (!selinux_policycap_extsockclass)
+		return selinux_sk_clone_security(sk, newsk);
+
+	newsksec->sid = ep->secid;
+	newsksec->peer_sid = ep->peer_secid;
+	newsksec->sclass = sksec->sclass;
+	newsksec->nlbl_state = sksec->nlbl_state;
+}
+
 static int selinux_inet_conn_request(struct sock *sk, struct sk_buff *skb,
 				     struct request_sock *req)
 {
@@ -6416,6 +6655,9 @@ static struct security_hook_list selinux_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(sk_clone_security, selinux_sk_clone_security),
 	LSM_HOOK_INIT(sk_getsecid, selinux_sk_getsecid),
 	LSM_HOOK_INIT(sock_graft, selinux_sock_graft),
+	LSM_HOOK_INIT(sctp_assoc_request, selinux_sctp_assoc_request),
+	LSM_HOOK_INIT(sctp_sk_clone, selinux_sctp_sk_clone),
+	LSM_HOOK_INIT(sctp_bind_connect, selinux_sctp_bind_connect),
 	LSM_HOOK_INIT(inet_conn_request, selinux_inet_conn_request),
 	LSM_HOOK_INIT(inet_csk_clone, selinux_inet_csk_clone),
 	LSM_HOOK_INIT(inet_conn_established, selinux_inet_conn_established),
diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h
index b9fe343..b4b10da 100644
--- a/security/selinux/include/classmap.h
+++ b/security/selinux/include/classmap.h
@@ -173,7 +173,8 @@ struct security_class_mapping secclass_map[] = {
 	  { COMMON_CAP2_PERMS, NULL } },
 	{ "sctp_socket",
 	  { COMMON_SOCK_PERMS,
-	    "node_bind", NULL } },
+	    "node_bind", "name_connect", "association", "bindx",
+	    "connectx", NULL } },
 	{ "icmp_socket",
 	  { COMMON_SOCK_PERMS,
 	    "node_bind", NULL } },
diff --git a/security/selinux/include/netlabel.h b/security/selinux/include/netlabel.h
index 75686d5..835a0d6 100644
--- a/security/selinux/include/netlabel.h
+++ b/security/selinux/include/netlabel.h
@@ -33,6 +33,7 @@
 #include <linux/skbuff.h>
 #include <net/sock.h>
 #include <net/request_sock.h>
+#include <net/sctp/structs.h>
 
 #include "avc.h"
 #include "objsec.h"
@@ -53,7 +54,8 @@ int selinux_netlbl_skbuff_getsid(struct sk_buff *skb,
 int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 				 u16 family,
 				 u32 sid);
-
+int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
+				     struct sk_buff *skb);
 int selinux_netlbl_inet_conn_request(struct request_sock *req, u16 family);
 void selinux_netlbl_inet_csk_clone(struct sock *sk, u16 family);
 int selinux_netlbl_socket_post_create(struct sock *sk, u16 family);
@@ -114,6 +116,11 @@ static inline int selinux_netlbl_conn_setsid(struct sock *sk,
 	return 0;
 }
 
+static inline int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
+						    struct sk_buff *skb)
+{
+	return 0;
+}
 static inline int selinux_netlbl_inet_conn_request(struct request_sock *req,
 						   u16 family)
 {
diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h
index 6ebc61e..660f270 100644
--- a/security/selinux/include/objsec.h
+++ b/security/selinux/include/objsec.h
@@ -130,6 +130,11 @@ struct sk_security_struct {
 	u32 sid;			/* SID of this object */
 	u32 peer_sid;			/* SID of peer */
 	u16 sclass;			/* sock security class */
+
+	enum {				/* SCTP association state */
+		SCTP_ASSOC_UNSET = 0,
+		SCTP_ASSOC_SET,
+	} sctp_assoc_state;
 };
 
 struct tun_security_struct {
diff --git a/security/selinux/netlabel.c b/security/selinux/netlabel.c
index aaba667..7d5aa15 100644
--- a/security/selinux/netlabel.c
+++ b/security/selinux/netlabel.c
@@ -250,6 +250,7 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 	sk = skb_to_full_sk(skb);
 	if (sk != NULL) {
 		struct sk_security_struct *sksec = sk->sk_security;
+
 		if (sksec->nlbl_state != NLBL_REQSKB)
 			return 0;
 		secattr = selinux_netlbl_sock_getattr(sk, sid);
@@ -271,6 +272,41 @@ int selinux_netlbl_skbuff_setsid(struct sk_buff *skb,
 }
 
 /**
+ * selinux_netlbl_sctp_assoc_request - Label an incoming sctp association.
+ * @ep: incoming association endpoint.
+ * @skb: the packet.
+ *
+ * Description:
+ * A new incoming connection is represented by @ep, ......
+ * Returns zero on success, negative values on failure.
+ *
+ */
+int selinux_netlbl_sctp_assoc_request(struct sctp_endpoint *ep,
+				     struct sk_buff *skb)
+{
+	int rc;
+	struct netlbl_lsm_secattr secattr;
+	struct sk_security_struct *sksec = ep->base.sk->sk_security;
+
+	if (ep->base.sk->sk_family != PF_INET &&
+				ep->base.sk->sk_family != PF_INET6)
+		return 0;
+
+	netlbl_secattr_init(&secattr);
+	rc = security_netlbl_sid_to_secattr(ep->secid, &secattr);
+	if (rc != 0)
+		goto assoc_request_return;
+
+	rc = netlbl_sctp_setattr(ep->base.sk, skb, &secattr);
+	if (rc == 0)
+		sksec->nlbl_state = NLBL_LABELED;
+
+assoc_request_return:
+	netlbl_secattr_destroy(&secattr);
+	return rc;
+}
+
+/**
  * selinux_netlbl_inet_conn_request - Label an incoming stream connection
  * @req: incoming connection request socket
  *
@@ -481,7 +517,7 @@ int selinux_netlbl_socket_setsockopt(struct socket *sock,
  */
 int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
 {
-	int rc;
+	int rc, already_owned_by_user = 0;
 	struct sk_security_struct *sksec = sk->sk_security;
 	struct netlbl_lsm_secattr *secattr;
 
@@ -489,7 +525,16 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
 	    sksec->nlbl_state != NLBL_CONNLABELED)
 		return 0;
 
-	lock_sock(sk);
+	/* Note: When called via connect(2) this happens before the socket
+	 * protocol layer connect operation and @sk is not locked, HOWEVER,
+	 * when called by the SCTP protocol layer via sctp_connectx(3),
+	 * sctp_sendmsg(3) or sendmsg(2), @sk is locked. Therefore check if
+	 * @sk owned already.
+	 */
+	if (sock_owned_by_user(sk) && sksec->sclass == SECCLASS_SCTP_SOCKET)
+		already_owned_by_user = 1;
+	else
+		lock_sock(sk);
 
 	/* connected sockets are allowed to disconnect when the address family
 	 * is set to AF_UNSPEC, if that is what is happening we want to reset
@@ -510,6 +555,7 @@ int selinux_netlbl_socket_connect(struct sock *sk, struct sockaddr *addr)
 		sksec->nlbl_state = NLBL_CONNLABELED;
 
 socket_connect_return:
-	release_sock(sk);
+	if (!already_owned_by_user)
+		release_sock(sk);
 	return rc;
 }
-- 
2.13.6

^ permalink raw reply related

* [RFC PATCH 4/5] netlabel: Add SCTP support
From: Richard Haines @ 2017-10-17 13:58 UTC (permalink / raw)
  To: selinux, netdev, linux-sctp, linux-security-module
  Cc: paul, vyasevich, nhorman, sds, eparis, marcelo.leitner,
	Richard Haines

Add support to label SCTP associations and cater for a situation where
family = PF_INET6 with an ip_hdr(skb)->version = 4.

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 include/net/netlabel.h            |  3 ++
 net/netlabel/netlabel_kapi.c      | 80 +++++++++++++++++++++++++++++++++++++++
 net/netlabel/netlabel_unlabeled.c | 10 +++++
 3 files changed, 93 insertions(+)

diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 72d6435..7348966 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -494,6 +494,9 @@ int netlbl_conn_setattr(struct sock *sk,
 			const struct netlbl_lsm_secattr *secattr);
 int netlbl_req_setattr(struct request_sock *req,
 		       const struct netlbl_lsm_secattr *secattr);
+int netlbl_sctp_setattr(struct sock *sk,
+			struct sk_buff *skb,
+			const struct netlbl_lsm_secattr *secattr);
 void netlbl_req_delattr(struct request_sock *req);
 int netlbl_skbuff_setattr(struct sk_buff *skb,
 			  u16 family,
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index ea7c670..1c82bbe 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1121,6 +1121,7 @@ int netlbl_conn_setattr(struct sock *sk,
 	switch (addr->sa_family) {
 	case AF_INET:
 		addr4 = (struct sockaddr_in *)addr;
+
 		entry = netlbl_domhsh_getentry_af4(secattr->domain,
 						   addr4->sin_addr.s_addr);
 		if (entry == NULL) {
@@ -1177,6 +1178,85 @@ int netlbl_conn_setattr(struct sock *sk,
 }
 
 /**
+ * netlbl_sctp_setattr - Label an incoming sctp association socket using
+ * the correct protocol
+ * @sk: the socket to label
+ * @skb: the packet
+ * @secattr: the security attributes
+ *
+ * Description:
+ * Attach the correct label to the given socket using the security attributes
+ * specified in @secattr.  Returns zero on success, negative values on failure.
+ *
+ */
+int netlbl_sctp_setattr(struct sock *sk,
+			struct sk_buff *skb,
+			const struct netlbl_lsm_secattr *secattr)
+{
+	int ret_val = -EINVAL;
+	struct netlbl_dommap_def *entry;
+	struct iphdr *hdr4;
+#if IS_ENABLED(CONFIG_IPV6)
+	struct ipv6hdr *hdr6;
+#endif
+
+	rcu_read_lock();
+	switch (sk->sk_family) {
+	case AF_INET:
+		hdr4 = ip_hdr(skb);
+
+		entry = netlbl_domhsh_getentry_af4(secattr->domain,
+						   hdr4->saddr);
+		if (entry == NULL) {
+			ret_val = -ENOENT;
+			goto sctp_setattr_return;
+		}
+		switch (entry->type) {
+		case NETLBL_NLTYPE_CIPSOV4:
+			ret_val = cipso_v4_sock_setattr(sk, entry->cipso,
+							secattr);
+			break;
+		case NETLBL_NLTYPE_UNLABELED:
+			netlbl_sock_delattr(sk);
+			ret_val = 0;
+			break;
+		default:
+			ret_val = -ENOENT;
+		}
+		break;
+#if IS_ENABLED(CONFIG_IPV6)
+	case AF_INET6:
+		hdr6 = ipv6_hdr(skb);
+		entry = netlbl_domhsh_getentry_af6(secattr->domain,
+						   &hdr6->saddr);
+		if (entry == NULL) {
+			ret_val = -ENOENT;
+			goto sctp_setattr_return;
+		}
+		switch (entry->type) {
+		case NETLBL_NLTYPE_CALIPSO:
+			ret_val = calipso_sock_setattr(sk, entry->calipso,
+						       secattr);
+			break;
+		case NETLBL_NLTYPE_UNLABELED:
+			netlbl_sock_delattr(sk);
+			ret_val = 0;
+			break;
+		default:
+			ret_val = -ENOENT;
+		}
+		break;
+#endif /* IPv6 */
+	default:
+		ret_val = -EPROTONOSUPPORT;
+	}
+
+sctp_setattr_return:
+	rcu_read_unlock();
+	return ret_val;
+}
+
+/**
  * netlbl_req_setattr - Label a request socket using the correct protocol
  * @req: the request socket to label
  * @secattr: the security attributes
diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
index 22dc1b9..c070dfc 100644
--- a/net/netlabel/netlabel_unlabeled.c
+++ b/net/netlabel/netlabel_unlabeled.c
@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
 		iface = rcu_dereference(netlbl_unlhsh_def);
 	if (iface == NULL || !iface->valid)
 		goto unlabel_getattr_nolabel;
+
+#if IS_ENABLED(CONFIG_IPV6)
+	/* When resolving a fallback label, check the sk_buff version as
+	 * it is possible (e.g. SCTP) to have family = PF_INET6 while
+	 * receiving ip_hdr(skb)->version = 4.
+	 */
+	if (family == PF_INET6 && ip_hdr(skb)->version == 4)
+		family = PF_INET;
+#endif /* IPv6 */
+
 	switch (family) {
 	case PF_INET: {
 		struct iphdr *hdr4;
-- 
2.13.6


^ permalink raw reply related

* [RFC PATCH 0/5] Add SELinux SCTP protocol support
From: Richard Haines @ 2017-10-17 13:53 UTC (permalink / raw)
  To: selinux, netdev, linux-sctp, linux-security-module
  Cc: paul, vyasevich, nhorman, sds, eparis, marcelo.leitner,
	Richard Haines

This patch set adds SELinux support to SCTP and incorporates all the
comments received from my previous attemps (thanks to all who responded).
There are also other changes mainly supporting ip options so that CIPSO
and CALIPSO work over SCTP.

The kernel patches have been built on Fedora 26 with kernel 4.13.4 plus the
following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as when CIPSO/CALIPSO configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation etc..


Richard Haines (5):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  netlabel: Add SCTP support
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.txt     | 212 +++++++++++++++++++++++++
 Documentation/security/SELinux-sctp.txt | 108 +++++++++++++
 include/linux/lsm_hooks.h               |  37 +++++
 include/linux/security.h                |  27 ++++
 include/net/netlabel.h                  |   3 +
 include/net/sctp/structs.h              |  12 ++
 include/uapi/linux/sctp.h               |   1 +
 net/netlabel/netlabel_kapi.c            |  80 ++++++++++
 net/netlabel/netlabel_unlabeled.c       |  10 ++
 net/sctp/chunk.c                        |   7 +-
 net/sctp/ipv6.c                         |  37 ++++-
 net/sctp/output.c                       |   3 +-
 net/sctp/protocol.c                     |  36 +++++
 net/sctp/sm_make_chunk.c                |  12 ++
 net/sctp/sm_statefuns.c                 |  14 +-
 net/sctp/socket.c                       |  66 +++++++-
 security/security.c                     |  23 +++
 security/selinux/hooks.c                | 268 ++++++++++++++++++++++++++++++--
 security/selinux/include/classmap.h     |   3 +-
 security/selinux/include/netlabel.h     |   9 +-
 security/selinux/include/objsec.h       |   5 +
 security/selinux/netlabel.c             |  52 ++++++-
 22 files changed, 993 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.txt
 create mode 100644 Documentation/security/SELinux-sctp.txt

-- 
2.13.6


^ permalink raw reply

* elo
From: chinaaddoll @ 2017-10-17 13:46 UTC (permalink / raw)


Hi.  I'M LIEUTENANT GENERAL chinaaddoll ,please reply me

^ permalink raw reply

* [RFC] sctp: suspicious rcu_read_lock() in sctp_packet_config()
From: Eric Dumazet @ 2017-10-17 13:45 UTC (permalink / raw)
  To: Vlad Yasevich, Neil Horman, Xin Long, Marcelo Ricardo Leitner
  Cc: netdev, Wei Wang, edumazet

SCTP experts.

syszkaller reported a few crashes in sctp_packet_config() with invalid
access to a deleted dst.

The rcu_read_lock() in sctp_packet_config() is suspect.

It does not protect anything at the moment.

If we expect tp->dst to be manipulated/changed by another cpu/thread,
then we need proper rcu protection.

Following patch to show what would be a minimal change (but obviously
bigger changes are needed, like sctp_transport_pmtu_check() and
sctp_transport_dst_check(), and proper sparse annotations)


BTW, sparse throws a lot of errors, any volunteer to clean this mess ?

make C=2 M=net/sctp

Thanks.

diff --git a/net/sctp/output.c b/net/sctp/output.c
index 4a865cd06d76cd5b2aa417de618da3203f7b53e4..d7f320f5acc271189ec9474795b6ececed7ad2b9 100644
--- a/net/sctp/output.c
+++ b/net/sctp/output.c
@@ -86,6 +86,7 @@ void sctp_packet_config(struct sctp_packet *packet, __u32 vtag,
 {
 	struct sctp_transport *tp = packet->transport;
 	struct sctp_association *asoc = tp->asoc;
+	struct dst_entry *dst;
 	struct sock *sk;
 
 	pr_debug("%s: packet:%p vtag:0x%x\n", __func__, packet, vtag);
@@ -121,17 +122,15 @@ void sctp_packet_config(struct sctp_packet *packet, __u32 vtag,
 			sctp_packet_append_chunk(packet, chunk);
 	}
 
-	if (!tp->dst)
-		return;
-
 	/* set packet max_size with gso_max_size if gso is enabled*/
 	rcu_read_lock();
-	if (__sk_dst_get(sk) != tp->dst) {
-		dst_hold(tp->dst);
-		sk_setup_caps(sk, tp->dst);
+	dst = rcu_dereference(tp->dst);
+	if (dst) {
+		if (__sk_dst_get(sk) != dst && dst_hold_safe(dst))
+			sk_setup_caps(sk, dst);
+		packet->max_size = sk_can_gso(sk) ? dst->dev->gso_max_size
+						  : asoc->pathmtu;
 	}
-	packet->max_size = sk_can_gso(sk) ? tp->dst->dev->gso_max_size
-					  : asoc->pathmtu;
 	rcu_read_unlock();
 }
 

^ permalink raw reply related

* Re: [PATCH 2/2 net-next] thunderbolt: Right shifting to zero bug in tbnet_handle_packet()
From: Bernat, Yehezkel @ 2017-10-17 13:17 UTC (permalink / raw)
  To: dan.carpenter@oracle.com, Jamet, Michael, Levy, Amir (Jer)
  Cc: mika.westerberg@linux.intel.com, netdev@vger.kernel.org,
	davem@davemloft.net, kernel-janitors@vger.kernel.org
In-Reply-To: <20171017123301.z6heqexdlo6lc52b@mwanda>

On Tue, 2017-10-17 at 15:33 +0300, Dan Carpenter wrote:
> There is a problem when we do:
> 
> 	sequence = pkg->hdr.length_sn & TBIP_HDR_SN_MASK;
> 	sequence >>= TBIP_HDR_SN_SHIFT;
> 
> TBIP_HDR_SN_SHIFT is 27, and right shifting a u8 27 bits is always
> going to result in zero.  The fix is to declare these variables as
> u32.
> 
> Fixes: e69b6c02b4c3 ("net: Add support for networking over
> Thunderbolt cable")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> 
> diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
> index 1a7bc0bf4598..435854688a7a 100644
> --- a/drivers/net/thunderbolt.c
> +++ b/drivers/net/thunderbolt.c
> @@ -394,7 +394,7 @@ static int tbnet_handle_packet(const void *buf,
> size_t size, void *data)
>  	struct tbnet *net = data;
>  	u32 command_id;
>  	int ret = 0;
> -	u8 sequence;
> +	u32 sequence;
>  	u64 route;
>  
>  	/* Make sure the packet is for us */

Acked-by: Yehezkel Bernat <yehezkel.bernat@intel.com>

Thanks!

^ permalink raw reply

* Re: [PATCH v9 00/20] simplify crypto wait for async op
From: Herbert Xu @ 2017-10-17 13:09 UTC (permalink / raw)
  To: Gilad Ben-Yossef
  Cc: David S. Miller, Jonathan Corbet, David Howells, Tom Lendacky,
	Gary Hook, Boris Brezillon, Arnaud Ebalard, Matthias Brugger,
	Alasdair Kergon, Mike Snitzer, device-mapper development,
	Steve French, Theodore Y. Ts'o, Jaegeuk Kim, Steffen Klassert,
	Alexey Kuznetsov, Hideaki YOSHIFUJI, Mimi Zohar, Dmitry Kasatkin
In-Reply-To: <CAOtvUMeESbKKaEvpW_MKrRaCxwQWnBa00m4v4F1jNZ_+Xq7pWA@mail.gmail.com>

On Tue, Oct 17, 2017 at 02:55:21PM +0300, Gilad Ben-Yossef wrote:
>
> Would you mind if we used ENOSPC instead of E2BIG?
> 
> "No space left on device" seems more appropriate than
> "Argument list too long".

It's fine by me.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

^ permalink raw reply

* [PATCH iproute2 net-next] ip: bridge_slave: add neigh_suppress to the type help and man pages
From: Nikolay Aleksandrov @ 2017-10-17 13:11 UTC (permalink / raw)
  To: netdev; +Cc: roopa, stephen, Nikolay Aleksandrov

Add neigh_suppress to the type help and document it in ip-link's man page.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
 ip/iplink_bridge_slave.c | 1 +
 man/man8/ip-link.8.in    | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 25eccf0cb4f9..0d5a01145d9e 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -38,6 +38,7 @@ static void print_explain(FILE *f)
 		"                        [ mcast_fast_leave {on | off} ]\n"
 		"                        [ mcast_flood {on | off} ]\n"
 		"                        [ group_fwd_mask MASK ]\n"
+		"                        [ neigh_suppress {on | off} ]\n"
 	);
 }
 
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index f0f350eb1998..153665cac679 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -1747,7 +1747,9 @@ the following additional arguments are supported:
 ] [
 .BR mcast_flood " { " on " | " off " }"
 ] [
-.BR group_fwd_mask " MASK ]"
+.BR group_fwd_mask " MASK"
+] [
+.BR neigh_suppress " { " on " | " off " } ]"
 
 .in +8
 .sp
@@ -1825,6 +1827,9 @@ option above.
 .BI group_fwd_mask " MASK "
 - set the group forward mask. This is the bitmask that is applied to decide whether to forward incoming frames destined to link-local addresses, ie addresses of the form 01:80:C2:00:00:0X (defaults to 0, ie the bridge does not forward any link-local frames coming on this port).
 
+.BR neigh_suppress " { " on " | " off " }"
+- controls whether neigh discovery (arp and nd) proxy and suppression is enabled on the port. By default this flag is off.
+
 .in -8
 
 .TP
-- 
2.1.4

^ permalink raw reply related

* Re: linux-next: manual merge of the net-next tree with the net tree
From: Mark Brown @ 2017-10-17 13:01 UTC (permalink / raw)
  To: Sergei Shtylyov
  Cc: David Miller, Networking, Vivien Didelot, Linux-Next Mailing List,
	Linux Kernel Mailing List
In-Reply-To: <dbf0a501-7dcf-82ff-6fbf-000d66a68e18@cogentembedded.com>

[-- Attachment #1: Type: text/plain, Size: 294 bytes --]

On Tue, Oct 17, 2017 at 02:30:29PM +0300, Sergei Shtylyov wrote:

> > diff --cc drivers/net/dsa/mv88e6060.c
> > index f123ed57630d,6173be889d95..000000000000
> > --- a/drivers/net/dsa/mv88e6060.c
> > +++ b/drivers/net/dsa/mv88e6060.c

>    Your mail ends here.

Yes, that's the resulting diff.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply

* Re: [patch net-next 27/34] nfp: bpf: Convert ndo_setup_tc offloads to block callbacks
From: Jiri Pirko @ 2017-10-17 12:48 UTC (permalink / raw)
  To: Jakub Kicinski; +Cc: netdev, Daniel Borkmann
In-Reply-To: <20171012180824.1e76eac1@cakuba.netronome.com>

Fri, Oct 13, 2017 at 03:08:24AM CEST, jakub.kicinski@netronome.com wrote:
>On Thu, 12 Oct 2017 19:18:16 +0200, Jiri Pirko wrote:
>> diff --git a/drivers/net/ethernet/netronome/nfp/bpf/offload.c b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
>> index a88bb5b..9e9af88 100644
>> --- a/drivers/net/ethernet/netronome/nfp/bpf/offload.c
>> +++ b/drivers/net/ethernet/netronome/nfp/bpf/offload.c
>> @@ -246,6 +246,10 @@ int nfp_net_bpf_offload(struct nfp_net *nn, struct tc_cls_bpf_offload *cls_bpf)
>>  	void *code;
>>  	int err;
>>  
>> +	if (cls_bpf->common.protocol != htons(ETH_P_ALL) ||
>> +	    cls_bpf->common.chain_index)
>> +		return -EOPNOTSUPP;
>> +
>>  	max_instr = nn_readw(nn, NFP_NET_CFG_BPF_MAX_LEN);
>>  
>>  	switch (cls_bpf->command) {
>
>It is certainly very ugly but I send a fake struct tc_cls_bpf_offload
>here for XDP.  Refactoring this mess is pretty high on my priority list
>but one way or the other this function will be called from XDP so TC
>checks must stay in the TC handler... :(

Okay. But currently, why is it a problem? You don't need the checks for
xdp path.

^ permalink raw reply

* [PATCH 2/2 net-next] thunderbolt: Right shifting to zero bug in tbnet_handle_packet()
From: Dan Carpenter @ 2017-10-17 12:33 UTC (permalink / raw)
  To: Michael Jamet, Amir Levy
  Cc: Mika Westerberg, Yehezkel Bernat, netdev, kernel-janitors
In-Reply-To: <20171013112959.sc2pwazrpk7fxbtw@mwanda>

There is a problem when we do:

	sequence = pkg->hdr.length_sn & TBIP_HDR_SN_MASK;
	sequence >>= TBIP_HDR_SN_SHIFT;

TBIP_HDR_SN_SHIFT is 27, and right shifting a u8 27 bits is always
going to result in zero.  The fix is to declare these variables as u32.

Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
index 1a7bc0bf4598..435854688a7a 100644
--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
@@ -394,7 +394,7 @@ static int tbnet_handle_packet(const void *buf, size_t size, void *data)
 	struct tbnet *net = data;
 	u32 command_id;
 	int ret = 0;
-	u8 sequence;
+	u32 sequence;
 	u64 route;
 
 	/* Make sure the packet is for us */

^ permalink raw reply related

* [PATCH 1/2 v2 net-next] thunderbolt: Fix a couple right shifting to zero bugs
From: Dan Carpenter @ 2017-10-17 12:32 UTC (permalink / raw)
  To: Andreas Noever
  Cc: Michael Jamet, Mika Westerberg, Yehezkel Bernat, netdev,
	kernel-janitors
In-Reply-To: <20171013112959.sc2pwazrpk7fxbtw@mwanda>

The problematic code looks like this:

	res_seq = res_hdr->xd_hdr.length_sn & TB_XDOMAIN_SN_MASK;
	res_seq >>= TB_XDOMAIN_SN_SHIFT;

TB_XDOMAIN_SN_SHIFT is 27, and right shifting a u8 27 bits is always
going to result in zero.  The fix is to declare these variables as u32.

Fixes: d1ff70241a27 ("thunderbolt: Add support for XDomain discovery protocol")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
v2: I accidentally sent this through the wrong list, so I'm resending to
    netdev.  Also Mika asked me to split it up because the Fixes tags
    are different for these patches.

diff --git a/drivers/thunderbolt/xdomain.c b/drivers/thunderbolt/xdomain.c
index 138027537d29..ff8d91189e99 100644
--- a/drivers/thunderbolt/xdomain.c
+++ b/drivers/thunderbolt/xdomain.c
@@ -56,7 +56,7 @@ static bool tb_xdomain_match(const struct tb_cfg_request *req,
 	case TB_CFG_PKG_XDOMAIN_RESP: {
 		const struct tb_xdp_header *res_hdr = pkg->buffer;
 		const struct tb_xdp_header *req_hdr = req->request;
-		u8 req_seq, res_seq;
+		u32 req_seq, res_seq;
 
 		if (pkg->frame.size < req->response_size / 4)
 			return false;
@@ -476,7 +476,7 @@ static void tb_xdp_handle_request(struct work_struct *work)
 	struct tb_ctl *ctl = tb->ctl;
 	const uuid_t *uuid;
 	int ret = 0;
-	u8 sequence;
+	u32 sequence;
 	u64 route;
 
 	route = ((u64)xhdr->route_hi << 32 | xhdr->route_lo) & ~BIT_ULL(63);

^ permalink raw reply related

* Re: RFC(v2): Audit Kernel Container IDs
From: Simo Sorce @ 2017-10-17 12:31 UTC (permalink / raw)
  To: Steve Grubb, linux-audit
  Cc: Richard Guy Briggs, Casey Schaufler, mszeredi, Eric W. Biederman,
	jlayton, Carlos O'Donell, Linux API, Linux Containers,
	Linux Kernel, Eric Paris, David Howells, Al Viro, Andy Lutomirski,
	Linux Network Development, Linux FS Devel, cgroups,
	Serge E. Hallyn, trondmy
In-Reply-To: <2319693.5l3M4ZINGd@x2>

On Mon, 2017-10-16 at 21:42 -0400, Steve Grubb wrote:
> On Monday, October 16, 2017 8:33:40 PM EDT Richard Guy Briggs wrote:

> > There is such a thing, but the kernel doesn't know about it
> > yet.  This same situation exists for loginuid and sessionid which
> > are userspace concepts that the kernel tracks for the convenience
> > of userspace.  As for its name, I'm not particularly picky, so if
> > you don't like CAP_CONTAINER_* then I'm fine with
> > CAP_AUDIT_CONTAINERID.  It really needs to be distinct from
> > CAP_AUDIT_WRITE and CAP_AUDIT_CONTROL since we don't want to give
> > the ability to set a containerID to any process that is able to do
> > audit logging (such as vsftpd) and similarly we don't want to give
> > the orchestrator the ability to control the setup of the audit
> > daemon.
> 
> A long time ago, we were debating what should guard against rouge
> processes from setting the loginuid. Casey argued that the ability to
> set the loginuid means they have the ability to control the audit
> trail. That means that it should be guarded by CAP_AUDIT_CONTROL. I
> think the same logic applies today. 

The difference is that with loginuid you needed to give processes able
to audit also the ability to change it. You do not want to tie the
ability to change container ids to the ability to audit. You want to be
able to do audit stuff (within the container) without allowing it to
change the container id.
Of course if we made container id a write-once property maybe there is
no need for controls at all, but I'm pretty sure there will be
situations where write-once may not be usable in practice.

> The ability to arbitrarily set a container ID means the process has
> the ability to indirectly control the audit trail.

The container Id can be used also for authorization purposes (by other
processes on the host), not just audit, I think this is why a separate
control has been proposed.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

^ permalink raw reply

* [PATCH] netfilter: ip6_tables: remove redundant assignment to e
From: Colin King @ 2017-10-17 12:02 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal,
	David S . Miller, Alexey Kuznetsov, Hideaki YOSHIFUJI,
	netfilter-devel, coreteam, netdev
  Cc: kernel-janitors, linux-kernel

From: Colin Ian King <colin.king@canonical.com>

The assignment to variable e is redundant since the same assignment
occurs just a few lines later, hence it can be removed.  Cleans up
clang warning: warning: Value stored to 'e' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 net/ipv6/netfilter/ip6_tables.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 01bd3ee5ebc6..702e483d38b0 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -458,7 +458,6 @@ mark_source_chains(const struct xt_table_info *newinfo,
 					if (!xt_find_jump_offset(offsets, newpos,
 								 newinfo->number))
 						return 0;
-					e = entry0 + newpos;
 				} else {
 					/* ... this is a fallthru */
 					newpos = pos + e->next_offset;
-- 
2.14.1


^ permalink raw reply related

* Re: [PATCH v9 00/20] simplify crypto wait for async op
From: Gilad Ben-Yossef @ 2017-10-17 11:55 UTC (permalink / raw)
  To: Herbert Xu
  Cc: David S. Miller, Jonathan Corbet, David Howells, Tom Lendacky,
	Gary Hook, Boris Brezillon, Arnaud Ebalard, Matthias Brugger,
	Alasdair Kergon, Mike Snitzer, device-mapper development,
	Steve French, Theodore Y. Ts'o, Jaegeuk Kim, Steffen Klassert,
	Alexey Kuznetsov, Hideaki YOSHIFUJI, Mimi Zohar, Dmitry Kasatkin
In-Reply-To: <20171015153831.GA22867-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>

On Sun, Oct 15, 2017 at 6:38 PM, Herbert Xu <herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org> wrote:
>
> On Sun, Oct 15, 2017 at 10:19:45AM +0100, Gilad Ben-Yossef wrote:
> >
> > Changes from v8:
> > - Remove the translation of EAGAIN return code to the
> >   previous return code of EBUSY for the user space
> >   interface of algif as no one seems to rely on it as
> >   requested by Herbert Xu.
>
> Sorry, but I forgot to mention that EAGAIN is not a good value
> to use because it's used by the network system calls for other
> meanings (interrupted by a signal).
>
> So if we stop doing the translation then we also need to pick
> a different value, perhaps E2BIG or something similar that have
> no current use within the crypto API or network API.

Yes, I see what you mean. With a netlink based interface this can
be confusing to debug.

Would you mind if we used ENOSPC instead of E2BIG?

"No space left on device" seems more appropriate than
"Argument list too long".

Thanks,
Gilad




-- 
Gilad Ben-Yossef
Chief Coffee Drinker

"If you take a class in large-scale robotics, can you end up in a
situation where the homework eats your dog?"
 -- Jean-Baptiste Queru

^ permalink raw reply

* Re: Linux 4.12+ memory leak on router with i40e NICs
From: Paweł Staszewski @ 2017-10-17 11:52 UTC (permalink / raw)
  To: Alexander Duyck
  Cc: Pavlos Parissis, Anders K. Pedersen | Cohaesio,
	netdev@vger.kernel.org, intel-wired-lan@lists.osuosl.org,
	alexander.h.duyck@intel.com
In-Reply-To: <99eba19f-327e-e01f-4f4a-87540b176e40@itcare.pl>



W dniu 2017-10-17 o 13:05, Paweł Staszewski pisze:
>
>
> W dniu 2017-10-17 o 12:59, Paweł Staszewski pisze:
>>
>>
>> W dniu 2017-10-17 o 12:51, Paweł Staszewski pisze:
>>>
>>>
>>> W dniu 2017-10-17 o 12:20, Paweł Staszewski pisze:
>>>>
>>>>
>>>> W dniu 2017-10-17 o 11:48, Paweł Staszewski pisze:
>>>>>
>>>>>
>>>>> W dniu 2017-10-17 o 02:44, Paweł Staszewski pisze:
>>>>>>
>>>>>>
>>>>>> W dniu 2017-10-17 o 01:56, Alexander Duyck pisze:
>>>>>>> On Mon, Oct 16, 2017 at 4:34 PM, Paweł Staszewski 
>>>>>>> <pstaszewski@itcare.pl> wrote:
>>>>>>>>
>>>>>>>> W dniu 2017-10-16 o 18:26, Paweł Staszewski pisze:
>>>>>>>>
>>>>>>>>>
>>>>>>>>> W dniu 2017-10-16 o 13:20, Pavlos Parissis pisze:
>>>>>>>>>> On 15/10/2017 02:58 πμ, Alexander Duyck wrote:
>>>>>>>>>>> Hi Pawel,
>>>>>>>>>>>
>>>>>>>>>>> To clarify is that Dave Miller's tree or Linus's that you 
>>>>>>>>>>> are talking
>>>>>>>>>>> about? If it is Dave's tree how long ago was it you pulled 
>>>>>>>>>>> it since I
>>>>>>>>>>> think the fix was just pushed by Jeff Kirsher a few days ago.
>>>>>>>>>>>
>>>>>>>>>>> The issue should be fixed in the following commit:
>>>>>>>>>>>
>>>>>>>>>>> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/commit/drivers/net/ethernet/intel/i40e/i40e_txrx.c?id=2b9478ffc550f17c6cd8c69057234e91150f5972 
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>> Do you know when it is going to be available on net-next and 
>>>>>>>>>> linux-stable
>>>>>>>>>> repos?
>>>>>>>>>>
>>>>>>>>>> Cheers,
>>>>>>>>>> Pavlos
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> I will make some tests today night with "net" git tree where 
>>>>>>>>> this patch is
>>>>>>>>> included.
>>>>>>>>> Starting from 0:00 CET
>>>>>>>>> :)
>>>>>>>>>
>>>>>>>>>
>>>>>>>> Upgraded and looks like problem is not solved with that patch
>>>>>>>> Currently running system with
>>>>>>>> https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/
>>>>>>>> kernel
>>>>>>>>
>>>>>>>> Still about 0.5GB of memory is leaking somewhere
>>>>>>>>
>>>>>>>> Also can confirm that the latest kernel where memory is not 
>>>>>>>> leaking (with
>>>>>>>> use i40e driver intel 710 cards) is 4.11.12
>>>>>>>> With kernel 4.11.12 - after hour no change in memory usage.
>>>>>>>>
>>>>>>>> also checked that with ixgbe instead of i40e with same net.git 
>>>>>>>> kernel there
>>>>>>>> is no memleak - after hour same memory usage - so for 100% this 
>>>>>>>> is i40e
>>>>>>>> driver problem.
>>>>>>> So how long was the run to get the .5GB of memory leaking?
>>>>>> 1 hour
>>>>>>
>>>>>>>
>>>>>>> Also is there any chance of you being able to bisect to determine
>>>>>>> where the memory leak was introduced since as you pointed out it
>>>>>>> didn't exist in 4.11.12 so odds are it was introduced somewhere
>>>>>>> between 4.11 and the latest kernel release.
>>>>>> Can be hard cause currently need to back to 4.11.12 - this is 
>>>>>> production host/router
>>>>>> Will try to find some free/test router for tests/bicects with 
>>>>>> i40e driver (intel 710 cards)
>>>>>>
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> - Alex
>>>>>>>
>>>>>>
>>>>>>
>>>>> Also forgoto to add errors for i40e when driver initialize:
>>>>> [   15.760569] i40e 0000:02:00.1: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.365587] i40e 0000:03:00.3: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.367686] i40e 0000:02:00.2: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.368816] i40e 0000:03:00.0: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.369877] i40e 0000:03:00.2: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.370941] i40e 0000:02:00.3: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.372005] i40e 0000:02:00.0: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>> [   16.373029] i40e 0000:03:00.1: Error I40E_AQ_RC_ENOSPC adding 
>>>>> RX filters on PF, promiscuous mode forced on
>>>>>
>>>>> some params that are set for this nic's
>>>>>         ip link set up dev $i
>>>>>         ethtool -A $i autoneg off rx off tx off
>>>>>         ethtool -G $i rx 1024 tx 2048
>>>>>         ip link set $i txqueuelen 1000
>>>>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 512 
>>>>> tx-usecs 128
>>>>>         ethtool -L $i combined 6
>>>>>         #ethtool -N $i rx-flow-hash udp4 sdfn
>>>>>         ethtool -K $i ntuple on
>>>>>         ethtool -K $i gro off
>>>>>         ethtool -K $i tso off
>>>>>
>>>>>
>>>>>
>>>>>
>>>> Also after TSO/GRO on there is memory usage change - and leaking 
>>>> faster
>>>> Below image from memory usage before change with TSO/GRO OFF and 
>>>> after enabling TSO/GRO
>>>>
>>>> https://ibb.co/dTqBY6
>>>>
>>>>
>>>> Thanks
>>>> Pawel
>>>>
>>>>
>>>>
>>> With settings like this:
>>> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
>>> enp3s0f3'
>>> for i in $ifc
>>>         do
>>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 512 
>>> tx-usecs 128
>>>         ethtool -K $i gro on
>>>         ethtool -K $i tso on
>>>
>>>         done
>>>
>>> Server is leaking about 4-6MB per each 10 seconds
>>> MEMLEAK:
>>> 5  MB/10sec
>>> 6  MB/10sec
>>> 4  MB/10sec
>>> 4  MB/10sec
>>>
>>>
>>> Other settings TSO/GRO off
>>> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
>>> enp3s0f3'
>>> for i in $ifc
>>>         do
>>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 512 
>>> tx-usecs 128
>>>         ethtool -K $i gro off
>>>         ethtool -K $i tso off
>>>
>>>         done
>>>
>>> Same leak about 5MB per 10 seconds
>>> MEMLEAK:
>>> 5  MB/10sec
>>> 5  MB/10sec
>>> 5  MB/10sec
>>>
>>>
>>> Other settings rx-usecs change from 512 to 1024:
>>> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
>>> enp3s0f3'
>>> for i in $ifc
>>>         do
>>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 1024 
>>> tx-usecs 128
>>>         ethtool -K $i gro off
>>>         ethtool -K $i tso off
>>>
>>>         done
>>>
>>> MEMLEAK:
>>> 4  MB/10sec
>>> 3  MB/10sec
>>> 4  MB/10sec
>>> 4  MB/10sec
>>>
>>>
>>> So memleak have something to do with rx-usecs (less interrupts but 
>>> bigger latency for traffic)
>>>
>>>
>>> But also enabling TSO/GRO making leak about 1MB bigger for each 10 
>>> seconds
>>>
>>>
>>>
>> So far best config is:
>> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
>> enp3s0f3'
>> for i in $ifc
>>         do
>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 64 
>> tx-usecs 512
>>         ethtool -K $i gro off
>>         ethtool -K $i tso on
>>
>>         done
>>
>> MEMLEAK - about 2MB/10secs
>> 2  MB/10sec
>> 2  MB/10sec
>> 2  MB/10sec
>>
>>
>> With - rx-usecs set to 256 (about 7-9MB/10secs memleak)
>> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
>> enp3s0f3'
>> for i in $ifc
>>         do
>>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 256 
>> tx-usecs 512
>>         ethtool -K $i gro off
>>         ethtool -K $i tso on
>>
>>         done
>>
>> MEMLEAK:
>> 7  MB/10sec
>> 7  MB/10sec
>> 8  MB/10sec
>> 9  MB/10sec
>>
>>
>
> And even less memleak with rx-usecs set to 32
> ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
> enp3s0f3'
> for i in $ifc
>         do
>         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 32 
> tx-usecs 512
>         ethtool -K $i gro off
>         ethtool -K $i tso on
>
>         done
>
>
> MEMLEAK - about 0-2MB for each 10 seconds
> 0  MB/10sec
> 1  MB/10sec
> 0  MB/10sec
> 2  MB/10sec
> 1  MB/10sec
>
>
>


So best settings - to have as less leak as possible for now (rx-usecs 
set to 16):
ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
enp3s0f3'
for i in $ifc
         do
         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 16 
tx-usecs 768
         ethtool -K $i gro on
         ethtool -K $i tso on

         done


MEMLEAK: (0-1MB/10seconds)
0  MB/10sec
0  MB/10sec
0  MB/10sec
1  MB/10sec
1  MB/10sec
-1  MB/10sec
1  MB/10sec
1  MB/10sec
0  MB/10sec

(there are some memory recycles - so this is good :) )



Compared to(rx-usecs 512):

ifc='enp2s0f0 enp2s0f1 enp2s0f2 enp2s0f3 enp3s0f0 enp3s0f1 enp3s0f2 
enp3s0f3'
for i in $ifc
         do
         ethtool -C $i adaptive-rx off adaptive-tx off rx-usecs 512 
tx-usecs 128
         ethtool -K $i gro on
         ethtool -K $i tso on

         done

Server is leaking about 4-6MB per each 10 seconds
MEMLEAK:
5  MB/10sec
6  MB/10sec
4  MB/10sec
4  MB/10sec

^ permalink raw reply

* Re: [PATCH net] sock_diag: request _diag module only when the family or proto has been registered
From: Marcelo Ricardo Leitner @ 2017-10-17 11:39 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, davem, Sabrina Dubroca
In-Reply-To: <69c0824505548e733f2f7be3ff288f2c4e461afa.1508217236.git.lucien.xin@gmail.com>

On Tue, Oct 17, 2017 at 01:13:56PM +0800, Xin Long wrote:
> Now when using 'ss' in iproute, kernel would try to load all _diag
> modules. It causes the corresponding family or proto modules to be
> loaded as well.
> 
> Like after 'ss -a', sctp, dccp, af_packet(if it works as a moudle)
> will be loaded.
> 
> As these family or proto modules are loaded unexpectly, this might
> have some security implications.
> 
> This patch is to introduce sock_diag_request_module() in which we
> only request the _diag module when it's corresponding family or
> proto has been registered.
> 
> Note that we can't just load _diag module without the family or
> proto loaded, as some symbols in _diag module are from the family
> or proto moudle.
> 
> Reported-by: Sabrina Dubroca <sd@queasysnail.net>
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  include/linux/net.h       |  1 +
>  include/linux/sock_diag.h |  1 +
>  net/core/sock_diag.c      | 32 ++++++++++++++++++++++++--------
>  net/ipv4/inet_diag.c      |  3 +--
>  net/socket.c              |  5 +++++
>  5 files changed, 32 insertions(+), 10 deletions(-)
> 
> diff --git a/include/linux/net.h b/include/linux/net.h
> index d97d80d..6c7cf09 100644
> --- a/include/linux/net.h
> +++ b/include/linux/net.h
> @@ -225,6 +225,7 @@ enum {
>  int sock_wake_async(struct socket_wq *sk_wq, int how, int band);
>  int sock_register(const struct net_proto_family *fam);
>  void sock_unregister(int family);
> +bool sock_is_registered(int family);
>  int __sock_create(struct net *net, int family, int type, int proto,
>  		  struct socket **res, int kern);
>  int sock_create(int family, int type, int proto, struct socket **res);
> diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
> index a2f8109..e9a1b8d 100644
> --- a/include/linux/sock_diag.h
> +++ b/include/linux/sock_diag.h
> @@ -77,4 +77,5 @@ bool sock_diag_has_destroy_listeners(const struct sock *sk)
>  void sock_diag_broadcast_destroy(struct sock *sk);
>  
>  int sock_diag_destroy(struct sock *sk, int err);
> +int sock_diag_request_module(int family, int protocol);
>  #endif
> diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
> index 217f4e3..caad6b6 100644
> --- a/net/core/sock_diag.c
> +++ b/net/core/sock_diag.c
> @@ -7,6 +7,7 @@
>  #include <net/net_namespace.h>
>  #include <linux/module.h>
>  #include <net/sock.h>
> +#include <net/protocol.h>
>  #include <linux/kernel.h>
>  #include <linux/tcp.h>
>  #include <linux/workqueue.h>
> @@ -207,6 +208,25 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
>  }
>  EXPORT_SYMBOL_GPL(sock_diag_unregister);
>  
> +int sock_diag_request_module(int family, int protocol)
> +{
> +	if (!protocol) {
> +		if (!sock_is_registered(family))
> +			return -ENOENT;
> +
> +		return request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
> +				      NETLINK_SOCK_DIAG, family);
> +	}
> +
> +	if (family == AF_INET &&
> +	    !rcu_access_pointer(inet_protos[protocol]))
> +		return -ENOENT;
> +
> +	return request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
> +			      NETLINK_SOCK_DIAG, family, protocol);
> +}
> +EXPORT_SYMBOL_GPL(sock_diag_request_module);
> +
>  static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
>  {
>  	int err;
> @@ -220,8 +240,7 @@ static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
>  		return -EINVAL;
>  
>  	if (sock_diag_handlers[req->sdiag_family] == NULL)
> -		request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
> -				NETLINK_SOCK_DIAG, req->sdiag_family);
> +		sock_diag_request_module(req->sdiag_family, 0);
>  
>  	mutex_lock(&sock_diag_table_mutex);
>  	hndl = sock_diag_handlers[req->sdiag_family];
> @@ -247,8 +266,7 @@ static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
>  	case TCPDIAG_GETSOCK:
>  	case DCCPDIAG_GETSOCK:
>  		if (inet_rcv_compat == NULL)
> -			request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
> -					NETLINK_SOCK_DIAG, AF_INET);
> +			sock_diag_request_module(AF_INET, 0);
>  
>  		mutex_lock(&sock_diag_table_mutex);
>  		if (inet_rcv_compat != NULL)
> @@ -281,14 +299,12 @@ static int sock_diag_bind(struct net *net, int group)
>  	case SKNLGRP_INET_TCP_DESTROY:
>  	case SKNLGRP_INET_UDP_DESTROY:
>  		if (!sock_diag_handlers[AF_INET])
> -			request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
> -				       NETLINK_SOCK_DIAG, AF_INET);
> +			sock_diag_request_module(AF_INET, 0);
>  		break;
>  	case SKNLGRP_INET6_TCP_DESTROY:
>  	case SKNLGRP_INET6_UDP_DESTROY:
>  		if (!sock_diag_handlers[AF_INET6])
> -			request_module("net-pf-%d-proto-%d-type-%d", PF_NETLINK,
> -				       NETLINK_SOCK_DIAG, AF_INET);
> +			sock_diag_request_module(AF_INET, 0);
>  		break;
>  	}
>  	return 0;
> diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
> index c9c35b6..d10c8fa 100644
> --- a/net/ipv4/inet_diag.c
> +++ b/net/ipv4/inet_diag.c
> @@ -53,8 +53,7 @@ static DEFINE_MUTEX(inet_diag_table_mutex);
>  static const struct inet_diag_handler *inet_diag_lock_handler(int proto)
>  {
>  	if (!inet_diag_table[proto])
> -		request_module("net-pf-%d-proto-%d-type-%d-%d", PF_NETLINK,
> -			       NETLINK_SOCK_DIAG, AF_INET, proto);
> +		sock_diag_request_module(AF_INET, proto);
>  
>  	mutex_lock(&inet_diag_table_mutex);
>  	if (!inet_diag_table[proto])
> diff --git a/net/socket.c b/net/socket.c
> index c729625..733d657 100644
> --- a/net/socket.c
> +++ b/net/socket.c
> @@ -2590,6 +2590,11 @@ void sock_unregister(int family)
>  }
>  EXPORT_SYMBOL(sock_unregister);
>  
> +bool sock_is_registered(int family)
> +{
> +	return family < NPROTO && rcu_access_pointer(net_families[family]);
> +}
> +
>  static int __init sock_init(void)
>  {
>  	int err;
> -- 
> 2.1.0
> 

^ permalink raw reply

* Re: [next-queue PATCH v9 0/6] TSN: Add qdisc based config interface for CBS
From: Henrik Austad @ 2017-10-17 11:35 UTC (permalink / raw)
  To: Vinicius Costa Gomes
  Cc: netdev, intel-wired-lan, jhs, xiyou.wangcong, jiri, andre.guedes,
	ivan.briano, jesus.sanchez-palencia, boon.leong.ong,
	richardcochran, levipearson, rodney.cummings
In-Reply-To: <20171017010128.22141-1-vinicius.gomes@intel.com>

[-- Attachment #1: Type: text/plain, Size: 967 bytes --]

On Mon, Oct 16, 2017 at 06:01:22PM -0700, Vinicius Costa Gomes wrote:
> Hi,

Vinicius; this looks really good to me, testing shows no errors and 
behavior is as expected. I see some differences in received bw for 
offload=1 and 0 though

Just using tsn_talker and tsn_listener:
tc qdisc add dev eth2 parent 8001:1 cbs idleslope 20000 sendslope -980000 \
hicredit 30 locredit -1470 offload 1

with offload=1 (20Mbps BW)
Receiving data rate: 19420 kbps
Receiving data rate: 19410 kbps

Similarly, but with offload=0 (SW, 20Mbps BW)
Receiving data rate: 19980 kbps
Receiving data rate: 20170 kbps

So slightly higer variance in rate when doing SW, which is as expected.

I plan to run this through some more tests tomorrow and measure variance on the 
receiver etc, I'll keep you posted on my findings.

Feel free to add a tested-by though

Tested-by: Henrik Austad <henrik@austad.us>

and a Vehemently-supported-by: Henrik .. :)

-Henrik

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply

* Re: [PATCH net] sock_diag: request _diag module only when the family or proto has been registered
From: Eric Dumazet @ 2017-10-17 11:35 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, davem, Marcelo Ricardo Leitner, Sabrina Dubroca
In-Reply-To: <1508238974.31614.91.camel@edumazet-glaptop3.roam.corp.google.com>

On Tue, 2017-10-17 at 04:16 -0700, Eric Dumazet wrote:
> On Tue, 2017-10-17 at 13:13 +0800, Xin Long wrote:
> 
> > +bool sock_is_registered(int family)
> > +{
> > +	return family < NPROTO && rcu_access_pointer(net_families[family]);
> > +}
> 
> EXPORT_SYMBOL() ?

I take this back. Since there is one single user in vmlinux, no need yet

Reviewed-by: Eric Dumazet <edumazet@google.com>

^ permalink raw reply

* Re: linux-next: manual merge of the net-next tree with the net tree
From: Sergei Shtylyov @ 2017-10-17 11:30 UTC (permalink / raw)
  To: Mark Brown, David Miller, Networking, Vivien Didelot
  Cc: Linux-Next Mailing List, Linux Kernel Mailing List
In-Reply-To: <20171016093635.zxyyq2px4hdewse3@sirena.co.uk>

Hello!

On 10/16/2017 12:36 PM, Mark Brown wrote:

> Today's linux-next merge of the net-next tree got a conflict in:
> 
>    drivers/net/dsa/mv88e6060.c
> 
> between commit:
> 
>    3efc93c2bc243 ("net: dsa: mv88e6060: fix switch MAC address")
> 
> from the net tree and commit:
> 
>    56c3ff9bf23e1 ("net: dsa: mv88e6060: setup random mac address")
> 
> from the net-next tree.
> 
> I fixed it up (see below, the relevant code was deleted in net-next) and
> can carry the fix as necessary. This is now fixed as far as linux-next
> is concerned, but any non trivial conflicts should be mentioned to your
> upstream maintainer when your tree is submitted for merging.  You may
> also want to consider cooperating with the maintainer of the conflicting
> tree to minimise any particularly complex conflicts.
> 
> diff --cc drivers/net/dsa/mv88e6060.c
> index f123ed57630d,6173be889d95..000000000000
> --- a/drivers/net/dsa/mv88e6060.c
> +++ b/drivers/net/dsa/mv88e6060.c

    Your mail ends here.

MBR, Sergei

^ permalink raw reply

* Re: [PATCH net] net/sched: cls_flower: Set egress_dev mark when calling into the HW driver
From: Sergei Shtylyov @ 2017-10-17 11:29 UTC (permalink / raw)
  To: Or Gerlitz, David S. Miller; +Cc: Jiri Pirko, netdev, mlxsw, Roi Dayan
In-Reply-To: <1508145588-29959-1-git-send-email-ogerlitz@mellanox.com>

Hello!

On 10/16/2017 12:19 PM, Or Gerlitz wrote:

> Commit 7091d8c '(net/sched: cls_flower: Add offload support using egress

    At least 12 digits are needed.

> Hardware device') made sure (when fl_hw_replace_filter is called) to put
> the egress_dev mark on persisent structure instance. Hence, following calls

    Persistent.

> into the HW driver for stats and deletion will note it and act accordingly.
> 
> With commit de4784ca030f this property is lost and hence when called,
> the HW driver failes to operate (stats, delete) on the offloaded flow.

    Fails.

> Fix it by setting the egress_dev flag whenever the ingress device is
> different from the hw device since this is exactly the condition under
> which we're calling into the HW driver through the egress port net-device.
> 
> Fixes: de4784ca030f ('net: sched: get rid of struct tc_to_netdev')
> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
> Signed-off-by: Roi Dayan <roid@mellanox.com>
[...]

MBR, Sergei

^ permalink raw reply

* Re: [PATCH net] sock_diag: request _diag module only when the family or proto has been registered
From: Eric Dumazet @ 2017-10-17 11:24 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, davem, Marcelo Ricardo Leitner, Sabrina Dubroca
In-Reply-To: <1508238974.31614.91.camel@edumazet-glaptop3.roam.corp.google.com>

On Tue, 2017-10-17 at 04:16 -0700, Eric Dumazet wrote:
> On Tue, 2017-10-17 at 13:13 +0800, Xin Long wrote:
> 
> > +bool sock_is_registered(int family)
> > +{
> > +	return family < NPROTO && rcu_access_pointer(net_families[family]);
> > +}
> 
> EXPORT_SYMBOL() ?
> 

Or move it in net/core/sock_diag.c so that it can be static.

^ permalink raw reply

* Re: [PATCH] net: export netdev_txq_to_tc to allow sch_mqprio to compile as module
From: Eric Dumazet @ 2017-10-17 11:21 UTC (permalink / raw)
  To: Henrik Austad
  Cc: netdev, David S . Miller, Daniel Borkmann, David Ahern,
	Alexander Duyck, Willem de Bruijn, John Fastabend, tcharding,
	LKML, Henrik Austad, Jesus Sanchez-Palencia
In-Reply-To: <1508235010-4056-1-git-send-email-haustad@cisco.com>

On Tue, Oct 17, 2017 at 3:10 AM, Henrik Austad <henrik@austad.us> wrote:
> In commit 32302902ff09 ("mqprio: Reserve last 32 classid values for HW
> traffic classes and misc IDs") sch_mqprio started using netdev_txq_to_tc
> to find the correct tc instead of dev->tc_to_txq[]
>
> However, when mqprio is compiled as a module, it cannot resolve the
> symbol, leading to this error:
>
>      ERROR: "netdev_txq_to_tc" [net/sched/sch_mqprio.ko] undefined!
>
> This adds an EXPORT_SYMBOL() since the other user in the kernel
> (netif_set_xps_queue) is also EXPORT_SYMBOL() (and not _GPL) or in a
> sysfs-callback.
>
> Cc: Alexander Duyck <alexander.h.duyck@intel.com>
> Cc: Jesus Sanchez-Palencia <jesus.sanchez-palencia@intel.com>
> Cc: David S. Miller <davem@davemloft.net>
> Signed-off-by: Henrik Austad <haustad@cisco.com>


Reviewed-by: Eric Dumazet <edumazet@google.com>

^ permalink raw reply

* Re: [PATCH net] sock_diag: request _diag module only when the family or proto has been registered
From: Eric Dumazet @ 2017-10-17 11:16 UTC (permalink / raw)
  To: Xin Long; +Cc: network dev, davem, Marcelo Ricardo Leitner, Sabrina Dubroca
In-Reply-To: <69c0824505548e733f2f7be3ff288f2c4e461afa.1508217236.git.lucien.xin@gmail.com>

On Tue, 2017-10-17 at 13:13 +0800, Xin Long wrote:

> +bool sock_is_registered(int family)
> +{
> +	return family < NPROTO && rcu_access_pointer(net_families[family]);
> +}

EXPORT_SYMBOL() ?

^ permalink raw reply


This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox