Adjusting of data pointers in net/netfilter/nf_conntrack_frag6_*
sysctl table for other namespaces points to wrong netns_frags
structure and has reversed order of entries.
Problem introduced by commit c038a767cd69 in 3.7-rc1
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/netfilter
or adjusting to new hardware or protocol versions. And
when the code doesn't change too often, the urge to fix its style is
rather low. But presence of old badly styled code doesn't justify
introducing more badly styled code.
Michal Kubecek
in UP
state with ARP monitor (and MII monitor not relying on
curr_active_slave being NULL if there is no slave up).
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
drivers/net/bonding/bond_main.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/bonding
On Fri, May 10, 2013 at 03:13:24PM +0300, Imre Deak wrote:
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -1751,7 +1751,7 @@ int bond_enslave(struct net_device *bond_dev, struct
net_device *slave_dev)
read_lock(bond-lock);
new_slave-last_arp_rx
edianity. Perhaps u32 is better?
If they are known to be in network byte ordering, they do (as NBO is the
same as BE).
Michal Kubecek
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message
offloading mismatch warning when vlan is
created on top of a bond consisting of slaves supporting IP/IPv6
checksumming but not vlan Tx offloading.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/core/dev.c | 16 +++-
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git
offloading mismatch warning when vlan is
created on top of a bond consisting of slaves supporting IP/IPv6
checksumming but not vlan Tx offloading.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/core/dev.c | 15 ++-
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git
On Wed, Oct 08, 2014 at 09:10:23AM +, David Laight wrote:
From: Hannes Frederic Sowa
I think David's concern was whether if 0 == false in all situations. It
is pretty clear that static memory is initialized to 0.
I'm not 100% sure about that.
static pointers may be required to be
or any stacked combination of those
- bonding
- teaming
In the bonding and teaming case, it is necessary to disable LRO not only
on slaves when dev_disable_lro() is called but also on any slave (port)
added later.
Michal Kubecek (3):
net: handle more general stacking in dev_disable_lro()
team
Add flag IFF_TEAM_MASTER to recognize a team master and helper
netif_is_team_master() to check it.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
drivers/net/team/team.c | 3 ++-
include/linux/netdevice.h | 7 +++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers
is disabled for
a bond/team master, we also need to make sure to disable it for newly
added slaves.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
drivers/net/bonding/bond_main.c | 3 +++
drivers/net/team/team.c | 3 +++
net/core/dev.c | 8
3 files changed, 14
Current dev_disable_lro() code passing LRO disabling to lower device
handles vlan on top of a macvlan but not the opposite. Repeat the test
until the device is neither vlan nor macvlan.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/core/dev.c | 23 ++-
1 file changed
On Tue, Nov 11, 2014 at 10:05:22AM +0100, Veaceslav Falico wrote:
On Tue, Nov 11, 2014 at 09:21:30AM +0100, Michal Kubecek wrote:
Large receive offloading is known to cause problems if received packets
are passed to other host. Therefore the kernel disables it by calling
dev_disable_lro
)?
Michal Kubecek
itself.
For bonding and teaming devices, it is necessary to disable LRO not only
on current slaves at the moment when dev_disable_lro() is called but
also on any slave (port) added later.
v2: use lower device links for all devices (including vlan and macvlan)
Signed-off-by: Michal Kubecek mkube
creation
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
drivers/net/macvlan.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 9538674..10604db 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
quite
well (even if they are a bit too terse sometimes). On the other hand,
route --help doesn't even tell me how to add a simple route.
Michal Kubecek
On Mon, Mar 23, 2015 at 06:49:02AM -0700, Eric Dumazet wrote:
On Mon, 2015-03-23 at 09:27 +0100, Michal Kubecek wrote:
On s390x, gcc 4.8 compiles this part of tcp_v6_early_demux()
struct dst_entry *dst = sk->sk_rx_dst;
if (dst)
dst = dst_check(dst
)
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv6/tcp_ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5a2dfed..f1756ee 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1518,7
disallowing UFO for packets from SOCK_DGRAM seems to be the best option.
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv4/ip_output.c | 3 ++-
net/ipv6/ip6_output.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index
)
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv4/tcp_ipv4.c | 2 +-
net/ipv6/tcp_ipv6.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 5a2dfed..3d42b45 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
, then (with a trivial refresh
for the comment added in 3.13).
Michal Kubecek
And odds are, if I didn't apply it there, it was either
because it didn't apply, or it broke the build.
a. [x] rcu_note_context_switch(cpu) - rcu_note_context_switch()
From
-existing routes if it fails.
(2) Attempt to replace a multipath route results in a broken siblings
linked list. Following commands (like ip route del) can then either
follow a link into freed memory or end in an infinite loop (if the slab
object has been reused).
Michal Kubecek (2):
ipv6: do
(ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/ip6_fib.c | 17 ++---
net/ipv6/route.c | 8 +---
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 96db5a24..abf4e4e5bdab 100644
--- a/net/ipv6
multipath (ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/route.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d355f097..18b92c05b541 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2536,6 +2536,7 @@ beginning
On Wed, May 13, 2015 at 02:28:57PM +0200, Nicolas Dichtel wrote:
On 13/05/2015 11:50, Michal Kubecek wrote:
If adding a nexthop of an IPv6 multipath route fails, comment in
ip6_route_multipath() says we are going to delete all nexthops already
added. However, current implementation deletes
On Thu, May 14, 2015 at 11:49:07PM +0200, Michal Kubecek wrote:
On Thu, May 14, 2015 at 08:58:59PM +0200, Nicolas Dichtel wrote:
On 13/05/2015 21:59, Michal Kubecek wrote:
When replacing an IPv6 multipath route with ip route replace, i.e.
NLM_F_CREATE | NLM_F_REPLACE, fib6_add_rt2node
-existing routes if it fails.
(2) Attempt to replace a multipath route results in a broken siblings
linked list. Following commands (like ip route del) can then either
follow a link into freed memory or end in an infinite loop (if the slab
object has been reused).
Michal Kubecek (2):
ipv6: do
.
Michal Kubecek
multipath (ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d355f097..3821a3517478 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -2504,9 +2504,9
(ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/ip6_fib.c | 17 ++---
net/ipv6/route.c | 8 +---
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 96db5a24..abf4e4e5bdab 100644
--- a/net/ipv6
On Thu, May 14, 2015 at 08:58:59PM +0200, Nicolas Dichtel wrote:
On 13/05/2015 21:59, Michal Kubecek wrote:
When replacing an IPv6 multipath route with ip route replace, i.e.
NLM_F_CREATE | NLM_F_REPLACE, fib6_add_rt2node() replaces only first
matching route without fixing its siblings
On Fri, May 15, 2015 at 12:12:12PM -0400, David Miller wrote:
From: Michal Kubecek mkube...@suse.cz
Date: Fri, 15 May 2015 10:51:52 +0200
But I still rather feel like replacing all existing matching routes
would better reflect what I expect replace to do.
What does IPV4 do?
Apparently
?
Michal Kubecek
multipath (ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
Acked-by: Nicolas Dichtel nicolas.dich...@6wind.com
---
net/ipv6/route.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index d355f097..3821a3517478 100644
--- a/net/ipv6
route(s) by first nexthop of an ECMP route so that each subsequent
nexthop does not replace previous one.
Fixes: 51ebd3181572 (ipv6: add support of equal cost multipath (ECMP))
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv6/ip6_fib.c | 39 +--
net
patch
v3: change the semantics of replace operation to better match IPv4
Michal Kubecek (2):
ipv6: do not delete previously existing ECMP routes if add fails
ipv6: fix ECMP route replacement
net/ipv6/ip6_fib.c | 39 +--
net/ipv6/route.c | 14
When replacing an IPv4 route, tb_id member of the new fib_alias
structure is not set in the replace code path so that the new route is
ignored.
Fixes: 0ddcf43d5d4a (ipv4: FIB Local/MAIN table collapse)
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
net/ipv4/fib_trie.c | 1 +
1 file changed
would stop keeping the state information whether dev_disable_lro()
was called for it or not (we must not reenable LRO if it was).
Michal Kubecek
a rwlock (even for reading) as someone else could call
write_lock() on the same rwlock on the same CPU in the meantime and
would end up spinning indefinitely while waiting for you to release it.
Michal Kubecek
for a bond to mean there is at least one LRO capable slave, you would
need a new flag for the LRO should be disabled for all lower devices
state. I don't think it's worth the effort.
Michal Kubecek
be used in the context BUILD_BUG_ON() uses it in.
There is a BUILD_BUG_ON_NOT_POWER_OF_2() macro you could use.
Michal Kubecek
(hb_interval * path_max_retry + max_rto)
(We cannot expect to see the shutdown sequence so that, unlike
ESTABLISHED, the HEARTBEAT_ACKED timeout shouldn't be too long.)
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
v2:
- add new timeouts to nla policy interface
- explain vtag handling in the commit
for new states are
HB_SENT: 30 seconds (default hb_interval)
HB_ACKED: 210 seconds (hb_interval * path_max_retry + max_rto)
(We cannot expect to see the shutdown sequence so that the HB_ACKED
timeout shouldn't be too long.)
Signed-off-by: Michal Kubecek mkube...@suse.cz
---
include/uapi/linux
On Tue, Jul 14, 2015 at 03:42:03PM +0200, Florian Westphal wrote:
Michal Kubecek mkube...@suse.cz wrote:
+ case SCTP_CID_HEARTBEAT:
+ pr_debug(SCTP_CID_HEARTBEAT);
+ i = 9;
+ break;
+ case SCTP_CID_HEARTBEAT_ACK:
+ pr_debug
On Tue, Jul 14, 2015 at 05:38:47PM +0200, Pablo Neira Ayuso wrote:
On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote:
@@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = {
.mode = 0644,
.proc_handler = proc_dointvec_jiffies
On Wed, Jul 15, 2015 at 05:35:08PM -0300, Marcelo Ricardo Leitner wrote:
Hi,
On Tue, Jul 14, 2015 at 06:42:25PM +0200, Michal Kubecek wrote:
On Tue, Jul 14, 2015 at 03:42:03PM +0200, Florian Westphal wrote:
Michal Kubecek mkube...@suse.cz wrote:
+ case SCTP_CID_HEARTBEAT
On Thu, Jul 16, 2015 at 10:50:59AM -0300, Marcelo Ricardo Leitner wrote:
On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote:
@@ -278,6 +292,14 @@ static int sctp_new_state(enum ip_conntrack_dir dir,
pr_debug(SCTP_CID_SHUTDOWN_COMPLETE\n);
i = 8
data-path unusable.
This is already the case since commit fbe168ba91f7 ("net: generic
dev_disable_lro() stacked device handling"). That commit makes sure
dev_disable_lro() is propagated down the stack and also makes sure new
slaves added to a bond/team with LRO disabled have it disabled t
embedded in it.
Fixes: 73d605d1abbd ("[IPSEC]: changing API of xfrm6_tunnel_register")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/ipv6/tunnel6.c | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c
in
lro() stacked device handling").
Michal Kubecek
> [< none >] sock_sendmsg+0xca/0x110 net/socket.c:620
> [< none >] sock_write_iter+0x216/0x3a0 net/socket.c:819
> [< inline >] new_sync_write fs/read_write.c:478
> [< none >] __vfs_write+0x2ed/0x3d0 fs/read_write.c:491
> [< n
possible other people or third-party
vendors working with stable/LTS kernels (Android?) may run into it.
How about
- It must fix a real bug that bothers people (not a, This could be a
problem... type thing).
in Documentation/stable_kernel_rules.txt?
Michal Kubecek
he code which adds the "asymmetric peer" to monitor its queue
state. More precisely, the asymmetricity check has been added by
ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
shortly after that.
The __netdev_find_adj() helper does not use its first argument, only the
device to find and list to walk through.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/core/dev.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/net/core/dev.c b/ne
submitted by Yoshifuji Hideaki in
http://patchwork.ozlabs.org/patch/220979/
but got lost and forgotten for some reason.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
include/net/ipv6.h | 1 +
net/ipv6/netfilter/nf_conntrack_reasm.c | 5 +++--
net/i
anging its value
so that even with high_thresh set to 0, fragmented packets can be still
reassembled and processed.
Add explicit check preventing reassembly if high threshold is zero.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/ipv4/inet_fragment.c | 2 +-
1 file changed, 1
all of them are already assigned to one
real server (or few), resulting in highly unbalanced distribution.
Address this by counting the "pre-established" states as "active".
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/netfilter/ipvs/ip_vs_proto_tcp.c |
On Mon, Mar 07, 2016 at 04:28:26PM -0800, Cong Wang wrote:
> On Mon, Mar 7, 2016 at 4:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> > On Fri, Mar 4, 2016 at 2:59 AM, Michal Kubecek <mkube...@suse.cz> wrote:
> >> static void ipv6_route_seq_setup_wal
On Tue, Mar 08, 2016 at 08:05:44AM +0100, Michal Kubecek wrote:
> On Mon, Mar 07, 2016 at 04:28:26PM -0800, Cong Wang wrote:
> > On Mon, Mar 7, 2016 at 4:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> > > On Fri, Mar 4, 2016 at 2:59 AM, Michal Kubecek <mkube...@sus
each its own
lock).
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
v2: get rid of ifdef in ipv6_route_seq_setup_walk(), pass net from
callers instead
---
include/net/netns/ipv6.h | 2 ++
net/ipv6/ip6_fib.c | 68 +---
2 files chang
he walkers infrastructure and garbage
collector so that they work independently in network namespaces.
v2: get rid of ifdef in ipv6_route_seq_setup_walk(), pass net from
callers instead
Michal Kubecek (3):
ipv6: replace global gc_args with local variable
ipv6: per netns fib6 walkers
ipv6: per netns F
for instances of fib6_run_gc() in different namespaces blocking each
other. There is still a call to icmp6_dst_gc() which operates on shared
data but this function is protected by its own shared lock.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
include/net/netns/ipv6.h | 1 +
net/ipv6/ip6
collector are allowed.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/ipv6/ip6_fib.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 0c7e276c230e..d7c715accac9 100644
--- a/net/ipv6/ip6_fib.c
+++ b/ne
and give each its own
lock.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
include/net/netns/ipv6.h | 2 ++
net/ipv6/ip6_fib.c | 67 +++-
2 files changed, 40 insertions(+), 29 deletions(-)
diff --git a/include/net/netns/ipv6.h b/include/net
for instances of fib6_run_gc() in different namespaces blocking each
other. There is still a call to icmp6_dst_gc() which operates on shared
data but this function is protected by its own shared lock.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
include/net/netns/ipv6.h | 1 +
net/ipv6/ip6
collector are allowed.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/ipv6/ip6_fib.c | 14 --
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 0c7e276c230e..d7c715accac9 100644
--- a/net/ipv6/ip6_fib.c
+++ b/ne
he walkers infrastructure and garbage
collector so that they work independently in network namespaces.
Michal Kubecek (3):
ipv6: replace global gc_args with local variable
ipv6: per netns fib6 walkers
ipv6: per netns FIB garbage collection
include/net/netns/ipv6.h | 3 ++
net/ipv6/ip6_fib.c
On Wed, Mar 30, 2016 at 01:33:44PM +0200, Daniel Borkmann wrote:
> On 03/30/2016 11:42 AM, Michal Kubecek wrote:
> >
> >I'm just not sure checking if we hold the right lock depending on caller
> >is worth the extra complexity. After all, what is really needed is to
> >ho
sock_owned_by_user(sk));
> + filter = rcu_dereference_protected(sk->sk_filter, locked);
> if (filter) {
> RCU_INIT_POINTER(sk->sk_filter, NULL);
> sk_filter_uncharge(sk, filter);
> @@ -2463,7 +2467,12 @@ int sk_detach_filter(struct sock *sk)
>
> return ret;
> }
> -EXPORT_SYMBOL_GPL(sk_detach_filter);
> +EXPORT_SYMBOL_GPL(__sk_detach_filter);
> +
> +int sk_detach_filter(struct sock *sk)
> +{
> + return __sk_detach_filter(sk, sock_owned_by_user(sk));
> +}
>
> int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf,
> unsigned int len)
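Review bot: sk_detach_filter() loses its export in this hunk: EXPORT_SYMBOL_GPL(sk_detach_filter) is replaced by EXPORT_SYMBOL_GPL(__sk_detach_filter), and the new sk_detach_filter() wrapper below it has no export of its own. If any modular caller still uses sk_detach_filter(), it will no longer resolve the symbol, so either keep an export on the wrapper or state in the commit message that every module user is switched to __sk_detach_filter() in this patch. The boolean passed through as `locked` to rcu_dereference_protected() is also supplied by the caller without any check, so a short comment above __sk_detach_filter() naming the lock each caller is expected to hold would make the contract explicit.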
> --
> 1.9.3
Looks good to me.
I'm just not sure checking if we hold the right lock depending on caller
is worth the extra complexity. After all, what is really needed is to
hold _some_ lock guaranteeing sk_attach_prog() and sk_detach_filter()
are safe so that just changing the condition in both to
sock_owned_by_user(sk) || lockdep_rtnl_is_held()
could suffice.
Michal Kubecek
On Mon, Feb 22, 2016 at 10:31:33AM -0500, Sasha Levin wrote:
>
> I've hit the following warning while fuzzing with trinity inside a kvmtool
> guest
> running the latest -next kernel:
>
> [ 1343.104588] ===
> [ 1343.104591] [ INFO: suspicious RCU usage. ]
> [
On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote:
> Hi Michal,
>
> On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for
> > xt_LOG") disabled logging packets usi
a nonzero value. This sysctl is only accessible from init_net so that
one cannot switch the behaviour from inside a container.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
Documentation/networking/netfilter-sysctl.txt | 10 ++
include/net/netfilter/nf_log.h| 3
On Monday, 25 July 2016 8:41 Florian Westphal wrote:
> Michal Kubecek <mkube...@suse.cz> wrote:
> > On Thu, Jul 21, 2016 at 09:00:33PM +0200, Jiri Slaby wrote:
> > > On 07/21/2016, 08:56 PM, Greg KH wrote:
> > > > On Thu, Jul 21, 2016 at 08:36:18AM +0200,
On Tue, Jul 26, 2016 at 07:09:41AM +, Dexuan Cui wrote:
> If you meant https://lkml.org/lkml/2016/7/13/382, I don't think Michal
> Kubecek was suggesting I build my code using the existing AF_VSOCK
> code(?) I think he was only asking me to clarify the way I used to write
: because of a shared lock which is held for all this time,
this allows (on kernel >= 3.8) an unprivileged user to block similar
operation in all network namespaces including init_net.
While a partial DoS like this is certainly better than allowing to crash
the system, it could still be considered a security issue.
Michal Kubecek
ry
few people use that syntax (the "+" or "-" variants come handy at times,
though).
Michal Kubecek
int protocol, int kern)
> +{
> + struct sock *sk;
> +
> + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN))
> + return -EPERM;
Looks like any application wanting to use hyper-v sockets will need
rather high privileges. It would make sense if these sockets were
reserved for privileged tasks like VM management. But according to the
commit message, hv_sock is supposed to be used for regular application
to application communication. Requiring CAP_{SYS,NET}_ADMIN looks like
an overkill to me.
> +
> + if (protocol != 0 && protocol != SHV_PROTO_RAW)
> + return -EPROTONOSUPPORT;
> +
> + switch (sock->type) {
> + case SOCK_STREAM:
> + sock->ops = _ops;
> + break;
> + default:
> + return -ESOCKTNOSUPPORT;
> + }
> +
> + sock->state = SS_UNCONNECTED;
> +
> + sk = hvsock_create(net, sock, GFP_KERNEL, 0);
> + return sk ? 0 : -ENOMEM;
> +}
Michal Kubecek
e
are not going to use AF_VSOCK". I would understand if you pointed out
features important for you that are missing in AF_VSOCK but this kind of
reasoning sounds strange to me.
Michal Kubecek
ach(iter1, entry1, newinfo->size) {
> - if (i-- == 0)
> - break;
> - cleanup_entry(iter1);
> - }
> - xt_free_table_info(newinfo);
> - return ret;
> + for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
> + repl.hook_entry[i] = newinfo->hook_entry[i];
> + repl.underflow[i] = newinfo->underflow[i];
> }
>
> - /* And one copy for every other CPU */
> - for_each_possible_cpu(i)
> - if (newinfo->entries[i] && newinfo->entries[i] != entry1)
> - memcpy(newinfo->entries[i], entry1, newinfo->size);
These four lines should be preserved, IMHO, as 3.12 doesn't have commit
482cfc318559 ("netfilter: xtables: avoid percpu ruleset duplication")
(introduced in 4.2) which removed the need for per-cpu copies.
The same applies to the other two instances of translate_compat_table()
in net/ipv4/netfilter/ip_tables.c and net/ipv6/netfilter/ip6_tables.c
Florian, do you agree?
Michal Kubecek
On Tue, Jul 19, 2016 at 11:13:12AM +0200, Florian Westphal wrote:
> Florian Westphal <f...@strlen.de> wrote:
> > Michal Kubecek <mkube...@suse.cz> wrote:
> > > > - /* And one copy for every other CPU */
> > > > - for_each_possible_cpu(i)
e problem addressed by
http://article.gmane.org/gmane.linux.network/422215
Michal Kubecek
was reported as CVE-2016-6162. For a reproducer, see
http://seclists.org/oss-sec/2016/q3/8
Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing")
Reported-by: Marco Grassi <marco@gmail.com>
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/ipv4/
On Sat, Jul 09, 2016 at 11:48:49AM +0200, Daniel Borkmann wrote:
> On 07/09/2016 02:20 AM, Alexei Starovoitov wrote:
> >On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote:
> >>On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote:
> >>>If socket filter
On Tue, Aug 02, 2016 at 06:14:22PM +0200, Thomas Voegtle wrote:
> On Wed, 20 Jul 2016, Michal Kubecek wrote:
>
> >On Fri, Jul 15, 2016 at 03:04:48PM +0200, Thomas Voegtle wrote:
> >>And that one?
> >>Happens while trying to start a firewall script with iptables-r
twork namespace netfilter hooks.")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/netfilter/core.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index f39276d1c2d7..860978c9f82e 100644
--- a/net/netfilter/core.c
+++ b/net/
On Mon, May 16, 2016 at 08:43:16AM +0200, Michal Kubecek wrote:
> On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote:
> > On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote:
> > > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace s
a nonzero value. This sysctl is only accessible from init_net so that
one cannot switch the behaviour from inside a container.
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
v2: fix leak on net/netfilter/nf_log registration failure
---
Documentation/networking/netfilter-sysctl.txt | 10 +++
issue discussed here:
https://marc.info/?l=netfilter-devel=146980917627262=2
Could it be (partly) the same race condition?
Michal Kubecek
On Thu, Dec 01, 2016 at 04:11:18PM +, Ben Hutchings wrote:
> On Thu, 2016-12-01 at 12:02 +0100, Michal Kubecek wrote:
> [...]
> > +/* check if device MTU is sufficient for tipc headers */
> > +static inline bool tipc_check_mtu(struct net_device *dev, unsigne
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn>
---
changes v2 to v3:
- rename tipc_check_mtu() helper to tipc_mtu_bad() and make the comment
a
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn>
---
net/tipc/bearer.c| 9 +++--
net/tipc/bearer.h| 13 +
net/tipc/udp
On Wed, Nov 30, 2016 at 10:57:02AM +0100, Michal Kubecek wrote:
> Qian Zhang (张谦) reported a potential socket buffer overflow in
> tipc_msg_build() which is also known as CVE-2016-8632: due to
> insufficient checks, a buffer overflow can occur if MTU is too short for
> even tipc header
hanged
> after bearer is enabled.
I should admit I'm not that familiar with tipc. Do you mean updating
b->mtu in response to PMTU updates of the route used for ub->ubsock?
The way I understand it, it would be certainly useful but it's not
directly related to the security issue this patch addresses as if there
are no updates, b->mtu cannot get too low and there is no risk of
a buffer overflow. In other words, reflecting PMTU updates is something
that can be IMHO left for later.
Michal Kubecek
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f6a ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn>
---
changes v1 to v2:
- add missing "static" to tipc_check_mtu() helper declaration
-
he first segment so that
> we have to use headersize (length of the first IPv6 header) rather than
> fragheaderlen (length of IPv6 header of further fragments) for skb == NULL.
>
> Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
> Fixes: e4c5e13aa45c ("
Hello,
commit 0fb44559ffd6 ("af_unix: move unix_mknod() out of bindlock") moves
the special file creation in unix_bind() before u->bindlock is taken in
order to avoid an ABBA deadlock with do_splice(). As a side effect, it
also moves the check for existence of the special file (which would
result
oblem, handle NAPI_GRO_FREE_STOLEN_HEAD in napi_frags_finish()
the same way it's done in napi_skb_finish().
Fixes: d7e8883cfcf4 ("net: make GRO aware of skb->head_frag")
Signed-off-by: Michal Kubecek <mkube...@suse.cz>
---
net/core/dev.c | 24 +---
1 file change
)
> + RTL_W16_F(IntrMask, rtl8139_intr_mask);
> spin_unlock_irqrestore(>lock, flags);
> }
> spin_unlock(>rx_lock);
Eric,
we have a bugreport of what seems to be the same problem:
https://bugzilla.suse.com/show_bug.cgi?id=1042208
Do you plan to submit the patch above or is the conclusion that this is
rather a hardware problem?
Michal Kubecek
BUG_ON is defined only on powerpc and mips. It makes
good sense, you don't want to BUG_ON() on a condition unless it's
extremely unlikely. (Except for debugging purpose but even then you
don't really care about fine optimization when you are going to oops.)
Michal Kubecek