fields
lack the proper __rcu annotation.
Signed-off-by: Florian Westphal
---
include/linux/inetdevice.h | 10 +-
net/ipv4/devinet.c | 31 ---
2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/include/linux/inetdevice.h b/include/linux
inet_ifa_byprefix().
I do not understand why they should ignore secondary addresses.
Why would a secondary address not be considered 'on link'?
When matching a prefix, why ignore a matching secondary address?
Other places get converted as well, but gain "->flags & SECONDARY" che
ifa_list is protected by rcu, yet code doesn't reflect this.
Add the __rcu annotations and fix up all places that are now reported by
sparse.
I've done this in the same commit to not add intermediate patches that
result in new warnings.
Reported-by: Eric Dumazet
Signed-off-by: Floria
ate a temporary buffer needlessly
and pass an always-false bool argument.
So fold this into the calling function and fill dst buffer directly.
Compile tested only.
Cc: David Howells
Cc: linux-...@lists.infradead.org
Signed-off-by: Florian Westphal
---
fs/afs/Makefile | 1 -
fs/afs/cmserv
rcu use to free ifa_list
predates the git era.
Florian Westphal (7):
net: inetdevice: provide replacement iterators for in_ifaddr walk
devinet: use in_dev_for_each_ifa_rcu in more places
afs: switch to in_dev_for_each_ifa_rcu
netfilter: use in_dev_for_each_ifa_rcu
Netfilter hooks are always running under rcu read lock, use
the new iterator macro so sparse won't complain once we add
proper __rcu annotations.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/nf_tproxy_ipv4.c| 9 +++--
net/netfilter/nf_conntrack_broadcast.c | 9 +++--
Use in_dev_for_each_ifa_rcu/rtnl instead.
This prevents sparse warnings once proper __rcu annotations are added.
Signed-off-by: Florian Westphal
t di# Last commands done (6 commands done):
---
net/ipv4/fib_frontend.c | 24 +---
net/ipv4/igmp.c | 5 +++--
net/ipv6
Like previous patches, use the new iterator macros to avoid sparse
warnings once proper __rcu annotations are added.
Compile tested only.
Signed-off-by: Florian Westphal
---
drivers/infiniband/core/roce_gid_mgmt.c | 5 +++--
drivers/infiniband/hw/cxgb4/cm.c
David Howells wrote:
> Actually, whilst thanks are due for doing the work - it looks nicer now - I'm
> told that there's not really any point populating the list. Current OpenAFS
> ignores it, as does AuriStor - and IBM AFS 3.6 will do the right thing.
[..]
> On that basis, feel free to make it
seem to be urgent to fix this -- rcu use to free ifa_list
predates the git era.
Florian Westphal (7):
afs: do not send list of client addresses
net: inetdevice: provide replacement iterators for in_ifaddr walk
devinet: use in_dev_for_each_ifa_rcu in more places
netfil
parse warnings once the proper __rcu
annotations get added in struct in_device later.
But, in light of the above, just remove afs_get_ipv4_interfaces.
Compile tested only.
Cc: David Howells
Cc: linux-...@lists.infradead.org
Signed-off-by: Florian Westphal
---
fs/afs/Makefile |
inet_ifa_byprefix().
I do not understand why they should ignore secondary addresses.
Why would a secondary address not be considered 'on link'?
When matching a prefix, why ignore a matching secondary address?
Other places get converted as well, but gain "->flags & SECONDARY" che
Netfilter hooks are always running under rcu read lock, use
the new iterator macro so sparse won't complain once we add
proper __rcu annotations.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/nf_tproxy_ipv4.c| 9 +++--
net/netfilter/nf_conntrack_broadcast.c | 9 +++--
ifa_list is protected by rcu, yet code doesn't reflect this.
Add the __rcu annotations and fix up all places that are now reported by
sparse.
I've done this in the same commit to not add intermediate patches that
result in new warnings.
Reported-by: Eric Dumazet
Signed-off-by: Floria
Like previous patches, use the new iterator macros to avoid sparse
warnings once proper __rcu annotations are added.
Compile tested only.
Signed-off-by: Florian Westphal
---
drivers/infiniband/core/roce_gid_mgmt.c | 5 +++--
drivers/infiniband/hw/cxgb4/cm.c
Use in_dev_for_each_ifa_rcu/rtnl instead.
This prevents sparse warnings once proper __rcu annotations are added.
Signed-off-by: Florian Westphal
t di# Last commands done (6 commands done):
---
net/ipv4/fib_frontend.c | 24 +---
net/ipv4/igmp.c | 5 +++--
net/ipv6
fields
lack the proper __rcu annotation.
Signed-off-by: Florian Westphal
---
include/linux/inetdevice.h | 10 +-
net/ipv4/devinet.c | 31 ---
2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/include/linux/inetdevice.h b/include/linux
ery long time (2004), so it doesn't
seem to be urgent to fix this -- rcu use to free ifa_list
predates the git era.
Florian Westphal (7):
afs: do not send list of client addresses
net: inetdevice: provide replacement iterators for in_ifaddr walk
devi
parse warnings once the proper __rcu
annotations get added in struct in_device later.
But, in light of the above, just remove afs_get_ipv4_interfaces.
Compile tested only.
Cc: David Howells
Cc: linux-...@lists.infradead.org
Signed-off-by: Florian Westphal
Tested-by: David Howells
---
fs/a
inet_ifa_byprefix().
I do not understand why they should ignore secondary addresses.
Why would a secondary address not be considered 'on link'?
When matching a prefix, why ignore a matching secondary address?
Other places get converted as well, but gain "->flags & SECONDARY" che
Netfilter hooks are always running under rcu read lock, use
the new iterator macro so sparse won't complain once we add
proper __rcu annotations.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/nf_tproxy_ipv4.c| 9 +++--
net/netfilter/nf_conntrack_broadcast.c | 9 +++--
Like previous patches, use the new iterator macros to avoid sparse
warnings once proper __rcu annotations are added.
Compile tested only.
Signed-off-by: Florian Westphal
---
drivers/infiniband/core/roce_gid_mgmt.c | 5 +++--
drivers/infiniband/hw/cxgb4/cm.c
Use in_dev_for_each_ifa_rcu/rtnl instead.
This prevents sparse warnings once proper __rcu annotations are added.
Signed-off-by: Florian Westphal
t di# Last commands done (6 commands done):
---
net/ipv4/fib_frontend.c | 24 +---
net/ipv4/igmp.c | 5 +++--
net/ipv6
fields
lack the proper __rcu annotation.
Signed-off-by: Florian Westphal
---
include/linux/inetdevice.h | 10 +-
net/ipv4/devinet.c | 31 ---
2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/include/linux/inetdevice.h b/include/linux
ifa_list is protected by rcu, yet code doesn't reflect this.
Add the __rcu annotations and fix up all places that are now reported by
sparse.
I've done this in the same commit to not add intermediate patches that
result in new warnings.
Reported-by: Eric Dumazet
Signed-off-by: Floria
David Howells wrote:
> Florian Westphal wrote:
>
> > David Howell says:
>
> "Howells"
My bad.
> Apart from that:
>
> Tested-by: David Howells
Thanks a lot, I've re-submitted this as v3 retaining your tested-by.
Pablo Neira Ayuso wrote:
> > » iph = skb_header_pointer(skb, *offset, sizeof(_iph), &_iph);
> > » if (!iph || skb->protocol != htons(ETH_P_IP))
> > » » return -EBADMSG;
>
> I mean, you make this check upfront from the _eval() path, ie.
>
> static void nft_exthdr_ipv4_eval
Pablo Neira Ayuso wrote:
> > > if (skb->protocol != htons(ETH_P_IP))
> > > goto err;
> >
> > Wouldn't it be preferable to just use nft_pf() != NFPROTO_IPV4?
>
> Then IPv4 options extension won't work from bridge and netdev families
> too, right?
Ah, right.
+bad6e32808a3a97b1...@syzkaller.appspotmail.com
Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list")
Signed-off-by: Florian Westphal
---
net/ipv4/devinet.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devin
kbuild test robot wrote:
> tree:
> https://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next.git
> testing
> head: ca78a3eaad69bd08ba41c144c21881dc694d4a32
> commit: 8dc6e3891a4be64c0cca5e8fe2c3ad33bc06543e [4/6] xfrm: remove state and
> template sort indirections from xfrm_state_
Steffen Klassert wrote:
> On Wed, Jun 05, 2019 at 02:40:45PM +0200, Florian Westphal wrote:
> >
> > Steffen, as this is still only in your testing branch, I suggest you
> > squash this snippet into commit 8dc6e3891a4be64c0cca5e8fe2c3ad33bc06543e
> > ("xfrm
John Hurley wrote:
> TC hooks allow the application of filters and actions to packets at both
> ingress and egress of the network stack. It is possible, with poor
> configuration, that this can produce loops whereby an ingress hook calls
> a mirred egress action that has an egress hook that redire
John Hurley wrote:
> On Thu, Jun 6, 2019 at 1:58 PM Florian Westphal wrote:
> > I dislike this, why can't we just use a pcpu counter?
> >
> > The only problem is with recursion/nesting; whenever we
> > hit something that queues the skb for later we're saf
David Miller wrote:
> From: Florian Westphal
> Date: Thu, 6 Jun 2019 14:58:18 +0200
>
> >> @@ -827,6 +828,7 @@ struct sk_buff {
> >>__u8tc_at_ingress:1;
> >>__u8tc_redirected:1;
> >>__u8
we...@ucloud.cn wrote:
> From: wenxu
>
> nft add rule bridge firewall rule-100-ingress ip protocol icmp drop
nft --debug=netlink add rule bridge firewall rule-100-ingress ip protocol icmp
drop
bridge firewall rule-100-ingress
[ payload load 2b @ link header + 12 => reg 1 ]
[ cmp eq reg 1 0
michael-...@fami-braun.de wrote:
> From: "M. Braun"
>
> Given the following bridge rules:
> 1. ip protocol icmp accept
> 2. ether type vlan vlan type ip ip protocol icmp accept
>
> They are currently both dumped by "nft list ruleset" as
> 1. ip protocol icmp accept
> 2. ip protocol icmp accept
f a proper alternative to filtering such traffic.
PREROUTING would work, but at that point we lack the
"packet will be forwarded from ppp0 to ppp0" information that
we only have available in FORWARD.
Compile tested only.
Cc: Jason Muskat
Signed-off-by: Florian Westphal
---
net/ip
we...@ucloud.cn wrote:
> From: wenxu
>
> move tc indirect block to flow_offload.c. The nf_tables
> can use the indr block architecture.
... to do what? Can you please illustrate how this is going to be
used/useful?
we...@ucloud.cn wrote:
> From: wenxu
>
> It provides a callback to find the tcf block in
> the flow_indr_block_dev_get
Can you explain why you're making this change?
This will help us understand the concept/idea of your series.
The above describes what the patch does, but it should
explain why
d be extended in the future if need be, as
> more scenarios would probably benefit from it.
No objections from my side, so:
Acked-by: Florian Westphal
e5f6972910...@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal
---
net/xfrm/xfrm_policy.c | 6 --
tools/testing/selftests/net/xfrm_policy.sh | 7 +++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_poli
; byte counts from the kernel.
Please send netfilter patches to netfilter-de...@vger.kernel.org .
Fixes: d72133e628803 ("netfilter: ebtables: use ADD_COUNTER macro")
Acked-by: Florian Westphal
menglong8.d...@gmail.com wrote:
> From: Menglong Dong
>
> For now, sysctl_wmem_max and sysctl_rmem_max are globally unified.
> It's not convenient in some cases. For example, when we use docker
> and try to control the default udp socket receive buffer for each
> container.
>
> For that reason,
Linus Torvalds wrote:
> On Tue, Dec 22, 2020 at 6:44 AM syzbot
> wrote:
> >
> > The issue was bisected to:
> >
> > commit 2f78788b55ba ("ilog2: improve ilog2 for constant arguments")
>
> That looks unlikely, although possibly some constant folding
> improvement might make the fortify code notice
sed.
Reported-by: syzbot+e86f7c428c8c50db6...@syzkaller.appspotmail.com
Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target")
Signed-off-by: Florian Westphal
---
RATEEST test in iptables.git still passes, syzbot repro setsockopt
fails with -ENAMETOOLONG.
diff --git a/
Linus Torvalds wrote:
> On Tue, Dec 22, 2020 at 2:24 PM Florian Westphal wrote:
> >
> > strlcpy assumes src is a c-string. Check info->name before it's used.
>
> If strlcpy is the only problem, then the fix is to use strscpy(),
> which doesn't have the design mis
At the moment MPTCP can detect an invalid join request (invalid token,
max number of subflows reached, and so on) right away but cannot reject
the connection until the 3WHS has completed.
Instead the connection will complete and the subflow is reset afterwards.
To send the reset most information i
lso possible to add a const qualifier to
security_inet_conn_request instead.
Signed-off-by: Florian Westphal
---
The code churn is unfortunate. Alternative would be to change
the function signature of ->route_req:
struct dst_entry *(*route_req)(struct sock *sk, ...
[ i.e., drop 'const'
b
to the merged function at the same time.
'send reset on unknown mptcp join token' is added in next patch.
Suggested-by: Paolo Abeni
Cc: Eric Dumazet
Signed-off-by: Florian Westphal
---
include/net/tcp.h| 9 -
net/ipv4/tcp_input.c | 9 ++---
net/ipv4/tcp_ipv4.c |
) with an
"MPTCP specific error" reason code.
mptcp-next doesn't support MP_TCPRST yet, this can be added in another
change.
Signed-off-by: Florian Westphal
---
net/mptcp/subflow.c | 47 ++---
1 file changed, 36 insertions(+), 11 deletions(-
Gong, Sishuai wrote:
> Hi,
>
> We found a data race in linux kernel 5.3.11 that we are able to reproduce in
> x86 under specific interleavings. We are not sure about the consequence of
> this race now but it seems that the two memcpy() can lead to some
> inconsistency. We also noticed that bot
Jianguo Wu wrote:
> From: Jianguo Wu
A brief explanation would have helped.
This is for net tree.
> Signed-off-by: Jianguo Wu
Fixes: fc518953bc9c8d7d ("mptcp: add and use MIB counter infrastructure")
Acked-by: Florian Westphal
Pablo Neira Ayuso wrote:
> +#define NET_DEVICE_PATH_STACK_MAX5
> +
> +struct net_device_path_stack {
> + int num_paths;
> + struct net_device_path path[NET_DEVICE_PATH_STACK_MAX];
> +};
[..]
> +int dev_fill_forward_path(const struct net_device *dev, const u8 *dad
Pablo Neira Ayuso wrote:
> - if (unlikely(dst_xfrm(&rt->dst))) {
> + rt = (struct rtable *)tuplehash->tuple.dst_cache;
> +
> + if (unlikely(tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM)) {
> memset(skb->cb, 0, sizeof(struct inet_skb_parm));
> IPCB(sk
Eric Dumazet wrote:
> From: Eric Dumazet
>
> syzbot found that we are not validating user input properly
> before copying 16 bytes [1].
> Using NLA_BINARY in ipaddr_policy[] for IPv6 address is not correct,
> since it ensures at most 16 bytes were provided.
Thanks Eric. Looks like this is the o
Ramsay, Lincoln wrote:
> The build_skb path fails to allow for an SKB header, but the hardware
> buffer it is built around won't allow for this anyway.
What problem is being resolved here?
Ramsay, Lincoln wrote:
> > Ramsay, Lincoln wrote:
> > > The build_skb path fails to allow for an SKB header, but the hardware
> > > buffer it is built around won't allow for this anyway.
> >
> > What problem is being resolved here?
>
> Sorry... Do I need to re-post the context? (I thought the r
Ramsay, Lincoln wrote:
> When performing IPv6 forwarding, there is an expectation that SKBs
> will have some headroom. When forwarding a packet from the aquantia
> driver, this does not always happen, triggering a kernel warning.
>
> The build_skb path fails to allow for an SKB header, but the ha
Ramsay, Lincoln wrote:
[ patch looks good to me, I have no further comments ]
> > For build_skb path to work the buffer scheme would need to be changed
> > to reserve headroom, so yes, I think that the proposed patch is the
> > most convenient solution.
>
> I don't know about benefits/feasibili
hich
> > sets this flag for both the directions of the nf_conn.
> >
> > Suggested-by: Florian Westphal
> > Signed-off-by: Numan Siddique
>
> Florian, LGTY?
Sorry, this one sailed past me.
Acked-by: Florian Westphal
Gustavo A. R. Silva wrote:
> In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple
> warnings by explicitly adding multiple break statements instead of just
> letting the code fall through to the next case.
Acked-by: Florian Westphal
Feel free to carry this in next
Gustavo A. R. Silva wrote:
> In preparation to enable -Wimplicit-fallthrough for Clang, fix a warning
> by explicitly adding a break statement instead of letting the code fall
> through to the next case.
Acked-by: Florian Westphal
Ido Schimmel wrote:
> On Thu, Oct 29, 2020 at 05:36:19PM +, Aleksandr Nogikh wrote:
> > From: Aleksandr Nogikh
> >
> > Remote KCOV coverage collection enables coverage-guided fuzzing of the
> > code that is not reachable during normal system call execution. It is
> > especially helpful for f
Cong Wang wrote:
> From: Cong Wang
>
> NF_HOOK_LIST() uses list_del() to remove skb from the linked list,
> however, it is not sufficient as skb->next still points to other
> skb. We should just call skb_list_del_init() to clear skb->next,
> like the rest of the places which use skb list.
>
> This h
PACKET_HOST
> and returns early).
>
> If the comment is right and no one cares about the value of
> skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting
> it to its original value should be safe.
That comment is 18 years old, safe bet no one thought of
ipv6-in-tunnel-interface-added-as-bridge-port back then.
Reviewed-by: Florian Westphal
mptcp_sk_clone+0x33/0x1a0
[..] subflow_syn_recv_sock+0x2b1/0x690 [..]
Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close")
Cc: Paolo Abeni
Cc: Davide Caratti
Signed-off-by: Florian Westphal
---
net/mptcp/protocol.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/ne
Marco Elver wrote:
[..]
> v6:
> * Revert usage of skb extensions due to potential memory leak. Patch 2/3 is
> now
> identical to that in v2.
> * Patches 1/3 and 3/3 are otherwise identical to v5.
The earlier series was already applied to net-next, so you need to
rebase on top of net-next and i
Jakub Kicinski wrote:
> On Mon, 23 Nov 2020 19:32:53 +0100 Florian Westphal wrote:
> > That comment is 18 years old, safe bet no one thought of
> > ipv6-in-tunnel-interface-added-as-bridge-port back then.
> >
> > Reviewed-by: Florian Westphal
>
> Sounds like
of
> tcp_in_window() check error or because it doesn't belong to an
> existing connection.
>
> An earlier attempt (see the link) tried to solve this problem for
> openvswitch in a different way. Florian Westphal instead suggested
> to be liberal in openvswitch for tcp packets
Numan Siddique wrote:
> On Tue, Nov 10, 2020 at 3:06 AM Florian Westphal wrote:
> Thanks for the comments. I actually tried this approach first, but it
> doesn't seem to work.
> I noticed that for the committed connections, the ct tcp flag -
> IP_CT_TCP_FLAG_BE_LIBER
Numan Siddique wrote:
> On Tue, Nov 10, 2020 at 5:55 PM Florian Westphal wrote:
> >
> > Numan Siddique wrote:
> > > On Tue, Nov 10, 2020 at 3:06 AM Florian Westphal wrote:
> > > Thanks for the comments. I actually tried this approach first, but it
> >
Matthieu Baerts wrote:
> > --- linux-next-20201113.orig/include/linux/skbuff.h
> > +++ linux-next-20201113/include/linux/skbuff.h
> > @@ -4137,7 +4137,6 @@ static inline void skb_set_nfct(struct s
> > #endif
> > }
> > -#ifdef CONFIG_SKB_EXTENSIONS
> > enum skb_ext_id {
> > #if IS_ENABLED(C
Randy Dunlap wrote:
> On 11/16/20 7:30 AM, Jakub Kicinski wrote:
> > On Mon, 16 Nov 2020 15:31:21 +0100 Florian Westphal wrote:
> >>>> @@ -4151,12 +4150,11 @@ enum skb_ext_id {
> >>>> #if IS_ENABLED(CONFIG_MPTCP)
> >>>> SKB_EXT_MPT
in the header file.
Thanks Randy.
Acked-by: Florian Westphal
Visa Hankala wrote:
> Use three-way comparison for address elements to avoid integer
> wraparound in the result of xfrm_policy_addr_delta().
>
> This ensures that the search trees are built and traversed correctly
> when the difference between compared address elements is larger
> than INT_MAX.
Visa Hankala wrote:
> On Tue, Dec 29, 2020 at 05:01:27PM +0100, Florian Westphal wrote:
> > This is suspicious. Is prefixlen == 0 impossible?
> >
> > If not, then after patch
> > mask = ~0U << 32;
> >
> > ... and function returns 0.
>
> With
o $?
> 0
>
> This is because the $lret in check_xfrm() is not a local variable.
Acked-by: Florian Westphal
0.
> Prefix /0 has only one equivalence class.
Acked-by: Florian Westphal
stack then sends an error to itself because the packet exceeds
the device MTU.
Fixes: 23a3647bc4f93 ("ip_tunnels: Use skb-len to PMTU check.")
Cc: Stefano Brivio
Signed-off-by: Florian Westphal
---
net/ipv4/ip_tunnel.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
dif
Christian Perle reported a PMTU blackhole due to unexpected interaction
between the ip defragmentation that comes with connection tracking and
ip tunnels.
Unfortunately setting 'nopmtudisc' on the tunnel breaks the test
scenario even without netfilter.
Christian's setup looks like this:
+
t")
Reported-by: Christian Perle
Signed-off-by: Florian Westphal
---
net/ipv4/ip_output.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 89fff5f59eea..2ed0b01f72f0 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_outpu
Convert Christian's bug description into a reproducer.
Cc: Shuah Khan
Cc: Pablo Neira Ayuso
Reported-by: Christian Perle
Signed-off-by: Florian Westphal
---
tools/testing/selftests/netfilter/Makefile| 3 +-
.../selftests/netfilter/ipip-conntrack-mtu.sh | 206 ++
2 files
Jakub Kicinski wrote:
> > Got it. But a question: why tcp_tw_recycle can be removed totally?
> > it is also part of uAPI
>
> Good question, perhaps with tcp_tw_recycle we wanted to make sure users
> who depended on it notice removal, since the feature was broken by
> design?
>
> tcp_low_latency
Ben Greear wrote:
> I noticed my system has a hung process trying to 'rmmod nf_conntrack'.
>
> I've generally been doing the script that calls rmmod forever,
> but only extensively tested on 5.4 kernel and earlier.
>
> If anyone has any ideas, please let me know. This is from 'sysrq t'. I
> d
esults in
> sysctl net/netfilter/nf_conntrack_buckets shows the wrong value when users
> update via the old way.
Oh, right!
Acked-by: Florian Westphal
Dinghao Liu wrote:
> When register_pernet_subsys() fails, nf_nat_bysource
> should be freed just like when nf_ct_extend_register()
> fails.
Acked-by: Florian Westphal
ceives the sk as part of its normal
> functionality. So we make sure to plumb state->sk through the various
> route_me_harder functions, and then make correct use of it following the
> example of __ip_queue_xmit().
Reviewed-by: Florian Westphal
syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any
> issue:
>
> Reported-and-tested-by: syzbot+b53bbea2ad64f9cf8...@syzkaller.appspotmail.com
#syz-fix: mptcp: reset last_snd on subflow close
[ This patch is currently in mptcp-next ]
Yang Li wrote:
> Fix the following sparse warnings:
> net/xfrm/xfrm_policy.c:1303:22: warning: incorrect type in assignment
> (different address spaces)
> Reported-by: Abaci Robot
> Signed-off-by: Yang Li
> ---
> net/xfrm/xfrm_policy.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Colin King wrote:
> From: Colin Ian King
>
> Currently the call to nf_log_register is returning an error code that
> is not being assigned to ret and yet ret is being checked. Fix this by
> adding in the missing assignment.
Thanks for catching this.
Acked-by: Florian Westphal
subflow aware release function")
> Signed-off-by: Paolo Abeni
Paolo, thanks for passing this to -net.
Acked-by: Florian Westphal
Maciej Żenczykowski wrote:
> From: Maciej Żenczykowski
>
> The code is relying on the identical layout of the beginning
> of the v0 and v1 structs, but this can easily lead to code bugs
> if one were to try to extend this further...
What is the concern? These structs are part of ABI, they
cann
DCCP is virtually never used, so no need to use space in struct net for it.
Put the pernet ipv4/v6 socket in the dccp ipv4/ipv6 modules instead.
Signed-off-by: Florian Westphal
---
include/net/net_namespace.h | 4
include/net/netns/dccp.h| 12
net/dccp/ipv4.c
Michal Soltys wrote:
> On 3/29/21 10:52 PM, Ido Schimmel wrote:
> >
> > ip_route_me_harder() does not set source / destination port in the
> > flow key, so it explains why fib rules that use them are not hit after
> > mangling the packet. These keys were added in 4.17, but I
> > don't think this
Stephen Rothwell wrote:
> net/bridge/netfilter/ebtables.c:1248:33: error: 'struct netns_xt' has no
> member named 'tables'
> 1248 | list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) {
> | ^
> include/linux/list.h:619:20: note: in definition of m
Cole Dishington wrote:
> Introduce changes to add ESP connection tracking helper to netfilter
> conntrack. The connection tracking of ESP is based on IPsec SPIs. The
> underlying motivation for this patch was to allow multiple VPN ESP
> clients to be distinguished when using NAT.
>
> Added config
This function is called during boot, from ipv4 stack, there is no need
to set the pointer to NULL (static storage duration, so already NULL).
No need for the synchronize_rcu either. Remove both.
Signed-off-by: Florian Westphal
---
net/xfrm/xfrm_policy.c | 3 ---
1 file changed, 3 deletions
xfrm session decode ipv4 path (but not ipv6) sets this, but there are no
consumers. Remove it.
Signed-off-by: Florian Westphal
---
include/net/flow.h | 3 ---
net/xfrm/xfrm_policy.c | 39 ---
2 files changed, 42 deletions(-)
diff --git a/include/net
.
Third patch avoids a synchronize_rcu during netns destruction.
Florian Westphal (3):
flow: remove spi key from flowi struct
xfrm: remove stray synchronize_rcu from xfrm_init
xfrm: avoid synchronize_rcu during netns destruction
include/net/flow.h | 3 ---
net/xfrm/xfrm_policy.c | 42
Use the new exit_pre hook to NULL the netlink socket.
The net namespace core will do a synchronize_rcu() between the exit_pre
and exit/exit_batch handlers.
Signed-off-by: Florian Westphal
---
net/xfrm/xfrm_user.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net