Re: [PATCH net 1/2] ipv6: do not delete previously existing ECMP routes if add fails

2015-05-13 Thread Michal Kubecek
. Michal Kubecek -- To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Experimental new bonding driver mode=batman

2015-05-19 Thread Michal Kubecek
the bond is created. One general note: the patch breaks kernel coding style in a lot of points. Running checkpatch.pl on it, I got total: 562 errors, 466 warnings, 5 checks, 585 lines checked The script isn't perfect but this is too much. Michal

please queue commit ac37e2515c1a for stable 3.12 - 3.18

2015-06-04 Thread Michal Kubecek
) present in these branches (3.12 and 3.14 as a backport, 3.18 from mainline). The patch applies cleanly to all three and I tested that it fixes the issue in 3.12. Michal Kubecek

[PATCH net] ipv4: fill in table id when replacing a route

2015-05-22 Thread Michal Kubecek
When replacing an IPv4 route, tb_id member of the new fib_alias structure is not set in the replace code path so that the new route is ignored. Fixes: 0ddcf43d5d4a (ipv4: FIB Local/MAIN table collapse) Signed-off-by: Michal Kubecek mkube...@suse.cz --- net/ipv4/fib_trie.c | 1 + 1 file changed

Re: [PATCH iproute2] include: add copy of tipc.h

2015-07-07 Thread Michal Kubecek
On Mon, Jul 06, 2015 at 02:46:49PM -0700, Stephen Hemminger wrote: On Mon, 29 Jun 2015 10:53:15 +0200 (CEST) Michal Kubecek mkube...@suse.cz wrote: Copy of kernel include/uapi/linux/tipc.h is needed to build on systems with pre-3.16 kernel headers. Signed-off-by: Michal Kubecek mkube

Re: [PATCH] bridge: Enable configuration of ageing interval for bridges and switch devices.

2015-08-18 Thread Michal Kubecek
as requested by http://www.spinics.net/lists/netdev/msg315236.html Michal Kubecek

Re: [PATCH 1/6] net/bonding: enable LRO if one device supports it

2015-08-18 Thread Michal Kubecek
would stop keeping the state information whether dev_disable_lro() was called for it or not (we must not reenable LRO if it was). Michal Kubecek

Re: DEBUG_LOCKS_WARN_ON(in_interrupt()) triggering in socket code

2015-08-21 Thread Michal Kubecek
a rwlock (even for reading) as someone else could call write_lock() on the same rwlock on the same CPU in the meantime and would end up spinning indefinitely while waiting for you to release it. Michal Kubecek

Re: [PATCH] bridge: Enable configuration of ageing interval for bridges and switch devices.

2015-08-20 Thread Michal Kubecek
? Michal Kubecek

Re: [PATCH] bridge: Enable configuration of ageing interval for bridges and switch devices.

2015-08-20 Thread Michal Kubecek
On Thu, Aug 20, 2015 at 06:40:01AM +, Premkumar Jonnala wrote: From: Michal Kubecek [mailto:mkube...@suse.cz] This would break existing scripts using ip to set the parameter. Is the possibility to use any of the two really that bad? There was another email on this thread where

[PATCH iproute2] include: add copy of tipc.h

2015-06-29 Thread Michal Kubecek
Copy of kernel include/uapi/linux/tipc.h is needed to build on systems with pre-3.16 kernel headers. Signed-off-by: Michal Kubecek mkube...@suse.cz --- include/linux/tipc.h | 232 +++ 1 file changed, 232 insertions(+) create mode 100644 include

Re: [RFC PATCH 1/1] net/ipv4: Enable flow-based ECMP

2015-07-28 Thread Michal Kubecek
. Michal Kubecek

Re: [RFC PATCH 1/1] net/ipv4: Enable flow-based ECMP

2015-07-29 Thread Michal Kubecek
, of course. Michal Kubecek

Re: [PATCH] iproute2: Extend bridge command to configure ageing interval on bridge devices.

2015-08-14 Thread Michal Kubecek
on a kernel patch which is still under review (in particular, adding these new message types was objected to). I would suggest to wait with submission of the iproute2 patch until relevant kernel changes are accepted. Michal Kubecek

Re: [PATCH 1/6] net/bonding: enable LRO if one device supports it

2015-08-14 Thread Michal Kubecek
for a bond to mean there is at least one LRO capable slave, you would need a new flag for the LRO should be disabled for all lower devices state. I don't think it's worth the effort. Michal Kubecek

Re: GCOV_PROFILE_ALL breaks BUILD_BUG_ON(!is_power_of_2(8))

2015-08-14 Thread Michal Kubecek
be used in the context BUILD_BUG_ON() uses it in. There is a BUILD_BUG_ON_NOT_POWER_OF_2() macro you could use. Michal Kubecek

[PATCH nf-next v2] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-17 Thread Michal Kubecek
(hb_interval * path_max_retry + max_rto) (We cannot expect to see the shutdown sequence so that, unlike ESTABLISHED, the HEARTBEAT_ACKED timeout shouldn't be too long.) Signed-off-by: Michal Kubecek mkube...@suse.cz --- v2: - add new timeouts to nla policy interface - explain vtag handling in the commit

[PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-14 Thread Michal Kubecek
for new states are HB_SENT: 30 seconds (default hb_interval) HB_ACKED: 210 seconds (hb_interval * path_max_retry + max_rto) (We cannot expect to see the shutdown sequence so that the HB_ACKED timeout shouldn't be too long.) Signed-off-by: Michal Kubecek mkube...@suse.cz --- include/uapi/linux

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-14 Thread Michal Kubecek
On Tue, Jul 14, 2015 at 05:38:47PM +0200, Pablo Neira Ayuso wrote: On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote: @@ -658,6 +696,18 @@ static struct ctl_table sctp_sysctl_table[] = { .mode = 0644, .proc_handler = proc_dointvec_jiffies

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-14 Thread Michal Kubecek
On Tue, Jul 14, 2015 at 03:42:03PM +0200, Florian Westphal wrote: Michal Kubecek mkube...@suse.cz wrote: + case SCTP_CID_HEARTBEAT: + pr_debug(SCTP_CID_HEARTBEAT); + i = 9; + break; + case SCTP_CID_HEARTBEAT_ACK: + pr_debug

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-16 Thread Michal Kubecek
On Wed, Jul 15, 2015 at 05:35:08PM -0300, Marcelo Ricardo Leitner wrote: Hi, On Tue, Jul 14, 2015 at 06:42:25PM +0200, Michal Kubecek wrote: On Tue, Jul 14, 2015 at 03:42:03PM +0200, Florian Westphal wrote: Michal Kubecek mkube...@suse.cz wrote: + case SCTP_CID_HEARTBEAT

Re: [PATCH nf-next] netfilter: nf_ct_sctp: minimal multihoming support

2015-07-16 Thread Michal Kubecek
On Thu, Jul 16, 2015 at 10:50:59AM -0300, Marcelo Ricardo Leitner wrote: On Tue, Jul 14, 2015 at 02:23:11PM +0200, Michal Kubecek wrote: @@ -278,6 +292,14 @@ static int sctp_new_state(enum ip_conntrack_dir dir, pr_debug(SCTP_CID_SHUTDOWN_COMPLETE\n); i = 8

[PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()

2015-10-23 Thread Michal Kubecek
e null iov parameter and always dereferences iov->iov_len. This is especially harmful when udp_recvmsg() is called in kernel context, e.g. from kernel nfsd. Band-aid skb_copy_and_csum_datagram_iovec() by testing iov for null and only checking the checksum in this case. Signed-off-by: Michal Ku

Re: [PATCH stable<3.19] net: handle null iovec pointer in skb_copy_and_csum_datagram_iovec()

2015-10-23 Thread Michal Kubecek
On Fri, Oct 23, 2015 at 11:22:19AM +0200, Sabrina Dubroca wrote: > Hello Michal, > > 2015-10-23, 10:46:09 +0200, Michal Kubecek wrote: > > Mainline commit 89c22d8c3b27 ("net: Fix skb csum races when peeking") > > backport into pre-3.19 stable kernels introduce

Re: [RFC PATCH net-next] net/core: initial support for stacked dev feature toggles

2015-10-26 Thread Michal Kubecek
data-path unusable. This is already the case since commit fbe168ba91f7 ("net: generic dev_disable_lro() stacked device handling"). That commit makes sure dev_disable_lro() is propagated down the stack and also makes sure new slaves added to a bond/team with LRO disabled have it disa

Re: 4.4-rc1 errors on bridge/macvtap interfaces (maybe commit 0bc05d58 switchdev: allow caller to exp...).

2015-11-16 Thread Michal Kubecek
On Mon, Nov 16, 2015 at 02:00:32PM +0100, Christian Borntraeger wrote: > > on 4.4-rc1 running on an s390x box (so qeth OSA network cards as real NICs) I > get errors like: > > [ 10.940523] Ebtables v2.0 registered > [ 11.685609] bridge: automatic filtering via arp/ip/ip6tables has been >

[PATCH net] ipv6: fix tunnel error handling

2015-11-03 Thread Michal Kubecek
embedded in it. Fixes: 73d605d1abbd ("[IPSEC]: changing API of xfrm6_tunnel_register") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv6/tunnel6.c | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/net/ipv6/tunnel6.c b/net/ipv6/tunnel6.c in

Re: [PATCH net-next] net/core: ensure features get disabled on new lower devs

2015-11-03 Thread Michal Kubecek
lro() stacked device handling"). Michal Kubecek

Re: Use-after-free in ep_remove_wait_queue

2015-10-12 Thread Michal Kubecek
> [< none >] sock_sendmsg+0xca/0x110 net/socket.c:620 > [< none >] sock_write_iter+0x216/0x3a0 net/socket.c:819 > [< inline >] new_sync_write fs/read_write.c:478 > [< none >] __vfs_write+0x2ed/0x3d0 fs/read_write.c:491 > [< no

Re: IPv6 routing/fragmentation panic

2015-09-15 Thread Michal Kubecek
ed packet and the original fragments are kept. Reassembled packet is used for connection tracking and (since 3.13) netfilter rule matching, the original fragments are then forwarded on (if it passes the rules). Michal Kubecek -- To unsubscribe from

Re: [PATCH net] ipv6: include NLM_F_REPLACE in route replace notifications

2015-09-14 Thread Michal Kubecek
Signed-off-by: Roopa Prabhu <ro...@cumulusnetworks.com> Reviewed-by: Michal Kubecek <mkube...@suse.cz>

Re: List corruption on epoll_ctl(EPOLL_CTL_DEL) an AF_UNIX socket

2015-09-30 Thread Michal Kubecek
he code which adds the "asymmetric peer" to monitor its queue state. More precisely, the asymmetricity check has been added by ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") shortly after that.

[PATCH net-next] net: remove unused argument of __netdev_find_adj()

2015-09-24 Thread Michal Kubecek
The __netdev_find_adj() helper does not use its first argument, only the device to find and list to walk through. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/core/dev.c | 15 +++ 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/net/core/dev.c b/ne

Re: [PATCH 1/1] bonding: restrict up state in 802.3ad mode

2016-01-07 Thread Michal Kubecek
10-100 messages and admins certainly would hate that). Michal Kubecek

Re: WARN trace - skb_warn_bad_offload - vxlan - large udp packet - udp checksum disabled

2016-01-06 Thread Michal Kubecek
the check (sk->sk_type == SOCK_DGRAM) added by this commit to (sk->sk_type == SOCK_DGRAM) && !sk->sk_no_check_tx should fix the problem (and it should be done even if the issue reported here is caused by something else).

Re: [PATCH 1/1] bonding: restrict up state in 802.3ad mode

2015-12-28 Thread Michal Kubecek
ng able to detect speed/duplex and driver not notifying when speed/duplex becomes available) with netxen cards earlier. But it was eventually fixed in the driver by commit 9d01412ae76f ("netxen: Fix link event handling.") so this example rather supports what you said.

[PATCH stable-3.2 stable-3.12] net: fix checksum check in skb_copy_and_csum_datagram_iovec()

2015-12-28 Thread Michal Kubecek
gram which is invalid and wouldn't be returned by an actual read. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/core/datagram.c | 26 +- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/net/core/datagram.c b/net/core/datagram.c in

Re: [PATCH stable-3.2 stable-3.12] net: fix checksum check in skb_copy_and_csum_datagram_iovec()

2015-12-28 Thread Michal Kubecek
On Mon, Dec 28, 2015 at 03:29:42PM +0100, Sabrina Dubroca wrote: > 2015-12-28, 15:01:57 +0100, Michal Kubecek wrote: > > Recent fix "net: add length argument to > > skb_copy_and_csum_datagram_iovec" added to some pre-3.19 stable > > branches, namely > > &g

[PATCH net] ipv6: distinguish frag queues by device for multicast and link-local packets

2015-11-24 Thread Michal Kubecek
submitted by Yoshifuji Hideaki in http://patchwork.ozlabs.org/patch/220979/ but got lost and forgotten for some reason. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- include/net/ipv6.h | 1 + net/ipv6/netfilter/nf_conntrack_reasm.c | 5 +++-- net/i

[PATCH net-next] net: disable fragment reassembly if high_thresh is zero

2016-06-02 Thread Michal Kubecek
anging its value so that even with high_thresh set to 0, fragmented packets can be still reassembled and processed. Add explicit check preventing reassembly if high threshold is zero. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv4/inet_fragment.c | 2 +- 1 file changed, 1

[PATCH ipvs-next] ipvs: count pre-established TCP states as active

2016-06-03 Thread Michal Kubecek
all of them are already assigned to one real server (or few), resulting in highly unbalanced distribution. Address this by counting the "pre-established" states as "active". Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/netfilter/ipvs/ip_vs_proto_tcp.c |

Re: [PATCH 1/2 net v3.16]r8169: Not enable/disable bus mastering when is enabled on BIOS

2016-03-14 Thread Michal Kubecek
9.c > @@ -754,6 +754,7 @@ struct rtl8169_private { > struct timer_list timer; > u16 cp_cmd; > bool pcie; > + bool bios_support; You shouldn't base your patches on earlier patches that haven't been accepted yet (unless they are part of the same series). Michal Kubecek

Re: [PATCH net] tun, bpf: fix suspicious RCU usage in tun_{attach,detach}_filter

2016-03-30 Thread Michal Kubecek
--- > > 3 files changed, 30 insertions(+), 15 deletions(-) > > kinda heavy patch to shut up lockdep. > Can we do > old_fp = rcu_dereference_protected(sk->sk_filter, > sock_owned_by_user(sk) || > lockdep_rtnl_is_held()); > and it always be correct? > I think right now tun is the only such user, but if it's correct for tun, > it's correct for future users too. If not correct then not correct for tun > either. > Or I'm missing something? Already discussed here: http://thread.gmane.org/gmane.linux.kernel/2158069/focus=405853 Michal Kubecek

Re: [PATCH net] tun, bpf: fix suspicious RCU usage in tun_{attach,detach}_filter

2016-03-30 Thread Michal Kubecek
On Wed, Mar 30, 2016 at 10:08:10PM -0700, Alexei Starovoitov wrote: > On Thu, Mar 31, 2016 at 07:01:15AM +0200, Michal Kubecek wrote: > > On Wed, Mar 30, 2016 at 06:18:42PM -0700, Alexei Starovoitov wrote: > > > > > > kinda heavy patch to shut up lockdep. &

Re: [PATCH net-next 2/3] ipv6: per netns fib6 walkers

2016-03-07 Thread Michal Kubecek
On Mon, Mar 07, 2016 at 04:28:26PM -0800, Cong Wang wrote: > On Mon, Mar 7, 2016 at 4:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > > On Fri, Mar 4, 2016 at 2:59 AM, Michal Kubecek <mkube...@suse.cz> wrote: > >> static void ipv6_route_seq_setup_wal

Re: [PATCH net-next 2/3] ipv6: per netns fib6 walkers

2016-03-08 Thread Michal Kubecek
On Tue, Mar 08, 2016 at 08:05:44AM +0100, Michal Kubecek wrote: > On Mon, Mar 07, 2016 at 04:28:26PM -0800, Cong Wang wrote: > > On Mon, Mar 7, 2016 at 4:26 PM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > > > On Fri, Mar 4, 2016 at 2:59 AM, Michal Kubecek <mkube...@sus

[PATCH net-next v2 3/3] ipv6: per netns FIB garbage collection

2016-03-08 Thread Michal Kubecek
for instances of fib6_run_gc() in different namespaces blocking each other. There is still a call to icmp6_dst_gc() which operates on shared data but this function is protected by its own shared lock. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- include/net/netns/ipv6.h | 1 + net/ipv6/ip6

[PATCH net-next v2 2/3] ipv6: per netns fib6 walkers

2016-03-08 Thread Michal Kubecek
each its own lock). Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- v2: get rid of ifdef in ipv6_route_seq_setup_walk(), pass net from callers instead --- include/net/netns/ipv6.h | 2 ++ net/ipv6/ip6_fib.c | 68 +--- 2 files chang

[PATCH net-next v2 0/3] ipv6: per netns FIB6 walkers and garbage collector

2016-03-08 Thread Michal Kubecek
he walkers infrastructure and garbage collector so that they work independently in network namespaces. v2: get rid of ifdef in ipv6_route_seq_setup_walk(), pass net from callers instead Michal Kubecek (3): ipv6: replace global gc_args with local variable ipv6: per netns fib6 walkers ipv6: per netns F

[PATCH net-next v2 1/3] ipv6: replace global gc_args with local variable

2016-03-08 Thread Michal Kubecek
collector are allowed. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv6/ip6_fib.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 0c7e276c230e..d7c715accac9 100644 --- a/net/ipv6/ip6_fib.c +++ b/ne

[PATCH net-next 3/3] ipv6: per netns FIB garbage collection

2016-03-04 Thread Michal Kubecek
for instances of fib6_run_gc() in different namespaces blocking each other. There is still a call to icmp6_dst_gc() which operates on shared data but this function is protected by its own shared lock. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- include/net/netns/ipv6.h | 1 + net/ipv6/ip6

[PATCH net-next 1/3] ipv6: replace global gc_args with local variable

2016-03-04 Thread Michal Kubecek
collector are allowed. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv6/ip6_fib.c | 14 -- 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c index 0c7e276c230e..d7c715accac9 100644 --- a/net/ipv6/ip6_fib.c +++ b/ne

[PATCH net-next 2/3] ipv6: per netns fib6 walkers

2016-03-04 Thread Michal Kubecek
and give each its own lock. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- include/net/netns/ipv6.h | 2 ++ net/ipv6/ip6_fib.c | 67 +++- 2 files changed, 40 insertions(+), 29 deletions(-) diff --git a/include/net/netns/ipv6.h b/include/net

[PATCH net-next 0/3] ipv6: per netns FIB6 walkers and garbage collector

2016-03-04 Thread Michal Kubecek
he walkers infrastructure and garbage collector so that they work independently in network namespaces. Michal Kubecek (3): ipv6: replace global gc_args with local variable ipv6: per netns fib6 walkers ipv6: per netns FIB garbage collection include/net/netns/ipv6.h | 3 ++ net/ipv6/ip6_fib.c

Re: bpf: net/core/filter.c:2115 suspicious rcu_dereference_protected() usage!

2016-03-30 Thread Michal Kubecek
On Wed, Mar 30, 2016 at 01:33:44PM +0200, Daniel Borkmann wrote: > On 03/30/2016 11:42 AM, Michal Kubecek wrote: > > > >I'm just not sure checking if we hold the right lock depending on caller > >is worth the extra complexity. After all, what is really needed is to > >ho

Re: bpf: net/core/filter.c:2115 suspicious rcu_dereference_protected() usage!

2016-03-30 Thread Michal Kubecek
sock_owned_by_user(sk)); > + filter = rcu_dereference_protected(sk->sk_filter, locked); > if (filter) { > RCU_INIT_POINTER(sk->sk_filter, NULL); > sk_filter_uncharge(sk, filter); > @@ -2463,7 +2467,12 @@ int sk_detach_filter(struct sock *sk) > > return ret; > } > -EXPORT_SYMBOL_GPL(sk_detach_filter); > +EXPORT_SYMBOL_GPL(__sk_detach_filter); > + > +int sk_detach_filter(struct sock *sk) > +{ > + return __sk_detach_filter(sk, sock_owned_by_user(sk)); > +} > > int sk_get_filter(struct sock *sk, struct sock_filter __user *ubuf, > unsigned int len) > -- > 1.9.3 Looks good to me. I'm just not sure checking if we hold the right lock depending on caller is worth the extra complexity. After all, what is really needed is to hold _some_ lock guaranteeing sk_attach_prog() and sk_detach_filter() are safe so that just changing the condition in both to sock_owned_by_user(sk) || lockdep_rtnl_is_held() could suffice. Michal Kubecek
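
Review bot: in the quoted sk_detach_filter() hunk the EXPORT_SYMBOL_GPL line moves to __sk_detach_filter() and the new sk_detach_filter() wrapper is left without an export, so a modular caller of the old name would no longer link; either keep EXPORT_SYMBOL_GPL(sk_detach_filter) after the wrapper or say in the commit message that every module user now calls __sk_detach_filter(). The locked argument is also passed straight into rcu_dereference_protected(), so the lockdep condition is whatever boolean the caller supplies; a short comment on __sk_detach_filter() stating which lock each caller is expected to hold would make a wrong caller easier to spot.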

Re: bpf: net/core/filter.c:2115 suspicious rcu_dereference_protected() usage!

2016-03-29 Thread Michal Kubecek
On Mon, Feb 22, 2016 at 10:31:33AM -0500, Sasha Levin wrote: > > I've hit the following warning while fuzzing with trinity inside a kvmtool > guest > running the latest -next kernel: > > [ 1343.104588] === > [ 1343.104591] [ INFO: suspicious RCU usage. ] > [

Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

2016-05-16 Thread Michal Kubecek
On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote: > Hi Michal, > > On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote: > > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for > > xt_LOG") disabled logging packets usi

Re: [PATCH net v2] vlan: Propagate MAC address to VLANs unless explicitly set

2016-05-04 Thread Michal Kubecek
break; > > case NETDEV_CHANGEMTU: The commit message says "unless explicitly changed for the VLAN" but what you really check is "if it is the same as real device MAC address". This, in general, is not the same. (I believe this is what David tries to explain from the start.) Michal Kubecek

[PATCH nf-next] netfilter: allow logging from non-init namespaces

2016-04-28 Thread Michal Kubecek
a nonzero value. This sysctl is only accessible from init_net so that one cannot switch the behaviour from inside a container. Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- Documentation/networking/netfilter-sysctl.txt | 10 ++ include/net/netfilter/nf_log.h| 3

Re: [PATCH net v4] vlan: Propagate MAC address to VLANs

2016-05-09 Thread Michal Kubecek
ddr)) > + if (is_zero_ether_addr(dev->dev_addr)) { > eth_hw_addr_inherit(dev, real_dev); > + dev->addr_assign_type = NET_ADDR_STOLEN; You might want to replace eth_hw_addr_inherit() with ether_addr_copy() here as they only differ in the former copying addr_assign_typ

Re: [PATCH v18 net-next 1/1] hv_sock: introduce Hyper-V Sockets

2016-07-26 Thread Michal Kubecek
On Tue, Jul 26, 2016 at 07:09:41AM +, Dexuan Cui wrote: > If you meant https://lkml.org/lkml/2016/7/13/382, I don't think Michal > Kubecek was suggesting I build my code using the existing AF_VSOCK > code(?) I think he was only asking me to clarify the way I used to write &

Re: [PATCH v16 net-next 1/1] hv_sock: introduce Hyper-V Sockets

2016-07-13 Thread Michal Kubecek
int protocol, int kern) > +{ > + struct sock *sk; > + > + if (!capable(CAP_SYS_ADMIN) && !capable(CAP_NET_ADMIN)) > + return -EPERM; Looks like any application wanting to use hyper-v sockets will need rather high privileges. It would make sense if these sockets were reserved for privileged tasks like VM management. But according to the commit message, hv_sock is supposed to be used for regular application to application communication. Requiring CAP_{SYS,NET}_ADMIN looks like an overkill to me. > + > + if (protocol != 0 && protocol != SHV_PROTO_RAW) > + return -EPROTONOSUPPORT; > + > + switch (sock->type) { > + case SOCK_STREAM: > + sock->ops = _ops; > + break; > + default: > + return -ESOCKTNOSUPPORT; > + } > + > + sock->state = SS_UNCONNECTED; > + > + sk = hvsock_create(net, sock, GFP_KERNEL, 0); > + return sk ? 0 : -ENOMEM; > +} Michal Kubecek
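
Review bot: the permission test at the top of the quoted create function uses capable(), which checks the capability against the initial user namespace even though the function is handed net, so a task holding CAP_NET_ADMIN only inside its own user namespace gets -EPERM; if a privilege requirement is kept at all, ns_capable(net->user_ns, CAP_NET_ADMIN) would scope it to the namespace that owns the socket. The final return sk ? 0 : -ENOMEM also reports every hvsock_create() failure as -ENOMEM, which is worth a comment if allocation is not its only failure path.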

Re: [PATCH v16 net-next 0/1] introduce Hyper-V VM Sockets(hv_sock)

2016-07-13 Thread Michal Kubecek
e are not going to use AF_VSOCK". I would understand if you pointed out features important for you that are missing in AF_VSOCK but this kind of reasoning sounds strange to me. Michal Kubecek

[PATCH stable-4.1] netfilter: x_tables: fix stable backport

2016-07-19 Thread Michal Kubecek
ilter: x_tables: validate targets of jumps") Fixes: af815d264b7e ("netfilter: x_tables: do compat validation via translate_table") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv4/netfilter/arp_tables.c | 10 -- net/ipv4/netfilter/ip_tables.c | 13 +-

[PATCH stable-4.1 v2] netfilter: x_tables: fix stable backport

2016-07-19 Thread Michal Kubecek
s still a per-cpu array in find_jump_target(). Use the same fix as e.g. stable-3.14 backport. Fixes: 8163327a3a92 ("netfilter: x_tables: validate targets of jumps") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv4/netfilter/arp_tables.c | 5 +++-- net/ipv4/netfilter/ip_

[PATCH net] udp: prevent bugcheck if filter truncates packet too much

2016-07-08 Thread Michal Kubecek
was reported as CVE-2016-6162. For a reproducer, see http://seclists.org/oss-sec/2016/q3/8 Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") Reported-by: Marco Grassi <marco@gmail.com> Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv4/

Re: [PATCH net] udp: prevent bugcheck if filter truncates packet too much

2016-07-09 Thread Michal Kubecek
On Sat, Jul 09, 2016 at 11:48:49AM +0200, Daniel Borkmann wrote: > On 07/09/2016 02:20 AM, Alexei Starovoitov wrote: > >On Sat, Jul 09, 2016 at 01:31:40AM +0200, Eric Dumazet wrote: > >>On Fri, 2016-07-08 at 17:52 +0200, Michal Kubecek wrote: > >>>If socket filter

[PATCH RESEND nf] netfilter: avoid a race between nf_register_hook() and cleanup_net()

2016-07-29 Thread Michal Kubecek
twork namespace netfilter hooks.") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/netfilter/core.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index f39276d1c2d7..860978c9f82e 100644 --- a/net/netfilter/core.c +++ b/net/

Re: [PATCH nf-next] netfilter: allow logging from non-init namespaces

2016-08-16 Thread Michal Kubecek
On Mon, May 16, 2016 at 08:43:16AM +0200, Michal Kubecek wrote: > On Thu, May 12, 2016 at 11:57:26AM +0200, Pablo Neira Ayuso wrote: > > On Wed, Apr 27, 2016 at 02:48:02PM +0200, Michal Kubecek wrote: > > > Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace s

Re: Pseudo-Interface is returning wrong mac address

2017-02-06 Thread Michal Kubecek
observe similar effect whenever you connect two interfaces to the same segment. By default, linux kernel responds to an ARP query for any local address on any interface (sometimes called "ARP flux"). This behaviour can be changed via sysctl, see arp_ignore and arp_filter in Documentation/networking/ip-sysctl.txt Michal Kubecek

Re: [PATCH bug-fix] iproute: fix documentation for ip rule scan order

2016-09-08 Thread Michal Kubecek
blem is that both versions are equally confusing as the word "priority" can be understood in two different senses. How about more explicit formulation, e.g. ... in order of decreasing logical priority (i.e. increasing numeric values). Would that be better? Michal Kubecek

Re: [PATCH bug-fix] iproute: fix documentation for ip rule scan order

2016-09-08 Thread Michal Kubecek
On Thu, Sep 08, 2016 at 12:33:03PM +0200, Phil Sutter wrote: > On Thu, Sep 08, 2016 at 11:59:55AM +0200, Michal Kubecek wrote: > > > > I'm sorry I didn't notice before but this just reverts the change done > > by commit 49572501664d ("iproute2: clarification of vari

Re: [PATCH] iproute: disallow ip rule del without parameters

2016-08-30 Thread Michal Kubecek
... > Actually ip rule delete without arguments deletes all rules. > Which could be a bug or feature depending on the user. > I can imagine somebody is doing something like deleting all rules > and putting in new ones for PBR. We have "ip rule flush" for that, don't we? Michal Kubecek

Re: slab corruption with current -git

2016-10-11 Thread Michal Kubecek
issue discussed here: https://marc.info/?l=netfilter-devel=146980917627262=2 Could it be (partly) the same race condition? Michal Kubecek

Re: [PATCH net v2] tipc: check minimum bearer MTU

2016-12-01 Thread Michal Kubecek
On Thu, Dec 01, 2016 at 04:11:18PM +, Ben Hutchings wrote: > On Thu, 2016-12-01 at 12:02 +0100, Michal Kubecek wrote: > [...]  > > +/* check if device MTU is sufficient for tipc headers */ > > +static inline bool tipc_check_mtu(struct net_device *dev, unsigne

[PATCH net v3] tipc: check minimum bearer MTU

2016-12-02 Thread Michal Kubecek
overflow when calculating bearer MTU. Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") Signed-off-by: Michal Kubecek <mkube...@suse.cz> Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn> --- changes v2 to v3: - rename tipc_check_mtu() helper to tipc_mtu_bad() and make the comment a

[PATCH net] tipc: check minimum bearer MTU

2016-11-30 Thread Michal Kubecek
overflow when calculating bearer MTU. Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") Signed-off-by: Michal Kubecek <mkube...@suse.cz> Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn> --- net/tipc/bearer.c| 9 +++-- net/tipc/bearer.h| 13 + net/tipc/udp

Re: [PATCH net] tipc: check minimum bearer MTU

2016-11-30 Thread Michal Kubecek
On Wed, Nov 30, 2016 at 10:57:02AM +0100, Michal Kubecek wrote: > Qian Zhang (张谦) reported a potential socket buffer overflow in > tipc_msg_build() which is also known as CVE-2016-8632: due to > insufficient checks, a buffer overflow can occur if MTU is too short for > even tipc header

Re: [PATCH net] tipc: check minimum bearer MTU

2016-11-30 Thread Michal Kubecek
hanged > after bearer is enabled. I should admit I'm not that familiar with tipc. Do you mean updating b->mtu in response to PMTU updates of the route used for ub->ubsock? The way I understand it, it would be certainly useful but it's not directly related to the security issue this patch addresses as if there are no updates, b->mtu cannot get too low and there is no risk of a buffer overflow. In other words, reflecting PMTU updates is something that can be IMHO left for later. Michal Kubecek

[PATCH net v2] tipc: check minimum bearer MTU

2016-12-01 Thread Michal Kubecek
overflow when calculating bearer MTU. Fixes: b97bf3fd8f6a ("[TIPC] Initial merge") Signed-off-by: Michal Kubecek <mkube...@suse.cz> Reported-by: Qian Zhang (张谦) <zhangqia...@360.cn> --- changes v1 to v2: - add missing "static" to tipc_check_mtu() helper declaration -

Re: vlan tagging problem

2017-04-12 Thread Michal Kubecek
n information was passed in metadata rather than as a tag in packet itself (which is usually the case when outgoing/incoming device supports hardware vlan tagging/stripping). Make sure this is not your case. Michal Kubecek

Re: [PATCH V2 net] netdevice: Include NETIF_F_HW_CSUM when intersecting features

2017-04-20 Thread Michal Kubecek
t does, it's a trap that someone might one day fall in. Michal Kubecek

blocking ops when !TASK_RUNNING in vsock_stream_sendmsg() (again)

2017-04-21 Thread Michal Kubecek
th the original fix); IMHO the right way to resolve the issue would be rewriting the vmci queue pair code to allow performing the has_space() check without taking a mutex. Michal Kubecek

Re: [PATCH net] netdevice: Prefer NETIF_F_HW_CSUM when intersecting features

2017-04-20 Thread Michal Kubecek
e can avoid nested ifs now: if ((f1 ^ f2) & NETIF_F_HW_CSUM) { f1 |= NETIF_F_HW_CSUM; f2 |= NETIF_F_HW_CSUM; } Michal Kubecek

Re: [PATCH net] ipv6: make ECMP route replacement less greedy

2017-03-13 Thread Michal Kubecek
break; > if (rt6_qualify_for_ecmp(iter)) { > *ins = iter->dst.rt6_next; > fib6_purge_rt(iter, fn, info->nl_net); > -- > 2.12.0 > Good catch, thank you. The metric comparison could be merged into the cycle condition but this way it doesn't seem any worse. Reviewed-by: Michal Kubecek <mkube...@suse.cz>

Re: [PATCH v2 RFC 0/13] Remove UDP Fragmentation Offload support

2017-07-07 Thread Michal Kubecek
- if nothing else, the ever-growing list of exceptions in ip{,6}_append_data() is getting out of hand. Michal Kubecek

RFC: changed error code when binding unix socket twice

2017-06-30 Thread Michal Kubecek
Hello, commit 0fb44559ffd6 ("af_unix: move unix_mknod() out of bindlock") moves the special file creation in unix_bind() before u->bindlock is taken in order to avoid an ABBA deadlock with do_splice(). As a side effect, it also moves the check for existence of the special file (which would result

[PATCH net] net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()

2017-06-29 Thread Michal Kubecek
oblem, handle NAPI_GRO_FREE_STOLEN_HEAD in napi_frags_finish() the same way it's done in napi_skb_finish(). Fixes: d7e8883cfcf4 ("net: make GRO aware of skb->head_frag") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/core/dev.c | 24 +--- 1 file change

[PATCH iproute2] routel: fix infinite loop in line parser

2017-04-27 Thread Michal Kubecek
(currently) known keywords without value This is still far from perfect (and certainly not future proof) but to fully fix the script, one would probably have to rewrite the logic completely (and I'm not sure it's worth the effort). Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- ip/ro

Re: [PATCH iproute2] routel: fix infinite loop in line parser

2017-04-28 Thread Michal Kubecek
Agreed, parsing the output of ip command is certainly not the right way. I must admit that I had no idea this script exists until the bug report landed on my table (and I had to use "rpm -qf" to learn that it's part of iproute2 package). And I suspect I may not be the only one. Michal Kubecek

Re: [regression v4.11] 617f01211baf ("8139too: use napi_complete_done()")

2017-06-19 Thread Michal Kubecek
) > + RTL_W16_F(IntrMask, rtl8139_intr_mask); > spin_unlock_irqrestore(>lock, flags); > } > spin_unlock(>rx_lock); Eric, we have a bugreport of what seems to be the same problem: https://bugzilla.suse.com/show_bug.cgi?id=1042208 Do you plan to submit the patch above or is the conclusion that this is rather a hardware problem? Michal Kubecek

Re: [PATCH] Convert BUG_ON to WARN_ON in bond_options.c

2017-06-22 Thread Michal Kubecek
BUG_ON is defined only on powerpc and mips. It makes good sense, you don't want to BUG_ON() on a condition unless it's extremely unlikely. (Except for debugging purpose but even then you don't really care about fine optimization when you are going to oops.) Michal Kubecek

Re: Repeatable inet6_dump_fib crash in stock 4.12.0-rc4+

2017-06-20 Thread Michal Kubecek
ntf in the kernel either. It > must change the timing too much to trigger the bug. You might try trace_printk() which should have less impact (don't forget to enable /proc/sys/kernel/ftrace_dump_on_oops). Michal Kubecek

[PATCH net] net: account for current skb length when deciding about UFO

2017-06-19 Thread Michal Kubecek
agment between __ip6_append_data and ip6_finish_output") Signed-off-by: Michal Kubecek <mkube...@suse.cz> --- net/ipv4/ip_output.c | 3 ++- net/ipv6/ip6_output.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 7a3fd

Re: [PATCHv2 iproute2 1/2] lib/libnetlink: re malloc buff if size is not enough

2017-09-19 Thread Michal Kubecek
On Tue, Sep 19, 2017 at 11:05:20AM +0800, Hangbin Liu wrote: > On Mon, Sep 18, 2017 at 09:55:05AM +0200, Michal Kubecek wrote: > > > @@ -471,19 +516,23 @@ int rtnl_dump_filter_l(struct rtnl_handle *rth, > > > > > > if

Re: [PATCHv3 iproute2 1/2] lib/libnetlink: re malloc buff if size is not enough

2017-09-21 Thread Michal Kubecek
hink? I will have to check but IIRC it might be possible to use zero length for the peek to only check the length which could help you to avoid both the reallocation and copying the same data from kernel to userspace twice. Michal Kubecek

Re: [PATCHv2 iproute2 1/2] lib/libnetlink: re malloc buff if size is not enough

2017-09-18 Thread Michal Kubecek
On Wed, Sep 13, 2017 at 05:59:39PM +0800, Hangbin Liu wrote: > With commit 72b365e8e0fd ("libnetlink: Double the dump buffer size") > we doubled the buffer size to support more VFs. But the VFs number is > increasing all the time. Some customers even use more than 200 VFs now. > > We could not

Re: [PATCH iproute2 1/2] lib/libnetlink: re malloc buff if size is not enough

2017-09-08 Thread Michal Kubecek
if (errno == EINTR || errno == EAGAIN) > > - continue; > > - fprintf(stderr, "netlink receive error %s (%d)\n", > > - strerror(errno), errno); > > - return -1; > > - } > > - > > - if (status == 0) { > > - fprintf(stderr, "EOF on netlink\n"); > > - return -1; > > - } > > + status = rtnl_recvmsg(rth->fd, , ); > > + if (status < 0) > > + return status; > > + else if (status == 0) > > + continue; > > When retrying inside rtnl_recvmsg(), it won't return 0 anymore. I > believe the whole 'while (1)' loop could go away then. Doesn't this loop also handle the response divided into multiple packets? Michal Kubecek
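Review bot: the added `else if (status == 0) continue;` after the rtnl_recvmsg() call changes what a zero return means. The removed lines treated status == 0 as "EOF on netlink" and returned -1, so if the new helper can still return 0 on EOF this loop retries forever instead of failing. The return contract of rtnl_recvmsg() (negative on error, 0 for what, positive for length) should be documented at its definition, and the EOF case should keep returning an error to the caller. As a style point, the `else` after `return status;` is redundant and can be a plain `if`.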

Re: [PATCH iproute2 0/2] malloc correct buff at run time

2017-09-08 Thread Michal Kubecek
e. (I didn't really like the idea of a 32KB buffer on stack but with malloc() it's OK, I would say.) Michal Kubecek
