Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'net-6.4-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull networking fixes from Paolo Abeni:
"Including fixes from ipsec, bpf, mptcp and netfilter.

Current release - regressions:

- netfilter: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain

- eth: mlx5e:
    - fix scheduling of IPsec ASO query while in atomic
    - free IRQ rmap and notifier on kernel shutdown

Current release - new code bugs:

- phy: manual remove LEDs to ensure correct ordering

Previous releases - regressions:

- mptcp: fix possible divide by zero in recvmsg()

- dsa: revert "net: phy: dp83867: perform soft reset and retain
  established link"

Previous releases - always broken:

- sched: netem: acquire qdisc lock in netem_change()

- bpf:
    - fix verifier id tracking of scalars on spill
    - fix NULL dereference on exceptions
    - accept function names that contain dots

- netfilter: disallow element updates of bound anonymous sets

- mptcp: ensure listener is unhashed before updating the sk status

- xfrm:
    - add missed call to delete offloaded policies
    - fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets

- selftests: fixes for FIPS mode

- dsa: mt7530: fix multiple CPU ports, BPDU and LLDP handling

- eth: sfc: use budget for TX completions

Misc:

- wifi: iwlwifi: add support for SO-F device with PCI id 0x7AF0"

* tag 'net-6.4-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (74 commits)
revert "net: align SO_RCVMARK required privileges with SO_MARK"
net: wwan: iosm: Convert single instance struct member to flexible array
sch_netem: acquire qdisc lock in netem_change()
selftests: forwarding: Fix race condition in mirror installation
wifi: mac80211: report all unusable beacon frames
mptcp: ensure listener is unhashed before updating the sk status
mptcp: drop legacy code around RX EOF
mptcp: consolidate fallback and non fallback state machine
mptcp: fix possible list corruption on passive MPJ
mptcp: fix possible divide by zero in recvmsg()
mptcp: handle correctly disconnect() failures
bpf: Force kprobe multi expected_attach_type for kprobe_multi link
bpf/btf: Accept function names that contain dots
Revert "net: phy: dp83867: perform soft reset and retain established link"
net: mdio: fix the wrong parameters
netfilter: nf_tables: Fix for deleting base chains with payload
netfilter: nfnetlink_osf: fix module autoload
netfilter: nf_tables: drop module reference after updating chain
netfilter: nf_tables: disallow timeout for anonymous sets
netfilter: nf_tables: disallow updates of anonymous sets
...

+1178 -351
+6 -4
MAINTAINERS
··· 9972 9972 L: linux-wpan@vger.kernel.org 9973 9973 S: Maintained 9974 9974 W: https://linux-wpan.org/ 9975 - T: git git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan.git 9976 - T: git git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next.git 9975 + Q: https://patchwork.kernel.org/project/linux-wpan/list/ 9976 + T: git git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan.git 9977 + T: git git://git.kernel.org/pub/scm/linux/kernel/git/wpan/wpan-next.git 9977 9978 F: Documentation/networking/ieee802154.rst 9978 9979 F: drivers/net/ieee802154/ 9979 9980 F: include/linux/ieee802154.h ··· 13270 13269 F: include/soc/mediatek/smi.h 13271 13270 13272 13271 MEDIATEK SWITCH DRIVER 13273 - M: Sean Wang <sean.wang@mediatek.com> 13272 + M: Arınç ÜNAL <arinc.unal@arinc9.com> 13273 + M: Daniel Golle <daniel@makrotopia.org> 13274 13274 M: Landen Chao <Landen.Chao@mediatek.com> 13275 13275 M: DENG Qingfang <dqfext@gmail.com> 13276 - M: Daniel Golle <daniel@makrotopia.org> 13276 + M: Sean Wang <sean.wang@mediatek.com> 13277 13277 L: netdev@vger.kernel.org 13278 13278 S: Maintained 13279 13279 F: drivers/net/dsa/mt7530-mdio.c
+1 -1
arch/x86/net/bpf_jit_comp.c
··· 2570 2570 } 2571 2571 2572 2572 if (bpf_jit_enable > 1) 2573 - bpf_jit_dump(prog->len, proglen, pass + 1, image); 2573 + bpf_jit_dump(prog->len, proglen, pass + 1, rw_image); 2574 2574 2575 2575 if (image) { 2576 2576 if (!prog->is_func || extra_pass) {
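Review bot: At line 2573 the dump argument changes from image to rw_image with no comment, while the `if (image)` block right below still works on the other pointer. A one-line comment above bpf_jit_dump() saying why the dump has to read rw_image would stop a later cleanup from switching it back.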
+38 -10
drivers/net/dsa/mt7530.c
··· 399 399 core_set(priv, CORE_TRGMII_GSW_CLK_CG, REG_GSWCK_EN); 400 400 } 401 401 402 + /* If port 6 is available as a CPU port, always prefer that as the default, 403 + * otherwise don't care. 404 + */ 405 + static struct dsa_port * 406 + mt753x_preferred_default_local_cpu_port(struct dsa_switch *ds) 407 + { 408 + struct dsa_port *cpu_dp = dsa_to_port(ds, 6); 409 + 410 + if (dsa_port_is_cpu(cpu_dp)) 411 + return cpu_dp; 412 + 413 + return NULL; 414 + } 415 + 402 416 /* Setup port 6 interface mode and TRGMII TX circuit */ 403 417 static int 404 418 mt7530_pad_clk_setup(struct dsa_switch *ds, phy_interface_t interface) ··· 999 985 mutex_unlock(&priv->reg_mutex); 1000 986 } 1001 987 988 + static void 989 + mt753x_trap_frames(struct mt7530_priv *priv) 990 + { 991 + /* Trap BPDUs to the CPU port(s) */ 992 + mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK, 993 + MT753X_BPDU_CPU_ONLY); 994 + 995 + /* Trap LLDP frames with :0E MAC DA to the CPU port(s) */ 996 + mt7530_rmw(priv, MT753X_RGAC2, MT753X_R0E_PORT_FW_MASK, 997 + MT753X_R0E_PORT_FW(MT753X_BPDU_CPU_ONLY)); 998 + } 999 + 1002 1000 static int 1003 1001 mt753x_cpu_port_enable(struct dsa_switch *ds, int port) 1004 1002 { ··· 1033 1007 UNU_FFP(BIT(port))); 1034 1008 1035 1009 /* Set CPU port number */ 1036 - if (priv->id == ID_MT7621) 1010 + if (priv->id == ID_MT7530 || priv->id == ID_MT7621) 1037 1011 mt7530_rmw(priv, MT7530_MFC, CPU_MASK, CPU_EN | CPU_PORT(port)); 1012 + 1013 + /* Add the CPU port to the CPU port bitmap for MT7531 and the switch on 1014 + * the MT7988 SoC. Trapped frames will be forwarded to the CPU port that 1015 + * is affine to the inbound user port. 1016 + */ 1017 + if (priv->id == ID_MT7531 || priv->id == ID_MT7988) 1018 + mt7530_set(priv, MT7531_CFC, MT7531_CPU_PMAP(BIT(port))); 1038 1019 1039 1020 /* CPU port gets connected to all user ports of 1040 1021 * the switch. 
··· 2288 2255 2289 2256 priv->p6_interface = PHY_INTERFACE_MODE_NA; 2290 2257 2258 + mt753x_trap_frames(priv); 2259 + 2291 2260 /* Enable and reset MIB counters */ 2292 2261 mt7530_mib_reset(ds); 2293 2262 ··· 2387 2352 mt7531_setup_common(struct dsa_switch *ds) 2388 2353 { 2389 2354 struct mt7530_priv *priv = ds->priv; 2390 - struct dsa_port *cpu_dp; 2391 2355 int ret, i; 2392 2356 2393 - /* BPDU to CPU port */ 2394 - dsa_switch_for_each_cpu_port(cpu_dp, ds) { 2395 - mt7530_rmw(priv, MT7531_CFC, MT7531_CPU_PMAP_MASK, 2396 - BIT(cpu_dp->index)); 2397 - break; 2398 - } 2399 - mt7530_rmw(priv, MT753X_BPC, MT753X_BPDU_PORT_FW_MASK, 2400 - MT753X_BPDU_CPU_ONLY); 2357 + mt753x_trap_frames(priv); 2401 2358 2402 2359 /* Enable and reset MIB counters */ 2403 2360 mt7530_mib_reset(ds); ··· 3112 3085 const struct dsa_switch_ops mt7530_switch_ops = { 3113 3086 .get_tag_protocol = mtk_get_tag_protocol, 3114 3087 .setup = mt753x_setup, 3088 + .preferred_default_local_cpu_port = mt753x_preferred_default_local_cpu_port, 3115 3089 .get_strings = mt7530_get_strings, 3116 3090 .get_ethtool_stats = mt7530_get_ethtool_stats, 3117 3091 .get_sset_count = mt7530_get_sset_count,
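Review bot: In mt753x_trap_frames() the LLDP write passes MT753X_BPDU_CPU_ONLY to MT753X_R0E_PORT_FW(), so a value from enum mt753x_bpdu_port_fw is used for the R0E field of MT753X_RGAC2; either rename the enum so it covers both registers or add a comment that the two fields share one encoding. Separately, mt753x_preferred_default_local_cpu_port() hands the result of dsa_to_port(ds, 6) straight to dsa_port_is_cpu(); if that lookup can return NULL on a switch without port 6, check it first, and give the literal 6 a name.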
+6
drivers/net/dsa/mt7530.h
··· 54 54 #define MT7531_MIRROR_PORT_GET(x) (((x) >> 16) & MIRROR_MASK) 55 55 #define MT7531_MIRROR_PORT_SET(x) (((x) & MIRROR_MASK) << 16) 56 56 #define MT7531_CPU_PMAP_MASK GENMASK(7, 0) 57 + #define MT7531_CPU_PMAP(x) FIELD_PREP(MT7531_CPU_PMAP_MASK, x) 57 58 58 59 #define MT753X_MIRROR_REG(id) ((((id) == ID_MT7531) || ((id) == ID_MT7988)) ? \ 59 60 MT7531_CFC : MT7530_MFC) ··· 66 65 /* Registers for BPDU and PAE frame control*/ 67 66 #define MT753X_BPC 0x24 68 67 #define MT753X_BPDU_PORT_FW_MASK GENMASK(2, 0) 68 + 69 + /* Register for :03 and :0E MAC DA frame control */ 70 + #define MT753X_RGAC2 0x2c 71 + #define MT753X_R0E_PORT_FW_MASK GENMASK(18, 16) 72 + #define MT753X_R0E_PORT_FW(x) FIELD_PREP(MT753X_R0E_PORT_FW_MASK, x) 69 73 70 74 enum mt753x_bpdu_port_fw { 71 75 MT753X_BPDU_FOLLOW_MFC,
+2 -2
drivers/net/ethernet/emulex/benet/be_main.c
··· 1135 1135 eth_hdr_len = ntohs(skb->protocol) == ETH_P_8021Q ? 1136 1136 VLAN_ETH_HLEN : ETH_HLEN; 1137 1137 if (skb->len <= 60 && 1138 - (lancer_chip(adapter) || skb_vlan_tag_present(skb)) && 1139 - is_ipv4_pkt(skb)) { 1138 + (lancer_chip(adapter) || BE3_chip(adapter) || 1139 + skb_vlan_tag_present(skb)) && is_ipv4_pkt(skb)) { 1140 1140 ip = (struct iphdr *)ip_hdr(skb); 1141 1141 pskb_trim(skb, eth_hdr_len + ntohs(ip->tot_len)); 1142 1142 }
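Review bot: Adding BE3_chip(adapter) to the condition sends more short frames into the pskb_trim() call, whose return value is ignored and whose length is taken from ip->tot_len in the packet itself. Check that tot_len is at least the IP header length before trimming and handle a failing pskb_trim(), and add a comment saying why BE3 needs the same trimming as Lancer.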
+6 -1
drivers/net/ethernet/freescale/dpaa2/dpaa2-mac.c
··· 54 54 case DPMAC_ETH_IF_XFI: 55 55 *if_mode = PHY_INTERFACE_MODE_10GBASER; 56 56 break; 57 + case DPMAC_ETH_IF_CAUI: 58 + *if_mode = PHY_INTERFACE_MODE_25GBASER; 59 + break; 57 60 default: 58 61 return -EINVAL; 59 62 } ··· 82 79 return DPMAC_ETH_IF_XFI; 83 80 case PHY_INTERFACE_MODE_1000BASEX: 84 81 return DPMAC_ETH_IF_1000BASEX; 82 + case PHY_INTERFACE_MODE_25GBASER: 83 + return DPMAC_ETH_IF_CAUI; 85 84 default: 86 85 return DPMAC_ETH_IF_MII; 87 86 } ··· 423 418 424 419 mac->phylink_config.mac_capabilities = MAC_SYM_PAUSE | MAC_ASYM_PAUSE | 425 420 MAC_10FD | MAC_100FD | MAC_1000FD | MAC_2500FD | MAC_5000FD | 426 - MAC_10000FD; 421 + MAC_10000FD | MAC_25000FD; 427 422 428 423 dpaa2_mac_set_supported_interfaces(mac); 429 424
+6 -2
drivers/net/ethernet/mellanox/mlx5/core/en/params.c
··· 732 732 static int mlx5e_build_rq_frags_info(struct mlx5_core_dev *mdev, 733 733 struct mlx5e_params *params, 734 734 struct mlx5e_xsk_param *xsk, 735 - struct mlx5e_rq_frags_info *info) 735 + struct mlx5e_rq_frags_info *info, 736 + u32 *xdp_frag_size) 736 737 { 737 738 u32 byte_count = MLX5E_SW2HW_MTU(params, params->sw_mtu); 738 739 int frag_size_max = DEFAULT_FRAG_SIZE; ··· 845 844 __func__, info->wqe_bulk, info->refill_unit); 846 845 847 846 info->log_num_frags = order_base_2(info->num_frags); 847 + 848 + *xdp_frag_size = info->num_frags > 1 && params->xdp_prog ? PAGE_SIZE : 0; 848 849 849 850 return 0; 850 851 } ··· 992 989 } 993 990 default: /* MLX5_WQ_TYPE_CYCLIC */ 994 991 MLX5_SET(wq, wq, log_wq_sz, params->log_rq_mtu_frames); 995 - err = mlx5e_build_rq_frags_info(mdev, params, xsk, &param->frags_info); 992 + err = mlx5e_build_rq_frags_info(mdev, params, xsk, &param->frags_info, 993 + &param->xdp_frag_size); 996 994 if (err) 997 995 return err; 998 996 ndsegs = param->frags_info.num_frags;
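Review bot: The assignment `*xdp_frag_size = info->num_frags > 1 && params->xdp_prog ? PAGE_SIZE : 0;` relies on operator precedence between >, && and ?: to read correctly; put the condition in parentheses. The out parameter is also written only just before `return 0`, so its value is undefined for the caller on the error paths; initialising it to 0 at the top of the function would remove that dependency.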
+1
drivers/net/ethernet/mellanox/mlx5/core/en/params.h
··· 24 24 u32 rqc[MLX5_ST_SZ_DW(rqc)]; 25 25 struct mlx5_wq_param wq; 26 26 struct mlx5e_rq_frags_info frags_info; 27 + u32 xdp_frag_size; 27 28 }; 28 29 29 30 struct mlx5e_sq_param {
+2
drivers/net/ethernet/mellanox/mlx5/core/en/tc_ct.c
··· 2021 2021 mlx5_tc_ct_delete_flow(struct mlx5_tc_ct_priv *priv, 2022 2022 struct mlx5_flow_attr *attr) 2023 2023 { 2024 + if (!attr->ct_attr.ft) /* no ct action, return */ 2025 + return; 2024 2026 if (!attr->ct_attr.nf_ft) /* means only ct clear action, and not ct_clear,ct() */ 2025 2027 return; 2026 2028
+1 -1
drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c
··· 86 86 if (err) 87 87 return err; 88 88 89 - return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq_xdp_ix, 0); 89 + return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq_xdp_ix, c->napi.napi_id); 90 90 } 91 91 92 92 static int mlx5e_open_xsk_rq(struct mlx5e_channel *c, struct mlx5e_params *params,
+16 -6
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
··· 61 61 struct mlx5e_ipsec_sa_entry *sa_entry = dwork->sa_entry; 62 62 struct xfrm_state *x = sa_entry->x; 63 63 64 - spin_lock(&x->lock); 64 + if (sa_entry->attrs.drop) 65 + return; 66 + 67 + spin_lock_bh(&x->lock); 65 68 xfrm_state_check_expire(x); 66 69 if (x->km.state == XFRM_STATE_EXPIRED) { 67 70 sa_entry->attrs.drop = true; 68 - mlx5e_accel_ipsec_fs_modify(sa_entry); 69 - } 70 - spin_unlock(&x->lock); 71 + spin_unlock_bh(&x->lock); 71 72 72 - if (sa_entry->attrs.drop) 73 + mlx5e_accel_ipsec_fs_modify(sa_entry); 73 74 return; 75 + } 76 + spin_unlock_bh(&x->lock); 74 77 75 78 queue_delayed_work(sa_entry->ipsec->wq, &dwork->dwork, 76 79 MLX5_IPSEC_RESCHED); ··· 1043 1040 return err; 1044 1041 } 1045 1042 1046 - static void mlx5e_xfrm_free_policy(struct xfrm_policy *x) 1043 + static void mlx5e_xfrm_del_policy(struct xfrm_policy *x) 1047 1044 { 1048 1045 struct mlx5e_ipsec_pol_entry *pol_entry = to_ipsec_pol_entry(x); 1049 1046 1050 1047 mlx5e_accel_ipsec_fs_del_pol(pol_entry); 1048 + } 1049 + 1050 + static void mlx5e_xfrm_free_policy(struct xfrm_policy *x) 1051 + { 1052 + struct mlx5e_ipsec_pol_entry *pol_entry = to_ipsec_pol_entry(x); 1053 + 1051 1054 kfree(pol_entry); 1052 1055 } 1053 1056 ··· 1074 1065 1075 1066 .xdo_dev_state_update_curlft = mlx5e_xfrm_update_curlft, 1076 1067 .xdo_dev_policy_add = mlx5e_xfrm_add_policy, 1068 + .xdo_dev_policy_delete = mlx5e_xfrm_del_policy, 1077 1069 .xdo_dev_policy_free = mlx5e_xfrm_free_policy, 1078 1070 }; 1079 1071
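Review bot: The new early `if (sa_entry->attrs.drop) return;` reads attrs.drop before x->lock is taken, while the only visible write to it happens under spin_lock_bh(&x->lock). If nothing else serialises this work against itself, move the check inside the locked section or annotate the accesses with READ_ONCE()/WRITE_ONCE(), and say in a comment which of the two applies.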
+14 -3
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec_offload.c
··· 305 305 } 306 306 307 307 mlx5e_ipsec_build_accel_xfrm_attrs(sa_entry, &attrs); 308 + 309 + /* It is safe to execute the modify below unlocked since the only flows 310 + * that could affect this HW object, are create, destroy and this work. 311 + * 312 + * Creation flow can't co-exist with this modify work, the destruction 313 + * flow would cancel this work, and this work is a single entity that 314 + * can't conflict with it self. 315 + */ 316 + spin_unlock_bh(&sa_entry->x->lock); 308 317 mlx5_accel_esp_modify_xfrm(sa_entry, &attrs); 318 + spin_lock_bh(&sa_entry->x->lock); 309 319 310 320 data.data_offset_condition_operand = 311 321 MLX5_IPSEC_ASO_REMOVE_FLOW_PKT_CNT_OFFSET; ··· 441 431 aso = sa_entry->ipsec->aso; 442 432 attrs = &sa_entry->attrs; 443 433 444 - spin_lock(&sa_entry->x->lock); 434 + spin_lock_bh(&sa_entry->x->lock); 445 435 ret = mlx5e_ipsec_aso_query(sa_entry, NULL); 446 436 if (ret) 447 437 goto unlock; ··· 457 447 mlx5e_ipsec_handle_limits(sa_entry); 458 448 459 449 unlock: 460 - spin_unlock(&sa_entry->x->lock); 450 + spin_unlock_bh(&sa_entry->x->lock); 461 451 kfree(work); 462 452 } 463 453 ··· 606 596 do { 607 597 ret = mlx5_aso_poll_cq(aso->aso, false); 608 598 if (ret) 609 - usleep_range(2, 10); 599 + /* We are in atomic context */ 600 + udelay(10); 610 601 } while (ret && time_is_after_jiffies(expires)); 611 602 spin_unlock_bh(&aso->lock); 612 603 return ret;
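Review bot: Dropping x->lock around mlx5_accel_esp_modify_xfrm() means anything read from sa_entry->x before the spin_unlock_bh() may be stale once the lock is re-taken; the added comment argues about the HW object but not about the xfrm state fields, so state which fields the code after the re-lock is allowed to rely on. In the last hunk, udelay(10) now spins with aso->lock held and bottom halves disabled until `expires`; note the worst-case duration next to the loop.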
+4 -3
drivers/net/ethernet/mellanox/mlx5/core/en_main.c
··· 641 641 } 642 642 643 643 static int mlx5e_init_rxq_rq(struct mlx5e_channel *c, struct mlx5e_params *params, 644 - struct mlx5e_rq *rq) 644 + u32 xdp_frag_size, struct mlx5e_rq *rq) 645 645 { 646 646 struct mlx5_core_dev *mdev = c->mdev; 647 647 int err; ··· 665 665 if (err) 666 666 return err; 667 667 668 - return xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, c->napi.napi_id); 668 + return __xdp_rxq_info_reg(&rq->xdp_rxq, rq->netdev, rq->ix, c->napi.napi_id, 669 + xdp_frag_size); 669 670 } 670 671 671 672 static int mlx5_rq_shampo_alloc(struct mlx5_core_dev *mdev, ··· 2241 2240 { 2242 2241 int err; 2243 2242 2244 - err = mlx5e_init_rxq_rq(c, params, &c->rq); 2243 + err = mlx5e_init_rxq_rq(c, params, rq_params->xdp_frag_size, &c->rq); 2245 2244 if (err) 2246 2245 return err; 2247 2246
+1
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
··· 1439 1439 mlx5e_hairpin_flow_del(priv, flow); 1440 1440 1441 1441 free_flow_post_acts(flow); 1442 + mlx5_tc_ct_delete_flow(get_ct_priv(flow->priv), attr); 1442 1443 1443 1444 kvfree(attr->parse_attr); 1444 1445 kfree(flow->attr);
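Review bot: The added mlx5_tc_ct_delete_flow() call at line 1442 is unconditional, so for flows without a ct action it is only safe because of the `!attr->ct_attr.ft` early return added in tc_ct.c in this same merge. A comment here, or a check at the call site, would keep the two from drifting apart in a backport that picks up only one of them.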
+37 -13
drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c
··· 511 511 struct mlx5_flow_rule *dst; 512 512 void *in_flow_context, *vlan; 513 513 void *in_match_value; 514 + int reformat_id = 0; 514 515 unsigned int inlen; 515 516 int dst_cnt_size; 517 + u32 *in, action; 516 518 void *in_dests; 517 - u32 *in; 518 519 int err; 519 520 520 521 if (mlx5_set_extended_dest(dev, fte, &extended_dest)) ··· 554 553 555 554 MLX5_SET(flow_context, in_flow_context, extended_destination, 556 555 extended_dest); 557 - if (extended_dest) { 558 - u32 action; 559 556 560 - action = fte->action.action & 561 - ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; 562 - MLX5_SET(flow_context, in_flow_context, action, action); 563 - } else { 564 - MLX5_SET(flow_context, in_flow_context, action, 565 - fte->action.action); 566 - if (fte->action.pkt_reformat) 567 - MLX5_SET(flow_context, in_flow_context, packet_reformat_id, 568 - fte->action.pkt_reformat->id); 557 + action = fte->action.action; 558 + if (extended_dest) 559 + action &= ~MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT; 560 + 561 + MLX5_SET(flow_context, in_flow_context, action, action); 562 + 563 + if (!extended_dest && fte->action.pkt_reformat) { 564 + struct mlx5_pkt_reformat *pkt_reformat = fte->action.pkt_reformat; 565 + 566 + if (pkt_reformat->owner == MLX5_FLOW_RESOURCE_OWNER_SW) { 567 + reformat_id = mlx5_fs_dr_action_get_pkt_reformat_id(pkt_reformat); 568 + if (reformat_id < 0) { 569 + mlx5_core_err(dev, 570 + "Unsupported SW-owned pkt_reformat type (%d) in FW-owned table\n", 571 + pkt_reformat->reformat_type); 572 + err = reformat_id; 573 + goto err_out; 574 + } 575 + } else { 576 + reformat_id = fte->action.pkt_reformat->id; 577 + } 569 578 } 570 - if (fte->action.modify_hdr) 579 + 580 + MLX5_SET(flow_context, in_flow_context, packet_reformat_id, (u32)reformat_id); 581 + 582 + if (fte->action.modify_hdr) { 583 + if (fte->action.modify_hdr->owner == MLX5_FLOW_RESOURCE_OWNER_SW) { 584 + mlx5_core_err(dev, "Can't use SW-owned modify_hdr in FW-owned table\n"); 585 + err = -EOPNOTSUPP; 586 + 
goto err_out; 587 + } 588 + 571 589 MLX5_SET(flow_context, in_flow_context, modify_header_id, 572 590 fte->action.modify_hdr->id); 591 + } 573 592 574 593 MLX5_SET(flow_context, in_flow_context, encrypt_decrypt_type, 575 594 fte->action.crypto.type); ··· 906 885 907 886 pkt_reformat->id = MLX5_GET(alloc_packet_reformat_context_out, 908 887 out, packet_reformat_id); 888 + pkt_reformat->owner = MLX5_FLOW_RESOURCE_OWNER_FW; 889 + 909 890 kfree(in); 910 891 return err; 911 892 } ··· 992 969 err = mlx5_cmd_exec(dev, in, inlen, out, sizeof(out)); 993 970 994 971 modify_hdr->id = MLX5_GET(alloc_modify_header_context_out, out, modify_header_id); 972 + modify_hdr->owner = MLX5_FLOW_RESOURCE_OWNER_FW; 995 973 kfree(in); 996 974 return err; 997 975 }
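Review bot: packet_reformat_id is now written by MLX5_SET() on every call, with reformat_id left at 0 when extended_dest is set or no pkt_reformat is attached, where the old code left the field untouched in those cases; confirm the input buffer is zeroed so the two are equivalent, and say so in a comment. reformat_id also doubles as the carrier for a negative errno before being cast to u32, so assigning the helper's return to err first would be cleaner, and the else branch can use the local pkt_reformat->id instead of fte->action.pkt_reformat->id.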
+7
drivers/net/ethernet/mellanox/mlx5/core/fs_core.h
··· 54 54 u32 id; 55 55 }; 56 56 57 + enum mlx5_flow_resource_owner { 58 + MLX5_FLOW_RESOURCE_OWNER_FW, 59 + MLX5_FLOW_RESOURCE_OWNER_SW, 60 + }; 61 + 57 62 struct mlx5_modify_hdr { 58 63 enum mlx5_flow_namespace_type ns_type; 64 + enum mlx5_flow_resource_owner owner; 59 65 union { 60 66 struct mlx5_fs_dr_action action; 61 67 u32 id; ··· 71 65 struct mlx5_pkt_reformat { 72 66 enum mlx5_flow_namespace_type ns_type; 73 67 int reformat_type; /* from mlx5_ifc */ 68 + enum mlx5_flow_resource_owner owner; 74 69 union { 75 70 struct mlx5_fs_dr_action action; 76 71 u32 id;
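Review bot: MLX5_FLOW_RESOURCE_OWNER_FW is the first enumerator and therefore 0, so any mlx5_modify_hdr or mlx5_pkt_reformat that is zero-allocated and never tagged will read as FW-owned and pass the new ownership checks for FW tables. Consider a leading "unset" enumerator, or document at the enum that every allocation path must set owner.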
+28 -5
drivers/net/ethernet/mellanox/mlx5/core/pci_irq.c
··· 126 126 return ret; 127 127 } 128 128 129 - static void irq_release(struct mlx5_irq *irq) 129 + /* mlx5_system_free_irq - Free an IRQ 130 + * @irq: IRQ to free 131 + * 132 + * Free the IRQ and other resources such as rmap from the system. 133 + * BUT doesn't free or remove reference from mlx5. 134 + * This function is very important for the shutdown flow, where we need to 135 + * cleanup system resoruces but keep mlx5 objects alive, 136 + * see mlx5_irq_table_free_irqs(). 137 + */ 138 + static void mlx5_system_free_irq(struct mlx5_irq *irq) 130 139 { 131 140 struct mlx5_irq_pool *pool = irq->pool; 132 141 #ifdef CONFIG_RFS_ACCEL 133 142 struct cpu_rmap *rmap; 134 143 #endif 135 144 136 - xa_erase(&pool->irqs, irq->pool_index); 137 145 /* free_irq requires that affinity_hint and rmap will be cleared before 138 146 * calling it. To satisfy this requirement, we call 139 147 * irq_cpu_rmap_remove() to remove the notifier ··· 153 145 irq_cpu_rmap_remove(rmap, irq->map.virq); 154 146 #endif 155 147 156 - free_cpumask_var(irq->mask); 157 148 free_irq(irq->map.virq, &irq->nh); 158 149 if (irq->map.index && pci_msix_can_alloc_dyn(pool->dev->pdev)) 159 150 pci_msix_free_irq(pool->dev->pdev, irq->map); 151 + } 152 + 153 + static void irq_release(struct mlx5_irq *irq) 154 + { 155 + struct mlx5_irq_pool *pool = irq->pool; 156 + 157 + xa_erase(&pool->irqs, irq->pool_index); 158 + mlx5_system_free_irq(irq); 159 + free_cpumask_var(irq->mask); 160 160 kfree(irq); 161 161 } 162 162 ··· 581 565 int mlx5_irqs_request_vectors(struct mlx5_core_dev *dev, u16 *cpus, int nirqs, 582 566 struct mlx5_irq **irqs, struct cpu_rmap **rmap) 583 567 { 568 + struct mlx5_irq_table *table = mlx5_irq_table_get(dev); 569 + struct mlx5_irq_pool *pool = table->pcif_pool; 584 570 struct irq_affinity_desc af_desc; 585 571 struct mlx5_irq *irq; 572 + int offset = 1; 586 573 int i; 574 + 575 + if (!pool->xa_num_irqs.max) 576 + offset = 0; 587 577 588 578 af_desc.is_managed = false; 589 579 for (i = 0; i < 
nirqs; i++) { 590 580 cpumask_clear(&af_desc.mask); 591 581 cpumask_set_cpu(cpus[i], &af_desc.mask); 592 - irq = mlx5_irq_request(dev, i + 1, &af_desc, rmap); 582 + irq = mlx5_irq_request(dev, i + offset, &af_desc, rmap); 593 583 if (IS_ERR(irq)) 594 584 break; 595 585 irqs[i] = irq; ··· 721 699 unsigned long index; 722 700 723 701 xa_for_each(&pool->irqs, index, irq) 724 - free_irq(irq->map.virq, &irq->nh); 702 + mlx5_system_free_irq(irq); 703 + 725 704 } 726 705 727 706 static void mlx5_irq_pools_free_irqs(struct mlx5_irq_table *table)
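Review bot: In mlx5_irqs_request_vectors() the new `offset` drops from 1 to 0 when pool->xa_num_irqs.max is zero, with no comment on what a zero max means or why index 0 becomes usable then; add one line explaining it. The comment above mlx5_system_free_irq() has a typo ("resoruces"), and the last hunk leaves a blank line before the closing brace of the function.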
+12 -1
drivers/net/ethernet/mellanox/mlx5/core/steering/dr_action.c
··· 1421 1421 } 1422 1422 case DR_ACTION_TYP_TNL_L3_TO_L2: 1423 1423 { 1424 - u8 hw_actions[DR_ACTION_CACHE_LINE_SIZE] = {}; 1424 + u8 *hw_actions; 1425 1425 int ret; 1426 + 1427 + hw_actions = kzalloc(DR_ACTION_CACHE_LINE_SIZE, GFP_KERNEL); 1428 + if (!hw_actions) 1429 + return -ENOMEM; 1426 1430 1427 1431 ret = mlx5dr_ste_set_action_decap_l3_list(dmn->ste_ctx, 1428 1432 data, data_sz, ··· 1435 1431 &action->rewrite->num_of_actions); 1436 1432 if (ret) { 1437 1433 mlx5dr_dbg(dmn, "Failed creating decap l3 action list\n"); 1434 + kfree(hw_actions); 1438 1435 return ret; 1439 1436 } 1440 1437 ··· 1445 1440 ret = mlx5dr_ste_alloc_modify_hdr(action); 1446 1441 if (ret) { 1447 1442 mlx5dr_dbg(dmn, "Failed preparing reformat data\n"); 1443 + kfree(hw_actions); 1448 1444 return ret; 1449 1445 } 1450 1446 return 0; ··· 2133 2127 refcount_inc(&dmn->refcount); 2134 2128 2135 2129 return action; 2130 + } 2131 + 2132 + u32 mlx5dr_action_get_pkt_reformat_id(struct mlx5dr_action *action) 2133 + { 2134 + return action->reformat->id; 2136 2135 } 2137 2136 2138 2137 int mlx5dr_action_destroy(struct mlx5dr_action *action)
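Review bot: hw_actions is now kzalloc()ed and freed on both error paths, but the `return 0` at the end of the DR_ACTION_TYP_TNL_L3_TO_L2 case has no kfree() in the visible lines, so ownership has to pass to the action in the context between the two checks; say at the allocation who frees it on success. The new mlx5dr_action_get_pkt_reformat_id() dereferences action->reformat without checking the action type, so it should document that callers pass only reformat actions.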
+25 -2
drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.c
··· 331 331 } 332 332 333 333 if (fte->action.action & MLX5_FLOW_CONTEXT_ACTION_PACKET_REFORMAT) { 334 - bool is_decap = fte->action.pkt_reformat->reformat_type == 335 - MLX5_REFORMAT_TYPE_L3_TUNNEL_TO_L2; 334 + bool is_decap; 335 + 336 + if (fte->action.pkt_reformat->owner == MLX5_FLOW_RESOURCE_OWNER_FW) { 337 + err = -EINVAL; 338 + mlx5dr_err(domain, "FW-owned reformat can't be used in SW rule\n"); 339 + goto free_actions; 340 + } 341 + 342 + is_decap = fte->action.pkt_reformat->reformat_type == 343 + MLX5_REFORMAT_TYPE_L3_TUNNEL_TO_L2; 336 344 337 345 if (is_decap) 338 346 actions[num_actions++] = ··· 669 661 return -EINVAL; 670 662 } 671 663 664 + pkt_reformat->owner = MLX5_FLOW_RESOURCE_OWNER_SW; 672 665 pkt_reformat->action.dr_action = action; 673 666 674 667 return 0; ··· 700 691 return -EINVAL; 701 692 } 702 693 694 + modify_hdr->owner = MLX5_FLOW_RESOURCE_OWNER_SW; 703 695 modify_hdr->action.dr_action = action; 704 696 705 697 return 0; ··· 824 814 steering_caps |= MLX5_FLOW_STEERING_CAP_MATCH_RANGES; 825 815 826 816 return steering_caps; 817 + } 818 + 819 + int mlx5_fs_dr_action_get_pkt_reformat_id(struct mlx5_pkt_reformat *pkt_reformat) 820 + { 821 + switch (pkt_reformat->reformat_type) { 822 + case MLX5_REFORMAT_TYPE_L2_TO_VXLAN: 823 + case MLX5_REFORMAT_TYPE_L2_TO_NVGRE: 824 + case MLX5_REFORMAT_TYPE_L2_TO_L2_TUNNEL: 825 + case MLX5_REFORMAT_TYPE_L2_TO_L3_TUNNEL: 826 + case MLX5_REFORMAT_TYPE_INSERT_HDR: 827 + return mlx5dr_action_get_pkt_reformat_id(pkt_reformat->action.dr_action); 828 + } 829 + return -EOPNOTSUPP; 827 830 } 828 831 829 832 bool mlx5_fs_dr_is_supported(struct mlx5_core_dev *dev)
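Review bot: The ownership check added in the first hunk covers only fte->action.pkt_reformat; fs_cmd.c in this merge also rejects a SW-owned modify_hdr in a FW-owned table, but no matching rejection of a FW-owned modify_hdr is added here for SW rules. Add the mirror check or note why it is not needed. In mlx5_fs_dr_action_get_pkt_reformat_id() the switch has no default label, so the fall through to `return -EOPNOTSUPP` is easy to miss; make it an explicit default.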
+7
drivers/net/ethernet/mellanox/mlx5/core/steering/fs_dr.h
··· 38 38 39 39 bool mlx5_fs_dr_is_supported(struct mlx5_core_dev *dev); 40 40 41 + int mlx5_fs_dr_action_get_pkt_reformat_id(struct mlx5_pkt_reformat *pkt_reformat); 42 + 41 43 const struct mlx5_flow_cmds *mlx5_fs_cmd_get_dr_cmds(void); 42 44 43 45 #else ··· 47 45 static inline const struct mlx5_flow_cmds *mlx5_fs_cmd_get_dr_cmds(void) 48 46 { 49 47 return NULL; 48 + } 49 + 50 + static inline u32 mlx5_fs_dr_action_get_pkt_reformat_id(struct mlx5_pkt_reformat *pkt_reformat) 51 + { 52 + return 0; 50 53 } 51 54 52 55 static inline bool mlx5_fs_dr_is_supported(struct mlx5_core_dev *dev)
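Review bot: The stub in the #else branch is declared as returning u32 and returns 0, while the real prototype above returns int and fs_cmd.c tests the result with `reformat_id < 0`. Make the stub return int, and consider returning -EOPNOTSUPP so a build without SW steering cannot hand back 0 as if it were a valid reformat id.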
+2
drivers/net/ethernet/mellanox/mlx5/core/steering/mlx5dr.h
··· 150 150 151 151 int mlx5dr_action_destroy(struct mlx5dr_action *action); 152 152 153 + u32 mlx5dr_action_get_pkt_reformat_id(struct mlx5dr_action *action); 154 + 153 155 int mlx5dr_definer_get(struct mlx5dr_domain *dmn, u16 format_id, 154 156 u8 *dw_selectors, u8 *byte_selectors, 155 157 u8 *match_mask, u32 *definer_id);
+1 -2
drivers/net/ethernet/qualcomm/qca_spi.c
··· 582 582 while (!kthread_should_stop()) { 583 583 set_current_state(TASK_INTERRUPTIBLE); 584 584 if ((qca->intr_req == qca->intr_svc) && 585 - (qca->txr.skb[qca->txr.head] == NULL) && 586 - (qca->sync == QCASPI_SYNC_READY)) 585 + !qca->txr.skb[qca->txr.head]) 587 586 schedule(); 588 587 589 588 set_current_state(TASK_RUNNING);
+18 -7
drivers/net/ethernet/sfc/ef10.c
··· 2950 2950 return tstamp; 2951 2951 } 2952 2952 2953 - static void 2953 + static int 2954 2954 efx_ef10_handle_tx_event(struct efx_channel *channel, efx_qword_t *event) 2955 2955 { 2956 2956 struct efx_nic *efx = channel->efx; ··· 2958 2958 unsigned int tx_ev_desc_ptr; 2959 2959 unsigned int tx_ev_q_label; 2960 2960 unsigned int tx_ev_type; 2961 + int work_done; 2961 2962 u64 ts_part; 2962 2963 2963 2964 if (unlikely(READ_ONCE(efx->reset_pending))) 2964 - return; 2965 + return 0; 2965 2966 2966 2967 if (unlikely(EFX_QWORD_FIELD(*event, ESF_DZ_TX_DROP_EVENT))) 2967 - return; 2968 + return 0; 2968 2969 2969 2970 /* Get the transmit queue */ 2970 2971 tx_ev_q_label = EFX_QWORD_FIELD(*event, ESF_DZ_TX_QLABEL); ··· 2974 2973 if (!tx_queue->timestamping) { 2975 2974 /* Transmit completion */ 2976 2975 tx_ev_desc_ptr = EFX_QWORD_FIELD(*event, ESF_DZ_TX_DESCR_INDX); 2977 - efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask); 2978 - return; 2976 + return efx_xmit_done(tx_queue, tx_ev_desc_ptr & tx_queue->ptr_mask); 2979 2977 } 2980 2978 2981 2979 /* Transmit timestamps are only available for 8XXX series. They result ··· 3000 3000 * fields in the event. 
3001 3001 */ 3002 3002 tx_ev_type = EFX_QWORD_FIELD(*event, ESF_EZ_TX_SOFT1); 3003 + work_done = 0; 3003 3004 3004 3005 switch (tx_ev_type) { 3005 3006 case TX_TIMESTAMP_EVENT_TX_EV_COMPLETION: ··· 3017 3016 tx_queue->completed_timestamp_major = ts_part; 3018 3017 3019 3018 efx_xmit_done_single(tx_queue); 3019 + work_done = 1; 3020 3020 break; 3021 3021 3022 3022 default: ··· 3028 3026 EFX_QWORD_VAL(*event)); 3029 3027 break; 3030 3028 } 3029 + 3030 + return work_done; 3031 3031 } 3032 3032 3033 3033 static void ··· 3085 3081 } 3086 3082 } 3087 3083 3084 + #define EFX_NAPI_MAX_TX 512 3085 + 3088 3086 static int efx_ef10_ev_process(struct efx_channel *channel, int quota) 3089 3087 { 3090 3088 struct efx_nic *efx = channel->efx; 3091 3089 efx_qword_t event, *p_event; 3092 3090 unsigned int read_ptr; 3093 - int ev_code; 3091 + int spent_tx = 0; 3094 3092 int spent = 0; 3093 + int ev_code; 3095 3094 3096 3095 if (quota <= 0) 3097 3096 return spent; ··· 3133 3126 } 3134 3127 break; 3135 3128 case ESE_DZ_EV_CODE_TX_EV: 3136 - efx_ef10_handle_tx_event(channel, &event); 3129 + spent_tx += efx_ef10_handle_tx_event(channel, &event); 3130 + if (spent_tx >= EFX_NAPI_MAX_TX) { 3131 + spent = quota; 3132 + goto out; 3133 + } 3137 3134 break; 3138 3135 case ESE_DZ_EV_CODE_DRIVER_EV: 3139 3136 efx_ef10_handle_driver_event(channel, &event);
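Review bot: EFX_NAPI_MAX_TX is defined here with value 512 and again, identically, in ef100_nic.c; move it to a shared header so the two budgets cannot diverge. In efx_ef10_handle_tx_event() the timestamping path counts one unit of work per completion event (work_done = 1) while the non-timestamping path returns the count from efx_xmit_done(), so the 512 limit means different things on the two paths; a comment should say that.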
+6 -1
drivers/net/ethernet/sfc/ef100_nic.c
··· 253 253 efx_reg(channel->efx, ER_GZ_EVQ_INT_PRIME)); 254 254 } 255 255 256 + #define EFX_NAPI_MAX_TX 512 257 + 256 258 static int ef100_ev_process(struct efx_channel *channel, int quota) 257 259 { 258 260 struct efx_nic *efx = channel->efx; ··· 262 260 bool evq_phase, old_evq_phase; 263 261 unsigned int read_ptr; 264 262 efx_qword_t *p_event; 263 + int spent_tx = 0; 265 264 int spent = 0; 266 265 bool ev_phase; 267 266 int ev_type; ··· 298 295 efx_mcdi_process_event(channel, p_event); 299 296 break; 300 297 case ESE_GZ_EF100_EV_TX_COMPLETION: 301 - ef100_ev_tx(channel, p_event); 298 + spent_tx += ef100_ev_tx(channel, p_event); 299 + if (spent_tx >= EFX_NAPI_MAX_TX) 300 + spent = quota; 302 301 break; 303 302 case ESE_GZ_EF100_EV_DRIVER: 304 303 netif_info(efx, drv, efx->net_dev,
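Review bot: When spent_tx reaches EFX_NAPI_MAX_TX this code only sets `spent = quota` and leaves the switch, whereas the ef10 version in this merge also does `goto out`; whether event processing stops right away depends on the loop condition, which is outside the hunk. Either leave the loop explicitly or add a comment that the loop tests spent against quota.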
+2 -2
drivers/net/ethernet/sfc/ef100_tx.c
··· 346 346 ef100_tx_push_buffers(tx_queue); 347 347 } 348 348 349 - void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event) 349 + int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event) 350 350 { 351 351 unsigned int tx_done = 352 352 EFX_QWORD_FIELD(*p_event, ESF_GZ_EV_TXCMPL_NUM_DESC); ··· 357 357 unsigned int tx_index = (tx_queue->read_count + tx_done - 1) & 358 358 tx_queue->ptr_mask; 359 359 360 - efx_xmit_done(tx_queue, tx_index); 360 + return efx_xmit_done(tx_queue, tx_index); 361 361 } 362 362 363 363 /* Add a socket buffer to a TX queue
+1 -1
drivers/net/ethernet/sfc/ef100_tx.h
··· 20 20 void ef100_tx_write(struct efx_tx_queue *tx_queue); 21 21 unsigned int ef100_tx_max_skb_descs(struct efx_nic *efx); 22 22 23 - void ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event); 23 + int ef100_ev_tx(struct efx_channel *channel, const efx_qword_t *p_event); 24 24 25 25 netdev_tx_t ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb); 26 26 int __ef100_enqueue_skb(struct efx_tx_queue *tx_queue, struct sk_buff *skb,
+3 -1
drivers/net/ethernet/sfc/tx_common.c
··· 249 249 } 250 250 } 251 251 252 - void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index) 252 + int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index) 253 253 { 254 254 unsigned int fill_level, pkts_compl = 0, bytes_compl = 0; 255 255 unsigned int efv_pkts_compl = 0; ··· 279 279 } 280 280 281 281 efx_xmit_done_check_empty(tx_queue); 282 + 283 + return pkts_compl + efv_pkts_compl; 282 284 } 283 285 284 286 /* Remove buffers put into a tx_queue for the current packet.
+1 -1
drivers/net/ethernet/sfc/tx_common.h
··· 28 28 } 29 29 30 30 void efx_xmit_done_check_empty(struct efx_tx_queue *tx_queue); 31 - void efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index); 31 + int efx_xmit_done(struct efx_tx_queue *tx_queue, unsigned int index); 32 32 33 33 void efx_enqueue_unwind(struct efx_tx_queue *tx_queue, 34 34 unsigned int insert_count);
+2
drivers/net/ieee802154/adf7242.c
··· 1348 1348 MODULE_AUTHOR("Michael Hennerich <michael.hennerich@analog.com>"); 1349 1349 MODULE_DESCRIPTION("ADF7242 IEEE802.15.4 Transceiver Driver"); 1350 1350 MODULE_LICENSE("GPL"); 1351 + 1352 + MODULE_FIRMWARE(FIRMWARE);
+4 -2
drivers/net/ieee802154/mac802154_hwsim.c
··· 685 685 static int hwsim_set_edge_lqi(struct sk_buff *msg, struct genl_info *info) 686 686 { 687 687 struct nlattr *edge_attrs[MAC802154_HWSIM_EDGE_ATTR_MAX + 1]; 688 - struct hwsim_edge_info *einfo; 688 + struct hwsim_edge_info *einfo, *einfo_old; 689 689 struct hwsim_phy *phy_v0; 690 690 struct hwsim_edge *e; 691 691 u32 v0, v1; ··· 723 723 list_for_each_entry_rcu(e, &phy_v0->edges, list) { 724 724 if (e->endpoint->idx == v1) { 725 725 einfo->lqi = lqi; 726 - rcu_assign_pointer(e->info, einfo); 726 + einfo_old = rcu_replace_pointer(e->info, einfo, 727 + lockdep_is_held(&hwsim_phys_lock)); 727 728 rcu_read_unlock(); 729 + kfree_rcu(einfo_old, rcu); 728 730 mutex_unlock(&hwsim_phys_lock); 729 731 return 0; 730 732 }
+1 -1
drivers/net/phy/dp83867.c
··· 936 936 { 937 937 int err; 938 938 939 - err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART); 939 + err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESET); 940 940 if (err < 0) 941 941 return err; 942 942
+1 -1
drivers/net/phy/mdio_bus.c
··· 1287 1287 * @mask: bit mask of bits to clear 1288 1288 * @set: bit mask of bits to set 1289 1289 */ 1290 - int mdiobus_c45_modify_changed(struct mii_bus *bus, int devad, int addr, 1290 + int mdiobus_c45_modify_changed(struct mii_bus *bus, int addr, int devad, 1291 1291 u32 regnum, u16 mask, u16 set) 1292 1292 { 1293 1293 int err;
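Review bot: swapping the order to (bus, addr, devad, ...) in mdiobus_c45_modify_changed() changes the meaning of two adjacent int parameters, so any caller still passing them in the old order will compile without a warning. Please check every call site against the new order and make sure the @addr and @devad entries in the kernel-doc above the function appear in the same order as the prototype.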
+14 -1
drivers/net/phy/phy_device.c
··· 3021 3021 return err; 3022 3022 } 3023 3023 3024 + static void phy_leds_unregister(struct phy_device *phydev) 3025 + { 3026 + struct phy_led *phyled; 3027 + 3028 + list_for_each_entry(phyled, &phydev->leds, list) { 3029 + led_classdev_unregister(&phyled->led_cdev); 3030 + } 3031 + } 3032 + 3024 3033 static int of_phy_led(struct phy_device *phydev, 3025 3034 struct device_node *led) 3026 3035 { ··· 3063 3054 init_data.fwnode = of_fwnode_handle(led); 3064 3055 init_data.devname_mandatory = true; 3065 3056 3066 - err = devm_led_classdev_register_ext(dev, cdev, &init_data); 3057 + err = led_classdev_register_ext(dev, cdev, &init_data); 3067 3058 if (err) 3068 3059 return err; 3069 3060 ··· 3092 3083 err = of_phy_led(phydev, led); 3093 3084 if (err) { 3094 3085 of_node_put(led); 3086 + phy_leds_unregister(phydev); 3095 3087 return err; 3096 3088 } 3097 3089 } ··· 3314 3304 struct phy_device *phydev = to_phy_device(dev); 3315 3305 3316 3306 cancel_delayed_work_sync(&phydev->state_queue); 3307 + 3308 + if (IS_ENABLED(CONFIG_PHYLIB_LEDS)) 3309 + phy_leds_unregister(phydev); 3317 3310 3318 3311 phydev->state = PHY_DOWN; 3319 3312
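Review bot: phy_leds_unregister() walks phydev->leds and unregisters each entry but leaves the entries on the list, so with the move from devm_led_classdev_register_ext() to led_classdev_register_ext() correctness depends on the helper running exactly once per PHY. It is called from both the of_phy_leds() error path and phy_remove(); either remove each entry from the list as it is unregistered or add a comment stating that the two paths are mutually exclusive. The phy_remove() call is guarded by IS_ENABLED(CONFIG_PHYLIB_LEDS) while the error-path call is not, which deserves a word as well.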
+2
drivers/net/wireless/intel/iwlwifi/pcie/drv.c
··· 548 548 IWL_DEV_INFO(0x54F0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 549 549 IWL_DEV_INFO(0x7A70, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), 550 550 IWL_DEV_INFO(0x7A70, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 551 + IWL_DEV_INFO(0x7AF0, 0x1691, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690s_name), 552 + IWL_DEV_INFO(0x7AF0, 0x1692, iwlax411_2ax_cfg_so_gf4_a0, iwl_ax411_killer_1690i_name), 551 553 552 554 IWL_DEV_INFO(0x271C, 0x0214, iwl9260_2ac_cfg, iwl9260_1_name), 553 555 IWL_DEV_INFO(0x7E40, 0x1691, iwl_cfg_ma_a0_gf4_a0, iwl_ax411_killer_1690s_name),
+6 -9
drivers/net/wwan/iosm/iosm_ipc_mux_codec.c
··· 626 626 if (adth->signature != cpu_to_le32(IOSM_AGGR_MUX_SIG_ADTH)) 627 627 goto adb_decode_err; 628 628 629 - if (le16_to_cpu(adth->table_length) < (sizeof(struct mux_adth) - 630 - sizeof(struct mux_adth_dg))) 629 + if (le16_to_cpu(adth->table_length) < sizeof(struct mux_adth)) 631 630 goto adb_decode_err; 632 631 633 632 /* Calculate the number of datagrams. */ 634 633 nr_of_dg = (le16_to_cpu(adth->table_length) - 635 - sizeof(struct mux_adth) + 636 - sizeof(struct mux_adth_dg)) / 634 + sizeof(struct mux_adth)) / 637 635 sizeof(struct mux_adth_dg); 638 636 639 637 /* Is the datagram table empty ? */ ··· 647 649 } 648 650 649 651 /* New aggregated datagram table. */ 650 - dg = &adth->dg; 652 + dg = adth->dg; 651 653 if (mux_dl_process_dg(ipc_mux, adbh, dg, skb, if_id, 652 654 nr_of_dg) < 0) 653 655 goto adb_decode_err; ··· 847 849 adth->if_id = i; 848 850 adth->table_length = cpu_to_le16(adth_dg_size); 849 851 adth_dg_size -= offsetof(struct mux_adth, dg); 850 - memcpy(&adth->dg, ul_adb->dg[i], adth_dg_size); 852 + memcpy(adth->dg, ul_adb->dg[i], adth_dg_size); 851 853 ul_adb->if_cnt++; 852 854 } 853 855 ··· 1424 1426 1425 1427 if (adth->signature == cpu_to_le32(IOSM_AGGR_MUX_SIG_ADTH)) { 1426 1428 nr_of_dg = (le16_to_cpu(adth->table_length) - 1427 - sizeof(struct mux_adth) + 1428 - sizeof(struct mux_adth_dg)) / 1429 + sizeof(struct mux_adth)) / 1429 1430 sizeof(struct mux_adth_dg); 1430 1431 1431 1432 if (nr_of_dg <= 0) 1432 1433 return payload_size; 1433 1434 1434 - dg = &adth->dg; 1435 + dg = adth->dg; 1435 1436 1436 1437 for (i = 0; i < nr_of_dg; i++, dg++) { 1437 1438 if (le32_to_cpu(dg->datagram_index) <
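Review bot: the hunk at line 1426 subtracts sizeof(struct mux_adth) from le16_to_cpu(adth->table_length) without the lower-bound check that the hunk at line 629 performs first. The subtraction is evaluated as size_t, so a table_length smaller than the header wraps to a very large value before the division, and the following "if (nr_of_dg <= 0)" test only catches it if the conversion to the type of nr_of_dg happens to produce a non-positive number. Suggest repeating the "le16_to_cpu(adth->table_length) < sizeof(struct mux_adth)" test before computing nr_of_dg there.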
+1 -1
drivers/net/wwan/iosm/iosm_ipc_mux_codec.h
··· 161 161 u8 opt_ipv4v6; 162 162 __le32 next_table_index; 163 163 __le32 reserved2; 164 - struct mux_adth_dg dg; 164 + struct mux_adth_dg dg[]; 165 165 }; 166 166 167 167 /**
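Review bot: turning dg into a flexible array makes sizeof(struct mux_adth) smaller by one struct mux_adth_dg. The three size computations in iosm_ipc_mux_codec.c are adjusted in this patch, but any other sizeof(struct mux_adth) user would silently change meaning, so please confirm there are none. The member's kernel-doc entry should also say that dg is a variable-length table whose length is derived from table_length.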
+3
drivers/nfc/fdp/fdp.c
··· 762 762 MODULE_LICENSE("GPL"); 763 763 MODULE_DESCRIPTION("NFC NCI driver for Intel Fields Peak NFC controller"); 764 764 MODULE_AUTHOR("Robert Dolca <robert.dolca@intel.com>"); 765 + 766 + MODULE_FIRMWARE(FDP_OTP_PATCH_NAME); 767 + MODULE_FIRMWARE(FDP_RAM_PATCH_NAME);
+8
include/net/dsa.h
··· 959 959 void (*port_disable)(struct dsa_switch *ds, int port); 960 960 961 961 /* 962 + * Compatibility between device trees defining multiple CPU ports and 963 + * drivers which are not OK to use by default the numerically smallest 964 + * CPU port of a switch for its local ports. This can return NULL, 965 + * meaning "don't know/don't care". 966 + */ 967 + struct dsa_port *(*preferred_default_local_cpu_port)(struct dsa_switch *ds); 968 + 969 + /* 962 970 * Port's MAC EEE settings 963 971 */ 964 972 int (*set_mac_eee)(struct dsa_switch *ds, int port,
+29 -2
include/net/netfilter/nf_tables.h
··· 472 472 int (*init)(const struct nft_set *set, 473 473 const struct nft_set_desc *desc, 474 474 const struct nlattr * const nla[]); 475 - void (*destroy)(const struct nft_set *set); 475 + void (*destroy)(const struct nft_ctx *ctx, 476 + const struct nft_set *set); 476 477 void (*gc_init)(const struct nft_set *set); 477 478 478 479 unsigned int elemsize; ··· 810 809 struct nft_expr *expr_array[]); 811 810 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 812 811 bool destroy_expr); 812 + void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 813 + const struct nft_set *set, void *elem); 813 814 814 815 /** 815 816 * struct nft_set_gc_batch_head - nf_tables set garbage collection batch ··· 904 901 905 902 enum nft_trans_phase { 906 903 NFT_TRANS_PREPARE, 904 + NFT_TRANS_PREPARE_ERROR, 907 905 NFT_TRANS_ABORT, 908 906 NFT_TRANS_COMMIT, 909 907 NFT_TRANS_RELEASE ··· 1013 1009 return (void *)&rule->data[rule->dlen]; 1014 1010 } 1015 1011 1016 - void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule); 1012 + void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule); 1013 + void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 1014 + enum nft_trans_phase phase); 1015 + void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule); 1017 1016 1018 1017 static inline void nft_set_elem_update_expr(const struct nft_set_ext *ext, 1019 1018 struct nft_regs *regs, ··· 1111 1104 const struct nft_set_iter *iter, 1112 1105 struct nft_set_elem *elem); 1113 1106 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set); 1107 + int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); 1108 + void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain); 1114 1109 1115 1110 enum nft_chain_types { 1116 1111 NFT_CHAIN_T_DEFAULT = 0, ··· 1149 1140 int nft_chain_validate_hooks(const struct nft_chain *chain, 1150 1141 unsigned 
int hook_flags); 1151 1142 1143 + static inline bool nft_chain_binding(const struct nft_chain *chain) 1144 + { 1145 + return chain->flags & NFT_CHAIN_BINDING; 1146 + } 1147 + 1152 1148 static inline bool nft_chain_is_bound(struct nft_chain *chain) 1153 1149 { 1154 1150 return (chain->flags & NFT_CHAIN_BINDING) && chain->bound; 1155 1151 } 1156 1152 1153 + int nft_chain_add(struct nft_table *table, struct nft_chain *chain); 1157 1154 void nft_chain_del(struct nft_chain *chain); 1158 1155 void nf_tables_chain_destroy(struct nft_ctx *ctx); 1159 1156 ··· 1573 1558 * struct nft_trans - nf_tables object update in transaction 1574 1559 * 1575 1560 * @list: used internally 1561 + * @binding_list: list of objects with possible bindings 1576 1562 * @msg_type: message type 1577 1563 * @put_net: ctx->net needs to be put 1578 1564 * @ctx: transaction context ··· 1581 1565 */ 1582 1566 struct nft_trans { 1583 1567 struct list_head list; 1568 + struct list_head binding_list; 1584 1569 int msg_type; 1585 1570 bool put_net; 1586 1571 struct nft_ctx ctx; ··· 1592 1575 struct nft_rule *rule; 1593 1576 struct nft_flow_rule *flow; 1594 1577 u32 rule_id; 1578 + bool bound; 1595 1579 }; 1596 1580 1597 1581 #define nft_trans_rule(trans) \ ··· 1601 1583 (((struct nft_trans_rule *)trans->data)->flow) 1602 1584 #define nft_trans_rule_id(trans) \ 1603 1585 (((struct nft_trans_rule *)trans->data)->rule_id) 1586 + #define nft_trans_rule_bound(trans) \ 1587 + (((struct nft_trans_rule *)trans->data)->bound) 1604 1588 1605 1589 struct nft_trans_set { 1606 1590 struct nft_set *set; ··· 1627 1607 (((struct nft_trans_set *)trans->data)->gc_int) 1628 1608 1629 1609 struct nft_trans_chain { 1610 + struct nft_chain *chain; 1630 1611 bool update; 1631 1612 char *name; 1632 1613 struct nft_stats __percpu *stats; 1633 1614 u8 policy; 1615 + bool bound; 1634 1616 u32 chain_id; 1635 1617 struct nft_base_chain *basechain; 1636 1618 struct list_head hook_list; 1637 1619 }; 1638 1620 1621 + #define 
nft_trans_chain(trans) \ 1622 + (((struct nft_trans_chain *)trans->data)->chain) 1639 1623 #define nft_trans_chain_update(trans) \ 1640 1624 (((struct nft_trans_chain *)trans->data)->update) 1641 1625 #define nft_trans_chain_name(trans) \ ··· 1648 1624 (((struct nft_trans_chain *)trans->data)->stats) 1649 1625 #define nft_trans_chain_policy(trans) \ 1650 1626 (((struct nft_trans_chain *)trans->data)->policy) 1627 + #define nft_trans_chain_bound(trans) \ 1628 + (((struct nft_trans_chain *)trans->data)->bound) 1651 1629 #define nft_trans_chain_id(trans) \ 1652 1630 (((struct nft_trans_chain *)trans->data)->chain_id) 1653 1631 #define nft_trans_basechain(trans) \ ··· 1726 1700 struct nftables_pernet { 1727 1701 struct list_head tables; 1728 1702 struct list_head commit_list; 1703 + struct list_head binding_list; 1729 1704 struct list_head module_list; 1730 1705 struct list_head notify_list; 1731 1706 struct mutex commit_mutex;
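Review bot: NFT_TRANS_PREPARE_ERROR is inserted between NFT_TRANS_PREPARE and NFT_TRANS_ABORT in enum nft_trans_phase with no comment on when it is passed instead of NFT_TRANS_ABORT, and every deactivate handler that switches on the phase has to get that distinction right. A one-line comment per enum value would help. The kernel-doc for struct nft_trans gains @binding_list, but the new bound members in struct nft_trans_rule and struct nft_trans_chain and the binding_list in struct nftables_pernet are added without any description.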
+1
include/net/xfrm.h
··· 1054 1054 struct sec_path { 1055 1055 int len; 1056 1056 int olen; 1057 + int verified_cnt; 1057 1058 1058 1059 struct xfrm_state *xvec[XFRM_MAX_DEPTH]; 1059 1060 struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
+8 -12
kernel/bpf/btf.c
··· 744 744 return offset < btf->hdr.str_len; 745 745 } 746 746 747 - static bool __btf_name_char_ok(char c, bool first, bool dot_ok) 747 + static bool __btf_name_char_ok(char c, bool first) 748 748 { 749 749 if ((first ? !isalpha(c) : 750 750 !isalnum(c)) && 751 751 c != '_' && 752 - ((c == '.' && !dot_ok) || 753 - c != '.')) 752 + c != '.') 754 753 return false; 755 754 return true; 756 755 } ··· 766 767 return NULL; 767 768 } 768 769 769 - static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok) 770 + static bool __btf_name_valid(const struct btf *btf, u32 offset) 770 771 { 771 772 /* offset must be valid */ 772 773 const char *src = btf_str_by_offset(btf, offset); 773 774 const char *src_limit; 774 775 775 - if (!__btf_name_char_ok(*src, true, dot_ok)) 776 + if (!__btf_name_char_ok(*src, true)) 776 777 return false; 777 778 778 779 /* set a limit on identifier length */ 779 780 src_limit = src + KSYM_NAME_LEN; 780 781 src++; 781 782 while (*src && src < src_limit) { 782 - if (!__btf_name_char_ok(*src, false, dot_ok)) 783 + if (!__btf_name_char_ok(*src, false)) 783 784 return false; 784 785 src++; 785 786 } ··· 787 788 return !*src; 788 789 } 789 790 790 - /* Only C-style identifier is permitted. This can be relaxed if 791 - * necessary. 
792 - */ 793 791 static bool btf_name_valid_identifier(const struct btf *btf, u32 offset) 794 792 { 795 - return __btf_name_valid(btf, offset, false); 793 + return __btf_name_valid(btf, offset); 796 794 } 797 795 798 796 static bool btf_name_valid_section(const struct btf *btf, u32 offset) 799 797 { 800 - return __btf_name_valid(btf, offset, true); 798 + return __btf_name_valid(btf, offset); 801 799 } 802 800 803 801 static const char *__btf_name_by_offset(const struct btf *btf, u32 offset) ··· 4418 4422 } 4419 4423 4420 4424 if (!t->name_off || 4421 - !__btf_name_valid(env->btf, t->name_off, true)) { 4425 + !__btf_name_valid(env->btf, t->name_off)) { 4422 4426 btf_verifier_log_type(env, t, "Invalid name"); 4423 4427 return -EINVAL; 4424 4428 }
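Review bot: with dot_ok removed, __btf_name_char_ok() accepts '.' in every position, including the first character, because the "c != '.'" term applies to both the isalpha() and the isalnum() branch. If a leading dot is not meant to be valid, the first-character case needs its own test. btf_name_valid_identifier() and btf_name_valid_section() are now identical wrappers around __btf_name_valid(), and the comment that said only C-style identifiers are permitted is deleted without a replacement; either fold the two helpers into one or add a comment describing the accepted character set.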
+5
kernel/bpf/syscall.c
··· 3440 3440 return prog->enforce_expected_attach_type && 3441 3441 prog->expected_attach_type != attach_type ? 3442 3442 -EINVAL : 0; 3443 + case BPF_PROG_TYPE_KPROBE: 3444 + if (prog->expected_attach_type == BPF_TRACE_KPROBE_MULTI && 3445 + attach_type != BPF_TRACE_KPROBE_MULTI) 3446 + return -EINVAL; 3447 + return 0; 3443 3448 default: 3444 3449 return 0; 3445 3450 }
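Review bot: the new BPF_PROG_TYPE_KPROBE case is one-directional. It rejects a program loaded with expected_attach_type BPF_TRACE_KPROBE_MULTI that is attached with a different attach_type, but returns 0 when attach_type is BPF_TRACE_KPROBE_MULTI and the program was loaded without that expected type. If the reverse case is rejected elsewhere, say so in a comment here; otherwise compare both directions.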
+8 -2
kernel/bpf/verifier.c
··· 3868 3868 return err; 3869 3869 } 3870 3870 save_register_state(state, spi, reg, size); 3871 + /* Break the relation on a narrowing spill. */ 3872 + if (fls64(reg->umax_value) > BITS_PER_BYTE * size) 3873 + state->stack[spi].spilled_ptr.id = 0; 3871 3874 } else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) && 3872 3875 insn->imm != 0 && env->bpf_capable) { 3873 3876 struct bpf_reg_state fake_reg = {}; ··· 17217 17214 } 17218 17215 17219 17216 /* finally lock prog and jit images for all functions and 17220 - * populate kallsysm 17217 + * populate kallsysm. Begin at the first subprogram, since 17218 + * bpf_prog_load will add the kallsyms for the main program. 17221 17219 */ 17222 - for (i = 0; i < env->subprog_cnt; i++) { 17220 + for (i = 1; i < env->subprog_cnt; i++) { 17223 17221 bpf_prog_lock_ro(func[i]); 17224 17222 bpf_prog_kallsyms_add(func[i]); 17225 17223 } ··· 17246 17242 prog->jited = 1; 17247 17243 prog->bpf_func = func[0]->bpf_func; 17248 17244 prog->jited_len = func[0]->jited_len; 17245 + prog->aux->extable = func[0]->aux->extable; 17246 + prog->aux->num_exentries = func[0]->aux->num_exentries; 17249 17247 prog->aux->func = func; 17250 17248 prog->aux->func_cnt = env->subprog_cnt; 17251 17249 bpf_prog_jit_attempt_done(prog);
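Review bot: in the second hunk the loop now starts at i = 1, and the updated comment explains this only for kallsyms ("bpf_prog_load will add the kallsyms for the main program"). The same loop body also calls bpf_prog_lock_ro(func[i]), so func[0] is no longer locked read-only here either. Please extend the comment to say where func[0] gets locked, or keep the bpf_prog_lock_ro() call for index 0 and skip only bpf_prog_kallsyms_add(). In the first hunk, the narrowing-spill test would benefit from a sentence explaining why fls64(reg->umax_value) compared with BITS_PER_BYTE * size is the right condition for clearing the id.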
-6
net/core/sock.c
··· 1362 1362 __sock_set_mark(sk, val); 1363 1363 break; 1364 1364 case SO_RCVMARK: 1365 - if (!sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_RAW) && 1366 - !sockopt_ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { 1367 - ret = -EPERM; 1368 - break; 1369 - } 1370 - 1371 1365 sock_valbool_flag(sk, SOCK_RCVMARK, valbool); 1372 1366 break; 1373 1367
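Review bot: removing the CAP_NET_RAW / CAP_NET_ADMIN test from the SO_RCVMARK case leaves sock_valbool_flag(sk, SOCK_RCVMARK, valbool) reachable by any caller, and nothing in the code records that this is intended. Since the change reverts an earlier privilege alignment with SO_MARK, a one-line comment in the case stating that SO_RCVMARK is deliberately unprivileged, and why, would keep the check from being added back later.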
+23 -1
net/dsa/dsa.c
··· 403 403 return 0; 404 404 } 405 405 406 + static struct dsa_port * 407 + dsa_switch_preferred_default_local_cpu_port(struct dsa_switch *ds) 408 + { 409 + struct dsa_port *cpu_dp; 410 + 411 + if (!ds->ops->preferred_default_local_cpu_port) 412 + return NULL; 413 + 414 + cpu_dp = ds->ops->preferred_default_local_cpu_port(ds); 415 + if (!cpu_dp) 416 + return NULL; 417 + 418 + if (WARN_ON(!dsa_port_is_cpu(cpu_dp) || cpu_dp->ds != ds)) 419 + return NULL; 420 + 421 + return cpu_dp; 422 + } 423 + 406 424 /* Perform initial assignment of CPU ports to user ports and DSA links in the 407 425 * fabric, giving preference to CPU ports local to each switch. Default to 408 426 * using the first CPU port in the switch tree if the port does not have a CPU ··· 428 410 */ 429 411 static int dsa_tree_setup_cpu_ports(struct dsa_switch_tree *dst) 430 412 { 431 - struct dsa_port *cpu_dp, *dp; 413 + struct dsa_port *preferred_cpu_dp, *cpu_dp, *dp; 432 414 433 415 list_for_each_entry(cpu_dp, &dst->ports, list) { 434 416 if (!dsa_port_is_cpu(cpu_dp)) 417 + continue; 418 + 419 + preferred_cpu_dp = dsa_switch_preferred_default_local_cpu_port(cpu_dp->ds); 420 + if (preferred_cpu_dp && preferred_cpu_dp != cpu_dp) 435 421 continue; 436 422 437 423 /* Prefer a local CPU port */
+1 -1
net/ieee802154/trace.h
··· 13 13 14 14 #define MAXNAME 32 15 15 #define WPAN_PHY_ENTRY __array(char, wpan_phy_name, MAXNAME) 16 - #define WPAN_PHY_ASSIGN strlcpy(__entry->wpan_phy_name, \ 16 + #define WPAN_PHY_ASSIGN strscpy(__entry->wpan_phy_name, \ 17 17 wpan_phy_name(wpan_phy), \ 18 18 MAXNAME) 19 19 #define WPAN_PHY_PR_FMT "%s"
+3
net/ipv4/esp4_offload.c
··· 340 340 341 341 secpath_reset(skb); 342 342 343 + if (skb_needs_linearize(skb, skb->dev->features) && 344 + __skb_linearize(skb)) 345 + return -ENOMEM; 343 346 return 0; 344 347 } 345 348
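Review bot: the new -ENOMEM return sits after secpath_reset(skb), and the hunk does not show who owns the skb when this function fails. Please confirm the caller frees the skb on a negative return, or free it here. The condition also hides an allocation inside a boolean expression; splitting it into a skb_needs_linearize() test followed by an explicit check of the __skb_linearize() result would read more clearly. The same three lines are added to net/ipv6/esp6_offload.c, so the point applies there too.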
+1
net/ipv4/xfrm4_input.c
··· 164 164 kfree_skb(skb); 165 165 return 0; 166 166 } 167 + EXPORT_SYMBOL(xfrm4_udp_encap_rcv); 167 168 168 169 int xfrm4_rcv(struct sk_buff *skb) 169 170 {
+3
net/ipv6/esp6_offload.c
··· 374 374 375 375 secpath_reset(skb); 376 376 377 + if (skb_needs_linearize(skb, skb->dev->features) && 378 + __skb_linearize(skb)) 379 + return -ENOMEM; 377 380 return 0; 378 381 } 379 382
+3
net/ipv6/xfrm6_input.c
··· 86 86 __be32 *udpdata32; 87 87 __u16 encap_type = up->encap_type; 88 88 89 + if (skb->protocol == htons(ETH_P_IP)) 90 + return xfrm4_udp_encap_rcv(sk, skb); 91 + 89 92 /* if this is not encapsulated socket, then just return now */ 90 93 if (!encap_type) 91 94 return 1;
+1 -1
net/mac80211/rx.c
··· 2110 2110 /* either the frame has been decrypted or will be dropped */ 2111 2111 status->flag |= RX_FLAG_DECRYPTED; 2112 2112 2113 - if (unlikely(ieee80211_is_beacon(fc) && result == RX_DROP_UNUSABLE && 2113 + if (unlikely(ieee80211_is_beacon(fc) && (result & RX_DROP_UNUSABLE) && 2114 2114 rx->sdata->dev)) 2115 2115 cfg80211_rx_unprot_mlme_mgmt(rx->sdata->dev, 2116 2116 skb->data, skb->len);
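Review bot: replacing "result == RX_DROP_UNUSABLE" with "(result & RX_DROP_UNUSABLE)" turns an equality test into a bit test, which is true for any result value that shares at least one set bit with RX_DROP_UNUSABLE. Whether that is correct depends on how the drop results are encoded, which is not visible in this hunk. If RX_DROP_UNUSABLE can have more than one bit set, or other results overlap with it, a masked equality comparison is the safer form. A comment naming the encoding being relied on would settle it.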
+1 -1
net/mac802154/trace.h
··· 14 14 15 15 #define MAXNAME 32 16 16 #define LOCAL_ENTRY __array(char, wpan_phy_name, MAXNAME) 17 - #define LOCAL_ASSIGN strlcpy(__entry->wpan_phy_name, \ 17 + #define LOCAL_ASSIGN strscpy(__entry->wpan_phy_name, \ 18 18 wpan_phy_name(local->hw.phy), MAXNAME) 19 19 #define LOCAL_PR_FMT "%s" 20 20 #define LOCAL_PR_ARG __entry->wpan_phy_name
+1
net/mptcp/pm_netlink.c
··· 1047 1047 if (err) 1048 1048 return err; 1049 1049 1050 + inet_sk_state_store(newsk, TCP_LISTEN); 1050 1051 err = kernel_listen(ssock, backlog); 1051 1052 if (err) 1052 1053 return err;
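Review bot: inet_sk_state_store(newsk, TCP_LISTEN) is now done before kernel_listen(), but the error path right below it ("if (err) return err;") leaves newsk in TCP_LISTEN when kernel_listen() fails. Either restore the previous state on failure or add a comment explaining why the stale TCP_LISTEN state is harmless on that path.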
+64 -96
net/mptcp/protocol.c
··· 44 44 static struct percpu_counter mptcp_sockets_allocated ____cacheline_aligned_in_smp; 45 45 46 46 static void __mptcp_destroy_sock(struct sock *sk); 47 - static void __mptcp_check_send_data_fin(struct sock *sk); 47 + static void mptcp_check_send_data_fin(struct sock *sk); 48 48 49 49 DEFINE_PER_CPU(struct mptcp_delegated_action, mptcp_delegated_actions); 50 50 static struct net_device mptcp_napi_dev; ··· 424 424 { 425 425 struct mptcp_sock *msk = mptcp_sk(sk); 426 426 427 - return !__mptcp_check_fallback(msk) && 428 - ((1 << sk->sk_state) & 427 + return ((1 << sk->sk_state) & 429 428 (TCPF_FIN_WAIT1 | TCPF_CLOSING | TCPF_LAST_ACK)) && 430 429 msk->write_seq == READ_ONCE(msk->snd_una); 431 430 } ··· 582 583 u64 rcv_data_fin_seq; 583 584 bool ret = false; 584 585 585 - if (__mptcp_check_fallback(msk)) 586 - return ret; 587 - 588 586 /* Need to ack a DATA_FIN received from a peer while this side 589 587 * of the connection is in ESTABLISHED, FIN_WAIT1, or FIN_WAIT2. 590 588 * msk->rcv_data_fin was set when parsing the incoming options ··· 619 623 } 620 624 621 625 ret = true; 622 - mptcp_send_ack(msk); 626 + if (!__mptcp_check_fallback(msk)) 627 + mptcp_send_ack(msk); 623 628 mptcp_close_wake_up(sk); 624 629 } 625 630 return ret; ··· 847 850 return true; 848 851 } 849 852 850 - static void __mptcp_flush_join_list(struct sock *sk) 853 + static void __mptcp_flush_join_list(struct sock *sk, struct list_head *join_list) 851 854 { 852 855 struct mptcp_subflow_context *tmp, *subflow; 853 856 struct mptcp_sock *msk = mptcp_sk(sk); 854 857 855 - list_for_each_entry_safe(subflow, tmp, &msk->join_list, node) { 858 + list_for_each_entry_safe(subflow, tmp, join_list, node) { 856 859 struct sock *ssk = mptcp_subflow_tcp_sock(subflow); 857 860 bool slow = lock_sock_fast(ssk); 858 861 ··· 892 895 return true; 893 896 } 894 897 return false; 895 - } 896 - 897 - void mptcp_subflow_eof(struct sock *sk) 898 - { 899 - if (!test_and_set_bit(MPTCP_WORK_EOF, &mptcp_sk(sk)->flags)) 
900 - mptcp_schedule_work(sk); 901 - } 902 - 903 - static void mptcp_check_for_eof(struct mptcp_sock *msk) 904 - { 905 - struct mptcp_subflow_context *subflow; 906 - struct sock *sk = (struct sock *)msk; 907 - int receivers = 0; 908 - 909 - mptcp_for_each_subflow(msk, subflow) 910 - receivers += !subflow->rx_eof; 911 - if (receivers) 912 - return; 913 - 914 - if (!(sk->sk_shutdown & RCV_SHUTDOWN)) { 915 - /* hopefully temporary hack: propagate shutdown status 916 - * to msk, when all subflows agree on it 917 - */ 918 - WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN); 919 - 920 - smp_mb__before_atomic(); /* SHUTDOWN must be visible first */ 921 - sk->sk_data_ready(sk); 922 - } 923 - 924 - switch (sk->sk_state) { 925 - case TCP_ESTABLISHED: 926 - inet_sk_state_store(sk, TCP_CLOSE_WAIT); 927 - break; 928 - case TCP_FIN_WAIT1: 929 - inet_sk_state_store(sk, TCP_CLOSING); 930 - break; 931 - case TCP_FIN_WAIT2: 932 - inet_sk_state_store(sk, TCP_CLOSE); 933 - break; 934 - default: 935 - return; 936 - } 937 - mptcp_close_wake_up(sk); 938 898 } 939 899 940 900 static struct sock *mptcp_subflow_recv_lookup(const struct mptcp_sock *msk) ··· 1563 1609 if (!mptcp_timer_pending(sk)) 1564 1610 mptcp_reset_timer(sk); 1565 1611 if (do_check_data_fin) 1566 - __mptcp_check_send_data_fin(sk); 1612 + mptcp_check_send_data_fin(sk); 1567 1613 } 1568 1614 1569 1615 static void __mptcp_subflow_push_pending(struct sock *sk, struct sock *ssk, bool first) ··· 1681 1727 if (ret && ret != -EINPROGRESS && ret != -ERESTARTSYS && ret != -EINTR) 1682 1728 *copied_syn = 0; 1683 1729 } else if (ret && ret != -EINPROGRESS) { 1684 - mptcp_disconnect(sk, 0); 1730 + /* The disconnect() op called by tcp_sendmsg_fastopen()/ 1731 + * __inet_stream_connect() can fail, due to looking check, 1732 + * see mptcp_disconnect(). 1733 + * Attempt it again outside the problematic scope. 
1734 + */ 1735 + if (!mptcp_disconnect(sk, 0)) 1736 + sk->sk_socket->state = SS_UNCONNECTED; 1685 1737 } 1686 1738 inet_sk(sk)->defer_connect = 0; 1687 1739 ··· 2118 2158 break; 2119 2159 } 2120 2160 2121 - if (test_and_clear_bit(MPTCP_WORK_EOF, &msk->flags)) 2122 - mptcp_check_for_eof(msk); 2123 - 2124 2161 if (sk->sk_shutdown & RCV_SHUTDOWN) { 2125 2162 /* race breaker: the shutdown could be after the 2126 2163 * previous receive queue check ··· 2346 2389 2347 2390 need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk); 2348 2391 if (!dispose_it) { 2349 - tcp_disconnect(ssk, 0); 2392 + /* The MPTCP code never wait on the subflow sockets, TCP-level 2393 + * disconnect should never fail 2394 + */ 2395 + WARN_ON_ONCE(tcp_disconnect(ssk, 0)); 2350 2396 msk->subflow->state = SS_UNCONNECTED; 2351 2397 mptcp_subflow_ctx_reset(subflow); 2352 2398 release_sock(ssk); ··· 2368 2408 kfree_rcu(subflow, rcu); 2369 2409 } else { 2370 2410 /* otherwise tcp will dispose of the ssk and subflow ctx */ 2371 - if (ssk->sk_state == TCP_LISTEN) { 2372 - tcp_set_state(ssk, TCP_CLOSE); 2373 - mptcp_subflow_queue_clean(sk, ssk); 2374 - inet_csk_listen_stop(ssk); 2375 - mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CLOSED); 2376 - } 2377 - 2378 2411 __tcp_close(ssk, 0); 2379 2412 2380 2413 /* close acquired an extra ref */ ··· 2624 2671 if (unlikely((1 << state) & (TCPF_CLOSE | TCPF_LISTEN))) 2625 2672 goto unlock; 2626 2673 2627 - mptcp_check_data_fin_ack(sk); 2628 - 2629 2674 mptcp_check_fastclose(msk); 2630 2675 2631 2676 mptcp_pm_nl_work(msk); 2632 2677 2633 - if (test_and_clear_bit(MPTCP_WORK_EOF, &msk->flags)) 2634 - mptcp_check_for_eof(msk); 2635 - 2636 - __mptcp_check_send_data_fin(sk); 2678 + mptcp_check_send_data_fin(sk); 2679 + mptcp_check_data_fin_ack(sk); 2637 2680 mptcp_check_data_fin(sk); 2638 2681 2639 2682 if (test_and_clear_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) ··· 2761 2812 break; 2762 2813 fallthrough; 2763 2814 case TCP_SYN_SENT: 2764 - 
tcp_disconnect(ssk, O_NONBLOCK); 2815 + WARN_ON_ONCE(tcp_disconnect(ssk, O_NONBLOCK)); 2765 2816 break; 2766 2817 default: 2767 2818 if (__mptcp_check_fallback(mptcp_sk(sk))) { 2768 2819 pr_debug("Fallback"); 2769 2820 ssk->sk_shutdown |= how; 2770 2821 tcp_shutdown(ssk, how); 2822 + 2823 + /* simulate the data_fin ack reception to let the state 2824 + * machine move forward 2825 + */ 2826 + WRITE_ONCE(mptcp_sk(sk)->snd_una, mptcp_sk(sk)->snd_nxt); 2827 + mptcp_schedule_work(sk); 2771 2828 } else { 2772 2829 pr_debug("Sending DATA_FIN on subflow %p", ssk); 2773 2830 tcp_send_ack(ssk); ··· 2813 2858 return next & TCP_ACTION_FIN; 2814 2859 } 2815 2860 2816 - static void __mptcp_check_send_data_fin(struct sock *sk) 2861 + static void mptcp_check_send_data_fin(struct sock *sk) 2817 2862 { 2818 2863 struct mptcp_subflow_context *subflow; 2819 2864 struct mptcp_sock *msk = mptcp_sk(sk); ··· 2830 2875 return; 2831 2876 2832 2877 WRITE_ONCE(msk->snd_nxt, msk->write_seq); 2833 - 2834 - /* fallback socket will not get data_fin/ack, can move to the next 2835 - * state now 2836 - */ 2837 - if (__mptcp_check_fallback(msk)) { 2838 - WRITE_ONCE(msk->snd_una, msk->write_seq); 2839 - if ((1 << sk->sk_state) & (TCPF_CLOSING | TCPF_LAST_ACK)) { 2840 - inet_sk_state_store(sk, TCP_CLOSE); 2841 - mptcp_close_wake_up(sk); 2842 - } else if (sk->sk_state == TCP_FIN_WAIT1) { 2843 - inet_sk_state_store(sk, TCP_FIN_WAIT2); 2844 - } 2845 - } 2846 2878 2847 2879 mptcp_for_each_subflow(msk, subflow) { 2848 2880 struct sock *tcp_sk = mptcp_subflow_tcp_sock(subflow); ··· 2850 2908 WRITE_ONCE(msk->write_seq, msk->write_seq + 1); 2851 2909 WRITE_ONCE(msk->snd_data_fin_enable, 1); 2852 2910 2853 - __mptcp_check_send_data_fin(sk); 2911 + mptcp_check_send_data_fin(sk); 2854 2912 } 2855 2913 2856 2914 static void __mptcp_destroy_sock(struct sock *sk) ··· 2895 2953 return EPOLLIN | EPOLLRDNORM; 2896 2954 } 2897 2955 2898 - static void mptcp_listen_inuse_dec(struct sock *sk) 2956 + static void 
mptcp_check_listen_stop(struct sock *sk) 2899 2957 { 2900 - if (inet_sk_state_load(sk) == TCP_LISTEN) 2901 - sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); 2958 + struct sock *ssk; 2959 + 2960 + if (inet_sk_state_load(sk) != TCP_LISTEN) 2961 + return; 2962 + 2963 + sock_prot_inuse_add(sock_net(sk), sk->sk_prot, -1); 2964 + ssk = mptcp_sk(sk)->first; 2965 + if (WARN_ON_ONCE(!ssk || inet_sk_state_load(ssk) != TCP_LISTEN)) 2966 + return; 2967 + 2968 + lock_sock_nested(ssk, SINGLE_DEPTH_NESTING); 2969 + mptcp_subflow_queue_clean(sk, ssk); 2970 + inet_csk_listen_stop(ssk); 2971 + mptcp_event_pm_listener(ssk, MPTCP_EVENT_LISTENER_CLOSED); 2972 + tcp_set_state(ssk, TCP_CLOSE); 2973 + release_sock(ssk); 2902 2974 } 2903 2975 2904 2976 bool __mptcp_close(struct sock *sk, long timeout) ··· 2925 2969 WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK); 2926 2970 2927 2971 if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE)) { 2928 - mptcp_listen_inuse_dec(sk); 2972 + mptcp_check_listen_stop(sk); 2929 2973 inet_sk_state_store(sk, TCP_CLOSE); 2930 2974 goto cleanup; 2931 2975 } ··· 3029 3073 { 3030 3074 struct mptcp_sock *msk = mptcp_sk(sk); 3031 3075 3076 + /* Deny disconnect if other threads are blocked in sk_wait_event() 3077 + * or inet_wait_for_connect(). 3078 + */ 3079 + if (sk->sk_wait_pending) 3080 + return -EBUSY; 3081 + 3032 3082 /* We are on the fastopen error path. We can't call straight into the 3033 3083 * subflows cleanup code due to lock nesting (we are already under 3034 - * msk->firstsocket lock). Do nothing and leave the cleanup to the 3035 - * caller. 3084 + * msk->firstsocket lock). 
3036 3085 */ 3037 3086 if (msk->fastopening) 3038 - return 0; 3087 + return -EBUSY; 3039 3088 3040 - mptcp_listen_inuse_dec(sk); 3089 + mptcp_check_listen_stop(sk); 3041 3090 inet_sk_state_store(sk, TCP_CLOSE); 3042 3091 3043 3092 mptcp_stop_timer(sk); ··· 3101 3140 inet_sk(nsk)->pinet6 = mptcp_inet6_sk(nsk); 3102 3141 #endif 3103 3142 3143 + nsk->sk_wait_pending = 0; 3104 3144 __mptcp_init_sock(nsk); 3105 3145 3106 3146 msk = mptcp_sk(nsk); ··· 3289 3327 for (;;) { 3290 3328 unsigned long flags = (msk->cb_flags & MPTCP_FLAGS_PROCESS_CTX_NEED) | 3291 3329 msk->push_pending; 3330 + struct list_head join_list; 3331 + 3292 3332 if (!flags) 3293 3333 break; 3334 + 3335 + INIT_LIST_HEAD(&join_list); 3336 + list_splice_init(&msk->join_list, &join_list); 3294 3337 3295 3338 /* the following actions acquire the subflow socket lock 3296 3339 * ··· 3307 3340 msk->push_pending = 0; 3308 3341 msk->cb_flags &= ~flags; 3309 3342 spin_unlock_bh(&sk->sk_lock.slock); 3343 + 3310 3344 if (flags & BIT(MPTCP_FLUSH_JOIN_LIST)) 3311 - __mptcp_flush_join_list(sk); 3345 + __mptcp_flush_join_list(sk, &join_list); 3312 3346 if (flags & BIT(MPTCP_PUSH_PENDING)) 3313 3347 __mptcp_push_pending(sk, 0); 3314 3348 if (flags & BIT(MPTCP_RETRANSMIT))
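Review bot: in the hunk at line 1727 the retry "if (!mptcp_disconnect(sk, 0)) sk->sk_socket->state = SS_UNCONNECTED;" silently ignores a second failure, and this same patch makes mptcp_disconnect() return -EBUSY when sk->sk_wait_pending is set or msk->fastopening is true. Please state in the comment what state the socket is left in when the retry fails, or warn on it as is done for tcp_disconnect() elsewhere in the patch. The added comment also reads "due to looking check", which looks like a typo for "locking check". In mptcp_check_listen_stop(), the WARN_ON_ONCE() early return happens after sock_prot_inuse_add(..., -1) has already run, so the in-use counter is decremented even when the listener subflow is not torn down; a comment confirming that ordering is intended would help.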
+1 -4
net/mptcp/protocol.h
··· 113 113 /* MPTCP socket atomic flags */ 114 114 #define MPTCP_NOSPACE 1 115 115 #define MPTCP_WORK_RTX 2 116 - #define MPTCP_WORK_EOF 3 117 116 #define MPTCP_FALLBACK_DONE 4 118 117 #define MPTCP_WORK_CLOSE_SUBFLOW 5 119 118 ··· 475 476 send_mp_fail : 1, 476 477 send_fastclose : 1, 477 478 send_infinite_map : 1, 478 - rx_eof : 1, 479 479 remote_key_valid : 1, /* received the peer key from */ 480 480 disposable : 1, /* ctx can be free at ulp release time */ 481 481 stale : 1, /* unable to snd/rcv data, do not use for xmit */ 482 482 local_id_valid : 1, /* local_id is correctly initialized */ 483 483 valid_csum_seen : 1, /* at least one csum validated */ 484 484 is_mptfo : 1, /* subflow is doing TFO */ 485 - __unused : 8; 485 + __unused : 9; 486 486 enum mptcp_data_avail data_avail; 487 487 u32 remote_nonce; 488 488 u64 thmac; ··· 718 720 void __mptcp_check_push(struct sock *sk, struct sock *ssk); 719 721 void __mptcp_data_acked(struct sock *sk); 720 722 void __mptcp_error_report(struct sock *sk); 721 - void mptcp_subflow_eof(struct sock *sk); 722 723 bool mptcp_update_rcv_data_fin(struct mptcp_sock *msk, u64 data_fin_seq, bool use_64bit); 723 724 static inline bool mptcp_data_fin_enabled(const struct mptcp_sock *msk) 724 725 {
+10 -7
net/mptcp/subflow.c
··· 1749 1749 { 1750 1750 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); 1751 1751 struct sock *parent = subflow->conn; 1752 + struct mptcp_sock *msk; 1752 1753 1753 1754 __subflow_state_change(sk); 1754 1755 1756 + msk = mptcp_sk(parent); 1755 1757 if (subflow_simultaneous_connect(sk)) { 1756 1758 mptcp_propagate_sndbuf(parent, sk); 1757 1759 mptcp_do_fallback(sk); 1758 - mptcp_rcv_space_init(mptcp_sk(parent), sk); 1759 - pr_fallback(mptcp_sk(parent)); 1760 + mptcp_rcv_space_init(msk, sk); 1761 + pr_fallback(msk); 1760 1762 subflow->conn_finished = 1; 1761 1763 mptcp_set_connected(parent); 1762 1764 } ··· 1774 1772 1775 1773 subflow_sched_work_if_closed(mptcp_sk(parent), sk); 1776 1774 1777 - if (__mptcp_check_fallback(mptcp_sk(parent)) && 1778 - !subflow->rx_eof && subflow_is_done(sk)) { 1779 - subflow->rx_eof = 1; 1780 - mptcp_subflow_eof(parent); 1781 - } 1775 + /* when the fallback subflow closes the rx side, trigger a 'dummy' 1776 + * ingress data fin, so that the msk state will follow along 1777 + */ 1778 + if (__mptcp_check_fallback(msk) && subflow_is_done(sk) && msk->first == sk && 1779 + mptcp_update_rcv_data_fin(msk, READ_ONCE(msk->ack_seq), true)) 1780 + mptcp_schedule_work(parent); 1782 1781 } 1783 1782 1784 1783 void mptcp_subflow_queue_clean(struct sock *listener_sk, struct sock *listener_ssk)
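Review bot: the hunk introduces a local msk = mptcp_sk(parent) and converts the mptcp_rcv_space_init() and pr_fallback() calls to use it, but the unchanged call subflow_sched_work_if_closed(mptcp_sk(parent), sk) just above the new block still recomputes it. Use msk there as well for consistency. The new condition also adds "msk->first == sk", which the removed rx_eof code did not have; the comment should say why only the first subflow may trigger the dummy data fin.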
+2
net/netfilter/ipvs/ip_vs_xmit.c
··· 1207 1207 skb->transport_header = skb->network_header; 1208 1208 1209 1209 skb_set_inner_ipproto(skb, next_protocol); 1210 + skb_set_inner_mac_header(skb, skb_inner_network_offset(skb)); 1210 1211 1211 1212 if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) { 1212 1213 bool check = false; ··· 1350 1349 skb->transport_header = skb->network_header; 1351 1350 1352 1351 skb_set_inner_ipproto(skb, next_protocol); 1352 + skb_set_inner_mac_header(skb, skb_inner_network_offset(skb)); 1353 1353 1354 1354 if (tun_type == IP_VS_CONN_F_TUNNEL_TYPE_GUE) { 1355 1355 bool check = false;
+295 -71
net/netfilter/nf_tables_api.c
··· 151 151 return NULL; 152 152 153 153 INIT_LIST_HEAD(&trans->list); 154 + INIT_LIST_HEAD(&trans->binding_list); 154 155 trans->msg_type = msg_type; 155 156 trans->ctx = *ctx; 156 157 ··· 164 163 return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL); 165 164 } 166 165 167 - static void nft_trans_destroy(struct nft_trans *trans) 166 + static void nft_trans_list_del(struct nft_trans *trans) 168 167 { 169 168 list_del(&trans->list); 169 + list_del(&trans->binding_list); 170 + } 171 + 172 + static void nft_trans_destroy(struct nft_trans *trans) 173 + { 174 + nft_trans_list_del(trans); 170 175 kfree(trans); 171 176 } 172 177 173 - static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 178 + static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set, 179 + bool bind) 174 180 { 175 181 struct nftables_pernet *nft_net; 176 182 struct net *net = ctx->net; ··· 191 183 switch (trans->msg_type) { 192 184 case NFT_MSG_NEWSET: 193 185 if (nft_trans_set(trans) == set) 194 - nft_trans_set_bound(trans) = true; 186 + nft_trans_set_bound(trans) = bind; 195 187 break; 196 188 case NFT_MSG_NEWSETELEM: 197 189 if (nft_trans_elem_set(trans) == set) 198 - nft_trans_elem_set_bound(trans) = true; 190 + nft_trans_elem_set_bound(trans) = bind; 199 191 break; 200 192 } 201 193 } 194 + } 195 + 196 + static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set) 197 + { 198 + return __nft_set_trans_bind(ctx, set, true); 199 + } 200 + 201 + static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set) 202 + { 203 + return __nft_set_trans_bind(ctx, set, false); 204 + } 205 + 206 + static void __nft_chain_trans_bind(const struct nft_ctx *ctx, 207 + struct nft_chain *chain, bool bind) 208 + { 209 + struct nftables_pernet *nft_net; 210 + struct net *net = ctx->net; 211 + struct nft_trans *trans; 212 + 213 + if (!nft_chain_binding(chain)) 214 + return; 215 + 216 + nft_net = nft_pernet(net); 217 + 
list_for_each_entry_reverse(trans, &nft_net->commit_list, list) { 218 + switch (trans->msg_type) { 219 + case NFT_MSG_NEWCHAIN: 220 + if (nft_trans_chain(trans) == chain) 221 + nft_trans_chain_bound(trans) = bind; 222 + break; 223 + case NFT_MSG_NEWRULE: 224 + if (trans->ctx.chain == chain) 225 + nft_trans_rule_bound(trans) = bind; 226 + break; 227 + } 228 + } 229 + } 230 + 231 + static void nft_chain_trans_bind(const struct nft_ctx *ctx, 232 + struct nft_chain *chain) 233 + { 234 + __nft_chain_trans_bind(ctx, chain, true); 235 + } 236 + 237 + int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 238 + { 239 + if (!nft_chain_binding(chain)) 240 + return 0; 241 + 242 + if (nft_chain_binding(ctx->chain)) 243 + return -EOPNOTSUPP; 244 + 245 + if (chain->bound) 246 + return -EBUSY; 247 + 248 + chain->bound = true; 249 + chain->use++; 250 + nft_chain_trans_bind(ctx, chain); 251 + 252 + return 0; 253 + } 254 + 255 + void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) 256 + { 257 + __nft_chain_trans_bind(ctx, chain, false); 202 258 } 203 259 204 260 static int nft_netdev_register_hooks(struct net *net, ··· 364 292 { 365 293 struct nftables_pernet *nft_net = nft_pernet(net); 366 294 295 + switch (trans->msg_type) { 296 + case NFT_MSG_NEWSET: 297 + if (!nft_trans_set_update(trans) && 298 + nft_set_is_anonymous(nft_trans_set(trans))) 299 + list_add_tail(&trans->binding_list, &nft_net->binding_list); 300 + break; 301 + case NFT_MSG_NEWCHAIN: 302 + if (!nft_trans_chain_update(trans) && 303 + nft_chain_binding(nft_trans_chain(trans))) 304 + list_add_tail(&trans->binding_list, &nft_net->binding_list); 305 + break; 306 + } 307 + 367 308 list_add_tail(&trans->list, &nft_net->commit_list); 368 309 } 369 310 ··· 423 338 ntohl(nla_get_be32(ctx->nla[NFTA_CHAIN_ID])); 424 339 } 425 340 } 426 - 341 + nft_trans_chain(trans) = ctx->chain; 427 342 nft_trans_commit_list_add_tail(ctx->net, trans); 343 + 428 344 return trans; 429 345 } 430 
346 ··· 443 357 return 0; 444 358 } 445 359 446 - static void nft_rule_expr_activate(const struct nft_ctx *ctx, 447 - struct nft_rule *rule) 360 + void nft_rule_expr_activate(const struct nft_ctx *ctx, struct nft_rule *rule) 448 361 { 449 362 struct nft_expr *expr; 450 363 ··· 456 371 } 457 372 } 458 373 459 - static void nft_rule_expr_deactivate(const struct nft_ctx *ctx, 460 - struct nft_rule *rule, 461 - enum nft_trans_phase phase) 374 + void nft_rule_expr_deactivate(const struct nft_ctx *ctx, struct nft_rule *rule, 375 + enum nft_trans_phase phase) 462 376 { 463 377 struct nft_expr *expr; 464 378 ··· 579 495 return __nft_trans_set_add(ctx, msg_type, set, NULL); 580 496 } 581 497 498 + static void nft_setelem_data_deactivate(const struct net *net, 499 + const struct nft_set *set, 500 + struct nft_set_elem *elem); 501 + 502 + static int nft_mapelem_deactivate(const struct nft_ctx *ctx, 503 + struct nft_set *set, 504 + const struct nft_set_iter *iter, 505 + struct nft_set_elem *elem) 506 + { 507 + nft_setelem_data_deactivate(ctx->net, set, elem); 508 + 509 + return 0; 510 + } 511 + 512 + struct nft_set_elem_catchall { 513 + struct list_head list; 514 + struct rcu_head rcu; 515 + void *elem; 516 + }; 517 + 518 + static void nft_map_catchall_deactivate(const struct nft_ctx *ctx, 519 + struct nft_set *set) 520 + { 521 + u8 genmask = nft_genmask_next(ctx->net); 522 + struct nft_set_elem_catchall *catchall; 523 + struct nft_set_elem elem; 524 + struct nft_set_ext *ext; 525 + 526 + list_for_each_entry(catchall, &set->catchall_list, list) { 527 + ext = nft_set_elem_ext(set, catchall->elem); 528 + if (!nft_set_elem_active(ext, genmask)) 529 + continue; 530 + 531 + elem.priv = catchall->elem; 532 + nft_setelem_data_deactivate(ctx->net, set, &elem); 533 + break; 534 + } 535 + } 536 + 537 + static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) 538 + { 539 + struct nft_set_iter iter = { 540 + .genmask = nft_genmask_next(ctx->net), 541 + .fn = 
nft_mapelem_deactivate, 542 + }; 543 + 544 + set->ops->walk(ctx, set, &iter); 545 + WARN_ON_ONCE(iter.err); 546 + 547 + nft_map_catchall_deactivate(ctx, set); 548 + } 549 + 582 550 static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) 583 551 { 584 552 int err; ··· 638 502 err = nft_trans_set_add(ctx, NFT_MSG_DELSET, set); 639 503 if (err < 0) 640 504 return err; 505 + 506 + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 507 + nft_map_deactivate(ctx, set); 641 508 642 509 nft_deactivate_next(ctx->net, set); 643 510 ctx->table->use--; ··· 2365 2226 return 0; 2366 2227 } 2367 2228 2368 - static int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2229 + int nft_chain_add(struct nft_table *table, struct nft_chain *chain) 2369 2230 { 2370 2231 int err; 2371 2232 ··· 2667 2528 nft_trans_basechain(trans) = basechain; 2668 2529 INIT_LIST_HEAD(&nft_trans_chain_hooks(trans)); 2669 2530 list_splice(&hook.list, &nft_trans_chain_hooks(trans)); 2531 + if (nla[NFTA_CHAIN_HOOK]) 2532 + module_put(hook.type->owner); 2670 2533 2671 2534 nft_trans_commit_list_add_tail(ctx->net, trans); 2672 2535 ··· 2811 2670 return nf_tables_addchain(&ctx, family, genmask, policy, flags, extack); 2812 2671 } 2813 2672 2814 - static int nft_delchain_hook(struct nft_ctx *ctx, struct nft_chain *chain, 2673 + static int nft_delchain_hook(struct nft_ctx *ctx, 2674 + struct nft_base_chain *basechain, 2815 2675 struct netlink_ext_ack *extack) 2816 2676 { 2677 + const struct nft_chain *chain = &basechain->chain; 2817 2678 const struct nlattr * const *nla = ctx->nla; 2818 2679 struct nft_chain_hook chain_hook = {}; 2819 - struct nft_base_chain *basechain; 2820 2680 struct nft_hook *this, *hook; 2821 2681 LIST_HEAD(chain_del_list); 2822 2682 struct nft_trans *trans; 2823 2683 int err; 2824 2684 2825 - if (!nft_is_base_chain(chain)) 2826 - return -EOPNOTSUPP; 2827 - 2828 - basechain = nft_base_chain(chain); 2829 2685 err = nft_chain_parse_hook(ctx->net, basechain, nla, 
&chain_hook, 2830 2686 ctx->family, chain->flags, extack); 2831 2687 if (err < 0) ··· 2907 2769 if (chain->flags & NFT_CHAIN_HW_OFFLOAD) 2908 2770 return -EOPNOTSUPP; 2909 2771 2910 - return nft_delchain_hook(&ctx, chain, extack); 2772 + if (nft_is_base_chain(chain)) { 2773 + struct nft_base_chain *basechain = nft_base_chain(chain); 2774 + 2775 + if (nft_base_chain_netdev(table->family, basechain->ops.hooknum)) 2776 + return nft_delchain_hook(&ctx, basechain, extack); 2777 + } 2911 2778 } 2912 2779 2913 2780 if (info->nlh->nlmsg_flags & NLM_F_NONREC && ··· 3633 3490 return err; 3634 3491 } 3635 3492 3636 - static void nf_tables_rule_destroy(const struct nft_ctx *ctx, 3637 - struct nft_rule *rule) 3493 + void nf_tables_rule_destroy(const struct nft_ctx *ctx, struct nft_rule *rule) 3638 3494 { 3639 3495 struct nft_expr *expr, *next; 3640 3496 ··· 3650 3508 kfree(rule); 3651 3509 } 3652 3510 3653 - void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3511 + static void nf_tables_rule_release(const struct nft_ctx *ctx, struct nft_rule *rule) 3654 3512 { 3655 3513 nft_rule_expr_deactivate(ctx, rule, NFT_TRANS_RELEASE); 3656 3514 nf_tables_rule_destroy(ctx, rule); ··· 3737 3595 3738 3596 return 0; 3739 3597 } 3740 - 3741 - struct nft_set_elem_catchall { 3742 - struct list_head list; 3743 - struct rcu_head rcu; 3744 - void *elem; 3745 - }; 3746 3598 3747 3599 int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set) 3748 3600 { ··· 3980 3844 if (flow) 3981 3845 nft_flow_rule_destroy(flow); 3982 3846 err_release_rule: 3983 - nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); 3847 + nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR); 3984 3848 nf_tables_rule_destroy(&ctx, rule); 3985 3849 err_release_expr: 3986 3850 for (i = 0; i < n; i++) { ··· 4913 4777 if (!(flags & NFT_SET_TIMEOUT)) 4914 4778 return -EINVAL; 4915 4779 4780 + if (flags & NFT_SET_ANONYMOUS) 4781 + return -EOPNOTSUPP; 4782 + 4916 4783 err = 
nf_msecs_to_jiffies64(nla[NFTA_SET_TIMEOUT], &desc.timeout); 4917 4784 if (err) 4918 4785 return err; ··· 4924 4785 if (nla[NFTA_SET_GC_INTERVAL] != NULL) { 4925 4786 if (!(flags & NFT_SET_TIMEOUT)) 4926 4787 return -EINVAL; 4788 + 4789 + if (flags & NFT_SET_ANONYMOUS) 4790 + return -EOPNOTSUPP; 4791 + 4927 4792 desc.gc_int = ntohl(nla_get_be32(nla[NFTA_SET_GC_INTERVAL])); 4928 4793 } 4929 4794 ··· 4972 4829 return -EEXIST; 4973 4830 } 4974 4831 if (info->nlh->nlmsg_flags & NLM_F_REPLACE) 4832 + return -EOPNOTSUPP; 4833 + 4834 + if (nft_set_is_anonymous(set)) 4975 4835 return -EOPNOTSUPP; 4976 4836 4977 4837 err = nft_set_expr_alloc(&ctx, set, nla, exprs, &num_exprs, flags); ··· 5080 4934 for (i = 0; i < set->num_exprs; i++) 5081 4935 nft_expr_destroy(&ctx, set->exprs[i]); 5082 4936 err_set_destroy: 5083 - ops->destroy(set); 4937 + ops->destroy(&ctx, set); 5084 4938 err_set_init: 5085 4939 kfree(set->name); 5086 4940 err_set_name: ··· 5095 4949 5096 4950 list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { 5097 4951 list_del_rcu(&catchall->list); 5098 - nft_set_elem_destroy(set, catchall->elem, true); 4952 + nf_tables_set_elem_destroy(ctx, set, catchall->elem); 5099 4953 kfree_rcu(catchall, rcu); 5100 4954 } 5101 4955 } ··· 5110 4964 for (i = 0; i < set->num_exprs; i++) 5111 4965 nft_expr_destroy(ctx, set->exprs[i]); 5112 4966 5113 - set->ops->destroy(set); 4967 + set->ops->destroy(ctx, set); 5114 4968 nft_set_catchall_destroy(ctx, set); 5115 4969 kfree(set->name); 5116 4970 kvfree(set); ··· 5275 5129 } 5276 5130 } 5277 5131 5132 + static void nft_setelem_data_activate(const struct net *net, 5133 + const struct nft_set *set, 5134 + struct nft_set_elem *elem); 5135 + 5136 + static int nft_mapelem_activate(const struct nft_ctx *ctx, 5137 + struct nft_set *set, 5138 + const struct nft_set_iter *iter, 5139 + struct nft_set_elem *elem) 5140 + { 5141 + nft_setelem_data_activate(ctx->net, set, elem); 5142 + 5143 + return 0; 5144 + } 5145 + 5146 + static 
void nft_map_catchall_activate(const struct nft_ctx *ctx, 5147 + struct nft_set *set) 5148 + { 5149 + u8 genmask = nft_genmask_next(ctx->net); 5150 + struct nft_set_elem_catchall *catchall; 5151 + struct nft_set_elem elem; 5152 + struct nft_set_ext *ext; 5153 + 5154 + list_for_each_entry(catchall, &set->catchall_list, list) { 5155 + ext = nft_set_elem_ext(set, catchall->elem); 5156 + if (!nft_set_elem_active(ext, genmask)) 5157 + continue; 5158 + 5159 + elem.priv = catchall->elem; 5160 + nft_setelem_data_activate(ctx->net, set, &elem); 5161 + break; 5162 + } 5163 + } 5164 + 5165 + static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) 5166 + { 5167 + struct nft_set_iter iter = { 5168 + .genmask = nft_genmask_next(ctx->net), 5169 + .fn = nft_mapelem_activate, 5170 + }; 5171 + 5172 + set->ops->walk(ctx, set, &iter); 5173 + WARN_ON_ONCE(iter.err); 5174 + 5175 + nft_map_catchall_activate(ctx, set); 5176 + } 5177 + 5278 5178 void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) 5279 5179 { 5280 - if (nft_set_is_anonymous(set)) 5180 + if (nft_set_is_anonymous(set)) { 5181 + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5182 + nft_map_activate(ctx, set); 5183 + 5281 5184 nft_clear(ctx->net, set); 5185 + } 5282 5186 5283 5187 set->use++; 5284 5188 } ··· 5339 5143 enum nft_trans_phase phase) 5340 5144 { 5341 5145 switch (phase) { 5342 - case NFT_TRANS_PREPARE: 5146 + case NFT_TRANS_PREPARE_ERROR: 5147 + nft_set_trans_unbind(ctx, set); 5343 5148 if (nft_set_is_anonymous(set)) 5344 5149 nft_deactivate_next(ctx->net, set); 5345 5150 5346 5151 set->use--; 5152 + break; 5153 + case NFT_TRANS_PREPARE: 5154 + if (nft_set_is_anonymous(set)) { 5155 + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5156 + nft_map_deactivate(ctx, set); 5157 + 5158 + nft_deactivate_next(ctx->net, set); 5159 + } 5160 + set->use--; 5347 5161 return; 5348 5162 case NFT_TRANS_ABORT: 5349 5163 case NFT_TRANS_RELEASE: 5164 + if (nft_set_is_anonymous(set) && 
5165 + set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 5166 + nft_map_deactivate(ctx, set); 5167 + 5350 5168 set->use--; 5351 5169 fallthrough; 5352 5170 default: ··· 6113 5903 __nft_set_elem_expr_destroy(ctx, expr); 6114 5904 } 6115 5905 5906 + /* Drop references and destroy. Called from gc, dynset and abort path. */ 6116 5907 void nft_set_elem_destroy(const struct nft_set *set, void *elem, 6117 5908 bool destroy_expr) 6118 5909 { ··· 6135 5924 } 6136 5925 EXPORT_SYMBOL_GPL(nft_set_elem_destroy); 6137 5926 6138 - /* Only called from commit path, nft_setelem_data_deactivate() already deals 6139 - * with the refcounting from the preparation phase. 5927 + /* Destroy element. References have been already dropped in the preparation 5928 + * path via nft_setelem_data_deactivate(). 6140 5929 */ 6141 - static void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 6142 - const struct nft_set *set, void *elem) 5930 + void nf_tables_set_elem_destroy(const struct nft_ctx *ctx, 5931 + const struct nft_set *set, void *elem) 6143 5932 { 6144 5933 struct nft_set_ext *ext = nft_set_elem_ext(set, elem); 6145 5934 ··· 6702 6491 if (flags) 6703 6492 *nft_set_ext_flags(ext) = flags; 6704 6493 6494 + if (obj) { 6495 + *nft_set_ext_obj(ext) = obj; 6496 + obj->use++; 6497 + } 6705 6498 if (ulen > 0) { 6706 6499 if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { 6707 6500 err = -EINVAL; 6708 - goto err_elem_userdata; 6501 + goto err_elem_free; 6709 6502 } 6710 6503 udata = nft_set_ext_userdata(ext); 6711 6504 udata->len = ulen - 1; 6712 6505 nla_memcpy(&udata->data, nla[NFTA_SET_ELEM_USERDATA], ulen); 6713 - } 6714 - if (obj) { 6715 - *nft_set_ext_obj(ext) = obj; 6716 - obj->use++; 6717 6506 } 6718 6507 err = nft_set_elem_expr_setup(ctx, &tmpl, ext, expr_array, num_exprs); 6719 6508 if (err < 0) ··· 6769 6558 err_element_clash: 6770 6559 kfree(trans); 6771 6560 err_elem_free: 6772 - if (obj) 6773 - obj->use--; 6774 - err_elem_userdata: 6775 - nf_tables_set_elem_destroy(ctx, 
set, elem.priv); 6561 + nft_set_elem_destroy(set, elem.priv, true); 6776 6562 err_parse_data: 6777 6563 if (nla[NFTA_SET_ELEM_DATA] != NULL) 6778 6564 nft_data_release(&elem.data.val, desc.type); ··· 6813 6605 if (IS_ERR(set)) 6814 6606 return PTR_ERR(set); 6815 6607 6816 - if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6608 + if (!list_empty(&set->bindings) && 6609 + (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 6817 6610 return -EBUSY; 6818 6611 6819 6612 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); ··· 6847 6638 void nft_data_hold(const struct nft_data *data, enum nft_data_types type) 6848 6639 { 6849 6640 struct nft_chain *chain; 6850 - struct nft_rule *rule; 6851 6641 6852 6642 if (type == NFT_DATA_VERDICT) { 6853 6643 switch (data->verdict.code) { ··· 6854 6646 case NFT_GOTO: 6855 6647 chain = data->verdict.chain; 6856 6648 chain->use++; 6857 - 6858 - if (!nft_chain_is_bound(chain)) 6859 - break; 6860 - 6861 - chain->table->use++; 6862 - list_for_each_entry(rule, &chain->rules, list) 6863 - chain->use++; 6864 - 6865 - nft_chain_add(chain->table, chain); 6866 6649 break; 6867 6650 } 6868 6651 } ··· 7088 6889 set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask); 7089 6890 if (IS_ERR(set)) 7090 6891 return PTR_ERR(set); 7091 - if (!list_empty(&set->bindings) && set->flags & NFT_SET_CONSTANT) 6892 + 6893 + if (!list_empty(&set->bindings) && 6894 + (set->flags & (NFT_SET_CONSTANT | NFT_SET_ANONYMOUS))) 7092 6895 return -EBUSY; 7093 6896 7094 6897 nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); ··· 7872 7671 enum nft_trans_phase phase) 7873 7672 { 7874 7673 switch (phase) { 7674 + case NFT_TRANS_PREPARE_ERROR: 7875 7675 case NFT_TRANS_PREPARE: 7876 7676 case NFT_TRANS_ABORT: 7877 7677 case NFT_TRANS_RELEASE: ··· 9145 8943 synchronize_rcu(); 9146 8944 9147 8945 list_for_each_entry_safe(trans, next, &head, list) { 9148 - list_del(&trans->list); 8946 + nft_trans_list_del(trans); 9149 
8947 nft_commit_release(trans); 9150 8948 } 9151 8949 } ··· 9508 9306 if (list_empty(&nft_net->commit_list)) { 9509 9307 mutex_unlock(&nft_net->commit_mutex); 9510 9308 return 0; 9309 + } 9310 + 9311 + list_for_each_entry(trans, &nft_net->binding_list, binding_list) { 9312 + switch (trans->msg_type) { 9313 + case NFT_MSG_NEWSET: 9314 + if (!nft_trans_set_update(trans) && 9315 + nft_set_is_anonymous(nft_trans_set(trans)) && 9316 + !nft_trans_set_bound(trans)) { 9317 + pr_warn_once("nftables ruleset with unbound set\n"); 9318 + return -EINVAL; 9319 + } 9320 + break; 9321 + case NFT_MSG_NEWCHAIN: 9322 + if (!nft_trans_chain_update(trans) && 9323 + nft_chain_binding(nft_trans_chain(trans)) && 9324 + !nft_trans_chain_bound(trans)) { 9325 + pr_warn_once("nftables ruleset with unbound chain\n"); 9326 + return -EINVAL; 9327 + } 9328 + break; 9329 + } 9511 9330 } 9512 9331 9513 9332 /* 0. Validate ruleset, otherwise roll back for error reporting. */ ··· 9900 9677 kfree(nft_trans_chain_name(trans)); 9901 9678 nft_trans_destroy(trans); 9902 9679 } else { 9903 - if (nft_chain_is_bound(trans->ctx.chain)) { 9680 + if (nft_trans_chain_bound(trans)) { 9904 9681 nft_trans_destroy(trans); 9905 9682 break; 9906 9683 } ··· 9923 9700 nft_trans_destroy(trans); 9924 9701 break; 9925 9702 case NFT_MSG_NEWRULE: 9703 + if (nft_trans_rule_bound(trans)) { 9704 + nft_trans_destroy(trans); 9705 + break; 9706 + } 9926 9707 trans->ctx.chain->use--; 9927 9708 list_del_rcu(&nft_trans_rule(trans)->list); 9928 9709 nft_rule_expr_deactivate(&trans->ctx, ··· 9961 9734 case NFT_MSG_DESTROYSET: 9962 9735 trans->ctx.table->use++; 9963 9736 nft_clear(trans->ctx.net, nft_trans_set(trans)); 9737 + if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 9738 + nft_map_activate(&trans->ctx, nft_trans_set(trans)); 9739 + 9964 9740 nft_trans_destroy(trans); 9965 9741 break; 9966 9742 case NFT_MSG_NEWSETELEM: ··· 10044 9814 10045 9815 list_for_each_entry_safe_reverse(trans, next, 10046 9816 
&nft_net->commit_list, list) { 10047 - list_del(&trans->list); 9817 + nft_trans_list_del(trans); 10048 9818 nf_tables_abort_release(trans); 10049 9819 } 10050 9820 ··· 10493 10263 static void nft_verdict_uninit(const struct nft_data *data) 10494 10264 { 10495 10265 struct nft_chain *chain; 10496 - struct nft_rule *rule; 10497 10266 10498 10267 switch (data->verdict.code) { 10499 10268 case NFT_JUMP: 10500 10269 case NFT_GOTO: 10501 10270 chain = data->verdict.chain; 10502 10271 chain->use--; 10503 - 10504 - if (!nft_chain_is_bound(chain)) 10505 - break; 10506 - 10507 - chain->table->use--; 10508 - list_for_each_entry(rule, &chain->rules, list) 10509 - chain->use--; 10510 - 10511 - nft_chain_del(chain); 10512 10272 break; 10513 10273 } 10514 10274 } ··· 10733 10513 list_for_each_entry_safe(set, ns, &table->sets, list) { 10734 10514 list_del(&set->list); 10735 10515 table->use--; 10516 + if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 10517 + nft_map_deactivate(&ctx, set); 10518 + 10736 10519 nft_set_destroy(&ctx, set); 10737 10520 } 10738 10521 list_for_each_entry_safe(obj, ne, &table->objects, list) { ··· 10820 10597 10821 10598 INIT_LIST_HEAD(&nft_net->tables); 10822 10599 INIT_LIST_HEAD(&nft_net->commit_list); 10600 + INIT_LIST_HEAD(&nft_net->binding_list); 10823 10601 INIT_LIST_HEAD(&nft_net->module_list); 10824 10602 INIT_LIST_HEAD(&nft_net->notify_list); 10825 10603 mutex_init(&nft_net->commit_mutex);
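Review bot: in the commit-path hunk, the two new `return -EINVAL` exits inside the `binding_list` loop leave without `mutex_unlock(&nft_net->commit_mutex)`, while the `list_empty(&nft_net->commit_list)` early return directly above unlocks first. If the caller releases the mutex on the error path, a one-line comment saying so would make the asymmetry obviously intentional. Two smaller points: `nft_set_trans_bind()` and `nft_set_trans_unbind()` are `static void` yet use `return __nft_set_trans_bind(...)`, whereas `nft_chain_trans_bind()` calls its helper without `return`; and in the set deactivate switch, the `NFT_TRANS_PREPARE_ERROR` arm skips the `nft_map_deactivate()` call that the `NFT_TRANS_PREPARE` arm makes for anonymous maps, which deserves a comment explaining why the error case differs.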
+81 -9
net/netfilter/nft_immediate.c
··· 76 76 switch (priv->data.verdict.code) { 77 77 case NFT_JUMP: 78 78 case NFT_GOTO: 79 - if (nft_chain_is_bound(chain)) { 80 - err = -EBUSY; 81 - goto err1; 82 - } 83 - chain->bound = true; 79 + err = nf_tables_bind_chain(ctx, chain); 80 + if (err < 0) 81 + return err; 84 82 break; 85 83 default: 86 84 break; ··· 96 98 const struct nft_expr *expr) 97 99 { 98 100 const struct nft_immediate_expr *priv = nft_expr_priv(expr); 101 + const struct nft_data *data = &priv->data; 102 + struct nft_ctx chain_ctx; 103 + struct nft_chain *chain; 104 + struct nft_rule *rule; 105 + 106 + if (priv->dreg == NFT_REG_VERDICT) { 107 + switch (data->verdict.code) { 108 + case NFT_JUMP: 109 + case NFT_GOTO: 110 + chain = data->verdict.chain; 111 + if (!nft_chain_binding(chain)) 112 + break; 113 + 114 + chain_ctx = *ctx; 115 + chain_ctx.chain = chain; 116 + 117 + list_for_each_entry(rule, &chain->rules, list) 118 + nft_rule_expr_activate(&chain_ctx, rule); 119 + 120 + nft_clear(ctx->net, chain); 121 + break; 122 + default: 123 + break; 124 + } 125 + } 99 126 100 127 return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg)); 101 128 } ··· 130 107 enum nft_trans_phase phase) 131 108 { 132 109 const struct nft_immediate_expr *priv = nft_expr_priv(expr); 110 + const struct nft_data *data = &priv->data; 111 + struct nft_ctx chain_ctx; 112 + struct nft_chain *chain; 113 + struct nft_rule *rule; 114 + 115 + if (priv->dreg == NFT_REG_VERDICT) { 116 + switch (data->verdict.code) { 117 + case NFT_JUMP: 118 + case NFT_GOTO: 119 + chain = data->verdict.chain; 120 + if (!nft_chain_binding(chain)) 121 + break; 122 + 123 + chain_ctx = *ctx; 124 + chain_ctx.chain = chain; 125 + 126 + list_for_each_entry(rule, &chain->rules, list) 127 + nft_rule_expr_deactivate(&chain_ctx, rule, phase); 128 + 129 + switch (phase) { 130 + case NFT_TRANS_PREPARE_ERROR: 131 + nf_tables_unbind_chain(ctx, chain); 132 + fallthrough; 133 + case NFT_TRANS_PREPARE: 134 + nft_deactivate_next(ctx->net, chain); 135 + break; 
136 + default: 137 + nft_chain_del(chain); 138 + chain->bound = false; 139 + chain->table->use--; 140 + break; 141 + } 142 + break; 143 + default: 144 + break; 145 + } 146 + } 133 147 134 148 if (phase == NFT_TRANS_COMMIT) 135 149 return; ··· 191 131 case NFT_GOTO: 192 132 chain = data->verdict.chain; 193 133 194 - if (!nft_chain_is_bound(chain)) 134 + if (!nft_chain_binding(chain)) 195 135 break; 196 136 137 + /* Rule construction failed, but chain is already bound: 138 + * let the transaction records release this chain and its rules. 139 + */ 140 + if (chain->bound) { 141 + chain->use--; 142 + break; 143 + } 144 + 145 + /* Rule has been deleted, release chain and its rules. */ 197 146 chain_ctx = *ctx; 198 147 chain_ctx.chain = chain; 199 148 200 - list_for_each_entry_safe(rule, n, &chain->rules, list) 201 - nf_tables_rule_release(&chain_ctx, rule); 202 - 149 + chain->use--; 150 + list_for_each_entry_safe(rule, n, &chain->rules, list) { 151 + chain->use--; 152 + list_del(&rule->list); 153 + nf_tables_rule_destroy(&chain_ctx, rule); 154 + } 203 155 nf_tables_chain_destroy(&chain_ctx); 204 156 break; 205 157 default:
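Review bot: in the deactivate hunk, the inner `default:` arm (`nft_chain_del(chain); chain->bound = false; chain->table->use--;`) runs for every phase other than the two PREPARE cases, including `NFT_TRANS_COMMIT`, because the existing `if (phase == NFT_TRANS_COMMIT) return;` check sits after the new block. Listing the intended phases as explicit `case` labels, or commenting which ones are expected here, would make that deliberate. The activate and deactivate hunks also repeat the same chain lookup, `chain_ctx` setup and rule walk; a helper taking the per-rule action would remove the duplication.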
+3 -2
net/netfilter/nft_set_bitmap.c
··· 271 271 return 0; 272 272 } 273 273 274 - static void nft_bitmap_destroy(const struct nft_set *set) 274 + static void nft_bitmap_destroy(const struct nft_ctx *ctx, 275 + const struct nft_set *set) 275 276 { 276 277 struct nft_bitmap *priv = nft_set_priv(set); 277 278 struct nft_bitmap_elem *be, *n; 278 279 279 280 list_for_each_entry_safe(be, n, &priv->list, head) 280 - nft_set_elem_destroy(set, be, true); 281 + nf_tables_set_elem_destroy(ctx, set, be); 281 282 } 282 283 283 284 static bool nft_bitmap_estimate(const struct nft_set_desc *desc, u32 features,
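Review bot: replacing `nft_set_elem_destroy(set, be, true)` with `nf_tables_set_elem_destroy(ctx, set, be)` changes what the destroy callback does with references, going by the comments added in nf_tables_api.c in this same series ("Drop references and destroy" versus "References have been already dropped in the preparation path"). The callback now depends on every caller having deactivated the elements first; a comment on `nft_bitmap_destroy()` stating that precondition would document it at the point where it matters.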
+18 -5
net/netfilter/nft_set_hash.c
··· 400 400 return 0; 401 401 } 402 402 403 + struct nft_rhash_ctx { 404 + const struct nft_ctx ctx; 405 + const struct nft_set *set; 406 + }; 407 + 403 408 static void nft_rhash_elem_destroy(void *ptr, void *arg) 404 409 { 405 - nft_set_elem_destroy(arg, ptr, true); 410 + struct nft_rhash_ctx *rhash_ctx = arg; 411 + 412 + nf_tables_set_elem_destroy(&rhash_ctx->ctx, rhash_ctx->set, ptr); 406 413 } 407 414 408 - static void nft_rhash_destroy(const struct nft_set *set) 415 + static void nft_rhash_destroy(const struct nft_ctx *ctx, 416 + const struct nft_set *set) 409 417 { 410 418 struct nft_rhash *priv = nft_set_priv(set); 419 + struct nft_rhash_ctx rhash_ctx = { 420 + .ctx = *ctx, 421 + .set = set, 422 + }; 411 423 412 424 cancel_delayed_work_sync(&priv->gc_work); 413 425 rcu_barrier(); 414 426 rhashtable_free_and_destroy(&priv->ht, nft_rhash_elem_destroy, 415 - (void *)set); 427 + (void *)&rhash_ctx); 416 428 } 417 429 418 430 /* Number of buckets is stored in u32, so cap our result to 1U<<31 */ ··· 655 643 return 0; 656 644 } 657 645 658 - static void nft_hash_destroy(const struct nft_set *set) 646 + static void nft_hash_destroy(const struct nft_ctx *ctx, 647 + const struct nft_set *set) 659 648 { 660 649 struct nft_hash *priv = nft_set_priv(set); 661 650 struct nft_hash_elem *he; ··· 666 653 for (i = 0; i < priv->buckets; i++) { 667 654 hlist_for_each_entry_safe(he, next, &priv->table[i], node) { 668 655 hlist_del_rcu(&he->node); 669 - nft_set_elem_destroy(set, he, true); 656 + nf_tables_set_elem_destroy(ctx, set, he); 670 657 } 671 658 } 672 659 }
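Review bot: `struct nft_rhash_ctx` holds `const struct nft_ctx ctx` by value and is filled with `.ctx = *ctx`, copying the whole context just to pass it through `rhashtable_free_and_destroy()`. A `const struct nft_ctx *ctx` member would do the same job, since the original outlives the call. The `(void *)&rhash_ctx` cast is also unnecessary now that the argument is a non-const local.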
+14 -6
net/netfilter/nft_set_pipapo.c
··· 1974 1974 struct nft_set_iter *iter) 1975 1975 { 1976 1976 struct nft_pipapo *priv = nft_set_priv(set); 1977 + struct net *net = read_pnet(&set->net); 1977 1978 struct nft_pipapo_match *m; 1978 1979 struct nft_pipapo_field *f; 1979 1980 int i, r; 1980 1981 1981 1982 rcu_read_lock(); 1982 - m = rcu_dereference(priv->match); 1983 + if (iter->genmask == nft_genmask_cur(net)) 1984 + m = rcu_dereference(priv->match); 1985 + else 1986 + m = priv->clone; 1983 1987 1984 1988 if (unlikely(!m)) 1985 1989 goto out; ··· 2152 2148 2153 2149 /** 2154 2150 * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array 2151 + * @ctx: context 2155 2152 * @set: nftables API set representation 2156 2153 * @m: matching data pointing to key mapping array 2157 2154 */ 2158 - static void nft_set_pipapo_match_destroy(const struct nft_set *set, 2155 + static void nft_set_pipapo_match_destroy(const struct nft_ctx *ctx, 2156 + const struct nft_set *set, 2159 2157 struct nft_pipapo_match *m) 2160 2158 { 2161 2159 struct nft_pipapo_field *f; ··· 2174 2168 2175 2169 e = f->mt[r].e; 2176 2170 2177 - nft_set_elem_destroy(set, e, true); 2171 + nf_tables_set_elem_destroy(ctx, set, e); 2178 2172 } 2179 2173 } 2180 2174 2181 2175 /** 2182 2176 * nft_pipapo_destroy() - Free private data for set and all committed elements 2177 + * @ctx: context 2183 2178 * @set: nftables API set representation 2184 2179 */ 2185 - static void nft_pipapo_destroy(const struct nft_set *set) 2180 + static void nft_pipapo_destroy(const struct nft_ctx *ctx, 2181 + const struct nft_set *set) 2186 2182 { 2187 2183 struct nft_pipapo *priv = nft_set_priv(set); 2188 2184 struct nft_pipapo_match *m; ··· 2194 2186 if (m) { 2195 2187 rcu_barrier(); 2196 2188 2197 - nft_set_pipapo_match_destroy(set, m); 2189 + nft_set_pipapo_match_destroy(ctx, set, m); 2198 2190 2199 2191 #ifdef NFT_PIPAPO_ALIGN 2200 2192 free_percpu(m->scratch_aligned); ··· 2211 2203 m = priv->clone; 2212 2204 2213 2205 if (priv->dirty) 2214 - 
nft_set_pipapo_match_destroy(set, m); 2206 + nft_set_pipapo_match_destroy(ctx, set, m); 2215 2207 2216 2208 #ifdef NFT_PIPAPO_ALIGN 2217 2209 free_percpu(priv->clone->scratch_aligned);
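Review bot: in the walk hunk, the new `m = priv->clone;` branch reads the clone inside the `rcu_read_lock()` section but without `rcu_dereference()`, unlike `priv->match` on the other branch. If walks for a genmask other than `nft_genmask_cur(net)` are only reachable with the commit mutex held, say so in a comment, because the RCU read lock alone does not explain what protects `priv->clone` here.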
+3 -2
net/netfilter/nft_set_rbtree.c
··· 664 664 return 0; 665 665 } 666 666 667 - static void nft_rbtree_destroy(const struct nft_set *set) 667 + static void nft_rbtree_destroy(const struct nft_ctx *ctx, 668 + const struct nft_set *set) 668 669 { 669 670 struct nft_rbtree *priv = nft_set_priv(set); 670 671 struct nft_rbtree_elem *rbe; ··· 676 675 while ((node = priv->root.rb_node) != NULL) { 677 676 rb_erase(node, &priv->root); 678 677 rbe = rb_entry(node, struct nft_rbtree_elem, node); 679 - nft_set_elem_destroy(set, rbe, true); 678 + nf_tables_set_elem_destroy(ctx, set, rbe); 680 679 } 681 680 } 682 681
-1
net/netfilter/xt_osf.c
··· 71 71 MODULE_DESCRIPTION("Passive OS fingerprint matching."); 72 72 MODULE_ALIAS("ipt_osf"); 73 73 MODULE_ALIAS("ip6t_osf"); 74 - MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF);
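Review bot: the hunk removes `MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_OSF)` from xt_osf.c, and nothing in the visible lines shows which module is expected to answer autoload requests for that nfnetlink subsystem afterwards. The changelog should name the module that owns the alias so the removal can be checked against it.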
+6 -2
net/sched/sch_netem.c
··· 966 966 if (ret < 0) 967 967 return ret; 968 968 969 + sch_tree_lock(sch); 969 970 /* backup q->clg and q->loss_model */ 970 971 old_clg = q->clg; 971 972 old_loss_model = q->loss_model; ··· 975 974 ret = get_loss_clg(q, tb[TCA_NETEM_LOSS]); 976 975 if (ret) { 977 976 q->loss_model = old_loss_model; 978 - return ret; 977 + goto unlock; 979 978 } 980 979 } else { 981 980 q->loss_model = CLG_RANDOM; ··· 1042 1041 /* capping jitter to the range acceptable by tabledist() */ 1043 1042 q->jitter = min_t(s64, abs(q->jitter), INT_MAX); 1044 1043 1044 + unlock: 1045 + sch_tree_unlock(sch); 1045 1046 return ret; 1046 1047 1047 1048 get_table_failure: ··· 1053 1050 */ 1054 1051 q->clg = old_clg; 1055 1052 q->loss_model = old_loss_model; 1056 - return ret; 1053 + 1054 + goto unlock; 1057 1055 } 1058 1056 1059 1057 static int netem_init(struct Qdisc *sch, struct nlattr *opt,
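Review bot: `sch_tree_lock(sch)` is now held from the backup of `q->clg` down to the new `unlock:` label, which includes whatever code can reach `get_table_failure`. Check that nothing in that span allocates with a sleeping GFP flag or otherwise sleeps, since the hunks elide that part of the function. On style, `get_table_failure:` sits after `return ret` and ends with a backward `goto unlock;`; moving the failure block above `unlock:` so control only flows downward would be easier to follow.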
+4 -4
net/xfrm/xfrm_input.c
··· 131 131 memset(sp->ovec, 0, sizeof(sp->ovec)); 132 132 sp->olen = 0; 133 133 sp->len = 0; 134 + sp->verified_cnt = 0; 134 135 135 136 return sp; 136 137 } ··· 331 330 { 332 331 switch (x->props.mode) { 333 332 case XFRM_MODE_BEET: 334 - switch (XFRM_MODE_SKB_CB(skb)->protocol) { 335 - case IPPROTO_IPIP: 336 - case IPPROTO_BEETPH: 333 + switch (x->sel.family) { 334 + case AF_INET: 337 335 return xfrm4_remove_beet_encap(x, skb); 338 - case IPPROTO_IPV6: 336 + case AF_INET6: 339 337 return xfrm6_remove_beet_encap(x, skb); 340 338 } 341 339 break;
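Review bot: the BEET case now switches on `x->sel.family` with only `AF_INET` and `AF_INET6` arms and no default, so any other selector family falls through to the `break` and skips both `xfrm4_remove_beet_encap()` and `xfrm6_remove_beet_encap()`. If a BEET state can reach this code with a selector family that is neither, it needs an explicit arm, or a comment stating why that cannot happen.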
+50 -4
net/xfrm/xfrm_interface_core.c
··· 310 310 skb->mark = 0; 311 311 } 312 312 313 + static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi, 314 + int encap_type, unsigned short family) 315 + { 316 + struct sec_path *sp; 317 + 318 + sp = skb_sec_path(skb); 319 + if (sp && (sp->len || sp->olen) && 320 + !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)) 321 + goto discard; 322 + 323 + XFRM_SPI_SKB_CB(skb)->family = family; 324 + if (family == AF_INET) { 325 + XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); 326 + XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL; 327 + } else { 328 + XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr); 329 + XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL; 330 + } 331 + 332 + return xfrm_input(skb, nexthdr, spi, encap_type); 333 + discard: 334 + kfree_skb(skb); 335 + return 0; 336 + } 337 + 338 + static int xfrmi4_rcv(struct sk_buff *skb) 339 + { 340 + return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET); 341 + } 342 + 343 + static int xfrmi6_rcv(struct sk_buff *skb) 344 + { 345 + return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff], 346 + 0, 0, AF_INET6); 347 + } 348 + 349 + static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) 350 + { 351 + return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET); 352 + } 353 + 354 + static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) 355 + { 356 + return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6); 357 + } 358 + 313 359 static int xfrmi_rcv_cb(struct sk_buff *skb, int err) 314 360 { 315 361 const struct xfrm_mode *inner_mode; ··· 991 945 }; 992 946 993 947 static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = { 994 - .handler = xfrm6_rcv, 995 - .input_handler = xfrm_input, 948 + .handler = xfrmi6_rcv, 949 + .input_handler = xfrmi6_input, 996 950 .cb_handler = xfrmi_rcv_cb, 997 951 .err_handler = xfrmi6_err, 998 952 .priority = 10, ··· 1042 996 #endif 1043 997 1044 998 static struct 
xfrm4_protocol xfrmi_esp4_protocol __read_mostly = { 1045 - .handler = xfrm4_rcv, 1046 - .input_handler = xfrm_input, 999 + .handler = xfrmi4_rcv, 1000 + .input_handler = xfrmi4_input, 1047 1001 .cb_handler = xfrmi_rcv_cb, 1048 1002 .err_handler = xfrmi4_err, 1049 1003 .priority = 10,
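Review bot: In xfrmi_input() the policy check on a non-empty secpath (sp->len || sp->olen) carries no comment saying why it is needed, and the discard label frees the packet with a bare kfree_skb(). Add a short comment above the check stating that a packet which already has transforms recorded in its secpath must pass inbound policy before xfrm_input() processes it further, since the check only makes sense together with the verified_cnt change in xfrm_policy.c. Freeing with a drop reason instead of plain kfree_skb() would also make these policy drops distinguishable from other drops when tracing.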
+14
net/xfrm/xfrm_policy.c
··· 1831 1831 1832 1832 __xfrm_policy_unlink(pol, dir); 1833 1833 spin_unlock_bh(&net->xfrm.xfrm_policy_lock); 1834 + xfrm_dev_policy_delete(pol); 1834 1835 cnt++; 1835 1836 xfrm_audit_policy_delete(pol, 1, task_valid); 1836 1837 xfrm_policy_kill(pol); ··· 1870 1869 1871 1870 __xfrm_policy_unlink(pol, dir); 1872 1871 spin_unlock_bh(&net->xfrm.xfrm_policy_lock); 1872 + xfrm_dev_policy_delete(pol); 1873 1873 cnt++; 1874 1874 xfrm_audit_policy_delete(pol, 1, task_valid); 1875 1875 xfrm_policy_kill(pol); ··· 3351 3349 if (xfrm_state_ok(tmpl, sp->xvec[idx], family, if_id)) 3352 3350 return ++idx; 3353 3351 if (sp->xvec[idx]->props.mode != XFRM_MODE_TRANSPORT) { 3352 + if (idx < sp->verified_cnt) { 3353 + /* Secpath entry previously verified, consider optional and 3354 + * continue searching 3355 + */ 3356 + continue; 3357 + } 3358 + 3354 3359 if (start == -1) 3355 3360 start = -2-idx; 3356 3361 break; ··· 3732 3723 * Order is _important_. Later we will implement 3733 3724 * some barriers, but at the moment barriers 3734 3725 * are implied between each two transformations. 3726 + * Upon success, marks secpath entries as having been 3727 + * verified to allow them to be skipped in future policy 3728 + * checks (e.g. nested tunnels). 3735 3729 */ 3736 3730 for (i = xfrm_nr-1, k = 0; i >= 0; i--) { 3737 3731 k = xfrm_policy_ok(tpp[i], sp, k, family, if_id); ··· 3753 3741 } 3754 3742 3755 3743 xfrm_pols_put(pols, npols); 3744 + sp->verified_cnt = k; 3745 + 3756 3746 return 1; 3757 3747 } 3758 3748 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLBLOCK);
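Review bot: The new test in the secpath walk, if (idx < sp->verified_cnt) continue;, trusts sp->verified_cnt, but the visible hunks only ever write that field on the success path (sp->verified_cnt = k; just before return 1). Please confirm that it is zero for a freshly allocated secpath and is cleared wherever a secpath is reset or reused; a stale count would let non-transport entries be treated as optional without having been matched against any template. Separately, xfrm_dev_policy_delete(pol) is called after spin_unlock_bh() in both flush loops; a sentence in the commit message on why it is safe to run outside xfrm_policy_lock would save the next reader from checking.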
+29
tools/testing/selftests/bpf/prog_tests/subprogs_extable.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + 3 + #include <test_progs.h> 4 + #include "test_subprogs_extable.skel.h" 5 + 6 + void test_subprogs_extable(void) 7 + { 8 + const int read_sz = 456; 9 + struct test_subprogs_extable *skel; 10 + int err; 11 + 12 + skel = test_subprogs_extable__open_and_load(); 13 + if (!ASSERT_OK_PTR(skel, "skel_open_and_load")) 14 + return; 15 + 16 + err = test_subprogs_extable__attach(skel); 17 + if (!ASSERT_OK(err, "skel_attach")) 18 + goto cleanup; 19 + 20 + /* trigger tracepoint */ 21 + ASSERT_OK(trigger_module_test_read(read_sz), "trigger_read"); 22 + 23 + ASSERT_NEQ(skel->bss->triggered, 0, "verify at least one program ran"); 24 + 25 + test_subprogs_extable__detach(skel); 26 + 27 + cleanup: 28 + test_subprogs_extable__destroy(skel); 29 + }
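Review bot: The final check, ASSERT_NEQ(skel->bss->triggered, 0, ...), passes as soon as any one of the attached programs has run, so it does not show that every program executed its faulting loads. If the intent is that the test passes simply by not oopsing, say so in a comment above test_subprogs_extable(); otherwise assert a lower bound equal to the number of programs in the skeleton. The constant read_sz = 456 also needs a word on where the value comes from.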
+51
tools/testing/selftests/bpf/progs/test_subprogs_extable.c
··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + 3 + #include "vmlinux.h" 4 + #include <bpf/bpf_helpers.h> 5 + #include <bpf/bpf_tracing.h> 6 + 7 + struct { 8 + __uint(type, BPF_MAP_TYPE_ARRAY); 9 + __uint(max_entries, 8); 10 + __type(key, __u32); 11 + __type(value, __u64); 12 + } test_array SEC(".maps"); 13 + 14 + unsigned int triggered; 15 + 16 + static __u64 test_cb(struct bpf_map *map, __u32 *key, __u64 *val, void *data) 17 + { 18 + return 1; 19 + } 20 + 21 + SEC("fexit/bpf_testmod_return_ptr") 22 + int BPF_PROG(handle_fexit_ret_subprogs, int arg, struct file *ret) 23 + { 24 + *(volatile long *)ret; 25 + *(volatile int *)&ret->f_mode; 26 + bpf_for_each_map_elem(&test_array, test_cb, NULL, 0); 27 + triggered++; 28 + return 0; 29 + } 30 + 31 + SEC("fexit/bpf_testmod_return_ptr") 32 + int BPF_PROG(handle_fexit_ret_subprogs2, int arg, struct file *ret) 33 + { 34 + *(volatile long *)ret; 35 + *(volatile int *)&ret->f_mode; 36 + bpf_for_each_map_elem(&test_array, test_cb, NULL, 0); 37 + triggered++; 38 + return 0; 39 + } 40 + 41 + SEC("fexit/bpf_testmod_return_ptr") 42 + int BPF_PROG(handle_fexit_ret_subprogs3, int arg, struct file *ret) 43 + { 44 + *(volatile long *)ret; 45 + *(volatile int *)&ret->f_mode; 46 + bpf_for_each_map_elem(&test_array, test_cb, NULL, 0); 47 + triggered++; 48 + return 0; 49 + } 50 + 51 + char _license[] SEC("license") = "GPL";
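Review bot: handle_fexit_ret_subprogs, handle_fexit_ret_subprogs2 and handle_fexit_ret_subprogs3 have identical bodies, and nothing in the file says why three copies are needed or why each one dereferences ret twice and discards the result. Add a header comment stating what the triple attachment and the *(volatile long *)ret; loads are meant to exercise, and consider generating the three programs from one macro so they cannot drift apart. triggered++ is also a plain increment on a global shared by all three programs; __sync_fetch_and_add(&triggered, 1) would keep the counter exact if they ever run concurrently.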
+79
tools/testing/selftests/bpf/progs/verifier_spill_fill.c
··· 371 371 " ::: __clobber_all); 372 372 } 373 373 374 + SEC("xdp") 375 + __description("32-bit spill of 64-bit reg should clear ID") 376 + __failure __msg("math between ctx pointer and 4294967295 is not allowed") 377 + __naked void spill_32bit_of_64bit_fail(void) 378 + { 379 + asm volatile (" \ 380 + r6 = r1; \ 381 + /* Roll one bit to force the verifier to track both branches. */\ 382 + call %[bpf_get_prandom_u32]; \ 383 + r0 &= 0x8; \ 384 + /* Put a large number into r1. */ \ 385 + r1 = 0xffffffff; \ 386 + r1 <<= 32; \ 387 + r1 += r0; \ 388 + /* Assign an ID to r1. */ \ 389 + r2 = r1; \ 390 + /* 32-bit spill r1 to stack - should clear the ID! */\ 391 + *(u32*)(r10 - 8) = r1; \ 392 + /* 32-bit fill r2 from stack. */ \ 393 + r2 = *(u32*)(r10 - 8); \ 394 + /* Compare r2 with another register to trigger find_equal_scalars.\ 395 + * Having one random bit is important here, otherwise the verifier cuts\ 396 + * the corners. If the ID was mistakenly preserved on spill, this would\ 397 + * cause the verifier to think that r1 is also equal to zero in one of\ 398 + * the branches, and equal to eight on the other branch.\ 399 + */ \ 400 + r3 = 0; \ 401 + if r2 != r3 goto l0_%=; \ 402 + l0_%=: r1 >>= 32; \ 403 + /* At this point, if the verifier thinks that r1 is 0, an out-of-bounds\ 404 + * read will happen, because it actually contains 0xffffffff.\ 405 + */ \ 406 + r6 += r1; \ 407 + r0 = *(u32*)(r6 + 0); \ 408 + exit; \ 409 + " : 410 + : __imm(bpf_get_prandom_u32) 411 + : __clobber_all); 412 + } 413 + 414 + SEC("xdp") 415 + __description("16-bit spill of 32-bit reg should clear ID") 416 + __failure __msg("dereference of modified ctx ptr R6 off=65535 disallowed") 417 + __naked void spill_16bit_of_32bit_fail(void) 418 + { 419 + asm volatile (" \ 420 + r6 = r1; \ 421 + /* Roll one bit to force the verifier to track both branches. */\ 422 + call %[bpf_get_prandom_u32]; \ 423 + r0 &= 0x8; \ 424 + /* Put a large number into r1. 
*/ \ 425 + w1 = 0xffff0000; \ 426 + r1 += r0; \ 427 + /* Assign an ID to r1. */ \ 428 + r2 = r1; \ 429 + /* 16-bit spill r1 to stack - should clear the ID! */\ 430 + *(u16*)(r10 - 8) = r1; \ 431 + /* 16-bit fill r2 from stack. */ \ 432 + r2 = *(u16*)(r10 - 8); \ 433 + /* Compare r2 with another register to trigger find_equal_scalars.\ 434 + * Having one random bit is important here, otherwise the verifier cuts\ 435 + * the corners. If the ID was mistakenly preserved on spill, this would\ 436 + * cause the verifier to think that r1 is also equal to zero in one of\ 437 + * the branches, and equal to eight on the other branch.\ 438 + */ \ 439 + r3 = 0; \ 440 + if r2 != r3 goto l0_%=; \ 441 + l0_%=: r1 >>= 16; \ 442 + /* At this point, if the verifier thinks that r1 is 0, an out-of-bounds\ 443 + * read will happen, because it actually contains 0xffff.\ 444 + */ \ 445 + r6 += r1; \ 446 + r0 = *(u32*)(r6 + 0); \ 447 + exit; \ 448 + " : 449 + : __imm(bpf_get_prandom_u32) 450 + : __clobber_all); 451 + } 452 + 374 453 char _license[] SEC("license") = "GPL";
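Review bot: Both new cases are __failure tests for a narrowing spill, and the long comment before r3 = 0; is duplicated verbatim in spill_32bit_of_64bit_fail and spill_16bit_of_32bit_fail. A matching __success case in which the spill width equals the register width, so the ID is expected to survive, would pin down the boundary of the fix if the file does not already have one. In the comment, "the verifier cuts the corners" is vague: name the shortcut that the random bit from bpf_get_prandom_u32 is there to defeat. It would also help to note next to "if r2 != r3 goto l0_%=;" that the branch target and the fall-through are deliberately the same label.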
+3 -3
tools/testing/selftests/kselftest_harness.h
··· 249 249 250 250 /** 251 251 * FIXTURE_SETUP() - Prepares the setup function for the fixture. 252 - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly. 252 + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly. 253 253 * 254 254 * @fixture_name: fixture name 255 255 * ··· 275 275 276 276 /** 277 277 * FIXTURE_TEARDOWN() 278 - * *_metadata* is included so that EXPECT_* and ASSERT_* work correctly. 278 + * *_metadata* is included so that EXPECT_*, ASSERT_* etc. work correctly. 279 279 * 280 280 * @fixture_name: fixture name 281 281 * ··· 388 388 if (setjmp(_metadata->env) == 0) { \ 389 389 fixture_name##_setup(_metadata, &self, variant->data); \ 390 390 /* Let setup failure terminate early. */ \ 391 - if (!_metadata->passed) \ 391 + if (!_metadata->passed || _metadata->skip) \ 392 392 return; \ 393 393 _metadata->setup_completed = true; \ 394 394 fixture_name##_##test_name(_metadata, &self, variant->data); \
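Review bot: The early return now also fires on _metadata->skip, but the comment directly above it still reads "Let setup failure terminate early." and should be updated to cover skips. Because the return leaves the wrapper before _metadata->setup_completed = true, anything a setup function acquired before calling SKIP() is not released by code later in this function; the FIXTURE_SETUP() kernel-doc touched in this same patch is the natural place to say that SKIP() in setup must come before resources are acquired.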
+19 -8
tools/testing/selftests/net/fcnal-test.sh
··· 92 92 93 93 which ping6 > /dev/null 2>&1 && ping6=$(which ping6) || ping6=$(which ping) 94 94 95 + # Check if FIPS mode is enabled 96 + if [ -f /proc/sys/crypto/fips_enabled ]; then 97 + fips_enabled=`cat /proc/sys/crypto/fips_enabled` 98 + else 99 + fips_enabled=0 100 + fi 101 + 95 102 ################################################################################ 96 103 # utilities 97 104 ··· 1223 1216 run_cmd nettest -d ${NSA_DEV} -r ${a} 1224 1217 log_test_addr ${a} $? 1 "No server, device client, local conn" 1225 1218 1226 - ipv4_tcp_md5_novrf 1219 + [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf 1227 1220 } 1228 1221 1229 1222 ipv4_tcp_vrf() ··· 1277 1270 log_test_addr ${a} $? 1 "Global server, local connection" 1278 1271 1279 1272 # run MD5 tests 1280 - setup_vrf_dup 1281 - ipv4_tcp_md5 1282 - cleanup_vrf_dup 1273 + if [ "$fips_enabled" = "0" ]; then 1274 + setup_vrf_dup 1275 + ipv4_tcp_md5 1276 + cleanup_vrf_dup 1277 + fi 1283 1278 1284 1279 # 1285 1280 # enable VRF global server ··· 2781 2772 log_test_addr ${a} $? 1 "No server, device client, local conn" 2782 2773 done 2783 2774 2784 - ipv6_tcp_md5_novrf 2775 + [ "$fips_enabled" = "1" ] || ipv6_tcp_md5_novrf 2785 2776 } 2786 2777 2787 2778 ipv6_tcp_vrf() ··· 2851 2842 log_test_addr ${a} $? 1 "Global server, local connection" 2852 2843 2853 2844 # run MD5 tests 2854 - setup_vrf_dup 2855 - ipv6_tcp_md5 2856 - cleanup_vrf_dup 2845 + if [ "$fips_enabled" = "0" ]; then 2846 + setup_vrf_dup 2847 + ipv6_tcp_md5 2848 + cleanup_vrf_dup 2849 + fi 2857 2850 2858 2851 # 2859 2852 # enable VRF global server
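Review bot: The four call sites test fips_enabled in two different ways: [ "$fips_enabled" = "1" ] || ipv4_tcp_md5_novrf runs the MD5 tests for any value other than 1, while if [ "$fips_enabled" = "0" ] runs them only for exactly 0. If the read of /proc/sys/crypto/fips_enabled yields an empty or unexpected value, the novrf and vrf paths disagree. Pick one form for all four sites, and emit a log line when the MD5 tests are skipped so the result summary shows that coverage was reduced. The new assignment also uses backticks; $(cat ...) matches the $(which ...) usage a few lines above it.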
+4
tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d.sh
··· 93 93 94 94 test_gretap() 95 95 { 96 + ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \ 97 + nud permanent dev br2 96 98 full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap" 97 99 full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap" 98 100 } 99 101 100 102 test_ip6gretap() 101 103 { 104 + ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \ 105 + nud permanent dev br2 102 106 full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap" 103 107 full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap" 104 108 }
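Review bot: test_gretap() and test_ip6gretap() now install a permanent neighbour entry on br2, with no comment explaining what it is for and nothing in the hunk that removes it again. The commit subject mentions a race condition in mirror installation; the mechanism belongs in a comment above the ip neigh replace lines so the script explains itself. Unless bridge teardown is relied on to drop the entry, delete it in cleanup. The $(mac_get $h3) substitution is also unquoted.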
+4
tools/testing/selftests/net/forwarding/mirror_gre_bridge_1q.sh
··· 90 90 91 91 test_gretap() 92 92 { 93 + ip neigh replace 192.0.2.130 lladdr $(mac_get $h3) \ 94 + nud permanent dev br1 93 95 full_test_span_gre_dir gt4 ingress 8 0 "mirror to gretap" 94 96 full_test_span_gre_dir gt4 egress 0 8 "mirror to gretap" 95 97 } 96 98 97 99 test_ip6gretap() 98 100 { 101 + ip neigh replace 2001:db8:2::2 lladdr $(mac_get $h3) \ 102 + nud permanent dev br1 99 103 full_test_span_gre_dir gt6 ingress 8 0 "mirror to ip6gretap" 100 104 full_test_span_gre_dir gt6 egress 0 8 "mirror to ip6gretap" 101 105 }
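Review bot: The added lines duplicate the change in mirror_gre_bridge_1d.sh with only the device name differing (br1 here), including the hard-coded 192.0.2.130 and 2001:db8:2::2, and they carry no comment explaining why a permanent entry is needed. A small shared helper that takes the bridge device, or at least variables for the two addresses, would keep the two scripts from diverging.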
+23 -1
tools/testing/selftests/net/tls.c
··· 25 25 #define TLS_PAYLOAD_MAX_LEN 16384 26 26 #define SOL_TLS 282 27 27 28 + static int fips_enabled; 29 + 28 30 struct tls_crypto_info_keys { 29 31 union { 30 32 struct tls12_crypto_info_aes_gcm_128 aes128; ··· 237 235 { 238 236 uint16_t tls_version; 239 237 uint16_t cipher_type; 240 - bool nopad; 238 + bool nopad, fips_non_compliant; 241 239 }; 242 240 243 241 FIXTURE_VARIANT_ADD(tls, 12_aes_gcm) ··· 256 254 { 257 255 .tls_version = TLS_1_2_VERSION, 258 256 .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, 257 + .fips_non_compliant = true, 259 258 }; 260 259 261 260 FIXTURE_VARIANT_ADD(tls, 13_chacha) 262 261 { 263 262 .tls_version = TLS_1_3_VERSION, 264 263 .cipher_type = TLS_CIPHER_CHACHA20_POLY1305, 264 + .fips_non_compliant = true, 265 265 }; 266 266 267 267 FIXTURE_VARIANT_ADD(tls, 13_sm4_gcm) 268 268 { 269 269 .tls_version = TLS_1_3_VERSION, 270 270 .cipher_type = TLS_CIPHER_SM4_GCM, 271 + .fips_non_compliant = true, 271 272 }; 272 273 273 274 FIXTURE_VARIANT_ADD(tls, 13_sm4_ccm) 274 275 { 275 276 .tls_version = TLS_1_3_VERSION, 276 277 .cipher_type = TLS_CIPHER_SM4_CCM, 278 + .fips_non_compliant = true, 277 279 }; 278 280 279 281 FIXTURE_VARIANT_ADD(tls, 12_aes_ccm) ··· 316 310 struct tls_crypto_info_keys tls12; 317 311 int one = 1; 318 312 int ret; 313 + 314 + if (fips_enabled && variant->fips_non_compliant) 315 + SKIP(return, "Unsupported cipher in FIPS mode"); 319 316 320 317 tls_crypto_info_init(variant->tls_version, variant->cipher_type, 321 318 &tls12); ··· 1872 1863 1873 1864 close(fd); 1874 1865 close(cfd); 1866 + } 1867 + 1868 + static void __attribute__((constructor)) fips_check(void) { 1869 + int res; 1870 + FILE *f; 1871 + 1872 + f = fopen("/proc/sys/crypto/fips_enabled", "r"); 1873 + if (f) { 1874 + res = fscanf(f, "%d", &fips_enabled); 1875 + if (res != 1) 1876 + ksft_print_msg("ERROR: Couldn't read /proc/sys/crypto/fips_enabled\n"); 1877 + fclose(f); 1878 + } 1875 1879 } 1876 1880 1877 1881 TEST_HARNESS_MAIN
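Review bot: In fips_check(), a failed fscanf() only prints "ERROR: Couldn't read /proc/sys/crypto/fips_enabled" and the run continues with fips_enabled left at 0, so on a FIPS host the non-compliant variants would run and fail instead of being skipped. Either treat the read failure as fatal for the run or state in a comment that falling back to non-FIPS behaviour is intended. Style: the opening brace of fips_check() belongs on its own line, and the two-line if (fips_enabled && variant->fips_non_compliant) SKIP(...) in the fixture setup would benefit from a comment tying it to the new fips_non_compliant field, which is set on the chacha and sm4 variants without explanation.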
+16 -16
tools/testing/selftests/net/vrf-xfrm-tests.sh
··· 264 264 ip -netns host1 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ 265 265 proto esp spi ${SPI_1} reqid 0 mode tunnel \ 266 266 replay-window 4 replay-oseq 0x4 \ 267 - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ 268 - enc 'cbc(des3_ede)' ${ENC_1} \ 267 + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ 268 + enc 'cbc(aes)' ${ENC_1} \ 269 269 sel src ${h1_4} dst ${h2_4} ${devarg} 270 270 271 271 ip -netns host2 xfrm state add src ${HOST1_4} dst ${HOST2_4} \ 272 272 proto esp spi ${SPI_1} reqid 0 mode tunnel \ 273 273 replay-window 4 replay-oseq 0x4 \ 274 - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ 275 - enc 'cbc(des3_ede)' ${ENC_1} \ 274 + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ 275 + enc 'cbc(aes)' ${ENC_1} \ 276 276 sel src ${h1_4} dst ${h2_4} 277 277 278 278 279 279 ip -netns host1 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ 280 280 proto esp spi ${SPI_2} reqid 0 mode tunnel \ 281 281 replay-window 4 replay-oseq 0x4 \ 282 - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ 283 - enc 'cbc(des3_ede)' ${ENC_2} \ 282 + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ 283 + enc 'cbc(aes)' ${ENC_2} \ 284 284 sel src ${h2_4} dst ${h1_4} ${devarg} 285 285 286 286 ip -netns host2 xfrm state add src ${HOST2_4} dst ${HOST1_4} \ 287 287 proto esp spi ${SPI_2} reqid 0 mode tunnel \ 288 288 replay-window 4 replay-oseq 0x4 \ 289 - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ 290 - enc 'cbc(des3_ede)' ${ENC_2} \ 289 + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ 290 + enc 'cbc(aes)' ${ENC_2} \ 291 291 sel src ${h2_4} dst ${h1_4} 292 292 293 293 294 294 ip -6 -netns host1 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ 295 295 proto esp spi ${SPI_1} reqid 0 mode tunnel \ 296 296 replay-window 4 replay-oseq 0x4 \ 297 - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ 298 - enc 'cbc(des3_ede)' ${ENC_1} \ 297 + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ 298 + enc 'cbc(aes)' ${ENC_1} \ 299 299 sel src ${h1_6} dst ${h2_6} ${devarg} 300 300 301 301 ip -6 -netns host2 xfrm state add src ${HOST1_6} dst ${HOST2_6} \ 302 302 proto esp spi ${SPI_1} 
reqid 0 mode tunnel \ 303 303 replay-window 4 replay-oseq 0x4 \ 304 - auth-trunc 'hmac(md5)' ${AUTH_1} 96 \ 305 - enc 'cbc(des3_ede)' ${ENC_1} \ 304 + auth-trunc 'hmac(sha1)' ${AUTH_1} 96 \ 305 + enc 'cbc(aes)' ${ENC_1} \ 306 306 sel src ${h1_6} dst ${h2_6} 307 307 308 308 309 309 ip -6 -netns host1 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ 310 310 proto esp spi ${SPI_2} reqid 0 mode tunnel \ 311 311 replay-window 4 replay-oseq 0x4 \ 312 - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ 313 - enc 'cbc(des3_ede)' ${ENC_2} \ 312 + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ 313 + enc 'cbc(aes)' ${ENC_2} \ 314 314 sel src ${h2_6} dst ${h1_6} ${devarg} 315 315 316 316 ip -6 -netns host2 xfrm state add src ${HOST2_6} dst ${HOST1_6} \ 317 317 proto esp spi ${SPI_2} reqid 0 mode tunnel \ 318 318 replay-window 4 replay-oseq 0x4 \ 319 - auth-trunc 'hmac(md5)' ${AUTH_2} 96 \ 320 - enc 'cbc(des3_ede)' ${ENC_2} \ 319 + auth-trunc 'hmac(sha1)' ${AUTH_2} 96 \ 320 + enc 'cbc(aes)' ${ENC_2} \ 321 321 sel src ${h2_6} dst ${h1_6} 322 322 } 323 323
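Review bot: The algorithms change from hmac(md5) and cbc(des3_ede) to hmac(sha1) and cbc(aes) in all eight xfrm state add commands, but the key variables ${AUTH_1}, ${AUTH_2}, ${ENC_1} and ${ENC_2} are reused unchanged and their definitions are not part of the hunk. Since cbc(aes) selects its variant from the key length, add a comment next to the key definitions stating the intended AES key size so that it is a deliberate choice and not an accident of the old 3DES keys. The same two-line edit repeated eight times also suggests putting the auth and enc algorithm names in variables at the top of the script, so the next algorithm change is a one-line edit.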