1. 10 Feb, 2024 4 commits
  2. 09 Feb, 2024 27 commits
  3. 08 Feb, 2024 9 commits
    • Merge tag 'net-6.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 1f719a2f
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from WiFi and netfilter.
      
        Current release - regressions:
      
         - nic: intel: fix old compiler regressions
      
         - netfilter: ipset: missing gc cancellations fixed
      
        Current release - new code bugs:
      
         - netfilter: ctnetlink: fix filtering for zone 0
      
        Previous releases - regressions:
      
         - core: fix from address in memcpy_to_iter_csum()
      
         - netfilter: nfnetlink_queue: un-break NF_REPEAT
      
         - af_unix: fix memory leak for dead unix_(sk)->oob_skb in GC.
      
         - devlink: avoid potential loop in devlink_rel_nested_in_notify_work()
      
         - iwlwifi:
             - mvm: fix a battery life regression
             - fix double-free bug
      
         - mac80211: fix waiting for beacons logic
      
         - nic: nfp: flower: prevent re-adding mac index for bonded port
      
        Previous releases - always broken:
      
         - rxrpc: fix generation of serial numbers to skip zero
      
         - tipc: check the bearer type before calling tipc_udp_nl_bearer_add()
      
         - tunnels: fix out of bounds access when building IPv6 PMTU error
      
         - nic: hv_netvsc: register VF in netvsc_probe if NET_DEVICE_REGISTER
           missed
      
         - nic: atlantic: fix DMA mapping for PTP hwts ring
      
        Misc:
      
         - selftests: more fixes to deal with very slow hosts"
      
      * tag 'net-6.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (80 commits)
        netfilter: nft_set_pipapo: remove scratch_aligned pointer
        netfilter: nft_set_pipapo: add helper to release pcpu scratch area
        netfilter: nft_set_pipapo: store index in scratch maps
        netfilter: nft_set_rbtree: skip end interval element from gc
        netfilter: nfnetlink_queue: un-break NF_REPEAT
        netfilter: nf_tables: use timestamp to check for set element timeout
        netfilter: nft_ct: reject direction for ct id
        netfilter: ctnetlink: fix filtering for zone 0
        s390/qeth: Fix potential loss of L3-IP@ in case of network issues
        netfilter: ipset: Missing gc cancellations fixed
        octeontx2-af: Initialize maps.
        net: ethernet: ti: cpsw: enable mac_managed_pm to fix mdio
        net: ethernet: ti: cpsw_new: enable mac_managed_pm to fix mdio
        netfilter: nft_set_pipapo: remove static in nft_pipapo_get()
        netfilter: nft_compat: restrict match/target protocol to u16
        netfilter: nft_compat: reject unused compat flag
        netfilter: nft_compat: narrow down revision to unsigned 8-bits
        net: intel: fix old compiler regressions
        MAINTAINERS: Maintainer change for rds
        selftests: cmsg_ipv6: repeat the exact packet
        ...
    • Merge tag 'pinctrl-v6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · b0d5d0f7
      Linus Torvalds authored
      Pull pinctrl fix from Linus Walleij:
       "A single fix for the AMD driver which affects developer laptops, the
        pinctrl/GPIO driver won't probe on some systems"
      
      * tag 'pinctrl-v6.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: amd: Add IRQF_ONESHOT to the interrupt request
    • Merge tag 'nf-24-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 63e4b9d6
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Narrow down target/match revision to u8 in nft_compat.
      
      2) Bail out with unused flags in nft_compat.
      
      3) Restrict layer 4 protocol to u16 in nft_compat.
      
      4) Remove static in pipapo get command that slipped through when
         reducing set memory footprint.
      
      5) Follow up incremental fix for the ipset performance regression,
         this includes the missing gc cancellation, from Jozsef Kadlecsik.
      
      6) Allow to filter by zone 0 in ctnetlink, do not interpret zone 0
         as no filtering, from Felix Huettner.
      
      7) Reject direction for NFT_CT_ID.
      
      8) Use timestamp to check for set element expiration while transaction
         is handled to prevent garbage collection from removing set elements
         that were just added by this transaction. Packet path and netlink
         dump/get path still use current time to check for expiration.
      
      9) Restore NF_REPEAT in nfnetlink_queue, from Florian Westphal.
      
      10) map_index needs to be percpu and per-set, not just percpu.
          At this time it's possible for a pipapo set to fill the all-zero part
          with ones and take the 'might have bits set' as 'start-from-zero' area.
          From Florian Westphal. This includes three patches:
      
          - Change scratchpad area to a structure that provides space for a
            per-set-and-cpu toggle and uses it of the percpu one.
      
          - Add a new free helper to prepare for the next patch.
      
          - Remove the scratch_aligned pointer and makes AVX2 implementation
            use the exact same memory addresses for read/store of the matching
            state.
      
      netfilter pull request 24-02-08
      
      * tag 'nf-24-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nft_set_pipapo: remove scratch_aligned pointer
        netfilter: nft_set_pipapo: add helper to release pcpu scratch area
        netfilter: nft_set_pipapo: store index in scratch maps
        netfilter: nft_set_rbtree: skip end interval element from gc
        netfilter: nfnetlink_queue: un-break NF_REPEAT
        netfilter: nf_tables: use timestamp to check for set element timeout
        netfilter: nft_ct: reject direction for ct id
        netfilter: ctnetlink: fix filtering for zone 0
        netfilter: ipset: Missing gc cancellations fixed
        netfilter: nft_set_pipapo: remove static in nft_pipapo_get()
        netfilter: nft_compat: restrict match/target protocol to u16
        netfilter: nft_compat: reject unused compat flag
        netfilter: nft_compat: narrow down revision to unsigned 8-bits
      ====================
      
      Link: https://lore.kernel.org/r/20240208112834.1433-1-pablo@netfilter.org
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    • netfilter: nft_set_pipapo: remove scratch_aligned pointer · 5a8cdf6f
      Florian Westphal authored
      use ->scratch for both avx2 and the generic implementation.
      
      After previous change the scratch->map member is always aligned properly
      for AVX2, so we can just use scratch->map in AVX2 too.
      
      The alignoff delta is stored in the scratchpad so we can reconstruct
      the correct address to free the area again.
      
      Fixes: 7400b063 ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_set_pipapo: add helper to release pcpu scratch area · 47b1c03c
      Florian Westphal authored
      After next patch simple kfree() is not enough anymore, so add
      a helper for it.
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_set_pipapo: store index in scratch maps · 76313d1a
      Florian Westphal authored
      Pipapo needs a scratchpad area to keep state during matching.
      This state can be large and thus cannot reside on stack.
      
      Each set preallocates percpu areas for this.
      
      On each match stage, one scratchpad half starts with all-zero and the other
      is inited to all-ones.
      
      At the end of each stage, the half that starts with all-ones is
      always zero.  Before next field is tested, pointers to the two halves
      are swapped, i.e.  resmap pointer turns into fill pointer and vice versa.
      
      After the last field has been processed, pipapo stashes the
      index toggle in a percpu variable, with assumption that next packet
      will start with the all-zero half and sets all bits in the other to 1.
      
      This isn't reliable.
      
      There can be multiple sets and we can't be sure that the upper
      and lower half of all set scratch map is always in sync (lookups
      can be conditional), so one set might have swapped, but other might
      not have been queried.
      
      Thus we need to keep the index per-set-and-cpu, just like the
      scratchpad.
      
      Note that this bug fix is incomplete, there is a related issue.
      
      avx2 and normal implementation might use slightly different areas of the
      map array space due to the avx2 alignment requirements, so
      m->scratch (generic/fallback implementation) and ->scratch_aligned
      (avx) may partially overlap. scratch and scratch_aligned are not distinct
      objects, the latter is just the aligned address of the former.
      
      After this change, write to scratch_align->map_index may write to
      scratch->map, so this issue becomes more prominent, we can set to 1
      a bit in the supposedly-all-zero area of scratch->map[].
      
      A followup patch will remove the scratch_aligned and makes generic and
      avx code use the same (aligned) area.
      
      It's done in a separate change to ease review.
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_set_rbtree: skip end interval element from gc · 60c0c230
      Pablo Neira Ayuso authored
      rbtree lazy gc on insert might collect an end interval element that has
      been just added in this transaction, skip end interval elements that
      are not yet active.
      
      Fixes: f718863a ("netfilter: nft_set_rbtree: fix overlap expiration walk")
      Cc: stable@vger.kernel.org
      Reported-by: lonial con <kongln9170@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nfnetlink_queue: un-break NF_REPEAT · f82777e8
      Florian Westphal authored
      Only override userspace verdict if the ct hook returns something
      other than ACCEPT.
      
      Else, this replaces NF_REPEAT (run all hooks again) with NF_ACCEPT
      (move to next hook).
      
      Fixes: 6291b3a6 ("netfilter: conntrack: convert nf_conntrack_update to netfilter verdicts")
      Reported-by: l.6diay@passmail.com
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: use timestamp to check for set element timeout · 7395dfac
      Pablo Neira Ayuso authored
      Add a timestamp field at the beginning of the transaction, store it
      in the nftables per-netns area.
      
      Update set backend .insert, .deactivate and sync gc path to use the
      timestamp, this avoids that an element expires while control plane
      transaction is still unfinished.
      
      .lookup and .update, which are used from packet path, still use the
      current time to check if the element has expired. And .get path and dump
      also since this runs lockless under rcu read side lock. Then, there is
      async gc which also needs to check the current time since it runs
      asynchronously from a workqueue.
      
      Fixes: c3e1b005 ("netfilter: nf_tables: add set element timeout support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>