1. 06 Aug, 2018 2 commits
  2. 05 Aug, 2018 13 commits
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 074fb880
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter updates for net-next
      
      The following patchset contains Netfilter updates for your net-next tree:
      
      1) Support for transparent proxying for nf_tables, from Mate Eckl.
      
      2) Patchset to add OS passive fingerprint recognition for nf_tables,
         from Fernando Fernandez. This takes common code from xt_osf and
         places it into the new nfnetlink_osf module for codebase sharing.
      
      3) Lightweight tunneling support for nf_tables.
      
      4) meta and lookup are likely going to be used in rulesets, make them
         direct calls. From Florian Westphal.
      
      A bunch of incremental updates:
      
      5) use PTR_ERR_OR_ZERO() from nft_numgen, from YueHaibing.
      
      6) Use kvmalloc_array() to allocate hashtables, from Li RongQing.
      
      7) Explicit dependencies between nfnetlink_cttimeout and conntrack
         timeout extensions, from Harsha Sharma.
      
      8) Simplify NLM_F_CREATE handling in nf_tables.
      
      9) Removed unused variable in the get element command, from
         YueHaibing.
      
      10) Expose bridge hook priorities through uapi, from Mate Eckl.
      
      And a few fixes for previous Netfilter batch for net-next:
      
      11) Use per-netns mutex from flowtable event, from Florian Westphal.
      
      12) Remove explicit dependency on iptables CT target from conntrack
          zones, from Florian.
      
      13) Fix use-after-free in rmmod nf_conntrack path, also from Florian.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net · c1c8626f
      David S. Miller authored
      Lots of overlapping changes, mostly trivial in nature.
      
      The mlxsw conflict was resolved using the example
      resolution at:
      
      https://github.com/jpirko/linux_mlxsw/blob/combined_queue/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Linux 4.18-rc8 · 1ffaddd0
      Linus Torvalds authored
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a8c19920
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "A single fix, which addresses boot failures on machines which do not
        report EBDA correctly, which can place the trampoline into reserved
        memory regions. Validating against E820 prevents that"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot/compressed/64: Validate trampoline placement against E820
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 2f3672cb
      Linus Torvalds authored
      Pull timer fixes from Thomas Gleixner:
       "Two oneliners addressing NOHZ failures:
      
         - Use a bitmask to check for the pending timer softirq and not the
           bit number. The existing code using the bit number checked for
           the wrong bit, which caused timers to either expire late or stop
           completely.
      
         - Make the nohz evaluation on interrupt exit more robust. The
           existing code did not re-arm the hardware when interrupting a
           running softirq in task context (ksoftirqd or tail of
           local_bh_enable()), which caused timers to either expire late
           or stop completely"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        nohz: Fix missing tick reprogram when interrupting an inline softirq
        nohz: Fix local_timer_softirq_pending()
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0cdf6d46
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "A set of fixes for perf:
      
        Kernel side:
      
         - Fix the hardcoded index of extra PCI devices on Broadwell which
           caused a resource conflict and triggered warnings on CPU hotplug.
      
        Tooling:
      
         - Update the tools copy of several files, including perf_event.h,
           powerpc's asm/unistd.h (new io_pgetevents syscall), bpf.h and x86's
           memcpy_64.s (used in 'perf bench mem'), silencing the respective
           warnings during the perf tools build.
      
         - Fix the build on the alpine:edge distro"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/x86/intel/uncore: Fix hardcoded index of Broadwell extra PCI devices
        perf tools: Fix the build on the alpine:edge distro
        tools arch: Update arch/x86/lib/memcpy_64.S copy used in 'perf bench mem memcpy'
        tools headers uapi: Refresh linux/bpf.h copy
        tools headers powerpc: Update asm/unistd.h copy to pick new
        tools headers uapi: Update tools's copy of linux/perf_event.h
    • Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b9fb1fc7
      Linus Torvalds authored
      Pull irq fix from Thomas Gleixner:
       "A single bugfix for the irq core to prevent silent data corruption and
        malfunction of threaded interrupts under certain conditions"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        genirq: Make force irq threading setup more robust
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 212dab05
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Handle frames in error situations properly in AF_XDP, from Jakub
          Kicinski.
      
       2) tcp_mmap test case only tests ipv6 due to a thinko, fix from
          Maninder Singh.
      
       3) Session refcnt fix in l2tp_ppp, from Guillaume Nault.
      
       4) Fix regression in netlink bind handling of multicast groups, from
          Dmitry Safonov.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        netlink: Don't shift on 64 for ngroups
        net/smc: no cursor update send in state SMC_INIT
        l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl()
        mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction
        mlxsw: core_acl_flex_actions: Remove redundant counter destruction
        mlxsw: core_acl_flex_actions: Remove redundant resource destruction
        mlxsw: core_acl_flex_actions: Return error for conflicting actions
        selftests/bpf: update test_lwt_seg6local.sh according to iproute2
        drivers: net: lmc: fix case value for target abort error
        selftest/net: fix protocol family to work for IPv4.
        net: xsk: don't return frames via the allocator on error
        tools/bpftool: fix a percpu_array map dump problem
    • Merge tag 'usercopy-fix-v4.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 60f5a217
      Linus Torvalds authored
      Pull usercopy whitelisting fix from Kees Cook:
       "Bart Massey discovered that the usercopy whitelist for JFS was
        incomplete: the inline inode data may intentionally "overflow" into
        the neighboring "extended area", so the size of the whitelist needed
        to be raised to include the neighboring field"
      
      * tag 'usercopy-fix-v4.18-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        jfs: Fix usercopy whitelist for inline inode data
    • Merge tag 'xfs-4.18-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · f639bef5
      Linus Torvalds authored
      Pull xfs bugfix from Darrick Wong:
       "One more patch for 4.18 to fix a coding error in the iomap_bmap()
        function introduced in -rc1: fix incorrect shifting"
      
      * tag 'xfs-4.18-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        fs: fix iomap_bmap position calculation
    • Partially revert "block: fail op_is_write() requests to read-only partitions" · a32e236e
      Linus Torvalds authored
      It turns out that commit 721c7fc7 ("block: fail op_is_write()
      requests to read-only partitions"), while obviously correct, causes
      problems for some older lvm2 installations.
      
      The reason is that the lvm snapshotting will continue to write to the
      snapshot COW volume, even after the volume has been marked read-only.
      End result: snapshot failure.
      
      This has actually been fixed in newer versions of the lvm2 tool, but the
      old tools still exist, and the breakage was reported both in the kernel
      bugzilla and in the Debian bugzilla:
      
        https://bugzilla.kernel.org/show_bug.cgi?id=200439
        https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900442
      
      The lvm2 fix is here
      
        https://sourceware.org/git/?p=lvm2.git;a=commit;h=a6fdb9d9d70f51c49ad11a87ab4243344e6701a3
      
      but until everybody has updated to recent versions, we'll have to weaken
      the "never write to read-only partitions" check.  It now allows the
      write to happen, but causes a warning, something like this:
      
        generic_make_request: Trying to write to read-only block-device dm-3 (partno X)
        Modules linked in: nf_tables xt_cgroup xt_owner kvm_intel iwlmvm kvm irqbypass iwlwifi
        CPU: 1 PID: 77 Comm: kworker/1:1 Not tainted 4.17.9-gentoo #3
        Hardware name: LENOVO 20B6A019RT/20B6A019RT, BIOS GJET91WW (2.41 ) 09/21/2016
        Workqueue: ksnaphd do_metadata
        RIP: 0010:generic_make_request_checks+0x4ac/0x600
        ...
        Call Trace:
         generic_make_request+0x64/0x400
         submit_bio+0x6c/0x140
         dispatch_io+0x287/0x430
         sync_io+0xc3/0x120
         dm_io+0x1f8/0x220
         do_metadata+0x1d/0x30
         process_one_work+0x1b9/0x3e0
         worker_thread+0x2b/0x3c0
         kthread+0x113/0x130
         ret_from_fork+0x35/0x40
      
      Note that this is a "revert" in behavior only.  I'm leaving alone the
      actual code cleanups in commit 721c7fc7, but letting the previously
      uncaught request go through with a warning instead of stopping it.
      
      Fixes: 721c7fc7 ("block: fail op_is_write() requests to read-only partitions")
      Reported-and-tested-by: WGH <wgh@torlan.ru>
      Acked-by: Mike Snitzer <snitzer@redhat.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: Ilya Dryomov <idryomov@gmail.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Zdenek Kabelac <zkabelac@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • netlink: Don't shift on 64 for ngroups · 91874ecf
      Dmitry Safonov authored
      It's legal to have 64 groups for netlink_sock.
      
      As user-supplied nladdr->nl_groups is __u32, it's possible to subscribe
      only to first 32 groups.
      
      The check for correctness of .bind() userspace supplied parameter
      is done by applying mask made from ngroups shift. Which broke Android
      as they have 64 groups and the shift for mask resulted in an overflow.
      
      Fixes: 61f4b237 ("netlink: Don't shift with UB on nlk->ngroups")
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org
      Reported-and-Tested-by: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: Dmitry Safonov <dima@arista.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 5dbfb6ec
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-08-05
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix bpftool percpu_array dump by using correct roundup to next
         multiple of 8 for the value size, from Yonghong.
      
      2) Fix in AF_XDP's __xsk_rcv_zc() to not return frames back to
         allocator since driver will recycle frame anyway in case of an
         error, from Jakub.
      
      3) Fix up BPF test_lwt_seg6local test cases to final iproute2
         syntax, from Mathieu.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  3. 04 Aug, 2018 9 commits
  4. 03 Aug, 2018 16 commits
    • tcp: remove unneeded variable 'err' · a01512b1
      YueHaibing authored
      variable 'err' is unmodified after initialization,
      so simply clean it up and return 0.
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • af_unix: ensure POLLOUT on remote close() for connected dgram socket · 51f7e951
      Jason Baron authored
      Applications use -ECONNREFUSED as returned from write() in order to
      determine that a socket should be closed. However, when using connected
      dgram unix sockets in a poll/write loop, a final POLLOUT event can be
      missed when the remote end closes. Thus, the poll is stuck forever:
      
                thread 1 (client)                   thread 2 (server)
      
      connect() to server
      write() returns -EAGAIN
      unix_dgram_poll()
       -> unix_recvq_full() is true
                                             close()
                                              ->unix_release_sock()
                                               ->wake_up_interruptible_all()
      unix_dgram_poll() (due to the
           wake_up_interruptible_all)
       -> unix_recvq_full() still is true
                                               ->free all skbs
      
      Now thread 1 is stuck and will not receive anymore wakeups. In this
      case, when thread 1 gets the -EAGAIN, it has not queued any skbs
      otherwise the 'free all skbs' step would in fact cause a wakeup and
      a POLLOUT return. So the race here is probably fairly rare because
      it means there are no skbs that thread 1 queued and that thread 1
      schedules before the 'free all skbs' step.
      
      This issue was reported as a hang when /dev/log is closed.
      
      The fix is to signal POLLOUT if the socket is marked as SOCK_DEAD, which
      means a subsequent write() will get -ECONNREFUSED.
      Reported-by: Ian Lance Taylor <iant@golang.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Jason Baron <jbaron@akamai.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: nft_tunnel: fix sparse errors · 483f3fdc
      Pablo Neira Ayuso authored
      [...]
      net/netfilter/nft_tunnel.c:117:25:    expected unsigned int [unsigned] [usertype] flags
      net/netfilter/nft_tunnel.c:117:25:    got restricted __be16 [usertype] <noident>
      [...]
      net/netfilter/nft_tunnel.c:246:33:    expected restricted __be16 [addressable] [assigned] [usertype] tp_dst
      net/netfilter/nft_tunnel.c:246:33:    got int
      
      Fixes: af308b94 ("netfilter: nf_tables: add tunnel support")
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 0b5b1f9a
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Two vmx bugfixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: vmx: fix vpid leak
        KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
    • ppp: mppe: Remove VLA usage · a394b3af
      Kees Cook authored
      In the quest to remove all stack VLA usage from the kernel[1], this
      removes the discouraged use of AHASH_REQUEST_ON_STACK (and associated
      VLA) by switching to shash directly and keeping the associated descriptor
      allocated with the regular state on the heap.
      
      [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Acked-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rxrpc: Push iov_iter up from rxrpc_kernel_recv_data() to caller · eb9950eb
      David Howells authored
      Push iov_iter up from rxrpc_kernel_recv_data() to its caller to allow
      non-contiguous iovs to be passed down, thereby permitting file reading to
      be simplified in the AFS filesystem in a future patch.
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • l2tp: fix missing refcount drop in pppol2tp_tunnel_ioctl() · f664e37d
      Guillaume Nault authored
      If 'session' is not NULL and is not a PPP pseudo-wire, then we fail to
      drop the reference taken by l2tp_session_get().
      
      Fixes: ecd012e4 ("l2tp: filter out non-PPP sessions in pppol2tp_tunnel_ioctl()")
      Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'mlxsw-Fix-ACL-actions-error-condition-handling' · 60a01828
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      mlxsw: Fix ACL actions error condition handling
      
      Nir says:
      
      Two issues were lately noticed within mlxsw ACL actions error condition
      handling. The first patch deals with conflicting actions such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress redirect dev swp4
      
      The second action will never execute, however SW model allows this
      configuration, while the mlxsw driver cannot allow for it as it
      implements actions in sets of up to three actions per set with a single
      termination marking. Conflicting actions create a contradiction over
      this single marking and thus cannot be configured. The fix replaces a
      misplaced warning with an error code to be returned.
      
      Patches 2-4 fix a condition of duplicate destruction of resources. Some
      actions require allocation of specific resource prior to setting the
      action itself. On error condition this resource was destroyed twice,
      leading to a crash when using mirror action, and to a redundant
      destruction in other cases, since for error condition rule destruction
      also takes care of resource destruction. In order to fix this state a
      symmetry in behavior is added and resource destruction also takes care
      of removing the resource from rule's resource list.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: core_acl_flex_actions: Remove redundant mirror resource destruction · caebd1b3
      Nir Dotan authored
      In previous patch mlxsw_afa_resource_del() was added to avoid a duplicate
      resource destruction scenario.
      For mirror actions, such duplicate destruction leads to a crash as in:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add a call to mlxsw_afa_resource_del() in
      mlxsw_afa_mirror_destroy() in order to clear that resource
      from rule's resources.
      
      Fixes: d0d13c18 ("mlxsw: spectrum_acl: Add support for mirror action")
      Signed-off-by: Nir Dotan <nird@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: core_acl_flex_actions: Remove redundant counter destruction · 7cc61694
      Nir Dotan authored
      Each tc flower rule uses a hidden count action. As counter resource may
      not be available due to limited HW resources, update _counter_create()
      and _counter_destroy() pair to follow previously introduced symmetric
      error condition handling, add a call to mlxsw_afa_resource_del() as part
      of the counter resource destruction.
      
      Fixes: c18c1e18 ("mlxsw: core: Make counter index allocated inside the action append")
      Signed-off-by: Nir Dotan <nird@mellanox.com>
      Reviewed-by: Petr Machata <petrm@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: core_acl_flex_actions: Remove redundant resource destruction · dda0a3a3
      Nir Dotan authored
      Some ACL actions require the allocation of a separate resource
      prior to applying the action itself. When facing an error condition
      during the setup phase of the action, resource should be destroyed.
      For such actions the destruction was done twice which is dangerous
      and leads to a potential crash.
      The destruction took place first upon error on action setup phase
      and then as the rule was destroyed.
      
      The following sequence generated a crash:
      
       # tc qdisc add dev swp49 ingress
       # tc filter add dev swp49 parent ffff: \
         protocol ip chain 100 pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action drop
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Therefore add mlxsw_afa_resource_del() as a complement of
      mlxsw_afa_resource_add() to add symmetry to resource_list membership
      handling. Call this from mlxsw_afa_fwd_entry_ref_destroy() to make the
      _fwd_entry_ref_create() and _fwd_entry_ref_destroy() pair of calls a
      NOP.
      
      Fixes: 140ce421 ("mlxsw: core: Convert fwd_entry_ref list to be generic per-block resource list")
      Signed-off-by: Nir Dotan <nird@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlxsw: core_acl_flex_actions: Return error for conflicting actions · 3757b255
      Nir Dotan authored
      Spectrum switch ACL action set is built in groups of three actions
      which may point to additional actions. A group holds a single record
      which can be set as goto record for pointing at a following group
      or can be set to mark the termination of the lookup. This is perfectly
      adequate for handling a series of actions to be executed on a packet.
      While the SW model allows configuration of conflicting actions
      where it is clear that some actions will never execute, the mlxsw
      driver must block such configurations as it creates a conflict
      over the single terminate/goto record value.
      
      For a conflicting actions configuration such as:
      
       # tc filter add dev swp49 parent ffff: \
         protocol ip pref 10 \
         flower skip_sw dst_ip 192.168.101.1 \
         action goto chain 100 \
         action mirred egress mirror dev swp4
      
      Where it is clear that the last action will never execute, the
      mlxsw driver was issuing a warning instead of returning an error.
      Therefore replace that warning with an error for this specific
      case.
      
      Fixes: 4cda7d8d ("mlxsw: core: Introduce flexible actions support")
      Signed-off-by: Nir Dotan <nird@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: conntrack: avoid use-after free on rmmod · 020f6cc5
      Florian Westphal authored
      When the conntrack module is removed, we call nf_ct_iterate_destroy via
      nf_ct_l4proto_unregister().
      
      Problem is that nf_conntrack_proto_fini() gets called after the
      conntrack hash table has already been freed.
      
      Just remove the l4proto unregister call, it's unnecessary as the
      nf_ct_protos[] array gets free'd right after anyway.
      
      v2: add comment wrt. missing unreg call.
      
      Fixes: a0ae2562 ("netfilter: conntrack: remove l3proto abstraction")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: kconfig: remove ct zone/label dependencies · 7bdfcea8
      Florian Westphal authored
      connection tracking zones currently depend on the xtables CT target.
      The reasoning was that it makes no sense to support zones if they can't
      be configured (which needed CT target).
      
      Nowadays zones can also be used by OVS and configured via nftables,
      so remove the dependency.
      
      connection tracking labels are handled via hidden dependency that gets
      auto-selected by the connlabel match.
      Make it a visible knob, as labels can be attached via ctnetlink
      or via nftables rules (nft_ct expression) too.
      
      This allows using conntrack labels and zones with an nftables-only build.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: simplify NLM_F_CREATE handling · 445509eb
      Pablo Neira Ayuso authored
      * From nf_tables_newchain(), codepath provides context that allows us to
        infer if we are updating a chain (in that case, no module autoload is
        required) or adding a new one (then, module autoload is indeed
        needed).
      * We only need it in one single spot in nf_tables_newrule().
      * Not needed for nf_tables_newset() at all.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: bridge: Expose nf_tables bridge hook priorities through uapi · 94276fa8
      Máté Eckl authored
      Netfilter exposes standard hook priorities in case of ipv4, ipv6 and
      arp but not in case of bridge.
      
      This patch exposes the hook priority values of the bridge family (which are
      different from the formerly mentioned) via uapi so that they can be used by
      user-space applications just like the others.
      Signed-off-by: Máté Eckl <ecklm94@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>