[PATCH 01/02 V2] net/ipv6: seperate sit driver to extra module
This is the changed version of the patch making the sit driver configurable as a seperate module. Changes: - spelling fixes in Kconfig - changed If unsure, say N to If unsure, say Y for consistency diff -upr -X linux-2.6.18/Documentation/dontdiff linux-2.6.18-vanilla/net/ipv6/af_inet6.c linux-2.6.18/net/ipv6/af_inet6.c --- linux-2.6.18-vanilla/net/ipv6/af_inet6.c2006-09-20 05:42:06.0 +0200 +++ linux-2.6.18/net/ipv6/af_inet6.c2006-10-05 16:55:02.0 +0200 @@ -849,7 +849,6 @@ static int __init inet6_init(void) err = addrconf_init(); if (err) goto addrconf_fail; - sit_init(); /* Init v6 extension headers. */ ipv6_rthdr_init(); @@ -920,7 +919,6 @@ static void __exit inet6_exit(void) raw6_proc_exit(); #endif /* Cleanup code parts. */ - sit_cleanup(); ip6_flowlabel_cleanup(); addrconf_cleanup(); ip6_route_cleanup(); diff -upr -X linux-2.6.18/Documentation/dontdiff linux-2.6.18-vanilla/net/ipv6/Kconfig linux-2.6.18/net/ipv6/Kconfig --- linux-2.6.18-vanilla/net/ipv6/Kconfig 2006-09-20 05:42:06.0 +0200 +++ linux-2.6.18/net/ipv6/Kconfig 2006-10-09 11:16:37.0 +0200 @@ -126,6 +126,19 @@ config INET6_XFRM_MODE_TUNNEL If unsure, say Y. +config IPV6_SIT + tristate IPv6: IPv6-in-IPv4 tunnel (SIT driver) + depends on IPV6 + default y + ---help--- + Tunneling means encapsulating data of one protocol type within + another protocol and sending it over a channel that understands the + encapsulating protocol. This driver implements encapsulation of IPv6 + into IPv4 packets. This is useful if you want to connect two IPv6 + networks over an IPv4-only path. + + Saying M here will produce a module called sit.ko. If unsure, say Y. + config IPV6_TUNNEL tristate IPv6: IPv6-in-IPv6 tunnel select INET6_TUNNEL diff -upr -X linux-2.6.18/Documentation/dontdiff linux-2.6.18-vanilla/net/ipv6/Makefile linux-2.6.18/net/ipv6/Makefile --- linux-2.6.18-vanilla/net/ipv6/Makefile 2006-09-20 05:42:06.0 +0200 +++ linux-2.6.18/net/ipv6/Makefile 2006-10-05 17:10:42.0 +0200 
@@ -4,7 +4,7 @@ obj-$(CONFIG_IPV6) += ipv6.o -ipv6-objs := af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o sit.o \ +ipv6-objs := af_inet6.o anycast.o ip6_output.o ip6_input.o addrconf.o \ route.o ip6_fib.o ipv6_sockglue.o ndisc.o udp.o raw.o \ protocol.o icmp.o mcast.o reassembly.o tcp_ipv6.o \ exthdrs.o sysctl_net_ipv6.o datagram.o proc.o \ @@ -24,6 +24,7 @@ obj-$(CONFIG_INET6_XFRM_MODE_TRANSPORT) obj-$(CONFIG_INET6_XFRM_MODE_TUNNEL) += xfrm6_mode_tunnel.o obj-$(CONFIG_NETFILTER)+= netfilter/ +obj-$(CONFIG_IPV6_SIT) += sit.o obj-$(CONFIG_IPV6_TUNNEL) += ip6_tunnel.o obj-y += exthdrs_core.o diff -upr -X linux-2.6.18/Documentation/dontdiff linux-2.6.18-vanilla/net/ipv6/sit.c linux-2.6.18/net/ipv6/sit.c --- linux-2.6.18-vanilla/net/ipv6/sit.c 2006-09-20 05:42:06.0 +0200 +++ linux-2.6.18/net/ipv6/sit.c 2006-10-05 16:55:02.0 +0200 @@ -850,3 +850,6 @@ int __init sit_init(void) inet_del_protocol(sit_protocol, IPPROTO_IPV6); goto out; } + +module_init(sit_init); +module_exit(sit_cleanup);
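Review bot: The sit.c hunk adds `module_init(sit_init);` and `module_exit(sit_cleanup);` but no `MODULE_LICENSE("GPL");` next to them. If the file does not already carry one outside the hunk, loading sit.ko taints the kernel and GPL-only exported symbols will not resolve for it. The hunk header also shows `int __init sit_init(void)` still non-static although af_inet6.c no longer calls it, so it (and presumably `sit_cleanup`) could become `static` and their extern prototypes be dropped. The bodies of both functions lie outside the hunk.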
[PATCH 02/02 V2] net/ipv6: seperate sit driver to extra module (addrconf.c changes)
Decond part of the patch. It contains changes to to net/ipv6/addrconf.c to remove sit specific code if the sit driver it not selected. There are no changes to previous sumbit. This patch is resubmitted for completeness. diff -upr -X linux-2.6.18/Documentation/dontdiff linux-2.6.18-vanilla/net/ipv6/addrconf.c linux-2.6.18/net/ipv6/addrconf.c --- linux-2.6.18-vanilla/net/ipv6/addrconf.c2006-09-20 05:42:06.0 +0200 +++ linux-2.6.18/net/ipv6/addrconf.c2006-10-06 11:04:04.0 +0200 @@ -389,8 +389,10 @@ static struct inet6_dev * ipv6_add_dev(s ndev-regen_timer.data = (unsigned long) ndev; if ((dev-flagsIFF_LOOPBACK) || dev-type == ARPHRD_TUNNEL || - dev-type == ARPHRD_NONE || - dev-type == ARPHRD_SIT) { +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) + dev-type == ARPHRD_SIT || +#endif + dev-type == ARPHRD_NONE) { printk(KERN_INFO %s: Disabled Privacy Extensions\n, dev-name); @@ -1522,8 +1524,10 @@ addrconf_prefix_route(struct in6_addr *p This thing is done here expecting that the whole class of non-broadcast devices need not cloning. */ +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) if (dev-type == ARPHRD_SIT (dev-flagsIFF_POINTOPOINT)) rtmsg.rtmsg_flags |= RTF_NONEXTHOP; +#endif ip6_route_add(rtmsg, NULL, NULL, NULL); } @@ -1545,6 +1549,7 @@ static void addrconf_add_mroute(struct n ip6_route_add(rtmsg, NULL, NULL, NULL); } +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) static void sit_route_add(struct net_device *dev) { struct in6_rtmsg rtmsg; @@ -1561,6 +1566,7 @@ static void sit_route_add(struct net_dev ip6_route_add(rtmsg, NULL, NULL, NULL); } +#endif static void addrconf_add_lroute(struct net_device *dev) { @@ -1831,6 +1837,7 @@ int addrconf_set_dstaddr(void __user *ar if (dev == NULL) goto err_exit; +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) if (dev-type == ARPHRD_SIT) { struct ifreq ifr; mm_segment_toldfs; 
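Review bot: The guard `#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE)` is spelled out in full at every site, first in the ipv6_add_dev() hunk and again in the addrconf_prefix_route(), sit_route_add(), addrconf_set_dstaddr(), sit_add_v4_addrs(), addrconf_sit_config() and addrconf_notify() hunks. Defining the condition once near the top of addrconf.c and testing that single name would stop one site drifting from the others later. In the addrconf_set_dstaddr() hunk the whole ARPHRD_SIT branch is compiled out, so with SIT disabled the call appears to fall straight through to `err_exit` with whatever `err` held before the hunk. A comment such as `/* without SIT support no device type is handled here */` would mark that as intended. The enclosing functions start and end outside the hunks.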
@@ -1860,6 +1867,7 @@ int addrconf_set_dstaddr(void __user *ar err = dev_open(dev); } } +#endif err_exit: rtnl_unlock(); @@ -1993,6 +2001,7 @@ int addrconf_del_ifaddr(void __user *arg return err; } +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) static void sit_add_v4_addrs(struct inet6_dev *idev) { struct inet6_ifaddr * ifp; @@ -2061,6 +2070,7 @@ static void sit_add_v4_addrs(struct inet } } } +#endif static void init_loopback(struct net_device *dev) { @@ -2124,6 +2134,7 @@ static void addrconf_dev_config(struct n addrconf_add_linklocal(idev, addr); } +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) static void addrconf_sit_config(struct net_device *dev) { struct inet6_dev *idev; @@ -2149,6 +2160,7 @@ static void addrconf_sit_config(struct n } else sit_route_add(dev); } +#endif static inline int ipv6_inherit_linklocal(struct inet6_dev *idev, struct net_device *link_dev) @@ -2243,9 +2255,11 @@ static int addrconf_notify(struct notifi } switch(dev-type) { +#if defined(CONFIG_IPV6_SIT) || defined(CONFIG_IPV6_SIT_MODULE) case ARPHRD_SIT: addrconf_sit_config(dev); break; +#endif case ARPHRD_TUNNEL6: addrconf_ip6_tnl_config(dev); break;
Re: 2.6.18-mm2 boot failure on x86-64
On Fri, 6 Oct 2006, Vivek Goyal wrote: On Fri, Oct 06, 2006 at 01:03:50PM -0500, Steve Fox wrote: On Fri, 2006-10-06 at 18:11 +0100, Mel Gorman wrote: On (06/10/06 11:36), Vivek Goyal didst pronounce: Where is bss placed in physical memory? I guess bss_start and bss_stop from System.map will tell us. That will confirm that above memset step is stomping over bss. Then we have to just find that somewhere probably we allocated wrong physical memory area for bootmem allocator map. BSS is at 0x643000 - 0x777BC4 init_bootmem wipes from 0x777000 - 0x8F7000 So the BSS bytes from 0x777000 -0x777BC4 (which looks very suspiciously like a page alignment of addr & PAGE_MASK) gets set to 0xFF. One possible fix is below. It adds a check in bad_addr() to see if the BSS section is about to be used for bootmap. It Seems To Work For Me (tm) and illustrates the source of the problem even if it's not the 100% correct fix. I was able to boot the machine with Mel's patch applied on top of -git22. Please have a look at the attached patch. Does it make some sense? It makes some sense. As you state, it wastes memory but that is better than breaking. Steve, can you please give this patch a try if it fixes the problem? I boottested the patch on the same machine as Steve was using and it completed successfully. Thanks Vivek o Currently some code pieces assume that address returned by find_e820_area() are page aligned. But looks like find_e820_area() had no such intention and hence one might end up stomping over some of the data. One such case is bootmem allocator initialization code stomped over bss. o This patch modified find_e820_area() to return page aligned address. This might be little wasteful of memory but at the same time probably it is easier to handle page aligned memory. 
Signed-off-by: Vivek Goyal [EMAIL PROTECTED] --- arch/x86_64/kernel/e820.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff -puN arch/x86_64/kernel/e820.c~x86_64-return-page-aligned-phy-addr-from-find-e820-area arch/x86_64/kernel/e820.c --- linux-2.6.19-rc1-1M/arch/x86_64/kernel/e820.c~x86_64-return-page-aligned-phy-addr-from-find-e820-area 2006-10-06 15:28:13.0 -0400 +++ linux-2.6.19-rc1-1M-root/arch/x86_64/kernel/e820.c 2006-10-06 15:44:45.0 -0400 @@ -54,13 +54,13 @@ static inline int bad_addr(unsigned long /* various gunk below that needed for SMP startup */ if (addr 0x8000) { - *addrp = 0x8000; + *addrp = PAGE_ALIGN(0x8000); return 1; } /* direct mapping tables of the kernel */ if (last = table_startPAGE_SHIFT addr table_endPAGE_SHIFT) { - *addrp = table_end PAGE_SHIFT; + *addrp = PAGE_ALIGN(table_end PAGE_SHIFT); return 1; } @@ -68,18 +68,18 @@ static inline int bad_addr(unsigned long #ifdef CONFIG_BLK_DEV_INITRD if (LOADER_TYPE INITRD_START last = INITRD_START addr INITRD_START+INITRD_SIZE) { - *addrp = INITRD_START + INITRD_SIZE; + *addrp = PAGE_ALIGN(INITRD_START + INITRD_SIZE); return 1; } #endif /* kernel code */ - if (last = __pa_symbol(_text) last __pa_symbol(_end)) { - *addrp = __pa_symbol(_end); + if (last = __pa_symbol(_text) addr __pa_symbol(_end)) { + *addrp = PAGE_ALIGN(__pa_symbol(_end)); return 1; } if (last = ebda_addr addr ebda_addr + ebda_size) { - *addrp = ebda_addr + ebda_size; + *addrp = PAGE_ALIGN(ebda_addr + ebda_size); return 1; } 
@@ -152,7 +152,7 @@ unsigned long __init find_e820_area(unsi continue; while (bad_addr(addr, size) addr+size = ei-addr+ei-size) ; - last = addr + size; + last = PAGE_ALIGN(addr) + size; if (last ei-addr + ei-size) continue; if (last end) _ -- Mel Gorman Part-time Phd Student Linux Technology Center University of Limerick IBM Dublin Software Lab - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
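Review bot: In the find_e820_area() hunk only `last` is computed from `PAGE_ALIGN(addr)`, while `addr` itself is left unchanged. The range check therefore covers the aligned start, but the value handed back can still be unaligned whenever bad_addr() never moved it, for example when the region's own start is not page aligned. If the function returns `addr` (the return is outside the hunk), align the variable first: `addr = PAGE_ALIGN(addr);` followed by `last = addr + size;`. That makes the page-aligned result the description promises independent of which path produced `addr`.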
Bug ? IF_RUNNING/routing table updates
Hi, We appear to have encountered a bug with kernel routing table updates. If an interface (+ associated IP network) loses its IF_RUNNING flag, it is still used for routing. More details below: Flavour: Debian Quagga: ii quagga 0.96.5-11 Unoff. successor of the Zebra BGP/OSPF/RIP r Specific kernel is: 2.4.27-2-386 but noticed the same on 2.6.* release. :02:06.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 0d) :02:07.0 Ethernet controller: Intel Corp. 82557/8/9 [Ethernet Pro 100] (rev 0d) Basically when operating any of the dynamic routing protocols under Quagga (or the older Zebra), a niggling problem keeps surfacing which curtails the operation of routing protocols in multihomed server environments under certain circumstances. Similar reports of the problem appear to be littered around various lists, but to date I can see no solution and it remains a problem, hence the post. Whilst the nature of my specific topology is rather complex, I can define the problem generally as: An interface (+ connected IP network) which loses its IF_RUNNING flag (ie unusable for routing) persists in the routing table as a kernel route. Thus rather than responding to a dynamically announced route to this connected network (the connected being unreachable due to the interface being down, but the dynamic offering an alternate path), the box insists on trying to route it out of the broken interface via this ?kernel? sourced route. 
See below example: -- # ifconfig eth0 Link encap:Ethernet HWaddr 00:20:ED:35:D4:C8 inet addr:192.168.0.143 Bcast:192.168.0.191 Mask:255.255.255.192 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 eth1 Link encap:Ethernet HWaddr 00:20:ED:35:D4:C9 inet addr:192.168.0.207 Bcast:192.168.0.255 Mask:255.255.255.192 UP BROADCAST MULTICAST MTU:1500 Metric:1 # ip route show 192.168.0.128/26 dev eth0 proto kernel scope link src 192.168.0.143 192.168.0.192/26 dev eth1 proto kernel scope link src 192.168.0.207 192.168.0.192/26 via 192.168.0.130 dev eth0 proto zebra metric 60 equalize # ping {anything on 192.168.0.192} zilch The path for 192.168.0.192 is learned via 192.168.0.130 (current ospf dr - irrelevant), but it'll never use it presumably (from Cisco experience) because of the kernel sourced directly connected route still sitting in there. Furthermore, if I then IFDOWN eth1, everything is fine but I don't want to do this manually everytime there's an interface problem because that's why we run ospf ! =:D Not sure whether this is a driver tells the kernel or a kernel checks the driver at {n} intervals issue - I would suggest the former would be more correct, but it is a problem regardless. Maybe it's just these Intel drivers ? :/ Thanks for your time, Shaun Kemp. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: cfg80211 take 7
Am Freitag, 6. Oktober 2006 16:59 schrieben Sie: anyway, it's getting large, so... straight from quilt: http://johannes.sipsolutions.net/files/cfg80211/ nice work! Is there any possibility to limit the card to a specific band (e.g. 802.11 a/b/g) using cfg80211? I'm asking because I haven't seen code to accomplish this in cfg80211, but I maybe wrong. Many drivers implement this feature as an iwpriv, and I consider it useful enough (especially when association and roaming is kernel controlled) to justify a generic configuration element. Thoughts? Stefan - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] drivers/net/depca.c: Replacing yield with a better function
The change removes the 'manual' schedule_timeout and replaces it with schedule_timeout_uninterruptible Tested compile only with allmodconfig Signed-off-by: Amol Lad [EMAIL PROTECTED] --- depca.c |6 ++ 1 files changed, 2 insertions(+), 4 deletions(-) --- --- linux-2.6.19-rc1-orig/drivers/net/depca.c 2006-10-05 14:00:47.0 +0530 +++ linux-2.6.19-rc1/drivers/net/depca.c2006-10-09 16:37:13.0 +0530 @@ -738,7 +738,7 @@ static int __init depca_hw_init (struct interrupts. For now we will always get a DMA error. */ if (dev-irq 2) { unsigned char irqnum; - unsigned long irq_mask, delay; + unsigned long irq_mask; irq_mask = probe_irq_on(); @@ -767,9 +767,7 @@ static int __init depca_hw_init (struct /* Trigger an initialization just for the interrupt. */ outw(INEA | INIT, DEPCA_DATA); - delay = jiffies + HZ/50; - while (time_before(jiffies, delay)) - yield(); + schedule_timeout_uninterruptible(jiffies + HZ/50); irqnum = probe_irq_off(irq_mask); - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
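Review bot: `schedule_timeout_uninterruptible()` takes a relative timeout in jiffies, but the new line passes `jiffies + HZ/50`, the absolute expiry that the removed loop compared against. The probe would then sleep for roughly the current jiffies count rather than about 20 ms. The call should read `schedule_timeout_uninterruptible(HZ/50);` (or `msleep(20);`). The commit message says the change was compile-tested only, which would not have exposed this. depca_hw_init() starts and ends outside the hunk.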
Re: cfg80211 take 7
On Mon, 2006-10-09 at 13:22 +0200, Stefan Rompf wrote: nice work! Is there any possibility to limit the card to a specific band (e.g. 802.11 a/b/g) using cfg80211? I'm asking because I haven't seen code to accomplish this in cfg80211, but I maybe wrong. Never really thought about that, so the answer for now is no :) Should be easy to add though if we figure out what exactly we want/need. Many drivers implement this feature as an iwpriv, and I consider it useful enough (especially when association and roaming is kernel controlled) to justify a generic configuration element. Yeah, probably makes sense. Though, maybe not just the band but a set of channels instead? johannes - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: cfg80211 take 7
Am Montag, 9. Oktober 2006 13:49 schrieb Johannes Berg: Yeah, probably makes sense. Though, maybe not just the band but a set of channels instead? Yes, this would allow us to keep the definition of a band out of kernel. But to distinguish between 802.11 b and g, we'd need a set of channels and allowed modulations. I haven't looked at Larry's regulatory domain stuff yet, but maybe band selection could use the same data structure. cfg80211 would then just calculate the intersection of user supplied set and set permitted by regulations. Hopefully there is no country that forbids the user *NOT* to scan a specific channel ;) Stefan - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC] [PATCH 3/3] enable IP multicast when bonding IPoIB devices
Jay Vosburgh wrote: After some reflection, I suspect it wouldn't be all that awful. The main concern is going to be whether or not the existing ifenslave binaries supplied with distros will run with the new version of bonding. Since the new version of bonding that you're proposing is really just relaxing the rules (rather than imposing a different, incompatible set of rules), that's probably not a really big deal. I don't think it would require a revision change to the bonding ifenslave API. Indeed, makes sense, the modified bonding driver would work with old ifenslave binaries. Yes, the long term direction is to have the initscripts configure bonding via sysfs, either directly or via the step of converting ifenslave to a script that uses sysfs. I personally find ifenslave to be more convenient to use than repeated echo whatever /sys/this/that/the/other, but there's no reason that ifenslave couldn't do the various echo things itself under the covers. One drawback to sysfs is that there's no real-time error reporting; you have to look at dmesg to see if your request succeeded or not. I'm not sure offhand if, e.g., adding a sysfs file to bonding for last-request-status is a kosher sysfs thing to do; if it is, then an ifenslave script could check such a thing to figure out error returns. Can you check that with someone around? It seems more logical to me to embed all of the bonding sysfs magic stuff into a separate script, but the maintainers of initscipts or sysconfig may see things differently. The main advantage to either of these (initscripts/sysconfig and/or ifenslave converted to sysfs) is that it eliminates the need to load the bonding driver module multiple times to have more than one bonding device with differing module parameters (because the sysfs interface can create any number of bonding interfaces with arbitrary settings). 
I will look into the current methods used by sysconfig to configure bonding and see if i can come up with sketch of how to do it with sysfs. It's probably easier to first convert ifenslave to a sysfs-using script that the existing initscripts can use. This allows the changes to be published in stages, rather than requiring a single flag day changeover. The first stage changes the bonding driver itself to permit enslavement with the master down (insuring that existing ifenslave binaries supplied with reasonably current distros continue to function). Next, ifenslave is changed to use sysfs (simultaneously removing the adjustment of the master or slave's up/down state during enslavement). The next stage either changes the initscripts/sysconfig to use sysfs directly or change its use of ifenslave to not do multiple loads of the bonding driver. This plan makes much sense! however, this way or another (ie whether sysconfig tools are modified to use sysfs or ifenslave becomes a script that uses sysfs) there should be a change to sysconfig tools (specifically /sbin/ifup) in the place where it first makes the bonding interface UP and only later enslave the slave devices (eg the quote below from /sbin/ifup of sysconfig-0.50.9-13.8 that comes with SLES10) correct? # get up the bonding device before enslaving # if ! is_iface_up $INTERFACE; then ip link set $INTERFACE up 21 # fi # enslave available slave devices; if there is none - hard break and log MESSAGE=`/sbin/ifenslave $BONDING_OPTIONS $INTERFACE $BSINTERFACES 21` So this becomes the forth step on the plan. And the most fragile aspect of the plan is the fact that ***two*** packages need to be changed as /sbin/ifenslave is not part of sysconfig but rather of (eg on SLES10) iputils-ss021109-167.2 Or. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: cfg80211 take 7
Stefan Rompf wrote: Am Montag, 9. Oktober 2006 13:49 schrieb Johannes Berg: Yeah, probably makes sense. Though, maybe not just the band but a set of channels instead? Yes, this would allow us to keep the definition of a band out of kernel. But to distinguish between 802.11 b and g, we'd need a set of channels and allowed modulations. I haven't looked at Larry's regulatory domain stuff yet, but maybe band selection could use the same data structure. cfg80211 would then just calculate the intersection of user supplied set and set permitted by regulations. Hopefully there is no country that forbids the user *NOT* to scan a specific channel ;) Passive scanning is always allowed, AFAIK. Active scanning is a different matter. In the US, no one is allowed to active scan channels 12-14. In addition, there are a number of countries where the regulations prohibit active scanning in some or all of the 5 GHz bands. Larry - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: 2.6.19-rc1: known regressions (v2) - xfrm_register_mode
On Sat, 2006-10-07 at 23:46 +0200, Adrian Bunk wrote: Subject: oops in xfrm_register_mode References : http://lkml.org/lkml/2006/10/4/170 Submitter : Steve Fox [EMAIL PROTECTED] Status : unknown Status: Vivek and Mel have both created patches which fix the boot issue, but it is not clear to me if either of these are acceptable fixes. -- Steve Fox IBM Linux Technology Center - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Exact meaning of rx_bytes and tx_bytes
Hi all, I am wondering what exactly the rx_bytes and tx_bytes values exported under statistics/ in sysfs are supposed to represent. Most popular ethernet drivers (8139too, e100, 3c59x) count the bytes in software, so they only take into account the bytes they actually send and receive. This excludes the 4-byte ethernet CRC if I understand correctly. Other drivers, on the other hand, get the transferred bytes statistics from hardware registers, and these appear to include the 4-byte CRC in the total count. This is the case of sk98lin and e1000, for example. So my question is, which drivers are right? Are we counting the emitted and received bytes at software level or at hardware level? Or do we just not care about the 4-byte/packet difference and both are acceptable? Thanks, -- Jean Delvare Suse L3 - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
RE: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.03
My apologies. The second one is also numbered 1, but has the following distinct subject line: [PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.03: Fix xfrm code I definitely deleted one of them, since I usually get N copies of every single patch posting and two of them looked identical:) I guess this is probably the reason why I don't see the fix in net-2.6.git yet :) I will resend the patchset with the subject titles fixed up since it needs to be in 2.6.19. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.04
This is a bug fix for the MLSXFRM patchset already queued for 2.6.19. This version is just a repost of V.03 with the subject titles fixed up, and the patches ported to davem's net-2.6.git as of today. include/linux/security.h| 24 ++- include/net/flow.h |2 include/net/xfrm.h |3 net/core/flow.c | 42 net/ipv4/xfrm4_policy.c |2 net/ipv6/xfrm6_policy.c |2 net/key/af_key.c|5 - net/xfrm/xfrm_policy.c | 101 ++ net/xfrm/xfrm_user.c|9 -- security/dummy.c|3 security/selinux/include/xfrm.h |3 security/selinux/xfrm.c | 53 --- 12 files changed, 162 insertions(+), 87 deletions(-) - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 3/3] Fix for IPsec leakage with SELinux enabled - V.04: Process security errors for scket policies also
This treats the security errors encountered in the case of socket policy matching, the same as how these are treated in the case of main/sub policies, which is to return a full lookup failure. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- net/xfrm/xfrm_policy.c | 26 ++ 1 file changed, 18 insertions(+), 8 deletions(-) --- net-2.6.leak2/net/xfrm/xfrm_policy.c2006-10-09 10:50:32.0 -0500 +++ net-2.6.leak3/net/xfrm/xfrm_policy.c2006-10-09 10:51:01.0 -0500 @@ -1016,12 +1016,16 @@ static struct xfrm_policy *xfrm_sk_polic sk-sk_family); int err = 0; - if (match) - err = security_xfrm_policy_lookup(pol, fl-secid, policy_to_flow_dir(dir)); - - if (match !err) - xfrm_pol_hold(pol); - else + if (match) { + err = security_xfrm_policy_lookup(pol, fl-secid, + policy_to_flow_dir(dir)); + if (!err) + xfrm_pol_hold(pol); + else if (err == -ESRCH) + pol = NULL; + else + pol = ERR_PTR(err); + } else pol = NULL; } read_unlock_bh(xfrm_policy_lock); @@ -1313,8 +1317,11 @@ restart: pol_dead = 0; xfrm_nr = 0; - if (sk sk-sk_policy[1]) + if (sk sk-sk_policy[1]) { policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); + if (IS_ERR(policy)) + return PTR_ERR(policy); + } if (!policy) { /* To accelerate a bit... */ @@ -1607,8 +1614,11 @@ int __xfrm_policy_check(struct sock *sk, } pol = NULL; - if (sk sk-sk_policy[dir]) + if (sk sk-sk_policy[dir]) { pol = xfrm_sk_policy_lookup(sk, dir, fl); + if (IS_ERR(pol)) + return 0; + } if (!pol) pol = flow_cache_lookup(fl, family, fl_dir, - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
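Review bot: After the first hunk, xfrm_sk_policy_lookup() has three outcomes (a held policy, NULL, or an `ERR_PTR()`), and nothing at the function says so. A caller that tests only `!pol` would treat the error pointer as a valid policy and dereference it. The two callers changed in the later hunks do check `IS_ERR()`, but a comment above the function would keep future callers from missing it, for instance `/* Returns a held policy, NULL if no policy applies (including -ESRCH from the security hook), or ERR_PTR(err) on any other security error; callers must check IS_ERR(). */`. The function's opening lines are outside the hunk.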
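Review bot: In the hunk at the `restart:` label, the new `return PTR_ERR(policy);` leaves the function directly after the socket-policy lookup. If the function's other failure exits go through a shared cleanup path that releases the caller's dst reference, this return skips it and the reference would leak on each such error; that code is outside the hunk, so this is an assumption to confirm. Setting `err = PTR_ERR(policy);` and jumping to the existing cleanup path would match the other exits. In the __xfrm_policy_check() hunk, `return 0;` on `IS_ERR(pol)` fails closed, which is the right direction for a security error.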
Re: [PATCH 0/3] Fix for IPsec leakage with SELinux enabled - V.04
On Mon, 9 Oct 2006, Venkat Yekkirala wrote: This is a bug fix for the MLSXFRM patchset already queued for 2.6.19. This version is just a repost of V.03 with the subject titles fixed up, and the patches ported to davem's net-2.6.git as of today. These are already queued here: http://git.infradead.org/?p=users/jmorris/selinux-2.6.git;a=summary - James -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/3] Fix for IPsec leakage with SELinux enabled - V.04: Fix selinux code
Currently when an IPSec policy rule doesn't specify a security context, it is assumed to be "unlabeled" by SELinux, and so the IPSec policy rule fails to match to a flow that it would otherwise match to, unless one has explicitly added an SELinux policy rule allowing the flow to "polmatch" to the "unlabeled" IPSec policy rules. In the absence of such an explicitly added SELinux policy rule, the IPSec policy rule fails to match and so the packet(s) flow in clear text without the otherwise applicable xfrm(s) applied. The above SELinux behavior violates the SELinux security notion of "deny by default" which should actually translate to "encrypt by default" in the above case. This was first reported by Evgeniy Polyakov and the way James Morris was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. With this patch applied, SELinux "polmatching" of flows vs. IPSec policy rules will only come into play when there's an explicit context specified for the IPSec policy rule (which also means there's corresponding SELinux policy allowing appropriate domains/flows to polmatch to this context). Secondly, when a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return errors other than access denied, such as -EINVAL. We were not handling that correctly, and in fact inverting the return logic and propagating a false "ok" back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The solution for this is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. 
Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). This patch: Fix the selinux side of things. This makes sure SELinux polmatching of flow contexts to IPSec policy rules comes into play only when an explicit context is associated with the IPSec policy rule. Also, this no longer defaults the context of a socket policy to the context of the socket since the no explicit context case is now handled properly. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/security.h| 24 + include/net/xfrm.h |3 + net/ipv4/xfrm4_policy.c |2 - net/ipv6/xfrm6_policy.c |2 - net/key/af_key.c|5 -- net/xfrm/xfrm_policy.c |7 ++- net/xfrm/xfrm_user.c|9 - security/dummy.c|3 + security/selinux/include/xfrm.h |3 + security/selinux/xfrm.c | 53 +++--- 10 files changed, 62 insertions(+), 49 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 9b5fea8..b200b98 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -882,7 +882,8 @@ #ifdef CONFIG_SECURITY * Check permission when a flow selects a xfrm_policy for processing * XFRMs on a packet. The hook is called when selecting either a * per-socket policy or a generic xfrm policy. - * Return 0 if permission is granted. + * Return 0 if permission is granted, -ESRCH otherwise, or -errno + * on other errors. * @xfrm_state_pol_flow_match: * @x contains the state to match. * @xp contains the policy to check for a match. 
@@ -891,6 +892,7 @@ #ifdef CONFIG_SECURITY * @xfrm_flow_state_match: * @fl contains the flow key to match. * @xfrm points to the xfrm_state to match. + * @xp points to the xfrm_policy to match. * Return 1 if there is a match. * @xfrm_decode_session: * @skb points to skb to decode. @@ -1388,7 +1390,8 @@ #ifdef CONFIG_SECURITY_NETWORK_XFRM int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir); int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, struct xfrm_policy *xp, struct flowi *fl); - int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm); + int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm, + struct xfrm_policy *xp); int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); #endif /* CONFIG_SECURITY_NETWORK_XFRM */ @@ -3120,11 +3123,6 @@ static inline int security_xfrm_policy_a return security_ops-xfrm_policy_alloc_security(xp, sec_ctx, NULL); } -static inline int security_xfrm_sock_policy_alloc(struct
[PATCH 2/3] Fix for IPsec leakage with SELinux enabled - V.04: Fix xfrm code
From: James Morris [EMAIL PROTECTED] When a security module is loaded (in this case, SELinux), the security_xfrm_policy_lookup() hook can return an access denied permission (or other error). We were not handling that correctly, and in fact inverting the return logic and propagating a false ok back up to xfrm_lookup(), which then allowed packets to pass as if they were not associated with an xfrm policy. The way I was seeing the problem was when connecting via IPsec to a confined service on an SELinux box (vsftpd), which did not have the appropriate SELinux policy permissions to send packets via IPsec. The first SYNACK would be blocked, because of an uncached lookup via flow_cache_lookup(), which would fail to resolve an xfrm policy because the SELinux policy is checked at that point via the resolver. However, retransmitted SYNACKs would then find a cached flow entry when calling into flow_cache_lookup() with a null xfrm policy, which is interpreted by xfrm_lookup() as the packet not having any associated policy and similarly to the first case, allowing it to pass without transformation. The solution presented here is to first ensure that errno values are correctly propagated all the way back up through the various call chains from security_xfrm_policy_lookup(), and handled correctly. Then, flow_cache_lookup() is modified, so that if the policy resolver fails (typically a permission denied via the security module), the flow cache entry is killed rather than having a null policy assigned (which indicates that the packet can pass freely). This also forces any future lookups for the same flow to consult the security module (e.g. SELinux) for current security policy (rather than, say, caching the error on the flow cache entry). 
Signed-off-by: James Morris [EMAIL PROTECTED] --- include/net/flow.h |2 - net/core/flow.c| 42 net/xfrm/xfrm_policy.c | 68 ++- 3 files changed, 82 insertions(+), 30 deletions(-) --- net-2.6.leak1/include/net/flow.h2006-10-09 08:54:39.0 -0500 +++ net-2.6.leak2/include/net/flow.h2006-10-09 10:50:32.0 -0500 @@ -97,7 +97,7 @@ struct flowi { #define FLOW_DIR_FWD 2 struct sock; -typedef void (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir, +typedef int (*flow_resolve_t)(struct flowi *key, u16 family, u8 dir, void **objp, atomic_t **obj_refp); extern void *flow_cache_lookup(struct flowi *key, u16 family, u8 dir, --- net-2.6.leak1/net/core/flow.c 2006-10-09 08:54:40.0 -0500 +++ net-2.6.leak2/net/core/flow.c 2006-10-09 10:50:32.0 -0500 @@ -85,6 +85,14 @@ static void flow_cache_new_hashrnd(unsig add_timer(flow_hash_rnd_timer); } +static void flow_entry_kill(int cpu, struct flow_cache_entry *fle) +{ + if (fle-object) + atomic_dec(fle-object_ref); + kmem_cache_free(flow_cachep, fle); + flow_count(cpu)--; +} + static void __flow_cache_shrink(int cpu, int shrink_to) { struct flow_cache_entry *fle, **flp; @@ -100,10 +108,7 @@ static void __flow_cache_shrink(int cpu, } while ((fle = *flp) != NULL) { *flp = fle-next; - if (fle-object) - atomic_dec(fle-object_ref); - kmem_cache_free(flow_cachep, fle); - flow_count(cpu)--; + flow_entry_kill(cpu, fle); } } } 
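Review bot: The `flow_resolve_t` typedef in include/net/flow.h changes its return type from void to int without stating the contract the rest of the patch relies on. A short comment above the typedef would cover it, for example `/* Returns 0 on success or a negative errno; on failure *objp and *obj_refp are not set and the result must not be cached. */`. The commit message says a resolver failure must never leave a null policy in the flow cache, since a null policy means the packet passes untransformed, and that is easier to keep true when the typedef says so for other resolvers and callers.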
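Review bot: `flow_entry_kill()` frees the entry and decrements the per-CPU count but does not take the entry off its hash chain, so it is only safe once the caller has unlinked `fle`. The converted caller in `__flow_cache_shrink()` does `*flp = fle->next` before the call; a one-line comment above the helper, such as `/* Caller must already have unlinked fle from its hash chain. */`, would keep a later caller from freeing an entry that is still reachable. The new call site in flow_cache_lookup() is in a following hunk that is cut off on this page.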
@@ -220,24 +225,33 @@ void *flow_cache_lookup(struct flowi *ke nocache: { + int err; void *obj; atomic_t *obj_ref; - resolver(key, family, dir, obj, obj_ref); + err = resolver(key, family, dir, obj, obj_ref); if (fle) { - fle-genid = atomic_read(flow_cache_genid); - - if (fle-object) - atomic_dec(fle-object_ref); - - fle-object = obj; - fle-object_ref = obj_ref; - if (obj) - atomic_inc(fle-object_ref); + if (err) { + /* Force security policy check on next lookup */ + *head = fle-next; + flow_entry_kill(cpu, fle); + } else { + fle-genid = atomic_read(flow_cache_genid); + + if (fle-object) + atomic_dec(fle-object_ref); + + fle-object = obj; + fle-object_ref = obj_ref; + if (obj) +
Re: Marvell 88E8001 - WoL - GigaBitSwitch
On Mon, 9 Oct 2006 15:27:32 +0200 TiVi [EMAIL PROTECTED] wrote: Hello Stephen, thanks for response. Sorry for lag in posting. I was ill. Short description of my problem: My machine has an onboard NIC (Marvell 88E8001). I am running Debian Sarge (Kernel 2.6.16). skge is loaded. I use ethtool to set WoL by MagicPacket. Unfortunately, the machine is not waking up if it is connected to my gigabit switch. BTW, I could do some testing with three different gigabit switches. Using direct, old 10MBit Hub or 10/100 MBit Switch connection, the machine always wakes up. If I shutdown the machine using WinXP, the machine is waking up although it is connected to the gigabit switch. Could not test sk98lin driver. Not easy to me. If needed I will try. Regards, Per WOL is not working yet with skge. I would try sk98lin to see if that works. Tell me if it does, that will help in fixing skge. -- Stephen Hemminger [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[patch 1/3] d80211: use FCS_LEN instead of hardcoded number.
Signed-off-by: David Kimdon [EMAIL PROTECTED] Index: wireless-dev/net/d80211/ieee80211.c === --- wireless-dev.orig/net/d80211/ieee80211.c +++ wireless-dev/net/d80211/ieee80211.c @@ -451,7 +451,7 @@ ieee80211_tx_h_fragment(struct ieee80211 hdrlen = ieee80211_get_hdrlen(tx-fc); payload_len = first-len - hdrlen; - per_fragm = frag_threshold - hdrlen - 4 /* FCS */; + per_fragm = frag_threshold - hdrlen - FCS_LEN; num_fragm = (payload_len + per_fragm - 1) / per_fragm; frags = kzalloc(num_fragm * sizeof(struct sk_buff *), GFP_ATOMIC); @@ -1103,7 +1103,7 @@ __ieee80211_tx_prepare(struct ieee80211_ control-no_ack = is_multicast_ether_addr(hdr-addr1); tx-fragmented = local-fragmentation_threshold IEEE80211_MAX_FRAG_THRESHOLD tx-u.tx.unicast - skb-len + 4 /* FCS */ local-fragmentation_threshold + skb-len + FCS_LEN local-fragmentation_threshold (!local-hw-set_frag_threshold); if (!tx-sta) control-clear_dst_mask = 1; -- - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [GIT PATCH] NET: Fixes for net-2.6.19
On Fri, 29 Sep 2006 10:59:45 +0900 Masahide NAKAMURA [EMAIL PROTECTED] wrote: David Miller wrote: commit 0844565fb8a9418f5a860aa480c1aef70319c9a2 Author: Thomas Graf [EMAIL PROTECTED] Date: Fri Aug 4 23:05:56 2006 -0700 [NET]: Move netlink interface bits to linux/if.h Signed-off-by: Thomas Graf [EMAIL PROTECTED] Signed-off-by: David S. Miller [EMAIL PROTECTED] Stephen, we just removed the troublesome bits from linux/if.h when I put in Yoshifuji's patches last night, it should explicitly remove this problem. You will thus see that linux/rtnetlink.h no longer includes linux/if.h, which is why your errors were completely perplexing to me. Instead, it includes linux/if_link.h It's been in my tree since last night, and if you had used the rtnetlink.h from my current tree you wouldn't have seen the error. Yes, as David mentioned you need to copy the latest rtnetlink.h at first. It is also required to be added if_{link,addr}.h, neighbour.h to iproute2 tree. Some macros may be needed for libnetlink.h, too. I'll send the patch to you if you haven't started on it. Regards, Since the rtnetlink changes for 2.6.19, broke the GLIBC build, I am going to wait until that gets straightened out first. -- Stephen Hemminger [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Exact meaning of rx_bytes and tx_bytes
On Mon, 9 Oct 2006 17:39:02 +0200 Jean Delvare [EMAIL PROTECTED] wrote: Hi all, I am wondering what exactly the rx_bytes and tx_bytes values exported under statistics/ in sysfs are supposed to represent. Most popular ethernet drivers (8139too, e100, 3c59x) count the bytes in software, so they only take into account the bytes they actually send and receive. This excludes the 4-byte ethernet CRC if I understand correctly. Other drivers, on the other hand, get the transfered bytes statistics from hardware registers, and these appear to include the 4-byte CRC in the total count. This is the case of sk98lin and e1000, for example. So my question is, which drivers are right? Are we counting the emitted and received bytes at software level or at hardware level? Or do we just not care about the 4-byte/packet difference and both are acceptable? Thanks, Does it really mater that much, unless you are charging people per byte. -- Stephen Hemminger [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: 2.6.19-rc1: known regressions (v2) - xfrm_register_mode
On Mon, 9 Oct 2006, Steve Fox wrote: On Sat, 2006-10-07 at 23:46 +0200, Adrian Bunk wrote: Subject: oops in xfrm_register_mode References : http://lkml.org/lkml/2006/10/4/170 Submitter : Steve Fox [EMAIL PROTECTED] Status : unknown Status: Vivek and Mel have both created patches which fix the boot issue, but it is not clear to me if either of these are acceptable fixes. I suggest taking Vivek's. -- Mel Gorman Part-time Phd Student Linux Technology Center University of Limerick IBM Dublin Software Lab - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: cfg80211 take 7
FYI, all three patches mentioned as possibly required by the nl80211 patchset in the header of nl80211.patch are already in wireless-dev: http://marc.theaimsgroup.com/?l=linux-netdevm=115625436628696w=2 (Introduces NLA_NUL_STRING) http://marc.theaimsgroup.com/?l=linux-netdevm=115625168405439w=2 (Convert existing NLA_STRING attributes to use the new validation features) http://marc.theaimsgroup.com/?l=linux-netdevm=115650333420169w=2 (remove value argument from NLA_PUT_FLAG) I also updated the patchset a bit to apply to current wireless-dev. I will send that to Johannes directly. On Fri, Oct 06, 2006 at 04:59:50PM +0200, Johannes Berg wrote: Hah, take 6 was eaten by netdev (even the announcement) but it did reach some people (and before those who did get it wonder: I resent to netdev, the original mail was accidentally not addressed to netdev, so it's not that I simply didn't send it). anyway, it's getting large, so... straight from quilt: http://johannes.sipsolutions.net/files/cfg80211/ order is: nl80211.patch move-wext.patch wext-compat.patch johannes - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 02/11] secid reconciliation: Add LSM hooks
From: Venkat Yekkirala [EMAIL PROTECTED] Add skb_policy_check and skb_netfilter_check hooks to LSM to enable reconciliation of the various security identifiers as well as enforce flow control on inbound (PREROUTING/INPUT) and outbound (OUTPUT/FORWARD/POSTROUTING) traffic. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/security.h | 41 - security/dummy.c | 13 + 2 files changed, 53 insertions(+), 1 deletion(-) Index: net-2.6_secidfinal/include/linux/security.h === --- net-2.6_secidfinal.orig/include/linux/security.h +++ net-2.6_secidfinal/include/linux/security.h @@ -828,6 +828,15 @@ struct request_sock; * Sets the new child socket's sid to the openreq sid. * @req_classify_flow: * Sets the flow's sid to the openreq sid. + * @skb_flow_in: + * Checks to see if security policy would allow skb into the system + * while also reconciling the xfrm secid, cipso, etc, if any, and + * relabeling the skb with the reconciled secid. + * Returns 1 if skb allowed into system, 0 otherwise. + * @skb_flow_out: + * Checks to see if security policy would allow skb to go out of system. + * Returns 1 if skb allowed out of system, 0 if not, and -ENOENT if there's + * no hook defined. * * Security hooks for XFRM operations. * @@ -1372,6 +1381,8 @@ struct security_operations { struct request_sock *req); void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl); + int (*skb_flow_in)(struct sk_buff *skb, unsigned short family); + int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM 
@@ -2947,6 +2958,18 @@ static inline void security_req_classify security_ops-req_classify_flow(req, fl); } +static inline int security_skb_flow_in(struct sk_buff *skb, + unsigned short family) +{ + return security_ops-skb_flow_in(skb, family); +} + +static inline int security_skb_flow_out(struct sk_buff *skb, + u32 nf_secid) +{ + return security_ops-skb_flow_out(skb, nf_secid); +} + static inline void security_sock_graft(struct sock* sk, struct socket *parent) { security_ops-sock_graft(sk, parent); @@ -3098,6 +3121,18 @@ static inline void security_req_classify { } +static inline int security_skb_flow_in(struct sk_buff *skb, + unsigned short family) +{ + return 1; +} + +static inline int security_skb_flow_out(struct sk_buff *skb, + u32 nf_secid) +{ + return -ENOENT; +} + static inline void security_sock_graft(struct sock* sk, struct socket *parent) { } @@ -3151,7 +3186,11 @@ static inline int security_xfrm_state_al { if (!polsec) return 0; - return security_ops-xfrm_state_alloc_security(x, NULL, polsec, secid); + /* +* No need to pass polsec along since we want the context to be +* taken from secid which is usually from the sock. +*/ + return security_ops-xfrm_state_alloc_security(x, NULL, NULL, secid); } static inline int security_xfrm_state_delete(struct xfrm_state *x) Index: net-2.6_secidfinal/security/dummy.c === --- net-2.6_secidfinal.orig/security/dummy.c +++ net-2.6_secidfinal/security/dummy.c @@ -832,6 +832,17 @@ static inline void dummy_req_classify_fl struct flowi *fl) { } + +static inline int dummy_skb_flow_in(struct sk_buff *skb, + unsigned short family) +{ + return -ENOENT; +} + +static inline int dummy_skb_flow_out(struct sk_buff *skb, u32 nf_secid) +{ + return -ENOENT; +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM 
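Review bot: `dummy_skb_flow_in()` in security/dummy.c returns -ENOENT, but the hook comment this patch adds to security.h documents skb_flow_in as returning only 1 (allowed) or 0 (not allowed), and the !CONFIG_SECURITY_NETWORK stub of `security_skb_flow_in()` returns 1. A caller that tests the result as a boolean will treat -ENOENT, and any other negative errno a module returns, as "allowed", while a caller that tests for exactly 1 will reject everything when no module implements the hook. Either make the dummy `return 1;` or extend the comment to `Returns 1 if skb allowed into system, 0 otherwise, and -ENOENT if there's no hook defined.` and have callers handle negative values explicitly. The same applies where patch 03/11 assigns the hook result straight to `ret` in xfrm_policy_check().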
@@ -1108,6 +1119,8 @@ void security_fixup_ops (struct security set_to_dummy_if_null(ops, inet_conn_request); set_to_dummy_if_null(ops, inet_csk_clone); set_to_dummy_if_null(ops, req_classify_flow); + set_to_dummy_if_null(ops, skb_flow_in); + set_to_dummy_if_null(ops, skb_flow_out); #endif/* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM set_to_dummy_if_null(ops, xfrm_policy_alloc_security); -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 04/11] secid reconciliation: Invoke LSM hook for outbound traffic
From: Venkat Yekkirala [EMAIL PROTECTED] Invoke the skb_flow_out LSM hook for outbound traffic for secid reconciliation and flow control. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- net/netfilter/xt_CONNSECMARK.c | 72 --- net/netfilter/xt_SECMARK.c | 45 ++- 2 files changed, 100 insertions(+), 17 deletions(-) diff --git a/net/netfilter/xt_CONNSECMARK.c b/net/netfilter/xt_CONNSECMARK.c index 4673862..cca4a0c 100644 --- a/net/netfilter/xt_CONNSECMARK.c +++ b/net/netfilter/xt_CONNSECMARK.c @@ -17,6 +17,8 @@ */ #include linux/module.h #include linux/skbuff.h +#include linux/security.h +#include linux/netfilter_ipv6.h #include linux/netfilter/x_tables.h #include linux/netfilter/xt_CONNSECMARK.h #include net/netfilter/nf_conntrack_compat.h 
@@ -29,38 +31,78 @@ MODULE_DESCRIPTION(ip[6]tables CONNSECM MODULE_ALIAS(ipt_CONNSECMARK); MODULE_ALIAS(ip6t_CONNSECMARK); +static inline int outbound(unsigned short family, unsigned int hooknum) +{ + if ((family == AF_INET + (hooknum == NF_IP_POST_ROUTING || +hooknum == NF_IP_LOCAL_OUT || +hooknum == NF_IP_FORWARD)) || + (family == AF_INET6 + (hooknum == NF_IP6_POST_ROUTING || +hooknum == NF_IP6_LOCAL_OUT || +hooknum == NF_IP6_FORWARD))) + return 1; + else + return 0; +} + /* * If the packet has a security mark and the connection does not, copy * the security mark from the packet to the connection. */ -static void secmark_save(struct sk_buff *skb) +static void secmark_save(struct sk_buff *skb, unsigned int hooknum) { if (skb-secmark) { u32 *connsecmark; enum ip_conntrack_info ctinfo; connsecmark = nf_ct_get_secmark(skb, ctinfo); - if (connsecmark !*connsecmark) + if (connsecmark) if (*connsecmark != skb-secmark) *connsecmark = skb-secmark; } } /* - * If packet has no security mark, and the connection does, restore the - * security mark from the connection to the packet. + * On the inbound, restore the security mark from the connection to the packet. + * On the outbound, filter based on the current secmark. 
*/ -static void secmark_restore(struct sk_buff *skb) +static unsigned int secmark_restore(struct sk_buff *skb, unsigned int hooknum, + const struct net_device *in, unsigned short family) { - if (!skb-secmark) { - u32 *connsecmark; - enum ip_conntrack_info ctinfo; - - connsecmark = nf_ct_get_secmark(skb, ctinfo); - if (connsecmark *connsecmark) - if (skb-secmark != *connsecmark) - skb-secmark = *connsecmark; + u32 *psecmark; + enum ip_conntrack_info ctinfo; + + psecmark = nf_ct_get_secmark(skb, ctinfo); + + if (psecmark *psecmark) { + + /* Set secmark on inbound and filter it on outbound */ + if (outbound(family, hooknum)) { + int err; + + err = security_skb_flow_out(skb, *psecmark); + if (!err) + return NF_DROP; + } else + /* +* inbound: +* loopback traffic should already be labeled +* and any filtering on outbound should suffice +*/ + if (in == loopback_dev) + goto out; + + /* +* inbound or done with outbound check or no LSM hook +* for outbound +*/ + if (skb-secmark != *psecmark) + skb-secmark = *psecmark; } + +out: + return XT_CONTINUE; } static unsigned int target(struct sk_buff **pskb, const struct net_device *in, @@ -73,11 +115,11 @@ static unsigned int target(struct sk_buf switch (info-mode) { case CONNSECMARK_SAVE: - secmark_save(skb); + secmark_save(skb, hooknum); break; case CONNSECMARK_RESTORE: - secmark_restore(skb); + return secmark_restore(skb, hooknum, in, target-family); break; default: diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c index add7521..9ecce66 100644 --- a/net/netfilter/xt_SECMARK.c +++ b/net/netfilter/xt_SECMARK.c @@ -15,8 +15,10 @@ #include linux/module.h #include linux/skbuff.h #include linux/selinux.h +#include linux/security.h #include linux/netfilter/x_tables.h #include linux/netfilter/xt_SECMARK.h +#include linux/netfilter_ipv6.h MODULE_LICENSE(GPL); MODULE_AUTHOR(James Morris [EMAIL PROTECTED]); @@ -28,6 +30,21 @@ #define PFX
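Review bot: In `secmark_restore()` the outbound branch drops only when `security_skb_flow_out()` returns exactly 0, so every negative return is handled like -ENOENT ("no hook") and the packet continues with the connection's mark applied. If a module can return another errno from skb_flow_out (not visible here), that path fails open; `if (err <= 0 && err != -ENOENT) return NF_DROP;` keeps the no-hook case and drops on real errors. Naming the variable `allowed` rather than `err` would also match the 1/0 convention documented for the hook. Separately, the comment above `secmark_save()` still says the mark is copied only when the connection has none, which the new `if (connsecmark)` condition no longer does.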
[PATCH 03/11] secid reconciliation: Invoke LSM hook for inbound traffic
From: Venkat Yekkirala [EMAIL PROTECTED] Invoke the skb_flow_in LSM hook for inbound traffic for secid reconciliation and flow control. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/net/xfrm.h | 45 +-- 1 file changed, 22 insertions(+), 23 deletions(-) diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 11e0b1d..8f9c184 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h @@ -675,22 +675,18 @@ extern int __xfrm_policy_check(struct so static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) { - if (sk sk-sk_policy[XFRM_POLICY_IN]) - return __xfrm_policy_check(sk, dir, skb, family); - - return (!xfrm_policy_count[dir] !skb-sp) || - (skb-dst-flags DST_NOPOLICY) || - __xfrm_policy_check(sk, dir, skb, family); -} - -static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) -{ - return xfrm_policy_check(sk, dir, skb, AF_INET); -} + int ret; -static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) -{ - return xfrm_policy_check(sk, dir, skb, AF_INET6); + if (sk sk-sk_policy[XFRM_POLICY_IN]) + ret = __xfrm_policy_check(sk, dir, skb, family); + else + ret = (!xfrm_policy_count[dir] !skb-sp) || + (skb-dst-flags DST_NOPOLICY) || + __xfrm_policy_check(sk, dir, skb, family); + + if (ret) + ret = security_skb_flow_in(skb, family); + return ret; } extern int xfrm_decode_session(struct sk_buff *skb, struct flowi *fl, unsigned short family); 
@@ -742,19 +738,22 @@ static inline void xfrm_sk_free_policy(s static inline int xfrm_sk_clone_policy(struct sock *sk) { return 0; } static inline int xfrm6_route_forward(struct sk_buff *skb) { return 1; } static inline int xfrm4_route_forward(struct sk_buff *skb) { return 1; } -static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) -{ - return 1; -} +static inline int xfrm_policy_check(struct sock *sk, int dir, + struct sk_buff *skb, unsigned short family) +{ + return security_skb_flow_in(skb, family); +} +#endif + static inline int xfrm4_policy_check(struct sock *sk, int dir, struct sk_buff *skb) { - return 1; + return xfrm_policy_check(sk, dir, skb, AF_INET); } -static inline int xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, unsigned short family) + +static inline int xfrm6_policy_check(struct sock *sk, int dir, struct sk_buff *skb) { - return 1; + return xfrm_policy_check(sk, dir, skb, AF_INET6); } -#endif static __inline__ xfrm_address_t *xfrm_flowi_daddr(struct flowi *fl, unsigned short family) -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 11/11] secid reconciliation: support for NetLabel
From: Paul Moore [EMAIL PROTECTED] This patch provides the missing NetLabel support to the secid reconciliation patchset. This includes a change to the security_skb_flow_in() LSM hook to indicate if the hook is in the forwarding path and a change to netlbl_skbuff_err() to carry the forwarding information to the lower protocol level. This was required to meet the CIPSO specifications regarding handling permission denied errors. Signed-off-by: Paul Moore [EMAIL PROTECTED] --- include/linux/security.h| 10 +- include/net/netlabel.h |6 - include/net/xfrm.h |4 net/netlabel/netlabel_kapi.c|5 - security/dummy.c|3 security/selinux/hooks.c| 139 +++- security/selinux/include/objsec.h |1 security/selinux/include/selinux_netlabel.h | 34 ++ security/selinux/ss/services.c | 124 9 files changed, 153 insertions(+), 173 deletions(-) Index: net-2.6_secidfinal/include/linux/security.h === --- net-2.6_secidfinal.orig/include/linux/security.h +++ net-2.6_secidfinal/include/linux/security.h @@ -1385,7 +1385,7 @@ struct security_operations { void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb); void (*igmp_classify_skb)(struct sk_buff *skb); - int (*skb_flow_in)(struct sk_buff *skb, unsigned short family); + int (*skb_flow_in)(struct sk_buff *skb, unsigned short family, u32 fwd); int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid, const struct net_device *out, unsigned short family); #endif /* CONFIG_SECURITY_NETWORK */ @@ -2964,9 +2964,10 @@ static inline void security_igmp_classif } static inline int security_skb_flow_in(struct sk_buff *skb, - unsigned short family) + unsigned short family, + u32 fwd) { - return security_ops-skb_flow_in(skb, family); + return security_ops-skb_flow_in(skb, family, fwd); } static inline int security_skb_flow_out(struct sk_buff *skb, 
@@ -3134,7 +3135,8 @@ static inline void security_igmp_classif } static inline int security_skb_flow_in(struct sk_buff *skb, - unsigned short family) + unsigned short family, + u32 fwd) { return 1; } Index: net-2.6_secidfinal/include/net/netlabel.h === --- net-2.6_secidfinal.orig/include/net/netlabel.h +++ net-2.6_secidfinal/include/net/netlabel.h @@ -237,7 +237,7 @@ int netlbl_socket_getattr(const struct s struct netlbl_lsm_secattr *secattr); int netlbl_skbuff_getattr(const struct sk_buff *skb, struct netlbl_lsm_secattr *secattr); -void netlbl_skbuff_err(struct sk_buff *skb, int error); +void netlbl_skbuff_err(struct sk_buff *skb, int error, u32 gateway); #else static inline int netlbl_socket_setattr(const struct socket *sock, const struct netlbl_lsm_secattr *secattr) @@ -263,7 +263,9 @@ static inline int netlbl_skbuff_getattr( return -ENOSYS; } -static inline void netlbl_skbuff_err(struct sk_buff *skb, int error) +static inline void netlbl_skbuff_err(struct sk_buff *skb, +int error, +u32 gateway) { return; } Index: net-2.6_secidfinal/include/net/xfrm.h === --- net-2.6_secidfinal.orig/include/net/xfrm.h +++ net-2.6_secidfinal/include/net/xfrm.h @@ -685,7 +685,9 @@ static inline int xfrm_policy_check(stru __xfrm_policy_check(sk, dir, skb, family); if (ret) - ret = security_skb_flow_in(skb, family); + ret = security_skb_flow_in(skb, + family, + dir == XFRM_POLICY_FWD ? 1 : 0); return ret; } Index: net-2.6_secidfinal/net/netlabel/netlabel_kapi.c === --- net-2.6_secidfinal.orig/net/netlabel/netlabel_kapi.c +++ net-2.6_secidfinal/net/netlabel/netlabel_kapi.c @@ -159,6 +159,7 @@ int netlbl_skbuff_getattr(const struct s * netlbl_skbuff_err - Handle a LSM error on a sk_buff * @skb: the packet * @error: the error code + * @gateway: true if the packet is being forwarded and not consumed locally * * Description: * Deal with a LSM problem when handling the packet in @skb, typically this is @@ -166,10 +167,10 @@ int
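Review bot: Only the CONFIG_XFRM variant of `xfrm_policy_check()` is updated for the new three-argument `security_skb_flow_in()`; the diffstat gives include/net/xfrm.h four changed lines and this one hunk accounts for all of them. If the stub that patch 03/11 added for the non-XFRM build (`return security_skb_flow_in(skb, family);`) is still present at this point in the series, it no longer compiles and needs the third argument, e.g. `return security_skb_flow_in(skb, family, dir == XFRM_POLICY_FWD ? 1 : 0);`. The flag is also called `fwd` in security.h and `gateway` in netlabel.h, and is a `u32` carrying a boolean; one name for both would make the forwarding path easier to follow. xfrm_policy_check() begins outside the hunk.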
[PATCH 01/11] secid reconciliation: new SELinux flask definitions
From: Venkat Yekkirala [EMAIL PROTECTED] This patchset helps with leveraging secmark in defining fine-grained security check points with support for a. a default place holder domain defined using secmark for each of the check points and b. flow control and reconciliation of domains entering/leaving the system. The reconciliation steps for SELinux are explained in the Labeled Networking document at: http://marc.theaimsgroup.com/?l=linux-netdevm=115136637800361w=2 Also please refer to the discussion at: http://marc.theaimsgroup.com/?l=selinuxm=115885031311565w=2 The following are the identifiers handled here: 1. secmark on the skb 2. xfrm security identifier associated with the skb if it used any xfrms, a zero secid otherwise. The following features are included: - Retain secmark (from the originating socket/flow) on loopback traffic; this traffic is now flow controlled on the outbound only. - When multiple iptables labeling rules are present (e.g.: both on PREROUTING and INPUT) INBOUND: The label in the last rule will prevail. OUTBOUND: secmark (from the originating socket) is flow-controlled against the label on the first rule, and, if it passes, the label on the first rule overrides the secmark (from the originating socket). This secmark is flow controlled against labels on the subsequent rules, each time, overridden by those labels. - Forwarded packets: The FORWARD chain is treated as an outbound chain for flow control purposes. e.g: label with PREROUTING and flow-control with FORWARD or POSTROUTING. - SELinux postroute_last hook: unfortunately, the secmark Vs. UNLABELED SID check will be done for ALL traffic (couldn't figure out a way to except traffic already processed by (CONN)SECMARK outbound rules). This patch: Add new flask definitions to SELinux Adds a new avperm flow_in to arbitrate among the identifiers on the inbound (input/forward). 
Also adds a new avperm flow_out to enable flow control checks on the outbound (output/forward), addressed in this patch as well. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- security/selinux/include/av_perm_to_string.h |2 ++ security/selinux/include/av_permissions.h|2 ++ 2 files changed, 4 insertions(+) diff --git a/security/selinux/include/av_perm_to_string.h b/security/selinux/include/av_perm_to_string.h index 09fc8a2..1e65d28 100644 --- a/security/selinux/include/av_perm_to_string.h +++ b/security/selinux/include/av_perm_to_string.h @@ -245,6 +245,8 @@ S_(SECCLASS_PACKET, PACKET__SEND, send) S_(SECCLASS_PACKET, PACKET__RECV, recv) S_(SECCLASS_PACKET, PACKET__RELABELTO, relabelto) + S_(SECCLASS_PACKET, PACKET__FLOW_IN, flow_in) + S_(SECCLASS_PACKET, PACKET__FLOW_OUT, flow_out) S_(SECCLASS_KEY, KEY__VIEW, view) S_(SECCLASS_KEY, KEY__READ, read) S_(SECCLASS_KEY, KEY__WRITE, write) diff --git a/security/selinux/include/av_permissions.h b/security/selinux/include/av_permissions.h index 81f4f52..2faf3d8 100644 --- a/security/selinux/include/av_permissions.h +++ b/security/selinux/include/av_permissions.h @@ -962,6 +962,8 @@ #define APPLETALK_SOCKET__NAME_BIND #define PACKET__SEND 0x0001UL #define PACKET__RECV 0x0002UL #define PACKET__RELABELTO 0x0004UL +#define PACKET__FLOW_IN 0x0008UL +#define PACKET__FLOW_OUT 0x0010UL #define KEY__VIEW 0x0001UL #define KEY__READ 0x0002UL -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 09/11] secid reconciliation: Track peersecid at connection establishment
From: Venkat Yekkirala [EMAIL PROTECTED] This tracks the peer's secid at connection establishment time for clients, for later retrieval using SO_PEERSEC. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/security.h | 14 ++ net/ipv4/tcp_input.c |2 ++ security/dummy.c |6 ++ security/selinux/hooks.c |9 + 4 files changed, 31 insertions(+) Index: net-2.6_secidfinal/include/linux/security.h === --- net-2.6_secidfinal.orig/include/linux/security.h +++ net-2.6_secidfinal/include/linux/security.h @@ -826,6 +826,8 @@ struct request_sock; * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid. * @inet_csk_clone: * Sets the new child socket's sid to the openreq sid. + * @inet_conn_established: + * Sets the connection's peersid to the secmark on skb. * @req_classify_flow: * Sets the flow's sid to the openreq sid. * @skb_flow_in: @@ -1380,6 +1382,7 @@ struct security_operations { int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb, struct request_sock *req); void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); + void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb); void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl); int (*skb_flow_in)(struct sk_buff *skb, unsigned short family); int (*skb_flow_out)(struct sk_buff *skb, u32 nf_secid); @@ -2986,6 +2989,12 @@ static inline void security_inet_csk_clo { security_ops-inet_csk_clone(newsk, req); } + +static inline void security_inet_conn_established(struct sock *sk, + struct sk_buff *skb) +{ + security_ops-inet_conn_established(sk, skb); +} #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct socket * sock, struct socket * other, 
@@ -3147,6 +3156,11 @@ static inline void security_inet_csk_clo const struct request_sock *req) { } + +static inline void security_inet_conn_established(struct sock *sk, + struct sk_buff *skb) +{ +} #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM Index: net-2.6_secidfinal/net/ipv4/tcp_input.c === --- net-2.6_secidfinal.orig/net/ipv4/tcp_input.c +++ net-2.6_secidfinal/net/ipv4/tcp_input.c @@ -4230,6 +4230,8 @@ static int tcp_rcv_synsent_state_process mb(); tcp_set_state(sk, TCP_ESTABLISHED); + security_inet_conn_established(sk, skb); + /* Make sure socket is routed, for correct metrics. */ icsk-icsk_af_ops-rebuild_header(sk); Index: net-2.6_secidfinal/security/dummy.c === --- net-2.6_secidfinal.orig/security/dummy.c +++ net-2.6_secidfinal/security/dummy.c @@ -828,6 +828,11 @@ static inline void dummy_inet_csk_clone( { } +static inline void dummy_inet_conn_established(struct sock *sk, + struct sk_buff *skb) +{ +} + static inline void dummy_req_classify_flow(const struct request_sock *req, struct flowi *fl) { @@ -1118,6 +1123,7 @@ void security_fixup_ops (struct security set_to_dummy_if_null(ops, sock_graft); set_to_dummy_if_null(ops, inet_conn_request); set_to_dummy_if_null(ops, inet_csk_clone); + set_to_dummy_if_null(ops, inet_conn_established); set_to_dummy_if_null(ops, req_classify_flow); set_to_dummy_if_null(ops, skb_flow_in); set_to_dummy_if_null(ops, skb_flow_out); Index: net-2.6_secidfinal/security/selinux/hooks.c === --- net-2.6_secidfinal.orig/security/selinux/hooks.c +++ net-2.6_secidfinal/security/selinux/hooks.c @@ -3683,6 +3683,14 @@ static void selinux_inet_csk_clone(struc selinux_netlbl_sk_security_init(newsksec, req-rsk_ops-family); } +static void selinux_inet_conn_established(struct sock *sk, + struct sk_buff *skb) +{ + struct sk_security_struct *sksec = sk-sk_security; + + sksec-peer_sid = skb-secmark; +} + static void selinux_req_classify_flow(const struct request_sock *req, struct flowi *fl) { 
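Review bot: `selinux_inet_conn_established()` in the security/selinux/hooks.c hunk stores `skb->secmark` into `sksec->peer_sid` unconditionally, with no `selinux_compat_net` test, although the enforcement patch of this series reads secmark as a peer label only when compat mode is off. If secmark is not a reconciled peer label in compat mode (it would then be whatever a SECMARK rule assigned, or unset), a client's SO_PEERSEC could report a packet label as the peer's context. Consider guarding the store, `if (!selinux_compat_net) sksec->peer_sid = skb->secmark;`, and adding a comment above the function saying which label the client side is meant to see in each mode.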
@@ -4815,6 +4823,7 @@ static struct security_operations selinu .sock_graft = selinux_sock_graft, .inet_conn_request =selinux_inet_conn_request, .inet_csk_clone = selinux_inet_csk_clone, + .inet_conn_established =selinux_inet_conn_established, .req_classify_flow =selinux_req_classify_flow,
[PATCH 07/11] secid reconciliation: Enforcement for SELinux
From: Venkat Yekkirala [EMAIL PROTECTED] This defines SELinux enforcement of the 2 new LSM hooks as well as related changes elsewhere in the SELinux code. This also now keeps track of the peersid thru the establishment of a connection on the server (tracking peersid on the client is covered later in this patch set). Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- security/selinux/hooks.c| 151 +++- security/selinux/include/xfrm.h | 11 +- security/selinux/xfrm.c | 66 +++-- 3 files changed, 152 insertions(+), 76 deletions(-) Index: net-2.6_secidfinal/security/selinux/hooks.c === --- net-2.6_secidfinal.orig/security/selinux/hooks.c +++ net-2.6_secidfinal/security/selinux/hooks.c @@ -3461,8 +3461,12 @@ static int selinux_sock_rcv_skb_compat(s err = avc_has_perm(sock_sid, port_sid, sock_class, recv_perm, ad); + if (err) + goto out; } + err = selinux_xfrm_sock_rcv_skb(sock_sid, skb, ad); + out: return err; } @@ -3501,10 +3505,6 @@ static int selinux_socket_sock_rcv_skb(s goto out; err = selinux_netlbl_sock_rcv_skb(sksec, skb, ad); - if (err) - goto out; - - err = selinux_xfrm_sock_rcv_skb(sksec-sid, skb, ad); out: return err; } @@ -3517,7 +3517,7 @@ static int selinux_socket_getpeersec_str u32 scontext_len; struct sk_security_struct *ssec; struct inode_security_struct *isec; - u32 peer_sid = 0; + u32 peer_sid; isec = SOCK_INODE(sock)-i_security; @@ -3528,8 +3528,10 @@ static int selinux_socket_getpeersec_str } else if (isec-sclass == SECCLASS_TCP_SOCKET) { peer_sid = selinux_netlbl_socket_getpeersec_stream(sock); - if (peer_sid == SECSID_NULL) - peer_sid = selinux_socket_getpeer_stream(sock-sk); + if (peer_sid == SECSID_NULL) { + ssec = sock-sk-sk_security; + peer_sid = ssec-peer_sid; + } if (peer_sid == SECSID_NULL) { err = -ENOPROTOOPT; goto out; 
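Review bot: Dropping the initializer in `u32 peer_sid;` (selinux_socket_getpeersec_stream) leaves the SID indeterminate unless every socket-class branch assigns it before it is converted to a context; the first branch and the final else lie outside these hunks, so that cannot be confirmed from here. The value is compared with `SECSID_NULL` and ends up in a label handed to user space, so `u32 peer_sid = SECSID_NULL;` is the safer form and costs nothing. The TCP branch now also depends on `ssec->peer_sid` having been set at connection establishment, which deserves a one-line comment at the `ssec = sock->sk->sk_security;` assignment.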
@@ -3562,7 +3564,8 @@ out: return err; } -static int selinux_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +static int selinux_socket_getpeersec_dgram(struct socket *sock, + struct sk_buff *skb, u32 *secid) { u32 peer_secid = SECSID_NULL; int err = 0; @@ -3571,8 +3574,12 @@ static int selinux_socket_getpeersec_dgr selinux_get_inode_sid(SOCK_INODE(sock), peer_secid); else if (skb) { peer_secid = selinux_netlbl_socket_getpeersec_dgram(skb); - if (peer_secid == SECSID_NULL) - peer_secid = selinux_socket_getpeer_dgram(skb); + if (peer_secid == SECSID_NULL) { + if (selinux_compat_net) + peer_secid = selinux_socket_getpeer_dgram(skb); + else + peer_secid = skb-secmark; + } } if (peer_secid == SECSID_NULL) @@ -3640,19 +3647,24 @@ static int selinux_inet_conn_request(str return 0; } - err = selinux_xfrm_decode_session(skb, peersid, 0); - BUG_ON(err); - - if (peersid == SECSID_NULL) { - req-secid = sksec-sid; - return 0; - } + if (selinux_compat_net) { + err = selinux_xfrm_decode_session(skb, peersid, 0); + BUG_ON(err); + + if (peersid == SECSID_NULL) { + req-secid = sksec-sid; + req-peer_secid = 0; + return 0; + } + } else + peersid = skb-secmark; err = security_sid_mls_copy(sksec-sid, peersid, newsid); if (err) return err; req-secid = newsid; + req-peer_secid = peersid; return 0; } @@ -3662,6 +3674,7 @@ static void selinux_inet_csk_clone(struc struct sk_security_struct *newsksec = newsk-sk_security; newsksec-sid = req-secid; + newsksec-peer_sid = req-peer_secid; /* NOTE: Ideally, we should also get the isec-sid for the new socket in sync, but we don't have the isec available yet. So we will wait until sock_graft to do it, by which @@ -3676,6 +3689,67 @@ static void selinux_req_classify_flow(co fl-secid = req-secid; } +static int selinux_skb_flow_in(struct sk_buff *skb, unsigned short family) +{ + u32 xfrm_sid; + int err; + + if (selinux_compat_net) + return 1; + + /* +* loopback traffic already
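Review bot: In the `selinux_inet_conn_request` hunk the `peersid == SECSID_NULL` fallback now sits only inside the `selinux_compat_net` branch, so on the non-compat path a packet whose `skb->secmark` is still 0 reaches `security_sid_mls_copy()` with a null SID. That call presumably fails for an unknown SID, which would turn an unlabeled SYN into a refused connection request instead of the socket-label fallback the compat path keeps. Hoisting the check below the if/else covers both paths, and `SECSID_NULL` is clearer than the literal `0` stored in `req->peer_secid`. The function begins before this hunk.

```c
	if (selinux_compat_net) {
		/* … unchanged: selinux_xfrm_decode_session() call and BUG_ON … */
	} else
		peersid = skb->secmark;

	/* No peer label from either source: keep the listening socket's SID. */
	if (peersid == SECSID_NULL) {
		req->secid = sksec->sid;
		req->peer_secid = SECSID_NULL;
		return 0;
	}
	/* … unchanged: security_sid_mls_copy() and the req->secid / req->peer_secid stores … */
```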
[PATCH 08/11] secid reconciliation: Use secmark when classifying flow using skb
From: Venkat Yekkirala [EMAIL PROTECTED] This beings secmark into the picture when classifying flows using an skb. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/security.h | 10 -- include/linux/skbuff.h | 20 2 files changed, 20 insertions(+), 10 deletions(-) Index: net-2.6_secidfinal/include/linux/security.h === --- net-2.6_secidfinal.orig/include/linux/security.h +++ net-2.6_secidfinal/include/linux/security.h @@ -3224,12 +3224,6 @@ static inline int security_xfrm_decode_s return security_ops-xfrm_decode_session(skb, secid, 1); } -static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) -{ - int rc = security_ops-xfrm_decode_session(skb, fl-secid, 0); - - BUG_ON(rc); -} #else /* CONFIG_SECURITY_NETWORK_XFRM */ static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) { @@ -3298,10 +3292,6 @@ static inline int security_xfrm_decode_s return 0; } -static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) -{ -} - #endif /* CONFIG_SECURITY_NETWORK_XFRM */ #ifdef CONFIG_KEYS Index: net-2.6_secidfinal/include/linux/skbuff.h === --- net-2.6_secidfinal.orig/include/linux/skbuff.h +++ net-2.6_secidfinal/include/linux/skbuff.h @@ -30,6 +30,7 @@ #include net/checksum.h #include linux/dmaengine.h #include net/flow.h +#include linux/security.h #define HAVE_ALLOC_SKB /* For the drivers to know */ #define HAVE_ALIGNABLE_SKB /* Ditto 8)*/ 
@@ -1514,6 +1515,20 @@ static inline void security_flow_classif skb-secmark = fl-secid; } +static inline void security_skb_classify_flow(struct sk_buff *skb, + struct flowi *fl) +{ + /* +* We need to check for xfrm label here since secid reconciliation +* may or may not have happened yet and we want the +* flow to use the best available label. +*/ + int rc = security_xfrm_decode_session(skb, fl-secid); + + if (rc || !fl-secid) + fl-secid = skb-secmark; +} + #else static inline void security_skb_classify_skb(struct sk_buff *from, @@ -1526,6 +1541,11 @@ static inline void security_flow_classif { } +static inline void security_skb_classify_flow(struct sk_buff *skb, + struct flowi *fl) +{ +} + #endif /* CONFIG_SECURITY_NETWORK */ #endif /* __KERNEL__ */ -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
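Review bot: The new `security_skb_classify_flow()` in the skbuff.h hunk treats a failing `security_xfrm_decode_session()` exactly like "no xfrm label" and silently falls back to `skb->secmark`, where the removed version did `BUG_ON(rc)`. The wrapper it now calls passes 1 as the last argument (visible in the security.h context line) where the old code passed 0; if that flag requests checking of all states, a non-zero `rc` may mean the packet carried inconsistent labels, yet the flow is still classified. With the non-XFRM stub that only returns 0, `!fl->secid` also tests a value the call never wrote, so the function relies on callers zeroing the flowi. Stating both assumptions in the existing comment, or adding `fl->secid = 0;` before the call, would make the fallback explicit.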
[PATCH 05/11] secid reconciliation: Label locally generated IPv6 traffic
From: Venkat Yekkirala [EMAIL PROTECTED] This labels the skb(s) for locally generated IPv6 traffic. This will be used in pertinent flow control checks on the outbound later in the LSM hook. NOTE: Forwarded traffic is already labeled with the reconciled secmark on the inbound. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/skbuff.h | 29 + net/ipv6/ip6_output.c|5 + net/ipv6/netfilter/ip6t_REJECT.c |2 ++ 3 files changed, 36 insertions(+) diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h index 85577a4..18967f2 100644 --- a/include/linux/skbuff.h +++ b/include/linux/skbuff.h @@ -29,6 +29,7 @@ #include linux/net.h #include linux/textsearch.h #include net/checksum.h #include linux/dmaengine.h +#include net/flow.h #define HAVE_ALLOC_SKB /* For the drivers to know */ #define HAVE_ALIGNABLE_SKB /* Ditto 8)*/ @@ -1499,5 +1500,33 @@ static inline int skb_is_gso(const struc return skb_shinfo(skb)-gso_size; } +#ifdef CONFIG_SECURITY_NETWORK + +static inline void security_skb_classify_skb(struct sk_buff *from, + struct sk_buff *skb) +{ + skb-secmark = from-secmark; +} + +static inline void security_flow_classify_skb(struct flowi *fl, + struct sk_buff *skb) +{ + skb-secmark = fl-secid; +} + +#else + +static inline void security_skb_classify_skb(struct sk_buff *from, + struct sk_buff *skb) +{ +} + +static inline void security_flow_classify_skb(struct flowi *fl, + struct sk_buff *skb) +{ +} + +#endif /* CONFIG_SECURITY_NETWORK */ + #endif /* __KERNEL__ */ #endif /* _LINUX_SKBUFF_H */ diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c index 6671691..6648eb3 100644 --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -170,6 +170,8 @@ int ip6_xmit(struct sock *sk, struct sk_ int hlimit, tclass; u32 mtu; + security_flow_classify_skb(fl, skb); + if (opt) { int head_room; @@ -1150,6 +1152,9 @@ alloc_new_skb: } if (skb == NULL) goto error; + + security_flow_classify_skb(fl, skb); + /* * Fill in the control structures */ 
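Review bot: `security_skb_classify_skb()` and `security_flow_classify_skb()` in the skbuff.h hunk access `skb->secmark` under `#ifdef CONFIG_SECURITY_NETWORK` alone. If the `secmark` member of struct sk_buff is declared under a different option (CONFIG_NETWORK_SECMARK in kernels of this period; the struct is not visible here), a configuration with the first set and the second unset will not build. Guarding the bodies with the option that declares the field, e.g. `#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETWORK_SECMARK)`, avoids that. Neither helper says which way the label is copied; a one-line comment such as `/* copy the security mark of @from onto @skb */` above each would help.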
diff --git a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c index 311eae8..0508c30 100644 --- a/net/ipv6/netfilter/ip6t_REJECT.c +++ b/net/ipv6/netfilter/ip6t_REJECT.c @@ -128,6 +128,8 @@ static void send_reset(struct sk_buff *o ipv6_addr_copy(ip6h-saddr, oip6h-daddr); ipv6_addr_copy(ip6h-daddr, oip6h-saddr); + security_skb_classify_skb(oldskb, nskb); + tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); /* Truncate to length (no data) */ tcph-doff = sizeof(struct tcphdr)/4; -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 10/11] secid reconciliation: various fixes
From: Venkat Yekkirala [EMAIL PROTECTED] This fixes the secid reconciliation code in the following ways: 1. Null-out secmark on an outgoing packet after we are done with all the checks. This has been necessitated by the fact that some packets sent to a multicast address could arrive back on a non-loopback interface but with the secmark intact. This would result in the current flow_out control logic to use it as a security point context when no explicit security points have been defined for the inbound packet. 2. Label udp/raw packets with the label of the socket. 3. Label igmp traffic with the igmp_packet initial context. 4. Limit flow-controlling of loopback traffic to the socket.recv permission check. This means that packet.flow_in/flow_out checks are no longer applicable to loopback traffic. This is because of current implementation constraints. DOCUMENTATION OF SECID RECONCILIATION AND FLOW CONTROL FOR POLICY WRITERS: ON INBOUND: 1. PACKETS ENTERING SYSTEM FROM A NON-LOOPBACK DEVICE: Can a packet carrying external domain label x_t flow_in thru the security point with the peer domain label p_d_t? NOTE: a. x_t defaults to unlabeled_t, if no external label. b. p_d_t defaults to network_t in the absence of any applicable [conn]secmark rules for the packet. If there are multiple secmark rules applicable to a packet, the context on the LAST rule will apply. NO: Drop packet. YES: If no external label, let packet carry p_d_t. 2. INPUT ONLY: Can a socket recv a packet from domain p_d_t? NO: Drop packet. YES: If setting up a tcp connection, set peer context to p_d_t. ON OUTBOUND: 1. Let packet carry the originating socket domain label. 2. IPSEC Handling: LABELED IPSEC: If packet polmatches to an otherwise applicable and labeled SPD entry, choose a Security Association (SA) with the SAME context as the domain label being carried by packet. NOTE: If no such SA present, call into IKE with context on packet. 
NON-LABELED (PLAIN/TRADITIONAL) IPSEC: If there's an applicable SPD entry that does NOT have an explicit context associated with it, an applicable SA that does NOT have an explicit context associated with it is chosen. NOTE: If no such SA present, call into IKE, but with NO context. 3. PACKETS DESTINED FOR NON-LOOPBACK DEVICE: a. IPTABLES Processing: As EACH applicable iptables [CONN]SECMARK rule with domain p_d_t is encountered, do the following: Can a packet carrying domain label a_t flow_out of the security point with the domain label p_d_t? NO: Drop packet. YES: Replace the domain label a_t on the packet with the security point label p_d_t. b. Before a packet is let out of the system: Can a packet with domain label p_d_t flow_out into the network domain network_t? NO: Drop packet. YES: Let packet out. NOTE: Ideally this check should be applicable only to packets that didn't go thru [conn]secmark checks for outbound, but there's currently no way to know this due to implementation constrains. Hence a blanket check for ALL packets leaving the system. FORWARDED TRAFFIC: Forwarded Traffic will undergo the following: 1. Step 1 under ON INBOUND. 2. Steps 2 and 3 under ON OUTBOUND. Signed-off-by: Venkat Yekkirala [EMAIL PROTECTED] --- include/linux/security.h | 24 +--- include/net/ip.h | 13 include/net/request_sock.h | 11 +++ net/ipv4/igmp.c|4 ++ net/ipv4/raw.c |2 + net/ipv4/udp.c |2 + net/netfilter/xt_CONNSECMARK.c | 21 ++ net/netfilter/xt_SECMARK.c | 16 -- security/dummy.c |8 ++--- security/selinux/hooks.c | 61 + 10 files changed, 129 insertions(+), 33 deletions(-) Index: net-2.6_secidfinal/include/linux/security.h === --- net-2.6_secidfinal.orig/include/linux/security.h +++ net-2.6_secidfinal/include/linux/security.h @@ -67,6 +67,7 @@ struct xfrm_selector; struct xfrm_policy; struct xfrm_state; struct xfrm_user_sec_ctx; +struct net_device; extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); extern int cap_netlink_recv(struct sk_buff *skb, int cap); 
@@ -828,8 +829,8 @@ struct request_sock; * Sets the new child socket's sid to the openreq sid. * @inet_conn_established: * Sets the connection's peersid to the secmark on skb. - * @req_classify_flow: - * Sets the flow's sid to the openreq sid. + * @igmp_classify_skb: + * Classifies an skb representing an igmp packet. * @skb_flow_in: * Checks to see if security policy would allow skb into the system * while also reconciling the xfrm
Re: [patch 3/3] d80211: silence sparse warning: bad constant expression
Update to use ARRAY_SIZE, based on comment from Joe Perches. d80211: silence sparse warning: 'bad constant expression' Sparse does not figure out that algs[] isn't really a variable length array. The message is: net/d80211/ieee80211_sta.c:934:12: error: bad constant expression This switches algs[] to be obviously a constant array, and derives the value of num_algs algs[]. The code is correct and equivalent with or without this change. Signed-off-by: David Kimdon [EMAIL PROTECTED] Index: wireless-dev/net/d80211/ieee80211_sta.c === --- wireless-dev.orig/net/d80211/ieee80211_sta.c +++ wireless-dev/net/d80211/ieee80211_sta.c @@ -930,8 +930,8 @@ static void ieee80211_rx_mgmt_auth(struc printk(KERN_DEBUG %s: AP denied authentication (auth_alg=%d code=%d)\n, dev-name, ifsta-auth_alg, status_code); if (status_code == WLAN_STATUS_NOT_SUPPORTED_AUTH_ALG) { - const int num_algs = 3; - u8 algs[num_algs]; + u8 algs[3]; + const int num_algs = ARRAY_SIZE(algs); int i, pos; algs[0] = algs[1] = algs[2] = 0xff; if (ifsta-auth_algs IEEE80211_AUTH_ALG_OPEN) - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!)
On Mon, 9 Oct 2006, [EMAIL PROTECTED] wrote: Please consider this for inclusion into 2.6.20. If it's too soon to be thinking of 2.6.20 let me know and I'll rebase/resend this patchset once I see notice of David's net-2.6.20 git tree. From an initial review of this patchset, it doesn't look quite ready to queue for 2.6.20 (which I plan to do via git once it is). Outstanding items include resolving the igmp skb hook issue generally, testing to verify both the design and implementation, and ensuring that all the related policy changes are merged upstream first. - James -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Pull request for 'jg-20061009-00' tag
Please pull from tag 'jg-20061009-00' in repository git://electric-eye.fr.zoreil.com/home/romieu/linux-2.6.git jg-20061009-00 to get the changes below. Distance from 'upstream-fixes' - $ git rev-list 2f614fe04f4463ff22234133319067d7361f54e5..jg-20061009-00 91a6ba7162852092080b0e710dc0ba0f35496308 73f5e28b336772c4b08ee82e5bf28ab872898ee1 Diffstat drivers/net/forcedeth.c | 43 +++ drivers/net/r8169.c |1 + 2 files changed, 44 insertions(+), 0 deletions(-) Shortlog Andrew Morton: r8169: PCI ID for Corega Gigabit network card Francois Romieu: forcedeth: restore network after swsup/resume or ACPI S3 Patch - diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c index 35467e0..c41a886 100644 --- a/drivers/net/forcedeth.c +++ b/drivers/net/forcedeth.c @@ -4603,6 +4603,47 @@ static void __devexit nv_remove(struct p pci_set_drvdata(pci_dev, NULL); } + +static int nv_suspend(struct pci_dev *pdev, pm_message_t state) +{ + struct net_device *dev = pci_get_drvdata(pdev); + struct fe_priv *np = netdev_priv(dev); + int rc = 0; + + if (!netif_running(dev)) + goto out; + + netif_device_detach(dev); + + /* Gross. */ + rc = nv_close(dev); + + pci_save_state(pdev); + pci_enable_wake(pdev, pci_choose_state(pdev, state), np-wolenabled); + pci_set_power_state(pdev, pci_choose_state(pdev, state)); +out: + return rc; +} + +static int nv_resume(struct pci_dev *pdev) +{ + struct net_device *dev = pci_get_drvdata(pdev); + int rc = 0; + + if (!netif_running(dev)) + goto out; + + netif_device_attach(dev); + + pci_set_power_state(pdev, PCI_D0); + pci_restore_state(pdev); + pci_enable_wake(pdev, PCI_D0, 0); + + rc = nv_open(dev); +out: + return rc; +} + static struct pci_device_id pci_tbl[] = { { /* nForce Ethernet Controller */ PCI_DEVICE(PCI_VENDOR_ID_NVIDIA, PCI_DEVICE_ID_NVIDIA_NVENET_1), @@ -4704,6 +4745,8 @@ static struct pci_driver driver = { .id_table = pci_tbl, .probe = nv_probe, .remove = __devexit_p(nv_remove), + .suspend = nv_suspend, + .resume = nv_resume, }; 
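Review bot: `nv_resume()` calls `netif_device_attach(dev)` before the device is back in D0 and before `nv_open()` has run, so the stack may be allowed to transmit on hardware that is still powered down and that `nv_suspend()` shut down through `nv_close()`; the interface also stays attached if `nv_open()` fails. Moving the attach to the end, `rc = nv_open(dev);` followed by `if (!rc) netif_device_attach(dev);`, closes that window. In `nv_suspend()` the return values of `pci_save_state()` and `pci_set_power_state()` are ignored, and the `/* Gross. */` comment does not say why `nv_close()` is called directly; both deserve a short explanatory comment.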
diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c index 4c47c5b..c7309e9 100644 --- a/drivers/net/r8169.c +++ b/drivers/net/r8169.c @@ -214,6 +214,7 @@ static struct pci_device_id rtl8169_pci_ { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8168), 0, 0, RTL_CFG_2 }, { PCI_DEVICE(PCI_VENDOR_ID_REALTEK, 0x8169), 0, 0, RTL_CFG_0 }, { PCI_DEVICE(PCI_VENDOR_ID_DLINK, 0x4300), 0, 0, RTL_CFG_0 }, + { PCI_DEVICE(0x1259,0xc107), 0, 0, RTL_CFG_0 }, { PCI_DEVICE(0x16ec,0x0116), 0, 0, RTL_CFG_0 }, { PCI_VENDOR_ID_LINKSYS,0x1032, PCI_ANY_ID, 0x0024, 0, 0, RTL_CFG_0 }, -- Ueimor - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!)
James Morris wrote: On Mon, 9 Oct 2006, [EMAIL PROTECTED] wrote: Please consider this for inclusion into 2.6.20. If it's too soon to be thinking of 2.6.20 let me know and I'll rebase/resend this patchset once I see notice of David's net-2.6.20 git tree. From an initial review of this patchset, it doesn't look quite ready to queue for 2.6.20 (which I plan to to via git once it is). Outstanding items include resolving the igmp skb hook issue generally, testing to verify both the design and implementation, and ensuring that all the related policy changes are merged upstream first. I'll keep the patchset up to date and keep tracking the secid patches (I know there has been discussion around the IGMP hook this morning). Once everything looks okay I'll resend the patchset (with any updates/corrections/etc.) again. -- paul moore linux security @ hp - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/11] The _entire_ secid reconciliation patchset (tada!)
On Mon, 9 Oct 2006, Paul Moore wrote: I'll keep the patchset up to date and keep tracking the secid patches (I know there has been discussion around the IGMP hook this morning). Once everything looks okay I'll resend the patchset (with any updates/corrections/etc.) again. Thanks. I think we're pretty close to finalizing this now, and once merged, we can focus on making it useful to normal people :-) - James -- James Morris [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] sky2: revert pci express extensions
The pci express error handling extensions don't work unless PCI access is via mmconfig. Otherwise, all accesses to pci config registers greater than 256 fail. Since the sky2 driver has other ways of getting to PCI config space, it works around this short coming, but the pci_find_ext_capablity doesn't work. This backs out commit 91aeb3edbcf4e6ed72d138ac8c22fd68e6d717c3 Go back to hardcoding, since we know where the error registers are anyway. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7222 Signed-off-by: Stephen Hemminger [EMAIL PROTECTED] --- drivers/net/sky2.c | 30 -- drivers/net/sky2.h | 45 +++-- 2 files changed, 51 insertions(+), 24 deletions(-) --- sky2.orig/drivers/net/sky2.c2006-10-09 14:35:06.0 -0700 +++ sky2/drivers/net/sky2.c 2006-10-09 14:37:26.0 -0700 @@ -2220,8 +2220,7 @@ /* PCI-Express uncorrectable Error occurred */ u32 pex_err; - pex_err = sky2_pci_read32(hw, - hw-err_cap + PCI_ERR_UNCOR_STATUS); + pex_err = sky2_pci_read32(hw, PEX_UNC_ERR_STAT); if (net_ratelimit()) printk(KERN_ERR PFX %s: pci express error (0x%x)\n, @@ -2229,20 +2228,15 @@ /* clear the interrupt */ sky2_write32(hw, B2_TST_CTRL1, TST_CFG_WRITE_ON); - sky2_pci_write32(hw, -hw-err_cap + PCI_ERR_UNCOR_STATUS, -0xUL); + sky2_pci_write32(hw, PEX_UNC_ERR_STAT, + 0xUL); sky2_write32(hw, B2_TST_CTRL1, TST_CFG_WRITE_OFF); - - /* In case of fatal error mask off to keep from getting stuck */ - if (pex_err (PCI_ERR_UNC_POISON_TLP | PCI_ERR_UNC_FCP - | PCI_ERR_UNC_DLP)) { + if (pex_err PEX_FATAL_ERRORS) { u32 hwmsk = sky2_read32(hw, B0_HWE_IMSK); hwmsk = ~Y2_IS_PCI_EXP; sky2_write32(hw, B0_HWE_IMSK, hwmsk); } - } if (status Y2_HWE_L1_MASK) @@ -2423,7 +2417,6 @@ u16 status; u8 t8; int i; - u32 msk; sky2_write8(hw, B0_CTST, CS_RST_CLR); 
@@ -2464,13 +2457,9 @@ sky2_write8(hw, B0_CTST, CS_MRST_CLR); /* clear any PEX errors */ - if (pci_find_capability(hw-pdev, PCI_CAP_ID_EXP)) { - hw-err_cap = pci_find_ext_capability(hw-pdev, PCI_EXT_CAP_ID_ERR); - if (hw-err_cap) - sky2_pci_write32(hw, -hw-err_cap + PCI_ERR_UNCOR_STATUS, -0xUL); - } + if (pci_find_capability(hw-pdev, PCI_CAP_ID_EXP)) + sky2_pci_write32(hw, PEX_UNC_ERR_STAT, 0xUL); + hw-pmd_type = sky2_read8(hw, B2_PMD_TYP); hw-ports = 1; @@ -2527,10 +2516,7 @@ sky2_write8(hw, RAM_BUFFER(i, B3_RI_RTO_XS2), SK_RI_TO_53); } - msk = Y2_HWE_ALL_MASK; - if (!hw-err_cap) - msk = ~Y2_IS_PCI_EXP; - sky2_write32(hw, B0_HWE_IMSK, msk); + sky2_write32(hw, B0_HWE_IMSK, Y2_HWE_ALL_MASK); for (i = 0; i hw-ports; i++) sky2_gmac_reset(hw, i); --- sky2.orig/drivers/net/sky2.h2006-10-09 14:35:06.0 -0700 +++ sky2/drivers/net/sky2.h 2006-10-09 14:35:09.0 -0700 @@ -6,15 +6,24 @@ #define ETH_JUMBO_MTU 9000/* Maximum MTU supported */ -/* PCI device specific config registers */ +/* PCI config registers */ enum { PCI_DEV_REG1= 0x40, PCI_DEV_REG2= 0x44, + PCI_DEV_STATUS = 0x7c, PCI_DEV_REG3= 0x80, PCI_DEV_REG4= 0x84, PCI_DEV_REG5= 0x88, }; +enum { + PEX_DEV_CAP = 0xe4, + PEX_DEV_CTRL= 0xe8, + PEX_DEV_STA = 0xea, + PEX_LNK_STAT= 0xf2, + PEX_UNC_ERR_STAT= 0x104, +}; + /* Yukon-2 */ enum pci_dev_reg_1 { PCI_Y2_PIG_ENA = 131, /* Enable Plug-in-Go (YUKON-2) */ @@ -63,6 +72,39 @@ PCI_STATUS_REC_MASTER_ABORT | \ PCI_STATUS_REC_TARGET_ABORT | \ PCI_STATUS_PARITY) + +enum pex_dev_ctrl { + PEX_DC_MAX_RRS_MSK = 712, /* Bit 14..12: Max. Read Request Size */ + PEX_DC_EN_NO_SNOOP = 111,/* Enable No Snoop */ + PEX_DC_EN_AUX_POW = 110,/* Enable AUX Power */ + PEX_DC_EN_PHANTOM = 19, /* Enable Phantom Functions */ + PEX_DC_EN_EXT_TAG = 18, /* Enable Extended Tag Field */ + PEX_DC_MAX_PLS_MSK = 75, /* Bit 7.. 5: Max. Payload Size Mask */ + PEX_DC_EN_REL_ORD = 14, /* Enable Relaxed Ordering */ + PEX_DC_EN_UNS_RQ_RP
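Review bot: The hunk at -2527 now writes `Y2_HWE_ALL_MASK` to `B0_HWE_IMSK` unconditionally, while the reset hunk just before it still clears `PEX_UNC_ERR_STAT` only when `pci_find_capability(hw->pdev, PCI_CAP_ID_EXP)` succeeds. The removed lines masked `Y2_IS_PCI_EXP` out of that value, which suggests the full mask includes it; if so, a board without the PCI Express capability gets the PEX error interrupt unmasked, and the handler in the first sky2.c hunk would then access config offset 0x104 on it. Keeping `u32 msk` and tying the mask to the same capability test, `if (!pci_find_capability(hw->pdev, PCI_CAP_ID_EXP)) msk &= ~Y2_IS_PCI_EXP;`, would keep the two paths consistent. Both functions extend beyond the hunks shown.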
Re: cfg80211 take 7
On Mon, 2006-10-09 at 11:38 -0700, David Kimdon wrote: FYI, all three patches mentioned as possibly required by the nl80211 patchset in the header of nl80211.patch are already in wireless-dev: Oh, nice, I must have missed the merge :) I also updated the patchset a bit to apply to current wireless-dev. I will send that to Johannes directly. Cool, thanks. johannes signature.asc Description: This is a digitally signed message part
[PATCH] sky2: set lower pause threshold to prevent overrun
Adjust the pause threshold on slower systems to keep from getting overrun. Since FIFO is 2K bytes, don't send XON pause until there is space for a full frame. --- drivers/net/sky2.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- sky2.orig/drivers/net/sky2.c2006-10-09 15:43:51.0 -0700 +++ sky2/drivers/net/sky2.c 2006-10-09 15:43:52.0 -0700 @@ -683,7 +683,7 @@ sky2_write16(hw, SK_REG(port, TX_GMF_CTRL_T), GMF_OPER_ON); if (hw-chip_id == CHIP_ID_YUKON_EC_U) { - sky2_write8(hw, SK_REG(port, RX_GMF_LP_THR), 768/8); + sky2_write8(hw, SK_REG(port, RX_GMF_LP_THR), 512/8); sky2_write8(hw, SK_REG(port, RX_GMF_UP_THR), 1024/8); if (hw-dev[port]-mtu ETH_DATA_LEN) { /* set Tx GMAC FIFO Almost Empty Threshold */ - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
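Review bot: The new `512/8` written to `RX_GMF_LP_THR` is explained only in the commit message; a comment at the write, for example `/* 2K FIFO: hold off XON until a full frame fits */`, would keep the reasoning next to the number. The hunk applies the value only inside the `CHIP_ID_YUKON_EC_U` branch, and whether other chips with the same FIFO size need it is not visible here.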
[PATCH 3/4] 8390 cleanup - etherh iomem annotations
Signed-off-by: Al Viro [EMAIL PROTECTED] --- drivers/net/arm/etherh.c | 20 ++-- 1 files changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/net/arm/etherh.c b/drivers/net/arm/etherh.c index 747a71f..f3faa4f 100644 --- a/drivers/net/arm/etherh.c +++ b/drivers/net/arm/etherh.c @@ -54,10 +54,10 @@ #include asm/io.h #define EI_SHIFT(x)(ei_local-reg_offset[x]) -#define ei_inb(_p) readb(_p) -#define ei_outb(_v,_p) writeb(_v,_p) -#define ei_inb_p(_p)readb(_p) -#define ei_outb_p(_v,_p) writeb(_v,_p) +#define ei_inb(_p) readb((void __iomem *)_p) +#define ei_outb(_v,_p) writeb(_v,(void __iomem *)_p) +#define ei_inb_p(_p)readb((void __iomem *)_p) +#define ei_outb_p(_v,_p) writeb(_v,(void __iomem *)_p) #define NET_DEBUG 0 #define DEBUG_INIT 2 @@ -184,7 +184,7 @@ etherh_setif(struct net_device *dev) switch (etherh_priv(dev)-id) { case PROD_I3_ETHERLAN600: case PROD_I3_ETHERLAN600A: - addr = (void *)dev-base_addr + EN0_RCNTHI; + addr = (void __iomem *)dev-base_addr + EN0_RCNTHI; switch (dev-if_port) { case IF_PORT_10BASE2: @@ -225,7 +225,7 @@ etherh_getifstat(struct net_device *dev) switch (etherh_priv(dev)-id) { case PROD_I3_ETHERLAN600: case PROD_I3_ETHERLAN600A: - addr = (void *)dev-base_addr + EN0_RCNTHI; + addr = (void __iomem *)dev-base_addr + EN0_RCNTHI; switch (dev-if_port) { case IF_PORT_10BASE2: stat = 1; @@ -288,7 +288,7 @@ static void etherh_reset(struct net_device *dev) { struct ei_device *ei_local = netdev_priv(dev); - void __iomem *addr = (void *)dev-base_addr; + void __iomem *addr = (void __iomem *)dev-base_addr; writeb(E8390_NODMA+E8390_PAGE0+E8390_STOP, addr); @@ -334,7 +334,7 @@ etherh_block_output (struct net_device * ei_local-dmaing = 1; - addr = (void *)dev-base_addr; + addr = (void __iomem *)dev-base_addr; dma_base = etherh_priv(dev)-dma_base; count = (count + 1) ~1; 
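Review bot: The rewritten accessor macros in the first etherh.c hunk cast an unparenthesized argument, e.g. `readb((void __iomem *)_p)`, so for an argument such as `base + EN0_ISR` the cast binds to `base` alone and the offset is added to the resulting pointer. With byte-sized void-pointer arithmetic that happens to yield the same address, but it depends on how every caller writes the expression. `#define ei_inb(_p) readb((void __iomem *)(_p))` and `#define ei_outb(_v,_p) writeb((_v), (void __iomem *)(_p))`, with the same change for the two `_p` variants, is the hygienic form.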
@@ -394,7 +394,7 @@ etherh_block_input (struct net_device *d ei_local-dmaing = 1; - addr = (void *)dev-base_addr; + addr = (void __iomem *)dev-base_addr; dma_base = etherh_priv(dev)-dma_base; buf = skb-data; @@ -434,7 +434,7 @@ etherh_get_header (struct net_device *de ei_local-dmaing = 1; - addr = (void *)dev-base_addr; + addr = (void __iomem *)dev-base_addr; dma_base = etherh_priv(dev)-dma_base; writeb (E8390_NODMA | E8390_PAGE0 | E8390_START, addr + E8390_CMD); -- 1.4.2.GIT - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 4/4] 8390 fixes - the final chunk (h8300)
The rest of 8390 conversions; ifdef cascade in 8390.h is gone now. Signed-off-by: Al Viro [EMAIL PROTECTED] --- drivers/net/8390.h |4 drivers/net/Makefile |2 +- drivers/net/ne-h8300.c | 23 +++ 3 files changed, 16 insertions(+), 13 deletions(-) diff --git a/drivers/net/8390.h b/drivers/net/8390.h index b8991fc..414de5b 100644 --- a/drivers/net/8390.h +++ b/drivers/net/8390.h @@ -107,10 +107,6 @@ #define E8390_PAGE20x80/* Page 3 is in * - removed AMIGA_PCMCIA from this list, handled as ISA io now */ -#if defined(CONFIG_NE_H8300) || defined(CONFIG_NE_H8300_MODULE) -#define EI_SHIFT(x)(ei_local-reg_offset[x]) -#endif - #ifndef ei_inb #define ei_inb(_p) inb(_p) #define ei_outb(_v,_p) outb(_v,_p) diff --git a/drivers/net/Makefile b/drivers/net/Makefile index 42bf31e..7d36184 100644 --- a/drivers/net/Makefile +++ b/drivers/net/Makefile @@ -106,7 +106,7 @@ obj-$(CONFIG_NE3210) += ne3210.o 8390.o obj-$(CONFIG_NET_SB1250_MAC) += sb1250-mac.o obj-$(CONFIG_B44) += b44.o obj-$(CONFIG_FORCEDETH) += forcedeth.o -obj-$(CONFIG_NE_H8300) += ne-h8300.o 8390.o +obj-$(CONFIG_NE_H8300) += ne-h8300.o obj-$(CONFIG_MV643XX_ETH) += mv643xx_eth.o obj-$(CONFIG_QLA3XXX) += qla3xxx.o diff --git a/drivers/net/ne-h8300.c b/drivers/net/ne-h8300.c index eb893d7..38fd525 100644 --- a/drivers/net/ne-h8300.c +++ b/drivers/net/ne-h8300.c @@ -33,6 +33,8 @@ #include asm/system.h #include asm/io.h #include asm/irq.h +#define EI_SHIFT(x)(ei_local-reg_offset[x]) + #include 8390.h #define DRV_NAME ne-h8300 @@ -52,6 +54,11 @@ #define DRV_NAME ne-h8300 /* No user-serviceable parts below */ +static const char version[] = +8390.c:v1.10cvs 9/23/94 Donald Becker ([EMAIL PROTECTED])\n; + +#include lib8390.c + #define NE_BASE (dev-base_addr) #define NE_CMD 0x00 #define NE_DATAPORT(ei_status.word16?0x20:0x10)/* NatSemi-defined port window offset. */ 
@@ -162,7 +169,7 @@ static void cleanup_card(struct net_devi #ifndef MODULE struct net_device * __init ne_probe(int unit) { - struct net_device *dev = alloc_ei_netdev(); + struct net_device *dev = alloc_ei_netdev(0); int err; if (!dev) @@ -283,7 +290,7 @@ static int __init ne_probe1(struct net_d /* Snarf the interrupt now. There's no point in waiting since we cannot share and the board will usually be enabled. */ - ret = request_irq(dev-irq, ei_interrupt, 0, name, dev); + ret = request_irq(dev-irq, __ei_interrupt, 0, name, dev); if (ret) { printk ( unable to get IRQ %d (errno=%d).\n, dev-irq, ret); goto err_out; @@ -318,9 +325,9 @@ #endif dev-open = ne_open; dev-stop = ne_close; #ifdef CONFIG_NET_POLL_CONTROLLER - dev-poll_controller = ei_poll; + dev-poll_controller = __ei_poll; #endif - NS8390_init(dev, 0); + __NS8390_init(dev, 0); ret = register_netdev(dev); if (ret) @@ -335,7 +342,7 @@ err_out: static int ne_open(struct net_device *dev) { - ei_open(dev); + __ei_open(dev); return 0; } @@ -343,7 +350,7 @@ static int ne_close(struct net_device *d { if (ei_debug 1) printk(KERN_DEBUG %s: Shutting down ethercard.\n, dev-name); - ei_close(dev); + __ei_close(dev); return 0; } @@ -584,7 +591,7 @@ #endif if (time_after(jiffies, dma_start + 2*HZ/100)) { /* 20ms */ printk(KERN_WARNING %s: timeout waiting for Tx RDC.\n, dev-name); ne_reset_8390(dev); - NS8390_init(dev,1); + __NS8390_init(dev,1); break; } @@ -620,7 +627,7 @@ int init_module(void) int err; for (this_dev = 0; this_dev MAX_NE_CARDS; this_dev++) { - struct net_device *dev = alloc_ei_netdev(); + struct net_device *dev = alloc_ei_netdev(0); if (!dev) break; if (io[this_dev]) { -- 1.4.2.GIT - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 2/4] 8390 fixes - m68k oddballs
more 8390 conversions - mac8390, zorro8390 and hydra got the same treatment as arm etherh; one more case in 8390.h ifdef cascade is gone. Signed-off-by: Al Viro [EMAIL PROTECTED] --- drivers/net/8390.h | 16 +--- drivers/net/Makefile|6 +++--- drivers/net/hydra.c | 23 --- drivers/net/mac8390.c | 26 -- drivers/net/zorro8390.c | 24 5 files changed, 52 insertions(+), 43 deletions(-) diff --git a/drivers/net/8390.h b/drivers/net/8390.h index fae4aa9..b8991fc 100644 --- a/drivers/net/8390.h +++ b/drivers/net/8390.h @@ -107,21 +107,7 @@ #define E8390_PAGE20x80/* Page 3 is in * - removed AMIGA_PCMCIA from this list, handled as ISA io now */ -#if defined(CONFIG_MAC) || \ -defined(CONFIG_ZORRO8390) || defined(CONFIG_ZORRO8390_MODULE) || \ -defined(CONFIG_HYDRA) || defined(CONFIG_HYDRA_MODULE) -#define EI_SHIFT(x)(ei_local-reg_offset[x]) -#undef inb -#undef inb_p -#undef outb -#undef outb_p - -#define ei_inb(port) in_8(port) -#define ei_outb(val,port) out_8(port,val) -#define ei_inb_p(port) in_8(port) -#define ei_outb_p(val,port) out_8(port,val) - -#elif defined(CONFIG_NE_H8300) || defined(CONFIG_NE_H8300_MODULE) +#if defined(CONFIG_NE_H8300) || defined(CONFIG_NE_H8300_MODULE) #define EI_SHIFT(x)(ei_local-reg_offset[x]) #endif diff --git a/drivers/net/Makefile b/drivers/net/Makefile index 53ccc33..42bf31e 100644 --- a/drivers/net/Makefile +++ b/drivers/net/Makefile @@ -82,7 +82,7 @@ obj-$(CONFIG_HAMACHI) += hamachi.o obj-$(CONFIG_NET) += Space.o loopback.o obj-$(CONFIG_SEEQ8005) += seeq8005.o obj-$(CONFIG_NET_SB1000) += sb1000.o -obj-$(CONFIG_MAC8390) += mac8390.o 8390.o +obj-$(CONFIG_MAC8390) += mac8390.o obj-$(CONFIG_APNE) += apne.o 8390.o obj-$(CONFIG_PCMCIA_PCNET) += 8390.o obj-$(CONFIG_SHAPER) += shaper.o 
@@ -164,7 +164,7 @@ # This is also a 82596 and should probab obj-$(CONFIG_LP486E) += lp486e.o obj-$(CONFIG_ETH16I) += eth16i.o -obj-$(CONFIG_ZORRO8390) += zorro8390.o 8390.o +obj-$(CONFIG_ZORRO8390) += zorro8390.o obj-$(CONFIG_HPLANCE) += hplance.o 7990.o obj-$(CONFIG_MVME147_NET) += mvme147.o 7990.o obj-$(CONFIG_EQUALIZER) += eql.o @@ -177,7 +177,7 @@ obj-$(CONFIG_ATARILANCE) += atarilance.o obj-$(CONFIG_ATARI_BIONET) += atari_bionet.o obj-$(CONFIG_ATARI_PAMSNET) += atari_pamsnet.o obj-$(CONFIG_A2065) += a2065.o -obj-$(CONFIG_HYDRA) += hydra.o 8390.o +obj-$(CONFIG_HYDRA) += hydra.o obj-$(CONFIG_ARIADNE) += ariadne.o obj-$(CONFIG_CS89x0) += cs89x0.o obj-$(CONFIG_MACSONIC) += macsonic.o diff --git a/drivers/net/hydra.c b/drivers/net/hydra.c index 91326ea..f970bfb 100644 --- a/drivers/net/hydra.c +++ b/drivers/net/hydra.c @@ -31,7 +31,16 @@ #include asm/amigaints.h #include asm/amigahw.h #include linux/zorro.h -#include 8390.h +#define EI_SHIFT(x)(ei_local-reg_offset[x]) +#define ei_inb(port) in_8(port) +#define ei_outb(val,port) out_8(port,val) +#define ei_inb_p(port) in_8(port) +#define ei_outb_p(val,port) out_8(port,val) + +static const char version[] = +8390.c:v1.10cvs 9/23/94 Donald Becker ([EMAIL PROTECTED])\n; + +#include lib8390.c #define NE_EN0_DCFG (0x0e*2) @@ -100,7 +109,7 @@ static int __devinit hydra_init(struct z 0x10, 0x12, 0x14, 0x16, 0x18, 0x1a, 0x1c, 0x1e, }; -dev = alloc_ei_netdev(); +dev = alloc_ei_netdev(0); if (!dev) return -ENOMEM; SET_MODULE_OWNER(dev); @@ -117,7 +126,7 @@ static int __devinit hydra_init(struct z dev-irq = IRQ_AMIGA_PORTS; /* Install the Interrupt handler */ -if (request_irq(IRQ_AMIGA_PORTS, ei_interrupt, IRQF_SHARED, Hydra Ethernet, +if (request_irq(IRQ_AMIGA_PORTS, __ei_interrupt, IRQF_SHARED, Hydra Ethernet, dev)) { free_netdev(dev); return -EAGAIN; 
@@ -139,10 +148,10 @@ static int __devinit hydra_init(struct z dev-open = hydra_open; dev-stop = hydra_close; #ifdef CONFIG_NET_POLL_CONTROLLER -dev-poll_controller = ei_poll; +dev-poll_controller = __ei_poll; #endif -NS8390_init(dev, 0); +__NS8390_init(dev, 0); err = register_netdev(dev); if (err) { @@ -164,7 +173,7 @@ #endif static int hydra_open(struct net_device *dev) { -ei_open(dev); +__ei_open(dev); return 0; } @@ -172,7 +181,7 @@ static int hydra_close(struct net_device { if (ei_debug 1) printk(KERN_DEBUG %s: Shutting down ethercard.\n, dev-name); -ei_close(dev); +__ei_close(dev); return 0; } diff --git a/drivers/net/mac8390.c b/drivers/net/mac8390.c index ade6ff8..a12bb64 100644 --- a/drivers/net/mac8390.c +++ b/drivers/net/mac8390.c @@ -39,7 +39,16 @@ #include asm/dma.h #include asm/hwtest.h #include asm/macints.h -#include 8390.h +static char version[] = + mac8390.c: v0.4 2001-05-15 David Huggins-Daines [EMAIL PROTECTED] and others\n; + +#define EI_SHIFT(x)(ei_local-reg_offset[x]) +#define
Re: [PATCH] sky2: revert pci express extensions
Hello Stephen, Am Montag, den 09.10.2006, 14:40 -0700 schrieb Stephen Hemminger: The pci express error handling extensions don't work unless PCI access is via mmconfig. Otherwise, all accesses to pci config registers greater than 256 fail. Since the sky2 driver has other ways of getting to PCI config space, it works around this shortcoming, but pci_find_ext_capability doesn't work. This backs out commit 91aeb3edbcf4e6ed72d138ac8c22fd68e6d717c3 Go back to hardcoding, since we know where the error registers are anyway. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7222 Signed-off-by: Stephen Hemminger [EMAIL PROTECTED] [...] thanks a lot for that one. Works perfectly fine and the annoying error-messages are gone. -- Matthias 'CoreDump' Hentges My OS: Debian SID. Geek by Nature, Linux by Choice signature.asc Description: Dies ist ein digital signierter Nachrichtenteil
Dropping NETIF_F_SG since no checksum feature.
Hi! I'm trying to build a network device driver supporting a very large MTU (around 64K) on top of an infiniband connection, and I've hit a couple of issues I'd appreciate some feedback on: 1. On the send side, I've set NETIF_F_SG, but hardware does not support checksum offloading, and I see dropping NETIF_F_SG since no checksum feature warning, and I seem to be getting large packets all in one chunk. The reason I've set NETIF_F_SG, is because I'm concerned that under real life stress Linux won't be able to allocate 64K of contiguous memory. Is this concern of mine valid? I saw in-tree drivers allocating at least 8K. What's the best way to enable S/G on send side? Is checksum offloading really required for S/G? 2. On the receive side, what's the best/right way to create an skb that is larger than PAGE_SIZE? Do I allocate with alloc_page and fill in nr_frags with skb_fill_page_desc? Some drivers seem to fill in frag_list - which is better? I see that even skb_put only works properly on linear skb. What are the helpers legal for fragmented skb? Suggestions would be appreciated. Thanks, -- MST - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: Dropping NETIF_F_SG since no checksum feature.
On Mon, 9 Oct 2006 19:47:05 +0200 Michael S. Tsirkin [EMAIL PROTECTED] wrote: Hi! I'm trying to build a network device driver supporting a very large MTU (around 64K) on top of an infiniband connection, and I've hit a couple of issues I'd appreciate some feedback on: 1. On the send side, I've set NETIF_F_SG, but hardware does not support checksum offloading, and I see dropping NETIF_F_SG since no checksum feature warning, and I seem to be getting large packets all in one chunk. The reason I've set NETIF_F_SG, is because I'm concerned that under real life stress Linux won't be able to allocate 64K of contiguous memory. Is this concern of mine valid? I saw in-tree drivers allocating at least 8K. What's the best way to enable S/G on send side? Is checksum offloading really required for S/G? Yes, in the current implementation, Linux needs checksum offload. But there is no reason your driver can't compute the checksum in software. 2. On the receive side, what's the best/right way to create an skb that is larger than PAGE_SIZE? Do I allocate with alloc_page and fill in nr_frags with skb_fill_page_desc? Some drivers seem to fill in frag_list - which is better? I see that even skb_put only works properly on linear skb. Allocating large buffers is problematic on busy systems. See latest e1000 or sky2 that use frag_list. What are the helpers legal for fragmented skb? Read the source. Setting up fragmented buffers has fewer helper functions, but isn't that hard. -- Stephen Hemminger [EMAIL PROTECTED] - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: sky2 (was Re: 2.6.18-mm2)
Le Sun, 8 Oct 2006 09:20:01 -0700, Stephen Hemminger [EMAIL PROTECTED] a écrit : On Sun, 08 Oct 2006 15:41:45 +0200 Matthias Hentges [EMAIL PROTECTED] wrote: Hi Stephen, I believe I have identified the problem. The freeze only happens when your debug patch to work around sky2 PCIe error messages is applied. Without your patch (attached) I get _tons_ of error messages and the NIC dies every few seconds / minutes (reproduceable!), but the system recovers just fine from a NIC crash. I have verified this behavior (works fine w/o debug patch, freezes with patch applied) with: - 2.6.19-rc1-git4 - 2.6.18-git something - 2.6.18-mm3 Does 2.6.18 work? What is the PCI config of the device (lspci -vvvx)? What is the chip version (dmesg | grep sky2)? I've got the same issue here since a while (See Message-ID: [EMAIL PROTECTED] from 18 Apr 2006) I steel get freeze (with non tainted kernel) and getting these messages at boot : ~ % dmesg | grep -i sky sky2 v1.7 addr 0xff3fc000 irq 233 Yukon-EC (0xb6) rev 2 sky2 eth0: addr 00:15:f2:a9:6a:65 sky2 :02:00.0: No interrupt was generated using MSI, switching to INTx mode. Please report this failure to the PCI maintainer and include system chipset information. sky2 eth0: enabling interface sky2 eth0: disabling interface lspci -vvvx attached -- Beber - E-Mail / Jabber (+GMail) : beber_AT_meleeweb.net http://www.meleeweb.net 00:00.0 RAM memory: nVidia Corporation C51 Host Bridge (rev a2) Subsystem: ASUSTeK Computer Inc. 
Unknown device 81d2 Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- Latency: 0 Capabilities: access denied 00: de 10 f4 02 06 01 b0 00 a2 00 00 05 00 00 80 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 44 00 00 00 00 00 00 00 ff 00 00 00 00:00.1 RAM memory: nVidia Corporation C51 Memory Controller 0 (rev a2) Subsystem: ASUSTeK Computer Inc. Unknown device 81d2 Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- 00: de 10 fa 02 00 01 20 00 a2 00 00 05 00 00 80 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00:00.2 RAM memory: nVidia Corporation C51 Memory Controller 1 (rev a2) Subsystem: ASUSTeK Computer Inc. Unknown device 81d2 Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- 00: de 10 fe 02 00 00 20 00 a2 00 00 05 00 00 80 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00:00.3 RAM memory: nVidia Corporation C51 Memory Controller 5 (rev a2) Subsystem: ASUSTeK Computer Inc. 
Unknown device 81d2 Control: I/O- Mem- BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap- 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- 00: de 10 f8 02 00 01 a0 00 a2 00 00 05 00 00 80 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 00 00 00 00 00 00 00 00 ff 00 00 00 00:00.4 RAM memory: nVidia Corporation C51 Memory Controller 4 (rev a2) Subsystem: ASUSTeK Computer Inc. Unknown device 81d2 Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap- 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- Latency: 0 00: de 10 f9 02 06 01 a0 00 a2 00 00 05 00 00 00 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 00 00 00 00 00 00 00 00 ff 00 00 00 00:00.5 RAM memory: nVidia Corporation C51 Host Bridge (rev a2) Subsystem: ASUSTeK Computer Inc. Unknown device 81d2 Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- Latency: 0 Capabilities: access denied 00: de 10 ff 02 06 01 b0 00 a2 00 00 05 00 00 80 00 10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20: 00 00 00 00 00 00 00 00 00 00 00 00 43 10 d2 81 30: 00 00 00 00 44 00 00 00 00 00 00 00 ff 00 00 00 00:00.6 RAM memory: nVidia Corporation C51 Memory Controller 3 (rev a2) Subsystem: ASUSTeK Computer Inc. Unknown device 81d2 Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR+ FastB2B- Status: Cap- 66MHz+ UDF- FastB2B- ParErr- DEVSEL=fast TAbort- TAbort- MAbort- SERR- PERR- 00: de 10 7f 02 02 01 20 00 a2 00 00 05 00 00 80 00 10:
[PATCH 2/2][SCTP]: Fix the RX queue size shown in /proc/net/sctp/assocs output.
[SCTP]: Fix the RX queue size shown in /proc/net/sctp/assocs output. Show the true receive buffer usage. Signed-off-by: Vlad Yasevich [EMAIL PROTECTED] Signed-off-by: Sridhar Samudrala [EMAIL PROTECTED] --- net/sctp/proc.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/net/sctp/proc.c b/net/sctp/proc.c index a356d8d..7f49e76 100644 --- a/net/sctp/proc.c +++ b/net/sctp/proc.c @@ -344,7 +344,7 @@ static int sctp_assocs_seq_show(struct s assoc, sk, sctp_sk(sk)-type, sk-sk_state, assoc-state, hash, assoc-assoc_id, assoc-sndbuf_used, - (sk-sk_rcvbuf - assoc-rwnd), + atomic_read(assoc-rmem_alloc), sock_i_uid(sk), sock_i_ino(sk), epb-bind_addr.port, assoc-peer.port); - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 1/2][SCTP]: Fix receive buffer accounting.
Dave, Please consider the following 2 SCTP bug fixes for 2.6.19. Thanks Sridhar [SCTP]: Fix receive buffer accounting. When doing receiver buffer accounting, we always used skb-truesize. This is problematic when processing bundled DATA chunks because for every DATA chunk that could be small part of one large skb, we would charge the size of the entire skb. The new approach is to store the size of the DATA chunk we are accounting for in the sctp_ulpevent structure and use that stored value for accounting. Signed-off-by: Vlad Yasevich [EMAIL PROTECTED] Signed-off-by: Sridhar Samudrala [EMAIL PROTECTED] --- include/net/sctp/sctp.h | 14 ++ include/net/sctp/ulpevent.h |1 + net/sctp/socket.c | 22 ++ net/sctp/ulpevent.c | 25 +++-- net/sctp/ulpqueue.c |2 +- 5 files changed, 49 insertions(+), 15 deletions(-) diff --git a/include/net/sctp/sctp.h b/include/net/sctp/sctp.h index ee68a31..764e3af 100644 --- a/include/net/sctp/sctp.h +++ b/include/net/sctp/sctp.h @@ -139,6 +139,7 @@ int sctp_inet_listen(struct socket *sock void sctp_write_space(struct sock *sk); unsigned int sctp_poll(struct file *file, struct socket *sock, poll_table *wait); +void sctp_sock_rfree(struct sk_buff *skb); /* * sctp/primitive.c @@ -444,6 +445,19 @@ static inline struct list_head *sctp_lis return result; } +/* SCTP version of skb_set_owner_r. We need this one because + * of the way we have to do receive buffer accounting on bundled + * chunks. + */ +static inline void sctp_skb_set_owner_r(struct sk_buff *skb, struct sock *sk) +{ + struct sctp_ulpevent *event = sctp_skb2event(skb); + + skb-sk = sk; + skb-destructor = sctp_sock_rfree; + atomic_add(event-rmem_len, sk-sk_rmem_alloc); +} + /* Tests if the list has one and only one entry. */ static inline int sctp_list_single_entry(struct list_head *head) { diff --git a/include/net/sctp/ulpevent.h b/include/net/sctp/ulpevent.h index 6c40cfc..1a4ddc1 100644 --- a/include/net/sctp/ulpevent.h +++ b/include/net/sctp/ulpevent.h 
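Review bot: `sctp_skb_set_owner_r()` adds `event->rmem_len` to `sk_rmem_alloc`, and the destructor `sctp_sock_rfree()` (added in the net/sctp/socket.c hunk) later subtracts whatever `rmem_len` holds when the skb is freed. The two only balance if the field is set before the charge and never changes afterwards, and neither comment states that. If the value drifted, `sk_rmem_alloc` would sit above or below the real usage, which would presumably skew the receive-buffer limit checks for that socket. I would extend the comment above the helper with `* event->rmem_len must be final before this call; sctp_sock_rfree() subtracts the same field.` The place where `rmem_len` is assigned is in the ulpevent.c part of the patch, which is cut off on this page.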
@@ -63,6 +63,7 @@ struct sctp_ulpevent { __u32 cumtsn; int msg_flags; int iif; + unsigned int rmem_len; }; /* Retrieve the skb this event sits inside of. */ diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 3fe906d..9deec43 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -5362,6 +5362,20 @@ static void sctp_wfree(struct sk_buff *s sctp_association_put(asoc); } +/* Do accounting for the receive space on the socket. + * Accounting for the association is done in ulpevent.c + * We set this as a destructor for the cloned data skbs so that + * accounting is done at the correct time. + */ +void sctp_sock_rfree(struct sk_buff *skb) +{ + struct sock *sk = skb-sk; + struct sctp_ulpevent *event = sctp_skb2event(skb); + + atomic_sub(event-rmem_len, sk-sk_rmem_alloc); +} + + /* Helper function to wait for space in the sndbuf. */ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, size_t msg_len) @@ -5634,10 +5648,10 @@ static void sctp_sock_migrate(struct soc sctp_skb_for_each(skb, oldsk-sk_receive_queue, tmp) { event = sctp_skb2event(skb); if (event-asoc == assoc) { - sock_rfree(skb); + sctp_sock_rfree(skb); __skb_unlink(skb, oldsk-sk_receive_queue); __skb_queue_tail(newsk-sk_receive_queue, skb); - skb_set_owner_r(skb, newsk); + sctp_skb_set_owner_r(skb, newsk); } } @@ -5665,10 +5679,10 @@ static void sctp_sock_migrate(struct soc sctp_skb_for_each(skb, oldsp-pd_lobby, tmp) { event = sctp_skb2event(skb); if (event-asoc == assoc) { - sock_rfree(skb); + sctp_sock_rfree(skb); __skb_unlink(skb, oldsp-pd_lobby); __skb_queue_tail(queue, skb); - skb_set_owner_r(skb, newsk); + sctp_skb_set_owner_r(skb, newsk); } } diff --git a/net/sctp/ulpevent.c b/net/sctp/ulpevent.c index ee23678..a015283 100644 --- a/net/sctp/ulpevent.c +++ b/net/sctp/ulpevent.c 
@@ -55,10 +55,13 @@ static void sctp_ulpevent_release_frag_d /* Initialize an ULP event from an given skb. */ -SCTP_STATIC void sctp_ulpevent_init(struct sctp_ulpevent *event, int msg_flags) +SCTP_STATIC void sctp_ulpevent_init(struct sctp_ulpevent *event, + int msg_flags, + unsigned int len) { memset(event, 0, sizeof(struct sctp_ulpevent)); event-msg_flags = msg_flags; +
Re: [BUG 2.6.18] unaligned access in ipvv6_rcv, nf_ip6_checksum, tcp_error, __ipv6_addr_type, fib6_lookup_1
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 30 Sep 2006 22:20:40 +0200 Kernel unaligned access at TPC[10022cf0] ipv6_rcv+0xb8/0x320 [ipv6] Kernel unaligned access at TPC[10023800] __ipv6_addr_type+0x8/0x140 [ipv6] Kernel unaligned access at TPC[1002fd64] fib6_lookup_1+0x2c/0x120 [ipv6] Kernel unaligned access at TPC[10093878] tcp_error+0x40/0x2c0 [nf_conntrack] Kernel unaligned access at TPC[1004ce54] nf_ip6_checksum+0x13c/0x1c0 [ipv6] Kernel unaligned access at TPC[1004ce58] nf_ip6_checksum+0x140/0x1c0 [ipv6] Kernel unaligned access at TPC[1004ce60] nf_ip6_checksum+0x148/0x1c0 [ipv6] I think for all of these cases the IPv6 header is not 4-byte aligned in the SKB. The first case is simply ipv6_hdr->version which GCC turns into a load of the first 4 byte word of the headers, then a mask+compare. And this is fine because due to the struct in6_addr, gcc may assume that the ipv6 header struct is at least 4 bytes aligned since in6_addr contains an array of u32[]'s. What kind of input path is this packet coming from? Is it using some kind of encapsulation? It's odd for it to not be 4 byte aligned, you would get the same kind of unaligned accesses for an ipv4 header if it were misaligned like this. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
bcm43xx scan oops!!!
(gdb) list *bcm43xx_dma_handle_xmitstatus+0xbd 0x3ad is in bcm43xx_dma_handle_xmitstatus (include/asm/dma-mapping.h:91). 86static inline void 87dma_unmap_single(struct device *dev, dma_addr_t addr,size_t size, 88 int direction) 89{ 90BUG_ON(!valid_dma_direction(direction)); 91dma_ops-unmap_single(dev, addr, size, direction); 92} 93 94#define dma_map_page(dev,page,offset,size,dir) \ 95dma_map_single((dev), page_address(page)+(offset), (size), (dir)) http://home.nctv.com/anarchy/dscape-clean.jpg bcm43xx causes kernel oops on 4318 with latest wireless-dev git. Jory - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 1/2][SCTP]: Fix receive buffer accounting.
From: Sridhar Samudrala [EMAIL PROTECTED] Date: Mon, 09 Oct 2006 17:43:09 -0700 [SCTP]: Fix receive buffer accounting. When doing receiver buffer accounting, we always used skb->truesize. This is problematic when processing bundled DATA chunks because for every DATA chunk that could be small part of one large skb, we would charge the size of the entire skb. The new approach is to store the size of the DATA chunk we are accounting for in the sctp_ulpevent structure and use that stored value for accounting. Signed-off-by: Vlad Yasevich [EMAIL PROTECTED] Signed-off-by: Sridhar Samudrala [EMAIL PROTECTED] Applied. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 2/2][SCTP]: Fix the RX queue size shown in /proc/net/sctp/assocs output.
From: Sridhar Samudrala [EMAIL PROTECTED] Date: Mon, 09 Oct 2006 17:43:12 -0700 [SCTP]: Fix the RX queue size shown in /proc/net/sctp/assocs output. Show the true receive buffer usage. Signed-off-by: Vlad Yasevich [EMAIL PROTECTED] Signed-off-by: Sridhar Samudrala [EMAIL PROTECTED] Also applied, thanks a lot. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] file descriptor loss while receiving SCM_RIGHTS
From: Miklos Szeredi [EMAIL PROTECTED] Date: Sun, 08 Oct 2006 12:53:11 +0200 If more than one file descriptor was sent with an SCM_RIGHTS message, and on the receiving end, after installing a nonzero (but not all) file descriptors the process runs out of fds, then the already installed fds will be lost (userspace will have no way of knowing about them). The following patch makes sure that at least the already installed fds are sent to userspace. It doesn't solve the issue of losing file descriptors in case of an EFAULT on the userspace buffer. Signed-off-by: Miklos Szeredi [EMAIL PROTECTED] Looks good. Applied, thanks Miklos. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH 01/02 V2] net/ipv6: seperate sit driver to extra module
From: Joerg Roedel [EMAIL PROTECTED] Date: Mon, 9 Oct 2006 11:34:16 +0200 This is the changed version of the patch making the sit driver configurable as a separate module. Changes: - spelling fixes in Kconfig - changed If unsure, say N to If unsure, say Y for consistency Joerg, when you make resubmissions, please always restate the full changelog and all signed-off-by lines. If you want to say Changed since last version do that separately at the top of the email, right before the main changelog entry and the patch itself. I wanted to apply this latest version of these two patches, but I cannot because the full changelog isn't here. Please get this into a mergeable form for me. Thanks a lot. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] irda: donauboe fixes, cleanups
- fix: toshoboe_invalid_dev() was recently removed, but not all callers were updated, causing the obvious linker error. Remove caller, because the check (like the one removed) isn't used. - fix: propagate request_irq() return value - cleanup: remove void* casts - cleanup: remove impossible ASSERTs Signed-off-by: Jeff Garzik [EMAIL PROTECTED] --- drivers/net/irda/donauboe.c | 20 +++- 1 file changed, 7 insertions(+), 13 deletions(-) diff --git a/drivers/net/irda/donauboe.c b/drivers/net/irda/donauboe.c index 636d063..16620bd 100644 --- a/drivers/net/irda/donauboe.c +++ b/drivers/net/irda/donauboe.c @@ -1154,13 +1154,10 @@ #endif static irqreturn_t toshoboe_interrupt (int irq, void *dev_id) { - struct toshoboe_cb *self = (struct toshoboe_cb *) dev_id; + struct toshoboe_cb *self = dev_id; __u8 irqstat; struct sk_buff *skb = NULL; - if (self == NULL toshoboe_invalid_dev(irq)) -return IRQ_NONE; - irqstat = INB (OBOE_ISR); /* was it us */ @@ -1348,13 +1345,11 @@ toshoboe_net_open (struct net_device *de { struct toshoboe_cb *self; unsigned long flags; + int rc; IRDA_DEBUG (4, %s()\n, __FUNCTION__); - IRDA_ASSERT (dev != NULL, return -1; ); - self = (struct toshoboe_cb *) dev-priv; - - IRDA_ASSERT (self != NULL, return 0; ); + self = netdev_priv(dev); if (self-async) return -EBUSY; @@ -1362,11 +1357,10 @@ toshoboe_net_open (struct net_device *de if (self-stopped) return 0; - if (request_irq (self-io.irq, toshoboe_interrupt, - IRQF_SHARED | IRQF_DISABLED, dev-name, (void *) self)) -{ - return -EAGAIN; -} + rc = request_irq (self-io.irq, toshoboe_interrupt, +IRQF_SHARED | IRQF_DISABLED, dev-name, self); + if (rc) + return rc; spin_lock_irqsave(self-spinlock, flags); toshoboe_startchip (self); - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
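Review bot: In `toshoboe_net_open()`, `self = netdev_priv(dev)` replaces the read of `dev->priv`, and the two agree only if the `toshoboe_cb` is the private area allocated together with the net_device. That allocation is not part of this patch, so it should be confirmed before the accessor is switched. If other functions in donauboe.c still read `dev->priv`, converting them in the same change would keep the file on one accessor. The function body continues outside the hunk.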