Hosts the 0x221E linux distro kernel. https://universe.0xinfinity.dev/distro/kernel/atom?h=linux-5.1.y 2019-03-29T00:00:45Z 2019-03-29T00:00:45Z Eric Dumazet edumazet@google.com 2019-03-27T15:21:30Z urn:sha1:355b98553789b646ed97ad801a619ff898471b92 net_hash_mix() currently uses kernel address of a struct net, and is used in many places that could be used to reveal this address to a patient attacker, thus defeating KASLR, for the typical case (initial net namespace, &init_net is not dynamically allocated) I believe the original implementation tried to avoid spending too many cycles in this function, but security comes first. Also provide entropy regardless of CONFIG_NET_NS. Fixes: 0b4419162aa6 ("netns: introduce the net_hash_mix "salt" for hashes") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Amit Klein <aksecurity@gmail.com> Reported-by: Benny Pinkas <benny@pinkas.net> Cc: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2019-01-25T00:50:03Z Björn Töpel bjorn.topel@intel.com 2019-01-24T18:59:37Z urn:sha1:1d0dc06930a917eaca4156193c6c49f798b95ce7 Track each AF_XDP socket in a per-netns list. This will be used later by the sock_diag interface for querying sockets from userspace. Signed-off-by: Björn Töpel <bjorn.topel@intel.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> 2018-09-14T19:04:33Z Petar Penkov ppenkov@google.com 2018-09-14T14:46:18Z urn:sha1:d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 Adds a hook for programs of type BPF_PROG_TYPE_FLOW_DISSECTOR and attach type BPF_FLOW_DISSECTOR that is executed in the flow dissector path. The BPF program is per-network namespace. Signed-off-by: Petar Penkov <ppenkov@google.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2018-07-21T06:44:36Z Tyler Hicks tyhicks@canonical.com 2018-07-20T21:56:53Z urn:sha1:fbdeaed408cf2728c62640c10848ddb1b67e63d3 Make net_ns_get_ownership() reusable by networking code outside of core. This is useful, for example, to allow bridge related sysfs files to be owned by container root. Add a function comment since this is a potentially dangerous function to use given the way that kobject_get_ownership() works by initializing uid and gid before calling .get_ownership(). Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-06-18T12:13:25Z Eric Dumazet edumazet@google.com 2018-06-13T17:11:56Z urn:sha1:9ce7bc036ae4cfe3393232c86e9e1fea2153c237 It is a waste of memory to use a full "struct netns_sysctl_ipv6" while only one pointer is really used, considering netns_sysctl_ipv6 keeps growing. Also, since "struct netns_frags" has cache line alignment, it is better to move the frags_hdr pointer outside, otherwise we spend a full cache line for this pointer. This saves 192 bytes of memory per netns. Fixes: c038a767cd69 ("ipv6: add a new namespace for nf_conntrack_reasm") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-03-29T17:47:53Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-29T16:20:32Z urn:sha1:f0b07bb151b098d291fd1fd71ef7a2df56fb124a rtnl_lock() is used everywhere, and contention is very high. When someone wants to iterate over alive net namespaces, he/she has no a possibility to do that without exclusive lock. But the exclusive rtnl_lock() in such places is overkill, and it just increases the contention. Yes, there is already for_each_net_rcu() in kernel, but it requires rcu_read_lock(), and this can't be sleepable. Also, sometimes it may be need really prevent net_namespace_list growth, so for_each_net_rcu() is not fit there. This patch introduces new rw_semaphore, which will be used instead of rtnl_mutex to protect net_namespace_list. It is sleepable and allows not-exclusive iterations over net namespaces list. It allows to stop using rtnl_lock() in several places (what is made in next patches) and makes less the time, we keep rtnl_mutex. Here we just add new lock, while the explanation of we can remove rtnl_lock() there are in next patches. Fine grained locks generally are better, then one big lock, so let's do that with net_namespace_list, while the situation allows that. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-27T17:18:09Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-27T15:02:32Z urn:sha1:8518e9bb98b602eca0717d5aaad63ccbe56539d2 This adds comments to different places to improve readability. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-27T17:18:09Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-27T15:02:23Z urn:sha1:4420bf21fb6c0306e36ad58ade1e741fba57ce65 net_sem is some undefined area name, so it will be better to make the area more defined. Rename it to pernet_ops_rwsem for better readability and better intelligibility. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-27T17:18:09Z Kirill Tkhai ktkhai@virtuozzo.com 2018-03-27T15:02:13Z urn:sha1:2f635ceeb22ba13c307236d69795fbb29cfa3e7c Synchronous pernet_operations are not allowed anymore. All are asynchronous. So, drop the structure member. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> 2018-03-22T15:16:42Z Christian Brauner christian.brauner@ubuntu.com 2018-03-19T12:17:30Z urn:sha1:94e5e3087a67c765be98592b36d8d187566478d5 This commit adds struct uevent_sock to struct net. Since struct uevent_sock records the position of the uevent socket in the uevent socket list we can trivially remove it from the uevent socket list during cleanup. This speeds up the old removal codepath. Note, list_del() will hit __list_del_entry_valid() in its call chain which will validate that the element is a member of the list. If it isn't it will take care that the list is not modified. Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com> Signed-off-by: David S. Miller <davem@davemloft.net>