Implement a new "fail-open" mode where packets are not dropped
upon queue-full condition. This mode can be enabled/disabled per
queue using netlink NFQA_CFG_FLAGS & NFQA_CFG_MASK attributes.
Change-Id: Ibe58610239603d0080fabab640b142d6c15f257e
Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Vivek Kashyap <vivk@us.ibm.com>
Signed-off-by: Sridhar Samudrala <samudrala@us.ibm.com>
It was scheduled to be removed.
Change-Id: I8ad3a555a10f2159d8bc7bd658e43aaa5ebfc519
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch addresses two issues:
a) Fix usage of u32 and __be32 that causes endianess warnings via sparse.
b) Ensure consistent hashing in a cluster that is composed of big and
little endian systems. Thus, we obtain the same hash mark in an
heterogeneous cluster.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Schillstrom <hans@schillstrom.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: I34dc3aec1d437097ce73fac64e4c4e8e02efd1a8
nf_conntrack_l4proto.h is included twice.
Signed-off-by: Eldad Zack <eldad@fogrefinery.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ie187dbb40294216188d9b03a78376209b0f15757
Use:
((u64)(HASH_VAL * HASH_SIZE)) >> 32
as suggested by David S. Miller.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ic24e8221499b767fb7200b7c83017f573fd4bc4d
There is a typo in the error checking and "&&" was used instead of "||".
If skb_header_pointer() returns NULL then it leads to a NULL
dereference.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: I6663bf06e012a5b338e0bf8faafea445a5247b7f
The target allows you to create rules in the "raw" and "mangle" tables
which set the skbuff mark by means of hash calculation within a given
range. The nfmark can influence the routing method (see "Use netfilter
MARK value as routing key") and can also be used by other subsystems to
change their behaviour.
[ Part of this patch has been refactorized and modified by Pablo Neira Ayuso ]
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: I4ab0fcff9b5d4637f480e1146e5bc4100cf2cf7b
This patch adds the flags parameter to ipv6_find_hdr. This flags
allows us to:
* know if this is a fragment.
* stop at the AH header, so the information contained in that header
can be used for some specific packet handling.
This patch also adds the offset parameter for inspection of one
inner IPv6 header that is contained in error messages.
Change-Id: I8aa13399597dcb72c73084bcd7f8ca4156326357
Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This patch removes ip_queue support which was marked as obsolete
years ago. The nfnetlink_queue modules provides more advanced
user-space packet queueing mechanism.
This patch also removes capability code included in SELinux that
refers to ip_queue. Otherwise, we break compilation.
Several warning has been sent regarding this to the mailing list
in the past month without anyone rising the hand to stop this
with some strong argument.
Change-Id: I62ab355af31e708b3c1000f2252c8196fb8ba428
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Explicit helper attachment via the CT target is broken with NAT
if non-standard ports are used. This problem was hidden behind
the automatic helper assignment routine. Thus, it becomes more
noticeable now that we can disable the automatic helper assignment
with Eric Leblond's:
9e8ac5a netfilter: nf_ct_helper: allow to disable automatic helper assignment
Basically, nf_conntrack_alter_reply asks for looking up the helper
up if NAT is enabled. Unfortunately, we don't have the conntrack
template at that point anymore.
Since we don't want to rely on the automatic helper assignment,
we can skip the second look-up and stick to the helper that was
attached by iptables. With the CT target, the user is in full
control of helper attachment, thus, the policy is to trust what
the user explicitly configures via iptables (no automatic magic
anymore).
Interestingly, this bug was hidden by the automatic helper look-up
code. But it can be easily trigger if you attach the helper in
a non-standard port, eg.
iptables -I PREROUTING -t raw -p tcp --dport 8888 \
-j CT --helper ftp
And you disabled the automatic helper assignment.
I added the IPS_HELPER_BIT that allows us to differenciate between
a helper that has been explicitly attached and those that have been
automatically assigned. I didn't come up with a better solution
(having backward compatibility in mind).
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Iff14005c0627ce7e76c9fa3b0b6c95b892901ca3
This refreshes the "timeout" attribute in existing expectations if one is
given.
The use case for this would be for userspace helpers to extend the lifetime
of the expectation when requested, as this is not possible right now
without deleting/recreating the expectation.
I use this specifically for forwarding DCERPC traffic through:
DCERPC has a port mapper daemon that chooses a (seemingly) random port for
future traffic to go to. We expect this traffic (with a reasonable
timeout), but sometimes the port mapper will tell the client to continue
using the same port. This allows us to extend the expectation accordingly.
Signed-off-by: Kelvie Wong <kelvie@ieee.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: I1b4f4479aaef63103a665ee7cb1ff70001912756
This patch allows you to disable automatic conntrack helper
lookup based on TCP/UDP ports, eg.
echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper
[ Note: flows that already got a helper will keep using it even
if automatic helper assignment has been disabled ]
Once this behaviour has been disabled, you have to explicitly
use the iptables CT target to attach helper to flows.
There are good reasons to stop supporting automatic helper
assignment, for further information, please read:
http://www.netfilter.org/news.html#2012-04-03
This patch also adds one message to inform that automatic helper
assignment is deprecated and it will be removed soon (this is
spotted only once, with the first flow that gets a helper attached
to make it as less annoying as possible).
Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ie1356fa575971063d579cf943ac0354d1513cfc3
In certain 802.11 wireless deployments, there will be NA proxies
that use knowledge of the network to correctly answer requests.
To prevent unsolicitd advertisements on the shared medium from
being a problem, on such deployments wireless needs to drop them.
Enable this by providing an option called "drop_unsolicited_na".
Change-Id: I2567a9973e72165a8e546f3638b509fbd1c95298
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv6 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.
Change-Id: I8a0b45fbd533236fbd785e6e8aa20fb780aa1397
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In certain 802.11 wireless deployments, there will be ARP proxies
that use knowledge of the network to correctly answer requests.
To prevent gratuitous ARP frames on the shared medium from being
a problem, on such deployments wireless needs to drop them.
Enable this by providing an option called "drop_gratuitous_arp".
Change-Id: Ic0ed4c7e520b1d973eb1ae206af0f882badc21ce
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv4 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.
Additionally, enabling this option provides compliance with a SHOULD
clause of RFC 1122.
Change-Id: Ib0c44d9e36d879be4f073db1936a986003390b78
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
As suggested by Julian:
Simply, flowi4_iif must not contain 0, it does not
look logical to ignore all ip rules with specified iif.
because in fib_rule_match() we do:
if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
goto out;
flowi4_iif should be LOOPBACK_IFINDEX by default.
We need to move LOOPBACK_IFINDEX to include/net/flow.h:
1) It is mostly used by flowi_iif
2) Fix the following compile error if we use it in flow.h
by the patches latter:
In file included from include/linux/netfilter.h:277:0,
from include/net/netns/netfilter.h:5,
from include/net/net_namespace.h:21,
from include/linux/netdevice.h:43,
from include/linux/icmpv6.h:12,
from include/linux/ipv6.h:61,
from include/net/ipv6.h:16,
from include/linux/sunrpc/clnt.h:27,
from include/linux/nfs_fs.h:30,
from init/do_mounts.c:32:
include/net/flow.h: In function ‘flowi4_init_output’:
include/net/flow.h:84:32: error: ‘LOOPBACK_IFINDEX’ undeclared (first use in this function)
[Backport of net-next 6a662719c9]
Change-Id: Ib7a0a08d78c03800488afa1b2c170cb70e34cfd9
Cc: Eric Biederman <ebiederm@xmission.com>
Cc: Julian Anastasov <ja@ssi.bg>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Cong Wang <cwang@twopensource.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Alex Efros reported rpfilter module doesn't match following packets:
IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
(netfilter bugzilla #814).
Problem is that network stack arranges for the locally generated broadcasts
to appear on the interface they were sent out, so the IFF_LOOPBACK check
doesn't trigger.
As -m rpfilter is restricted to PREROUTING, we can check for existing
rtable instead, it catches locally-generated broad/multicast case, too.
Change-Id: I2d921ac4d53e5b1ca9a5249e489c33e4fa4a4b3a
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
As pointed out, there are places, that access net->loopback_dev->ifindex
and after ifindex generation is made per-net this value becomes constant
equals 1. So go ahead and introduce the LOOPBACK_IFINDEX constant and use
it where appropriate.
Change-Id: I29fd08fa01a9522240ab654d436b02a577bb610c
Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add support for flexible period size and count for audio playback path.
Change-Id: Ide5b504054e9eee5c1ffee60b889446919aeb7f4
Signed-off-by: Honghao Liu <honghaol@codeaurora.org>
Check if pcm samples to be copied is greater than
the kernel buffer size.
Change-Id: Ieddd3a3299640ebea0225985d13952045d5dc5c9
CRs-fixed: 813448
Signed-off-by: Kuirong Wang <kuirongw@codeaurora.org>
wait_event_timeout returns zero when there is a timeout.
Change fixes the condition check to handle timeouts.
Change-Id: I01184cce0c98a82bb205023b07dd4dd2d91b42ad
CRs-Fixed: 487821
Signed-off-by: Asish Bhattacharya <asishb@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
Advance hardware pointer by period size even if the packet
coming from qdsp6 is of less size. QDSP6 sometimes
(for rapid device switches) gives packets worth less
than period size and this results in hw_ptr appl_ptr mismatch.
CRs-Fixed: 486276
CRs-Fixed: 488449
Change-Id: I893f9a52e4cd507fd72e4a7aba3c5fa76527d1bf
Signed-off-by: Sidipotu Ashok <sashok@codeaurora.org>
It is found that during device switch from one backend
with one sample rate to another backend with another sample rate,
the command to QDSP6 ADM which maps audio stream session to a
particular backend would not get carried out until pending
data of audio stream session from previous backend is either
read out or flushed. This scenario occurs when application
stops providing more buffers to retrieve captured data.
Remedy is to flush upon detection of rate mismatching
Change-Id: I2c01c036d9bb71f938a6795337f08948bd986553
CRs-fixed: 422205
Signed-off-by: Patrick Lai <plai@codeaurora.org>
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
In pcm recording, if buffers are not requested from dsp at real
time then dsp drops the buffers and sends partial buffers. This
is causing record failures. Pcm record platform driver has two
periods. If system is loaded, read request will not be at real
time. Add flexible period count to pcm record platform driver
so client can configure the period count.
CRs-Fixed: 467746
Change-Id: Iadd47979f7b29a01fb8e6479383094a2ed1d93c5
Signed-off-by: Krishnankutty Kolathappilly <kkolat@codeaurora.org>
Add a new header file that lists all supported
HDMI resolution modes and the associated timing
information.
CRs-Fixed: 470335
Change-Id: I971422ddb97e3b219cc682032eb67212b434daab
Signed-off-by: Aravind Venkateswaran <aravindh@codeaurora.org>
Signed-off-by: Manoj Rao <manojraj@codeaurora.org>
Even though cancel_delayed_work should cancel the worker thread
in some race condition it can fail and get scheduled.
To avoid this situation use cancel_delayed_work_sync.
Also rotator_lock mutex need not be unlocked while waiting for isr
as isr does not aquire this mutex for doing its operations.
It is after this unlock of mutex sometimes in race condition rotator
clock is getting disabled via the msm_rotator_rot_clk_work_f
Change-Id: I574aec489fe51ec0e5f7c215c9aba9bb0ec66ffa
Signed-off-by: Justin Philip <jphili@codeaurora.org>
Hide kernel pointers from unprivileged users by using %pk format-specifier
instead of %p. This respects the kptr_restrict sysctl setting which is by
default on. So by default %pk will print zeroes as address. echo 1 to
kptr_restrict to print proper kernel address.
Change-Id: Ia300e3e38b8662afac15edda28959564b05c9367
Signed-off-by: Satyajit Desai <sadesai@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Check for failed allocations and return error code if allocation
failed. Also checking for NULL function pointer before calling
the function pointer.
Change-Id: I264f81ca43c731dd4abdb0036b3c6bf0b4b11167
Signed-off-by: Edward Lee <eleekimk@codeaurora.org>
Deletion of extra file added previously with
commit: d987cbedc3e69076c25e59ad08658d1d014f84dc
Change-Id: Ie4c125cf6b1c36bf9825456da93ea3747fc586ad
Signed-off-by: Pradosh Das <prados@codeaurora.org>
In ion_debug_heap_show we're iterating over an rb tree (dev->clients)
that could change while we're iterating. Fix this by taking the lock
that is used to control access to this tree.
Change-Id: I6832e1e98e2d2a69fc653451d3752d43ec3ef269
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
There are a few places in Ion where we are iterating over volatile rb
trees without proper locking. In some places the proper locking cannot
be added since it would require us to take locks in a different order
than they are taken in other places in Ion. Fix this by re-working some
of the debug code so that we can take locks in an allowed order.
One side-effect of the re-work is that the memory maps will now show
every client that has a handle to a particular region of memory, rather
than just showing the first one that we encounter. This will allow for
more accurate accounting and will give better insight as to who is
actually using the memory.
Change-Id: Ia43e4dbc412cd480c828173f8c20b5095d87d858
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Currently we use an rb tree to store information about the memory map
which gets passed to the heap print_debug functions. The reason for
using a tree instead of a simple list is to maintain sortedness as we
build the memory map. However, it can be necessary to store multiple
entries for the same address in the memory map since there can be
multiple clients with handles to the same buffer. This information is
interesting and useful but we currently can't store and display it since
the rb tree requires that the key used for sorting (the physical address
in this case) be unique. Fix this by replacing the rb tree with a linked
list. In order to maintain sorted output of the print_debug functions,
sort the list by physical address after fully building the list.
This also has the positive side-effect of simplifying the code and
making future print_debug methods less error-prone.
Change-Id: I5b129fd809fb53c66042eab10d096238a34c2b20
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Removes contention for lock between allocate and free by reducing
the length of time the lock is held for. Split out a seperate
lock to protect the list of heaps and replace it with a rwsem since
the list will most likely only be updated during initialization.
Change-Id: Id10464dfe0d60cdcd64f29edfc94317d8e5ee251
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
Git-commit: 675a52aa0d89e8b6c0c05849627381d8a64b2b2b
Git-repo: https://android.googlesource.com/kernel/common
[lauraa@codeaurora.org: Context differences due to debugfs
differences. Need to adjust locking on MSM specific extensions]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Clients may take dma_bufs directly. Add an API to go from
dma_bufs to Ion handles where appropriate.
Change-Id: Ieb2786629dfbbe30aa2778d6ee16113035bce115
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Currently ion can only share buffers with dma buf fd's. Fd's can not be
used inside the kernel as they are process specific so support for
sharing buffers with dma buf kernel handles is needed to support kernel
only use cases. An example use case could be a GPU driver using ion
that wants to share its output buffers with a 3d party display
controller driver supporting dma buf.
Change-Id: I74388160ad65ee5380b87dbb20521a97ddf6727a
Signed-off-by: Johan Mossberg <johan.mossberg@stericsson.com>
Git-commit: 1a6c74e0d58f6ca028f36c3d794fecff8543bbfb
Git-repo: https://android.googlesource.com/kernel/common
[lauraa@codeaurora.org: update callers of function]
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
When an sgtable is allocated with sg_alloc_table, the table needs
to be destroyed in addition to being freed. Destroy the sgtable
when freeing the associated memory.
Change-Id: Iedba81146ba453070790f071848f86826f7eec9c
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Video decoder release calls vid_dec_close_client which calls vcd_stop.
If vcd_stop notification fails, then there is a long wait. This patch
is limiting the same
Change-Id: Ibdf33e3882826429bf8c49a5888b8c9908e2e62d
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
"level" has an option of FATAL, ERROR, HIGH, MED, LOW.
>>usage for all levels: adb shell "echo 0xF > /d/vidc/vidc_debug_level"
"out" has an option of printk or trace_printk.
>>usage for terminal window: adb shell "echo 1 > /d/vidc/vidc_debug_out"
Change-Id: I0ea3ed2999cc80e691ea86667401eff6c1bf88a8
Signed-off-by: wyun@codeaurora.org
This patch adds POC type support for video core that
enables low-latency encoding.
Change-Id: I1fe8ea38c7ed8d203a3ef99febb4001165a856fe
Signed-off-by: Shiju Mathew <shijum@codeaurora.org>
