2012-05-16 23:58:40 +04:00
# define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
2007-09-12 13:50:50 +04:00
# include <linux/workqueue.h>
# include <linux/rtnetlink.h>
# include <linux/cache.h>
# include <linux/slab.h>
# include <linux/list.h>
# include <linux/delay.h>
2007-09-27 09:04:26 +04:00
# include <linux/sched.h>
2008-04-15 11:35:23 +04:00
# include <linux/idr.h>
2009-07-10 13:51:33 +04:00
# include <linux/rculist.h>
2009-07-10 13:51:35 +04:00
# include <linux/nsproxy.h>
2013-04-12 04:50:06 +04:00
# include <linux/fs.h>
# include <linux/proc_ns.h>
2011-05-05 04:51:50 +04:00
# include <linux/file.h>
2011-07-15 19:47:34 +04:00
# include <linux/export.h>
2012-06-14 13:31:10 +04:00
# include <linux/user_namespace.h>
2015-01-15 17:11:15 +03:00
# include <linux/net_namespace.h>
2017-02-06 12:57:33 +03:00
# include <linux/sched/task.h>
2015-01-15 17:11:15 +03:00
# include <net/sock.h>
# include <net/netlink.h>
2007-09-12 13:50:50 +04:00
# include <net/net_namespace.h>
2008-04-15 11:36:08 +04:00
# include <net/netns/generic.h>
2007-09-12 13:50:50 +04:00
/*
* Our network namespace constructor / destructor lists
*/
static LIST_HEAD ( pernet_list ) ;
static struct list_head * first_device = & pernet_list ;
2014-05-13 02:11:20 +04:00
DEFINE_MUTEX ( net_mutex ) ;
2007-09-12 13:50:50 +04:00
LIST_HEAD ( net_namespace_list ) ;
2008-10-08 13:35:06 +04:00
EXPORT_SYMBOL_GPL ( net_namespace_list ) ;
2007-09-12 13:50:50 +04:00
2012-07-18 13:06:07 +04:00
struct net init_net = {
2018-01-12 18:28:31 +03:00
. count = REFCOUNT_INIT ( 1 ) ,
2017-04-28 00:40:23 +03:00
. dev_base_head = LIST_HEAD_INIT ( init_net . dev_base_head ) ,
2012-07-18 13:06:07 +04:00
} ;
2008-01-23 09:05:33 +03:00
EXPORT_SYMBOL ( init_net ) ;
2007-09-12 13:50:50 +04:00
2016-08-11 00:36:00 +03:00
static bool init_net_initialized ;
2016-12-02 04:21:32 +03:00
# define MIN_PERNET_OPS_ID \
( ( sizeof ( struct net_generic ) + sizeof ( void * ) - 1 ) / sizeof ( void * ) )
2008-04-15 11:36:08 +04:00
# define INITIAL_NET_GEN_PTRS 13 /* +1 for len +2 for rcu_head */
2012-01-26 04:41:38 +04:00
static unsigned int max_gen_ptrs = INITIAL_NET_GEN_PTRS ;
static struct net_generic * net_alloc_generic ( void )
{
struct net_generic * ng ;
2016-12-02 04:21:32 +03:00
unsigned int generic_size = offsetof ( struct net_generic , ptr [ max_gen_ptrs ] ) ;
2012-01-26 04:41:38 +04:00
ng = kzalloc ( generic_size , GFP_KERNEL ) ;
if ( ng )
2016-12-02 04:12:58 +03:00
ng - > s . len = max_gen_ptrs ;
2012-01-26 04:41:38 +04:00
return ng ;
}
netns: make struct pernet_operations::id unsigned int
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.
2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data.
"int" being used as an array index needs to be sign-extended
to 64-bit before being used.
void f(long *p, int i)
{
g(p[i]);
}
roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call g
MOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.
Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:
static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}
And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]
However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-17 04:58:21 +03:00
static int net_assign_generic ( struct net * net , unsigned int id , void * data )
2010-04-23 05:40:47 +04:00
{
struct net_generic * ng , * old_ng ;
BUG_ON ( ! mutex_is_locked ( & net_mutex ) ) ;
2016-12-02 04:21:32 +03:00
BUG_ON ( id < MIN_PERNET_OPS_ID ) ;
2010-04-23 05:40:47 +04:00
2010-10-25 07:20:11 +04:00
old_ng = rcu_dereference_protected ( net - > gen ,
lockdep_is_held ( & net_mutex ) ) ;
2016-12-02 04:21:32 +03:00
if ( old_ng - > s . len > id ) {
old_ng - > ptr [ id ] = data ;
2016-12-02 04:11:34 +03:00
return 0 ;
}
2010-04-23 05:40:47 +04:00
2012-01-26 04:41:38 +04:00
ng = net_alloc_generic ( ) ;
2010-04-23 05:40:47 +04:00
if ( ng = = NULL )
return - ENOMEM ;
/*
* Some synchronisation notes :
*
* The net_generic explores the net - > gen array inside rcu
* read section . Besides once set the net - > gen - > ptr [ x ]
* pointer never changes ( see rules in netns / generic . h ) .
*
* That said , we simply duplicate this array and schedule
* the old copy for kfree after a grace period .
*/
2016-12-02 04:21:32 +03:00
memcpy ( & ng - > ptr [ MIN_PERNET_OPS_ID ] , & old_ng - > ptr [ MIN_PERNET_OPS_ID ] ,
( old_ng - > s . len - MIN_PERNET_OPS_ID ) * sizeof ( void * ) ) ;
ng - > ptr [ id ] = data ;
2010-04-23 05:40:47 +04:00
rcu_assign_pointer ( net - > gen , ng ) ;
2016-12-02 04:12:58 +03:00
kfree_rcu ( old_ng , s . rcu ) ;
2010-04-23 05:40:47 +04:00
return 0 ;
}
2009-11-30 01:25:28 +03:00
static int ops_init ( const struct pernet_operations * ops , struct net * net )
{
2012-04-16 08:43:15 +04:00
int err = - ENOMEM ;
void * data = NULL ;
2009-11-30 01:25:28 +03:00
if ( ops - > id & & ops - > size ) {
2012-04-16 08:43:15 +04:00
data = kzalloc ( ops - > size , GFP_KERNEL ) ;
2009-11-30 01:25:28 +03:00
if ( ! data )
2012-04-16 08:43:15 +04:00
goto out ;
2009-11-30 01:25:28 +03:00
err = net_assign_generic ( net , * ops - > id , data ) ;
2012-04-16 08:43:15 +04:00
if ( err )
goto cleanup ;
2009-11-30 01:25:28 +03:00
}
2012-04-16 08:43:15 +04:00
err = 0 ;
2009-11-30 01:25:28 +03:00
if ( ops - > init )
2012-04-16 08:43:15 +04:00
err = ops - > init ( net ) ;
if ( ! err )
return 0 ;
cleanup :
kfree ( data ) ;
out :
return err ;
2009-11-30 01:25:28 +03:00
}
static void ops_free ( const struct pernet_operations * ops , struct net * net )
{
if ( ops - > id & & ops - > size ) {
netns: make struct pernet_operations::id unsigned int
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.
2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data.
"int" being used as an array index needs to be sign-extended
to 64-bit before being used.
void f(long *p, int i)
{
g(p[i]);
}
roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call g
MOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.
Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:
static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}
And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]
However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-17 04:58:21 +03:00
kfree ( net_generic ( net , * ops - > id ) ) ;
2009-11-30 01:25:28 +03:00
}
}
2009-12-03 05:29:03 +03:00
static void ops_exit_list ( const struct pernet_operations * ops ,
struct list_head * net_exit_list )
{
struct net * net ;
if ( ops - > exit ) {
list_for_each_entry ( net , net_exit_list , exit_list )
ops - > exit ( net ) ;
}
if ( ops - > exit_batch )
ops - > exit_batch ( net_exit_list ) ;
}
static void ops_free_list ( const struct pernet_operations * ops ,
struct list_head * net_exit_list )
{
struct net * net ;
if ( ops - > size & & ops - > id ) {
list_for_each_entry ( net , net_exit_list , exit_list )
ops_free ( ops , net ) ;
}
}
2015-05-07 12:02:51 +03:00
/* should be called with nsid_lock held */
2015-01-15 17:11:15 +03:00
static int alloc_netid ( struct net * net , struct net * peer , int reqid )
{
2015-05-07 12:02:50 +03:00
int min = 0 , max = 0 ;
2015-01-15 17:11:15 +03:00
if ( reqid > = 0 ) {
min = reqid ;
max = reqid + 1 ;
}
2015-05-07 12:02:51 +03:00
return idr_alloc ( & net - > netns_ids , peer , min , max , GFP_ATOMIC ) ;
2015-01-15 17:11:15 +03:00
}
/* This function is used by idr_for_each(). If net is equal to peer, the
* function returns the id so that idr_for_each ( ) stops . Because we cannot
* returns the id 0 ( idr_for_each ( ) will not stop ) , we return the magic value
* NET_ID_ZERO ( - 1 ) for it .
*/
# define NET_ID_ZERO -1
static int net_eq_idr ( int id , void * net , void * peer )
{
if ( net_eq ( net , peer ) )
return id ? : NET_ID_ZERO ;
return 0 ;
}
2015-05-07 12:02:51 +03:00
/* Should be called with nsid_lock held. If a new id is assigned, the bool alloc
* is set to true , thus the caller knows that the new id must be notified via
* rtnl .
*/
2015-05-07 12:02:50 +03:00
static int __peernet2id_alloc ( struct net * net , struct net * peer , bool * alloc )
2015-01-15 17:11:15 +03:00
{
int id = idr_for_each ( & net - > netns_ids , net_eq_idr , peer ) ;
2015-05-07 12:02:50 +03:00
bool alloc_it = * alloc ;
2015-01-15 17:11:15 +03:00
2015-05-07 12:02:50 +03:00
* alloc = false ;
2015-01-15 17:11:15 +03:00
/* Magic value for id 0. */
if ( id = = NET_ID_ZERO )
return 0 ;
if ( id > 0 )
return id ;
2015-05-07 12:02:50 +03:00
if ( alloc_it ) {
2015-05-07 12:02:47 +03:00
id = alloc_netid ( net , peer , - 1 ) ;
2015-05-07 12:02:50 +03:00
* alloc = true ;
2015-05-07 12:02:47 +03:00
return id > = 0 ? id : NETNSA_NSID_NOT_ASSIGNED ;
}
2015-01-15 17:11:15 +03:00
2015-05-07 12:02:47 +03:00
return NETNSA_NSID_NOT_ASSIGNED ;
2015-01-15 17:11:15 +03:00
}
2015-05-07 12:02:51 +03:00
/* should be called with nsid_lock held */
2015-05-07 12:02:50 +03:00
static int __peernet2id ( struct net * net , struct net * peer )
{
bool no = false ;
return __peernet2id_alloc ( net , peer , & no ) ;
}
static void rtnl_net_notifyid ( struct net * net , int cmd , int id ) ;
2015-01-15 17:11:15 +03:00
/* This function returns the id of a peer netns. If no id is assigned, one will
* be allocated and returned .
*/
2015-05-07 12:02:49 +03:00
int peernet2id_alloc ( struct net * net , struct net * peer )
2015-01-15 17:11:15 +03:00
{
2018-01-16 12:31:41 +03:00
bool alloc = false , alive = false ;
2015-05-07 12:02:50 +03:00
int id ;
2015-01-15 17:11:15 +03:00
2018-01-12 18:28:31 +03:00
if ( refcount_read ( & net - > count ) = = 0 )
2016-11-16 21:27:02 +03:00
return NETNSA_NSID_NOT_ASSIGNED ;
2016-11-30 00:57:48 +03:00
spin_lock_bh ( & net - > nsid_lock ) ;
2018-01-16 12:31:41 +03:00
/*
* When peer is obtained from RCU lists , we may race with
* its cleanup . Check whether it ' s alive , and this guarantees
* we never hash a peer back to net - > netns_ids , after it has
* just been idr_remove ( ) ' d from there in cleanup_net ( ) .
*/
if ( maybe_get_net ( peer ) )
alive = alloc = true ;
2015-05-07 12:02:50 +03:00
id = __peernet2id_alloc ( net , peer , & alloc ) ;
2016-11-30 00:57:48 +03:00
spin_unlock_bh ( & net - > nsid_lock ) ;
2015-05-07 12:02:50 +03:00
if ( alloc & & id > = 0 )
rtnl_net_notifyid ( net , RTM_NEWNSID , id ) ;
2018-01-16 12:31:41 +03:00
if ( alive )
put_net ( peer ) ;
2015-05-07 12:02:50 +03:00
return id ;
2015-01-15 17:11:15 +03:00
}
2017-11-02 22:04:36 +03:00
EXPORT_SYMBOL_GPL ( peernet2id_alloc ) ;
2015-01-15 17:11:15 +03:00
2015-05-07 12:02:51 +03:00
/* This function returns, if assigned, the id of a peer netns. */
2015-05-07 12:02:53 +03:00
int peernet2id ( struct net * net , struct net * peer )
2015-05-07 12:02:51 +03:00
{
int id ;
2016-11-30 00:57:48 +03:00
spin_lock_bh ( & net - > nsid_lock ) ;
2015-05-07 12:02:51 +03:00
id = __peernet2id ( net , peer ) ;
2016-11-30 00:57:48 +03:00
spin_unlock_bh ( & net - > nsid_lock ) ;
2015-05-07 12:02:51 +03:00
return id ;
}
2016-09-02 07:53:44 +03:00
EXPORT_SYMBOL ( peernet2id ) ;
2015-05-07 12:02:51 +03:00
2015-05-07 12:02:53 +03:00
/* This function returns true is the peer netns has an id assigned into the
* current netns .
*/
bool peernet_has_id ( struct net * net , struct net * peer )
{
return peernet2id ( net , peer ) > = 0 ;
}
2015-01-15 17:11:15 +03:00
struct net * get_net_ns_by_id ( struct net * net , int id )
{
struct net * peer ;
if ( id < 0 )
return NULL ;
rcu_read_lock ( ) ;
peer = idr_find ( & net - > netns_ids , id ) ;
if ( peer )
net: Fix double free and memory corruption in get_net_ns_by_id()
(I can trivially verify that that idr_remove in cleanup_net happens
after the network namespace count has dropped to zero --EWB)
Function get_net_ns_by_id() does not check for net::count
after it has found a peer in netns_ids idr.
It may dereference a peer, after its count has already been
finaly decremented. This leads to double free and memory
corruption:
put_net(peer) rtnl_lock()
atomic_dec_and_test(&peer->count) [count=0] ...
__put_net(peer) get_net_ns_by_id(net, id)
spin_lock(&cleanup_list_lock)
list_add(&net->cleanup_list, &cleanup_list)
spin_unlock(&cleanup_list_lock)
queue_work() peer = idr_find(&net->netns_ids, id)
| get_net(peer) [count=1]
| ...
| (use after final put)
v ...
cleanup_net() ...
spin_lock(&cleanup_list_lock) ...
list_replace_init(&cleanup_list, ..) ...
spin_unlock(&cleanup_list_lock) ...
... ...
... put_net(peer)
... atomic_dec_and_test(&peer->count) [count=0]
... spin_lock(&cleanup_list_lock)
... list_add(&net->cleanup_list, &cleanup_list)
... spin_unlock(&cleanup_list_lock)
... queue_work()
... rtnl_unlock()
rtnl_lock() ...
for_each_net(tmp) { ...
id = __peernet2id(tmp, peer) ...
spin_lock_irq(&tmp->nsid_lock) ...
idr_remove(&tmp->netns_ids, id) ...
... ...
net_drop_ns() ...
net_free(peer) ...
} ...
|
v
cleanup_net()
...
(Second free of peer)
Also, put_net() on the right cpu may reorder with left's cpu
list_replace_init(&cleanup_list, ..), and then cleanup_list
will be corrupted.
Since cleanup_net() is executed in worker thread, while
put_net(peer) can happen everywhere, there should be
enough time for concurrent get_net_ns_by_id() to pick
the peer up, and the race does not seem to be unlikely.
The patch fixes the problem in standard way.
(Also, there is possible problem in peernet2id_alloc(), which requires
check for net::count under nsid_lock and maybe_get_net(peer), but
in current stable kernel it's used under rtnl_lock() and it has to be
safe. Openswitch begun to use peernet2id_alloc(), and possibly it should
be fixed too. While this is not in stable kernel yet, so I'll send
a separate message to netdev@ later).
Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Fixes: 0c7aecd4bde4 "netns: add rtnl cmd to add and get peer netns ids"
Reviewed-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-19 20:27:56 +03:00
peer = maybe_get_net ( peer ) ;
2015-01-15 17:11:15 +03:00
rcu_read_unlock ( ) ;
return peer ;
}
2007-09-12 13:50:50 +04:00
/*
* setup_net runs the initializers for the network namespace object .
*/
2012-06-14 13:31:10 +04:00
static __net_init int setup_net ( struct net * net , struct user_namespace * user_ns )
2007-09-12 13:50:50 +04:00
{
/* Must be called with net_mutex held */
2009-11-30 01:25:28 +03:00
const struct pernet_operations * ops , * saved_ops ;
2009-02-22 11:07:53 +03:00
int error = 0 ;
2009-12-03 05:29:03 +03:00
LIST_HEAD ( net_exit_list ) ;
2007-09-12 13:50:50 +04:00
2018-01-12 18:28:31 +03:00
refcount_set ( & net - > count , 1 ) ;
2017-06-30 13:08:08 +03:00
refcount_set ( & net - > passive , 1 ) ;
2011-06-21 07:11:20 +04:00
net - > dev_base_seq = 1 ;
2012-06-14 13:31:10 +04:00
net - > user_ns = user_ns ;
2015-01-15 17:11:15 +03:00
idr_init ( & net - > netns_ids ) ;
2015-05-16 00:47:32 +03:00
spin_lock_init ( & net - > nsid_lock ) ;
2009-02-22 11:07:53 +03:00
2007-09-19 00:20:41 +04:00
list_for_each_entry ( ops , & pernet_list , list ) {
2009-11-30 01:25:28 +03:00
error = ops_init ( ops , net ) ;
if ( error < 0 )
goto out_undo ;
2007-09-12 13:50:50 +04:00
}
out :
return error ;
2007-09-19 00:20:41 +04:00
2007-09-12 13:50:50 +04:00
out_undo :
/* Walk through the list backwards calling the exit functions
* for the pernet modules whose init functions did not fail .
*/
2009-12-03 05:29:03 +03:00
list_add ( & net - > exit_list , & net_exit_list ) ;
2009-11-30 01:25:28 +03:00
saved_ops = ops ;
2009-12-03 05:29:03 +03:00
list_for_each_entry_continue_reverse ( ops , & pernet_list , list )
ops_exit_list ( ops , & net_exit_list ) ;
2009-11-30 01:25:28 +03:00
ops = saved_ops ;
list_for_each_entry_continue_reverse ( ops , & pernet_list , list )
2009-12-03 05:29:03 +03:00
ops_free_list ( ops , & net_exit_list ) ;
2007-10-31 01:38:57 +03:00
rcu_barrier ( ) ;
2007-09-12 13:50:50 +04:00
goto out ;
}
2017-05-24 11:22:22 +03:00
static int __net_init net_defaults_init_net ( struct net * net )
{
net - > core . sysctl_somaxconn = SOMAXCONN ;
return 0 ;
}
static struct pernet_operations net_defaults_ops = {
. init = net_defaults_init_net ,
} ;
static __init int net_defaults_init ( void )
{
if ( register_pernet_subsys ( & net_defaults_ops ) )
panic ( " Cannot initialize net default settings " ) ;
return 0 ;
}
core_initcall ( net_defaults_init ) ;
2007-11-01 10:44:50 +03:00
2009-02-24 02:37:35 +03:00
# ifdef CONFIG_NET_NS
2016-09-23 19:06:12 +03:00
static struct ucounts * inc_net_namespaces ( struct user_namespace * ns )
{
return inc_ucount ( ns , current_euid ( ) , UCOUNT_NET_NAMESPACES ) ;
}
static void dec_net_namespaces ( struct ucounts * ucounts )
{
dec_ucount ( ucounts , UCOUNT_NET_NAMESPACES ) ;
}
2009-02-24 02:37:35 +03:00
static struct kmem_cache * net_cachep ;
static struct workqueue_struct * netns_wq ;
2009-02-22 11:07:53 +03:00
static struct net * net_alloc ( void )
2007-11-07 12:30:30 +03:00
{
2009-02-22 11:07:53 +03:00
struct net * net = NULL ;
struct net_generic * ng ;
ng = net_alloc_generic ( ) ;
if ( ! ng )
goto out ;
net = kmem_cache_zalloc ( net_cachep , GFP_KERNEL ) ;
2007-11-07 12:30:30 +03:00
if ( ! net )
2009-02-22 11:07:53 +03:00
goto out_free ;
2007-11-07 12:30:30 +03:00
2009-02-22 11:07:53 +03:00
rcu_assign_pointer ( net - > gen , ng ) ;
out :
return net ;
out_free :
kfree ( ng ) ;
goto out ;
}
static void net_free ( struct net * net )
{
2014-09-09 19:24:53 +04:00
kfree ( rcu_access_pointer ( net - > gen ) ) ;
2007-11-07 12:30:30 +03:00
kmem_cache_free ( net_cachep , net ) ;
}
2011-06-09 05:13:01 +04:00
void net_drop_ns ( void * p )
{
struct net * ns = p ;
2017-06-30 13:08:08 +03:00
if ( ns & & refcount_dec_and_test ( & ns - > passive ) )
2011-06-09 05:13:01 +04:00
net_free ( ns ) ;
}
2012-06-14 13:31:10 +04:00
struct net * copy_net_ns ( unsigned long flags ,
struct user_namespace * user_ns , struct net * old_net )
2007-09-27 09:04:26 +04:00
{
2016-08-08 22:33:23 +03:00
struct ucounts * ucounts ;
2009-05-04 22:12:14 +04:00
struct net * net ;
int rv ;
2007-09-27 09:04:26 +04:00
2011-04-15 06:26:25 +04:00
if ( ! ( flags & CLONE_NEWNET ) )
return get_net ( old_net ) ;
2016-08-08 22:33:23 +03:00
ucounts = inc_net_namespaces ( user_ns ) ;
if ( ! ucounts )
2016-09-22 21:08:36 +03:00
return ERR_PTR ( - ENOSPC ) ;
2016-08-08 22:33:23 +03:00
2009-05-04 22:12:14 +04:00
net = net_alloc ( ) ;
2016-08-08 22:33:23 +03:00
if ( ! net ) {
dec_net_namespaces ( ucounts ) ;
2009-05-04 22:12:14 +04:00
return ERR_PTR ( - ENOMEM ) ;
2016-08-08 22:33:23 +03:00
}
2012-06-14 13:31:10 +04:00
get_user_ns ( user_ns ) ;
2016-10-21 05:45:43 +03:00
rv = mutex_lock_killable ( & net_mutex ) ;
if ( rv < 0 ) {
net_free ( net ) ;
dec_net_namespaces ( ucounts ) ;
put_user_ns ( user_ns ) ;
return ERR_PTR ( rv ) ;
}
2016-08-08 22:33:23 +03:00
net - > ucounts = ucounts ;
2012-06-14 13:31:10 +04:00
rv = setup_net ( net , user_ns ) ;
2009-05-04 22:12:14 +04:00
if ( rv = = 0 ) {
2009-02-22 11:07:53 +03:00
rtnl_lock ( ) ;
2009-07-10 13:51:33 +04:00
list_add_tail_rcu ( & net - > list , & net_namespace_list ) ;
2009-02-22 11:07:53 +03:00
rtnl_unlock ( ) ;
}
2007-09-27 09:04:26 +04:00
mutex_unlock ( & net_mutex ) ;
2009-05-04 22:12:14 +04:00
if ( rv < 0 ) {
2016-08-08 22:33:23 +03:00
dec_net_namespaces ( ucounts ) ;
2012-06-14 13:31:10 +04:00
put_user_ns ( user_ns ) ;
2011-06-09 05:13:01 +04:00
net_drop_ns ( net ) ;
2009-05-04 22:12:14 +04:00
return ERR_PTR ( rv ) ;
}
return net ;
}
2009-02-22 11:07:53 +03:00
net: Move net:netns_ids destruction out of rtnl_lock() and document locking scheme
Currently, we unhash a dying net from netns_ids lists
under rtnl_lock(). It's a leftover from the time when
net::netns_ids was introduced. There was no net::nsid_lock,
and rtnl_lock() was mostly need to order modification
of alive nets nsid idr, i.e. for:
for_each_net(tmp) {
...
id = __peernet2id(tmp, net);
idr_remove(&tmp->netns_ids, id);
...
}
Since we have net::nsid_lock, the modifications are
protected by this local lock, and now we may introduce
better scheme of netns_ids destruction.
Let's look at the functions peernet2id_alloc() and
get_net_ns_by_id(). Previous commits taught these
functions to work well with dying net acquired from
rtnl unlocked lists. And they are the only functions
which can hash a net to netns_ids or obtain from there.
And as easy to check, other netns_ids operating functions
works with id, not with net pointers. So, we do not
need rtnl_lock to synchronize cleanup_net() with all them.
The another property, which is used in the patch,
is that net is unhashed from net_namespace_list
in the only place and by the only process. So,
we avoid excess rcu_read_lock() or rtnl_lock(),
when we'are iterating over the list in unhash_nsid().
All the above makes possible to keep rtnl_lock() locked
only for net->list deletion, and completely avoid it
for netns_ids unhashing and destruction. As these two
doings may take long time (e.g., memory allocation
to send skb), the patch should positively act on
the scalability and signify decrease the time, which
rtnl_lock() is held in cleanup_net().
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-19 19:14:53 +03:00
static void unhash_nsid ( struct net * net , struct net * last )
{
struct net * tmp ;
/* This function is only called from cleanup_net() work,
* and this work is the only process , that may delete
* a net from net_namespace_list . So , when the below
* is executing , the list may only grow . Thus , we do not
* use for_each_net_rcu ( ) or rtnl_lock ( ) .
*/
for_each_net ( tmp ) {
int id ;
spin_lock_bh ( & tmp - > nsid_lock ) ;
id = __peernet2id ( tmp , net ) ;
if ( id > = 0 )
idr_remove ( & tmp - > netns_ids , id ) ;
spin_unlock_bh ( & tmp - > nsid_lock ) ;
if ( id > = 0 )
rtnl_net_notifyid ( tmp , RTM_DELNSID , id ) ;
if ( tmp = = last )
break ;
}
spin_lock_bh ( & net - > nsid_lock ) ;
idr_destroy ( & net - > netns_ids ) ;
spin_unlock_bh ( & net - > nsid_lock ) ;
}
2009-11-30 01:25:27 +03:00
static DEFINE_SPINLOCK ( cleanup_list_lock ) ;
static LIST_HEAD ( cleanup_list ) ; /* Must hold cleanup_list_lock to touch */
2007-11-01 10:44:50 +03:00
static void cleanup_net ( struct work_struct * work )
{
2009-11-30 01:25:28 +03:00
const struct pernet_operations * ops ;
net: Move net:netns_ids destruction out of rtnl_lock() and document locking scheme
Currently, we unhash a dying net from netns_ids lists
under rtnl_lock(). It's a leftover from the time when
net::netns_ids was introduced. There was no net::nsid_lock,
and rtnl_lock() was mostly need to order modification
of alive nets nsid idr, i.e. for:
for_each_net(tmp) {
...
id = __peernet2id(tmp, net);
idr_remove(&tmp->netns_ids, id);
...
}
Since we have net::nsid_lock, the modifications are
protected by this local lock, and now we may introduce
better scheme of netns_ids destruction.
Let's look at the functions peernet2id_alloc() and
get_net_ns_by_id(). Previous commits taught these
functions to work well with dying net acquired from
rtnl unlocked lists. And they are the only functions
which can hash a net to netns_ids or obtain from there.
And as easy to check, other netns_ids operating functions
works with id, not with net pointers. So, we do not
need rtnl_lock to synchronize cleanup_net() with all them.
The another property, which is used in the patch,
is that net is unhashed from net_namespace_list
in the only place and by the only process. So,
we avoid excess rcu_read_lock() or rtnl_lock(),
when we'are iterating over the list in unhash_nsid().
All the above makes possible to keep rtnl_lock() locked
only for net->list deletion, and completely avoid it
for netns_ids unhashing and destruction. As these two
doings may take long time (e.g., memory allocation
to send skb), the patch should positively act on
the scalability and signify decrease the time, which
rtnl_lock() is held in cleanup_net().
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-19 19:14:53 +03:00
struct net * net , * tmp , * last ;
2014-04-25 04:50:54 +04:00
struct list_head net_kill_list ;
2009-12-03 05:29:03 +03:00
LIST_HEAD ( net_exit_list ) ;
2007-11-01 10:44:50 +03:00
2009-11-30 01:25:27 +03:00
/* Atomically snapshot the list of namespaces to cleanup */
spin_lock_irq ( & cleanup_list_lock ) ;
list_replace_init ( & cleanup_list , & net_kill_list ) ;
spin_unlock_irq ( & cleanup_list_lock ) ;
2007-11-01 10:44:50 +03:00
mutex_lock ( & net_mutex ) ;
/* Don't let anyone else find us. */
rtnl_lock ( ) ;
net: Move net:netns_ids destruction out of rtnl_lock() and document locking scheme
Currently, we unhash a dying net from netns_ids lists
under rtnl_lock(). It's a leftover from the time when
net::netns_ids was introduced. There was no net::nsid_lock,
and rtnl_lock() was mostly need to order modification
of alive nets nsid idr, i.e. for:
for_each_net(tmp) {
...
id = __peernet2id(tmp, net);
idr_remove(&tmp->netns_ids, id);
...
}
Since we have net::nsid_lock, the modifications are
protected by this local lock, and now we may introduce
better scheme of netns_ids destruction.
Let's look at the functions peernet2id_alloc() and
get_net_ns_by_id(). Previous commits taught these
functions to work well with dying net acquired from
rtnl unlocked lists. And they are the only functions
which can hash a net to netns_ids or obtain from there.
And as easy to check, other netns_ids operating functions
works with id, not with net pointers. So, we do not
need rtnl_lock to synchronize cleanup_net() with all them.
The another property, which is used in the patch,
is that net is unhashed from net_namespace_list
in the only place and by the only process. So,
we avoid excess rcu_read_lock() or rtnl_lock(),
when we'are iterating over the list in unhash_nsid().
All the above makes possible to keep rtnl_lock() locked
only for net->list deletion, and completely avoid it
for netns_ids unhashing and destruction. As these two
doings may take long time (e.g., memory allocation
to send skb), the patch should positively act on
the scalability and signify decrease the time, which
rtnl_lock() is held in cleanup_net().
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-19 19:14:53 +03:00
list_for_each_entry ( net , & net_kill_list , cleanup_list )
2009-11-30 01:25:27 +03:00
list_del_rcu ( & net - > list ) ;
net: Move net:netns_ids destruction out of rtnl_lock() and document locking scheme
Currently, we unhash a dying net from netns_ids lists
under rtnl_lock(). It's a leftover from the time when
net::netns_ids was introduced. There was no net::nsid_lock,
and rtnl_lock() was mostly need to order modification
of alive nets nsid idr, i.e. for:
for_each_net(tmp) {
...
id = __peernet2id(tmp, net);
idr_remove(&tmp->netns_ids, id);
...
}
Since we have net::nsid_lock, the modifications are
protected by this local lock, and now we may introduce
better scheme of netns_ids destruction.
Let's look at the functions peernet2id_alloc() and
get_net_ns_by_id(). Previous commits taught these
functions to work well with dying net acquired from
rtnl unlocked lists. And they are the only functions
which can hash a net to netns_ids or obtain from there.
And as easy to check, other netns_ids operating functions
works with id, not with net pointers. So, we do not
need rtnl_lock to synchronize cleanup_net() with all them.
The another property, which is used in the patch,
is that net is unhashed from net_namespace_list
in the only place and by the only process. So,
we avoid excess rcu_read_lock() or rtnl_lock(),
when we'are iterating over the list in unhash_nsid().
All the above makes possible to keep rtnl_lock() locked
only for net->list deletion, and completely avoid it
for netns_ids unhashing and destruction. As these two
doings may take long time (e.g., memory allocation
to send skb), the patch should positively act on
the scalability and signify decrease the time, which
rtnl_lock() is held in cleanup_net().
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-19 19:14:53 +03:00
/* Cache last net. After we unlock rtnl, no one new net
* added to net_namespace_list can assign nsid pointer
* to a net from net_kill_list ( see peernet2id_alloc ( ) ) .
* So , we skip them in unhash_nsid ( ) .
*
* Note , that unhash_nsid ( ) does not delete nsid links
* between net_kill_list ' s nets , as they ' ve already
* deleted from net_namespace_list . But , this would be
* useless anyway , as netns_ids are destroyed there .
*/
last = list_last_entry ( & net_namespace_list , struct net , list ) ;
rtnl_unlock ( ) ;
2015-04-03 13:02:36 +03:00
net: Move net:netns_ids destruction out of rtnl_lock() and document locking scheme
Currently, we unhash a dying net from netns_ids lists
under rtnl_lock(). It's a leftover from the time when
net::netns_ids was introduced. There was no net::nsid_lock,
and rtnl_lock() was mostly need to order modification
of alive nets nsid idr, i.e. for:
for_each_net(tmp) {
...
id = __peernet2id(tmp, net);
idr_remove(&tmp->netns_ids, id);
...
}
Since we have net::nsid_lock, the modifications are
protected by this local lock, and now we may introduce
better scheme of netns_ids destruction.
Let's look at the functions peernet2id_alloc() and
get_net_ns_by_id(). Previous commits taught these
functions to work well with dying net acquired from
rtnl unlocked lists. And they are the only functions
which can hash a net to netns_ids or obtain from there.
And as easy to check, other netns_ids operating functions
works with id, not with net pointers. So, we do not
need rtnl_lock to synchronize cleanup_net() with all them.
The another property, which is used in the patch,
is that net is unhashed from net_namespace_list
in the only place and by the only process. So,
we avoid excess rcu_read_lock() or rtnl_lock(),
when we'are iterating over the list in unhash_nsid().
All the above makes possible to keep rtnl_lock() locked
only for net->list deletion, and completely avoid it
for netns_ids unhashing and destruction. As these two
doings may take long time (e.g., memory allocation
to send skb), the patch should positively act on
the scalability and signify decrease the time, which
rtnl_lock() is held in cleanup_net().
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-19 19:14:53 +03:00
list_for_each_entry ( net , & net_kill_list , cleanup_list ) {
unhash_nsid ( net , last ) ;
list_add_tail ( & net - > exit_list , & net_exit_list ) ;
2009-12-03 05:29:03 +03:00
}
2007-11-01 10:44:50 +03:00
2009-07-10 13:51:33 +04:00
/*
* Another CPU might be rcu - iterating the list , wait for it .
* This needs to be before calling the exit ( ) notifiers , so
* the rcu_barrier ( ) below isn ' t sufficient alone .
*/
synchronize_rcu ( ) ;
2007-11-01 10:44:50 +03:00
/* Run all of the network namespace exit methods */
2009-12-03 05:29:03 +03:00
list_for_each_entry_reverse ( ops , & pernet_list , list )
ops_exit_list ( ops , & net_exit_list ) ;
2009-11-30 01:25:28 +03:00
/* Free the net generic variables */
2009-12-03 05:29:03 +03:00
list_for_each_entry_reverse ( ops , & pernet_list , list )
ops_free_list ( ops , & net_exit_list ) ;
2007-11-01 10:44:50 +03:00
mutex_unlock ( & net_mutex ) ;
/* Ensure there are no outstanding rcu callbacks using this
* network namespace .
*/
rcu_barrier ( ) ;
/* Finally it is safe to free my network namespace structure */
2009-12-03 05:29:03 +03:00
list_for_each_entry_safe ( net , tmp , & net_exit_list , exit_list ) {
list_del_init ( & net - > exit_list ) ;
2016-08-08 22:33:23 +03:00
dec_net_namespaces ( net - > ucounts ) ;
2012-06-14 13:31:10 +04:00
put_user_ns ( net - > user_ns ) ;
2011-06-09 05:13:01 +04:00
net_drop_ns ( net ) ;
2009-11-30 01:25:27 +03:00
}
2007-11-01 10:44:50 +03:00
}
2017-05-30 12:38:12 +03:00
/**
* net_ns_barrier - wait until concurrent net_cleanup_work is done
*
* cleanup_net runs from work queue and will first remove namespaces
* from the global list , then run net exit functions .
*
* Call this in module exit path to make sure that all netns
* - > exit ops have been invoked before the function is removed .
*/
void net_ns_barrier ( void )
{
mutex_lock ( & net_mutex ) ;
mutex_unlock ( & net_mutex ) ;
}
EXPORT_SYMBOL ( net_ns_barrier ) ;
2009-11-30 01:25:27 +03:00
static DECLARE_WORK ( net_cleanup_work , cleanup_net ) ;
2007-11-01 10:44:50 +03:00
void __put_net ( struct net * net )
{
/* Cleanup the network namespace in process context */
2009-11-30 01:25:27 +03:00
unsigned long flags ;
spin_lock_irqsave ( & cleanup_list_lock , flags ) ;
list_add ( & net - > cleanup_list , & cleanup_list ) ;
spin_unlock_irqrestore ( & cleanup_list_lock , flags ) ;
queue_work ( netns_wq , & net_cleanup_work ) ;
2007-11-01 10:44:50 +03:00
}
EXPORT_SYMBOL_GPL ( __put_net ) ;
2011-05-12 07:51:13 +04:00
struct net * get_net_ns_by_fd ( int fd )
{
struct file * file ;
2014-11-01 09:32:53 +03:00
struct ns_common * ns ;
2011-05-12 07:51:13 +04:00
struct net * net ;
file = proc_ns_fget ( fd ) ;
2011-06-05 04:37:35 +04:00
if ( IS_ERR ( file ) )
return ERR_CAST ( file ) ;
2011-05-12 07:51:13 +04:00
2014-11-01 10:13:17 +03:00
ns = get_proc_ns ( file_inode ( file ) ) ;
2014-11-01 09:32:53 +03:00
if ( ns - > ops = = & netns_operations )
net = get_net ( container_of ( ns , struct net , ns ) ) ;
2011-06-05 04:37:35 +04:00
else
net = ERR_PTR ( - EINVAL ) ;
2011-05-12 07:51:13 +04:00
2011-06-05 04:37:35 +04:00
fput ( file ) ;
2011-05-12 07:51:13 +04:00
return net ;
}
2007-11-01 10:44:50 +03:00
# else
2011-05-12 07:51:13 +04:00
struct net * get_net_ns_by_fd ( int fd )
{
return ERR_PTR ( - EINVAL ) ;
}
2007-11-01 10:44:50 +03:00
# endif
2015-01-12 17:34:05 +03:00
EXPORT_SYMBOL_GPL ( get_net_ns_by_fd ) ;
2007-11-01 10:44:50 +03:00
2009-07-10 13:51:35 +04:00
struct net * get_net_ns_by_pid ( pid_t pid )
{
struct task_struct * tsk ;
struct net * net ;
/* Lookup the network namespace */
net = ERR_PTR ( - ESRCH ) ;
rcu_read_lock ( ) ;
tsk = find_task_by_vpid ( pid ) ;
if ( tsk ) {
struct nsproxy * nsproxy ;
2014-02-04 07:13:49 +04:00
task_lock ( tsk ) ;
nsproxy = tsk - > nsproxy ;
2009-07-10 13:51:35 +04:00
if ( nsproxy )
net = get_net ( nsproxy - > net_ns ) ;
2014-02-04 07:13:49 +04:00
task_unlock ( tsk ) ;
2009-07-10 13:51:35 +04:00
}
rcu_read_unlock ( ) ;
return net ;
}
EXPORT_SYMBOL_GPL ( get_net_ns_by_pid ) ;
2011-06-15 21:21:48 +04:00
static __net_init int net_ns_net_init ( struct net * net )
{
2014-11-01 09:32:53 +03:00
# ifdef CONFIG_NET_NS
net - > ns . ops = & netns_operations ;
# endif
2014-11-01 07:45:45 +03:00
return ns_alloc_inum ( & net - > ns ) ;
2011-06-15 21:21:48 +04:00
}
static __net_exit void net_ns_net_exit ( struct net * net )
{
2014-11-01 07:45:45 +03:00
ns_free_inum ( & net - > ns ) ;
2011-06-15 21:21:48 +04:00
}
static struct pernet_operations __net_initdata net_ns_ops = {
. init = net_ns_net_init ,
. exit = net_ns_net_exit ,
} ;
2016-09-01 01:17:49 +03:00
static const struct nla_policy rtnl_net_policy [ NETNSA_MAX + 1 ] = {
2015-01-15 17:11:15 +03:00
[ NETNSA_NONE ] = { . type = NLA_UNSPEC } ,
[ NETNSA_NSID ] = { . type = NLA_S32 } ,
[ NETNSA_PID ] = { . type = NLA_U32 } ,
[ NETNSA_FD ] = { . type = NLA_U32 } ,
} ;
2017-04-16 19:48:24 +03:00
static int rtnl_net_newid ( struct sk_buff * skb , struct nlmsghdr * nlh ,
struct netlink_ext_ack * extack )
2015-01-15 17:11:15 +03:00
{
struct net * net = sock_net ( skb - > sk ) ;
struct nlattr * tb [ NETNSA_MAX + 1 ] ;
2017-06-09 15:41:56 +03:00
struct nlattr * nla ;
2015-01-15 17:11:15 +03:00
struct net * peer ;
int nsid , err ;
err = nlmsg_parse ( nlh , sizeof ( struct rtgenmsg ) , tb , NETNSA_MAX ,
2017-04-16 19:48:24 +03:00
rtnl_net_policy , extack ) ;
2015-01-15 17:11:15 +03:00
if ( err < 0 )
return err ;
2017-06-09 15:41:56 +03:00
if ( ! tb [ NETNSA_NSID ] ) {
NL_SET_ERR_MSG ( extack , " nsid is missing " ) ;
2015-01-15 17:11:15 +03:00
return - EINVAL ;
2017-06-09 15:41:56 +03:00
}
2015-01-15 17:11:15 +03:00
nsid = nla_get_s32 ( tb [ NETNSA_NSID ] ) ;
2017-06-09 15:41:56 +03:00
if ( tb [ NETNSA_PID ] ) {
2015-01-15 17:11:15 +03:00
peer = get_net_ns_by_pid ( nla_get_u32 ( tb [ NETNSA_PID ] ) ) ;
2017-06-09 15:41:56 +03:00
nla = tb [ NETNSA_PID ] ;
} else if ( tb [ NETNSA_FD ] ) {
2015-01-15 17:11:15 +03:00
peer = get_net_ns_by_fd ( nla_get_u32 ( tb [ NETNSA_FD ] ) ) ;
2017-06-09 15:41:56 +03:00
nla = tb [ NETNSA_FD ] ;
} else {
NL_SET_ERR_MSG ( extack , " Peer netns reference is missing " ) ;
2015-01-15 17:11:15 +03:00
return - EINVAL ;
2017-06-09 15:41:56 +03:00
}
if ( IS_ERR ( peer ) ) {
NL_SET_BAD_ATTR ( extack , nla ) ;
NL_SET_ERR_MSG ( extack , " Peer netns reference is invalid " ) ;
2015-01-15 17:11:15 +03:00
return PTR_ERR ( peer ) ;
2017-06-09 15:41:56 +03:00
}
2015-01-15 17:11:15 +03:00
2016-11-30 00:57:48 +03:00
spin_lock_bh ( & net - > nsid_lock ) ;
2015-05-07 12:02:50 +03:00
if ( __peernet2id ( net , peer ) > = 0 ) {
2016-11-30 00:57:48 +03:00
spin_unlock_bh ( & net - > nsid_lock ) ;
2015-01-15 17:11:15 +03:00
err = - EEXIST ;
2017-06-09 15:41:56 +03:00
NL_SET_BAD_ATTR ( extack , nla ) ;
NL_SET_ERR_MSG ( extack ,
" Peer netns already has a nsid assigned " ) ;
2015-01-15 17:11:15 +03:00
goto out ;
}
err = alloc_netid ( net , peer , nsid ) ;
2016-11-30 00:57:48 +03:00
spin_unlock_bh ( & net - > nsid_lock ) ;
2015-05-07 12:02:50 +03:00
if ( err > = 0 ) {
rtnl_net_notifyid ( net , RTM_NEWNSID , err ) ;
2015-01-15 17:11:15 +03:00
err = 0 ;
2017-06-09 15:41:56 +03:00
} else if ( err = = - ENOSPC & & nsid > = 0 ) {
2017-06-09 15:41:57 +03:00
err = - EEXIST ;
2017-06-09 15:41:56 +03:00
NL_SET_BAD_ATTR ( extack , tb [ NETNSA_NSID ] ) ;
NL_SET_ERR_MSG ( extack , " The specified nsid is already used " ) ;
2015-05-07 12:02:50 +03:00
}
2015-01-15 17:11:15 +03:00
out :
put_net ( peer ) ;
return err ;
}
static int rtnl_net_get_size ( void )
{
return NLMSG_ALIGN ( sizeof ( struct rtgenmsg ) )
+ nla_total_size ( sizeof ( s32 ) ) /* NETNSA_NSID */
;
}
static int rtnl_net_fill ( struct sk_buff * skb , u32 portid , u32 seq , int flags ,
2015-05-07 12:02:48 +03:00
int cmd , struct net * net , int nsid )
2015-01-15 17:11:15 +03:00
{
struct nlmsghdr * nlh ;
struct rtgenmsg * rth ;
nlh = nlmsg_put ( skb , portid , seq , cmd , sizeof ( * rth ) , flags ) ;
if ( ! nlh )
return - EMSGSIZE ;
rth = nlmsg_data ( nlh ) ;
rth - > rtgen_family = AF_UNSPEC ;
2015-05-07 12:02:48 +03:00
if ( nla_put_s32 ( skb , NETNSA_NSID , nsid ) )
2015-01-15 17:11:15 +03:00
goto nla_put_failure ;
nlmsg_end ( skb , nlh ) ;
return 0 ;
nla_put_failure :
nlmsg_cancel ( skb , nlh ) ;
return - EMSGSIZE ;
}
2017-04-16 19:48:24 +03:00
static int rtnl_net_getid ( struct sk_buff * skb , struct nlmsghdr * nlh ,
struct netlink_ext_ack * extack )
2015-01-15 17:11:15 +03:00
{
struct net * net = sock_net ( skb - > sk ) ;
struct nlattr * tb [ NETNSA_MAX + 1 ] ;
2017-06-09 15:41:56 +03:00
struct nlattr * nla ;
2015-01-15 17:11:15 +03:00
struct sk_buff * msg ;
struct net * peer ;
2015-05-07 12:02:48 +03:00
int err , id ;
2015-01-15 17:11:15 +03:00
err = nlmsg_parse ( nlh , sizeof ( struct rtgenmsg ) , tb , NETNSA_MAX ,
2017-04-16 19:48:24 +03:00
rtnl_net_policy , extack ) ;
2015-01-15 17:11:15 +03:00
if ( err < 0 )
return err ;
2017-06-09 15:41:56 +03:00
if ( tb [ NETNSA_PID ] ) {
2015-01-15 17:11:15 +03:00
peer = get_net_ns_by_pid ( nla_get_u32 ( tb [ NETNSA_PID ] ) ) ;
2017-06-09 15:41:56 +03:00
nla = tb [ NETNSA_PID ] ;
} else if ( tb [ NETNSA_FD ] ) {
2015-01-15 17:11:15 +03:00
peer = get_net_ns_by_fd ( nla_get_u32 ( tb [ NETNSA_FD ] ) ) ;
2017-06-09 15:41:56 +03:00
nla = tb [ NETNSA_FD ] ;
} else {
NL_SET_ERR_MSG ( extack , " Peer netns reference is missing " ) ;
2015-01-15 17:11:15 +03:00
return - EINVAL ;
2017-06-09 15:41:56 +03:00
}
2015-01-15 17:11:15 +03:00
2017-06-09 15:41:56 +03:00
if ( IS_ERR ( peer ) ) {
NL_SET_BAD_ATTR ( extack , nla ) ;
NL_SET_ERR_MSG ( extack , " Peer netns reference is invalid " ) ;
2015-01-15 17:11:15 +03:00
return PTR_ERR ( peer ) ;
2017-06-09 15:41:56 +03:00
}
2015-01-15 17:11:15 +03:00
msg = nlmsg_new ( rtnl_net_get_size ( ) , GFP_KERNEL ) ;
if ( ! msg ) {
err = - ENOMEM ;
goto out ;
}
2015-05-07 12:02:51 +03:00
id = peernet2id ( net , peer ) ;
2015-01-15 17:11:15 +03:00
err = rtnl_net_fill ( msg , NETLINK_CB ( skb ) . portid , nlh - > nlmsg_seq , 0 ,
2015-05-13 21:31:43 +03:00
RTM_NEWNSID , net , id ) ;
2015-01-15 17:11:15 +03:00
if ( err < 0 )
goto err_out ;
err = rtnl_unicast ( msg , net , NETLINK_CB ( skb ) . portid ) ;
goto out ;
err_out :
nlmsg_free ( msg ) ;
out :
put_net ( peer ) ;
return err ;
}
2015-04-07 12:51:54 +03:00
struct rtnl_net_dump_cb {
struct net * net ;
struct sk_buff * skb ;
struct netlink_callback * cb ;
int idx ;
int s_idx ;
} ;
static int rtnl_net_dumpid_one ( int id , void * peer , void * data )
{
struct rtnl_net_dump_cb * net_cb = ( struct rtnl_net_dump_cb * ) data ;
int ret ;
if ( net_cb - > idx < net_cb - > s_idx )
goto cont ;
ret = rtnl_net_fill ( net_cb - > skb , NETLINK_CB ( net_cb - > cb - > skb ) . portid ,
net_cb - > cb - > nlh - > nlmsg_seq , NLM_F_MULTI ,
2015-05-07 12:02:48 +03:00
RTM_NEWNSID , net_cb - > net , id ) ;
2015-04-07 12:51:54 +03:00
if ( ret < 0 )
return ret ;
cont :
net_cb - > idx + + ;
return 0 ;
}
static int rtnl_net_dumpid ( struct sk_buff * skb , struct netlink_callback * cb )
{
struct net * net = sock_net ( skb - > sk ) ;
struct rtnl_net_dump_cb net_cb = {
. net = net ,
. skb = skb ,
. cb = cb ,
. idx = 0 ,
. s_idx = cb - > args [ 0 ] ,
} ;
2016-11-30 00:57:48 +03:00
spin_lock_bh ( & net - > nsid_lock ) ;
2015-04-07 12:51:54 +03:00
idr_for_each ( & net - > netns_ids , rtnl_net_dumpid_one , & net_cb ) ;
2016-11-30 00:57:48 +03:00
spin_unlock_bh ( & net - > nsid_lock ) ;
2015-04-07 12:51:54 +03:00
cb - > args [ 0 ] = net_cb . idx ;
return skb - > len ;
}
2015-05-07 12:02:48 +03:00
static void rtnl_net_notifyid ( struct net * net , int cmd , int id )
2015-04-07 12:51:53 +03:00
{
struct sk_buff * msg ;
int err = - ENOMEM ;
msg = nlmsg_new ( rtnl_net_get_size ( ) , GFP_KERNEL ) ;
if ( ! msg )
goto out ;
2015-05-07 12:02:48 +03:00
err = rtnl_net_fill ( msg , 0 , 0 , 0 , cmd , net , id ) ;
2015-04-07 12:51:53 +03:00
if ( err < 0 )
goto err_out ;
rtnl_notify ( msg , net , 0 , RTNLGRP_NSID , NULL , 0 ) ;
return ;
err_out :
nlmsg_free ( msg ) ;
out :
rtnl_set_sk_err ( net , RTNLGRP_NSID , err ) ;
}
2007-09-12 13:50:50 +04:00
static int __init net_ns_init ( void )
{
2009-02-22 11:07:53 +03:00
struct net_generic * ng ;
2007-09-12 13:50:50 +04:00
2007-11-01 10:46:50 +03:00
# ifdef CONFIG_NET_NS
2007-09-12 13:50:50 +04:00
net_cachep = kmem_cache_create ( " net_namespace " , sizeof ( struct net ) ,
SMP_CACHE_BYTES ,
SLAB_PANIC , NULL ) ;
2007-11-20 10:18:16 +03:00
/* Create workqueue for cleanup */
netns_wq = create_singlethread_workqueue ( " netns " ) ;
if ( ! netns_wq )
panic ( " Could not create netns workq " ) ;
2007-11-01 10:46:50 +03:00
# endif
2007-11-20 10:18:16 +03:00
2009-02-22 11:07:53 +03:00
ng = net_alloc_generic ( ) ;
if ( ! ng )
panic ( " Could not allocate generic netns " ) ;
rcu_assign_pointer ( init_net . gen , ng ) ;
2007-09-12 13:50:50 +04:00
mutex_lock ( & net_mutex ) ;
2012-06-14 13:31:10 +04:00
if ( setup_net ( & init_net , & init_user_ns ) )
2009-05-22 02:10:31 +04:00
panic ( " Could not setup the initial network namespace " ) ;
2007-09-12 13:50:50 +04:00
2016-08-11 00:36:00 +03:00
init_net_initialized = true ;
2007-09-27 09:40:08 +04:00
rtnl_lock ( ) ;
2009-07-10 13:51:33 +04:00
list_add_tail_rcu ( & init_net . list , & net_namespace_list ) ;
2007-09-27 09:40:08 +04:00
rtnl_unlock ( ) ;
2007-09-12 13:50:50 +04:00
mutex_unlock ( & net_mutex ) ;
2011-06-15 21:21:48 +04:00
register_pernet_subsys ( & net_ns_ops ) ;
2017-08-09 21:41:53 +03:00
rtnl_register ( PF_UNSPEC , RTM_NEWNSID , rtnl_net_newid , NULL ,
RTNL_FLAG_DOIT_UNLOCKED ) ;
2015-04-07 12:51:54 +03:00
rtnl_register ( PF_UNSPEC , RTM_GETNSID , rtnl_net_getid , rtnl_net_dumpid ,
2017-08-09 21:41:53 +03:00
RTNL_FLAG_DOIT_UNLOCKED ) ;
2015-01-15 17:11:15 +03:00
2007-09-12 13:50:50 +04:00
return 0 ;
}
pure_initcall ( net_ns_init ) ;
2007-11-13 14:23:21 +03:00
# ifdef CONFIG_NET_NS
2009-11-30 01:25:28 +03:00
static int __register_pernet_operations ( struct list_head * list ,
struct pernet_operations * ops )
2007-09-12 13:50:50 +04:00
{
2009-12-03 05:29:03 +03:00
struct net * net ;
2007-09-12 13:50:50 +04:00
int error ;
2009-12-03 05:29:03 +03:00
LIST_HEAD ( net_exit_list ) ;
2007-09-12 13:50:50 +04:00
list_add_tail ( & ops - > list , list ) ;
2009-11-30 01:25:28 +03:00
if ( ops - > init | | ( ops - > id & & ops - > size ) ) {
2007-11-01 10:42:43 +03:00
for_each_net ( net ) {
2009-11-30 01:25:28 +03:00
error = ops_init ( ops , net ) ;
2007-09-12 13:50:50 +04:00
if ( error )
goto out_undo ;
2009-12-03 05:29:03 +03:00
list_add_tail ( & net - > exit_list , & net_exit_list ) ;
2007-09-12 13:50:50 +04:00
}
}
2007-11-01 10:42:43 +03:00
return 0 ;
2007-09-12 13:50:50 +04:00
out_undo :
/* If I have an error cleanup all namespaces I initialized */
list_del ( & ops - > list ) ;
2009-12-03 05:29:03 +03:00
ops_exit_list ( ops , & net_exit_list ) ;
ops_free_list ( ops , & net_exit_list ) ;
2007-11-01 10:42:43 +03:00
return error ;
2007-09-12 13:50:50 +04:00
}
2009-11-30 01:25:28 +03:00
static void __unregister_pernet_operations ( struct pernet_operations * ops )
2007-09-12 13:50:50 +04:00
{
struct net * net ;
2009-12-03 05:29:03 +03:00
LIST_HEAD ( net_exit_list ) ;
2007-09-12 13:50:50 +04:00
list_del ( & ops - > list ) ;
2009-12-03 05:29:03 +03:00
for_each_net ( net )
list_add_tail ( & net - > exit_list , & net_exit_list ) ;
ops_exit_list ( ops , & net_exit_list ) ;
ops_free_list ( ops , & net_exit_list ) ;
2007-09-12 13:50:50 +04:00
}
2007-11-13 14:23:21 +03:00
# else
2009-11-30 01:25:28 +03:00
static int __register_pernet_operations ( struct list_head * list ,
struct pernet_operations * ops )
2007-11-13 14:23:21 +03:00
{
2016-08-11 00:36:00 +03:00
if ( ! init_net_initialized ) {
list_add_tail ( & ops - > list , list ) ;
return 0 ;
}
2012-04-16 08:43:15 +04:00
return ops_init ( ops , & init_net ) ;
2007-11-13 14:23:21 +03:00
}
2009-11-30 01:25:28 +03:00
static void __unregister_pernet_operations ( struct pernet_operations * ops )
2007-11-13 14:23:21 +03:00
{
2016-08-11 00:36:00 +03:00
if ( ! init_net_initialized ) {
list_del ( & ops - > list ) ;
} else {
LIST_HEAD ( net_exit_list ) ;
list_add ( & init_net . exit_list , & net_exit_list ) ;
ops_exit_list ( ops , & net_exit_list ) ;
ops_free_list ( ops , & net_exit_list ) ;
}
2007-11-13 14:23:21 +03:00
}
2009-11-30 01:25:28 +03:00
# endif /* CONFIG_NET_NS */
2007-11-13 14:23:21 +03:00
2008-04-15 11:35:23 +04:00
static DEFINE_IDA ( net_generic_ids ) ;
2009-11-30 01:25:28 +03:00
static int register_pernet_operations ( struct list_head * list ,
struct pernet_operations * ops )
{
int error ;
if ( ops - > id ) {
again :
2016-12-02 04:21:32 +03:00
error = ida_get_new_above ( & net_generic_ids , MIN_PERNET_OPS_ID , ops - > id ) ;
2009-11-30 01:25:28 +03:00
if ( error < 0 ) {
if ( error = = - EAGAIN ) {
ida_pre_get ( & net_generic_ids , GFP_KERNEL ) ;
goto again ;
}
return error ;
}
2016-12-02 04:21:32 +03:00
max_gen_ptrs = max ( max_gen_ptrs , * ops - > id + 1 ) ;
2009-11-30 01:25:28 +03:00
}
error = __register_pernet_operations ( list , ops ) ;
2009-12-03 05:29:06 +03:00
if ( error ) {
rcu_barrier ( ) ;
if ( ops - > id )
ida_remove ( & net_generic_ids , * ops - > id ) ;
}
2009-11-30 01:25:28 +03:00
return error ;
}
static void unregister_pernet_operations ( struct pernet_operations * ops )
{
__unregister_pernet_operations ( ops ) ;
2009-12-03 05:29:06 +03:00
rcu_barrier ( ) ;
2009-11-30 01:25:28 +03:00
if ( ops - > id )
ida_remove ( & net_generic_ids , * ops - > id ) ;
}
2007-09-12 13:50:50 +04:00
/**
* register_pernet_subsys - register a network namespace subsystem
* @ ops : pernet operations structure for the subsystem
*
* Register a subsystem which has init and exit functions
* that are called when network namespaces are created and
* destroyed respectively .
*
* When registered all network namespace init functions are
* called for every existing network namespace . Allowing kernel
* modules to have a race free view of the set of network namespaces .
*
* When a new network namespace is created all of the init
* methods are called in the order in which they were registered .
*
* When a network namespace is destroyed all of the exit methods
* are called in the reverse of the order with which they were
* registered .
*/
int register_pernet_subsys ( struct pernet_operations * ops )
{
int error ;
mutex_lock ( & net_mutex ) ;
error = register_pernet_operations ( first_device , ops ) ;
mutex_unlock ( & net_mutex ) ;
return error ;
}
EXPORT_SYMBOL_GPL ( register_pernet_subsys ) ;
/**
* unregister_pernet_subsys - unregister a network namespace subsystem
* @ ops : pernet operations structure to manipulate
*
* Remove the pernet operations structure from the list to be
2008-02-03 18:56:48 +03:00
* used when network namespaces are created or destroyed . In
2007-09-12 13:50:50 +04:00
* addition run the exit method for all existing network
* namespaces .
*/
2010-04-25 11:49:56 +04:00
void unregister_pernet_subsys ( struct pernet_operations * ops )
2007-09-12 13:50:50 +04:00
{
mutex_lock ( & net_mutex ) ;
2010-04-25 11:49:56 +04:00
unregister_pernet_operations ( ops ) ;
2007-09-12 13:50:50 +04:00
mutex_unlock ( & net_mutex ) ;
}
EXPORT_SYMBOL_GPL ( unregister_pernet_subsys ) ;
/**
* register_pernet_device - register a network namespace device
* @ ops : pernet operations structure for the subsystem
*
* Register a device which has init and exit functions
* that are called when network namespaces are created and
* destroyed respectively .
*
* When registered all network namespace init functions are
* called for every existing network namespace . Allowing kernel
* modules to have a race free view of the set of network namespaces .
*
* When a new network namespace is created all of the init
* methods are called in the order in which they were registered .
*
* When a network namespace is destroyed all of the exit methods
* are called in the reverse of the order with which they were
* registered .
*/
int register_pernet_device ( struct pernet_operations * ops )
{
int error ;
mutex_lock ( & net_mutex ) ;
error = register_pernet_operations ( & pernet_list , ops ) ;
if ( ! error & & ( first_device = = & pernet_list ) )
first_device = & ops - > list ;
mutex_unlock ( & net_mutex ) ;
return error ;
}
EXPORT_SYMBOL_GPL ( register_pernet_device ) ;
/**
* unregister_pernet_device - unregister a network namespace netdevice
* @ ops : pernet operations structure to manipulate
*
* Remove the pernet operations structure from the list to be
2008-02-03 18:56:48 +03:00
* used when network namespaces are created or destroyed . In
2007-09-12 13:50:50 +04:00
* addition run the exit method for all existing network
* namespaces .
*/
void unregister_pernet_device ( struct pernet_operations * ops )
{
mutex_lock ( & net_mutex ) ;
if ( & ops - > list = = first_device )
first_device = first_device - > next ;
unregister_pernet_operations ( ops ) ;
mutex_unlock ( & net_mutex ) ;
}
EXPORT_SYMBOL_GPL ( unregister_pernet_device ) ;
2010-03-08 05:14:23 +03:00
# ifdef CONFIG_NET_NS
2014-11-01 07:37:32 +03:00
static struct ns_common * netns_get ( struct task_struct * task )
2010-03-08 05:14:23 +03:00
{
2011-05-05 04:51:50 +04:00
struct net * net = NULL ;
struct nsproxy * nsproxy ;
2014-02-04 07:13:49 +04:00
task_lock ( task ) ;
nsproxy = task - > nsproxy ;
2011-05-05 04:51:50 +04:00
if ( nsproxy )
net = get_net ( nsproxy - > net_ns ) ;
2014-02-04 07:13:49 +04:00
task_unlock ( task ) ;
2011-05-05 04:51:50 +04:00
2014-11-01 07:10:50 +03:00
return net ? & net - > ns : NULL ;
}
static inline struct net * to_net_ns ( struct ns_common * ns )
{
return container_of ( ns , struct net , ns ) ;
2010-03-08 05:14:23 +03:00
}
2014-11-01 07:37:32 +03:00
static void netns_put ( struct ns_common * ns )
2010-03-08 05:14:23 +03:00
{
2014-11-01 07:10:50 +03:00
put_net ( to_net_ns ( ns ) ) ;
2010-03-08 05:14:23 +03:00
}
2014-11-01 07:37:32 +03:00
static int netns_install ( struct nsproxy * nsproxy , struct ns_common * ns )
2010-03-08 05:14:23 +03:00
{
2014-11-01 07:10:50 +03:00
struct net * net = to_net_ns ( ns ) ;
2012-07-26 12:13:20 +04:00
2012-12-14 19:55:36 +04:00
if ( ! ns_capable ( net - > user_ns , CAP_SYS_ADMIN ) | |
2013-03-20 23:49:49 +04:00
! ns_capable ( current_user_ns ( ) , CAP_SYS_ADMIN ) )
2012-07-26 12:13:20 +04:00
return - EPERM ;
2010-03-08 05:14:23 +03:00
put_net ( nsproxy - > net_ns ) ;
2012-07-26 12:13:20 +04:00
nsproxy - > net_ns = get_net ( net ) ;
2010-03-08 05:14:23 +03:00
return 0 ;
}
2016-09-06 10:47:13 +03:00
static struct user_namespace * netns_owner ( struct ns_common * ns )
{
return to_net_ns ( ns ) - > user_ns ;
}
2010-03-08 05:14:23 +03:00
const struct proc_ns_operations netns_operations = {
. name = " net " ,
. type = CLONE_NEWNET ,
. get = netns_get ,
. put = netns_put ,
. install = netns_install ,
2016-09-06 10:47:13 +03:00
. owner = netns_owner ,
2010-03-08 05:14:23 +03:00
} ;
# endif