Eric Lee / smarc-fsl-linux-kernel

11 Oct, 2007

19 commits

14 Aug, 2007

1 commit

02 Aug, 2007

1 commit

31 Jul, 2007

2 commits

  • 48b8d7831   [XFRM]: State selection update to use inner addresses. ... Browse Code »

    This patch modifies the xfrm state selection logic to use the inner
    addresses where the outer have been (incorrectly) used. This is
    required for beet mode in general and interfamily setups in both
    tunnel and beet mode.

    Signed-off-by: Joakim Koskela
    Signed-off-by: Herbert Xu
    Signed-off-by: Diego Beltrami
    Signed-off-by: Miika Komu
    Acked-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Joakim Koskela
     
  • 196b00362   [IPSEC]: Ensure that state inner family is set ... Browse Code »

    Similar to the issue we had with template families which
    specified the inner families of policies, we need to set
    the inner families of states as the main xfrm user Openswan
    leaves it as zero.

    af_key is unaffected because the inner family is set by it
    and not the KM.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

20 Jul, 2007

1 commit

  • 20c2df83d   mm: Remove slab destructors from kmem_cache_create(). ... Browse Code »

    Slab destructors were no longer supported after Christoph's
    c59def9f222d44bb7e2f0a559f2906191a0862d7 change. They've been
    BUGs for both slab and slub, and slob never supported them
    either.

    This rips out support for the dtor pointer from kmem_cache_create()
    completely and fixes up every single callsite in the kernel (there were
    about 224, not including the slab allocator definitions themselves,
    or the documentation references).

    Signed-off-by: Paul Mundt

    Paul Mundt
     

19 Jul, 2007

1 commit

18 Jul, 2007

1 commit

11 Jul, 2007

1 commit

19 Jun, 2007

1 commit

  • 281216177   [XFRM]: Fix MTU calculation for non-ESP SAs ... Browse Code »

    My IPsec MTU optimization patch introduced a regression in MTU calculation
    for non-ESP SAs, the SA's header_len needs to be subtracted from the MTU if
    the transform doesn't provide a ->get_mtu() function.

    Reported-and-tested-by: Marco Berizzi

    Signed-off-by: Patrick McHardy
    Signed-off-by: David S. Miller

    Patrick McHardy
     

08 Jun, 2007

1 commit

  • 4aa2e62c4   xfrm: Add security check before flushing SAD/SPD ... Browse Code »

    Currently we check for permission before deleting entries from SAD and
    SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
    However we are not checking for authorization when flushing the SPD and
    the SAD completely. It was perhaps missed in the original security hooks
    patch.

    This patch adds a security check when flushing entries from the SAD and
    SPD. It runs the entire database and checks each entry for a denial.
    If the process attempting the flush is unable to remove all of the
    entries a denial is logged the the flush function returns an error
    without removing anything.

    This is particularly useful when a process may need to create or delete
    its own xfrm entries used for things like labeled networking but that
    same process should not be able to delete other entries or flush the
    entire database.

    Signed-off-by: Joy Latten
    Signed-off-by: Eric Paris
    Signed-off-by: James Morris

    Joy Latten
     

31 May, 2007

2 commits

25 May, 2007

1 commit

  • 14e50e57a   [XFRM]: Allow packet drops during larval state resolution. ... Browse Code »

    The current IPSEC rule resolution behavior we have does not work for a
    lot of people, even though technically it's an improvement from the
    -EAGAIN buisness we had before.

    Right now we'll block until the key manager resolves the route. That
    works for simple cases, but many folks would rather packets get
    silently dropped until the key manager resolves the IPSEC rules.

    We can't tell these folks to "set the socket non-blocking" because
    they don't have control over the non-block setting of things like the
    sockets used to resolve DNS deep inside of the resolver libraries in
    libc.

    With that in mind I coded up the patch below with some help from
    Herbert Xu which provides packet-drop behavior during larval state
    resolution, controllable via sysctl and off by default.

    This lays the framework to either:

    1) Make this default at some point or...

    2) Move this logic into xfrm{4,6}_policy.c and implement the
    ARP-like resolution queue we've all been dreaming of.
    The idea would be to queue packets to the policy, then
    once the larval state is resolved by the key manager we
    re-resolve the route and push the packets out. The
    packets would timeout if the rule didn't get resolved
    in a certain amount of time.

    Signed-off-by: David S. Miller

    David S. Miller
     

23 May, 2007

1 commit

20 May, 2007

1 commit

  • c92b3a2f1   [IPSEC] pfkey: Load specific algorithm in pfkey_add rather than all ... Browse Code »

    This is a natural extension of the changeset

    [XFRM]: Probe selected algorithm only.

    which only removed the probe call for xfrm_user. This patch does exactly
    the same thing for af_key. In other words, we load the algorithm requested
    by the user rather than everything when adding xfrm states in af_key.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

14 May, 2007

2 commits

  • 6253db055   [IPSEC]: Don't warn if high-order hash resize fails ... Browse Code »

    Multi-page allocations are always likely to fail. Since such failures
    are expected and non-critical in xfrm_hash_alloc, we shouldn't warn about
    them.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     
  • b5505c6e1   [IPSEC]: Check validity of direction in xfrm_policy_byid ... Browse Code »

    The function xfrm_policy_byid takes a dir argument but finds the policy
    using the index instead. We only use the dir argument to update the
    policy count for that direction. Since the user can supply any value
    for dir, this can corrupt our policy count.

    I know this is the problem because a few days ago I was deleting
    policies by hand using indicies and accidentally typed in the wrong
    direction. It still deleted the policy and at the time I thought
    that was cool. In retrospect it isn't such a good idea :)

    I decided against letting it delete the policy anyway just in case
    we ever remove the connection between indicies and direction.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

05 May, 2007

2 commits

30 Apr, 2007

1 commit

  • 157bfc250   [XFRM]: Restrict upper layer information by bundle. ... Browse Code »

    On MIPv6 usage, XFRM sub policy is enabled.
    When main (IPsec) and sub (MIPv6) policy selectors have the same
    address set but different upper layer information (i.e. protocol
    number and its ports or type/code), multiple bundle should be created.
    However, currently we have issue to use the same bundle created for
    the first time with all flows covered by the case.

    It is useful for the bundle to have the upper layer information
    to be restructured correctly if it does not match with the flow.

    1. Bundle was created by two policies
    Selector from another policy is added to xfrm_dst.
    If the flow does not match the selector, it goes to slow path to
    restructure new bundle by single policy.

    2. Bundle was created by one policy
    Flow cache is added to xfrm_dst as originated one. If the flow does
    not match the cache, it goes to slow path to try searching another
    policy.

    Signed-off-by: Masahide NAKAMURA
    Signed-off-by: David S. Miller

    Masahide NAKAMURA
     

29 Apr, 2007

1 commit