10 Sep, 2008
4 commits
-
Otherwise entries stay on the GC todo list forever, even after we free
them.Signed-off-by: David S. Miller
-
Now that we save states within a walk we need synchronisation
so that the list the saved state is on doesn't disappear from
under us.As it stands this is done by keeping the state on the list which
is bad because it gets in the way of the management of the state
life-cycle.An alternative is to make our own pseudo-RCU system where we use
counters to indicate which state can't be freed immediately as
it may be referenced by an ongoing walk when that resumes.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
The previous default behavior is definitely the least user
friendly. Hanging there forever just because the keying
daemon is wedged or the refreshing of the policy can't move
forward is anti-social to say the least.Signed-off-by: David S. Miller
09 Sep, 2008
1 commit
-
The commit commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3 ("[XFRM]:
Speed up xfrm_policy and xfrm_state walking") inadvertently removed
larval states and socket policies from netlink dumps. This patch
restores them.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
03 Sep, 2008
2 commits
-
Ever since commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3
("[XFRM]: Speed up xfrm_policy and xfrm_state walking") it is
illegal to call __xfrm_state_destroy (and thus xfrm_state_put())
with xfrm_state_lock held. If we do, we'll deadlock since we
have the lock already and __xfrm_state_destroy() tries to take
it again.Fix this by pushing the xfrm_state_put() calls after the lock
is dropped.Signed-off-by: David S. Miller
-
In case of error, the function xfrm_bundle_create returns an ERR
pointer, but never returns a NULL pointer. So a NULL test that comes
after an IS_ERR test should be deleted.The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)//
@match_bad_null_test@
expression x, E;
statement S1,S2;
@@
x = xfrm_bundle_create(...)
... when != x = E
* if (x != NULL)
S1 else S2
//Signed-off-by: Julien Brunel
Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller
14 Aug, 2008
1 commit
-
Small fix removing an unnecessary intermediate variable.
Signed-off-by: Jean-Christophe DUBOIS
Signed-off-by: David S. Miller
26 Jul, 2008
1 commit
-
Removes legacy reinvent-the-wheel type thing. The generic
machinery integrates much better to automated debugging aids
such as kerneloops.org (and others), and is unambiguous due to
better naming. Non-intuively BUG_TRAP() is actually equal to
WARN_ON() rather than BUG_ON() though some might actually be
promoted to BUG_ON() but I left that to future.I could make at least one BUILD_BUG_ON conversion.
Signed-off-by: Ilpo Järvinen
Signed-off-by: David S. Miller
25 Jul, 2008
2 commits
-
When decompressing extremely large packets allocating them through
kmalloc is prone to failure. Therefore it's better to use page
frags instead.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
This patch merges the IPv4/IPv6 IPComp implementations since most
of the code is identical. As a result future enhancements will no
longer need to be duplicated.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
20 Jul, 2008
1 commit
-
Without CONFIG_NET_NS, namespace is always &init_net.
Compiler will be able to omit namespace comparisons with this patch.Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
11 Jul, 2008
1 commit
-
Add a XFRM_STATE_AF_UNSPEC flag to handle the AF_UNSPEC behavior for
the selector family. Userspace applications can set this flag to leave
the selector family of the xfrm_state unspecified. This can be used
to to handle inter family tunnels if the selector is not set from
userspace.Signed-off-by: Steffen Klassert
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
05 Jun, 2008
1 commit
-
This patch fixes the usage of RIPEMD-160 in xfrm_algo which in turn
allows hmac(rmd160) to be used as authentication mechanism in IPsec
ESP and AH (see RFC 2857).Signed-off-by: Adrian-Ken Rueegsegger
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
22 May, 2008
1 commit
-
The crypto layer will determine whether that is valid
or not.Suggested by Herbert Xu, based upon a report and patch
by Martin Willi.Signed-off-by: David S. Miller
Acked-by: Herbert Xu
13 May, 2008
1 commit
-
This patch adds needed_headroom/needed_tailroom members to struct
net_device and updates many places that allocate sbks to use them. Not
all of them can be converted though, and I'm sure I missed some (I
mostly grepped for LL_RESERVED_SPACE)Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
30 Apr, 2008
1 commit
-
* 'audit.b50' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current:
[PATCH] new predicate - AUDIT_FILETYPE
[patch 2/2] Use find_task_by_vpid in audit code
[patch 1/2] audit: let userspace fully control TTY input auditing
[PATCH 2/2] audit: fix sparse shadowed variable warnings
[PATCH 1/2] audit: move extern declarations to audit.h
Audit: MAINTAINERS update
Audit: increase the maximum length of the key field
Audit: standardize string audit interfaces
Audit: stop deadlock from signals under load
Audit: save audit_backlog_limit audit messages in case auditd comes back
Audit: collect sessionid in netlink messages
Audit: end printk with newline
29 Apr, 2008
1 commit
-
Some drivers have duplicated unlikely() macros. IS_ERR() already has
unlikely() in itself.This patch cleans up such pointless code.
Signed-off-by: Hirofumi Nakagawa
Acked-by: David S. Miller
Acked-by: Jeff Garzik
Cc: Paul Clements
Cc: Richard Purdie
Cc: Alessandro Zummo
Cc: David Brownell
Cc: James Bottomley
Cc: Michael Halcrow
Cc: Anton Altaparmakov
Cc: Al Viro
Cc: Carsten Otte
Cc: Patrick McHardy
Cc: Paul Mundt
Cc: Jaroslav Kysela
Cc: Takashi Iwai
Acked-by: Mike Frysinger
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
28 Apr, 2008
3 commits
-
Previously I added sessionid output to all audit messages where it was
available but we still didn't know the sessionid of the sender of
netlink messages. This patch adds that information to netlink messages
so we can audit who sent netlink messages.Signed-off-by: Eric Paris
Signed-off-by: Al Viro -
Previously digest_null had no setkey function which meant that
we used hmac(digest_null) for IPsec since IPsec always calls
setkey. Now that digest_null has a setkey we no longer need to
do that.In fact when only confidentiality is specified for ESP we already
use digest_null directly. However, when the null algorithm is
explicitly specified by the user we still opt for hmac(digest_null).This patch removes this discrepancy. I have not added a new compat
name for it because by chance it wasn't actualy possible for the user
to specify the name hmac(digest_null) due to a key length check in
xfrm_user (which I found out when testing that compat name :)Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Flowlabel text format was not correct and thus ambiguous.
For example, 0x00123 or 0x01203 are formatted as 0x123.
This is not what audit tools want.Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller
22 Apr, 2008
1 commit
-
As it stands it's impossible to use any authentication algorithms
with an ID above 31 portably. It just happens to work on x86 but
fails miserably on ppc64.The reason is that we're using a bit mask to check the algorithm
ID but the mask is only 32 bits wide.After looking at how this is used in the field, I have concluded
that in the long term we should phase out state matching by IDs
because this is made superfluous by the reqid feature. For current
applications, the best solution IMHO is to allow all algorithms when
the bit masks are all ~0.The following patch does exactly that.
This bug was identified by IBM when testing on the ppc64 platform
using the NULL authentication algorithm which has an ID of 251.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
15 Apr, 2008
1 commit
-
When CONFIG_SECURITY_NETWORK_XFRM is undefined the following warnings appears:
net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire':
net/xfrm/xfrm_user.c:1576: warning: 'ctx' may be used uninitialized in this function
net/xfrm/xfrm_user.c: In function 'xfrm_get_policy':
net/xfrm/xfrm_user.c:1340: warning: 'ctx' may be used uninitialized in this function
(security_xfrm_policy_alloc is noop for the case).It seems that they are result of the commit
03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b ("LSM: Make the Labeled IPsec
hooks more stack friendly")Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
14 Apr, 2008
1 commit
-
Conflicts:
drivers/net/ehea/ehea_main.c
drivers/net/wireless/iwlwifi/Kconfig
drivers/net/wireless/rt2x00/rt61pci.c
net/ipv4/inet_timewait_sock.c
net/ipv6/raw.c
net/mac80211/ieee80211_sta.c
13 Apr, 2008
1 commit
-
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs
on the stack to work around the LSM API. This patch attempts to fix that
problem by changing the LSM API to require only the relevant "security"
pointers instead of the entire SPD entry; we do this for all of the
security_xfrm_policy*() functions to keep things consistent.Signed-off-by: Paul Moore
Acked-by: James Morris
Signed-off-by: David S. Miller
10 Apr, 2008
1 commit
-
Commit df9dcb45 ([IPSEC]: Fix inter address family IPsec tunnel handling)
broke openswan by removing the selector initialization for tunnel mode
in case it is uninitialized.This patch restores the initialization, fixing openswan, but probably
breaking inter-family tunnels again (unknown since the patch author
disappeared). The correct thing for inter-family tunnels is probably
to simply initialize the selector family explicitly.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
Conflicts:
drivers/net/usb/rndis_host.c
drivers/net/wireless/b43/dma.c
net/ipv6/ndisc.c
26 Mar, 2008
1 commit
-
Introduce per-net_device inlines: dev_net(), dev_net_set().
Without CONFIG_NET_NS, no namespace other than &init_net exists.
Let's explicitly define them to help compiler optimizations.Signed-off-by: YOSHIFUJI Hideaki
25 Mar, 2008
2 commits
-
Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source
address to be mangled in the IPv6 header (that is "CoA").
On Inter-MN communication after both nodes binds each other,
they use route optimized traffic two MIPv6 states applied, and
both source and destination address in the IPv6 header
are replaced by the states respectively.
The packet format is correct, however, next-hop routing search
are not.
This patch fixes it by remembering address pairs for later states.Based on patch from Masahide NAKAMURA .
Signed-off-by: Masahide NAKAMURA
Signed-off-by: YOSHIFUJI Hideaki -
Signed-off-by: Kazunori MIYAZAWA
Signed-off-by: David S. Miller
29 Feb, 2008
1 commit
-
Change xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).
This is achieved adding the entries to one more list which is used
solely for walking the entries.This also fixes some races where the dump can have duplicate or missing
entries when the SPD/SADB is modified during an ongoing dump.Dumping SADB with 20000 entries using "time ip xfrm state" the sys
time dropped from 1.012s to 0.080s.Signed-off-by: Timo Teras
Signed-off-by: David S. Miller
18 Feb, 2008
1 commit
-
Keep ordering of policy entries with same selector in
xfrm_dst_hash_transfer().Issue should not appear in usual cases because multiple policy entries
with same selector are basically not allowed so far. Bug was pointed
out by Sebastien Decugis .We could convert bydst from hlist to list and use list_add_tail()
instead.Signed-off-by: YOSHIFUJI Hideaki
Acked-by: Sebastien Decugis
Signed-off-by: David S. Miller
15 Feb, 2008
2 commits
-
From: YOSHIFUJI Hideaki
When we destory a new policy entry, we need to tell
xfrm_policy_destroy() explicitly that the entry is not
alive yet.Signed-off-by: David S. Miller
-
net/built-in.o: In function `xfrm_policy_init':
/home/pmundt/devel/git/sh-2.6.25/net/xfrm/xfrm_policy.c:2338: undefined reference to `snmp_mib_init'snmp_mib_init() is only built in if CONFIG_INET is set.
Signed-off-by: Paul Mundt
Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
13 Feb, 2008
1 commit
-
Al Viro spotted a bogus use of u64 on the input sequence number which
is big-endian. This patch fixes it by giving the input sequence number
its own member in the xfrm_skb_cb structure.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
08 Feb, 2008
1 commit
-
The below patch allows IPsec to use CTR mode with AES encryption
algorithm. Tested this using setkey in ipsec-tools.Signed-off-by: Joy Latten
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
02 Feb, 2008
1 commit
-
all callers pass something->audit_context
Signed-off-by: Al Viro
01 Feb, 2008
3 commits
-
o Outbound sequence number overflow error status
is counted as XfrmOutStateSeqError.
o Additionaly, it changes inbound sequence number replay
error name from XfrmInSeqOutOfWindow to XfrmInStateSeqError
to apply name scheme above.
o Inbound IPv4 UDP encapsuling type mismatch error is wrongly
mapped to XfrmInStateInvalid then this patch fiex the error
to XfrmInStateMismatch.Signed-off-by: Masahide NAKAMURA
Signed-off-by: David S. Miller -
This patch removes the following no longer used EXPORT_SYMBOL's:
- xfrm_input.c: xfrm_parse_spi
- xfrm_state.c: xfrm_replay_check
- xfrm_state.c: xfrm_replay_advanceSigned-off-by: Adrian Bunk
Signed-off-by: David S. Miller -
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
