Eric Lee / smarc-fsl-linux-kernel

01 Jun, 2013

1 commit

  • e4c172164   xfrm: force a garbage collection after deleting a policy ... Browse Code »

    In some cases after deleting a policy from the SPD the policy would
    remain in the dst/flow/route cache for an extended period of time
    which caused problems for SELinux as its dynamic network access
    controls key off of the number of XFRM policy and state entries.
    This patch corrects this problem by forcing a XFRM garbage collection
    whenever a policy is sucessfully removed.

    Reported-by: Ondrej Moris
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

23 May, 2013

1 commit

  • 497574c72   xfrm: properly handle invalid states as an error ... Browse Code »

    The error exit path needs err explicitly set. Otherwise it
    returns success and the only caller, xfrm_output_resume(),
    would oops in skb_dst(skb)->ops derefence as skb_dst(skb) is
    NULL.

    Bug introduced in commit bb65a9cb (xfrm: removes a superfluous
    check and add a statistic).

    Signed-off-by: Timo Teräs
    Cc: Li RongQing
    Cc: Steffen Klassert
    Signed-off-by: David S. Miller

    Timo Teräs
     

03 May, 2013

1 commit

  • 797994f81   Merge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 ... Browse Code »

    Pull crypto update from Herbert Xu:

    - XTS mode optimisation for twofish/cast6/camellia/aes on x86

    - AVX2/x86_64 implementation for blowfish/twofish/serpent/camellia

    - SSSE3/AVX/AVX2 optimisations for sha256/sha512

    - Added driver for SAHARA2 crypto accelerator

    - Fix for GMAC when used in non-IPsec secnarios

    - Added generic CMAC implementation (including IPsec glue)

    - IP update for crypto/atmel

    - Support for more than one device in hwrng/timeriomem

    - Added Broadcom BCM2835 RNG driver

    - Misc fixes

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (59 commits)
    crypto: caam - fix job ring cleanup code
    crypto: camellia - add AVX2/AES-NI/x86_64 assembler implementation of camellia cipher
    crypto: serpent - add AVX2/x86_64 assembler implementation of serpent cipher
    crypto: twofish - add AVX2/x86_64 assembler implementation of twofish cipher
    crypto: blowfish - add AVX2/x86_64 implementation of blowfish cipher
    crypto: tcrypt - add async cipher speed tests for blowfish
    crypto: testmgr - extend camellia test-vectors for camellia-aesni/avx2
    crypto: aesni_intel - fix Kconfig problem with CRYPTO_GLUE_HELPER_X86
    crypto: aesni_intel - add more optimized XTS mode for x86-64
    crypto: x86/camellia-aesni-avx - add more optimized XTS code
    crypto: cast6-avx: use new optimized XTS code
    crypto: x86/twofish-avx - use optimized XTS code
    crypto: x86 - add more optimized XTS-mode for serpent-avx
    xfrm: add rfc4494 AES-CMAC-96 support
    crypto: add CMAC support to CryptoAPI
    crypto: testmgr - add empty test vectors for null ciphers
    crypto: testmgr - add AES GMAC test vectors
    crypto: gcm - fix rfc4543 to handle async crypto correctly
    crypto: gcm - make GMAC work when dst and src are different
    hwrng: timeriomem - added devicetree hooks
    ...

    Linus Torvalds
     

25 Apr, 2013

1 commit

12 Apr, 2013

1 commit

02 Apr, 2013

1 commit

28 Mar, 2013

1 commit

  • 0fb031f03   Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec ... Browse Code »

    Steffen Klassert says:

    ====================
    1) Initialize the satype field in key_notify_policy_flush(),
    this was left uninitialized. From Nicolas Dichtel.

    2) The sequence number difference for replay notifications
    was misscalculated on ESN sequence number wrap. We need
    a separate replay notify function for esn.

    3) Fix an off by one in the esn replay notify function.
    From Mathias Krause.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

25 Mar, 2013

1 commit

20 Mar, 2013

1 commit

  • 0017c0b57   xfrm: Fix replay notification for esn. ... Browse Code »

    We may miscalculate the sequence number difference from the
    last time we send a notification if a sequence number wrap
    occured in the meantime. We fix this by adding a separate
    replay notify function for esn. Here we take the high bits
    of the sequence number into account to calculate the
    difference.

    Signed-off-by: Steffen Klassert

    Steffen Klassert
     

19 Mar, 2013

1 commit

  • b5fb82c48   xfrm: use xfrm direction when lookup policy ... Browse Code »

    because xfrm policy direction has same value with corresponding
    flow direction, so this problem is covered.

    In xfrm_lookup and __xfrm_policy_check, flow_cache_lookup is used to
    accelerate the lookup.

    Flow direction is given to flow_cache_lookup by policy_to_flow_dir.

    When the flow cache is mismatched, callback 'resolver' is called.

    'resolver' requires xfrm direction,
    so convert direction back to xfrm direction.

    Signed-off-by: Baker Zhang
    Signed-off-by: David S. Miller

    Baker Zhang
     

06 Mar, 2013

2 commits

  • 05600a799   xfrm_user: constify netlink dispatch table ... Browse Code »

    There is no need to modify the netlink dispatch table at runtime.

    Signed-off-by: Mathias Krause
    Signed-off-by: Steffen Klassert

    Mathias Krause
     
  • a947b0a93   xfrm: allow to avoid copying DSCP during encapsulation ... Browse Code »

    By default, DSCP is copying during encapsulation.
    Copying the DSCP in IPsec tunneling may be a bit dangerous because packets with
    different DSCP may get reordered relative to each other in the network and then
    dropped by the remote IPsec GW if the reordering becomes too big compared to the
    replay window.

    It is possible to avoid this copy with netfilter rules, but it's very convenient
    to be able to configure it for each SA directly.

    This patch adds a toogle for this purpose. By default, it's not set to maintain
    backward compatibility.

    Field flags in struct xfrm_usersa_info is full, hence I add a new attribute.

    Signed-off-by: Nicolas Dichtel
    Signed-off-by: Steffen Klassert

    Nicolas Dichtel
     

28 Feb, 2013

1 commit

  • b67bfe0d4   hlist: drop the node parameter from iterators ... Browse Code »

    I'm not sure why, but the hlist for each entry iterators were conceived

    list_for_each_entry(pos, head, member)

    The hlist ones were greedy and wanted an extra parameter:

    hlist_for_each_entry(tpos, pos, head, member)

    Why did they need an extra pos parameter? I'm not quite sure. Not only
    they don't really need it, it also prevents the iterator from looking
    exactly like the list iterator, which is unfortunate.

    Besides the semantic patch, there was some manual work required:

    - Fix up the actual hlist iterators in linux/list.h
    - Fix up the declaration of other iterators based on the hlist ones.
    - A very small amount of places were using the 'node' parameter, this
    was modified to use 'obj->member' instead.
    - Coccinelle didn't handle the hlist_for_each_entry_safe iterator
    properly, so those had to be fixed up manually.

    The semantic patch which is mostly the work of Peter Senna Tschudin is here:

    @@
    iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;

    type T;
    expression a,c,d,e;
    identifier b;
    statement S;
    @@

    -T b;

    [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
    [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
    [akpm@linux-foundation.org: checkpatch fixes]
    [akpm@linux-foundation.org: fix warnings]
    [akpm@linux-foudnation.org: redo intrusive kvm changes]
    Tested-by: Peter Senna Tschudin
    Acked-by: Paul E. McKenney
    Signed-off-by: Sasha Levin
    Cc: Wu Fengguang
    Cc: Marcelo Tosatti
    Cc: Gleb Natapov
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Sasha Levin
     

22 Feb, 2013

1 commit

  • 06991c28f   Merge tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core ... Browse Code »

    Pull driver core patches from Greg Kroah-Hartman:
    "Here is the big driver core merge for 3.9-rc1

    There are two major series here, both of which touch lots of drivers
    all over the kernel, and will cause you some merge conflicts:

    - add a new function called devm_ioremap_resource() to properly be
    able to check return values.

    - remove CONFIG_EXPERIMENTAL

    Other than those patches, there's not much here, some minor fixes and
    updates"

    Fix up trivial conflicts

    * tag 'driver-core-3.9-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (221 commits)
    base: memory: fix soft/hard_offline_page permissions
    drivercore: Fix ordering between deferred_probe and exiting initcalls
    backlight: fix class_find_device() arguments
    TTY: mark tty_get_device call with the proper const values
    driver-core: constify data for class_find_device()
    firmware: Ignore abort check when no user-helper is used
    firmware: Reduce ifdef CONFIG_FW_LOADER_USER_HELPER
    firmware: Make user-mode helper optional
    firmware: Refactoring for splitting user-mode helper code
    Driver core: treat unregistered bus_types as having no devices
    watchdog: Convert to devm_ioremap_resource()
    thermal: Convert to devm_ioremap_resource()
    spi: Convert to devm_ioremap_resource()
    power: Convert to devm_ioremap_resource()
    mtd: Convert to devm_ioremap_resource()
    mmc: Convert to devm_ioremap_resource()
    mfd: Convert to devm_ioremap_resource()
    media: Convert to devm_ioremap_resource()
    iommu: Convert to devm_ioremap_resource()
    drm: Convert to devm_ioremap_resource()
    ...

    Linus Torvalds
     

19 Feb, 2013

2 commits

  • ece31ffd5   net: proc: change proc_net_remove to remove_proc_entry ... Browse Code »

    proc_net_remove is only used to remove proc entries
    that under /proc/net,it's not a general function for
    removing proc entries of netns. if we want to remove
    some proc entries which under /proc/net/stat/, we still
    need to call remove_proc_entry.

    this patch use remove_proc_entry to replace proc_net_remove.
    we can remove proc_net_remove after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     
  • d4beaa66a   net: proc: change proc_net_fops_create to proc_create ... Browse Code »

    Right now, some modules such as bonding use proc_create
    to create proc entries under /proc/net/, and other modules
    such as ipv4 use proc_net_fops_create.

    It looks a little chaos.this patch changes all of
    proc_net_fops_create to proc_create. we can remove
    proc_net_fops_create after this patch.

    Signed-off-by: Gao feng
    Signed-off-by: David S. Miller

    Gao feng
     

15 Feb, 2013

1 commit

  • e0376d004   Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next ... Browse Code »

    Steffen Klassert says:

    ====================
    1) Remove a duplicated call to skb_orphan() in pf_key, from Cong Wang.

    2) Prepare xfrm and pf_key for algorithms without pf_key support,
    from Jussi Kivilinna.

    3) Fix an unbalanced lock in xfrm_output_one(), from Li RongQing.

    4) Add an IPsec state resolution packet queue to handle
    packets that are send before the states are resolved.

    5) xfrm4_policy_fini() is unused since 2.6.11, time to remove it.
    From Michal Kubecek.

    6) The xfrm gc threshold was configurable just in the initial
    namespace, make it configurable in all namespaces. From
    Michal Kubecek.

    7) We currently can not insert policies with mark and mask
    such that some flows would be matched from both policies.
    Allow this if the priorities of these policies are different,
    the one with the higher priority is used in this case.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

11 Feb, 2013

1 commit

06 Feb, 2013

1 commit

  • a0073fe18   xfrm: Add a state resolution packet queue ... Browse Code »

    As the default, we blackhole packets until the key manager resolves
    the states. This patch implements a packet queue where IPsec packets
    are queued until the states are resolved. We generate a dummy xfrm
    bundle, the output routine of the returned route enqueues the packet
    to a per policy queue and arms a timer that checks for state resolution
    when dst_output() is called. Once the states are resolved, the packets
    are sent out of the queue. If the states are not resolved after some
    time, the queue is flushed.

    This patch keeps the defaut behaviour to blackhole packets as long
    as we have no states. To enable the packet queue the sysctl
    xfrm_larval_drop must be switched off.

    Signed-off-by: Steffen Klassert

    Steffen Klassert
     

01 Feb, 2013

2 commits

30 Jan, 2013

2 commits

21 Jan, 2013

1 commit

  • 5b653b2a1   xfrm: fix freed block size calculation in xfrm_policy_fini() ... Browse Code »

    Missing multiplication of block size by sizeof(struct hlist_head)
    can cause xfrm_hash_free() to be called with wrong second argument
    so that kfree() is called on a block allocated with vzalloc() or
    __get_free_pages() or free_pages() is called with wrong order when
    a namespace with enough policies is removed.

    Bug introduced by commit a35f6c5d, i.e. versions >= 2.6.29 are
    affected.

    Signed-off-by: Michal Kubecek
    Signed-off-by: Steffen Klassert

    Michal Kubecek
     

18 Jan, 2013

1 commit

  • e2f672591   net/xfrm/xfrm_replay: avoid division by zero ... Browse Code »

    All of the xfrm_replay->advance functions in xfrm_replay.c check if
    x->replay_esn->replay_window is zero (and return if so). However,
    one of them, xfrm_replay_advance_bmp(), divides by that value (in the
    '%' operator) before doing the check, which can potentially trigger
    a divide-by-zero exception. Some compilers will also assume that the
    earlier division means the value cannot be zero later, and thus will
    eliminate the subsequent zero check as dead code.

    This patch moves the division to after the check.

    Signed-off-by: Nickolai Zeldovich
    Signed-off-by: Steffen Klassert

    Nickolai Zeldovich
     

17 Jan, 2013

1 commit

16 Jan, 2013

2 commits

12 Jan, 2013

1 commit

  • f215bf48c   net/xfrm: remove depends on CONFIG_EXPERIMENTAL ... Browse Code »

    The CONFIG_EXPERIMENTAL config item has not carried much meaning for a
    while now and is almost always enabled by default. As agreed during the
    Linux kernel summit, remove it from any "depends on" lines in Kconfigs.

    CC: "David S. Miller"
    CC: Jan Beulich
    Signed-off-by: Kees Cook
    Acked-by: David S. Miller

    Kees Cook
     

08 Jan, 2013

1 commit

  • 71331da50   xfrm_algo: probe asynchronous block ciphers instead of synchronous ... Browse Code »

    IPSEC uses block ciphers asynchronous, but probes only for synchronous block
    ciphers and makes ealg entries only available if synchronous block cipher is
    found. So with setup, where hardware crypto driver registers asynchronous
    block ciphers and software crypto module is not build, ealg is not marked
    as being available.

    Use crypto_has_ablkcipher instead and remove ASYNC mask.

    Signed-off-by: Jussi Kivilinna
    Signed-off-by: Steffen Klassert

    Jussi Kivilinna
     

07 Jan, 2013

1 commit

  • bb65a9cb9   xfrm: removes a superfluous check and add a statistic ... Browse Code »

    Remove the check if x->km.state equal to XFRM_STATE_VALID in
    xfrm_state_check_expire(), which will be done before call
    xfrm_state_check_expire().

    add a LINUX_MIB_XFRMOUTSTATEINVALID statistic to record the
    outbound error due to invalid xfrm state.

    Signed-off-by: Li RongQing
    Signed-off-by: Steffen Klassert

    Li RongQing
     

23 Nov, 2012

1 commit

  • 242a18d13   Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next ... Browse Code »

    Steffen Klassert says:

    ====================
    This pull request is intended for net-next and contains the following changes:

    1) Remove a redundant check when initializing the xfrm replay functions,
    from Ulrich Weber.
    2) Use a faster per-cpu helper when allocating ipcomt transforms,
    from Shan Wei.
    3) Use a static gc threshold value for ipv6, simmilar to what we do
    for ipv4 now.
    4) Remove a commented out function call.
    ====================

    Signed-off-by: David S. Miller

    David S. Miller
     

19 Nov, 2012

2 commits

  • df008c91f   net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm ... Browse Code »

    Allow an unpriviled user who has created a user namespace, and then
    created a network namespace to effectively use the new network
    namespace, by reducing capable(CAP_NET_ADMIN) and
    capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
    CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

    Allow creation of af_key sockets.
    Allow creation of llc sockets.
    Allow creation of af_packet sockets.

    Allow sending xfrm netlink control messages.

    Allow binding to netlink multicast groups.
    Allow sending to netlink multicast groups.
    Allow adding and dropping netlink multicast groups.
    Allow sending to all netlink multicast groups and port ids.

    Allow reading the netfilter SO_IP_SET socket option.
    Allow sending netfilter netlink messages.
    Allow setting and getting ip_vs netfilter socket options.

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     
  • 464dc801c   net: Don't export sysctls to unprivileged users ... Browse Code »

    In preparation for supporting the creation of network namespaces
    by unprivileged users, modify all of the per net sysctl exports
    and refuse to allow them to unprivileged users.

    This makes it safe for unprivileged users in general to access
    per net sysctls, and allows sysctls to be exported to unprivileged
    users on an individual basis as they are deemed safe.

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

13 Nov, 2012

1 commit

  • f7c83bcbf   net: xfrm: use __this_cpu_read per-cpu helper ... Browse Code »

    this_cpu_ptr/this_cpu_read is faster than per_cpu_ptr(p, smp_processor_id())
    and can reduce memory accesses.
    The latter helper needs to find the offset for current cpu,
    and needs more assembler instructions which objdump shows in following.

    this_cpu_ptr relocates and address. this_cpu_read() relocates the address
    and performs the fetch. this_cpu_read() saves you more instructions
    since it can do the relocation and the fetch in one instruction.

    per_cpu_ptr(p, smp_processor_id()):
    1e: 65 8b 04 25 00 00 00 00 mov %gs:0x0,%eax
    26: 48 98 cltq
    28: 31 f6 xor %esi,%esi
    2a: 48 c7 c7 00 00 00 00 mov $0x0,%rdi
    31: 48 8b 04 c5 00 00 00 00 mov 0x0(,%rax,8),%rax
    39: c7 44 10 04 14 00 00 00 movl $0x14,0x4(%rax,%rdx,1)

    this_cpu_ptr(p)
    1e: 65 48 03 14 25 00 00 00 00 add %gs:0x0,%rdx
    27: 31 f6 xor %esi,%esi
    29: c7 42 04 14 00 00 00 movl $0x14,0x4(%rdx)
    30: 48 c7 c7 00 00 00 00 mov $0x0,%rdi

    Signed-off-by: Shan Wei
    Signed-off-by: Steffen Klassert

    Shan Wei
     

08 Nov, 2012

1 commit

03 Oct, 2012

2 commits

  • aecdc33e1   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next ... Browse Code »

    Pull networking changes from David Miller:

    1) GRE now works over ipv6, from Dmitry Kozlov.

    2) Make SCTP more network namespace aware, from Eric Biederman.

    3) TEAM driver now works with non-ethernet devices, from Jiri Pirko.

    4) Make openvswitch network namespace aware, from Pravin B Shelar.

    5) IPV6 NAT implementation, from Patrick McHardy.

    6) Server side support for TCP Fast Open, from Jerry Chu and others.

    7) Packet BPF filter supports MOD and XOR, from Eric Dumazet and Daniel
    Borkmann.

    8) Increate the loopback default MTU to 64K, from Eric Dumazet.

    9) Use a per-task rather than per-socket page fragment allocator for
    outgoing networking traffic. This benefits processes that have very
    many mostly idle sockets, which is quite common.

    From Eric Dumazet.

    10) Use up to 32K for page fragment allocations, with fallbacks to
    smaller sizes when higher order page allocations fail. Benefits are
    a) less segments for driver to process b) less calls to page
    allocator c) less waste of space.

    From Eric Dumazet.

    11) Allow GRO to be used on GRE tunnels, from Eric Dumazet.

    12) VXLAN device driver, one way to handle VLAN issues such as the
    limitation of 4096 VLAN IDs yet still have some level of isolation.
    From Stephen Hemminger.

    13) As usual there is a large boatload of driver changes, with the scale
    perhaps tilted towards the wireless side this time around.

    Fix up various fairly trivial conflicts, mostly caused by the user
    namespace changes.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1012 commits)
    hyperv: Add buffer for extended info after the RNDIS response message.
    hyperv: Report actual status in receive completion packet
    hyperv: Remove extra allocated space for recv_pkt_list elements
    hyperv: Fix page buffer handling in rndis_filter_send_request()
    hyperv: Fix the missing return value in rndis_filter_set_packet_filter()
    hyperv: Fix the max_xfer_size in RNDIS initialization
    vxlan: put UDP socket in correct namespace
    vxlan: Depend on CONFIG_INET
    sfc: Fix the reported priorities of different filter types
    sfc: Remove EFX_FILTER_FLAG_RX_OVERRIDE_IP
    sfc: Fix loopback self-test with separate_tx_channels=1
    sfc: Fix MCDI structure field lookup
    sfc: Add parentheses around use of bitfield macro arguments
    sfc: Fix null function pointer in efx_sriov_channel_type
    vxlan: virtual extensible lan
    igmp: export symbol ip_mc_leave_group
    netlink: add attributes to fdb interface
    tg3: unconditionally select HWMON support when tg3 is enabled.
    Revert "net: ti cpsw ethernet: allow reading phy interface mode from DT"
    gre: fix sparse warning
    ...

    Linus Torvalds
     
  • 437589a74   Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace ... Browse Code »

    Pull user namespace changes from Eric Biederman:
    "This is a mostly modest set of changes to enable basic user namespace
    support. This allows the code to code to compile with user namespaces
    enabled and removes the assumption there is only the initial user
    namespace. Everything is converted except for the most complex of the
    filesystems: autofs4, 9p, afs, ceph, cifs, coda, fuse, gfs2, ncpfs,
    nfs, ocfs2 and xfs as those patches need a bit more review.

    The strategy is to push kuid_t and kgid_t values are far down into
    subsystems and filesystems as reasonable. Leaving the make_kuid and
    from_kuid operations to happen at the edge of userspace, as the values
    come off the disk, and as the values come in from the network.
    Letting compile type incompatible compile errors (present when user
    namespaces are enabled) guide me to find the issues.

    The most tricky areas have been the places where we had an implicit
    union of uid and gid values and were storing them in an unsigned int.
    Those places were converted into explicit unions. I made certain to
    handle those places with simple trivial patches.

    Out of that work I discovered we have generic interfaces for storing
    quota by projid. I had never heard of the project identifiers before.
    Adding full user namespace support for project identifiers accounts
    for most of the code size growth in my git tree.

    Ultimately there will be work to relax privlige checks from
    "capable(FOO)" to "ns_capable(user_ns, FOO)" where it is safe allowing
    root in a user names to do those things that today we only forbid to
    non-root users because it will confuse suid root applications.

    While I was pushing kuid_t and kgid_t changes deep into the audit code
    I made a few other cleanups. I capitalized on the fact we process
    netlink messages in the context of the message sender. I removed
    usage of NETLINK_CRED, and started directly using current->tty.

    Some of these patches have also made it into maintainer trees, with no
    problems from identical code from different trees showing up in
    linux-next.

    After reading through all of this code I feel like I might be able to
    win a game of kernel trivial pursuit."

    Fix up some fairly trivial conflicts in netfilter uid/git logging code.

    * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: (107 commits)
    userns: Convert the ufs filesystem to use kuid/kgid where appropriate
    userns: Convert the udf filesystem to use kuid/kgid where appropriate
    userns: Convert ubifs to use kuid/kgid
    userns: Convert squashfs to use kuid/kgid where appropriate
    userns: Convert reiserfs to use kuid and kgid where appropriate
    userns: Convert jfs to use kuid/kgid where appropriate
    userns: Convert jffs2 to use kuid and kgid where appropriate
    userns: Convert hpfs to use kuid and kgid where appropriate
    userns: Convert btrfs to use kuid/kgid where appropriate
    userns: Convert bfs to use kuid/kgid where appropriate
    userns: Convert affs to use kuid/kgid wherwe appropriate
    userns: On alpha modify linux_to_osf_stat to use convert from kuids and kgids
    userns: On ia64 deal with current_uid and current_gid being kuid and kgid
    userns: On ppc convert current_uid from a kuid before printing.
    userns: Convert s390 getting uid and gid system calls to use kuid and kgid
    userns: Convert s390 hypfs to use kuid and kgid where appropriate
    userns: Convert binder ipc to use kuids
    userns: Teach security_path_chown to take kuids and kgids
    userns: Add user namespace support to IMA
    userns: Convert EVM to deal with kuids and kgids in it's hmac computation
    ...

    Linus Torvalds
     

29 Sep, 2012

1 commit

  • 6a06e5e1b   Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Browse Code »

    Conflicts:
    drivers/net/team/team.c
    drivers/net/usb/qmi_wwan.c
    net/batman-adv/bat_iv_ogm.c
    net/ipv4/fib_frontend.c
    net/ipv4/route.c
    net/l2tp/l2tp_netlink.c

    The team, fib_frontend, route, and l2tp_netlink conflicts were simply
    overlapping changes.

    qmi_wwan and bat_iv_ogm were of the "use HEAD" variety.

    With help from Antonio Quartulli.

    Signed-off-by: David S. Miller

    David S. Miller
     

21 Sep, 2012

1 commit