Eric Lee / smarc-fsl-linux-kernel

14 Nov, 2018

1 commit

  • 1d982ccf0   net/ipv4: defensive cipso option parsing ... Browse Code »

    commit 076ed3da0c9b2f88d9157dbe7044a45641ae369e upstream.

    commit 40413955ee26 ("Cipso: cipso_v4_optptr enter infinite loop") fixed
    a possible infinite loop in the IP option parsing of CIPSO. The fix
    assumes that ip_options_compile filtered out all zero length options and
    that no other one-byte options beside IPOPT_END and IPOPT_NOOP exist.
    While this assumption currently holds true, add explicit checks for zero
    length and invalid length options to be safe for the future. Even though
    ip_options_compile should have validated the options, the introduction of
    new one-byte options can still confuse this code without the additional
    checks.

    Signed-off-by: Stefan Nuernberger
    Cc: David Woodhouse
    Cc: Simon Veith
    Cc: stable@vger.kernel.org
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Stefan Nuernberger
     

21 Oct, 2017

1 commit

  • c92e8c02f   tcp/dccp: fix ireq->opt races ... Browse Code »

    syzkaller found another bug in DCCP/TCP stacks [1]

    For the reasons explained in commit ce1050089c96 ("tcp/dccp: fix
    ireq->pktopts race"), we need to make sure we do not access
    ireq->opt unless we own the request sock.

    Note the opt field is renamed to ireq_opt to ease grep games.

    [1]
    BUG: KASAN: use-after-free in ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474
    Read of size 1 at addr ffff8801c951039c by task syz-executor5/3295

    CPU: 1 PID: 3295 Comm: syz-executor5 Not tainted 4.14.0-rc4+ #80
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:16 [inline]
    dump_stack+0x194/0x257 lib/dump_stack.c:52
    print_address_description+0x73/0x250 mm/kasan/report.c:252
    kasan_report_error mm/kasan/report.c:351 [inline]
    kasan_report+0x25b/0x340 mm/kasan/report.c:409
    __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
    ip_queue_xmit+0x1687/0x18e0 net/ipv4/ip_output.c:474
    tcp_transmit_skb+0x1ab7/0x3840 net/ipv4/tcp_output.c:1135
    tcp_send_ack.part.37+0x3bb/0x650 net/ipv4/tcp_output.c:3587
    tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3557
    __tcp_ack_snd_check+0x2c6/0x4b0 net/ipv4/tcp_input.c:5072
    tcp_ack_snd_check net/ipv4/tcp_input.c:5085 [inline]
    tcp_rcv_state_process+0x2eff/0x4850 net/ipv4/tcp_input.c:6071
    tcp_child_process+0x342/0x990 net/ipv4/tcp_minisocks.c:816
    tcp_v4_rcv+0x1827/0x2f80 net/ipv4/tcp_ipv4.c:1682
    ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
    dst_input include/net/dst.h:464 [inline]
    ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
    __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476
    __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514
    netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587
    netif_receive_skb+0xae/0x390 net/core/dev.c:4611
    tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372
    tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766
    tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792
    call_write_iter include/linux/fs.h:1770 [inline]
    new_sync_write fs/read_write.c:468 [inline]
    __vfs_write+0x68a/0x970 fs/read_write.c:481
    vfs_write+0x18f/0x510 fs/read_write.c:543
    SYSC_write fs/read_write.c:588 [inline]
    SyS_write+0xef/0x220 fs/read_write.c:580
    entry_SYSCALL_64_fastpath+0x1f/0xbe
    RIP: 0033:0x40c341
    RSP: 002b:00007f469523ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
    RAX: ffffffffffffffda RBX: 0000000000718000 RCX: 000000000040c341
    RDX: 0000000000000037 RSI: 0000000020004000 RDI: 0000000000000015
    RBP: 0000000000000086 R08: 0000000000000000 R09: 0000000000000000
    R10: 00000000000f4240 R11: 0000000000000293 R12: 00000000004b7fd1
    R13: 00000000ffffffff R14: 0000000020000000 R15: 0000000000025000

    Allocated by task 3295:
    save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
    save_stack+0x43/0xd0 mm/kasan/kasan.c:447
    set_track mm/kasan/kasan.c:459 [inline]
    kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
    __do_kmalloc mm/slab.c:3725 [inline]
    __kmalloc+0x162/0x760 mm/slab.c:3734
    kmalloc include/linux/slab.h:498 [inline]
    tcp_v4_save_options include/net/tcp.h:1962 [inline]
    tcp_v4_init_req+0x2d3/0x3e0 net/ipv4/tcp_ipv4.c:1271
    tcp_conn_request+0xf6d/0x3410 net/ipv4/tcp_input.c:6283
    tcp_v4_conn_request+0x157/0x210 net/ipv4/tcp_ipv4.c:1313
    tcp_rcv_state_process+0x8ea/0x4850 net/ipv4/tcp_input.c:5857
    tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1482
    tcp_v4_rcv+0x2d10/0x2f80 net/ipv4/tcp_ipv4.c:1711
    ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
    dst_input include/net/dst.h:464 [inline]
    ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
    __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476
    __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514
    netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587
    netif_receive_skb+0xae/0x390 net/core/dev.c:4611
    tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372
    tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766
    tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792
    call_write_iter include/linux/fs.h:1770 [inline]
    new_sync_write fs/read_write.c:468 [inline]
    __vfs_write+0x68a/0x970 fs/read_write.c:481
    vfs_write+0x18f/0x510 fs/read_write.c:543
    SYSC_write fs/read_write.c:588 [inline]
    SyS_write+0xef/0x220 fs/read_write.c:580
    entry_SYSCALL_64_fastpath+0x1f/0xbe

    Freed by task 3306:
    save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
    save_stack+0x43/0xd0 mm/kasan/kasan.c:447
    set_track mm/kasan/kasan.c:459 [inline]
    kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
    __cache_free mm/slab.c:3503 [inline]
    kfree+0xca/0x250 mm/slab.c:3820
    inet_sock_destruct+0x59d/0x950 net/ipv4/af_inet.c:157
    __sk_destruct+0xfd/0x910 net/core/sock.c:1560
    sk_destruct+0x47/0x80 net/core/sock.c:1595
    __sk_free+0x57/0x230 net/core/sock.c:1603
    sk_free+0x2a/0x40 net/core/sock.c:1614
    sock_put include/net/sock.h:1652 [inline]
    inet_csk_complete_hashdance+0xd5/0xf0 net/ipv4/inet_connection_sock.c:959
    tcp_check_req+0xf4d/0x1620 net/ipv4/tcp_minisocks.c:765
    tcp_v4_rcv+0x17f6/0x2f80 net/ipv4/tcp_ipv4.c:1675
    ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
    dst_input include/net/dst.h:464 [inline]
    ip_rcv_finish+0x887/0x19a0 net/ipv4/ip_input.c:397
    NF_HOOK include/linux/netfilter.h:249 [inline]
    ip_rcv+0xc3f/0x1820 net/ipv4/ip_input.c:493
    __netif_receive_skb_core+0x1a3e/0x34b0 net/core/dev.c:4476
    __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4514
    netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4587
    netif_receive_skb+0xae/0x390 net/core/dev.c:4611
    tun_rx_batched.isra.50+0x5ed/0x860 drivers/net/tun.c:1372
    tun_get_user+0x249c/0x36d0 drivers/net/tun.c:1766
    tun_chr_write_iter+0xbf/0x160 drivers/net/tun.c:1792
    call_write_iter include/linux/fs.h:1770 [inline]
    new_sync_write fs/read_write.c:468 [inline]
    __vfs_write+0x68a/0x970 fs/read_write.c:481
    vfs_write+0x18f/0x510 fs/read_write.c:543
    SYSC_write fs/read_write.c:588 [inline]
    SyS_write+0xef/0x220 fs/read_write.c:580
    entry_SYSCALL_64_fastpath+0x1f/0xbe

    Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
    Fixes: 079096f103fa ("tcp/dccp: install syn_recv requests into ehash table")
    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller

    Eric Dumazet
     

02 Aug, 2017

1 commit

  • 40413955e   Cipso: cipso_v4_optptr enter infinite loop ... Browse Code »

    in for(),if((optlen > 0) && (optptr[1] == 0)), enter infinite loop.

    Test: receive a packet which the ip length > 20 and the first byte of ip option is 0, produce this issue

    Signed-off-by: yujuan.qi
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    yujuan.qi
     

04 Jul, 2017

1 commit

01 Jul, 2017

1 commit

  • b4217b828   net: convert netlbl_lsm_cache.refcount from atomic_t to refcount_t ... Browse Code »

    refcount_t type and corresponding API should be
    used instead of atomic_t when the variable is used as
    a reference counter. This allows to avoid accidental
    refcounter overflows that might lead to use-after-free
    situations.

    Signed-off-by: Elena Reshetova
    Signed-off-by: Hans Liljestrand
    Signed-off-by: Kees Cook
    Signed-off-by: David Windsor
    Signed-off-by: David S. Miller

    Reshetova, Elena
     

05 Feb, 2017

1 commit

  • d71b78968   netlabel: out of bound access in cipso_v4_validate() ... Browse Code »

    syzkaller found another out of bound access in ip_options_compile(),
    or more exactly in cipso_v4_validate()

    Fixes: 20e2a8648596 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
    Fixes: 446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
    Signed-off-by: Eric Dumazet
    Reported-by: Dmitry Vyukov
    Cc: Paul Moore
    Acked-by: Paul Moore
    Signed-off-by: David S. Miller

    Eric Dumazet
     

07 Jul, 2016

1 commit

28 Jun, 2016

1 commit

08 Apr, 2016

1 commit

04 Apr, 2015

2 commits

  • 00db41243   ipv4: coding style: comparison for inequality with NULL ... Browse Code »

    The ipv4 code uses a mixture of coding styles. In some instances check
    for non-NULL pointer is done as x != NULL and sometimes as x. x is
    preferred according to checkpatch and this patch makes the code
    consistent by adopting the latter form.

    No changes detected by objdiff.

    Signed-off-by: Ian Morris
    Signed-off-by: David S. Miller

    Ian Morris
     
  • 51456b291   ipv4: coding style: comparison for equality with NULL ... Browse Code »

    The ipv4 code uses a mixture of coding styles. In some instances check
    for NULL pointer is done as x == NULL and sometimes as !x. !x is
    preferred according to checkpatch and this patch makes the code
    consistent by adopting the latter form.

    No changes detected by objdiff.

    Signed-off-by: Ian Morris
    Signed-off-by: David S. Miller

    Ian Morris
     

12 Feb, 2015

1 commit

  • 04f81f015   cipso: don't use IPCB() to locate the CIPSO IP option ... Browse Code »

    Using the IPCB() macro to get the IPv4 options is convenient, but
    unfortunately NetLabel often needs to examine the CIPSO option outside
    of the scope of the IP layer in the stack. While historically IPCB()
    worked above the IP layer, due to the inclusion of the inet_skb_param
    struct at the head of the {tcp,udp}_skb_cb structs, recent commit
    971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
    reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

    This patch fixes the problem by creating a new function,
    cipso_v4_optptr(), which locates the CIPSO option inside the IP header
    without calling IPCB(). Unfortunately, this isn't as fast as a simple
    lookup so some additional tweaks were made to limit the use of this
    new function.

    Cc: # 3.18
    Reported-by: Casey Schaufler
    Signed-off-by: Paul Moore
    Tested-by: Casey Schaufler

    Paul Moore
     

05 Nov, 2014

3 commits

02 Oct, 2014

1 commit

01 Aug, 2014

3 commits

  • 4fbe63d1c   netlabel: shorter names for the NetLabel catmap funcs/structs ... Browse Code »

    Historically the NetLabel LSM secattr catmap functions and data
    structures have had very long names which makes a mess of the NetLabel
    code and anyone who uses NetLabel. This patch renames the catmap
    functions and structures from "*_secattr_catmap_*" to just "*_catmap_*"
    which improves things greatly.

    There are no substantial code or logic changes in this patch.

    Signed-off-by: Paul Moore
    Tested-by: Casey Schaufler

    Paul Moore
     
  • 4b8feff25   netlabel: fix the horribly broken catmap functions ... Browse Code »

    The NetLabel secattr catmap functions, and the SELinux import/export
    glue routines, were broken in many horrible ways and the SELinux glue
    code fiddled with the NetLabel catmap structures in ways that we
    probably shouldn't allow. At some point this "worked", but that was
    likely due to a bit of dumb luck and sub-par testing (both inflicted
    by yours truly). This patch corrects these problems by basically
    gutting the code in favor of something less obtuse and restoring the
    NetLabel abstractions in the SELinux catmap glue code.

    Everything is working now, and if it decides to break itself in the
    future this code will be much easier to debug than the code it
    replaces.

    One noteworthy side effect of the changes is that it is no longer
    necessary to allocate a NetLabel catmap before calling one of the
    NetLabel APIs to set a bit in the catmap. NetLabel will automatically
    allocate the catmap nodes when needed, resulting in less allocations
    when the lowest bit is greater than 255 and less code in the LSMs.

    Cc: stable@vger.kernel.org
    Reported-by: Christian Evans
    Signed-off-by: Paul Moore
    Tested-by: Casey Schaufler

    Paul Moore
     
  • 41c3bd203   netlabel: fix a problem when setting bits below the previously lowest bit ... Browse Code »

    The NetLabel category (catmap) functions have a problem in that they
    assume categories will be set in an increasing manner, e.g. the next
    category set will always be larger than the last. Unfortunately, this
    is not a valid assumption and could result in problems when attempting
    to set categories less than the startbit in the lowest catmap node.
    In some cases kernel panics and other nasties can result.

    This patch corrects the problem by checking for this and allocating a
    new catmap node instance and placing it at the front of the list.

    Cc: stable@vger.kernel.org
    Reported-by: Christian Evans
    Signed-off-by: Paul Moore
    Tested-by: Casey Schaufler

    Paul Moore
     

27 Dec, 2013

1 commit

07 Dec, 2013

1 commit

  • a99421d9b   ipv4/ipv6: Fix FSF address in file headers ... Browse Code »

    Several files refer to an old address for the Free Software Foundation
    in the file header comment. Resolve by replacing the address with
    the URL so that we do not have to keep
    updating the header comments anytime the address changes.

    CC: Alexey Kuznetsov
    CC: James Morris
    CC: Hideaki YOSHIFUJI
    CC: Patrick McHardy
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller

    Jeff Kirsher
     

19 Jul, 2012

1 commit

  • 89d7ae34c   cipso: don't follow a NULL pointer when setsockopt() is called ... Browse Code »

    As reported by Alan Cox, and verified by Lin Ming, when a user
    attempts to add a CIPSO option to a socket using the CIPSO_V4_TAG_LOCAL
    tag the kernel dies a terrible death when it attempts to follow a NULL
    pointer (the skb argument to cipso_v4_validate() is NULL when called via
    the setsockopt() syscall).

    This patch fixes this by first checking to ensure that the skb is
    non-NULL before using it to find the incoming network interface. In
    the unlikely case where the skb is NULL and the user attempts to add
    a CIPSO option with the _TAG_LOCAL tag we return an error as this is
    not something we want to allow.

    A simple reproducer, kindly supplied by Lin Ming, although you must
    have the CIPSO DOI #3 configure on the system first or you will be
    caught early in cipso_v4_validate():

    #include
    #include
    #include
    #include
    #include

    struct local_tag {
    char type;
    char length;
    char info[4];
    };

    struct cipso {
    char type;
    char length;
    char doi[4];
    struct local_tag local;
    };

    int main(int argc, char **argv)
    {
    int sockfd;
    struct cipso cipso = {
    .type = IPOPT_CIPSO,
    .length = sizeof(struct cipso),
    .local = {
    .type = 128,
    .length = sizeof(struct local_tag),
    },
    };

    memset(cipso.doi, 0, 4);
    cipso.doi[3] = 3;

    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
    #define SOL_IP 0
    setsockopt(sockfd, SOL_IP, IP_OPTIONS,
    &cipso, sizeof(struct cipso));

    return 0;
    }

    CC: Lin Ming
    Reported-by: Alan Cox
    Signed-off-by: Paul Moore
    Signed-off-by: David S. Miller

    Paul Moore
     

22 Feb, 2012

1 commit

  • 4f9c8c1b0   ipv4: Convert call_rcu() to kfree_rcu(), drop opt_kfree_rcu() ... Browse Code »

    Because opt_kfree_rcu() just calls kfree(), all call_rcu() uses of it
    may be converted to kfree_rcu(). This permits opt_kfree_rcu() to
    be eliminated.

    Signed-off-by: Paul E. McKenney
    Signed-off-by: Paul E. McKenney
    Acked-by: David S. Miller
    Cc: Alexey Kuznetsov
    Cc: James Morris
    Cc: Hideaki YOSHIFUJI
    Cc: Patrick McHardy
    Cc: netdev@vger.kernel.org

    Paul E. McKenney
     

12 Oct, 2011

1 commit

27 Jul, 2011

1 commit

  • 60063497a   atomic: use <linux/atomic.h> ... Browse Code »

    This allows us to move duplicated code in
    (atomic_inc_not_zero() for now) to

    Signed-off-by: Arun Sharma
    Reviewed-by: Eric Dumazet
    Cc: Ingo Molnar
    Cc: David Miller
    Cc: Eric Dumazet
    Acked-by: Mike Frysinger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    Arun Sharma
     

29 Apr, 2011

1 commit

  • f6d8bd051   inet: add RCU protection to inet->opt ... Browse Code »

    We lack proper synchronization to manipulate inet->opt ip_options

    Problem is ip_make_skb() calls ip_setup_cork() and
    ip_setup_cork() possibly makes a copy of ipc->opt (struct ip_options),
    without any protection against another thread manipulating inet->opt.

    Another thread can change inet->opt pointer and free old one under us.

    Use RCU to protect inet->opt (changed to inet->inet_opt).

    Instead of handling atomic refcounts, just copy ip_options when
    necessary, to avoid cache line dirtying.

    We cant insert an rcu_head in struct ip_options since its included in
    skb->cb[], so this patch is large because I had to introduce a new
    ip_options_rcu structure.

    Signed-off-by: Eric Dumazet
    Cc: Herbert Xu
    Signed-off-by: David S. Miller

    Eric Dumazet
     

31 Mar, 2011

1 commit

18 Oct, 2010

1 commit

  • 631dd1a88   Update broken web addresses in the kernel. ... Browse Code »

    The patch below updates broken web addresses in the kernel

    Signed-off-by: Justin P. Mattock
    Cc: Maciej W. Rozycki
    Cc: Geert Uytterhoeven
    Cc: Finn Thain
    Cc: Randy Dunlap
    Cc: Matt Turner
    Cc: Dimitry Torokhov
    Cc: Mike Frysinger
    Acked-by: Ben Pfaff
    Acked-by: Hans J. Koch
    Reviewed-by: Finn Thain
    Signed-off-by: Jiri Kosina

    Justin P. Mattock
     

18 May, 2010

1 commit

  • 3fa21e07e   net: Remove unnecessary returns from void function()s ... Browse Code »

    This patch removes from net/ (but not any netfilter files)
    all the unnecessary return; statements that precede the
    last closing brace of void functions.

    It does not remove the returns that are immediately
    preceded by a label as gcc doesn't like that.

    Done via:
    $ grep -rP --include=*.[ch] -l "return;\n}" net/ | \
    xargs perl -i -e 'local $/ ; while (<>) { s/\n[ \t\n]+return;\n}/\n}/g; print; }'

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

30 Mar, 2010

1 commit

  • 5a0e3ad6a   include cleanup: Update gfp.h and slab.h includes to prepare for breaking implic… ... Browse Code »

    …it slab.h inclusion from percpu.h

    percpu.h is included by sched.h and module.h and thus ends up being
    included when building most .c files. percpu.h includes slab.h which
    in turn includes gfp.h making everything defined by the two files
    universally available and complicating inclusion dependencies.

    percpu.h -> slab.h dependency is about to be removed. Prepare for
    this change by updating users of gfp and slab facilities include those
    headers directly instead of assuming availability. As this conversion
    needs to touch large number of source files, the following script is
    used as the basis of conversion.

    http://userweb.kernel.org/~tj/misc/slabh-sweep.py

    The script does the followings.

    * Scan files for gfp and slab usages and update includes such that
    only the necessary includes are there. ie. if only gfp is used,
    gfp.h, if slab is used, slab.h.

    * When the script inserts a new include, it looks at the include
    blocks and try to put the new include such that its order conforms
    to its surrounding. It's put in the include block which contains
    core kernel includes, in the same order that the rest are ordered -
    alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
    doesn't seem to be any matching order.

    * If the script can't find a place to put a new include (mostly
    because the file doesn't have fitting include block), it prints out
    an error message indicating which .h file needs to be added to the
    file.

    The conversion was done in the following steps.

    1. The initial automatic conversion of all .c files updated slightly
    over 4000 files, deleting around 700 includes and adding ~480 gfp.h
    and ~3000 slab.h inclusions. The script emitted errors for ~400
    files.

    2. Each error was manually checked. Some didn't need the inclusion,
    some needed manual addition while adding it to implementation .h or
    embedding .c file was more appropriate for others. This step added
    inclusions to around 150 files.

    3. The script was run again and the output was compared to the edits
    from #2 to make sure no file was left behind.

    4. Several build tests were done and a couple of problems were fixed.
    e.g. lib/decompress_*.c used malloc/free() wrappers around slab
    APIs requiring slab.h to be added manually.

    5. The script was run on all .h files but without automatically
    editing them as sprinkling gfp.h and slab.h inclusions around .h
    files could easily lead to inclusion dependency hell. Most gfp.h
    inclusion directives were ignored as stuff from gfp.h was usually
    wildly available and often used in preprocessor macros. Each
    slab.h inclusion directive was examined and added manually as
    necessary.

    6. percpu.h was updated not to include slab.h.

    7. Build test were done on the following configurations and failures
    were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
    distributed build env didn't work with gcov compiles) and a few
    more options had to be turned off depending on archs to make things
    build (like ipr on powerpc/64 which failed due to missing writeq).

    * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
    * powerpc and powerpc64 SMP allmodconfig
    * sparc and sparc64 SMP allmodconfig
    * ia64 SMP allmodconfig
    * s390 SMP allmodconfig
    * alpha SMP allmodconfig
    * um on x86_64 SMP allmodconfig

    8. percpu.h modifications were reverted so that it could be applied as
    a separate patch and serve as bisection point.

    Given the fact that I had only a couple of failures from tests on step
    6, I'm fairly confident about the coverage of this conversion patch.
    If there is a breakage, it's likely to be something in one of the arch
    headers which should be easily discoverable easily on most builds of
    the specific arch.

    Signed-off-by: Tejun Heo <tj@kernel.org>
    Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
    Cc: Ingo Molnar <mingo@redhat.com>
    Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>

    Tejun Heo
     

08 Oct, 2009

1 commit

28 Mar, 2009

1 commit

  • 389fb800a   netlabel: Label incoming TCP connections correctly in SELinux ... Browse Code »

    The current NetLabel/SELinux behavior for incoming TCP connections works but
    only through a series of happy coincidences that rely on the limited nature of
    standard CIPSO (only able to convey MLS attributes) and the write equality
    imposed by the SELinux MLS constraints. The problem is that network sockets
    created as the result of an incoming TCP connection were not on-the-wire
    labeled based on the security attributes of the parent socket but rather based
    on the wire label of the remote peer. The issue had to do with how IP options
    were managed as part of the network stack and where the LSM hooks were in
    relation to the code which set the IP options on these newly created child
    sockets. While NetLabel/SELinux did correctly set the socket's on-the-wire
    label it was promptly cleared by the network stack and reset based on the IP
    options of the remote peer.

    This patch, in conjunction with a prior patch that adjusted the LSM hook
    locations, works to set the correct on-the-wire label format for new incoming
    connections through the security_inet_conn_request() hook. Besides the
    correct behavior there are many advantages to this change, the most significant
    is that all of the NetLabel socket labeling code in SELinux now lives in hooks
    which can return error codes to the core stack which allows us to finally get
    ride of the selinux_netlbl_inode_permission() logic which greatly simplfies
    the NetLabel/SELinux glue code. In the process of developing this patch I
    also ran into a small handful of AF_INET6 cleanliness issues that have been
    fixed which should make the code safer and easier to extend in the future.

    Signed-off-by: Paul Moore
    Acked-by: Casey Schaufler
    Signed-off-by: James Morris

    Paul Moore
     

23 Feb, 2009

1 commit

  • 586c25003   cipso: Fix documentation comment ... Browse Code »

    The CIPSO protocol engine incorrectly stated that the FIPS-188 specification
    could be found in the kernel's Documentation directory. This patch corrects
    that by removing the comment and directing users to the FIPS-188 documented
    hosted online. For the sake of completeness I've also included a link to the
    CIPSO draft specification on the NetLabel website.

    Thanks to Randy Dunlap for spotting the error and letting me know.

    Signed-off-by: Paul Moore
    Signed-off-by: James Morris

    Paul Moore
     

01 Jan, 2009

1 commit

31 Oct, 2008

1 commit

30 Oct, 2008

1 commit

29 Oct, 2008

1 commit

  • 93adcc80f   net: don't use INIT_RCU_HEAD ... Browse Code »

    call_rcu() will unconditionally rewrite RCU head anyway.
    Applies to
    struct neigh_parms
    struct neigh_table
    struct net
    struct cipso_v4_doi
    struct in_ifaddr
    struct in_device
    rt->u.dst

    Signed-off-by: Alexey Dobriyan
    Acked-by: Paul E. McKenney
    Signed-off-by: David S. Miller

    Alexey Dobriyan
     

10 Oct, 2008

3 commits

  • 15c45f7b2   cipso: Add support for native local labeling and fixup mapping names ... Browse Code »

    This patch accomplishes three minor tasks: add a new tag type for local
    labeling, rename the CIPSO_V4_MAP_STD define to CIPSO_V4_MAP_TRANS and
    replace some of the CIPSO "magic numbers" with constants from the header
    file. The first change allows CIPSO to support full LSM labels/contexts,
    not just MLS attributes. The second change brings the mapping names inline
    with what userspace is using, compatibility is preserved since we don't
    actually change the value. The last change is to aid readability and help
    prevent mistakes.

    Signed-off-by: Paul Moore

    Paul Moore
     
  • 014ab19a6   selinux: Set socket NetLabel based on connection endpoint ... Browse Code »

    Previous work enabled the use of address based NetLabel selectors, which while
    highly useful, brought the potential for additional per-packet overhead when
    used. This patch attempts to solve that by applying NetLabel socket labels
    when sockets are connect()'d. This should alleviate the per-packet NetLabel
    labeling for all connected sockets (yes, it even works for connected DGRAM
    sockets).

    Signed-off-by: Paul Moore
    Reviewed-by: James Morris

    Paul Moore
     
  • 948bf85c1   netlabel: Add functionality to set the security attributes of a packet ... Browse Code »

    This patch builds upon the new NetLabel address selector functionality by
    providing the NetLabel KAPI and CIPSO engine support needed to enable the
    new packet-based labeling. The only new addition to the NetLabel KAPI at
    this point is shown below:

    * int netlbl_skbuff_setattr(skb, family, secattr)

    ... and is designed to be called from a Netfilter hook after the packet's
    IP header has been populated such as in the FORWARD or LOCAL_OUT hooks.

    This patch also provides the necessary SELinux hooks to support this new
    functionality. Smack support is not currently included due to uncertainty
    regarding the permissions needed to expand the Smack network access controls.

    Signed-off-by: Paul Moore
    Reviewed-by: James Morris

    Paul Moore