16 Jan, 2013 17 commits
15 Jan, 2013 14 commits
14 Jan, 2013 9 commits
    • Merge branch 'master' of git://1984.lsi.us.es/nf · 47fb3a26
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      The following patchset contains netfilter fixes for 3.8-rc3,
      they are:
      
      * fix possible BUG_ON if several netns are in use and the nf_conntrack
        module is removed, initial patch from Gao feng, final patch from myself.
      
      * fix unset return value if conntrack zones are disabled at
        compile-time, reported by Borislav Petkov, fix from myself.
      
      * fix display error message via dmesg for arp_tables, from Jan Engelhardt.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tun: fix LSM/SELinux labeling of tun/tap devices · 5dbbaf2d
      Paul Moore authored
      This patch corrects some problems with LSM/SELinux that were introduced
      with the multiqueue patchset.  The problem stems from the fact that the
      multiqueue work changed the relationship between the tun device and its
      associated socket; before the socket persisted for the life of the
      device, however after the multiqueue changes the socket only persisted
      for the life of the userspace connection (fd open).  For non-persistent
      devices this is not an issue, but for persistent devices this can cause
      the tun device to lose its SELinux label.
      
      We correct this problem by adding an opaque LSM security blob to the
      tun device struct which allows us to have the LSM security state, e.g.
      SELinux labeling information, persist for the lifetime of the tun
      device.  In the process we tweak the LSM hooks to work with this new
      approach to TUN device/socket labeling and introduce a new LSM hook,
      security_tun_dev_attach_queue(), to approve requests to attach to a
      TUN queue via TUNSETQUEUE.
      
      The SELinux code has been adjusted to match the new LSM hooks, the
      other LSMs do not make use of the LSM TUN controls.  This patch makes
      use of the recently added "tun_socket:attach_queue" permission to
      restrict access to the TUNSETQUEUE operation.  On older SELinux
      policies which do not define the "tun_socket:attach_queue" permission
      the access control decision for TUNSETQUEUE will be handled according
      to the SELinux policy's unknown permission setting.
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Acked-by: Eric Paris <eparis@parisplace.org>
      Tested-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • selinux: add the "attach_queue" permission to the "tun_socket" class · 6f96c142
      Paul Moore authored
      Add a new permission to align with the new TUN multiqueue support,
      "tun_socket:attach_queue".
      
      The corresponding SELinux reference policy patch is shown below:
      
       diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
       index 28802c5..a0664a1 100644
       --- a/policy/flask/access_vectors
       +++ b/policy/flask/access_vectors
       @@ -827,6 +827,9 @@ class kernel_service
      
        class tun_socket
        inherits socket
       +{
       +       attach_queue
       +}
      
        class x_pointer
        inherits x_device
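      Review bot: the hunk only declares `attach_queue` under `class tun_socket` in access_vectors and carries no allow rule, so once a kernel that enforces the new hook on TUNSETQUEUE (5dbbaf2d in this same series) is paired with this policy, every domain that attaches to a TUN queue is denied until the policy modules that manage tun sockets grant `tun_socket` `attach_queue` to those domains. Either add the corresponding allow rule in the same reference policy patch or state in the message which module is expected to carry it, so the two changes are not deployed apart.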
      Signed-off-by: Paul Moore <pmoore@redhat.com>
      Acked-by: Eric Paris <eparis@parisplace.org>
      Tested-by: Jason Wang <jasowang@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tcp: fix a panic on UP machines in reqsk_fastopen_remove · cce894bb
      Eric Dumazet authored
      spin_is_locked() on a non !SMP build is kind of useless.
      
      BUG_ON(!spin_is_locked(xx)) is guaranteed to crash.
      
      Just remove this check in reqsk_fastopen_remove() as
      the callers do hold the socket lock.
      Reported-by: Ketan Kulkarni <ketkulka@gmail.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Jerry Chu <hkchu@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Dave Taht <dave.taht@gmail.com>
      Acked-by: H.K. Jerry Chu <hkchu@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge tag 'dt-fixes-for-3.8' of git://sources.calxeda.com/kernel/linux · 3152ba0f
      Linus Torvalds authored
      Pull devicetree fixes from Rob Herring:
       "Two fixes to prevent unconditional re-compile of dts files on arm and
        arm64."
      
      * tag 'dt-fixes-for-3.8' of git://sources.calxeda.com/kernel/linux:
        ARM: dts: prevent *.dtb from always being rebuilt
        arm64: dts: prevent *.dtb from always being rebuilt
    • vfs: add missing virtual cache flush after editing partial pages · 6d283dba
      Linus Torvalds authored
      Andrew Morton pointed this out a month ago, and then I completely forgot
      about it.
      
      If we read a partial last page of a block device, we will zero out the
      end of the page, but since that page can then be mapped into user space,
      we should also make sure to flush the cache on architectures that have
      virtual caches.  We have the flush_dcache_page() function for this, so
      use it.
      
      Now, in practice this really never matters, because nobody sane uses
      virtual caches to begin with, and they largely exist on old broken RISC
      architectures.
      
      And even if you did run on one of those obsolete CPUs, the whole "mmap
      and access the last partial page of a block device" behavior probably
      doesn't actually exist.  The normal IO functions (read/write) will never
      see the zeroed-out part of the page that might not be coherent in the
      cache, because they honor the size of the device.
      
      So I'm marking this for stable (3.7 only), but I'm not sure anybody will
      ever care.
      Pointed-out-by: Andrew Morton <akpm@linux-foundation.org>
      Cc: stable@vger.kernel.org  # 3.7
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • ifb: don't hard code inet_net use · 73bf0d0e
      Eric Dumazet authored
      ifb should lookup devices in the appropriate namespace.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: remove flags argument from phy_{attach, connect, connect_direct} · f9a8f83b
      Florian Fainelli authored
      The flags argument of the phy_{attach,connect,connect_direct} functions
      is then used to assign a struct phy_device dev_flags with its value.
      All callers but the tg3 driver pass the flag 0, which results in the
      underlying PHY drivers in drivers/net/phy/ not being able to actually
      use any of the flags they would set in dev_flags. This patch gets rid of
      the flags argument, and passes phydev->dev_flags to the internal PHY
      library call phy_attach_direct() such that drivers which actually modify
      a phy device dev_flags get the value preserved for use by the underlying
      phy driver.
      Acked-by: Kosta Zertsekel <konszert@marvell.com>
      Signed-off-by: Florian Fainelli <florian@openwrt.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • pkt_sched: namespace aware act_mirred · c1b52739
      Benjamin LaHaise authored
      Eric Dumazet pointed out that act_mirred needs to find the current net_ns,
      and struct net pointer is not provided in the call chain.  His original
      patch made use of current->nsproxy->net_ns to find the network namespace,
      but this fails to work correctly for userspace code that makes use of
      netlink sockets in different network namespaces.  Instead, pass the
      "struct net *" down along the call chain to where it is needed.
      
      This version removes the ifb changes as Eric has submitted that patch
      separately, but is otherwise identical to the previous version.
      Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
      Tested-by: Eric Dumazet <eric.dumazet@gmail.com>
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>