)]}'
{
  "log": [
    {
      "commit": "4da5105687e0993a3bbdcffd89b2b94d9377faab",
      "tree": "bd6a67ec275f11f633224aa683e4102437a2d646",
      "parents": [
        "d8ac48d4cbae0cc59b7784399292fbda3e231be3"
      ],
      "author": {
        "name": "Kazunori MIYAZAWA",
        "email": "kazunori@miyazawa.org",
        "time": "Wed May 21 13:26:11 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed May 21 13:26:11 2008 -0700"
      },
      "message": "af_key: Fix selector family initialization.\n\nThis propagates the xfrm_user fix made in commit\nbcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 (\"[XFRM]: xfrm_user: fix\nselector family initialization\")\n\nBased upon a bug report from, and tested by, Alan Swanson.\n\nSigned-off-by: Kazunori MIYAZAWA \u003ckazunori@miyazawa.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n\n"
    },
    {
      "commit": "2532386f480eefbdd67b48be55fb4fb3e5a6081c",
      "tree": "dd6a5a3c4116a67380a1336319c16632f04f80f9",
      "parents": [
        "436c405c7d19455a71f42c9bec5fd5e028f1eb4e"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Fri Apr 18 10:09:25 2008 -0400"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Mon Apr 28 06:18:03 2008 -0400"
      },
      "message": "Audit: collect sessionid in netlink messages\n\nPreviously I added sessionid output to all audit messages where it was\navailable but we still didn\u0027t know the sessionid of the sender of\nnetlink messages.  This patch adds that information to netlink messages\nso we can audit who sent netlink messages.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "2db3e47e7080fde2a43d6312190d8229826b8e42",
      "tree": "a9f03b52cce1501c32a8d24d657d3d5bc1888fae",
      "parents": [
        "9edb74cc6ccb3a893c3d40727b7003c3c16f85a0"
      ],
      "author": {
        "name": "Brian Haley",
        "email": "brian.haley@hp.com",
        "time": "Thu Apr 24 20:38:31 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Apr 24 20:38:31 2008 -0700"
      },
      "message": "af_key: Fix af_key.c compiler warning\n\nnet/key/af_key.c: In function ‘pfkey_spddelete’:\nnet/key/af_key.c:2359: warning: ‘pol_ctx’ may be used uninitialized in \nthis function\n\nWhen CONFIG_SECURITY_NETWORK_XFRM isn\u0027t set, \nsecurity_xfrm_policy_alloc() is an inline that doesn\u0027t set pol_ctx, so \nthis seemed like the easiest fix short of using *uninitialized_var(pol_ctx).\n\nSigned-off-by: Brian Haley \u003cbrian.haley@hp.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "c5d18e984a313adf5a1a4ae69e0b1d93cf410229",
      "tree": "2922514a388759b999757eec49b7a5bd9f290e3c",
      "parents": [
        "7c3f944e29c02d71e13442e977cf4cec19c39e98"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Tue Apr 22 00:46:42 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Apr 22 00:46:42 2008 -0700"
      },
      "message": "[IPSEC]: Fix catch-22 with algorithm IDs above 31\n\nAs it stands it\u0027s impossible to use any authentication algorithms\nwith an ID above 31 portably.  It just happens to work on x86 but\nfails miserably on ppc64.\n\nThe reason is that we\u0027re using a bit mask to check the algorithm\nID but the mask is only 32 bits wide.\n\nAfter looking at how this is used in the field, I have concluded\nthat in the long term we should phase out state matching by IDs\nbecause this is made superfluous by the reqid feature.  For current\napplications, the best solution IMHO is to allow all algorithms when\nthe bit masks are all ~0.\n\nThe following patch does exactly that.\n\nThis bug was identified by IBM when testing on the ppc64 platform\nusing the NULL authentication algorithm which has an ID of 251.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b",
      "tree": "1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7",
      "parents": [
        "00447872a643787411c2c0cb1df6169dda8b0c47"
      ],
      "author": {
        "name": "Paul Moore",
        "email": "paul.moore@hp.com",
        "time": "Sat Apr 12 19:07:52 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Apr 12 19:07:52 2008 -0700"
      },
      "message": "LSM: Make the Labeled IPsec hooks more stack friendly\n\nThe xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs\non the stack to work around the LSM API.  This patch attempts to fix that\nproblem by changing the LSM API to require only the relevant \"security\"\npointers instead of the entire SPD entry; we do this for all of the\nsecurity_xfrm_policy*() functions to keep things consistent.\n\nSigned-off-by: Paul Moore \u003cpaul.moore@hp.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "8e8e43843ba3ced0c657cbc0fdb10644ec60f772",
      "tree": "e64954326ced9c365c52c256f01b5f9fb1bcae66",
      "parents": [
        "ed85f2c3b2b72bd20f617ac749f5c22be8d0f66e",
        "50fd4407b8bfbde7c1a0bfe4f24de7df37164342"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Mar 27 18:48:56 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Mar 27 18:48:56 2008 -0700"
      },
      "message": "Merge branch \u0027master\u0027 of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6\n\nConflicts:\n\n\tdrivers/net/usb/rndis_host.c\n\tdrivers/net/wireless/b43/dma.c\n\tnet/ipv6/ndisc.c\n"
    },
    {
      "commit": "df9dcb4588aca9cc243cf1f3f454361a84e1cbdb",
      "tree": "53dabed7cffee752109808cbea2f812e0a6d7faf",
      "parents": [
        "fa86d322d89995fef1bfb5cc768b89d8c22ea0d9"
      ],
      "author": {
        "name": "Kazunori MIYAZAWA",
        "email": "kazunori@miyazawa.org",
        "time": "Mon Mar 24 14:51:51 2008 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Mar 24 14:51:51 2008 -0700"
      },
      "message": "[IPSEC]: Fix inter address family IPsec tunnel handling.\n\nSigned-off-by: Kazunori MIYAZAWA \u003ckazunori@miyazawa.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "83321d6b9872b94604e481a79dc2c8acbe4ece31",
      "tree": "7ea6bad51b21b2dd5abaaab75df2fc546f623441",
      "parents": [
        "26bad2c05eef400d9af16979bd96e301902ebd13"
      ],
      "author": {
        "name": "Timo Teras",
        "email": "timo.teras@iki.fi",
        "time": "Mon Mar 03 23:40:12 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Mar 03 23:40:12 2008 -0800"
      },
      "message": "[AF_KEY]: Dump SA/SP entries non-atomically\n\nStop dumping of entries when af_key socket receive queue is getting\nfull and continue it later when there is more room again.\n\nThis fixes dumping of large databases. Currently the entries not\nfitting into the receive queue are just dropped (including the\nend-of-dump message) which can confuse applications.\n\nSigned-off-by: Timo Teras \u003ctimo.teras@iki.fi\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "4c563f7669c10a12354b72b518c2287ffc6ebfb3",
      "tree": "056ec93f192f31640f32983c9e11bc7ce1c0692f",
      "parents": [
        "1e04d530705280770e003ac8db516722cca54758"
      ],
      "author": {
        "name": "Timo Teras",
        "email": "timo.teras@iki.fi",
        "time": "Thu Feb 28 21:31:08 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Feb 28 21:31:08 2008 -0800"
      },
      "message": "[XFRM]: Speed up xfrm_policy and xfrm_state walking\n\nChange xfrm_policy and xfrm_state walking algorithm from O(n^2) to O(n).\nThis is achieved adding the entries to one more list which is used\nsolely for walking the entries.\n\nThis also fixes some races where the dump can have duplicate or missing\nentries when the SPD/SADB is modified during an ongoing dump.\n\nDumping SADB with 20000 entries using \"time ip xfrm state\" the sys\ntime dropped from 1.012s to 0.080s.\n\nSigned-off-by: Timo Teras \u003ctimo.teras@iki.fi\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "d9595a7b9c777d45a74774f1428c263a0a47f4c0",
      "tree": "1151c7d17fe6b95f99134d8689876cdae8f491e4",
      "parents": [
        "78374676efae525094aee45c0aab4bcab95ea9d1"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Feb 26 22:20:44 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Feb 26 22:23:31 2008 -0800"
      },
      "message": "[AF_KEY]: Fix oops by converting to proc_net_*().\n\nTo make sure the procfs visibility occurs after the -\u003eproc_fs ops are\nsetup, use proc_net_fops_create() and proc_net_remove().\n\nThis also fixes an OOPS after module unload in that the name string\nfor remove was wrong, so it wouldn\u0027t actually be removed.  That bug\nwas introduced by commit 61145aa1a12401ac71bcc450a58c773dd6e2bfb9\n(\"[KEY]: Clean up proc files creation a bit.\")\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "a4d6b8af1e92daa872f55d06415b76c35f44d8bd",
      "tree": "a1c4b760b39176cffdca6f2213681236d920734a",
      "parents": [
        "d0c1fd7a8f4cadb95b093d2600ad627f432c5edb"
      ],
      "author": {
        "name": "Kazunori MIYAZAWA",
        "email": "kazunori@miyazawa.org",
        "time": "Thu Feb 14 14:51:38 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Feb 14 14:51:38 2008 -0800"
      },
      "message": "[AF_KEY]: Fix bug in spdadd\n\nThis patch fix a BUG when adding spds which have same selector.\n\nSigned-off-by: Kazunori MIYAZAWA \u003ckazunori@miyazawa.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "bd2f747658b303d9b08d2c5bc815022d825a5e3c",
      "tree": "c04d118379e68c7cb17a967b16dc561dda418dcd",
      "parents": [
        "61145aa1a12401ac71bcc450a58c773dd6e2bfb9"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Sat Feb 09 23:20:06 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Feb 09 23:20:06 2008 -0800"
      },
      "message": "[KEY]: Convert net/pfkey to use seq files.\n\nThe seq files API disposes the caller of the difficulty of\nchecking file position, the length of data to produce and\nthe size of provided buffer.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "61145aa1a12401ac71bcc450a58c773dd6e2bfb9",
      "tree": "8e9612d88158030e3a62ca76d95c3304948fc4ab",
      "parents": [
        "0efeaa335ce494680d1884f267eed7642dee3ca8"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Sat Feb 09 23:19:14 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Feb 09 23:19:14 2008 -0800"
      },
      "message": "[KEY]: Clean up proc files creation a bit.\n\nMainly this removes ifdef-s from inside the ipsec_pfkey_init.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "0c11b9428f619ab377c92eff2f160a834a6585dd",
      "tree": "35b573715ad5730a77d067486838345132771a7a",
      "parents": [
        "24e1c13c93cbdd05e4b7ea921c0050b036555adc"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Thu Jan 10 04:20:52 2008 -0500"
      },
      "committer": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Fri Feb 01 14:04:59 2008 -0500"
      },
      "message": "[PATCH] switch audit_get_loginuid() to task_struct *\n\nall callers pass something-\u003eaudit_context\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\n"
    },
    {
      "commit": "64c31b3f76482bb64459e786f9eca3bd0164d153",
      "tree": "4f8fa9e23dbb2b2a73c4516263c983b01cff4f3a",
      "parents": [
        "d66e37a99d323012165ce91fd5c4518e2fcea0c5"
      ],
      "author": {
        "name": "WANG Cong",
        "email": "xiyou.wangcong@gmail.com",
        "time": "Mon Jan 07 22:34:29 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Jan 28 15:00:46 2008 -0800"
      },
      "message": "[XFRM] xfrm_policy_destroy: Rename and relative fixes.\n\nSince __xfrm_policy_destroy is used to destory the resources\nallocated by xfrm_policy_alloc. So using the name\n__xfrm_policy_destroy is not correspond with xfrm_policy_alloc.\nRename it to xfrm_policy_destroy.\n\nAnd along with some instances that call xfrm_policy_alloc\nbut not using xfrm_policy_destroy to destroy the resource,\nfix them.\n\nSigned-off-by: WANG Cong \u003cxiyou.wangcong@gmail.com\u003e\nAcked-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "d4782c323d10d3698b71b6a6b3c7bdad33824658",
      "tree": "5c2b4706135ab68f5690adbbe7480b627476608d",
      "parents": [
        "421c991483a6e52091cd2120c007cbc220d669ae"
      ],
      "author": {
        "name": "Patrick McHardy",
        "email": "kaber@trash.net",
        "time": "Sun Jan 20 17:24:29 2008 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sun Jan 20 20:31:45 2008 -0800"
      },
      "message": "[AF_KEY]: Fix skb leak on pfkey_send_migrate() error\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "f398035f2dec0a6150833b0bc105057953594edb",
      "tree": "861e4cffa93b61d1469df346267fa068f9fdf283",
      "parents": [
        "e0260feddf8a68301c75cdfff9ec251d5851b006"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Wed Dec 19 23:44:29 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Dec 19 23:44:29 2007 -0800"
      },
      "message": "[IPSEC]: Avoid undefined shift operation when testing algorithm ID\n\nThe aalgos/ealgos fields are only 32 bits wide.  However, af_key tries\nto test them with the expression 1 \u003c\u003c id where id can be as large as\n253.  This produces different behaviour on different architectures.\n\nThe following patch explicitly checks whether ID is greater than 31\nand fails the check if that\u0027s the case.\n\nWe cannot easily extend the mask to be longer than 32 bits due to\nexposure to user-space.  Besides, this whole interface is obsolete\nanyway in favour of the xfrm_user interface which doesn\u0027t use this\nbit mask in templates (well not within the kernel anyway).\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "8053fc3de720e1027d690f892ff7d7c1737fdd9d",
      "tree": "0437efa29587beb5ebb174c402f7954cfde2269a",
      "parents": [
        "7f9c33e515353ea91afc62341161fead19e78567"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Mon Nov 26 19:07:34 2007 +0800"
      },
      "committer": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Mon Nov 26 19:07:34 2007 +0800"
      },
      "message": "[IPSEC]: Temporarily remove locks around copying of non-atomic fields\n\nThe change 050f009e16f908932070313c1745d09dc69fd62b\n\n\t[IPSEC]: Lock state when copying non-atomic fields to user-space\n\ncaused a regression.\n\nIngo Molnar reports that it causes a potential dead-lock found by the\nlock validator as it tries to take x-\u003elock within xfrm_state_lock while\nnumerous other sites take the locks in opposite order.\n\nFor 2.6.24, the best fix is to simply remove the added locks as that puts\nus back in the same state as we\u0027ve been in for years.  For later kernels\na proper fix would be to reverse the locking order for every xfrm state\nuser such that if x-\u003elock is taken together with xfrm_state_lock then\nit is to be taken within it.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "435000bebd94aae3a7a50078d142d11683d3b193",
      "tree": "f40c9c1a6b21db3d720ff608b3f81ce1f32f77ea",
      "parents": [
        "8c92e6b0bf48a1735ddc61ebb08a0bb77c6bfa23"
      ],
      "author": {
        "name": "Charles Hardin",
        "email": "chardin@2wire.com",
        "time": "Thu Nov 22 19:35:15 2007 +0800"
      },
      "committer": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Thu Nov 22 19:35:15 2007 +0800"
      },
      "message": "[PFKEY]: Sending an SADB_GET responds with an SADB_GET\n\nFrom: Charles Hardin \u003cchardin@2wire.com\u003e\n\nKernel needs to respond to an SADB_GET with the same message type to\nconform to the RFC 2367 Section 3.1.5\n\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "6257ff2177ff02d7f260a7a501876aa41cb9a9f6",
      "tree": "9d9f80ccf16f3d4ef062e896f62974c5496193ad",
      "parents": [
        "154adbc8469ff21fbf5c958446ee92dbaab01be1"
      ],
      "author": {
        "name": "Pavel Emelyanov",
        "email": "xemul@openvz.org",
        "time": "Thu Nov 01 00:39:31 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Nov 01 00:39:31 2007 -0700"
      },
      "message": "[NET]: Forget the zero_it argument of sk_alloc()\n\nFinally, the zero_it argument can be completely removed from\nthe callers and from the function prototype.\n\nBesides, fix the checkpatch.pl warnings about using the\nassignments inside if-s.\n\nThis patch is rather big, and it is a part of the previous one.\nI splitted it wishing to make the patches more readable. Hope \nthis particular split helped.\n\nSigned-off-by: Pavel Emelyanov \u003cxemul@openvz.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "298bb62175a8e8c2f21f3e00543cda853f423599",
      "tree": "185cd32204c9758369c125971f268db9749f9157",
      "parents": [
        "97ef1bb0c8e371b7988287f38bd107c4aa14d78d"
      ],
      "author": {
        "name": "Stephen Rothwell",
        "email": "sfr@canb.auug.org.au",
        "time": "Tue Oct 30 23:57:05 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Oct 30 23:57:05 2007 -0700"
      },
      "message": "[AF_KEY]: suppress a warning for 64k pages.\n\nOn PowerPC allmodconfig build we get this:\n\nnet/key/af_key.c:400: warning: comparison is always false due to limited range of data type\n\nSigned-off-by: Stephen Rothwell \u003csfr@canb.auug.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "050f009e16f908932070313c1745d09dc69fd62b",
      "tree": "2176b8034065bf2e8b401865efcfaab912bb1997",
      "parents": [
        "68325d3b12ad5bce650c2883bb878257f197efff"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Tue Oct 09 13:31:47 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:55:02 2007 -0700"
      },
      "message": "[IPSEC]: Lock state when copying non-atomic fields to user-space\n\nThis patch adds locking so that when we\u0027re copying non-atomic fields such as\nlife-time or coaddr to user-space we don\u0027t get a partial result.\n\nFor af_key I\u0027ve changed every instance of pfkey_xfrm_state2msg apart from\nexpiration notification to include the keys and life-times.  This is in-line\nwith XFRM behaviour.\n\nThe actual cases affected are:\n\n* pfkey_getspi: No change as we don\u0027t have any keys to copy.\n* key_notify_sa:\n\t+ ADD/UPD: This wouldn\u0027t work otherwise.\n\t+ DEL: It can\u0027t hurt.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "658b219e9379d75fbdc578b9630b598098471258",
      "tree": "fe802c4e1ee6468a9c2558a5e529b2380845a003",
      "parents": [
        "75ba28c633952f7994a7117c98ae6515b58f8d30"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Tue Oct 09 13:29:52 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:55:01 2007 -0700"
      },
      "message": "[IPSEC]: Move common code into xfrm_alloc_spi\n\nThis patch moves some common code that conceptually belongs to the xfrm core\nfrom af_key/xfrm_user into xfrm_alloc_spi.\n\nIn particular, the spin lock on the state is now taken inside xfrm_alloc_spi.\nPreviously it also protected the construction of the response PF_KEY/XFRM\nmessages to user-space.  This is inconsistent as other identical constructions\nare not protected by the state lock.  This is bad because they in fact should\nbe protected but only in certain spots (so as not to hold the lock for too\nlong which may cause packet drops).\n\nThe SPI byte order conversion has also been moved.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "1b8d7ae42d02e483ad94035cca851e4f7fbecb40",
      "tree": "81f8cc0ee49ef99cc67dfed3dc7b7ecb510abf8b",
      "parents": [
        "457c4cbc5a3dde259d2a1f15d5f9785290397267"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Mon Oct 08 23:24:22 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:49:07 2007 -0700"
      },
      "message": "[NET]: Make socket creation namespace safe.\n\nThis patch passes in the namespace a new socket should be created in\nand has the socket code do the appropriate reference counting.  By\nvirtue of this all socket create methods are touched.  In addition\nthe socket create methods are modified so that they will fail if\nyou attempt to create a socket in a non-default network namespace.\n\nFailing if we attempt to create a socket outside of the default\nnetwork namespace ensures that as we incrementally make the network stack\nnetwork namespace aware we will not export functionality that someone\nhas not audited and made certain is network namespace safe.\nAllowing us to partially enable network namespaces before all of the\nexotic protocols are supported.\n\nAny protocol layers I have missed will fail to compile because I now\npass an extra parameter into the socket creation code.\n\n[ Integrated AF_IUCV build fixes from Andrew Morton... -DaveM ]\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "457c4cbc5a3dde259d2a1f15d5f9785290397267",
      "tree": "a2ceee88780cbce27433b9a4434b3e9251efd81a",
      "parents": [
        "07feaebfcc10cd35e745c7073667935246494bee"
      ],
      "author": {
        "name": "Eric W. Biederman",
        "email": "ebiederm@xmission.com",
        "time": "Wed Sep 12 12:01:34 2007 +0200"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:49:06 2007 -0700"
      },
      "message": "[NET]: Make /proc/net per network namespace\n\nThis patch makes /proc/net per network namespace.  It modifies the global\nvariables proc_net and proc_net_stat to be per network namespace.\nThe proc_net file helpers are modified to take a network namespace argument,\nand all of their callers are fixed to pass \u0026init_net for that argument.\nThis ensures that all of the /proc/net files are only visible and\nusable in the initial network namespace until the code behind them\nhas been updated to be handle multiple network namespaces.\n\nMaking /proc/net per namespace is necessary as at least some files\nin /proc/net depend upon the set of network devices which is per\nnetwork namespace, and even more files in /proc/net have contents\nthat are relevant to a single network namespace.\n\nSigned-off-by: Eric W. Biederman \u003cebiederm@xmission.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "ab5f5e8b144e4c804ef3aa1ce08a9ca9f01187ce",
      "tree": "bf3915a618b29f507d882e9c665ed9d07e7c0765",
      "parents": [
        "d2e9117c7aa9544d910634e17e3519fd67155229"
      ],
      "author": {
        "name": "Joy Latten",
        "email": "latten@austin.ibm.com",
        "time": "Mon Sep 17 11:51:22 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:49:02 2007 -0700"
      },
      "message": "[XFRM]: xfrm audit calls\n\nThis patch modifies the current ipsec audit layer\nby breaking it up into purpose driven audit calls.\n\nSo far, the only audit calls made are when add/delete\nan SA/policy. It had been discussed to give each\nkey manager it\u0027s own calls to do this, but I found\nthere to be much redundnacy since they did the exact\nsame things, except for how they got auid and sid, so I\ncombined them. The below audit calls can be made by any\nkey manager. Hopefully, this is ok.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "356f89e12e301376f26795643f3b5931c81c9cd5",
      "tree": "e9e180c3d39ea97e28e5b81e1ca26b32b1ff6e66",
      "parents": [
        "18f02545a9a16c9a89778b91a162ad16d510bb32"
      ],
      "author": {
        "name": "Ilpo Järvinen",
        "email": "ilpo.jarvinen@helsinki.fi",
        "time": "Fri Aug 24 23:00:31 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 10 16:48:30 2007 -0700"
      },
      "message": "[NET] Cleanup: DIV_ROUND_UP\n\nSigned-off-by: Ilpo Järvinen \u003cilpo.jarvinen@helsinki.fi\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "4a4b6271a8df417e328aed4c8a7e04e0b282207e",
      "tree": "a1080744f58a4aa0864453f989966b2df64df41c",
      "parents": [
        "3516ffb0fef710749daf288c0fe146503e0cf9d4"
      ],
      "author": {
        "name": "Joy Latten",
        "email": "latten@austin.ibm.com",
        "time": "Thu Aug 02 19:25:43 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Thu Aug 02 19:42:29 2007 -0700"
      },
      "message": "[PF_KEY]: Fix ipsec not working in 2.6.23-rc1-git10\n\nAlthough an ipsec SA was established, kernel couldn\u0027t seem to find it.\n\nI think since we are now using \"x-\u003esel.family\" instead of \"family\" in\nthe xfrm_selector_match() called in xfrm_state_find(), af_key needs to\nset this field too, just as xfrm_user.\n\nIn af_key.c, x-\u003esel.family only gets set when there\u0027s an\next_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.\n\nI think pfkey needs to also set the x-\u003esel.family field when it is 0.\n\nTested with below patch, and ipsec worked when using pfkey.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "582ee43dad8e411513a74f2d801255dcffc6d29e",
      "tree": "bf822fd3dd9b889531134c7004e9f42b134485f1",
      "parents": [
        "704eae1f32274c0435f7f3924077afdb811edd1d"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@ftp.linux.org.uk",
        "time": "Thu Jul 26 17:33:39 2007 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@woody.linux-foundation.org",
        "time": "Thu Jul 26 11:11:56 2007 -0700"
      },
      "message": "net/* misc endianness annotations\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@linux-foundation.org\u003e\n"
    },
    {
      "commit": "4aa2e62c45b5ca08be2d0d3c0744d7585b56e860",
      "tree": "16649593d55f3df4dac54227fcda28bb4fb49f17",
      "parents": [
        "b00b4bf94edb42852d55619af453588b2de2dc5e"
      ],
      "author": {
        "name": "Joy Latten",
        "email": "latten@austin.ibm.com",
        "time": "Mon Jun 04 19:05:57 2007 -0400"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Thu Jun 07 13:42:46 2007 -0700"
      },
      "message": "xfrm: Add security check before flushing SAD/SPD\n\nCurrently we check for permission before deleting entries from SAD and\nSPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())\nHowever we are not checking for authorization when flushing the SPD and\nthe SAD completely. It was perhaps missed in the original security hooks\npatch.\n\nThis patch adds a security check when flushing entries from the SAD and\nSPD.  It runs the entire database and checks each entry for a denial.\nIf the process attempting the flush is unable to remove all of the\nentries a denial is logged the the flush function returns an error\nwithout removing anything.\n\nThis is particularly useful when a process may need to create or delete\nits own xfrm entries used for things like labeled networking but that\nsame process should not be able to delete other entries or flush the\nentire database.\n\nSigned-off-by: Joy Latten\u003clatten@austin.ibm.com\u003e\nSigned-off-by: Eric Paris \u003ceparis@parisplace.org\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "c92b3a2f1f11655ecf6774b745017a414241d07c",
      "tree": "822a53d289b6848992b9476eb6e451f32b8daa5e",
      "parents": [
        "580e572a4a1bfea2f42af63ba4785ac7dfbcb45d"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Sat May 19 14:21:18 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat May 19 14:21:18 2007 -0700"
      },
      "message": "[IPSEC] pfkey: Load specific algorithm in pfkey_add rather than all\n\nThis is a natural extension of the changeset\n\n    [XFRM]: Probe selected algorithm only.\n\nwhich only removed the probe call for xfrm_user.  This patch does exactly\nthe same thing for af_key.  In other words, we load the algorithm requested\nby the user rather than everything when adding xfrm states in af_key.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "3ff50b7997fe06cd5d276b229967bb52d6b3b6c1",
      "tree": "4f0f57123a945c3e6c39759456b6187bb78c4b1f",
      "parents": [
        "c462238d6a6d8ee855bda10f9fff442971540ed2"
      ],
      "author": {
        "name": "Stephen Hemminger",
        "email": "shemminger@linux-foundation.org",
        "time": "Fri Apr 20 17:09:22 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Apr 25 22:29:24 2007 -0700"
      },
      "message": "[NET]: cleanup extra semicolons\n\nSpring cleaning time...\n\nThere seems to be a lot of places in the network code that have\nextra bogus semicolons after conditionals.  Most commonly is a\nbogus semicolon after: switch() { }\n\nSigned-off-by: Stephen Hemminger \u003cshemminger@linux-foundation.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "badff6d01a8589a1c828b0bf118903ca38627f4e",
      "tree": "89611d7058c612085c58dfb9913ee30ddf04b604",
      "parents": [
        "0660e03f6b18f19b6bbafe7583265a51b90daf36"
      ],
      "author": {
        "name": "Arnaldo Carvalho de Melo",
        "email": "acme@redhat.com",
        "time": "Tue Mar 13 13:06:52 2007 -0300"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Apr 25 22:25:15 2007 -0700"
      },
      "message": "[SK_BUFF]: Introduce skb_reset_transport_header(skb)\n\nFor the common, open coded \u0027skb-\u003eh.raw \u003d skb-\u003edata\u0027 operation, so that we can\nlater turn skb-\u003eh.raw into a offset, reducing the size of struct sk_buff in\n64bit land while possibly keeping it as a pointer on 32bit.\n\nThis one touches just the most simple cases:\n\nskb-\u003eh.raw \u003d skb-\u003edata;\nskb-\u003eh.raw \u003d {skb_push|[__]skb_pull}()\n\nThe next ones will handle the slightly more \"complex\" cases.\n\nSigned-off-by: Arnaldo Carvalho de Melo \u003cacme@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "fefaa75e0451c76225863644be01e4fd70884153",
      "tree": "685d90c0d228505ba7a9188eb82c6ed6949b3b86",
      "parents": [
        "80d74d5123bf3aecd32302809c4e61bb8a16786b"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Tue Apr 17 21:48:10 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Apr 18 14:16:07 2007 -0700"
      },
      "message": "[IPSEC] af_key: Fix thinko in pfkey_xfrm_policy2msg()\n\nMake sure to actually assign the determined mode to\nrq-\u003esadb_x_ipsecrequest_mode.\n\nNoticed by Joe Perches.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "55569ce256ce29f4624f0007213432c1ed646584",
      "tree": "e8c29263844ed733d6d40bbeb871588eaa1a9bd1",
      "parents": [
        "b4dfa0b1fb39c7ffe74741d60668825de6a47b69"
      ],
      "author": {
        "name": "Kazunori MIYAZAWA",
        "email": "miyazawa@linux-ipv6.org",
        "time": "Tue Apr 17 12:32:20 2007 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Tue Apr 17 13:13:21 2007 -0700"
      },
      "message": "[KEY]: Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.\n\nWe should not blindly convert between IPSEC_MODE_xxx and XFRM_MODE_xxx just\nby incrementing / decrementing because the assumption is not true any longer.\n\nSigned-off-by: Kazunori MIYAZAWA \u003cmiyazawa@linux-ipv6.org\u003e\nSinged-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\n"
    },
    {
      "commit": "16bec31db751030171b31d7767fa3a5bdbe980ea",
      "tree": "60b69d571ba42ef0bf9f54833bd10228220c87bd",
      "parents": [
        "215a2dd3b43e0dc425e81d21de9d961416b1dad4"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Mar 07 16:02:16 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Mar 07 16:08:11 2007 -0800"
      },
      "message": "[IPSEC]: xfrm audit hook misplaced in pfkey_delete and xfrm_del_sa\n\nInside pfkey_delete and xfrm_del_sa the audit hooks were not called if\nthere was any permission/security failures in attempting to do the del\noperation (such as permission denied from security_xfrm_state_delete).\nThis patch moves the audit hook to the exit path such that all failures\n(and successes) will actually get audited.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "215a2dd3b43e0dc425e81d21de9d961416b1dad4",
      "tree": "1b59b4ae1b4682d5da10a684a262e67b22a19246",
      "parents": [
        "ef41aaa0b755f479012341ac11db9ca5b8928d98"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Mar 07 16:01:45 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Mar 07 16:08:10 2007 -0800"
      },
      "message": "[IPSEC]: Add xfrm policy change auditing to pfkey_spdget\n\npfkey_spdget neither had an LSM security hook nor auditing for the\nremoval of xfrm_policy structs.  The security hook was added when it was\nmoved into xfrm_policy_byid instead of the callers to that function by\nmy earlier patch and this patch adds the auditing hooks as well.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "ef41aaa0b755f479012341ac11db9ca5b8928d98",
      "tree": "f5cd83b9117d0092f40006fbf4fd1f39652ad925",
      "parents": [
        "05e52dd7396514648fba6c275eb7b49eca333c6d"
      ],
      "author": {
        "name": "Eric Paris",
        "email": "eparis@redhat.com",
        "time": "Wed Mar 07 15:37:58 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Mar 07 16:08:09 2007 -0800"
      },
      "message": "[IPSEC]: xfrm_policy delete security check misplaced\n\nThe security hooks to check permissions to remove an xfrm_policy were\nactually done after the policy was removed.  Since the unlinking and\ndeletion are done in xfrm_policy_by* functions this moves the hooks\ninside those 2 functions.  There we have all the information needed to\ndo the security check and it can be done before the deletion.  Since\nauditing requires the result of that security check err has to be passed\nback and forth from the xfrm_policy_by* functions.\n\nThis patch also fixes a bug where a deletion that failed the security\ncheck could cause improper accounting on the xfrm_policy\n(xfrm_get_policy didn\u0027t have a put on the exit path for the hold taken\nby xfrm_policy_by*)\n\nIt also fixes the return code when no policy is found in\nxfrm_add_pol_expire.  In old code (at least back in the 2.6.18 days) err\nwasn\u0027t used before the return when no policy is found and so the\ninitialization would cause err to be ENOENT.  But since err has since\nbeen used above when we don\u0027t get a policy back from the xfrm_policy_by*\nfunction we would always return 0 instead of the intended ENOENT.  Also\nfixed some white space damage in the same area.\n\nSigned-off-by: Eric Paris \u003ceparis@redhat.com\u003e\nAcked-by: Venkat Yekkirala \u003cvyekkirala@trustedcs.com\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "13fcfbb0675bf87da694f55dec11cada489a205c",
      "tree": "2a1b81c5f7e69781f3e6ee523fd67c2b923531ca",
      "parents": [
        "9121c77706a4bd75a878573c913553ade120e9ce"
      ],
      "author": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Mon Feb 12 13:53:54 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Mon Feb 12 13:53:54 2007 -0800"
      },
      "message": "[XFRM]: Fix OOPSes in xfrm_audit_log().\n\nMake sure that this function is called correctly, and\nadd BUG() checking to ensure the arguments are sane.\n\nBased upon a patch by Joy Latten.\n\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "8ff24541d9f80b9161022588b4435a9b54aec2e6",
      "tree": "48014e136da737e0eaabbb0480ff3fa3e07c6bb6",
      "parents": [
        "6819bc2e1e46c71711a8dddf4040e706b02973c0"
      ],
      "author": {
        "name": "YOSHIFUJI Hideaki",
        "email": "yoshfuji@linux-ipv6.org",
        "time": "Fri Feb 09 23:24:58 2007 +0900"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Sat Feb 10 23:19:49 2007 -0800"
      },
      "message": "[NET] KEY: Fix whitespace errors.\n\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "08de61beab8a21c8e0b3906a97defda5f1f66ece",
      "tree": "f9b49420d9a9a7c13d8b6f0d9488a152d8af3550",
      "parents": [
        "d0473655c8293b49808c9488152573beab4458cf"
      ],
      "author": {
        "name": "Shinta Sugimoto",
        "email": "shinta.sugimoto@ericsson.com",
        "time": "Thu Feb 08 13:14:33 2007 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Thu Feb 08 13:14:33 2007 -0800"
      },
      "message": "[PFKEYV2]: Extension for dynamic update of endpoint address(es)\n\nExtend PF_KEYv2 framework so that user application can take advantage\nof MIGRATE feature via PF_KEYv2 interface. User application can either\nsend or receive an MIGRATE message to/from PF_KEY socket.\n\nDetail information can be found in the internet-draft\n\u003cdraft-sugimoto-mip6-pfkey-migrate\u003e.\n\nSigned-off-by: Shinta Sugimoto \u003cshinta.sugimoto@ericsson.com\u003e\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "161a09e737f0761ca064ee6a907313402f7a54b6",
      "tree": "80fdf6dc5de73d810ef0ec811299a5ec3c5ce23e",
      "parents": [
        "95b99a670df31ca5271f503f378e5cac3aee8f5e"
      ],
      "author": {
        "name": "Joy Latten",
        "email": "latten@austin.ibm.com",
        "time": "Mon Nov 27 13:11:54 2006 -0600"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Dec 06 20:14:22 2006 -0800"
      },
      "message": "audit: Add auditing to ipsec\n\nAn audit message occurs when an ipsec SA\nor ipsec policy is created/deleted.\n\nSigned-off-by: Joy Latten \u003clatten@austin.ibm.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "2718aa7c55ba7264dd463b8f7006f0975366fa7b",
      "tree": "e952581dde8c7c70a0ce39e1c713a2c5e1ab2cc9",
      "parents": [
        "8511d01d7c70200ffd42debba9d7ac5c4f7f1031"
      ],
      "author": {
        "name": "Miika Komu",
        "email": "miika@iki.fi",
        "time": "Thu Nov 30 16:41:50 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Sat Dec 02 21:31:50 2006 -0800"
      },
      "message": "[IPSEC]: Add AF_KEY interface for encapsulation family.\n\nSigned-off-by: Miika Komu \u003cmiika@iki.fi\u003e\nSigned-off-by: Diego Beltrami \u003cDiego.Beltrami@hiit.fi\u003e\nSigned-off-by: Kazunori Miyazawa \u003cmiyazawa@linux-ipv6.org\u003e\n"
    },
    {
      "commit": "5d36b1803d875cf101fdb972ff9c56663e508e39",
      "tree": "36478dec86293ab8f3381a83ee3979f794958783",
      "parents": [
        "d29ef86b0a497dd2c4f9601644a15392f7e21f73"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Nov 08 00:24:06 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Sat Dec 02 21:21:18 2006 -0800"
      },
      "message": "[XFRM]: annotate -\u003enew_mapping()\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d",
      "tree": "293f595f737540a546ba186ba1f054389aa95f6f",
      "parents": [
        "134b0fc544ba062498451611cb6f3e4454221b3d"
      ],
      "author": {
        "name": "Venkat Yekkirala",
        "email": "vyekkirala@trustedcs.com",
        "time": "Thu Oct 05 15:42:18 2006 -0500"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Wed Oct 11 23:59:37 2006 -0700"
      },
      "message": "IPsec: correct semantics for SELinux policy matching\n\nCurrently when an IPSec policy rule doesn\u0027t specify a security\ncontext, it is assumed to be \"unlabeled\" by SELinux, and so\nthe IPSec policy rule fails to match to a flow that it would\notherwise match to, unless one has explicitly added an SELinux\npolicy rule allowing the flow to \"polmatch\" to the \"unlabeled\"\nIPSec policy rules. In the absence of such an explicitly added\nSELinux policy rule, the IPSec policy rule fails to match and\nso the packet(s) flow in clear text without the otherwise applicable\nxfrm(s) applied.\n\nThe above SELinux behavior violates the SELinux security notion of\n\"deny by default\" which should actually translate to \"encrypt by\ndefault\" in the above case.\n\nThis was first reported by Evgeniy Polyakov and the way James Morris\nwas seeing the problem was when connecting via IPsec to a\nconfined service on an SELinux box (vsftpd), which did not have the\nappropriate SELinux policy permissions to send packets via IPsec.\n\nWith this patch applied, SELinux \"polmatching\" of flows Vs. IPSec\npolicy rules will only come into play when there\u0027s a explicit context\nspecified for the IPSec policy rule (which also means there\u0027s corresponding\nSELinux policy allowing appropriate domains/flows to polmatch to this context).\n\nSecondly, when a security module is loaded (in this case, SELinux), the\nsecurity_xfrm_policy_lookup() hook can return errors other than access denied,\nsuch as -EINVAL.  
We were not handling that correctly, and in fact\ninverting the return logic and propagating a false \"ok\" back up to\nxfrm_lookup(), which then allowed packets to pass as if they were not\nassociated with an xfrm policy.\n\nThe solution for this is to first ensure that errno values are\ncorrectly propagated all the way back up through the various call chains\nfrom security_xfrm_policy_lookup(), and handled correctly.\n\nThen, flow_cache_lookup() is modified, so that if the policy resolver\nfails (typically a permission denied via the security module), the flow\ncache entry is killed rather than having a null policy assigned (which\nindicates that the packet can pass freely).  This also forces any future\nlookups for the same flow to consult the security module (e.g. SELinux)\nfor current security policy (rather than, say, caching the error on the\nflow cache entry).\n\nThis patch: Fix the selinux side of things.\n\nThis makes sure SELinux polmatching of flow contexts to IPSec policy\nrules comes into play only when an explicit context is associated\nwith the IPSec policy rule.\n\nAlso, this no longer defaults the context of a socket policy to\nthe context of the socket since the \"no explicit context\" case\nis now handled properly.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: James Morris \u003cjmorris@namei.org\u003e\n"
    },
    {
      "commit": "8f83f23e6db8b9a9fe787d02f73489224668c4e2",
      "tree": "23348f11be718d24229ced9c49c0d2c82c759104",
      "parents": [
        "f9d07e41f89e7305eb2c0475c170c51d21425581"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@zeniv.linux.org.uk",
        "time": "Wed Sep 27 18:46:11 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Thu Sep 28 18:02:33 2006 -0700"
      },
      "message": "[XFRM]: ports in struct xfrm_selector annotated\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "f7b6983f0feeefcd2a594138adcffe640593d8de",
      "tree": "41878fad9f0f0306718fa832eac7dfa76f51222d",
      "parents": [
        "41a49cc3c02ace59d4dddae91ea211c330970ee3"
      ],
      "author": {
        "name": "Masahide NAKAMURA",
        "email": "nakam@linux-ipv6.org",
        "time": "Wed Aug 23 22:49:28 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Fri Sep 22 15:08:35 2006 -0700"
      },
      "message": "[XFRM] POLICY: Support netlink socket interface for sub policy.\n\nSub policy can be used through netlink socket.\nPF_KEY uses main only and it is TODO to support sub.\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "7e49e6de30efa716614e280d97963c570f3acf29",
      "tree": "8eaef9d40300d16a7675722e082c5d8ab2a53d40",
      "parents": [
        "77d16f450ae0452d7d4b009f78debb1294fb435c"
      ],
      "author": {
        "name": "Masahide NAKAMURA",
        "email": "nakam@linux-ipv6.org",
        "time": "Fri Sep 22 15:05:15 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Fri Sep 22 15:05:15 2006 -0700"
      },
      "message": "[XFRM]: Add XFRM_MODE_xxx for future use.\n\nTransformation mode is used as either IPsec transport or tunnel.\nIt is required to add two more items, route optimization and inbound trigger\nfor Mobile IPv6.\nBased on MIPL2 kernel patch.\n\nThis patch was also written by: Ville Nuorvala \u003cvnuorval@tcs.hut.fi\u003e\n\nSigned-off-by: Masahide NAKAMURA \u003cnakam@linux-ipv6.org\u003e\nSigned-off-by: YOSHIFUJI Hideaki \u003cyoshfuji@linux-ipv6.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "cb969f072b6d67770b559617f14e767f47e77ece",
      "tree": "4112eb0182e8b3e28b42aebaa40ca25454fc6b76",
      "parents": [
        "beb8d13bed80f8388f1a9a107d07ddd342e627e8"
      ],
      "author": {
        "name": "Venkat Yekkirala",
        "email": "vyekkirala@TrustedCS.com",
        "time": "Mon Jul 24 23:32:20 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Fri Sep 22 14:53:28 2006 -0700"
      },
      "message": "[MLSXFRM]: Default labeling of socket specific IPSec policies\n\nThis defaults the label of socket-specific IPSec policies to be the\nsame as the socket they are set on.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "4e2ba18eae7f370c7c3ed96eaca747cc9b39f917",
      "tree": "9165d8c0fea650e3cf226d4e0bb3c153978f8ae0",
      "parents": [
        "0d681623d30c6565e8b62889f3aa3f4d4662c3e8"
      ],
      "author": {
        "name": "Venkat Yekkirala",
        "email": "vyekkirala@TrustedCS.com",
        "time": "Mon Jul 24 23:31:14 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Fri Sep 22 14:53:26 2006 -0700"
      },
      "message": "[MLSXFRM]: Add security context to acquire messages using PF_KEY\n\nThis includes the security context of a security association created\nfor use by IKE in the acquire messages sent to IKE daemons using\nPF_KEY. This would allow the daemons to include the security context\nin the negotiation, so that the resultant association is unique to\nthat security context.\n\nSigned-off-by: Venkat Yekkirala \u003cvyekkirala@TrustedCS.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "6ab3d5624e172c553004ecc862bfeac16d9d68b7",
      "tree": "6d98881fe91fd9583c109208d5c27131b93fa248",
      "parents": [
        "e02169b682bc448ccdc819dc8639ed34a23cedd8"
      ],
      "author": {
        "name": "Jörn Engel",
        "email": "joern@wohnheim.fh-wedel.de",
        "time": "Fri Jun 30 19:25:36 2006 +0200"
      },
      "committer": {
        "name": "Adrian Bunk",
        "email": "bunk@stusta.de",
        "time": "Fri Jun 30 19:25:36 2006 +0200"
      },
      "message": "Remove obsolete #include \u003clinux/config.h\u003e\n\nSigned-off-by: Jörn Engel \u003cjoern@wohnheim.fh-wedel.de\u003e\nSigned-off-by: Adrian Bunk \u003cbunk@stusta.de\u003e\n"
    },
    {
      "commit": "c8c05a8eec6f1258f6d5cb71a44ee5dc1e989b63",
      "tree": "b4a04dd9e2b940cb5b2911fb67fbe49c5f8b3fbf",
      "parents": [
        "cec6f7f39c3db7d9f6091bf2f8fc8d520f372719"
      ],
      "author": {
        "name": "Catherine Zhang",
        "email": "cxzhang@watson.ibm.com",
        "time": "Thu Jun 08 23:39:49 2006 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Sat Jun 17 21:29:45 2006 -0700"
      },
      "message": "[LSM-IPsec]: SELinux Authorize\n\nThis patch contains a fix for the previous patch that adds security\ncontexts to IPsec policies and security associations.  In the previous\npatch, no authorization (besides the check for write permissions to\nSAD and SPD) is required to delete IPsec policies and security\nassocations with security contexts.  Thus a user authorized to change\nSAD and SPD can bypass the IPsec policy authorization by simply\ndeleteing policies with security contexts.  To fix this security hole,\nan additional authorization check is added for removing security\npolicies and security associations with security contexts.\n\nNote that if no security context is supplied on add or present on\npolicy to be deleted, the SELinux module allows the change\nunconditionally.  The hook is called on deletion when no context is\npresent, which we may want to change.  At present, I left it up to the\nmodule.\n\nLSM changes:\n\nThe patch adds two new LSM hooks: xfrm_policy_delete and\nxfrm_state_delete.  The new hooks are necessary to authorize deletion\nof IPsec policies that have security contexts.  The existing hooks\nxfrm_policy_free and xfrm_state_free lack the context to do the\nauthorization, so I decided to split authorization of deletion and\nmemory management of security data, as is typical in the LSM\ninterface.\n\nUse:\n\nThe new delete hooks are checked when xfrm_policy or xfrm_state are\ndeleted by either the xfrm_user interface (xfrm_get_policy,\nxfrm_del_sa) or the pfkey interface (pfkey_spddelete, pfkey_delete).\n\nSELinux changes:\n\nThe new policy_delete and state_delete functions are added.\n\nSigned-off-by: Catherine Zhang \u003ccxzhang@watson.ibm.com\u003e\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nAcked-by: James Morris \u003cjmorris@namei.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "4a3e2f711a00a1feb72ae12fdc749da10179d185",
      "tree": "76ced9d3270dea4b864da71fa1d4415d2e3c8b11",
      "parents": [
        "d4ccd08cdfa8d34f4d25b62041343c52fc79385f"
      ],
      "author": {
        "name": "Arjan van de Ven",
        "email": "arjan@infradead.org",
        "time": "Mon Mar 20 22:33:17 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Mar 20 22:33:17 2006 -0800"
      },
      "message": "[NET] sem2mutex: net/\n\nSemaphore to mutex conversion.\n\nThe conversion was generated via scripts, and the result was validated\nautomatically via a script as well.\n\nSigned-off-by: Arjan van de Ven \u003carjan@infradead.org\u003e\nSigned-off-by: Ingo Molnar \u003cmingo@elte.hu\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "d51d081d65048a7a6f9956a7809c3bb504f3b95d",
      "tree": "55c62e9f6ff96d131a3ba59090d76209b68051ae",
      "parents": [
        "9500e8a81fe6302fcc5e4110adc4d166c9873d3a"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "hadi@cyberus.ca",
        "time": "Mon Mar 20 19:16:12 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Mar 20 19:16:12 2006 -0800"
      },
      "message": "[IPSEC]: Sync series - user\n\nAdd xfrm as the user of the core changes\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "21380b81ef8699179b535e197a95b891a7badac7",
      "tree": "1a6be9864cabbed59db6357b2f0244413acac4c4",
      "parents": [
        "85259878499d6c428cba191bb4e415a250dcd75a"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Wed Feb 22 14:47:13 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Thu Feb 23 16:10:53 2006 -0800"
      },
      "message": "[XFRM]: Eliminate refcounting confusion by creating __xfrm_state_put().\n\nWe often just do an atomic_dec(\u0026x-\u003erefcnt) on an xfrm_state object\nbecause we know there is more than 1 reference remaining and thus\nwe can elide the heavier xfrm_state_put() call.\n\nDo this behind an inline function called __xfrm_state_put() so that is\nmore obvious and also to allow us to more cleanly add refcount\ndebugging later.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "151bb0ffe51514979abf54063bb5c1dd49365137",
      "tree": "b8d3465f3a9f682640589395befae5e475168b64",
      "parents": [
        "cabcac0b296cd9683bc168d60839729b720dc2b7"
      ],
      "author": {
        "name": "Jerome Borsboom",
        "email": "j.borsboom@erasmusmc.nl",
        "time": "Tue Jan 24 12:57:19 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Jan 24 12:57:19 2006 -0800"
      },
      "message": "[AF_KEY]: no message type set\n\nWhen returning a message to userspace in reply to a SADB_FLUSH or \nSADB_X_SPDFLUSH message, the type was not set for the returned PFKEY \nmessage. The patch below corrects this problem.\n\nSigned-off-by: Jerome Borsboom \u003cj.borsboom@erasmusmc.nl\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "4fc268d24ceb9f4150777c1b5b2b8e6214e56b2b",
      "tree": "d2aaf0b5986b03e6129ed3ccd65b9f706cd59c7f",
      "parents": [
        "16f7e0fe2ecc30f30652e8185e1772cdebe39109"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "rdunlap@xenotime.net",
        "time": "Wed Jan 11 12:17:47 2006 -0800"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@g5.osdl.org",
        "time": "Wed Jan 11 18:42:14 2006 -0800"
      },
      "message": "[PATCH] capable/capability.h (net/)\n\nnet: Use \u003clinux/capability.h\u003e where capable() is used.\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: Andrew Morton \u003cakpm@osdl.org\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n"
    },
    {
      "commit": "09a626600b437d91f6b13ade5c7c4b374893c54e",
      "tree": "a6de3c2a33b7d896cd22a3fe799d1b40d28daf40",
      "parents": [
        "4bba3925924148c24fb0c7636a04ad69a6a56b84"
      ],
      "author": {
        "name": "Kris Katterjohn",
        "email": "kjak@users.sourceforge.net",
        "time": "Sun Jan 08 22:24:28 2006 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Mon Jan 09 14:16:18 2006 -0800"
      },
      "message": "[NET]: Change some \"if (x) BUG();\" to \"BUG_ON(x);\"\n\nThis changes some simple \"if (x) BUG();\" statements to \"BUG_ON(x);\"\n\nSigned-off-by: Kris Katterjohn \u003ckjak@users.sourceforge.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "90ddc4f0470427df306f308ad03db6b6b21644b8",
      "tree": "f97c1d57b25585394ebbd4b42b8d42a339f98644",
      "parents": [
        "77d76ea310b50a9c8ff15bd290fcb4ed4961adf2"
      ],
      "author": {
        "name": "Eric Dumazet",
        "email": "dada1@cosmosbay.com",
        "time": "Thu Dec 22 12:49:22 2005 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Tue Jan 03 13:11:15 2006 -0800"
      },
      "message": "[NET]: move struct proto_ops to const\n\nI noticed that some of \u0027struct proto_ops\u0027 used in the kernel may share\na cache line used by locks or other heavily modified data. (default\nlinker alignement is 32 bytes, and L1_CACHE_LINE is 64 or 128 at\nleast)\n\nThis patch makes sure a \u0027struct proto_ops\u0027 can be declared as const,\nso that all cpus can share all parts of it without false sharing.\n\nThis is not mandatory : a driver can still use a read/write structure\nif it needs to (and eventually a __read_mostly)\n\nI made a global stubstitute to change all existing occurences to make\nthem const.\n\nThis should reduce the possibility of false sharing on SMP, and\nspeedup some socket system calls.\n\nSigned-off-by: Eric Dumazet \u003cdada1@cosmosbay.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "df71837d5024e2524cd51c93621e558aa7dd9f3f",
      "tree": "58938f1d46f3c6713b63e5a785e82fdbb10121a1",
      "parents": [
        "88026842b0a760145aa71d69e74fbc9ec118ca44"
      ],
      "author": {
        "name": "Trent Jaeger",
        "email": "tjaeger@cse.psu.edu",
        "time": "Tue Dec 13 23:12:27 2005 -0800"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@sunset.davemloft.net",
        "time": "Tue Jan 03 13:10:24 2006 -0800"
      },
      "message": "[LSM-IPSec]: Security association restriction.\n\nThis patch series implements per packet access control via the\nextension of the Linux Security Modules (LSM) interface by hooks in\nthe XFRM and pfkey subsystems that leverage IPSec security\nassociations to label packets.  Extensions to the SELinux LSM are\nincluded that leverage the patch for this purpose.\n\nThis patch implements the changes necessary to the XFRM subsystem,\npfkey interface, ipv4/ipv6, and xfrm_user interface to restrict a\nsocket to use only authorized security associations (or no security\nassociation) to send/receive network packets.\n\nPatch purpose:\n\nThe patch is designed to enable access control per packets based on\nthe strongly authenticated IPSec security association.  Such access\ncontrols augment the existing ones based on network interface and IP\naddress.  The former are very coarse-grained, and the latter can be\nspoofed.  By using IPSec, the system can control access to remote\nhosts based on cryptographic keys generated using the IPSec mechanism.\nThis enables access control on a per-machine basis or per-application\nif the remote machine is running the same mechanism and trusted to\nenforce the access control policy.\n\nPatch design approach:\n\nThe overall approach is that policy (xfrm_policy) entries set by\nuser-level programs (e.g., setkey for ipsec-tools) are extended with a\nsecurity context that is used at policy selection time in the XFRM\nsubsystem to restrict the sockets that can send/receive packets via\nsecurity associations (xfrm_states) that are built from those\npolicies.\n\nA presentation available at\nwww.selinux-symposium.org/2005/presentations/session2/2-3-jaeger.pdf\nfrom the SELinux symposium describes the overall approach.\n\nPatch implementation details:\n\nOn output, the policy retrieved (via xfrm_policy_lookup or\nxfrm_sk_policy_lookup) must be authorized for the security context of\nthe socket and the same security context is required for resultant\nsecurity association (retrieved or negotiated via racoon in\nipsec-tools).  This is enforced in xfrm_state_find.\n\nOn input, the policy retrieved must also be authorized for the socket\n(at __xfrm_policy_check), and the security context of the policy must\nalso match the security association being used.\n\nThe patch has virtually no impact on packets that do not use IPSec.\nThe existing Netfilter (outgoing) and LSM rcv_skb hooks are used as\nbefore.\n\nAlso, if IPSec is used without security contexts, the impact is\nminimal.  The LSM must allow such policies to be selected for the\ncombination of socket and remote machine, but subsequent IPSec\nprocessing proceeds as in the original case.\n\nTesting:\n\nThe pfkey interface is tested using the ipsec-tools.  ipsec-tools have\nbeen modified (a separate ipsec-tools patch is available for version\n0.5) that supports assignment of xfrm_policy entries and security\nassociations with security contexts via setkey and the negotiation\nusing the security contexts via racoon.\n\nThe xfrm_user interface is tested via ad hoc programs that set\nsecurity contexts.  These programs are also available from me, and\ncontain programs for setting, getting, and deleting policy for testing\nthis interface.  Testing of sa functions was done by tracing kernel\nbehavior.\n\nSigned-off-by: Trent Jaeger \u003ctjaeger@cse.psu.edu\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "dd0fc66fb33cd610bc1a5db8a5e232d34879b4d7",
      "tree": "51f96a9db96293b352e358f66032e1f4ff79fafb",
      "parents": [
        "3b0e77bd144203a507eb191f7117d2c5004ea1de"
      ],
      "author": {
        "name": "Al Viro",
        "email": "viro@ftp.linux.org.uk",
        "time": "Fri Oct 07 07:46:04 2005 +0100"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@g5.osdl.org",
        "time": "Sat Oct 08 15:00:57 2005 -0700"
      },
      "message": "[PATCH] gfp flags annotations - part 1\n\n - added typedef unsigned int __nocast gfp_t;\n\n - replaced __nocast uses for gfp flags with gfp_t - it gives exactly\n   the same warnings as far as sparse is concerned, doesn\u0027t change\n   generated code (from gcc point of view we replaced unsigned int with\n   typedef) and documents what\u0027s going on far better.\n\nSigned-off-by: Al Viro \u003cviro@zeniv.linux.org.uk\u003e\nSigned-off-by: Linus Torvalds \u003ctorvalds@osdl.org\u003e\n"
    },
    {
      "commit": "77d8d7a6848c81084f413e1ec4982123a56e2ccb",
      "tree": "37a160b0b5fcb8a079bcafec5091fd331e14d54c",
      "parents": [
        "140e26fcd559f6988e5a9056385eecade19d9b49"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Wed Oct 05 12:15:12 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Wed Oct 05 12:15:12 2005 -0700"
      },
      "message": "[IPSEC]: Document that policy direction is derived from the index.\n\nHere is a patch that adds a helper called xfrm_policy_id2dir to\ndocument the fact that the policy direction can be and is derived\nfrom the index.\n\nThis is based on a patch by YOSHIFUJI Hideaki and 210313105@suda.edu.cn.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "00fa02334540ec795934737cd6e6ef8db2560731",
      "tree": "6d8b137ebcb01954712c33ba2a9ff777a5e81429",
      "parents": [
        "c6f4fafccfa66f0530587ac3c11bb8fd0b8fe8ab"
      ],
      "author": {
        "name": "Randy Dunlap",
        "email": "rdunlap@xenotime.net",
        "time": "Tue Oct 04 22:43:04 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Tue Oct 04 22:43:04 2005 -0700"
      },
      "message": "[AF_KEY]: fix sparse gfp nocast warnings\n\nFix implicit nocast warnings in net/key code:\nnet/key/af_key.c:195:27: warning: implicit cast to nocast type\nnet/key/af_key.c:1439:28: warning: implicit cast to nocast type\n\nSigned-off-by: Randy Dunlap \u003crdunlap@xenotime.net\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "dd87147eed934eaff92869f3d158697c7239d1d2",
      "tree": "5a5d59c2678767530c2a3299a70ccfc14062b347",
      "parents": [
        "d094cd83c06e06e01d8edb540555f3f64e4081c2"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Mon Jun 20 13:21:43 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Jun 20 13:21:43 2005 -0700"
      },
      "message": "[IPSEC]: Add XFRM_STATE_NOPMTUDISC flag\n\nThis patch adds the flag XFRM_STATE_NOPMTUDISC for xfrm states.  It is\nsimilar to the nopmtudisc on IPIP/GRE tunnels.  It only has an effect\non IPv4 tunnel mode states.  For these states, it will ensure that the\nDF flag is always cleared.\n\nThis is primarily useful to work around ICMP blackholes.\n\nIn future this flag could also allow a larger MTU to be set within the\ntunnel just like IPIP/GRE tunnels.  This could be useful for short haul\ntunnels where temporary fragmentation outside the tunnel is desired over\nsmaller fragments inside the tunnel.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nAcked-by: James Morris \u003cjmorris@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "72cb6962a91f2af9eef69a06198e1949c10259ae",
      "tree": "3ae65d1c4e7d7cb7ac05bfc6f457312df45f6996",
      "parents": [
        "3f7a87d2fa9b42f7aade43914f060df68cc89cc7"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Mon Jun 20 13:18:08 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Mon Jun 20 13:18:08 2005 -0700"
      },
      "message": "[IPSEC]: Add xfrm_init_state\n\nThis patch adds xfrm_init_state which is simply a wrapper that calls\nxfrm_get_type and subsequently x-\u003etype-\u003einit_state.  It also gets rid\nof the unused args argument.\n\nAbstracting it out allows us to add common initialisation code, e.g.,\nto set family-specific flags.\n\nThe add_time setting in xfrm_user.c was deleted because it\u0027s already\nset by xfrm_state_alloc.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nAcked-by: James Morris \u003cjmorris@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "7d6dfe1f5bc4c56e0c31173014a099ec3fa35907",
      "tree": "a6b04337c4f6d1ff7b050082dc7e69dc5617d3d0",
      "parents": [
        "f60f6b8f70c756fc786d68f02ec17a1e84db645f"
      ],
      "author": {
        "name": "Patrick McHardy",
        "email": "kaber@trash.net",
        "time": "Sat Jun 18 22:45:31 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jun 18 22:45:31 2005 -0700"
      },
      "message": "[IPSEC] Fix xfrm_state leaks in error path\n\nHerbert Xu wrote:\n\u003e @@ -1254,6 +1326,7 @@ static int pfkey_add(struct sock *sk, st\n\u003e       if (IS_ERR(x))\n\u003e               return PTR_ERR(x);\n\u003e\n\u003e +     xfrm_state_hold(x);\n\nThis introduces a leak when xfrm_state_add()/xfrm_state_update()\nfail. We hold two references (one from xfrm_state_alloc(), one\nfrom xfrm_state_hold()), but only drop one. We need to take the\nreference because the reference from xfrm_state_alloc() can\nbe dropped by __xfrm_state_delete(), so the fix is to drop both\nreferences on error. Same problem in xfrm_user.c.\n\nSigned-off-by: Patrick McHardy \u003ckaber@trash.net\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n"
    },
    {
      "commit": "f60f6b8f70c756fc786d68f02ec17a1e84db645f",
      "tree": "8eee05de129439e4ffde876d2208a613178acfe3",
      "parents": [
        "e7443892f656d760ec1b9d92567178c87e100f4a"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Sat Jun 18 22:44:37 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jun 18 22:44:37 2005 -0700"
      },
      "message": "[IPSEC] Use XFRM_MSG_* instead of XFRM_SAP_*\n\nThis patch removes XFRM_SAP_* and converts them over to XFRM_MSG_*.\nThe netlink interface is meant to map directly onto the underlying\nxfrm subsystem.  Therefore rather than using a new independent\nrepresentation for the events we can simply use the existing ones\nfrom xfrm_user.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "bf08867f91a43aa3ba2e4598c06c4769a6cdddf6",
      "tree": "316504b4756a32d802ea037815f2d9022ab88bfe",
      "parents": [
        "4f09f0bbc1cb3c74e8f2047ad4be201a059829ee"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Sat Jun 18 22:44:00 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jun 18 22:44:00 2005 -0700"
      },
      "message": "[IPSEC] Turn km_event.data into a union\n\nThis patch turns km_event.data into a union.  This makes code that\nuses it clearer.\n  \nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "4f09f0bbc1cb3c74e8f2047ad4be201a059829ee",
      "tree": "d5ceba89f401b073cea383fa245c2b6299b7d07e",
      "parents": [
        "4666faab095230ec8aa62da6c33391287f281154"
      ],
      "author": {
        "name": "Herbert Xu",
        "email": "herbert@gondor.apana.org.au",
        "time": "Sat Jun 18 22:43:43 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jun 18 22:43:43 2005 -0700"
      },
      "message": "[IPSEC] Fix xfrm to pfkey SA state conversion\n\nThis patch adjusts the SA state conversion in af_key such that\nXFRM_STATE_ERROR/XFRM_STATE_DEAD will be converted to SADB_STATE_DEAD\ninstead of SADB_STATE_DYING.\n\nAccording to RFC 2367, SADB_STATE_DYING SAs can be turned into\nmature ones through updating their lifetime settings.  Since SAs\nwhich are in the states XFRM_STATE_ERROR/XFRM_STATE_DEAD cannot\nbe resurrected, this value is unsuitable.\n\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "26b15dad9f1c19d6d4f7b999b07eaa6d98e4b375",
      "tree": "2ca3039488d9df023fb84eaa7c1f52aa8d1ce69c",
      "parents": [
        "3aa3dfb372576f30835a94409556e3c8681b5756"
      ],
      "author": {
        "name": "Jamal Hadi Salim",
        "email": "hadi@cyberus.ca",
        "time": "Sat Jun 18 22:42:13 2005 -0700"
      },
      "committer": {
        "name": "David S. Miller",
        "email": "davem@davemloft.net",
        "time": "Sat Jun 18 22:42:13 2005 -0700"
      },
      "message": "[IPSEC] Add complete xfrm event notification\n\nHere\u0027s the final patch.\nWhat this patch provides\n\n- netlink xfrm events\n- ability to have events generated by netlink propagated to pfkey\n  and vice versa.\n- fixes the acquire lets-be-happy-with-one-success issue\n\nSigned-off-by: Jamal Hadi Salim \u003chadi@cyberus.ca\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n"
    },
    {
      "commit": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
      "tree": "0bba044c4ce775e45a88a51686b5d9f90697ea9d",
      "parents": [],
      "author": {
        "name": "Linus Torvalds",
        "email": "torvalds@ppc970.osdl.org",
        "time": "Sat Apr 16 15:20:36 2005 -0700"
      },
      "committer": {
        "name": "Linus Torvalds",
        "email": "torvalds@ppc970.osdl.org",
        "time": "Sat Apr 16 15:20:36 2005 -0700"
      },
      "message": "Linux-2.6.12-rc2\n\nInitial git repository build. I\u0027m not bothering with the full history,\neven though we have it. We can create a separate \"historical\" git\narchive of that later if we want to, and in the meantime it\u0027s about\n3.2GB when imported into git - space that would just make the early\ngit days unnecessarily complicated, when we don\u0027t have a lot of good\ninfrastructure for it.\n\nLet it rip!\n"
    }
  ]
}
