linux/net/ipv6/netfilter, branch v3.3.2

Merge branch 'for-linus' of git://selinuxproject.org/~jmorris/linux-security

2012-01-15T02:36:33Z

* 'for-linus' of git://selinuxproject.org/~jmorris/linux-security: capabilities: remove __cap_full_set definition security: remove the security_netlink_recv hook as it is equivalent to capable() ptrace: do not audit capability check when outputing /proc/pid/stat capabilities: remove task_ns_* functions capabitlies: ns_capable can use the cap helpers rather than lsm call capabilities: style only - move capable below ns_capable capabilites: introduce new has_ns_capabilities_noaudit capabilities: call has_ns_capability from has_capability capabilities: remove all _real_ interfaces capabilities: introduce security_capable_noaudit capabilities: reverse arguments to security_capable capabilities: remove the task from capable LSM hook entirely selinux: sparse fix: fix several warnings in the security server cod selinux: sparse fix: fix warnings in netlink code selinux: sparse fix: eliminate warnings for selinuxfs selinux: sparse fix: declare selinux_disable() in security.h selinux: sparse fix: move selinux_complete_init selinux: sparse fix: make selinux_secmark_refcount static SELinux: Fix RCU deref check warning in sel_netport_insert() Manually fix up a semantic mis-merge wrt security_netlink_recv(): - the interface was removed in commit fd7784615248 ("security: remove the security_netlink_recv hook as it is equivalent to capable()") - a new user of it appeared in commit a38f7907b926 ("crypto: Add userspace configuration API") causing no automatic merge conflict, but Eric Paris pointed out the issue.

security: remove the security_netlink_recv hook as it is equivalent to capable()

2012-01-05T23:53:01Z

Once upon a time netlink was not sync and we had to get the effective capabilities from the skb that was being received. Today we instead get the capabilities from the current task. This has rendered the entire purpose of the hook moot as it is now functionally equivalent to the capable() call. Signed-off-by: Eric Paris

Merge branch 'nf-next' of git://1984.lsi.us.es/net-next

2011-12-25T07:21:45Z

module_param: make bool parameters really bool (net & drivers/net)

2011-12-20T03:27:29Z

module_param(bool) used to counter-intuitively take an int. In fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy trick. It's time to remove the int/unsigned int option. For this version it'll simply give a warning, but it'll break next kernel version. (Thanks to Joe Perches for suggesting coccinelle for 0/1 -> true/false). Cc: "David S. Miller" Cc: netdev@vger.kernel.org Signed-off-by: Rusty Russell Signed-off-by: David S. Miller

netfilter: add ipv6 reverse path filter match

2011-12-13T10:34:43Z

This is not merged with the ipv4 match into xt_rpfilter.c to avoid ipv6 module dependency issues. Signed-off-by: Florian Westphal Acked-by: David S. Miller Signed-off-by: Pablo Neira Ayuso

ipv6: Add fragment reporting to ipv6_skip_exthdr().

2011-12-03T17:35:10Z

While parsing through IPv6 extension headers, fragment headers are skipped making them invisible to the caller. This reports the fragment offset of the last header in order to make it possible to determine whether the packet is fragmented and, if so whether it is a first or last fragment. Signed-off-by: Jesse Gross

net: dont call jump_label_dec from irq context

2011-11-29T05:26:25Z

Igor Maravic reported an error caused by jump_label_dec() being called from IRQ context : BUG: sleeping function called from invalid context at kernel/mutex.c:271 in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper 1 lock held by swapper/0: #0: (&n->timer){+.-...}, at: [] call_timer_fn+0x0/0x340 Pid: 0, comm: swapper Not tainted 3.2.0-rc2-net-next-mpls+ #1 Call Trace: [] __might_sleep+0x137/0x1f0 [] mutex_lock_nested+0x2f/0x370 [] ? trace_hardirqs_off+0xd/0x10 [] ? local_clock+0x6f/0x80 [] ? lock_release_holdtime.part.22+0x15/0x1a0 [] ? sock_def_write_space+0x59/0x160 [] ? arp_error_report+0x3e/0x90 [] atomic_dec_and_mutex_lock+0x5d/0x80 [] jump_label_dec+0x1d/0x50 [] net_disable_timestamp+0x15/0x20 [] sock_disable_timestamp+0x45/0x50 [] __sk_free+0x80/0x200 [] ? sk_send_sigurg+0x70/0x70 [] ? arp_error_report+0x3e/0x90 [] sock_wfree+0x3a/0x70 [] skb_release_head_state+0x70/0x120 [] __kfree_skb+0x16/0x30 [] kfree_skb+0x49/0x170 [] arp_error_report+0x3e/0x90 [] neigh_invalidate+0x89/0xc0 [] neigh_timer_handler+0x9e/0x2a0 [] ? neigh_update+0x640/0x640 [] __do_softirq+0xc8/0x3a0 Since jump_label_{inc|dec} must be called from process context only, we must defer jump_label_dec() if net_disable_timestamp() is called from interrupt context. Reported-by: Igor Maravic Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2011-11-26T19:47:03Z

Conflicts: net/ipv4/inet_diag.c

netfilter: Remove NOTRACK/RAW dependency on NETFILTER_ADVANCED.

2011-11-23T21:07:00Z

Distributions are using this in their default scripts, so don't hide them behind the advanced setting. Reported-by: Linus Torvalds Signed-off-by: David S. Miller

net: remove ipv6_addr_copy()

2011-11-22T21:43:32Z

C assignment can handle struct in6_addr copying. Signed-off-by: Alexey Dobriyan Signed-off-by: David S. Miller