diff options
author | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
---|---|---|
committer | Paul Moore <paul.moore@hp.com> | 2008-10-10 10:16:31 -0400 |
commit | b1edeb102397546438ab4624489c6ccd7b410d97 (patch) | |
tree | ce7033f678ffe46ec3f517bb2771b9cbb04d62bb /net/netlabel | |
parent | a8134296ba9940b5b271d908666e532d34430a3c (diff) |
netlabel: Replace protocol/NetLabel linking with refrerence counts
NetLabel has always had a list of backpointers in the CIPSO DOI definition
structure which pointed to the NetLabel LSM domain mapping structures which
referenced the CIPSO DOI struct. The rationale for this was that when an
administrator removed a CIPSO DOI from the system all of the associated
NetLabel LSM domain mappings should be removed as well; a list of
backpointers made this a simple operation.
Unfortunately, while the backpointers did make the removal easier they were
a bit of a mess from an implementation point of view which was making
further development difficult. Since the removal of a CIPSO DOI is a
realtively rare event it seems to make sense to remove this backpointer
list as the optimization was hurting us more then it was helping. However,
we still need to be able to track when a CIPSO DOI definition is being used
so replace the backpointer list with a reference count. In order to
preserve the current functionality of removing the associated LSM domain
mappings when a CIPSO DOI is removed we walk the LSM domain mapping table,
removing the relevant entries.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Reviewed-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'net/netlabel')
-rw-r--r-- | net/netlabel/netlabel_cipso_v4.c | 77 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.c | 95 | ||||
-rw-r--r-- | net/netlabel/netlabel_domainhash.h | 2 | ||||
-rw-r--r-- | net/netlabel/netlabel_kapi.c | 43 | ||||
-rw-r--r-- | net/netlabel/netlabel_mgmt.c | 24 |
5 files changed, 123 insertions, 118 deletions
diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index aaf50032b3ac..5c4f60bbc82d 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c | |||
@@ -43,6 +43,7 @@ | |||
43 | #include "netlabel_user.h" | 43 | #include "netlabel_user.h" |
44 | #include "netlabel_cipso_v4.h" | 44 | #include "netlabel_cipso_v4.h" |
45 | #include "netlabel_mgmt.h" | 45 | #include "netlabel_mgmt.h" |
46 | #include "netlabel_domainhash.h" | ||
46 | 47 | ||
47 | /* Argument struct for cipso_v4_doi_walk() */ | 48 | /* Argument struct for cipso_v4_doi_walk() */ |
48 | struct netlbl_cipsov4_doiwalk_arg { | 49 | struct netlbl_cipsov4_doiwalk_arg { |
@@ -51,6 +52,12 @@ struct netlbl_cipsov4_doiwalk_arg { | |||
51 | u32 seq; | 52 | u32 seq; |
52 | }; | 53 | }; |
53 | 54 | ||
55 | /* Argument struct for netlbl_domhsh_walk() */ | ||
56 | struct netlbl_domhsh_walk_arg { | ||
57 | struct netlbl_audit *audit_info; | ||
58 | u32 doi; | ||
59 | }; | ||
60 | |||
54 | /* NetLabel Generic NETLINK CIPSOv4 family */ | 61 | /* NetLabel Generic NETLINK CIPSOv4 family */ |
55 | static struct genl_family netlbl_cipsov4_gnl_family = { | 62 | static struct genl_family netlbl_cipsov4_gnl_family = { |
56 | .id = GENL_ID_GENERATE, | 63 | .id = GENL_ID_GENERATE, |
@@ -81,32 +88,6 @@ static const struct nla_policy netlbl_cipsov4_genl_policy[NLBL_CIPSOV4_A_MAX + 1 | |||
81 | */ | 88 | */ |
82 | 89 | ||
83 | /** | 90 | /** |
84 | * netlbl_cipsov4_doi_free - Frees a CIPSO V4 DOI definition | ||
85 | * @entry: the entry's RCU field | ||
86 | * | ||
87 | * Description: | ||
88 | * This function is designed to be used as a callback to the call_rcu() | ||
89 | * function so that the memory allocated to the DOI definition can be released | ||
90 | * safely. | ||
91 | * | ||
92 | */ | ||
93 | void netlbl_cipsov4_doi_free(struct rcu_head *entry) | ||
94 | { | ||
95 | struct cipso_v4_doi *ptr; | ||
96 | |||
97 | ptr = container_of(entry, struct cipso_v4_doi, rcu); | ||
98 | switch (ptr->type) { | ||
99 | case CIPSO_V4_MAP_STD: | ||
100 | kfree(ptr->map.std->lvl.cipso); | ||
101 | kfree(ptr->map.std->lvl.local); | ||
102 | kfree(ptr->map.std->cat.cipso); | ||
103 | kfree(ptr->map.std->cat.local); | ||
104 | break; | ||
105 | } | ||
106 | kfree(ptr); | ||
107 | } | ||
108 | |||
109 | /** | ||
110 | * netlbl_cipsov4_add_common - Parse the common sections of a ADD message | 91 | * netlbl_cipsov4_add_common - Parse the common sections of a ADD message |
111 | * @info: the Generic NETLINK info block | 92 | * @info: the Generic NETLINK info block |
112 | * @doi_def: the CIPSO V4 DOI definition | 93 | * @doi_def: the CIPSO V4 DOI definition |
@@ -342,7 +323,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info) | |||
342 | 323 | ||
343 | add_std_failure: | 324 | add_std_failure: |
344 | if (doi_def) | 325 | if (doi_def) |
345 | netlbl_cipsov4_doi_free(&doi_def->rcu); | 326 | cipso_v4_doi_free(doi_def); |
346 | return ret_val; | 327 | return ret_val; |
347 | } | 328 | } |
348 | 329 | ||
@@ -379,7 +360,7 @@ static int netlbl_cipsov4_add_pass(struct genl_info *info) | |||
379 | return 0; | 360 | return 0; |
380 | 361 | ||
381 | add_pass_failure: | 362 | add_pass_failure: |
382 | netlbl_cipsov4_doi_free(&doi_def->rcu); | 363 | cipso_v4_doi_free(doi_def); |
383 | return ret_val; | 364 | return ret_val; |
384 | } | 365 | } |
385 | 366 | ||
@@ -668,6 +649,29 @@ static int netlbl_cipsov4_listall(struct sk_buff *skb, | |||
668 | } | 649 | } |
669 | 650 | ||
670 | /** | 651 | /** |
652 | * netlbl_cipsov4_remove_cb - netlbl_cipsov4_remove() callback for REMOVE | ||
653 | * @entry: LSM domain mapping entry | ||
654 | * @arg: the netlbl_domhsh_walk_arg structure | ||
655 | * | ||
656 | * Description: | ||
657 | * This function is intended for use by netlbl_cipsov4_remove() as the callback | ||
658 | * for the netlbl_domhsh_walk() function; it removes LSM domain map entries | ||
659 | * which are associated with the CIPSO DOI specified in @arg. Returns zero on | ||
660 | * success, negative values on failure. | ||
661 | * | ||
662 | */ | ||
663 | static int netlbl_cipsov4_remove_cb(struct netlbl_dom_map *entry, void *arg) | ||
664 | { | ||
665 | struct netlbl_domhsh_walk_arg *cb_arg = arg; | ||
666 | |||
667 | if (entry->type == NETLBL_NLTYPE_CIPSOV4 && | ||
668 | entry->type_def.cipsov4->doi == cb_arg->doi) | ||
669 | return netlbl_domhsh_remove_entry(entry, cb_arg->audit_info); | ||
670 | |||
671 | return 0; | ||
672 | } | ||
673 | |||
674 | /** | ||
671 | * netlbl_cipsov4_remove - Handle a REMOVE message | 675 | * netlbl_cipsov4_remove - Handle a REMOVE message |
672 | * @skb: the NETLINK buffer | 676 | * @skb: the NETLINK buffer |
673 | * @info: the Generic NETLINK info block | 677 | * @info: the Generic NETLINK info block |
@@ -681,8 +685,11 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | |||
681 | { | 685 | { |
682 | int ret_val = -EINVAL; | 686 | int ret_val = -EINVAL; |
683 | u32 doi = 0; | 687 | u32 doi = 0; |
688 | struct netlbl_domhsh_walk_arg cb_arg; | ||
684 | struct audit_buffer *audit_buf; | 689 | struct audit_buffer *audit_buf; |
685 | struct netlbl_audit audit_info; | 690 | struct netlbl_audit audit_info; |
691 | u32 skip_bkt = 0; | ||
692 | u32 skip_chain = 0; | ||
686 | 693 | ||
687 | if (!info->attrs[NLBL_CIPSOV4_A_DOI]) | 694 | if (!info->attrs[NLBL_CIPSOV4_A_DOI]) |
688 | return -EINVAL; | 695 | return -EINVAL; |
@@ -690,11 +697,15 @@ static int netlbl_cipsov4_remove(struct sk_buff *skb, struct genl_info *info) | |||
690 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); | 697 | doi = nla_get_u32(info->attrs[NLBL_CIPSOV4_A_DOI]); |
691 | netlbl_netlink_auditinfo(skb, &audit_info); | 698 | netlbl_netlink_auditinfo(skb, &audit_info); |
692 | 699 | ||
693 | ret_val = cipso_v4_doi_remove(doi, | 700 | cb_arg.doi = doi; |
694 | &audit_info, | 701 | cb_arg.audit_info = &audit_info; |
695 | netlbl_cipsov4_doi_free); | 702 | ret_val = netlbl_domhsh_walk(&skip_bkt, &skip_chain, |
696 | if (ret_val == 0) | 703 | netlbl_cipsov4_remove_cb, &cb_arg); |
697 | atomic_dec(&netlabel_mgmt_protocount); | 704 | if (ret_val == 0 || ret_val == -ENOENT) { |
705 | ret_val = cipso_v4_doi_remove(doi, &audit_info); | ||
706 | if (ret_val == 0) | ||
707 | atomic_dec(&netlabel_mgmt_protocount); | ||
708 | } | ||
698 | 709 | ||
699 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, | 710 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_DEL, |
700 | &audit_info); | 711 | &audit_info); |
diff --git a/net/netlabel/netlabel_domainhash.c b/net/netlabel/netlabel_domainhash.c index dc42206c4312..0243f0c57b41 100644 --- a/net/netlabel/netlabel_domainhash.c +++ b/net/netlabel/netlabel_domainhash.c | |||
@@ -217,20 +217,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
217 | u32 bkt; | 217 | u32 bkt; |
218 | struct audit_buffer *audit_buf; | 218 | struct audit_buffer *audit_buf; |
219 | 219 | ||
220 | switch (entry->type) { | ||
221 | case NETLBL_NLTYPE_UNLABELED: | ||
222 | ret_val = 0; | ||
223 | break; | ||
224 | case NETLBL_NLTYPE_CIPSOV4: | ||
225 | ret_val = cipso_v4_doi_domhsh_add(entry->type_def.cipsov4, | ||
226 | entry->domain); | ||
227 | break; | ||
228 | default: | ||
229 | return -EINVAL; | ||
230 | } | ||
231 | if (ret_val != 0) | ||
232 | return ret_val; | ||
233 | |||
234 | entry->valid = 1; | 220 | entry->valid = 1; |
235 | INIT_RCU_HEAD(&entry->rcu); | 221 | INIT_RCU_HEAD(&entry->rcu); |
236 | 222 | ||
@@ -271,16 +257,6 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
271 | } | 257 | } |
272 | rcu_read_unlock(); | 258 | rcu_read_unlock(); |
273 | 259 | ||
274 | if (ret_val != 0) { | ||
275 | switch (entry->type) { | ||
276 | case NETLBL_NLTYPE_CIPSOV4: | ||
277 | if (cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4, | ||
278 | entry->domain) != 0) | ||
279 | BUG(); | ||
280 | break; | ||
281 | } | ||
282 | } | ||
283 | |||
284 | return ret_val; | 260 | return ret_val; |
285 | } | 261 | } |
286 | 262 | ||
@@ -302,35 +278,26 @@ int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, | |||
302 | } | 278 | } |
303 | 279 | ||
304 | /** | 280 | /** |
305 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | 281 | * netlbl_domhsh_remove_entry - Removes a given entry from the domain table |
306 | * @domain: the domain to remove | 282 | * @entry: the entry to remove |
307 | * @audit_info: NetLabel audit information | 283 | * @audit_info: NetLabel audit information |
308 | * | 284 | * |
309 | * Description: | 285 | * Description: |
310 | * Removes an entry from the domain hash table and handles any updates to the | 286 | * Removes an entry from the domain hash table and handles any updates to the |
311 | * lower level protocol handler (i.e. CIPSO). Returns zero on success, | 287 | * lower level protocol handler (i.e. CIPSO). Caller is responsible for |
312 | * negative on failure. | 288 | * ensuring that the RCU read lock is held. Returns zero on success, negative |
289 | * on failure. | ||
313 | * | 290 | * |
314 | */ | 291 | */ |
315 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | 292 | int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, |
293 | struct netlbl_audit *audit_info) | ||
316 | { | 294 | { |
317 | int ret_val = -ENOENT; | 295 | int ret_val = 0; |
318 | struct netlbl_dom_map *entry; | ||
319 | struct audit_buffer *audit_buf; | 296 | struct audit_buffer *audit_buf; |
320 | 297 | ||
321 | rcu_read_lock(); | ||
322 | if (domain) | ||
323 | entry = netlbl_domhsh_search(domain); | ||
324 | else | ||
325 | entry = netlbl_domhsh_search_def(domain); | ||
326 | if (entry == NULL) | 298 | if (entry == NULL) |
327 | goto remove_return; | 299 | return -ENOENT; |
328 | switch (entry->type) { | 300 | |
329 | case NETLBL_NLTYPE_CIPSOV4: | ||
330 | cipso_v4_doi_domhsh_remove(entry->type_def.cipsov4, | ||
331 | entry->domain); | ||
332 | break; | ||
333 | } | ||
334 | spin_lock(&netlbl_domhsh_lock); | 301 | spin_lock(&netlbl_domhsh_lock); |
335 | if (entry->valid) { | 302 | if (entry->valid) { |
336 | entry->valid = 0; | 303 | entry->valid = 0; |
@@ -338,8 +305,8 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
338 | list_del_rcu(&entry->list); | 305 | list_del_rcu(&entry->list); |
339 | else | 306 | else |
340 | rcu_assign_pointer(netlbl_domhsh_def, NULL); | 307 | rcu_assign_pointer(netlbl_domhsh_def, NULL); |
341 | ret_val = 0; | 308 | } else |
342 | } | 309 | ret_val = -ENOENT; |
343 | spin_unlock(&netlbl_domhsh_lock); | 310 | spin_unlock(&netlbl_domhsh_lock); |
344 | 311 | ||
345 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); | 312 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_MAP_DEL, audit_info); |
@@ -351,10 +318,42 @@ int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | |||
351 | audit_log_end(audit_buf); | 318 | audit_log_end(audit_buf); |
352 | } | 319 | } |
353 | 320 | ||
354 | remove_return: | 321 | if (ret_val == 0) { |
355 | rcu_read_unlock(); | 322 | switch (entry->type) { |
356 | if (ret_val == 0) | 323 | case NETLBL_NLTYPE_CIPSOV4: |
324 | cipso_v4_doi_putdef(entry->type_def.cipsov4); | ||
325 | break; | ||
326 | } | ||
357 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); | 327 | call_rcu(&entry->rcu, netlbl_domhsh_free_entry); |
328 | } | ||
329 | |||
330 | return ret_val; | ||
331 | } | ||
332 | |||
333 | /** | ||
334 | * netlbl_domhsh_remove - Removes an entry from the domain hash table | ||
335 | * @domain: the domain to remove | ||
336 | * @audit_info: NetLabel audit information | ||
337 | * | ||
338 | * Description: | ||
339 | * Removes an entry from the domain hash table and handles any updates to the | ||
340 | * lower level protocol handler (i.e. CIPSO). Returns zero on success, | ||
341 | * negative on failure. | ||
342 | * | ||
343 | */ | ||
344 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info) | ||
345 | { | ||
346 | int ret_val; | ||
347 | struct netlbl_dom_map *entry; | ||
348 | |||
349 | rcu_read_lock(); | ||
350 | if (domain) | ||
351 | entry = netlbl_domhsh_search(domain); | ||
352 | else | ||
353 | entry = netlbl_domhsh_search_def(domain); | ||
354 | ret_val = netlbl_domhsh_remove_entry(entry, audit_info); | ||
355 | rcu_read_unlock(); | ||
356 | |||
358 | return ret_val; | 357 | return ret_val; |
359 | } | 358 | } |
360 | 359 | ||
diff --git a/net/netlabel/netlabel_domainhash.h b/net/netlabel/netlabel_domainhash.h index 8220990ceb96..afcc41a7432d 100644 --- a/net/netlabel/netlabel_domainhash.h +++ b/net/netlabel/netlabel_domainhash.h | |||
@@ -61,6 +61,8 @@ int netlbl_domhsh_add(struct netlbl_dom_map *entry, | |||
61 | struct netlbl_audit *audit_info); | 61 | struct netlbl_audit *audit_info); |
62 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, | 62 | int netlbl_domhsh_add_default(struct netlbl_dom_map *entry, |
63 | struct netlbl_audit *audit_info); | 63 | struct netlbl_audit *audit_info); |
64 | int netlbl_domhsh_remove_entry(struct netlbl_dom_map *entry, | ||
65 | struct netlbl_audit *audit_info); | ||
64 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); | 66 | int netlbl_domhsh_remove(const char *domain, struct netlbl_audit *audit_info); |
65 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); | 67 | int netlbl_domhsh_remove_default(struct netlbl_audit *audit_info); |
66 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); | 68 | struct netlbl_dom_map *netlbl_domhsh_getentry(const char *domain); |
diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c index 22faba620e4b..7d8ecea93914 100644 --- a/net/netlabel/netlabel_kapi.c +++ b/net/netlabel/netlabel_kapi.c | |||
@@ -121,10 +121,15 @@ int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, | |||
121 | struct netlbl_audit *audit_info) | 121 | struct netlbl_audit *audit_info) |
122 | { | 122 | { |
123 | int ret_val = -ENOMEM; | 123 | int ret_val = -ENOMEM; |
124 | u32 doi; | ||
125 | u32 doi_type; | ||
124 | struct netlbl_dom_map *entry; | 126 | struct netlbl_dom_map *entry; |
125 | const char *type_str; | 127 | const char *type_str; |
126 | struct audit_buffer *audit_buf; | 128 | struct audit_buffer *audit_buf; |
127 | 129 | ||
130 | doi = doi_def->doi; | ||
131 | doi_type = doi_def->type; | ||
132 | |||
128 | entry = kzalloc(sizeof(*entry), GFP_ATOMIC); | 133 | entry = kzalloc(sizeof(*entry), GFP_ATOMIC); |
129 | if (entry == NULL) | 134 | if (entry == NULL) |
130 | return -ENOMEM; | 135 | return -ENOMEM; |
@@ -133,32 +138,25 @@ int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, | |||
133 | if (entry->domain == NULL) | 138 | if (entry->domain == NULL) |
134 | goto cfg_cipsov4_add_map_failure; | 139 | goto cfg_cipsov4_add_map_failure; |
135 | } | 140 | } |
136 | entry->type = NETLBL_NLTYPE_CIPSOV4; | ||
137 | entry->type_def.cipsov4 = doi_def; | ||
138 | |||
139 | /* Grab a RCU read lock here so nothing happens to the doi_def variable | ||
140 | * between adding it to the CIPSOv4 protocol engine and adding a | ||
141 | * domain mapping for it. */ | ||
142 | 141 | ||
143 | rcu_read_lock(); | ||
144 | ret_val = cipso_v4_doi_add(doi_def); | 142 | ret_val = cipso_v4_doi_add(doi_def); |
145 | if (ret_val != 0) | 143 | if (ret_val != 0) |
146 | goto cfg_cipsov4_add_map_failure_unlock; | 144 | goto cfg_cipsov4_add_map_failure_remove_doi; |
145 | entry->type = NETLBL_NLTYPE_CIPSOV4; | ||
146 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(doi); | ||
147 | if (entry->type_def.cipsov4 == NULL) { | ||
148 | ret_val = -ENOENT; | ||
149 | goto cfg_cipsov4_add_map_failure_remove_doi; | ||
150 | } | ||
147 | ret_val = netlbl_domhsh_add(entry, audit_info); | 151 | ret_val = netlbl_domhsh_add(entry, audit_info); |
148 | if (ret_val != 0) | 152 | if (ret_val != 0) |
149 | goto cfg_cipsov4_add_map_failure_remove_doi; | 153 | goto cfg_cipsov4_add_map_failure_release_doi; |
150 | rcu_read_unlock(); | ||
151 | |||
152 | return 0; | ||
153 | 154 | ||
154 | cfg_cipsov4_add_map_failure_remove_doi: | 155 | cfg_cipsov4_add_map_return: |
155 | cipso_v4_doi_remove(doi_def->doi, audit_info, netlbl_cipsov4_doi_free); | ||
156 | cfg_cipsov4_add_map_failure_unlock: | ||
157 | rcu_read_unlock(); | ||
158 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, | 156 | audit_buf = netlbl_audit_start_common(AUDIT_MAC_CIPSOV4_ADD, |
159 | audit_info); | 157 | audit_info); |
160 | if (audit_buf != NULL) { | 158 | if (audit_buf != NULL) { |
161 | switch (doi_def->type) { | 159 | switch (doi_type) { |
162 | case CIPSO_V4_MAP_STD: | 160 | case CIPSO_V4_MAP_STD: |
163 | type_str = "std"; | 161 | type_str = "std"; |
164 | break; | 162 | break; |
@@ -170,14 +168,21 @@ cfg_cipsov4_add_map_failure_unlock: | |||
170 | } | 168 | } |
171 | audit_log_format(audit_buf, | 169 | audit_log_format(audit_buf, |
172 | " cipso_doi=%u cipso_type=%s res=%u", | 170 | " cipso_doi=%u cipso_type=%s res=%u", |
173 | doi_def->doi, type_str, ret_val == 0 ? 1 : 0); | 171 | doi, type_str, ret_val == 0 ? 1 : 0); |
174 | audit_log_end(audit_buf); | 172 | audit_log_end(audit_buf); |
175 | } | 173 | } |
174 | |||
175 | return ret_val; | ||
176 | |||
177 | cfg_cipsov4_add_map_failure_release_doi: | ||
178 | cipso_v4_doi_putdef(doi_def); | ||
179 | cfg_cipsov4_add_map_failure_remove_doi: | ||
180 | cipso_v4_doi_remove(doi, audit_info); | ||
176 | cfg_cipsov4_add_map_failure: | 181 | cfg_cipsov4_add_map_failure: |
177 | if (entry != NULL) | 182 | if (entry != NULL) |
178 | kfree(entry->domain); | 183 | kfree(entry->domain); |
179 | kfree(entry); | 184 | kfree(entry); |
180 | return ret_val; | 185 | goto cfg_cipsov4_add_map_return; |
181 | } | 186 | } |
182 | 187 | ||
183 | /* | 188 | /* |
diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c index 44be5d5261f4..c4e18c7bc0c1 100644 --- a/net/netlabel/netlabel_mgmt.c +++ b/net/netlabel/netlabel_mgmt.c | |||
@@ -122,18 +122,12 @@ static int netlbl_mgmt_add(struct sk_buff *skb, struct genl_info *info) | |||
122 | goto add_failure; | 122 | goto add_failure; |
123 | 123 | ||
124 | tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CV4DOI]); | 124 | tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CV4DOI]); |
125 | /* We should be holding a rcu_read_lock() here while we hold | ||
126 | * the result but since the entry will always be deleted when | ||
127 | * the CIPSO DOI is deleted we aren't going to keep the | ||
128 | * lock. */ | ||
129 | rcu_read_lock(); | ||
130 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(tmp_val); | 125 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(tmp_val); |
131 | if (entry->type_def.cipsov4 == NULL) { | 126 | if (entry->type_def.cipsov4 == NULL) |
132 | rcu_read_unlock(); | ||
133 | goto add_failure; | 127 | goto add_failure; |
134 | } | ||
135 | ret_val = netlbl_domhsh_add(entry, &audit_info); | 128 | ret_val = netlbl_domhsh_add(entry, &audit_info); |
136 | rcu_read_unlock(); | 129 | if (ret_val != 0) |
130 | cipso_v4_doi_putdef(entry->type_def.cipsov4); | ||
137 | break; | 131 | break; |
138 | default: | 132 | default: |
139 | goto add_failure; | 133 | goto add_failure; |
@@ -294,18 +288,12 @@ static int netlbl_mgmt_adddef(struct sk_buff *skb, struct genl_info *info) | |||
294 | goto adddef_failure; | 288 | goto adddef_failure; |
295 | 289 | ||
296 | tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CV4DOI]); | 290 | tmp_val = nla_get_u32(info->attrs[NLBL_MGMT_A_CV4DOI]); |
297 | /* We should be holding a rcu_read_lock() here while we hold | ||
298 | * the result but since the entry will always be deleted when | ||
299 | * the CIPSO DOI is deleted we aren't going to keep the | ||
300 | * lock. */ | ||
301 | rcu_read_lock(); | ||
302 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(tmp_val); | 291 | entry->type_def.cipsov4 = cipso_v4_doi_getdef(tmp_val); |
303 | if (entry->type_def.cipsov4 == NULL) { | 292 | if (entry->type_def.cipsov4 == NULL) |
304 | rcu_read_unlock(); | ||
305 | goto adddef_failure; | 293 | goto adddef_failure; |
306 | } | ||
307 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); | 294 | ret_val = netlbl_domhsh_add_default(entry, &audit_info); |
308 | rcu_read_unlock(); | 295 | if (ret_val != 0) |
296 | cipso_v4_doi_putdef(entry->type_def.cipsov4); | ||
309 | break; | 297 | break; |
310 | default: | 298 | default: |
311 | goto adddef_failure; | 299 | goto adddef_failure; |