Merge remote-tracking branch 'wireless-next/master' into mac80211-next

9 files changed, 48 insertions, 70 deletions

diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 95c2b2689a03..7db9954f1af2 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -580,15 +580,13 @@ static struct aa_namespace *__next_namespace(struct aa_namespace *root,
 
         /* check if the next ns is a sibling, parent, gp, .. */
         parent = ns->parent;
-        while (parent) {
+        while (ns != root) {
                 mutex_unlock(&ns->lock);
                 next = list_entry_next(ns, base.list);
                 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
                         mutex_lock(&next->lock);
                         return next;
                 }
-                if (parent == root)
-                        return NULL;
                 ns = parent;
                 parent = parent->parent;
         }
diff --git a/security/apparmor/crypto.c b/security/apparmor/crypto.c
index d6222ba4e919..532471d0b3a0 100644
--- a/security/apparmor/crypto.c
+++ b/security/apparmor/crypto.c
@@ -15,14 +15,14 @@
  * it should be.
  */
 
-#include <linux/crypto.h>
+#include <crypto/hash.h>
 
 #include "include/apparmor.h"
 #include "include/crypto.h"
 
 static unsigned int apparmor_hash_size;
 
-static struct crypto_hash *apparmor_tfm;
+static struct crypto_shash *apparmor_tfm;
 
 unsigned int aa_hash_size(void)
 {
@@ -32,35 +32,33 @@ unsigned int aa_hash_size(void)
 int aa_calc_profile_hash(struct aa_profile *profile, u32 version, void *start,
                          size_t len)
 {
-        struct scatterlist sg[2];
-        struct hash_desc desc = {
-                .tfm = apparmor_tfm,
-                .flags = 0
-        };
+        struct {
+                struct shash_desc shash;
+                char ctx[crypto_shash_descsize(apparmor_tfm)];
+        } desc;
         int error = -ENOMEM;
         u32 le32_version = cpu_to_le32(version);
 
         if (!apparmor_tfm)
                 return 0;
 
-        sg_init_table(sg, 2);
-        sg_set_buf(&sg[0], &le32_version, 4);
-        sg_set_buf(&sg[1], (u8 *) start, len);
-
         profile->hash = kzalloc(apparmor_hash_size, GFP_KERNEL);
         if (!profile->hash)
                 goto fail;
 
-        error = crypto_hash_init(&desc);
+        desc.shash.tfm = apparmor_tfm;
+        desc.shash.flags = 0;
+
+        error = crypto_shash_init(&desc.shash);
         if (error)
                 goto fail;
-        error = crypto_hash_update(&desc, &sg[0], 4);
+        error = crypto_shash_update(&desc.shash, (u8 *) &le32_version, 4);
         if (error)
                 goto fail;
-        error = crypto_hash_update(&desc, &sg[1], len);
+        error = crypto_shash_update(&desc.shash, (u8 *) start, len);
         if (error)
                 goto fail;
-        error = crypto_hash_final(&desc, profile->hash);
+        error = crypto_shash_final(&desc.shash, profile->hash);
         if (error)
                 goto fail;
 
@@ -75,19 +73,19 @@ fail:
 
 static int __init init_profile_hash(void)
 {
-        struct crypto_hash *tfm;
+        struct crypto_shash *tfm;
 
         if (!apparmor_initialized)
                 return 0;
 
-        tfm = crypto_alloc_hash("sha1", 0, CRYPTO_ALG_ASYNC);
+        tfm = crypto_alloc_shash("sha1", 0, CRYPTO_ALG_ASYNC);
         if (IS_ERR(tfm)) {
                 int error = PTR_ERR(tfm);
                 AA_ERROR("failed to setup profile sha1 hashing: %d\n", error);
                 return error;
         }
         apparmor_tfm = tfm;
-        apparmor_hash_size = crypto_hash_digestsize(apparmor_tfm);
+        apparmor_hash_size = crypto_shash_digestsize(apparmor_tfm);
 
         aa_info_message("AppArmor sha1 policy hashing enabled");
 
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index f2d4b6348cbc..c28b0f20ab53 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -360,7 +360,9 @@ static inline void aa_put_replacedby(struct aa_replacedby *p)
 static inline void __aa_update_replacedby(struct aa_profile *orig,
                                           struct aa_profile *new)
 {
-        struct aa_profile *tmp = rcu_dereference(orig->replacedby->profile);
+        struct aa_profile *tmp;
+        tmp = rcu_dereference_protected(orig->replacedby->profile,
+                                        mutex_is_locked(&orig->ns->lock));
         rcu_assign_pointer(orig->replacedby->profile, aa_get_profile(new));
         orig->flags |= PFLAG_INVALID;
         aa_put_profile(tmp);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 6172509fa2b7..705c2879d3a9 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -563,7 +563,8 @@ void __init aa_free_root_ns(void)
 static void free_replacedby(struct aa_replacedby *r)
 {
         if (r) {
-                aa_put_profile(rcu_dereference(r->profile));
+                /* r->profile will not be updated any more as r is dead */
+                aa_put_profile(rcu_dereference_protected(r->profile, true));
                 kzfree(r);
         }
 }
@@ -609,6 +610,7 @@ void aa_free_profile(struct aa_profile *profile)
         aa_put_dfa(profile->policy.dfa);
         aa_put_replacedby(profile->replacedby);
 
+        kzfree(profile->hash);
         kzfree(profile);
 }
 
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index c123628d3f84..7c2a0a71049e 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -63,16 +63,6 @@ static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
 
 struct cgroup_subsys devices_subsys;
 
-static int devcgroup_can_attach(struct cgroup_subsys_state *new_css,
-                                struct cgroup_taskset *set)
-{
-        struct task_struct *task = cgroup_taskset_first(set);
-
-        if (current != task && !capable(CAP_SYS_ADMIN))
-                return -EPERM;
-        return 0;
-}
-
 /*
  * called under devcgroup_mutex
  */
@@ -697,7 +687,6 @@ static struct cftype dev_cgroup_files[] = {
 
 struct cgroup_subsys devices_subsys = {
         .name = "devices",
-        .can_attach = devcgroup_can_attach,
         .css_alloc = devcgroup_css_alloc,
         .css_free = devcgroup_css_free,
         .css_online = devcgroup_online,
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 8d8d97dbb389..234bc2ab450c 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -302,18 +302,19 @@ static void dump_common_audit_data(struct audit_buffer *ab,
                                                 "faddr", "fport");
                                 break;
                         }
+#if IS_ENABLED(CONFIG_IPV6)
                         case AF_INET6: {
                                 struct inet_sock *inet = inet_sk(sk);
-                                struct ipv6_pinfo *inet6 = inet6_sk(sk);
 
-                                print_ipv6_addr(ab, &inet6->rcv_saddr,
+                                print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr,
                                                 inet->inet_sport,
                                                 "laddr", "lport");
-                                print_ipv6_addr(ab, &inet6->daddr,
+                                print_ipv6_addr(ab, &sk->sk_v6_daddr,
                                                 inet->inet_dport,
                                                 "faddr", "fport");
                                 break;
                         }
+#endif
                         case AF_UNIX:
                                 u = unix_sk(sk);
                                 if (u->path.dentry) {
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index dad36a6ab45f..fc3e6628a864 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -746,7 +746,6 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * @tclass: target security class
  * @requested: requested permissions, interpreted based on @tclass
  * @auditdata: auxiliary audit data
- * @flags: VFS walk flags
  *
  * Check the AVC to determine whether the @requested permissions are granted
  * for the SID pair (@ssid, @tsid), interpreting the permissions
@@ -756,17 +755,15 @@ inline int avc_has_perm_noaudit(u32 ssid, u32 tsid,
  * permissions are granted, -%EACCES if any permissions are denied, or
  * another -errno upon other errors.
  */
-int avc_has_perm_flags(u32 ssid, u32 tsid, u16 tclass,
-                       u32 requested, struct common_audit_data *auditdata,
-                       unsigned flags)
+int avc_has_perm(u32 ssid, u32 tsid, u16 tclass,
+                 u32 requested, struct common_audit_data *auditdata)
 {
         struct av_decision avd;
         int rc, rc2;
 
         rc = avc_has_perm_noaudit(ssid, tsid, tclass, requested, 0, &avd);
 
-        rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata,
-                        flags);
+        rc2 = avc_audit(ssid, tsid, tclass, requested, &avd, rc, auditdata);
         if (rc2)
                 return rc2;
         return rc;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a5091ec06aa6..c540795fb3f2 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1502,7 +1502,7 @@ static int cred_has_capability(const struct cred *cred,
 
         rc = avc_has_perm_noaudit(sid, sid, sclass, av, 0, &avd);
         if (audit == SECURITY_CAP_AUDIT) {
-                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad, 0);
+                int rc2 = avc_audit(sid, sid, sclass, av, &avd, rc, &ad);
                 if (rc2)
                         return rc2;
         }
@@ -1525,8 +1525,7 @@ static int task_has_system(struct task_struct *tsk,
 static int inode_has_perm(const struct cred *cred,
                           struct inode *inode,
                           u32 perms,
-                          struct common_audit_data *adp,
-                          unsigned flags)
+                          struct common_audit_data *adp)
 {
         struct inode_security_struct *isec;
         u32 sid;
@@ -1539,7 +1538,7 @@ static int inode_has_perm(const struct cred *cred,
         sid = cred_sid(cred);
         isec = inode->i_security;
 
-        return avc_has_perm_flags(sid, isec->sid, isec->sclass, perms, adp, flags);
+        return avc_has_perm(sid, isec->sid, isec->sclass, perms, adp);
 }
 
 /* Same as inode_has_perm, but pass explicit audit data containing
@@ -1554,7 +1553,7 @@ static inline int dentry_has_perm(const struct cred *cred,
 
         ad.type = LSM_AUDIT_DATA_DENTRY;
         ad.u.dentry = dentry;
-        return inode_has_perm(cred, inode, av, &ad, 0);
+        return inode_has_perm(cred, inode, av, &ad);
 }
 
 /* Same as inode_has_perm, but pass explicit audit data containing
@@ -1569,7 +1568,7 @@ static inline int path_has_perm(const struct cred *cred,
 
         ad.type = LSM_AUDIT_DATA_PATH;
         ad.u.path = *path;
-        return inode_has_perm(cred, inode, av, &ad, 0);
+        return inode_has_perm(cred, inode, av, &ad);
 }
 
 /* Same as path_has_perm, but uses the inode from the file struct. */
@@ -1581,7 +1580,7 @@ static inline int file_path_has_perm(const struct cred *cred,
 
         ad.type = LSM_AUDIT_DATA_PATH;
         ad.u.path = file->f_path;
-        return inode_has_perm(cred, file_inode(file), av, &ad, 0);
+        return inode_has_perm(cred, file_inode(file), av, &ad);
 }
 
 /* Check whether a task can use an open file descriptor to
@@ -1617,7 +1616,7 @@ static int file_has_perm(const struct cred *cred,
         /* av is zero if only checking access to the descriptor. */
         rc = 0;
         if (av)
-                rc = inode_has_perm(cred, inode, av, &ad, 0);
+                rc = inode_has_perm(cred, inode, av, &ad);
 
 out:
         return rc;
@@ -3929,7 +3928,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
                 if (snum) {
                         int low, high;
 
-                        inet_get_local_port_range(&low, &high);
+                        inet_get_local_port_range(sock_net(sk), &low, &high);
 
                         if (snum < max(PROT_SOCK, low) || snum > high) {
                                 err = sel_netport_sid(sk->sk_protocol,
@@ -4668,7 +4667,7 @@ static unsigned int selinux_ip_forward(struct sk_buff *skb, int ifindex,
         return NF_ACCEPT;
 }
 
-static unsigned int selinux_ipv4_forward(unsigned int hooknum,
+static unsigned int selinux_ipv4_forward(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
                                          const struct net_device *in,
                                          const struct net_device *out,
@@ -4678,7 +4677,7 @@ static unsigned int selinux_ipv4_forward(unsigned int hooknum,
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-static unsigned int selinux_ipv6_forward(unsigned int hooknum,
+static unsigned int selinux_ipv6_forward(const struct nf_hook_ops *ops,
                                          struct sk_buff *skb,
                                          const struct net_device *in,
                                          const struct net_device *out,
@@ -4710,7 +4709,7 @@ static unsigned int selinux_ip_output(struct sk_buff *skb,
         return NF_ACCEPT;
 }
 
-static unsigned int selinux_ipv4_output(unsigned int hooknum,
+static unsigned int selinux_ipv4_output(const struct nf_hook_ops *ops,
                                         struct sk_buff *skb,
                                         const struct net_device *in,
                                         const struct net_device *out,
@@ -4837,7 +4836,7 @@ static unsigned int selinux_ip_postroute(struct sk_buff *skb, int ifindex,
         return NF_ACCEPT;
 }
 
-static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
+static unsigned int selinux_ipv4_postroute(const struct nf_hook_ops *ops,
                                            struct sk_buff *skb,
                                            const struct net_device *in,
                                            const struct net_device *out,
@@ -4847,7 +4846,7 @@ static unsigned int selinux_ipv4_postroute(unsigned int hooknum,
 }
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-static unsigned int selinux_ipv6_postroute(unsigned int hooknum,
+static unsigned int selinux_ipv6_postroute(const struct nf_hook_ops *ops,
                                            struct sk_buff *skb,
                                            const struct net_device *in,
                                            const struct net_device *out,
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index 92d0ab561db8..f53ee3c58d0f 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -130,7 +130,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
                             u16 tclass, u32 requested,
                             struct av_decision *avd,
                             int result,
-                            struct common_audit_data *a, unsigned flags)
+                            struct common_audit_data *a)
 {
         u32 audited, denied;
         audited = avc_audit_required(requested, avd, result, 0, &denied);
@@ -138,7 +138,7 @@ static inline int avc_audit(u32 ssid, u32 tsid,
                 return 0;
         return slow_avc_audit(ssid, tsid, tclass,
                               requested, audited, denied,
-                              a, flags);
+                              a, 0);
 }
 
 #define AVC_STRICT 1 /* Ignore permissive mode. */
@@ -147,17 +147,9 @@ int avc_has_perm_noaudit(u32 ssid, u32 tsid,
                          unsigned flags,
                          struct av_decision *avd);
 
-int avc_has_perm_flags(u32 ssid, u32 tsid,
-                       u16 tclass, u32 requested,
-                       struct common_audit_data *auditdata,
-                       unsigned);
-
-static inline int avc_has_perm(u32 ssid, u32 tsid,
-                               u16 tclass, u32 requested,
-                               struct common_audit_data *auditdata)
-{
-        return avc_has_perm_flags(ssid, tsid, tclass, requested, auditdata, 0);
-}
+int avc_has_perm(u32 ssid, u32 tsid,
+                 u16 tclass, u32 requested,
+                 struct common_audit_data *auditdata);
 
 u32 avc_policy_seqno(void);