17 files changed, 46 insertions, 91 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index 998100093332..65ca451a764d 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -668,7 +668,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp);
 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 #define param_check_aabool param_check_bool
 static struct kernel_param_ops param_ops_aabool = {
-        .flags = KERNEL_PARAM_FL_NOARG,
+        .flags = KERNEL_PARAM_OPS_FL_NOARG,
        .set = param_set_aabool,
        .get = param_get_aabool
 };
@@ -685,7 +685,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 #define param_check_aalockpolicy param_check_bool
 static struct kernel_param_ops param_ops_aalockpolicy = {
-        .flags = KERNEL_PARAM_FL_NOARG,
+        .flags = KERNEL_PARAM_OPS_FL_NOARG,
        .set = param_set_aalockpolicy,
        .get = param_get_aalockpolicy
 };
diff --git a/security/capability.c b/security/capability.c
index a74fde6a7468..d68c57a62bcf 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -343,9 +343,9 @@ static int cap_file_fcntl(struct file *file, unsigned int cmd,
        return 0;
 }
-static int cap_file_set_fowner(struct file *file)
+static void cap_file_set_fowner(struct file *file)
 {
-        return 0;
+        return;
 }
 static int cap_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index d9d69e6930ed..188c1d26393b 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -796,7 +796,7 @@ struct cgroup_subsys devices_cgrp_subsys = {
        .css_free = devcgroup_css_free,
        .css_online = devcgroup_online,
        .css_offline = devcgroup_offline,
-        .base_cftypes = dev_cgroup_files,
+        .legacy_cftypes = dev_cgroup_files,
 };
 /**
diff --git a/security/inode.c b/security/inode.c
index 43ce6e19015f..8e7ca62078ab 100644
--- a/security/inode.c
+++ b/security/inode.c
@@ -74,7 +74,7 @@ static struct file_system_type fs_type = {
 * pointer must be passed to the securityfs_remove() function when the file is
 * to be removed (no automatic cleanup happens if your module is unloaded,
 * you are responsible here).  If an error occurs, the function will return
- * the erorr value (via ERR_PTR).
+ * the error value (via ERR_PTR).
 *
 * If securityfs is not enabled in the kernel, the value %-ENODEV is
 * returned.
diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c
index d34e7dfc1118..78d66dae15f4 100644
--- a/security/integrity/ima/ima_crypto.c
+++ b/security/integrity/ima/ima_crypto.c
@@ -386,17 +386,14 @@ static int ima_calc_file_hash_tfm(struct file *file,
        loff_t i_size, offset = 0;
        char *rbuf;
        int rc, read = 0;
-        struct {
+        SHASH_DESC_ON_STACK(shash, tfm);
-                struct shash_desc shash;
-                char ctx[crypto_shash_descsize(tfm)];
-        } desc;
-        desc.shash.tfm = tfm;
+        shash->tfm = tfm;
-        desc.shash.flags = 0;
+        shash->flags = 0;
        hash->length = crypto_shash_digestsize(tfm);
-        rc = crypto_shash_init(&desc.shash);
+        rc = crypto_shash_init(shash);
        if (rc != 0)
                return rc;
@@ -426,7 +423,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
                        break;
                offset += rbuf_len;
-                rc = crypto_shash_update(&desc.shash, rbuf, rbuf_len);
+                rc = crypto_shash_update(shash, rbuf, rbuf_len);
                if (rc)
                        break;
        }
@@ -435,7 +432,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
        kfree(rbuf);
 out:
        if (!rc)
-                rc = crypto_shash_final(&desc.shash, hash->digest);
+                rc = crypto_shash_final(shash, hash->digest);
        return rc;
 }
@@ -493,18 +490,15 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
                                         struct ima_digest_data *hash,
                                         struct crypto_shash *tfm)
 {
-        struct {
+        SHASH_DESC_ON_STACK(shash, tfm);
-                struct shash_desc shash;
-                char ctx[crypto_shash_descsize(tfm)];
-        } desc;
        int rc, i;
-        desc.shash.tfm = tfm;
+        shash->tfm = tfm;
-        desc.shash.flags = 0;
+        shash->flags = 0;
        hash->length = crypto_shash_digestsize(tfm);
-        rc = crypto_shash_init(&desc.shash);
+        rc = crypto_shash_init(shash);
        if (rc != 0)
                return rc;
@@ -514,7 +508,7 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
                u32 datalen = field_data[i].len;
                if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
-                        rc = crypto_shash_update(&desc.shash,
+                        rc = crypto_shash_update(shash,
                                                (const u8 *) &field_data[i].len,
                                                sizeof(field_data[i].len));
                        if (rc)
@@ -524,13 +518,13 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
                        data_to_hash = buffer;
                        datalen = IMA_EVENT_NAME_LEN_MAX + 1;
                }
-                rc = crypto_shash_update(&desc.shash, data_to_hash, datalen);
+                rc = crypto_shash_update(shash, data_to_hash, datalen);
                if (rc)
                        break;
        }
        if (!rc)
-                rc = crypto_shash_final(&desc.shash, hash->digest);
+                rc = crypto_shash_final(shash, hash->digest);
        return rc;
 }
@@ -571,15 +565,12 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
 {
        u8 pcr_i[TPM_DIGEST_SIZE];
        int rc, i;
-        struct {
+        SHASH_DESC_ON_STACK(shash, tfm);
-                struct shash_desc shash;
-                char ctx[crypto_shash_descsize(tfm)];
-        } desc;
-        desc.shash.tfm = tfm;
+        shash->tfm = tfm;
-        desc.shash.flags = 0;
+        shash->flags = 0;
-        rc = crypto_shash_init(&desc.shash);
+        rc = crypto_shash_init(shash);
        if (rc != 0)
                return rc;
@@ -587,10 +578,10 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
        for (i = TPM_PCR0; i < TPM_PCR8; i++) {
                ima_pcrread(i, pcr_i);
                /* now accumulate with current aggregate */
-                rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);
+                rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
        }
        if (!rc)
-                crypto_shash_final(&desc.shash, digest);
+                crypto_shash_final(shash, digest);
        return rc;
 }
diff --git a/security/keys/gc.c b/security/keys/gc.c
index d3222b6d7d59..9609a7f0faea 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -92,15 +92,6 @@ static void key_gc_timer_func(unsigned long data)
 }
 /*
- * wait_on_bit() sleep function for uninterruptible waiting
- */
-static int key_gc_wait_bit(void *flags)
-{
-        schedule();
-        return 0;
-}
-/*
 * Reap keys of dead type.
 *
 * We use three flags to make sure we see three complete cycles of the garbage
@@ -123,7 +114,7 @@ void key_gc_keytype(struct key_type *ktype)
        schedule_work(&key_gc_work);
        kdebug("sleep");
-        wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit,
+        wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
                    TASK_UNINTERRUPTIBLE);
        key_gc_dead_keytype = NULL;
diff --git a/security/keys/key.c b/security/keys/key.c
index 8c0092ca0443..e17ba6aefdc0 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -27,8 +27,8 @@ DEFINE_SPINLOCK(key_serial_lock);
 struct rb_root  key_user_tree; /* tree of quota records indexed by UID */
 DEFINE_SPINLOCK(key_user_lock);
-unsigned int key_quota_root_maxkeys = 200;      /* root's key count quota */
+unsigned int key_quota_root_maxkeys = 1000000;  /* root's key count quota */
-unsigned int key_quota_root_maxbytes = 20000;   /* root's key space quota */
+unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */
 unsigned int key_quota_maxkeys = 200;           /* general key count quota */
 unsigned int key_quota_maxbytes = 20000;        /* general key space quota */
diff --git a/security/keys/request_key.c b/security/keys/request_key.c
index dc6ed32b7844..bb4337c7ae1b 100644
--- a/security/keys/request_key.c
+++ b/security/keys/request_key.c
@@ -21,24 +21,6 @@
 #define key_negative_timeout    60      /* default timeout on a negative key's existence */
-/*
- * wait_on_bit() sleep function for uninterruptible waiting
- */
-static int key_wait_bit(void *flags)
-{
-        schedule();
-        return 0;
-}
-/*
- * wait_on_bit() sleep function for interruptible waiting
- */
-static int key_wait_bit_intr(void *flags)
-{
-        schedule();
-        return signal_pending(current) ? -ERESTARTSYS : 0;
-}
 /**
 * complete_request_key - Complete the construction of a key.
 * @cons: The key construction record.
@@ -603,10 +585,9 @@ int wait_for_key_construction(struct key *key, bool intr)
        int ret;
        ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
-                          intr ? key_wait_bit_intr : key_wait_bit,
                          intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
-        if (ret < 0)
+        if (ret)
-                return ret;
+                return -ERESTARTSYS;
        if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
                smp_rmb();
                return key->type_data.reject_error;
diff --git a/security/security.c b/security/security.c
index e41b1a8d7644..18b35c63fc0c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -775,9 +775,9 @@ int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
        return security_ops->file_fcntl(file, cmd, arg);
 }
-int security_file_set_fowner(struct file *file)
+void security_file_set_fowner(struct file *file)
 {
-        return security_ops->file_set_fowner(file);
+        security_ops->file_set_fowner(file);
 }
 int security_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 29e64d4ca099..e66314138b38 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -481,6 +481,7 @@ next_inode:
                                list_entry(sbsec->isec_head.next,
                                           struct inode_security_struct, list);
                struct inode *inode = isec->inode;
+                list_del_init(&isec->list);
                spin_unlock(&sbsec->isec_lock);
                inode = igrab(inode);
                if (inode) {
@@ -489,7 +490,6 @@ next_inode:
                        iput(inode);
                }
                spin_lock(&sbsec->isec_lock);
-                list_del_init(&isec->list);
                goto next_inode;
        }
        spin_unlock(&sbsec->isec_lock);
@@ -3381,14 +3381,12 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
        return err;
 }
-static int selinux_file_set_fowner(struct file *file)
+static void selinux_file_set_fowner(struct file *file)
 {
        struct file_security_struct *fsec;
        fsec = file->f_security;
        fsec->fown_sid = current_sid();
-        return 0;
 }
 static int selinux_file_send_sigiotask(struct task_struct *tsk,
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 485524c477a4..e607b4473ef6 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -275,7 +275,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
 static __init int sel_netif_init(void)
 {
-        int i, err;
+        int i;
        if (!selinux_enabled)
                return 0;
@@ -285,7 +285,7 @@ static __init int sel_netif_init(void)
        register_netdevice_notifier(&sel_netif_netdev_notifier);
-        return err;
+        return 0;
 }
 __initcall(sel_netif_init);
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index ddf315260839..da923f89d2a9 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -303,7 +303,6 @@ void sel_netnode_flush(void)
 static __init int sel_netnode_init(void)
 {
        int iter;
-        int ret;
        if (!selinux_enabled)
                return 0;
@@ -313,7 +312,7 @@ static __init int sel_netnode_init(void)
                sel_netnode_hash[iter].size = 0;
        }
-        return ret;
+        return 0;
 }
 __initcall(sel_netnode_init);
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 73ac6784d091..3311cc393cb4 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -237,7 +237,6 @@ void sel_netport_flush(void)
 static __init int sel_netport_init(void)
 {
        int iter;
-        int ret;
        if (!selinux_enabled)
                return 0;
@@ -247,7 +246,7 @@ static __init int sel_netport_init(void)
                sel_netport_hash[iter].size = 0;
        }
-        return ret;
+        return 0;
 }
 __initcall(sel_netport_init);
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 93dc876734a4..d515ec25ae9f 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1570,12 +1570,11 @@ static int smack_mmap_file(struct file *file,
 * Returns 0
 * Further research may be required on this one.
 */
-static int smack_file_set_fowner(struct file *file)
+static void smack_file_set_fowner(struct file *file)
 {
        struct smack_known *skp = smk_of_current();
        file->f_security = skp;
-        return 0;
 }
 /**
diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c
index c1b00375c9ad..3ffa4f5509d8 100644
--- a/security/tomoyo/audit.c
+++ b/security/tomoyo/audit.c
@@ -155,11 +155,9 @@ static char *tomoyo_print_header(struct tomoyo_request_info *r)
        u8 i;
        if (!buffer)
                return NULL;
-        {
-                struct timeval tv;
+        tomoyo_convert_time(get_seconds(), &stamp);
-                do_gettimeofday(&tv);
-                tomoyo_convert_time(tv.tv_sec, &stamp);
-        }
        pos = snprintf(buffer, tomoyo_buffer_len - 1,
                       "#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s "
                       "granted=%s (global-pid=%u) task={ pid=%u ppid=%u "
diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c
index 283862aebdc8..e0fb75052550 100644
--- a/security/tomoyo/common.c
+++ b/security/tomoyo/common.c
@@ -2267,13 +2267,11 @@ static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
 */
 void tomoyo_update_stat(const u8 index)
 {
-        struct timeval tv;
-        do_gettimeofday(&tv);
        /*
         * I don't use atomic operations because race condition is not fatal.
         */
        tomoyo_stat_updated[index]++;
-        tomoyo_stat_modified[index] = tv.tv_sec;
+        tomoyo_stat_modified[index] = get_seconds();
 }
 /**
diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c
index a3386d119425..bed745c8b1a3 100644
--- a/security/tomoyo/realpath.c
+++ b/security/tomoyo/realpath.c
@@ -173,7 +173,7 @@ static char *tomoyo_get_local_path(struct dentry *dentry, char * const buffer,
                 * Use filesystem name if filesystem does not support rename()
                 * operation.
                 */
-                if (!inode->i_op->rename)
+                if (!inode->i_op->rename && !inode->i_op->rename2)
                        goto prepend_filesystem_name;
        }
        /* Prepend device name. */
@@ -282,7 +282,8 @@ char *tomoyo_realpath_from_path(struct path *path)
                 * Get local name for filesystems without rename() operation
                 * or dentry without vfsmount.
                 */
-                if (!path->mnt || !inode->i_op->rename)
+                if (!path->mnt ||
+                    (!inode->i_op->rename && !inode->i_op->rename2))
                        pos = tomoyo_get_local_path(path->dentry, buf,
                                                    buf_len - 1);
                /* Get absolute name for the rest. */

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 998100093332..65ca451a764d 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c
@@ -668,7 +668,7 @@ static int param_set_aabool(const char val, const struct kernel_param kp);
668	static int param_get_aabool(char buffer, const struct kernel_param kp);	668	static int param_get_aabool(char buffer, const struct kernel_param kp);
669	#define param_check_aabool param_check_bool	669	#define param_check_aabool param_check_bool
670	static struct kernel_param_ops param_ops_aabool = {	670	static struct kernel_param_ops param_ops_aabool = {
671	.flags = KERNEL_PARAM_FL_NOARG,	671	.flags = KERNEL_PARAM_OPS_FL_NOARG,
672	.set = param_set_aabool,	672	.set = param_set_aabool,
673	.get = param_get_aabool	673	.get = param_get_aabool
674	};	674	};
@@ -685,7 +685,7 @@ static int param_set_aalockpolicy(const char val, const struct kernel_param kp
685	static int param_get_aalockpolicy(char buffer, const struct kernel_param kp);	685	static int param_get_aalockpolicy(char buffer, const struct kernel_param kp);
686	#define param_check_aalockpolicy param_check_bool	686	#define param_check_aalockpolicy param_check_bool
687	static struct kernel_param_ops param_ops_aalockpolicy = {	687	static struct kernel_param_ops param_ops_aalockpolicy = {
688	.flags = KERNEL_PARAM_FL_NOARG,	688	.flags = KERNEL_PARAM_OPS_FL_NOARG,
689	.set = param_set_aalockpolicy,	689	.set = param_set_aalockpolicy,
690	.get = param_get_aalockpolicy	690	.get = param_get_aalockpolicy
691	};	691	};


diff --git a/security/capability.c b/security/capability.c index a74fde6a7468..d68c57a62bcf 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -343,9 +343,9 @@ static int cap_file_fcntl(struct file *file, unsigned int cmd,
343	return 0;	343	return 0;
344	}	344	}
345		345
346	static int cap_file_set_fowner(struct file *file)	346	static void cap_file_set_fowner(struct file *file)
347	{	347	{
348	return 0;	348	return;
349	}	349	}
350		350
351	static int cap_file_send_sigiotask(struct task_struct *tsk,	351	static int cap_file_send_sigiotask(struct task_struct *tsk,


diff --git a/security/device_cgroup.c b/security/device_cgroup.c index d9d69e6930ed..188c1d26393b 100644 --- a/security/device_cgroup.c +++ b/security/device_cgroup.c
@@ -796,7 +796,7 @@ struct cgroup_subsys devices_cgrp_subsys = {
796	.css_free = devcgroup_css_free,	796	.css_free = devcgroup_css_free,
797	.css_online = devcgroup_online,	797	.css_online = devcgroup_online,
798	.css_offline = devcgroup_offline,	798	.css_offline = devcgroup_offline,
799	.base_cftypes = dev_cgroup_files,	799	.legacy_cftypes = dev_cgroup_files,
800	};	800	};
801		801
802	/**	802	/**


diff --git a/security/inode.c b/security/inode.c index 43ce6e19015f..8e7ca62078ab 100644 --- a/security/inode.c +++ b/security/inode.c
@@ -74,7 +74,7 @@ static struct file_system_type fs_type = {
74	* pointer must be passed to the securityfs_remove() function when the file is	74	* pointer must be passed to the securityfs_remove() function when the file is
75	* to be removed (no automatic cleanup happens if your module is unloaded,	75	* to be removed (no automatic cleanup happens if your module is unloaded,
76	* you are responsible here). If an error occurs, the function will return	76	* you are responsible here). If an error occurs, the function will return
77	* the erorr value (via ERR_PTR).	77	* the error value (via ERR_PTR).
78	*	78	*
79	* If securityfs is not enabled in the kernel, the value %-ENODEV is	79	* If securityfs is not enabled in the kernel, the value %-ENODEV is
80	* returned.	80	* returned.


diff --git a/security/integrity/ima/ima_crypto.c b/security/integrity/ima/ima_crypto.c index d34e7dfc1118..78d66dae15f4 100644 --- a/security/integrity/ima/ima_crypto.c +++ b/security/integrity/ima/ima_crypto.c
@@ -386,17 +386,14 @@ static int ima_calc_file_hash_tfm(struct file *file,
386	loff_t i_size, offset = 0;	386	loff_t i_size, offset = 0;
387	char *rbuf;	387	char *rbuf;
388	int rc, read = 0;	388	int rc, read = 0;
389	struct {	389	SHASH_DESC_ON_STACK(shash, tfm);
390	struct shash_desc shash;
391	char ctx[crypto_shash_descsize(tfm)];
392	} desc;
393		390
394	desc.shash.tfm = tfm;	391	shash->tfm = tfm;
395	desc.shash.flags = 0;	392	shash->flags = 0;
396		393
397	hash->length = crypto_shash_digestsize(tfm);	394	hash->length = crypto_shash_digestsize(tfm);
398		395
399	rc = crypto_shash_init(&desc.shash);	396	rc = crypto_shash_init(shash);
400	if (rc != 0)	397	if (rc != 0)
401	return rc;	398	return rc;
402		399
@@ -426,7 +423,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
426	break;	423	break;
427	offset += rbuf_len;	424	offset += rbuf_len;
428		425
429	rc = crypto_shash_update(&desc.shash, rbuf, rbuf_len);	426	rc = crypto_shash_update(shash, rbuf, rbuf_len);
430	if (rc)	427	if (rc)
431	break;	428	break;
432	}	429	}
@@ -435,7 +432,7 @@ static int ima_calc_file_hash_tfm(struct file *file,
435	kfree(rbuf);	432	kfree(rbuf);
436	out:	433	out:
437	if (!rc)	434	if (!rc)
438	rc = crypto_shash_final(&desc.shash, hash->digest);	435	rc = crypto_shash_final(shash, hash->digest);
439	return rc;	436	return rc;
440	}	437	}
441		438
@@ -493,18 +490,15 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
493	struct ima_digest_data *hash,	490	struct ima_digest_data *hash,
494	struct crypto_shash *tfm)	491	struct crypto_shash *tfm)
495	{	492	{
496	struct {	493	SHASH_DESC_ON_STACK(shash, tfm);
497	struct shash_desc shash;
498	char ctx[crypto_shash_descsize(tfm)];
499	} desc;
500	int rc, i;	494	int rc, i;
501		495
502	desc.shash.tfm = tfm;	496	shash->tfm = tfm;
503	desc.shash.flags = 0;	497	shash->flags = 0;
504		498
505	hash->length = crypto_shash_digestsize(tfm);	499	hash->length = crypto_shash_digestsize(tfm);
506		500
507	rc = crypto_shash_init(&desc.shash);	501	rc = crypto_shash_init(shash);
508	if (rc != 0)	502	if (rc != 0)
509	return rc;	503	return rc;
510		504
@@ -514,7 +508,7 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
514	u32 datalen = field_data[i].len;	508	u32 datalen = field_data[i].len;
515		509
516	if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {	510	if (strcmp(td->name, IMA_TEMPLATE_IMA_NAME) != 0) {
517	rc = crypto_shash_update(&desc.shash,	511	rc = crypto_shash_update(shash,
518	(const u8 *) &field_data[i].len,	512	(const u8 *) &field_data[i].len,
519	sizeof(field_data[i].len));	513	sizeof(field_data[i].len));
520	if (rc)	514	if (rc)
@@ -524,13 +518,13 @@ static int ima_calc_field_array_hash_tfm(struct ima_field_data *field_data,
524	data_to_hash = buffer;	518	data_to_hash = buffer;
525	datalen = IMA_EVENT_NAME_LEN_MAX + 1;	519	datalen = IMA_EVENT_NAME_LEN_MAX + 1;
526	}	520	}
527	rc = crypto_shash_update(&desc.shash, data_to_hash, datalen);	521	rc = crypto_shash_update(shash, data_to_hash, datalen);
528	if (rc)	522	if (rc)
529	break;	523	break;
530	}	524	}
531		525
532	if (!rc)	526	if (!rc)
533	rc = crypto_shash_final(&desc.shash, hash->digest);	527	rc = crypto_shash_final(shash, hash->digest);
534		528
535	return rc;	529	return rc;
536	}	530	}
@@ -571,15 +565,12 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
571	{	565	{
572	u8 pcr_i[TPM_DIGEST_SIZE];	566	u8 pcr_i[TPM_DIGEST_SIZE];
573	int rc, i;	567	int rc, i;
574	struct {	568	SHASH_DESC_ON_STACK(shash, tfm);
575	struct shash_desc shash;
576	char ctx[crypto_shash_descsize(tfm)];
577	} desc;
578		569
579	desc.shash.tfm = tfm;	570	shash->tfm = tfm;
580	desc.shash.flags = 0;	571	shash->flags = 0;
581		572
582	rc = crypto_shash_init(&desc.shash);	573	rc = crypto_shash_init(shash);
583	if (rc != 0)	574	if (rc != 0)
584	return rc;	575	return rc;
585		576
@@ -587,10 +578,10 @@ static int __init ima_calc_boot_aggregate_tfm(char *digest,
587	for (i = TPM_PCR0; i < TPM_PCR8; i++) {	578	for (i = TPM_PCR0; i < TPM_PCR8; i++) {
588	ima_pcrread(i, pcr_i);	579	ima_pcrread(i, pcr_i);
589	/* now accumulate with current aggregate */	580	/* now accumulate with current aggregate */
590	rc = crypto_shash_update(&desc.shash, pcr_i, TPM_DIGEST_SIZE);	581	rc = crypto_shash_update(shash, pcr_i, TPM_DIGEST_SIZE);
591	}	582	}
592	if (!rc)	583	if (!rc)
593	crypto_shash_final(&desc.shash, digest);	584	crypto_shash_final(shash, digest);
594	return rc;	585	return rc;
595	}	586	}
596		587


diff --git a/security/keys/gc.c b/security/keys/gc.c index d3222b6d7d59..9609a7f0faea 100644 --- a/security/keys/gc.c +++ b/security/keys/gc.c
@@ -92,15 +92,6 @@ static void key_gc_timer_func(unsigned long data)
92	}	92	}
93		93
94	/*	94	/*
95	* wait_on_bit() sleep function for uninterruptible waiting
96	*/
97	static int key_gc_wait_bit(void *flags)
98	{
99	schedule();
100	return 0;
101	}
102
103	/*
104	* Reap keys of dead type.	95	* Reap keys of dead type.
105	*	96	*
106	* We use three flags to make sure we see three complete cycles of the garbage	97	* We use three flags to make sure we see three complete cycles of the garbage
@@ -123,7 +114,7 @@ void key_gc_keytype(struct key_type *ktype)
123	schedule_work(&key_gc_work);	114	schedule_work(&key_gc_work);
124		115
125	kdebug("sleep");	116	kdebug("sleep");
126	wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE, key_gc_wait_bit,	117	wait_on_bit(&key_gc_flags, KEY_GC_REAPING_KEYTYPE,
127	TASK_UNINTERRUPTIBLE);	118	TASK_UNINTERRUPTIBLE);
128		119
129	key_gc_dead_keytype = NULL;	120	key_gc_dead_keytype = NULL;


diff --git a/security/keys/key.c b/security/keys/key.c index 8c0092ca0443..e17ba6aefdc0 100644 --- a/security/keys/key.c +++ b/security/keys/key.c
@@ -27,8 +27,8 @@ DEFINE_SPINLOCK(key_serial_lock);
27	struct rb_root key_user_tree; /* tree of quota records indexed by UID */	27	struct rb_root key_user_tree; /* tree of quota records indexed by UID */
28	DEFINE_SPINLOCK(key_user_lock);	28	DEFINE_SPINLOCK(key_user_lock);
29		29
30	unsigned int key_quota_root_maxkeys = 200; /* root's key count quota */	30	unsigned int key_quota_root_maxkeys = 1000000; /* root's key count quota */
31	unsigned int key_quota_root_maxbytes = 20000; /* root's key space quota */	31	unsigned int key_quota_root_maxbytes = 25000000; /* root's key space quota */
32	unsigned int key_quota_maxkeys = 200; /* general key count quota */	32	unsigned int key_quota_maxkeys = 200; /* general key count quota */
33	unsigned int key_quota_maxbytes = 20000; /* general key space quota */	33	unsigned int key_quota_maxbytes = 20000; /* general key space quota */
34		34


diff --git a/security/keys/request_key.c b/security/keys/request_key.c index dc6ed32b7844..bb4337c7ae1b 100644 --- a/security/keys/request_key.c +++ b/security/keys/request_key.c
@@ -21,24 +21,6 @@
21		21
22	#define key_negative_timeout 60 /* default timeout on a negative key's existence */	22	#define key_negative_timeout 60 /* default timeout on a negative key's existence */
23		23
24	/*
25	* wait_on_bit() sleep function for uninterruptible waiting
26	*/
27	static int key_wait_bit(void *flags)
28	{
29	schedule();
30	return 0;
31	}
32
33	/*
34	* wait_on_bit() sleep function for interruptible waiting
35	*/
36	static int key_wait_bit_intr(void *flags)
37	{
38	schedule();
39	return signal_pending(current) ? -ERESTARTSYS : 0;
40	}
41
42	/**	24	/**
43	* complete_request_key - Complete the construction of a key.	25	* complete_request_key - Complete the construction of a key.
44	* @cons: The key construction record.	26	* @cons: The key construction record.
@@ -603,10 +585,9 @@ int wait_for_key_construction(struct key *key, bool intr)
603	int ret;	585	int ret;
604		586
605	ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,	587	ret = wait_on_bit(&key->flags, KEY_FLAG_USER_CONSTRUCT,
606	intr ? key_wait_bit_intr : key_wait_bit,
607	intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);	588	intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE);
608	if (ret < 0)	589	if (ret)
609	return ret;	590	return -ERESTARTSYS;
610	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {	591	if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) {
611	smp_rmb();	592	smp_rmb();
612	return key->type_data.reject_error;	593	return key->type_data.reject_error;


diff --git a/security/security.c b/security/security.c index e41b1a8d7644..18b35c63fc0c 100644 --- a/security/security.c +++ b/security/security.c
@@ -775,9 +775,9 @@ int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
775	return security_ops->file_fcntl(file, cmd, arg);	775	return security_ops->file_fcntl(file, cmd, arg);
776	}	776	}
777		777
778	int security_file_set_fowner(struct file *file)	778	void security_file_set_fowner(struct file *file)
779	{	779	{
780	return security_ops->file_set_fowner(file);	780	security_ops->file_set_fowner(file);
781	}	781	}
782		782
783	int security_file_send_sigiotask(struct task_struct *tsk,	783	int security_file_send_sigiotask(struct task_struct *tsk,


diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 29e64d4ca099..e66314138b38 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c
@@ -481,6 +481,7 @@ next_inode:
481	list_entry(sbsec->isec_head.next,	481	list_entry(sbsec->isec_head.next,
482	struct inode_security_struct, list);	482	struct inode_security_struct, list);
483	struct inode *inode = isec->inode;	483	struct inode *inode = isec->inode;
		484	list_del_init(&isec->list);
484	spin_unlock(&sbsec->isec_lock);	485	spin_unlock(&sbsec->isec_lock);
485	inode = igrab(inode);	486	inode = igrab(inode);
486	if (inode) {	487	if (inode) {
@@ -489,7 +490,6 @@ next_inode:
489	iput(inode);	490	iput(inode);
490	}	491	}
491	spin_lock(&sbsec->isec_lock);	492	spin_lock(&sbsec->isec_lock);
492	list_del_init(&isec->list);
493	goto next_inode;	493	goto next_inode;
494	}	494	}
495	spin_unlock(&sbsec->isec_lock);	495	spin_unlock(&sbsec->isec_lock);
@@ -3381,14 +3381,12 @@ static int selinux_file_fcntl(struct file *file, unsigned int cmd,
3381	return err;	3381	return err;
3382	}	3382	}
3383		3383
3384	static int selinux_file_set_fowner(struct file *file)	3384	static void selinux_file_set_fowner(struct file *file)
3385	{	3385	{
3386	struct file_security_struct *fsec;	3386	struct file_security_struct *fsec;
3387		3387
3388	fsec = file->f_security;	3388	fsec = file->f_security;
3389	fsec->fown_sid = current_sid();	3389	fsec->fown_sid = current_sid();
3390
3391	return 0;
3392	}	3390	}
3393		3391
3394	static int selinux_file_send_sigiotask(struct task_struct *tsk,	3392	static int selinux_file_send_sigiotask(struct task_struct *tsk,


diff --git a/security/selinux/netif.c b/security/selinux/netif.c index 485524c477a4..e607b4473ef6 100644 --- a/security/selinux/netif.c +++ b/security/selinux/netif.c
@@ -275,7 +275,7 @@ static struct notifier_block sel_netif_netdev_notifier = {
275		275
276	static __init int sel_netif_init(void)	276	static __init int sel_netif_init(void)
277	{	277	{
278	int i, err;	278	int i;
279		279
280	if (!selinux_enabled)	280	if (!selinux_enabled)
281	return 0;	281	return 0;
@@ -285,7 +285,7 @@ static __init int sel_netif_init(void)
285		285
286	register_netdevice_notifier(&sel_netif_netdev_notifier);	286	register_netdevice_notifier(&sel_netif_netdev_notifier);
287		287
288	return err;	288	return 0;
289	}	289	}
290		290
291	__initcall(sel_netif_init);	291	__initcall(sel_netif_init);


diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c index ddf315260839..da923f89d2a9 100644 --- a/security/selinux/netnode.c +++ b/security/selinux/netnode.c
@@ -303,7 +303,6 @@ void sel_netnode_flush(void)
303	static __init int sel_netnode_init(void)	303	static __init int sel_netnode_init(void)
304	{	304	{
305	int iter;	305	int iter;
306	int ret;
307		306
308	if (!selinux_enabled)	307	if (!selinux_enabled)
309	return 0;	308	return 0;
@@ -313,7 +312,7 @@ static __init int sel_netnode_init(void)
313	sel_netnode_hash[iter].size = 0;	312	sel_netnode_hash[iter].size = 0;
314	}	313	}
315		314
316	return ret;	315	return 0;
317	}	316	}
318		317
319	__initcall(sel_netnode_init);	318	__initcall(sel_netnode_init);


diff --git a/security/selinux/netport.c b/security/selinux/netport.c index 73ac6784d091..3311cc393cb4 100644 --- a/security/selinux/netport.c +++ b/security/selinux/netport.c
@@ -237,7 +237,6 @@ void sel_netport_flush(void)
237	static __init int sel_netport_init(void)	237	static __init int sel_netport_init(void)
238	{	238	{
239	int iter;	239	int iter;
240	int ret;
241		240
242	if (!selinux_enabled)	241	if (!selinux_enabled)
243	return 0;	242	return 0;
@@ -247,7 +246,7 @@ static __init int sel_netport_init(void)
247	sel_netport_hash[iter].size = 0;	246	sel_netport_hash[iter].size = 0;
248	}	247	}
249		248
250	return ret;	249	return 0;
251	}	250	}
252		251
253	__initcall(sel_netport_init);	252	__initcall(sel_netport_init);


diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 93dc876734a4..d515ec25ae9f 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c
@@ -1570,12 +1570,11 @@ static int smack_mmap_file(struct file *file,
1570	* Returns 0	1570	* Returns 0
1571	* Further research may be required on this one.	1571	* Further research may be required on this one.
1572	*/	1572	*/
1573	static int smack_file_set_fowner(struct file *file)	1573	static void smack_file_set_fowner(struct file *file)
1574	{	1574	{
1575	struct smack_known *skp = smk_of_current();	1575	struct smack_known *skp = smk_of_current();
1576		1576
1577	file->f_security = skp;	1577	file->f_security = skp;
1578	return 0;
1579	}	1578	}
1580		1579
1581	/**	1580	/**


diff --git a/security/tomoyo/audit.c b/security/tomoyo/audit.c index c1b00375c9ad..3ffa4f5509d8 100644 --- a/security/tomoyo/audit.c +++ b/security/tomoyo/audit.c
@@ -155,11 +155,9 @@ static char tomoyo_print_header(struct tomoyo_request_info r)
155	u8 i;	155	u8 i;
156	if (!buffer)	156	if (!buffer)
157	return NULL;	157	return NULL;
158	{	158
159	struct timeval tv;	159	tomoyo_convert_time(get_seconds(), &stamp);
160	do_gettimeofday(&tv);	160
161	tomoyo_convert_time(tv.tv_sec, &stamp);
162	}
163	pos = snprintf(buffer, tomoyo_buffer_len - 1,	161	pos = snprintf(buffer, tomoyo_buffer_len - 1,
164	"#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s "	162	"#%04u/%02u/%02u %02u:%02u:%02u# profile=%u mode=%s "
165	"granted=%s (global-pid=%u) task={ pid=%u ppid=%u "	163	"granted=%s (global-pid=%u) task={ pid=%u ppid=%u "


diff --git a/security/tomoyo/common.c b/security/tomoyo/common.c index 283862aebdc8..e0fb75052550 100644 --- a/security/tomoyo/common.c +++ b/security/tomoyo/common.c
@@ -2267,13 +2267,11 @@ static unsigned int tomoyo_stat_modified[TOMOYO_MAX_POLICY_STAT];
2267	*/	2267	*/
2268	void tomoyo_update_stat(const u8 index)	2268	void tomoyo_update_stat(const u8 index)
2269	{	2269	{
2270	struct timeval tv;
2271	do_gettimeofday(&tv);
2272	/*	2270	/*
2273	* I don't use atomic operations because race condition is not fatal.	2271	* I don't use atomic operations because race condition is not fatal.
2274	*/	2272	*/
2275	tomoyo_stat_updated[index]++;	2273	tomoyo_stat_updated[index]++;
2276	tomoyo_stat_modified[index] = tv.tv_sec;	2274	tomoyo_stat_modified[index] = get_seconds();
2277	}	2275	}
2278		2276
2279	/**	2277	/**


diff --git a/security/tomoyo/realpath.c b/security/tomoyo/realpath.c index a3386d119425..bed745c8b1a3 100644 --- a/security/tomoyo/realpath.c +++ b/security/tomoyo/realpath.c
@@ -173,7 +173,7 @@ static char tomoyo_get_local_path(struct dentry dentry, char * const buffer,
173	* Use filesystem name if filesystem does not support rename()	173	* Use filesystem name if filesystem does not support rename()
174	* operation.	174	* operation.
175	*/	175	*/
176	if (!inode->i_op->rename)	176	if (!inode->i_op->rename && !inode->i_op->rename2)
177	goto prepend_filesystem_name;	177	goto prepend_filesystem_name;
178	}	178	}
179	/* Prepend device name. */	179	/* Prepend device name. */
@@ -282,7 +282,8 @@ char tomoyo_realpath_from_path(struct path path)
282	* Get local name for filesystems without rename() operation	282	* Get local name for filesystems without rename() operation
283	* or dentry without vfsmount.	283	* or dentry without vfsmount.
284	*/	284	*/
285	if (!path->mnt \|\| !inode->i_op->rename)	285	if (!path->mnt \|\|
		286	(!inode->i_op->rename && !inode->i_op->rename2))
286	pos = tomoyo_get_local_path(path->dentry, buf,	287	pos = tomoyo_get_local_path(path->dentry, buf,
287	buf_len - 1);	288	buf_len - 1);
288	/* Get absolute name for the rest. */	289	/* Get absolute name for the rest. */