4 files changed, 45 insertions, 53 deletions

diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index edb3ce15e92d..fb99e18123b4 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -668,6 +668,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp);
 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 #define param_check_aabool param_check_bool
 static struct kernel_param_ops param_ops_aabool = {
+        .flags = KERNEL_PARAM_FL_NOARG,
         .set = param_set_aabool,
         .get = param_get_aabool
 };
@@ -684,6 +685,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 #define param_check_aalockpolicy param_check_bool
 static struct kernel_param_ops param_ops_aalockpolicy = {
+        .flags = KERNEL_PARAM_FL_NOARG,
         .set = param_set_aalockpolicy,
         .get = param_get_aalockpolicy
 };
diff --git a/security/device_cgroup.c b/security/device_cgroup.c
index e8aad69f0d69..c123628d3f84 100644
--- a/security/device_cgroup.c
+++ b/security/device_cgroup.c
@@ -53,22 +53,17 @@ struct dev_cgroup {
 
 static inline struct dev_cgroup *css_to_devcgroup(struct cgroup_subsys_state *s)
 {
-        return container_of(s, struct dev_cgroup, css);
-}
-
-static inline struct dev_cgroup *cgroup_to_devcgroup(struct cgroup *cgroup)
-{
-        return css_to_devcgroup(cgroup_subsys_state(cgroup, devices_subsys_id));
+        return s ? container_of(s, struct dev_cgroup, css) : NULL;
 }
 
 static inline struct dev_cgroup *task_devcgroup(struct task_struct *task)
 {
-        return css_to_devcgroup(task_subsys_state(task, devices_subsys_id));
+        return css_to_devcgroup(task_css(task, devices_subsys_id));
 }
 
 struct cgroup_subsys devices_subsys;
 
-static int devcgroup_can_attach(struct cgroup *new_cgrp,
+static int devcgroup_can_attach(struct cgroup_subsys_state *new_css,
                                 struct cgroup_taskset *set)
 {
         struct task_struct *task = cgroup_taskset_first(set);
@@ -193,18 +188,16 @@ static inline bool is_devcg_online(const struct dev_cgroup *devcg)
 /**
  * devcgroup_online - initializes devcgroup's behavior and exceptions based on
  *                    parent's
- * @cgroup: cgroup getting online
+ * @css: css getting online
  * returns 0 in case of success, error code otherwise
  */
-static int devcgroup_online(struct cgroup *cgroup)
+static int devcgroup_online(struct cgroup_subsys_state *css)
 {
-        struct dev_cgroup *dev_cgroup, *parent_dev_cgroup = NULL;
+        struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
+        struct dev_cgroup *parent_dev_cgroup = css_to_devcgroup(css_parent(css));
         int ret = 0;
 
         mutex_lock(&devcgroup_mutex);
-        dev_cgroup = cgroup_to_devcgroup(cgroup);
-        if (cgroup->parent)
-                parent_dev_cgroup = cgroup_to_devcgroup(cgroup->parent);
 
         if (parent_dev_cgroup == NULL)
                 dev_cgroup->behavior = DEVCG_DEFAULT_ALLOW;
@@ -219,9 +212,9 @@ static int devcgroup_online(struct cgroup *cgroup)
         return ret;
 }
 
-static void devcgroup_offline(struct cgroup *cgroup)
+static void devcgroup_offline(struct cgroup_subsys_state *css)
 {
-        struct dev_cgroup *dev_cgroup = cgroup_to_devcgroup(cgroup);
+        struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
 
         mutex_lock(&devcgroup_mutex);
         dev_cgroup->behavior = DEVCG_DEFAULT_NONE;
@@ -231,7 +224,8 @@ static void devcgroup_offline(struct cgroup *cgroup)
 /*
  * called from kernel/cgroup.c with cgroup_lock() held.
  */
-static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup)
+static struct cgroup_subsys_state *
+devcgroup_css_alloc(struct cgroup_subsys_state *parent_css)
 {
         struct dev_cgroup *dev_cgroup;
 
@@ -244,11 +238,10 @@ static struct cgroup_subsys_state *devcgroup_css_alloc(struct cgroup *cgroup)
         return &dev_cgroup->css;
 }
 
-static void devcgroup_css_free(struct cgroup *cgroup)
+static void devcgroup_css_free(struct cgroup_subsys_state *css)
 {
-        struct dev_cgroup *dev_cgroup;
+        struct dev_cgroup *dev_cgroup = css_to_devcgroup(css);
 
-        dev_cgroup = cgroup_to_devcgroup(cgroup);
         __dev_exception_clean(dev_cgroup);
         kfree(dev_cgroup);
 }
@@ -291,10 +284,10 @@ static void set_majmin(char *str, unsigned m)
                 sprintf(str, "%u", m);
 }
 
-static int devcgroup_seq_read(struct cgroup *cgroup, struct cftype *cft,
-                                struct seq_file *m)
+static int devcgroup_seq_read(struct cgroup_subsys_state *css,
+                              struct cftype *cft, struct seq_file *m)
 {
-        struct dev_cgroup *devcgroup = cgroup_to_devcgroup(cgroup);
+        struct dev_cgroup *devcgroup = css_to_devcgroup(css);
         struct dev_exception_item *ex;
         char maj[MAJMINLEN], min[MAJMINLEN], acc[ACCLEN];
 
@@ -394,12 +387,10 @@ static bool may_access(struct dev_cgroup *dev_cgroup,
 static int parent_has_perm(struct dev_cgroup *childcg,
                                   struct dev_exception_item *ex)
 {
-        struct cgroup *pcg = childcg->css.cgroup->parent;
-        struct dev_cgroup *parent;
+        struct dev_cgroup *parent = css_to_devcgroup(css_parent(&childcg->css));
 
-        if (!pcg)
+        if (!parent)
                 return 1;
-        parent = cgroup_to_devcgroup(pcg);
         return may_access(parent, ex, childcg->behavior);
 }
 
@@ -451,13 +442,13 @@ static void revalidate_active_exceptions(struct dev_cgroup *devcg)
 static int propagate_exception(struct dev_cgroup *devcg_root,
                                struct dev_exception_item *ex)
 {
-        struct cgroup *root = devcg_root->css.cgroup, *pos;
+        struct cgroup_subsys_state *pos;
         int rc = 0;
 
         rcu_read_lock();
 
-        cgroup_for_each_descendant_pre(pos, root) {
-                struct dev_cgroup *devcg = cgroup_to_devcgroup(pos);
+        css_for_each_descendant_pre(pos, &devcg_root->css) {
+                struct dev_cgroup *devcg = css_to_devcgroup(pos);
 
                 /*
                  * Because devcgroup_mutex is held, no devcg will become
@@ -465,7 +456,7 @@ static int propagate_exception(struct dev_cgroup *devcg_root,
                  * methods), and online ones are safe to access outside RCU
                  * read lock without bumping refcnt.
                  */
-                if (!is_devcg_online(devcg))
+                if (pos == &devcg_root->css || !is_devcg_online(devcg))
                         continue;
 
                 rcu_read_unlock();
@@ -524,15 +515,11 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
         char temp[12];          /* 11 + 1 characters needed for a u32 */
         int count, rc = 0;
         struct dev_exception_item ex;
-        struct cgroup *p = devcgroup->css.cgroup;
-        struct dev_cgroup *parent = NULL;
+        struct dev_cgroup *parent = css_to_devcgroup(css_parent(&devcgroup->css));
 
         if (!capable(CAP_SYS_ADMIN))
                 return -EPERM;
 
-        if (p->parent)
-                parent = cgroup_to_devcgroup(p->parent);
-
         memset(&ex, 0, sizeof(ex));
         b = buffer;
 
@@ -677,13 +664,13 @@ static int devcgroup_update_access(struct dev_cgroup *devcgroup,
         return rc;
 }
 
-static int devcgroup_access_write(struct cgroup *cgrp, struct cftype *cft,
-                                  const char *buffer)
+static int devcgroup_access_write(struct cgroup_subsys_state *css,
+                                  struct cftype *cft, const char *buffer)
 {
         int retval;
 
         mutex_lock(&devcgroup_mutex);
-        retval = devcgroup_update_access(cgroup_to_devcgroup(cgrp),
+        retval = devcgroup_update_access(css_to_devcgroup(css),
                                          cft->private, buffer);
         mutex_unlock(&devcgroup_mutex);
         return retval;
diff --git a/security/selinux/include/xfrm.h b/security/selinux/include/xfrm.h
index 65f67cb0aefb..6713f04e30ba 100644
--- a/security/selinux/include/xfrm.h
+++ b/security/selinux/include/xfrm.h
@@ -50,8 +50,13 @@ int selinux_xfrm_decode_session(struct sk_buff *skb, u32 *sid, int ckall);
 
 static inline void selinux_xfrm_notify_policyload(void)
 {
+        struct net *net;
+
         atomic_inc(&flow_cache_genid);
-        rt_genid_bump(&init_net);
+        rtnl_lock();
+        for_each_net(net)
+                rt_genid_bump_all(net);
+        rtnl_unlock();
 }
 #else
 static inline int selinux_xfrm_enabled(void)
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 19de5e237683..8825375cc031 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1995,12 +1995,11 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
  *
  * Create or update the port list entry
  */
-static int smk_ipv6_port_check(struct sock *sk, struct sockaddr *address,
+static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
                                 int act)
 {
         __be16 *bep;
         __be32 *be32p;
-        struct sockaddr_in6 *addr6;
         struct smk_port_label *spp;
         struct socket_smack *ssp = sk->sk_security;
         struct smack_known *skp;
@@ -2022,10 +2021,9 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr *address,
         /*
          * Get the IP address and port from the address.
          */
-        addr6 = (struct sockaddr_in6 *)address;
-        port = ntohs(addr6->sin6_port);
-        bep = (__be16 *)(&addr6->sin6_addr);
-        be32p = (__be32 *)(&addr6->sin6_addr);
+        port = ntohs(address->sin6_port);
+        bep = (__be16 *)(&address->sin6_addr);
+        be32p = (__be32 *)(&address->sin6_addr);
 
         /*
          * It's remote, so port lookup does no good.
@@ -2057,9 +2055,9 @@ auditout:
         ad.a.u.net->family = sk->sk_family;
         ad.a.u.net->dport = port;
         if (act == SMK_RECEIVING)
-                ad.a.u.net->v6info.saddr = addr6->sin6_addr;
+                ad.a.u.net->v6info.saddr = address->sin6_addr;
         else
-                ad.a.u.net->v6info.daddr = addr6->sin6_addr;
+                ad.a.u.net->v6info.daddr = address->sin6_addr;
 #endif
         return smk_access(skp, object, MAY_WRITE, &ad);
 }
@@ -2198,7 +2196,8 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
         case PF_INET6:
                 if (addrlen < sizeof(struct sockaddr_in6))
                         return -EINVAL;
-                rc = smk_ipv6_port_check(sock->sk, sap, SMK_CONNECTING);
+                rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
+                                                SMK_CONNECTING);
                 break;
         }
         return rc;
@@ -3031,7 +3030,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
                                 int size)
 {
         struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
-        struct sockaddr *sap = (struct sockaddr *) msg->msg_name;
+        struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
         int rc = 0;
 
         /*
@@ -3136,9 +3135,8 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
         return smack_net_ambient;
 }
 
-static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr *sap)
+static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
 {
-        struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
         u8 nexthdr;
         int offset;
         int proto = -EINVAL;
@@ -3196,7 +3194,7 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
         struct netlbl_lsm_secattr secattr;
         struct socket_smack *ssp = sk->sk_security;
         struct smack_known *skp;
-        struct sockaddr sadd;
+        struct sockaddr_in6 sadd;
         int rc = 0;
         struct smk_audit_info ad;
 #ifdef CONFIG_AUDIT