1. 26 11月, 2008 2 次提交
  2. 13 11月, 2008 1 次提交
  3. 04 11月, 2008 1 次提交
  4. 03 11月, 2008 1 次提交
  5. 31 10月, 2008 3 次提交
  6. 30 10月, 2008 1 次提交
  7. 29 10月, 2008 2 次提交
  8. 06 10月, 2008 1 次提交
  9. 01 10月, 2008 1 次提交
    • H
      ipsec: Put dumpers on the dump list · 12a169e7
      Herbert Xu 提交于
      Herbert Xu came up with the idea and the original patch to make
      xfrm_state dump list contain also dumpers:
      
      As it is we go to extraordinary lengths to ensure that states
      don't go away while dumpers go to sleep.  It's much easier if
      we just put the dumpers themselves on the list since they can't
      go away while they're going.
      
      I've also changed the order of addition on new states to prevent
      a never-ending dump.
      
      Timo Teräs improved the patch to apply cleanly to latest tree,
      modified iteration code to be more readable by using a common
      struct for entries in the list, implemented the same idea for
      xfrm_policy dumping and moved the af_key specific "last" entry
      caching to af_key.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NTimo Teras <timo.teras@iki.fi>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      12a169e7
  10. 30 9月, 2008 1 次提交
  11. 23 9月, 2008 1 次提交
    • H
      ipsec: Fix xfrm_state_walk race · 5c182458
      Herbert Xu 提交于
      As discovered by Timo Teräs, the currently xfrm_state_walk scheme
      is racy because if a second dump finishes before the first, we
      may free xfrm states that the first dump would walk over later.
      
      This patch fixes this by storing the dumps in a list in order
      to calculate the correct completion counter which cures this
      problem.
      
      I've expanded netlink_cb in order to accomodate the extra state
      related to this.  It shouldn't be a big deal since netlink_cb
      is kmalloced for each dump and we're just increasing it by 4 or
      8 bytes.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5c182458
  12. 10 9月, 2008 3 次提交
  13. 09 9月, 2008 1 次提交
  14. 03 9月, 2008 2 次提交
  15. 14 8月, 2008 1 次提交
  16. 26 7月, 2008 1 次提交
  17. 25 7月, 2008 2 次提交
  18. 20 7月, 2008 1 次提交
  19. 11 7月, 2008 1 次提交
  20. 05 6月, 2008 1 次提交
  21. 22 5月, 2008 1 次提交
  22. 13 5月, 2008 1 次提交
  23. 29 4月, 2008 1 次提交
  24. 28 4月, 2008 3 次提交
  25. 22 4月, 2008 1 次提交
    • H
      [IPSEC]: Fix catch-22 with algorithm IDs above 31 · c5d18e98
      Herbert Xu 提交于
      As it stands it's impossible to use any authentication algorithms
      with an ID above 31 portably.  It just happens to work on x86 but
      fails miserably on ppc64.
      
      The reason is that we're using a bit mask to check the algorithm
      ID but the mask is only 32 bits wide.
      
      After looking at how this is used in the field, I have concluded
      that in the long term we should phase out state matching by IDs
      because this is made superfluous by the reqid feature.  For current
      applications, the best solution IMHO is to allow all algorithms when
      the bit masks are all ~0.
      
      The following patch does exactly that.
      
      This bug was identified by IBM when testing on the ppc64 platform
      using the NULL authentication algorithm which has an ID of 251.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      c5d18e98
  26. 15 4月, 2008 1 次提交
    • D
      [XFRM]: Compilation warnings in xfrm_user.c. · 2c8dd116
      Denis V. Lunev 提交于
      When CONFIG_SECURITY_NETWORK_XFRM is undefined the following warnings appears:
      net/xfrm/xfrm_user.c: In function 'xfrm_add_pol_expire':
      net/xfrm/xfrm_user.c:1576: warning: 'ctx' may be used uninitialized in this function
      net/xfrm/xfrm_user.c: In function 'xfrm_get_policy':
      net/xfrm/xfrm_user.c:1340: warning: 'ctx' may be used uninitialized in this function
      (security_xfrm_policy_alloc is noop for the case).
      
      It seems that they are result of the commit
      03e1ad7b ("LSM: Make the Labeled IPsec
      hooks more stack friendly")
      Signed-off-by: NDenis V. Lunev <den@openvz.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2c8dd116
  27. 13 4月, 2008 1 次提交
  28. 10 4月, 2008 1 次提交
  29. 26 3月, 2008 1 次提交
  30. 25 3月, 2008 1 次提交
    • Y
      [XFRM] MIP6: Fix address keys for routing search. · 9bb182a7
      YOSHIFUJI Hideaki 提交于
      Each MIPv6 XFRM state (DSTOPT/RH2) holds either destination or source
      address to be mangled in the IPv6 header (that is "CoA").
      On Inter-MN communication after both nodes binds each other,
      they use route optimized traffic two MIPv6 states applied, and
      both source and destination address in the IPv6 header
      are replaced by the states respectively.
      The packet format is correct, however, next-hop routing search
      are not.
      This patch fixes it by remembering address pairs for later states.
      
      Based on patch from Masahide NAKAMURA <nakam@linux-ipv6.org>.
      Signed-off-by: NMasahide NAKAMURA <nakam@linux-ipv6.org>
      Signed-off-by: NYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      9bb182a7