Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.53 2021-07-19T07:45:03+00:00 2021-07-19T07:45:03+00:00 Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp 2021-04-12T13:45:50+00:00 urn:sha1:3780348c1a0e14ffefcaf1fc521f815bcaac94b0 commit 49ec114a6e62d8d320037ce71c1aaf9650b3cafd upstream. Oops, I failed to update subject line. From 07571157c91b98ce1a4aa70967531e64b78e8346 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Date: Mon, 12 Apr 2021 22:25:06 +0900 Subject: smackfs: restrict bytes count in smk_set_cipso() Commit 7ef4c19d245f3dc2 ("smackfs: restrict bytes count in smackfs write functions") missed that count > SMK_CIPSOMAX check applies to only format == SMK_FIXED24_FMT case. Reported-by: syzbot <syzbot+77c53db50c9fff774e8e@syzkaller.appspotmail.com> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-07T11:34:05+00:00 Sabyrzhan Tasbolatov snovitoll@gmail.com 2021-01-28T11:58:01+00:00 urn:sha1:fa5b65609256fee27199c81368e984e48cb5dcfe commit 7ef4c19d245f3dc233fd4be5acea436edd1d83d8 upstream. syzbot found WARNINGs in several smackfs write operations where bytes count is passed to memdup_user_nul which exceeds GFP MAX_ORDER. Check count size if bigger than PAGE_SIZE. Per smackfs doc, smk_write_net4addr accepts any label or -CIPSO, smk_write_net6addr accepts any label or -DELETE. I couldn't find any general rule for other label lengths except SMK_LABELLEN, SMK_LONGLABEL, SMK_CIPSOMAX which are documented. Let's constrain, in general, smackfs label lengths for PAGE_SIZE. Although fuzzer crashes write to smackfs/netlabel on 0x400000 length. Here is a quick way to reproduce the WARNING: python -c "print('A' * 0x400000)" > /sys/fs/smackfs/netlabel Reported-by: syzbot+a71a442385a0b2815497@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-12-30T10:54:02+00:00 Casey Schaufler casey@schaufler-ca.com 2020-12-22T23:34:24+00:00 urn:sha1:8f939abd8119564c1df3d9d16534879796f063c1 [ Upstream commit 942cb357ae7d9249088e3687ee6a00ed2745a0c7 ] Smack assumes that kernel threads are privileged for smackfs operations. This was necessary because the credential of the kernel thread was not related to a user operation. With io_uring the credential does reflect a user's rights and can be used. Suggested-by: Jens Axboe <axboe@kernel.dk> Acked-by: Jens Axboe <axboe@kernel.dk> Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-10-13T23:18:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2020-10-13T23:18:51+00:00 urn:sha1:99a6740f88e9438cd220096d3d96eb6ba8d5c6f0 Pull smack updates from Casey Schaufler: "Two minor fixes and one performance enhancement to Smack. The performance improvement is significant and the new code is more like its counterpart in SELinux. - Two kernel test robot suggested clean-ups. - Teach Smack to use the IPv4 netlabel cache. This results in a 12-14% improvement on TCP benchmarks" * tag 'Smack-for-5.10' of git://github.com/cschaufler/smack-next: Smack: Remove unnecessary variable initialization Smack: Fix build when NETWORK_SECMARK is not set Smack: Use the netlabel cache Smack: Set socket labels only once Smack: Consolidate uses of secmark into a function 2020-10-05T21:20:51+00:00 Casey Schaufler casey@schaufler-ca.com 2020-10-05T21:20:51+00:00 urn:sha1:edd615371b668404d06699c04f5f90c4f438814a The initialization of rc in smack_from_netlbl() is pointless. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-22T21:59:31+00:00 Casey Schaufler casey@schaufler-ca.com 2020-09-22T21:59:31+00:00 urn:sha1:bf0afe673b999439b6a53c75727821795ccb27e2 Use proper conditional compilation for the secmark field in the network skb. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-11T22:31:31+00:00 Casey Schaufler casey@schaufler-ca.com 2020-08-12T00:39:43+00:00 urn:sha1:322dd63c7f98315b5794653bc582d109841219ae Utilize the Netlabel cache mechanism for incoming packet matching. Refactor the initialization of secattr structures, as it was being done in two places. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-11T22:31:30+00:00 Casey Schaufler casey@schaufler-ca.com 2020-08-12T00:39:42+00:00 urn:sha1:a2af031885071604452f03cd4e0eafdbd8014767 Refactor the IP send checks so that the netlabel value is set only when necessary, not on every send. Some functions get renamed as the changes made the old name misleading. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-09-11T22:31:30+00:00 Casey Schaufler casey@schaufler-ca.com 2020-08-12T00:39:41+00:00 urn:sha1:36be81293dbe35aca487917c2d76941bf734d2ad Add a function smack_from_skb() that returns the Smack label identified by a network secmark. Replace the explicit uses of the secmark with this function. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> 2020-08-23T22:36:59+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2020-08-23T22:36:59+00:00 urn:sha1:df561f6688fef775baa341a0f5d960becd248b11 Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. Also, remove unnecessary fall-through markings when it is the case. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-through Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>