]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
3.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Dec 2013 19:10:33 +0000 (11:10 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 18 Dec 2013 19:10:33 +0000 (11:10 -0800)
added patches:
ath9k-fix-duration-calculation-for-non-aggregated-packets.patch
ath9k-fix-quickdrop-usage.patch
ath9k-fix-xlna-bias-strength.patch
cfg80211-disable-5-10-mhz-support-for-all-drivers.patch
mac80211-fix-scheduled-scan-rtnl-deadlock.patch
revert-mac80211-allow-disable-power-save-in-mesh.patch
selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_output.patch
selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_postroute.patch

queue-3.12/ath9k-fix-duration-calculation-for-non-aggregated-packets.patch [new file with mode: 0644]
queue-3.12/ath9k-fix-quickdrop-usage.patch [new file with mode: 0644]
queue-3.12/ath9k-fix-xlna-bias-strength.patch [new file with mode: 0644]
queue-3.12/cfg80211-disable-5-10-mhz-support-for-all-drivers.patch [new file with mode: 0644]
queue-3.12/mac80211-fix-scheduled-scan-rtnl-deadlock.patch [new file with mode: 0644]
queue-3.12/revert-mac80211-allow-disable-power-save-in-mesh.patch [new file with mode: 0644]
queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_output.patch [new file with mode: 0644]
queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_postroute.patch [new file with mode: 0644]
queue-3.12/series

diff --git a/queue-3.12/ath9k-fix-duration-calculation-for-non-aggregated-packets.patch b/queue-3.12/ath9k-fix-duration-calculation-for-non-aggregated-packets.patch
new file mode 100644 (file)
index 0000000..01ee7dd
--- /dev/null
@@ -0,0 +1,40 @@
+From bbf807bc0697e577c137a5fffb30fca7c6a45da1 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Thu, 5 Dec 2013 15:20:53 +0100
+Subject: ath9k: fix duration calculation for non-aggregated packets
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit bbf807bc0697e577c137a5fffb30fca7c6a45da1 upstream.
+
+When not aggregating packets, fi->framelen should be passed in as length
+to calculate the duration. Before the tx path rework, ath_tx_fill_desc
+was called for either one aggregate, or one single frame, with the
+length of the packet or the aggregate as a parameter.
+After the rework, ath_tx_sched_aggr can pass a burst of single frames to
+ath_tx_fill_desc and sets len=0.
+Fix broken duration calculation by overriding the length in ath_tx_fill_desc
+before passing it to ath_buf_set_rate.
+
+Reported-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/xmit.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/xmit.c
++++ b/drivers/net/wireless/ath/ath9k/xmit.c
+@@ -1275,6 +1275,10 @@ static void ath_tx_fill_desc(struct ath_
+                               if (!rts_thresh || (len > rts_thresh))
+                                       rts = true;
+                       }
++
++                      if (!aggr)
++                              len = fi->framelen;
++
+                       ath_buf_set_rate(sc, bf, &info, len, rts);
+               }
diff --git a/queue-3.12/ath9k-fix-quickdrop-usage.patch b/queue-3.12/ath9k-fix-quickdrop-usage.patch
new file mode 100644 (file)
index 0000000..f49b9e8
--- /dev/null
@@ -0,0 +1,54 @@
+From 93c1cfbe598f72cfa7be49e4a7d2a1d482e15119 Mon Sep 17 00:00:00 2001
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Date: Tue, 26 Nov 2013 07:21:08 +0530
+Subject: ath9k: Fix QuickDrop usage
+
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+
+commit 93c1cfbe598f72cfa7be49e4a7d2a1d482e15119 upstream.
+
+Bit 5 in the miscConfiguration field of the base EEPROM
+header denotes whether QuickDrop is enabled or not. Fix
+the incorrect usage of BIT(1) and also make sure that
+this is done only for the required chips.
+
+Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -3966,18 +3966,20 @@ static void ar9003_hw_quick_drop_apply(s
+       int quick_drop;
+       s32 t[3], f[3] = {5180, 5500, 5785};
+-      if (!(pBase->miscConfiguration & BIT(1)))
++      if (!(pBase->miscConfiguration & BIT(4)))
+               return;
+-      if (freq < 4000)
+-              quick_drop = eep->modalHeader2G.quick_drop;
+-      else {
+-              t[0] = eep->base_ext1.quick_drop_low;
+-              t[1] = eep->modalHeader5G.quick_drop;
+-              t[2] = eep->base_ext1.quick_drop_high;
+-              quick_drop = ar9003_hw_power_interpolate(freq, f, t, 3);
++      if (AR_SREV_9300(ah) || AR_SREV_9580(ah) || AR_SREV_9340(ah)) {
++              if (freq < 4000) {
++                      quick_drop = eep->modalHeader2G.quick_drop;
++              } else {
++                      t[0] = eep->base_ext1.quick_drop_low;
++                      t[1] = eep->modalHeader5G.quick_drop;
++                      t[2] = eep->base_ext1.quick_drop_high;
++                      quick_drop = ar9003_hw_power_interpolate(freq, f, t, 3);
++              }
++              REG_RMW_FIELD(ah, AR_PHY_AGC, AR_PHY_AGC_QUICK_DROP, quick_drop);
+       }
+-      REG_RMW_FIELD(ah, AR_PHY_AGC, AR_PHY_AGC_QUICK_DROP, quick_drop);
+ }
+ static void ar9003_hw_txend_to_xpa_off_apply(struct ath_hw *ah, bool is2ghz)
diff --git a/queue-3.12/ath9k-fix-xlna-bias-strength.patch b/queue-3.12/ath9k-fix-xlna-bias-strength.patch
new file mode 100644 (file)
index 0000000..b232358
--- /dev/null
@@ -0,0 +1,32 @@
+From a1783a7b0846fc6414483e6caf646db72023fffd Mon Sep 17 00:00:00 2001
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Date: Tue, 26 Nov 2013 07:21:39 +0530
+Subject: ath9k: Fix XLNA bias strength
+
+From: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+
+commit a1783a7b0846fc6414483e6caf646db72023fffd upstream.
+
+The EEPROM parameter to determine whether the bias
+strength values for XLNA have to be applied is part
+of the miscConfiguration field and not featureEnable.
+
+Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_eeprom.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
+@@ -4019,7 +4019,7 @@ static void ar9003_hw_xlna_bias_strength
+       struct ar9300_eeprom *eep = &ah->eeprom.ar9300_eep;
+       u8 bias;
+-      if (!(eep->baseEepHeader.featureEnable & 0x40))
++      if (!(eep->baseEepHeader.miscConfiguration & 0x40))
+               return;
+       if (!AR_SREV_9300(ah))
diff --git a/queue-3.12/cfg80211-disable-5-10-mhz-support-for-all-drivers.patch b/queue-3.12/cfg80211-disable-5-10-mhz-support-for-all-drivers.patch
new file mode 100644 (file)
index 0000000..ae71ce1
--- /dev/null
@@ -0,0 +1,36 @@
+From 9f16d84ad73ea04145a5dc85c8f1067915b37eea Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sun, 17 Nov 2013 10:37:34 +0100
+Subject: cfg80211: disable 5/10 MHz support for all drivers
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 9f16d84ad73ea04145a5dc85c8f1067915b37eea upstream.
+
+Due to nl80211 API breakage, 5/10 MHz support is broken for
+all drivers. Fixing it requires adding new API, but that
+can't be done as a bugfix commit since that would require
+either updating all APIs in the trees needing the bugfix or
+cause different kernels to have incompatible API.
+
+Therefore, just disable 5/10 MHz support for all drivers.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -451,6 +451,9 @@ int wiphy_register(struct wiphy *wiphy)
+       int i;
+       u16 ifmodes = wiphy->interface_modes;
++      /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
++      wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
++
+ #ifdef CONFIG_PM
+       if (WARN_ON(wiphy->wowlan &&
+                   (wiphy->wowlan->flags & WIPHY_WOWLAN_GTK_REKEY_FAILURE) &&
diff --git a/queue-3.12/mac80211-fix-scheduled-scan-rtnl-deadlock.patch b/queue-3.12/mac80211-fix-scheduled-scan-rtnl-deadlock.patch
new file mode 100644 (file)
index 0000000..34d8c4a
--- /dev/null
@@ -0,0 +1,50 @@
+From 18db594a1005d908d995a2fc8f5a7bf4286fdca0 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 6 Nov 2013 10:34:36 +0100
+Subject: mac80211: fix scheduled scan rtnl deadlock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 18db594a1005d908d995a2fc8f5a7bf4286fdca0 upstream.
+
+When changing cfg80211 to use RTNL locking, this caused a
+deadlock in mac80211 as it calls cfg80211_sched_scan_stopped()
+from a work item that's on a workqueue that is flushed with
+the RTNL held.
+
+Fix this by simply using schedule_work(), the work only needs
+to finish running before the wiphy is unregistered, no other
+synchronisation (e.g. with suspend) is really required since
+for suspend userspace is already blocked anyway when we flush
+the workqueue so will only pick up the event after resume.
+
+Fixes: 5fe231e87372 ("cfg80211: vastly simplify locking")
+Reported-and-tested-by: Eliad Peller <eliadx.peller@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/main.c |    1 +
+ net/mac80211/scan.c |    2 +-
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -1047,6 +1047,7 @@ void ieee80211_unregister_hw(struct ieee
+       cancel_work_sync(&local->restart_work);
+       cancel_work_sync(&local->reconfig_filter);
++      flush_work(&local->sched_scan_stopped_work);
+       ieee80211_clear_tx_pending(local);
+       rate_control_deinitialize(local);
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -1089,6 +1089,6 @@ void ieee80211_sched_scan_stopped(struct
+       trace_api_sched_scan_stopped(local);
+-      ieee80211_queue_work(&local->hw, &local->sched_scan_stopped_work);
++      schedule_work(&local->sched_scan_stopped_work);
+ }
+ EXPORT_SYMBOL(ieee80211_sched_scan_stopped);
diff --git a/queue-3.12/revert-mac80211-allow-disable-power-save-in-mesh.patch b/queue-3.12/revert-mac80211-allow-disable-power-save-in-mesh.patch
new file mode 100644 (file)
index 0000000..5e3bea6
--- /dev/null
@@ -0,0 +1,45 @@
+From 2d3db210860f1df099a35b1dd54cca35454e0361 Mon Sep 17 00:00:00 2001
+From: Bob Copeland <me@bobcopeland.com>
+Date: Tue, 29 Oct 2013 18:11:59 -0400
+Subject: Revert "mac80211: allow disable power save in mesh"
+
+From: Bob Copeland <me@bobcopeland.com>
+
+commit 2d3db210860f1df099a35b1dd54cca35454e0361 upstream.
+
+This reverts commit ee1f668136b2fb6640ee2d54c2a525ea41f98211.
+
+The aformentioned commit added a check to allow
+'iw wlan0 set power_save off' to work for mesh interfaces.
+
+However, this is problematic because it also allows
+'iw wlan0 set power_save on', which will crash in short order
+because all of the subsequent code manipulates sdata->u.mgd.
+
+The power-saving states for mesh interfaces can be manipulated
+through the mesh config, e.g:
+'iw wlan0 set mesh_param mesh_power_save=active' (which,
+despite the name, actualy disables power saving since the
+setting refers to the type of sleep the interface undergoes).
+
+Fixes: ee1f668136b2 ("mac80211: allow disable power save in mesh")
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2386,8 +2386,7 @@ static int ieee80211_set_power_mgmt(stru
+       struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+       struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+-      if (sdata->vif.type != NL80211_IFTYPE_STATION &&
+-          sdata->vif.type != NL80211_IFTYPE_MESH_POINT)
++      if (sdata->vif.type != NL80211_IFTYPE_STATION)
+               return -EOPNOTSUPP;
+       if (!(local->hw.flags & IEEE80211_HW_SUPPORTS_PS))
diff --git a/queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_output.patch b/queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_output.patch
new file mode 100644 (file)
index 0000000..4347a8d
--- /dev/null
@@ -0,0 +1,83 @@
+From 47180068276a04ed31d24fe04c673138208b07a9 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Wed, 4 Dec 2013 16:10:45 -0500
+Subject: selinux: handle TCP SYN-ACK packets correctly in selinux_ip_output()
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit 47180068276a04ed31d24fe04c673138208b07a9 upstream.
+
+In selinux_ip_output() we always label packets based on the parent
+socket.  While this approach works in almost all cases, it doesn't
+work in the case of TCP SYN-ACK packets when the correct label is not
+the label of the parent socket, but rather the label of the larval
+socket represented by the request_sock struct.
+
+Unfortunately, since the request_sock isn't queued on the parent
+socket until *after* the SYN-ACK packet is sent, we can't lookup the
+request_sock to determine the correct label for the packet; at this
+point in time the best we can do is simply pass/NF_ACCEPT the packet.
+It must be said that simply passing the packet without any explicit
+labeling action, while far from ideal, is not terrible as the SYN-ACK
+packet will inherit any IP option based labeling from the initial
+connection request so the label *should* be correct and all our
+access controls remain in place so we shouldn't have to worry about
+information leaks.
+
+Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
+Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |   25 +++++++++++++++++++++++--
+ 1 file changed, 23 insertions(+), 2 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -53,6 +53,7 @@
+ #include <net/ip.h>           /* for local_port_range[] */
+ #include <net/sock.h>
+ #include <net/tcp.h>          /* struct or_callable used in sock_rcv_skb */
++#include <net/inet_connection_sock.h>
+ #include <net/net_namespace.h>
+ #include <net/netlabel.h>
+ #include <linux/uaccess.h>
+@@ -4690,6 +4691,7 @@ static unsigned int selinux_ipv6_forward
+ static unsigned int selinux_ip_output(struct sk_buff *skb,
+                                     u16 family)
+ {
++      struct sock *sk;
+       u32 sid;
+       if (!netlbl_enabled())
+@@ -4698,8 +4700,27 @@ static unsigned int selinux_ip_output(st
+       /* we do this in the LOCAL_OUT path and not the POST_ROUTING path
+        * because we want to make sure we apply the necessary labeling
+        * before IPsec is applied so we can leverage AH protection */
+-      if (skb->sk) {
+-              struct sk_security_struct *sksec = skb->sk->sk_security;
++      sk = skb->sk;
++      if (sk) {
++              struct sk_security_struct *sksec;
++
++              if (sk->sk_state == TCP_LISTEN)
++                      /* if the socket is the listening state then this
++                       * packet is a SYN-ACK packet which means it needs to
++                       * be labeled based on the connection/request_sock and
++                       * not the parent socket.  unfortunately, we can't
++                       * lookup the request_sock yet as it isn't queued on
++                       * the parent socket until after the SYN-ACK is sent.
++                       * the "solution" is to simply pass the packet as-is
++                       * as any IP option based labeling should be copied
++                       * from the initial connection request (in the IP
++                       * layer).  it is far from ideal, but until we get a
++                       * security label in the packet itself this is the
++                       * best we can do. */
++                      return NF_ACCEPT;
++
++              /* standard practice, label using the parent socket */
++              sksec = sk->sk_security;
+               sid = sksec->sid;
+       } else
+               sid = SECINITSID_KERNEL;
diff --git a/queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_postroute.patch b/queue-3.12/selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_postroute.patch
new file mode 100644 (file)
index 0000000..dfd5f2d
--- /dev/null
@@ -0,0 +1,138 @@
+From 446b802437f285de68ffb8d6fac3c44c3cab5b04 Mon Sep 17 00:00:00 2001
+From: Paul Moore <pmoore@redhat.com>
+Date: Wed, 4 Dec 2013 16:10:51 -0500
+Subject: selinux: handle TCP SYN-ACK packets correctly in selinux_ip_postroute()
+
+From: Paul Moore <pmoore@redhat.com>
+
+commit 446b802437f285de68ffb8d6fac3c44c3cab5b04 upstream.
+
+In selinux_ip_postroute() we perform access checks based on the
+packet's security label.  For locally generated traffic we get the
+packet's security label from the associated socket; this works in all
+cases except for TCP SYN-ACK packets.  In the case of SYN-ACK packet's
+the correct security label is stored in the connection's request_sock,
+not the server's socket.  Unfortunately, at the point in time when
+selinux_ip_postroute() is called we can't query the request_sock
+directly, we need to recreate the label using the same logic that
+originally labeled the associated request_sock.
+
+See the inline comments for more explanation.
+
+Reported-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
+Tested-by: Janak Desai <Janak.Desai@gtri.gatech.edu>
+Signed-off-by: Paul Moore <pmoore@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/selinux/hooks.c |   68 ++++++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 53 insertions(+), 15 deletions(-)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -3806,6 +3806,30 @@ static int selinux_skb_peerlbl_sid(struc
+       return 0;
+ }
++/**
++ * selinux_conn_sid - Determine the child socket label for a connection
++ * @sk_sid: the parent socket's SID
++ * @skb_sid: the packet's SID
++ * @conn_sid: the resulting connection SID
++ *
++ * If @skb_sid is valid then the user:role:type information from @sk_sid is
++ * combined with the MLS information from @skb_sid in order to create
++ * @conn_sid.  If @skb_sid is not valid then then @conn_sid is simply a copy
++ * of @sk_sid.  Returns zero on success, negative values on failure.
++ *
++ */
++static int selinux_conn_sid(u32 sk_sid, u32 skb_sid, u32 *conn_sid)
++{
++      int err = 0;
++
++      if (skb_sid != SECSID_NULL)
++              err = security_sid_mls_copy(sk_sid, skb_sid, conn_sid);
++      else
++              *conn_sid = sk_sid;
++
++      return err;
++}
++
+ /* socket security operations */
+ static int socket_sockcreate_sid(const struct task_security_struct *tsec,
+@@ -4412,7 +4436,7 @@ static int selinux_inet_conn_request(str
+       struct sk_security_struct *sksec = sk->sk_security;
+       int err;
+       u16 family = sk->sk_family;
+-      u32 newsid;
++      u32 connsid;
+       u32 peersid;
+       /* handle mapped IPv4 packets arriving via IPv6 sockets */
+@@ -4422,16 +4446,11 @@ static int selinux_inet_conn_request(str
+       err = selinux_skb_peerlbl_sid(skb, family, &peersid);
+       if (err)
+               return err;
+-      if (peersid == SECSID_NULL) {
+-              req->secid = sksec->sid;
+-              req->peer_secid = SECSID_NULL;
+-      } else {
+-              err = security_sid_mls_copy(sksec->sid, peersid, &newsid);
+-              if (err)
+-                      return err;
+-              req->secid = newsid;
+-              req->peer_secid = peersid;
+-      }
++      err = selinux_conn_sid(sksec->sid, peersid, &connsid);
++      if (err)
++              return err;
++      req->secid = connsid;
++      req->peer_secid = peersid;
+       return selinux_netlbl_inet_conn_request(req, family);
+ }
+@@ -4805,12 +4824,12 @@ static unsigned int selinux_ip_postroute
+       if (!secmark_active && !peerlbl_active)
+               return NF_ACCEPT;
+-      /* if the packet is being forwarded then get the peer label from the
+-       * packet itself; otherwise check to see if it is from a local
+-       * application or the kernel, if from an application get the peer label
+-       * from the sending socket, otherwise use the kernel's sid */
+       sk = skb->sk;
+       if (sk == NULL) {
++              /* Without an associated socket the packet is either coming
++               * from the kernel or it is being forwarded; check the packet
++               * to determine which and if the packet is being forwarded
++               * query the packet directly to determine the security label. */
+               if (skb->skb_iif) {
+                       secmark_perm = PACKET__FORWARD_OUT;
+                       if (selinux_skb_peerlbl_sid(skb, family, &peer_sid))
+@@ -4819,7 +4838,26 @@ static unsigned int selinux_ip_postroute
+                       secmark_perm = PACKET__SEND;
+                       peer_sid = SECINITSID_KERNEL;
+               }
++      } else if (sk->sk_state == TCP_LISTEN) {
++              /* Locally generated packet but the associated socket is in the
++               * listening state which means this is a SYN-ACK packet.  In
++               * this particular case the correct security label is assigned
++               * to the connection/request_sock but unfortunately we can't
++               * query the request_sock as it isn't queued on the parent
++               * socket until after the SYN-ACK packet is sent; the only
++               * viable choice is to regenerate the label like we do in
++               * selinux_inet_conn_request().  See also selinux_ip_output()
++               * for similar problems. */
++              u32 skb_sid;
++              struct sk_security_struct *sksec = sk->sk_security;
++              if (selinux_skb_peerlbl_sid(skb, family, &skb_sid))
++                      return NF_DROP;
++              if (selinux_conn_sid(sksec->sid, skb_sid, &peer_sid))
++                      return NF_DROP;
++              secmark_perm = PACKET__SEND;
+       } else {
++              /* Locally generated packet, fetch the security label from the
++               * associated socket. */
+               struct sk_security_struct *sksec = sk->sk_security;
+               peer_sid = sksec->sid;
+               secmark_perm = PACKET__SEND;
index ae980690c0d1f489b34c530599aaa46f6221234b..df85d000dca5840ee62c28b64a398b43016c5895 100644 (file)
@@ -46,3 +46,11 @@ regulator-pfuze100-fix-address-of-fabid.patch
 partially-revert-mtd-nand-pxa3xx-introduce-marvell-armada370-nand-compatible-string.patch
 iommu-arm-smmu-use-mutex-instead-of-spinlock-for-locking-page-tables.patch
 drm-i915-fix-pipe-csc-post-offset-calculation.patch
+ath9k-fix-quickdrop-usage.patch
+ath9k-fix-xlna-bias-strength.patch
+ath9k-fix-duration-calculation-for-non-aggregated-packets.patch
+cfg80211-disable-5-10-mhz-support-for-all-drivers.patch
+selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_output.patch
+selinux-handle-tcp-syn-ack-packets-correctly-in-selinux_ip_postroute.patch
+revert-mac80211-allow-disable-power-save-in-mesh.patch
+mac80211-fix-scheduled-scan-rtnl-deadlock.patch