git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Paul Moore <pmoore@redhat.com>
	Wed, 11 Feb 2015 19:46:37 +0000 (14:46 -0500)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 6 Mar 2015 22:57:32 +0000 (14:57 -0800)
commit	dd8ef93c99b2df301641f15bde5b8f1bea3916f1
tree	368918c44240ab18eb5f918a3e119bb246606671	tree
parent	416f74c66eef66acebfbca90b647c5d123814325	commit \| diff

cipso: don't use IPCB() to locate the CIPSO IP option

commit 04f81f0154e4bf002be6f4d85668ce1257efa4d9 upstream.

Using the IPCB() macro to get the IPv4 options is convenient, but
unfortunately NetLabel often needs to examine the CIPSO option outside
of the scope of the IP layer in the stack. While historically IPCB()
worked above the IP layer, due to the inclusion of the inet_skb_param
struct at the head of the {tcp,udp}_skb_cb structs, recent commit
971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
reordered the tcp_skb_cb struct and invalidated this IPCB() trick.

This patch fixes the problem by creating a new function,
cipso_v4_optptr(), which locates the CIPSO option inside the IP header
without calling IPCB(). Unfortunately, this isn't as fast as a simple
lookup so some additional tweaks were made to limit the use of this
new function.

Reported-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <pmoore@redhat.com>
Tested-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

include/net/cipso_ipv4.h		diff \| blob \| blame \| history
net/ipv4/cipso_ipv4.c		diff \| blob \| blame \| history
net/netlabel/netlabel_kapi.c		diff \| blob \| blame \| history