On Fri, Mar 07, 2014 at 05:27:17PM -0500, Paul Moore wrote: > On Friday, March 07, 2014 12:44:19 PM Nikolay Aleksandrov wrote: > > security_xfrm_policy_alloc can be called in atomic context so the > > allocation should be done with GFP_ATOMIC. Add an argument to let the > > callers choose the appropriate way. In order to do so a gfp argument > > needs to be added to the method xfrm_policy_alloc_security in struct > > security_operations and to the internal function > > selinux_xfrm_alloc_user. After that switch to GFP_ATOMIC in the atomic > > callers and leave GFP_KERNEL as before for the rest. > > The path that needed the gfp argument addition is: > > security_xfrm_policy_alloc -> security_ops.xfrm_policy_alloc_security -> > > all users of xfrm_policy_alloc_security (e.g. selinux_xfrm_policy_alloc) -> > > selinux_xfrm_alloc_user (here the allocation used to be GFP_KERNEL only) > > > > Now adding a gfp argument to selinux_xfrm_alloc_user requires us to also > > add it to security_context_to_sid which is used inside and prior to this > > patch did only GFP_KERNEL allocation. So add gfp argument to > > security_context_to_sid and adjust all of its callers as well. > > > > CC: Paul Moore <paul@xxxxxxxxxxxxxx> > > CC: Dave Jones <davej@xxxxxxxxxx> > > CC: Steffen Klassert <steffen.klassert@xxxxxxxxxxx> > > CC: Fan Du <fan.du@xxxxxxxxxxxxx> > > CC: David S. Miller <davem@xxxxxxxxxxxxx> > > CC: LSM list <linux-security-module@xxxxxxxxxxxxxxx> > > CC: SELinux list <selinux@xxxxxxxxxxxxx> > > > > Signed-off-by: Nikolay Aleksandrov <nikolay@xxxxxxxxxx> > > This looks good to me, thanks for finding this and following through with a > patch. > > Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx> > Both patches applied to the ipsec tree. Thanks everyone! _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
