From patchwork Sat Jun 23 22:21:07 2018
X-Patchwork-Submitter: Al Viro
X-Patchwork-Id: 10485731
Date: Sat, 23 Jun 2018 23:21:07 +0100
From: Al Viro
To: David Miller
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, selinux@tycho.nsa.gov
Subject: Re: [PATCH] ipv6: avoid copy_from_user() via ipv6_renew_options_kern()
Message-ID: <20180623222106.GE30522@ZenIV.linux.org.uk>
In-Reply-To: <20180623212626.GD30522@ZenIV.linux.org.uk>
References: <152970230022.7734.15824980755229329454.stgit@chester> <20180623.105706.385733107379565893.davem@davemloft.net> <20180623212626.GD30522@ZenIV.linux.org.uk>
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

On Sat, Jun 23, 2018 at 10:26:27PM +0100, Al Viro wrote:
> On Sat, Jun 23, 2018 at 10:57:06AM +0900, David Miller wrote:
> > From: Paul Moore
> > Date: Fri, 22 Jun 2018 17:18:20 -0400
> >
> > > - const mm_segment_t old_fs = get_fs();
> > > -
> > > - set_fs(KERNEL_DS);
> > > - ret_val = ipv6_renew_options(sk, opt, newtype,
> > > - (struct ipv6_opt_hdr __user *)newopt,
> > > - newoptlen);
> > > - set_fs(old_fs);
> >
> > So is it really the case that the traditional construct:
> >
> > set_fs(KERNEL_DS);
> > ... copy_{from,to}_user(...);
> > set_fs(old_fs);
> >
> > is no longer allowed?
>
> s/no longer allowed/best avoided/, but IMO in this case the replacement is
> too ugly to live ;-/

BTW, I wonder if the life would be simpler with do_ipv6_setsockopt() doing the copy-in and verifying ipv6_optlen(*hdr) <= newoptlen; that would've simplified ipv6_renew_option{,s}() quite a bit and completely eliminated ipv6_renew_options_kern()...

Incidentally, is copying the entire value in case newoptlen > ipv6_optlen(...) the right thing? After all, the next update in any of those options will quietly lose everything past ipv6_optlen(...), wouldn't it?

IOW, how about the following (completely untested):

diff --git a/include/net/ipv6.h b/include/net/ipv6.h index 16475c269749..d02881e4ad1f 100644 --- a/include/net/ipv6.h +++ b/include/net/ipv6.h @@ -355,14 +355,7 @@ struct ipv6_txoptions *ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, int newtype, - struct ipv6_opt_hdr __user *newopt, - int newoptlen); -struct ipv6_txoptions * -ipv6_renew_options_kern(struct sock *sk, - struct ipv6_txoptions *opt, - int newtype, - struct ipv6_opt_hdr *newopt, - int newoptlen); + struct ipv6_opt_hdr *newopt); struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, struct ipv6_txoptions *opt); diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c index 1323b9679cf7..1c0bb9fb76e6 100644 --- a/net/ipv6/calipso.c +++ b/net/ipv6/calipso.c
@@ -799,8 +799,7 @@ static int calipso_opt_update(struct sock *sk, struct ipv6_opt_hdr *hop) { struct ipv6_txoptions *old = txopt_get(inet6_sk(sk)), *txopts; - txopts = ipv6_renew_options_kern(sk, old, IPV6_HOPOPTS, - hop, hop ? ipv6_optlen(hop) : 0); + txopts = ipv6_renew_options(sk, old, IPV6_HOPOPTS, hop); txopt_put(old); if (IS_ERR(txopts)) return PTR_ERR(txopts); @@ -1222,8 +1221,7 @@ static int calipso_req_setattr(struct request_sock *req, if (IS_ERR(new)) return PTR_ERR(new); - txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, - new, new ? ipv6_optlen(new) : 0); + txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new); kfree(new); @@ -1260,8 +1258,7 @@ static void calipso_req_delattr(struct request_sock *req) if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &new)) return; /* Nothing to do */ - txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, - new, new ? ipv6_optlen(new) : 0); + txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new); if (!IS_ERR(txopts)) { txopts = xchg(&req_inet->ipv6_opt, txopts); diff --git a/net/ipv6/exthdrs.c b/net/ipv6/exthdrs.c index 5bc2bf3733ab..4b6915eedfc3 100644 --- a/net/ipv6/exthdrs.c +++ b/net/ipv6/exthdrs.c 
@@ -1015,29 +1015,15 @@ ipv6_dup_options(struct sock *sk, struct ipv6_txoptions *opt) } EXPORT_SYMBOL_GPL(ipv6_dup_options); -static int ipv6_renew_option(void *ohdr, - struct ipv6_opt_hdr __user *newopt, int newoptlen, - int inherit, +static void ipv6_renew_option(struct ipv6_opt_hdr *opt, struct ipv6_opt_hdr **hdr, char **p) { - if (inherit) { - if (ohdr) { - memcpy(*p, ohdr, ipv6_optlen((struct ipv6_opt_hdr *)ohdr)); - *hdr = (struct ipv6_opt_hdr *)*p; - *p += CMSG_ALIGN(ipv6_optlen(*hdr)); - } - } else { - if (newopt) { - if (copy_from_user(*p, newopt, newoptlen)) - return -EFAULT; - *hdr = (struct ipv6_opt_hdr *)*p; - if (ipv6_optlen(*hdr) > newoptlen) - return -EINVAL; - *p += CMSG_ALIGN(newoptlen); - } + if (opt) { + memcpy(*p, opt, ipv6_optlen(opt)); + *hdr = (struct ipv6_opt_hdr *)*p; + *p += CMSG_ALIGN(ipv6_optlen(*hdr)); } - return 0; } /** @@ -1063,13 +1049,11 @@ static int ipv6_renew_option(void *ohdr, */ struct ipv6_txoptions * ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, - int newtype, - struct ipv6_opt_hdr __user *newopt, int newoptlen) + int newtype, struct ipv6_opt_hdr *newopt) { int tot_len = 0; char *p; struct ipv6_txoptions *opt2; - int err; if (opt) { if (newtype != IPV6_HOPOPTS && opt->hopopt) @@ -1082,8 +1066,8 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt)); } - if (newopt && newoptlen) - tot_len += CMSG_ALIGN(newoptlen); + if (newopt) + tot_len += CMSG_ALIGN(ipv6_optlen(newopt)); if (!tot_len) return NULL; 
@@ -1098,67 +1082,25 @@ ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, opt2->tot_len = tot_len; p = (char *)(opt2 + 1); - err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen, - newtype != IPV6_HOPOPTS, - &opt2->hopopt, &p); - if (err) - goto out; - - err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen, - newtype != IPV6_RTHDRDSTOPTS, - &opt2->dst0opt, &p); - if (err) - goto out; - - err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen, - newtype != IPV6_RTHDR, - (struct ipv6_opt_hdr **)&opt2->srcrt, &p); - if (err) - goto out; - - err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen, - newtype != IPV6_DSTOPTS, - &opt2->dst1opt, &p); - if (err) - goto out; - + ipv6_renew_option(newtype == IPV6_HOPOPTS ? newopt : + opt ? opt->hopopt : NULL, + &opt2->hopopt, &p); + + ipv6_renew_option(newtype == IPV6_RTHDRDSTOPTS ? newopt : + opt ? opt->dst0opt : NULL, + &opt2->dst0opt, &p); + ipv6_renew_option(newtype == IPV6_RTHDR ? newopt : + opt ? (struct ipv6_opt_hdr *)opt->srcrt : NULL, + (struct ipv6_opt_hdr **)&opt2->srcrt, &p); + ipv6_renew_option(newtype == IPV6_DSTOPTS ? newopt : + opt ? opt->dst1opt : NULL, + &opt2->dst1opt, &p); opt2->opt_nflen = (opt2->hopopt ? ipv6_optlen(opt2->hopopt) : 0) + (opt2->dst0opt ? ipv6_optlen(opt2->dst0opt) : 0) + (opt2->srcrt ? ipv6_optlen(opt2->srcrt) : 0); opt2->opt_flen = (opt2->dst1opt ? ipv6_optlen(opt2->dst1opt) : 0); return opt2; -out: - sock_kfree_s(sk, opt2, opt2->tot_len); - return ERR_PTR(err); -} - -/** - * ipv6_renew_options_kern - replace a specific ext hdr with a new one. - * - * @sk: sock from which to allocate memory - * @opt: original options - * @newtype: option type to replace in @opt - * @newopt: new option of type @newtype to replace (kernel-mem) - * @newoptlen: length of @newopt - * - * See ipv6_renew_options(). The difference is that @newopt is - * kernel memory, rather than user memory. 
- */ -struct ipv6_txoptions * -ipv6_renew_options_kern(struct sock *sk, struct ipv6_txoptions *opt, - int newtype, struct ipv6_opt_hdr *newopt, - int newoptlen) -{ - struct ipv6_txoptions *ret_val; - const mm_segment_t old_fs = get_fs(); - - set_fs(KERNEL_DS); - ret_val = ipv6_renew_options(sk, opt, newtype, - (struct ipv6_opt_hdr __user *)newopt, - newoptlen); - set_fs(old_fs); - return ret_val; } struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c index 4d780c7f0130..b69ba18e0138 100644 --- a/net/ipv6/ipv6_sockglue.c +++ b/net/ipv6/ipv6_sockglue.c @@ -398,6 +398,12 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, case IPV6_DSTOPTS: { struct ipv6_txoptions *opt; + struct ipv6_opt_hdr *new = NULL; + + /* hop-by-hop / destination options are privileged option */ + retv = -EPERM; + if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) + break; /* remove any sticky options header with a zero option * length, per RFC3542. @@ -409,17 +415,23 @@ static int do_ipv6_setsockopt(struct sock *sk, int level, int optname, else if (optlen < sizeof(struct ipv6_opt_hdr) || optlen & 0x7 || optlen > 8 * 255) goto e_inval; - - /* hop-by-hop / destination options are privileged option */ - retv = -EPERM; - if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) - break; + else { + new = kmemdup(optval, optlen, GFP_USER); + if (IS_ERR(new)) { + retv = PTR_ERR(new); + break; + } + if (unlikely(ipv6_optlen(new) > optlen)) { + kfree(new); + retv = -EINVAL; + break; + } + } opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk)); - opt = ipv6_renew_options(sk, opt, optname, - (struct ipv6_opt_hdr __user *)optval, - optlen); + opt = ipv6_renew_options(sk, opt, optname, new); + kfree(new); if (IS_ERR(opt)) { retv = PTR_ERR(opt); break;
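
Review bot: ipv6_renew_option() in the net/ipv6/exthdrs.c hunk at -1015 now sizes its memcpy() purely from ipv6_optlen(opt), and the `ipv6_optlen(*hdr) > newoptlen` test that used to sit next to the copy is gone, so the function is only safe when every caller hands it a buffer of at least ipv6_optlen(opt) bytes. Please state that precondition in a comment above the function, since the setsockopt path and the three calipso callers now each carry that guarantee on their own.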
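
Review bot: In the first net/ipv6/ipv6_sockglue.c hunk (-398) the CAP_NET_RAW check now runs before the optlen validation, so an unprivileged caller passing a malformed length gets -EPERM where it previously reached e_inval. If that change in error precedence is intended, say so in the commit message.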
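
Review bot: In the second net/ipv6/ipv6_sockglue.c hunk (-409), `new = kmemdup(optval, optlen, GFP_USER)` is applied to optval, which the removed lines cast to `struct ipv6_opt_hdr __user *`, so this is a plain memcpy() from a user pointer. kmemdup() also reports failure as NULL, so `IS_ERR(new)` never triggers and a failed allocation reaches ipv6_optlen(new). memdup_user(optval, optlen) does the checked copy-in and returns an ERR_PTR, which matches the IS_ERR()/PTR_ERR() handling already written here.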
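
The copy-in-then-validate order proposed in the message above, as an added user-space model that is not part of the patch or the kernel tree. Every `model_*` name is hypothetical; the length tests mirror the ones visible in the do_ipv6_setsockopt() hunk, and the store step keeps only the bytes the header describes, which is the truncation the message asks about.

```c
/* Added user-space model; every model_* name is hypothetical, not kernel code. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct model_opt_hdr {
	uint8_t nexthdr;
	uint8_t hdrlen;		/* 8-octet units, not counting the first 8 octets */
};

/* Same arithmetic as ipv6_optlen(): (hdrlen + 1) * 8 bytes. */
static size_t model_optlen(const struct model_opt_hdr *h)
{
	return ((size_t)h->hdrlen + 1) << 3;
}

/*
 * Copy-in step: take a private copy of the caller's buffer first, then
 * compare the length the header claims against the length actually
 * supplied. Checking the copy means the caller cannot change hdrlen
 * between the check and the later use.
 * Returns 0 with *out set (NULL when optlen == 0, i.e. "remove"),
 * or a negative errno.
 */
static int model_copy_in(const void *optval, size_t optlen,
			 struct model_opt_hdr **out)
{
	struct model_opt_hdr *new;

	*out = NULL;
	if (optlen == 0)
		return 0;
	if (optlen < sizeof(struct model_opt_hdr) || (optlen & 0x7) ||
	    optlen > 8 * 255)
		return -EINVAL;
	new = malloc(optlen);
	if (!new)
		return -ENOMEM;
	memcpy(new, optval, optlen);
	if (model_optlen(new) > optlen) {	/* header claims more than was given */
		free(new);
		return -EINVAL;
	}
	*out = new;
	return 0;
}

/* Store step: keep only what the header describes; returns bytes stored. */
static size_t model_store(unsigned char *dst, const struct model_opt_hdr *opt)
{
	size_t n = model_optlen(opt);

	memcpy(dst, opt, n);
	return n;
}

/* Run both steps on a constructed buffer; optlen must be <= 64 here. */
long model_demo(uint8_t hdrlen, size_t optlen)
{
	unsigned char caller[64] = { 0 };	/* constructed sample input */
	unsigned char stored[64];
	struct model_opt_hdr *new;
	long ret;

	if (optlen > sizeof(caller))
		return -EINVAL;
	caller[1] = hdrlen;
	ret = model_copy_in(caller, optlen, &new);
	if (ret || !new)
		return ret;
	ret = (long)model_store(stored, new);
	free(new);
	return ret;
}

int main(void)
{
	printf("hdrlen=1 optlen=16 -> %ld\n", model_demo(1, 16));
	printf("hdrlen=3 optlen=16 -> %ld\n", model_demo(3, 16));
	printf("hdrlen=0 optlen=16 -> %ld\n", model_demo(0, 16));
	return 0;
}
```

The third case shows a 16-byte buffer whose header describes 8 bytes: the trailing 8 bytes are accepted at copy-in but never stored.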