BACKPORT: Smack: ipv6 label match fix

The check for a deleted entry in the list of IPv6 host
addresses was being performed in the wrong place, leading
to most peculiar results in some cases. This puts the
check into the right place.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
(cherry-picked from upstream 2e4939f7026f938a1dc81533d020801198562804)

diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a7b9acbcb50fdc31b90e24e1e6f4ace275813717..8d7785a1608a87c3b5f6b238a6b9773f26cb0e60 100644 (file)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2422,18 +2422,18 @@ static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
                return NULL;
 
        list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
+               /*
+                * If the label is NULL the entry has
+                * been renounced. Ignore it.
+                */
+               if (snp->smk_label == NULL)
+                       continue;
                /*
                * we break after finding the first match because
                * the list is sorted from longest to shortest mask
                * so we have found the most specific match
                */
                for (found = 1, i = 0; i < 8; i++) {
-                       /*
-                        * If the label is NULL the entry has
-                        * been renounced. Ignore it.
-                        */
-                       if (snp->smk_label == NULL)
-                               continue;
                        if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
                            snp->smk_host.s6_addr16[i]) {
                                found = 0;