Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says: ==================== pull request (net): ipsec 2019-02-21 1) Don't do TX bytes accounting for the esp trailer when sending from a request socket as this will result in an out of bounds memory write. From Martin Willi. 2) Destroy xfrm_state synchronously on net exit path to avoid nested gc flush callbacks that may trigger a warning in xfrm6_tunnel_net_exit(). From Cong Wang. 3) Do an unconditionally clone in pfkey_broadcast_one() to avoid a race when freeing the skb. From Sean Tranchetti. 4) Fix inbound traffic via XFRM interfaces across network namespaces. We did the lookup for interfaces and policies in the wrong namespace. From Tobias Brunner. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2019-02-21 19:08:52 -0500
committer: David S. Miller <davem@davemloft.net> 2019-02-21 19:08:52 -0500
commit: b35560e485cb3a10bfe631732bcb75fe1a568da7 (patch)
tree: e46d5e1cf9f056f894a83076ea2fdac1d803f97b
parent: 31088cb5ca6e4b8fda36f8686d15f037bd039f2a (diff)
parent: 660899ddf06ae8bb5bbbd0a19418b739375430c5 (diff)
9 files changed, 53 insertions, 47 deletions
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 7298a53b9702..85386becbaea 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -853,7 +853,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
                xfrm_pol_put(pols[i]);
 }
-void __xfrm_state_destroy(struct xfrm_state *);
+void __xfrm_state_destroy(struct xfrm_state *, bool);
 static inline void __xfrm_state_put(struct xfrm_state *x)
 {
@@ -863,7 +863,13 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
 static inline void xfrm_state_put(struct xfrm_state *x)
 {
        if (refcount_dec_and_test(&x->refcnt))
-                __xfrm_state_destroy(x);
+                __xfrm_state_destroy(x, false);
+}
+static inline void xfrm_state_put_sync(struct xfrm_state *x)
+{
+        if (refcount_dec_and_test(&x->refcnt))
+                __xfrm_state_destroy(x, true);
 }
 static inline void xfrm_state_hold(struct xfrm_state *x)
@@ -1590,7 +1596,7 @@ struct xfrmk_spdinfo {
 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq);
 int xfrm_state_delete(struct xfrm_state *x);
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid);
 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si);
 void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si);
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 5459f41fc26f..10e809b296ec 100644
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -328,7 +328,7 @@ int esp_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info *
                        skb->len += tailen;
                        skb->data_len += tailen;
                        skb->truesize += tailen;
-                        if (sk)
+                        if (sk && sk_fullsock(sk))
                                refcount_add(tailen, &sk->sk_wmem_alloc);
                        goto out;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 5afe9f83374d..239d4a65ad6e 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -296,7 +296,7 @@ int esp6_output_head(struct xfrm_state *x, struct sk_buff *skb, struct esp_info
                        skb->len += tailen;
                        skb->data_len += tailen;
                        skb->truesize += tailen;
-                        if (sk)
+                        if (sk && sk_fullsock(sk))
                                refcount_add(tailen, &sk->sk_wmem_alloc);
                        goto out;
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index f5b4febeaa25..bc65db782bfb 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -344,8 +344,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
        struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
        unsigned int i;
-        xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
        xfrm_flush_gc();
+        xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
        for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
                WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 655c787f9d54..5651c29cb5bd 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock)
        return 0;
 }
-static int pfkey_broadcast_one(struct sk_buff *skb, struct sk_buff **skb2,
+static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,
-                               gfp_t allocation, struct sock *sk)
+                               struct sock *sk)
 {
        int err = -ENOBUFS;
-        sock_hold(sk);
+        if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
-        if (*skb2 == NULL) {
+                return err;
-                if (refcount_read(&skb->users) != 1) {
-                        *skb2 = skb_clone(skb, allocation);
+        skb = skb_clone(skb, allocation);
-                } else {
-                        *skb2 = skb;
+        if (skb) {
-                        refcount_inc(&skb->users);
+                skb_set_owner_r(skb, sk);
-                }
+                skb_queue_tail(&sk->sk_receive_queue, skb);
-        }
+                sk->sk_data_ready(sk);
-        if (*skb2 != NULL) {
+                err = 0;
-                if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) {
-                        skb_set_owner_r(*skb2, sk);
-                        skb_queue_tail(&sk->sk_receive_queue, *skb2);
-                        sk->sk_data_ready(sk);
-                        *skb2 = NULL;
-                        err = 0;
-                }
        }
-        sock_put(sk);
        return err;
 }
@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
 {
        struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
        struct sock *sk;
-        struct sk_buff *skb2 = NULL;
        int err = -ESRCH;
        /* XXX Do we need something like netlink_overrun?  I think
@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
                 * socket.
                 */
                if (pfk->promisc)
-                        pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
+                        pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
                /* the exact target will be processed later */
                if (sk == one_sk)
@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
                                continue;
                }
-                err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);
+                err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
                /* Error is cleared after successful sending to at least one
                 * registered KM */
@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
        rcu_read_unlock();
        if (one_sk != NULL)
-                err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);
+                err = pfkey_broadcast_one(skb, allocation, one_sk);
-        kfree_skb(skb2);
        kfree_skb(skb);
        return err;
 }
@@ -1783,7 +1773,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, const struct sadb_m
        if (proto == 0)
                return -EINVAL;
-        err = xfrm_state_flush(net, proto, true);
+        err = xfrm_state_flush(net, proto, true, false);
        err2 = unicast_flush_resp(sk, hdr);
        if (err || err2) {
                if (err == -ESRCH) /* empty table - go quietly */
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index 6be8c7df15bb..dbb3c1945b5c 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if *xfrmi_decode_session(struct sk_buff *skb)
        int ifindex;
        struct xfrm_if *xi;
-        if (!skb->dev)
+        if (!secpath_exists(skb) || !skb->dev)
                return NULL;
-        xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id);
+        xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
        ifindex = skb->dev->ifindex;
        for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ba0a4048c846..8d1a898d0ba5 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3314,8 +3314,10 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        if (ifcb) {
                xi = ifcb->decode_session(skb);
-                if (xi)
+                if (xi) {
                        if_id = xi->p.if_id;
+                        net = xi->net;
+                }
        }
        rcu_read_unlock();
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 23c92891758a..1bb971f46fc6 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -432,7 +432,7 @@ void xfrm_state_free(struct xfrm_state *x)
 }
 EXPORT_SYMBOL(xfrm_state_free);
-static void xfrm_state_gc_destroy(struct xfrm_state *x)
+static void ___xfrm_state_destroy(struct xfrm_state *x)
 {
        tasklet_hrtimer_cancel(&x->mtimer);
        del_timer_sync(&x->rtimer);
@@ -474,7 +474,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
        synchronize_rcu();
        hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
-                xfrm_state_gc_destroy(x);
+                ___xfrm_state_destroy(x);
 }
 static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -598,14 +598,19 @@ struct xfrm_state *xfrm_state_alloc(struct net *net)
 }
 EXPORT_SYMBOL(xfrm_state_alloc);
-void __xfrm_state_destroy(struct xfrm_state *x)
+void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
 {
        WARN_ON(x->km.state != XFRM_STATE_DEAD);
-        spin_lock_bh(&xfrm_state_gc_lock);
+        if (sync) {
-        hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+                synchronize_rcu();
-        spin_unlock_bh(&xfrm_state_gc_lock);
+                ___xfrm_state_destroy(x);
-        schedule_work(&xfrm_state_gc_work);
+        } else {
+                spin_lock_bh(&xfrm_state_gc_lock);
+                hlist_add_head(&x->gclist, &xfrm_state_gc_list);
+                spin_unlock_bh(&xfrm_state_gc_lock);
+                schedule_work(&xfrm_state_gc_work);
+        }
 }
 EXPORT_SYMBOL(__xfrm_state_destroy);
@@ -708,7 +713,7 @@ xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool
 }
 #endif
-int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)
+int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
 {
        int i, err = 0, cnt = 0;
@@ -730,7 +735,10 @@ restart:
                                err = xfrm_state_delete(x);
                                xfrm_audit_state_delete(x, err ? 0 : 1,
                                                        task_valid);
-                                xfrm_state_put(x);
+                                if (sync)
+                                        xfrm_state_put_sync(x);
+                                else
+                                        xfrm_state_put(x);
                                if (!err)
                                        cnt++;
@@ -2215,7 +2223,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
                if (atomic_read(&t->tunnel_users) == 2)
                        xfrm_state_delete(t);
                atomic_dec(&t->tunnel_users);
-                xfrm_state_put(t);
+                xfrm_state_put_sync(t);
                x->tunnel = NULL;
        }
 }
@@ -2375,8 +2383,8 @@ void xfrm_state_fini(struct net *net)
        unsigned int sz;
        flush_work(&net->xfrm.state_hash_work);
-        xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
        flush_work(&xfrm_state_gc_work);
+        xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
        WARN_ON(!list_empty(&net->xfrm.state_all));
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c6d26afcf89d..a131f9ff979e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1932,7 +1932,7 @@ static int xfrm_flush_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct xfrm_usersa_flush *p = nlmsg_data(nlh);
        int err;
-        err = xfrm_state_flush(net, p->proto, true);
+        err = xfrm_state_flush(net, p->proto, true, false);
        if (err) {
                if (err == -ESRCH) /* empty table */
                        return 0;
author	David S. Miller <davem@davemloft.net>	2019-02-21 19:08:52 -0500
committer	David S. Miller <davem@davemloft.net>	2019-02-21 19:08:52 -0500
commit	b35560e485cb3a10bfe631732bcb75fe1a568da7 (patch)
tree	e46d5e1cf9f056f894a83076ea2fdac1d803f97b
parent	31088cb5ca6e4b8fda36f8686d15f037bd039f2a (diff)
parent	660899ddf06ae8bb5bbbd0a19418b739375430c5 (diff)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h index 7298a53b9702..85386becbaea 100644 --- a/include/net/xfrm.h +++ b/include/net/xfrm.h
@@ -853,7 +853,7 @@ static inline void xfrm_pols_put(struct xfrm_policy **pols, int npols)
853	xfrm_pol_put(pols[i]);	853	xfrm_pol_put(pols[i]);
854	}	854	}
855		855
856	void __xfrm_state_destroy(struct xfrm_state *);	856	void __xfrm_state_destroy(struct xfrm_state *, bool);
857		857
858	static inline void __xfrm_state_put(struct xfrm_state *x)	858	static inline void __xfrm_state_put(struct xfrm_state *x)
859	{	859	{
@@ -863,7 +863,13 @@ static inline void __xfrm_state_put(struct xfrm_state *x)
863	static inline void xfrm_state_put(struct xfrm_state *x)	863	static inline void xfrm_state_put(struct xfrm_state *x)
864	{	864	{
865	if (refcount_dec_and_test(&x->refcnt))	865	if (refcount_dec_and_test(&x->refcnt))
866	__xfrm_state_destroy(x);	866	__xfrm_state_destroy(x, false);
		867	}
		868
		869	static inline void xfrm_state_put_sync(struct xfrm_state *x)
		870	{
		871	if (refcount_dec_and_test(&x->refcnt))
		872	__xfrm_state_destroy(x, true);
867	}	873	}
868		874
869	static inline void xfrm_state_hold(struct xfrm_state *x)	875	static inline void xfrm_state_hold(struct xfrm_state *x)
@@ -1590,7 +1596,7 @@ struct xfrmk_spdinfo {
1590		1596
1591	struct xfrm_state xfrm_find_acq_byseq(struct net net, u32 mark, u32 seq);	1597	struct xfrm_state xfrm_find_acq_byseq(struct net net, u32 mark, u32 seq);
1592	int xfrm_state_delete(struct xfrm_state *x);	1598	int xfrm_state_delete(struct xfrm_state *x);
1593	int xfrm_state_flush(struct net *net, u8 proto, bool task_valid);	1599	int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync);
1594	int xfrm_dev_state_flush(struct net net, struct net_device dev, bool task_valid);	1600	int xfrm_dev_state_flush(struct net net, struct net_device dev, bool task_valid);
1595	void xfrm_sad_getinfo(struct net net, struct xfrmk_sadinfo si);	1601	void xfrm_sad_getinfo(struct net net, struct xfrmk_sadinfo si);
1596	void xfrm_spd_getinfo(struct net net, struct xfrmk_spdinfo si);	1602	void xfrm_spd_getinfo(struct net net, struct xfrmk_spdinfo si);


diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 5459f41fc26f..10e809b296ec 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c
@@ -328,7 +328,7 @@ int esp_output_head(struct xfrm_state x, struct sk_buff skb, struct esp_info *
328	skb->len += tailen;	328	skb->len += tailen;
329	skb->data_len += tailen;	329	skb->data_len += tailen;
330	skb->truesize += tailen;	330	skb->truesize += tailen;
331	if (sk)	331	if (sk && sk_fullsock(sk))
332	refcount_add(tailen, &sk->sk_wmem_alloc);	332	refcount_add(tailen, &sk->sk_wmem_alloc);
333		333
334	goto out;	334	goto out;


diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 5afe9f83374d..239d4a65ad6e 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c
@@ -296,7 +296,7 @@ int esp6_output_head(struct xfrm_state x, struct sk_buff skb, struct esp_info
296	skb->len += tailen;	296	skb->len += tailen;
297	skb->data_len += tailen;	297	skb->data_len += tailen;
298	skb->truesize += tailen;	298	skb->truesize += tailen;
299	if (sk)	299	if (sk && sk_fullsock(sk))
300	refcount_add(tailen, &sk->sk_wmem_alloc);	300	refcount_add(tailen, &sk->sk_wmem_alloc);
301		301
302	goto out;	302	goto out;


diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c index f5b4febeaa25..bc65db782bfb 100644 --- a/net/ipv6/xfrm6_tunnel.c +++ b/net/ipv6/xfrm6_tunnel.c
@@ -344,8 +344,8 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
344	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);	344	struct xfrm6_tunnel_net *xfrm6_tn = xfrm6_tunnel_pernet(net);
345	unsigned int i;	345	unsigned int i;
346		346
347	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
348	xfrm_flush_gc();	347	xfrm_flush_gc();
		348	xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
349		349
350	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)	350	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
351	WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));	351	WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));


diff --git a/net/key/af_key.c b/net/key/af_key.c index 655c787f9d54..5651c29cb5bd 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -196,30 +196,22 @@ static int pfkey_release(struct socket *sock)
196	return 0;	196	return 0;
197	}	197	}
198		198
199	static int pfkey_broadcast_one(struct sk_buff skb, struct sk_buff *skb2,	199	static int pfkey_broadcast_one(struct sk_buff *skb, gfp_t allocation,
200	gfp_t allocation, struct sock *sk)	200	struct sock *sk)
201	{	201	{
202	int err = -ENOBUFS;	202	int err = -ENOBUFS;
203		203
204	sock_hold(sk);	204	if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf)
205	if (*skb2 == NULL) {	205	return err;
206	if (refcount_read(&skb->users) != 1) {	206
207	*skb2 = skb_clone(skb, allocation);	207	skb = skb_clone(skb, allocation);
208	} else {	208
209	*skb2 = skb;	209	if (skb) {
210	refcount_inc(&skb->users);	210	skb_set_owner_r(skb, sk);
211	}	211	skb_queue_tail(&sk->sk_receive_queue, skb);
212	}	212	sk->sk_data_ready(sk);
213	if (*skb2 != NULL) {	213	err = 0;
214	if (atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf) {
215	skb_set_owner_r(*skb2, sk);
216	skb_queue_tail(&sk->sk_receive_queue, *skb2);
217	sk->sk_data_ready(sk);
218	*skb2 = NULL;
219	err = 0;
220	}
221	}	214	}
222	sock_put(sk);
223	return err;	215	return err;
224	}	216	}
225		217
@@ -234,7 +226,6 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
234	{	226	{
235	struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);	227	struct netns_pfkey *net_pfkey = net_generic(net, pfkey_net_id);
236	struct sock *sk;	228	struct sock *sk;
237	struct sk_buff *skb2 = NULL;
238	int err = -ESRCH;	229	int err = -ESRCH;
239		230
240	/* XXX Do we need something like netlink_overrun? I think	231	/* XXX Do we need something like netlink_overrun? I think
@@ -253,7 +244,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
253	* socket.	244	* socket.
254	*/	245	*/
255	if (pfk->promisc)	246	if (pfk->promisc)
256	pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);	247	pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
257		248
258	/* the exact target will be processed later */	249	/* the exact target will be processed later */
259	if (sk == one_sk)	250	if (sk == one_sk)
@@ -268,7 +259,7 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
268	continue;	259	continue;
269	}	260	}
270		261
271	err2 = pfkey_broadcast_one(skb, &skb2, GFP_ATOMIC, sk);	262	err2 = pfkey_broadcast_one(skb, GFP_ATOMIC, sk);
272		263
273	/* Error is cleared after successful sending to at least one	264	/* Error is cleared after successful sending to at least one
274	* registered KM */	265	* registered KM */
@@ -278,9 +269,8 @@ static int pfkey_broadcast(struct sk_buff *skb, gfp_t allocation,
278	rcu_read_unlock();	269	rcu_read_unlock();
279		270
280	if (one_sk != NULL)	271	if (one_sk != NULL)
281	err = pfkey_broadcast_one(skb, &skb2, allocation, one_sk);	272	err = pfkey_broadcast_one(skb, allocation, one_sk);
282		273
283	kfree_skb(skb2);
284	kfree_skb(skb);	274	kfree_skb(skb);
285	return err;	275	return err;
286	}	276	}
@@ -1783,7 +1773,7 @@ static int pfkey_flush(struct sock sk, struct sk_buff skb, const struct sadb_m
1783	if (proto == 0)	1773	if (proto == 0)
1784	return -EINVAL;	1774	return -EINVAL;
1785		1775
1786	err = xfrm_state_flush(net, proto, true);	1776	err = xfrm_state_flush(net, proto, true, false);
1787	err2 = unicast_flush_resp(sk, hdr);	1777	err2 = unicast_flush_resp(sk, hdr);
1788	if (err \|\| err2) {	1778	if (err \|\| err2) {
1789	if (err == -ESRCH) /* empty table - go quietly */	1779	if (err == -ESRCH) /* empty table - go quietly */


diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c index 6be8c7df15bb..dbb3c1945b5c 100644 --- a/net/xfrm/xfrm_interface.c +++ b/net/xfrm/xfrm_interface.c
@@ -76,10 +76,10 @@ static struct xfrm_if xfrmi_decode_session(struct sk_buff skb)
76	int ifindex;	76	int ifindex;
77	struct xfrm_if *xi;	77	struct xfrm_if *xi;
78		78
79	if (!skb->dev)	79	if (!secpath_exists(skb) \|\| !skb->dev)
80	return NULL;	80	return NULL;
81		81
82	xfrmn = net_generic(dev_net(skb->dev), xfrmi_net_id);	82	xfrmn = net_generic(xs_net(xfrm_input_state(skb)), xfrmi_net_id);
83	ifindex = skb->dev->ifindex;	83	ifindex = skb->dev->ifindex;
84		84
85	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {	85	for_each_xfrmi_rcu(xfrmn->xfrmi[0], xi) {


diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index ba0a4048c846..8d1a898d0ba5 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -3314,8 +3314,10 @@ int __xfrm_policy_check(struct sock sk, int dir, struct sk_buff skb,
3314		3314
3315	if (ifcb) {	3315	if (ifcb) {
3316	xi = ifcb->decode_session(skb);	3316	xi = ifcb->decode_session(skb);
3317	if (xi)	3317	if (xi) {
3318	if_id = xi->p.if_id;	3318	if_id = xi->p.if_id;
		3319	net = xi->net;
		3320	}
3319	}	3321	}
3320	rcu_read_unlock();	3322	rcu_read_unlock();
3321		3323


diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 23c92891758a..1bb971f46fc6 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -432,7 +432,7 @@ void xfrm_state_free(struct xfrm_state *x)
432	}	432	}
433	EXPORT_SYMBOL(xfrm_state_free);	433	EXPORT_SYMBOL(xfrm_state_free);
434		434
435	static void xfrm_state_gc_destroy(struct xfrm_state *x)	435	static void ___xfrm_state_destroy(struct xfrm_state *x)
436	{	436	{
437	tasklet_hrtimer_cancel(&x->mtimer);	437	tasklet_hrtimer_cancel(&x->mtimer);
438	del_timer_sync(&x->rtimer);	438	del_timer_sync(&x->rtimer);
@@ -474,7 +474,7 @@ static void xfrm_state_gc_task(struct work_struct *work)
474	synchronize_rcu();	474	synchronize_rcu();
475		475
476	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)	476	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
477	xfrm_state_gc_destroy(x);	477	___xfrm_state_destroy(x);
478	}	478	}
479		479
480	static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)	480	static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
@@ -598,14 +598,19 @@ struct xfrm_state xfrm_state_alloc(struct net net)
598	}	598	}
599	EXPORT_SYMBOL(xfrm_state_alloc);	599	EXPORT_SYMBOL(xfrm_state_alloc);
600		600
601	void __xfrm_state_destroy(struct xfrm_state *x)	601	void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
602	{	602	{
603	WARN_ON(x->km.state != XFRM_STATE_DEAD);	603	WARN_ON(x->km.state != XFRM_STATE_DEAD);
604		604
605	spin_lock_bh(&xfrm_state_gc_lock);	605	if (sync) {
606	hlist_add_head(&x->gclist, &xfrm_state_gc_list);	606	synchronize_rcu();
607	spin_unlock_bh(&xfrm_state_gc_lock);	607	___xfrm_state_destroy(x);
608	schedule_work(&xfrm_state_gc_work);	608	} else {
		609	spin_lock_bh(&xfrm_state_gc_lock);
		610	hlist_add_head(&x->gclist, &xfrm_state_gc_list);
		611	spin_unlock_bh(&xfrm_state_gc_lock);
		612	schedule_work(&xfrm_state_gc_work);
		613	}
609	}	614	}
610	EXPORT_SYMBOL(__xfrm_state_destroy);	615	EXPORT_SYMBOL(__xfrm_state_destroy);
611		616
@@ -708,7 +713,7 @@ xfrm_dev_state_flush_secctx_check(struct net net, struct net_device dev, bool
708	}	713	}
709	#endif	714	#endif
710		715
711	int xfrm_state_flush(struct net *net, u8 proto, bool task_valid)	716	int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
712	{	717	{
713	int i, err = 0, cnt = 0;	718	int i, err = 0, cnt = 0;
714		719
@@ -730,7 +735,10 @@ restart:
730	err = xfrm_state_delete(x);	735	err = xfrm_state_delete(x);
731	xfrm_audit_state_delete(x, err ? 0 : 1,	736	xfrm_audit_state_delete(x, err ? 0 : 1,
732	task_valid);	737	task_valid);
733	xfrm_state_put(x);	738	if (sync)
		739	xfrm_state_put_sync(x);
		740	else
		741	xfrm_state_put(x);
734	if (!err)	742	if (!err)
735	cnt++;	743	cnt++;
736		744
@@ -2215,7 +2223,7 @@ void xfrm_state_delete_tunnel(struct xfrm_state *x)
2215	if (atomic_read(&t->tunnel_users) == 2)	2223	if (atomic_read(&t->tunnel_users) == 2)
2216	xfrm_state_delete(t);	2224	xfrm_state_delete(t);
2217	atomic_dec(&t->tunnel_users);	2225	atomic_dec(&t->tunnel_users);
2218	xfrm_state_put(t);	2226	xfrm_state_put_sync(t);
2219	x->tunnel = NULL;	2227	x->tunnel = NULL;
2220	}	2228	}
2221	}	2229	}
@@ -2375,8 +2383,8 @@ void xfrm_state_fini(struct net *net)
2375	unsigned int sz;	2383	unsigned int sz;
2376		2384
2377	flush_work(&net->xfrm.state_hash_work);	2385	flush_work(&net->xfrm.state_hash_work);
2378	xfrm_state_flush(net, IPSEC_PROTO_ANY, false);
2379	flush_work(&xfrm_state_gc_work);	2386	flush_work(&xfrm_state_gc_work);
		2387	xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
2380		2388
2381	WARN_ON(!list_empty(&net->xfrm.state_all));	2389	WARN_ON(!list_empty(&net->xfrm.state_all));
2382		2390


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c6d26afcf89d..a131f9ff979e 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -1932,7 +1932,7 @@ static int xfrm_flush_sa(struct sk_buff skb, struct nlmsghdr nlh,
1932	struct xfrm_usersa_flush *p = nlmsg_data(nlh);	1932	struct xfrm_usersa_flush *p = nlmsg_data(nlh);
1933	int err;	1933	int err;
1934		1934
1935	err = xfrm_state_flush(net, p->proto, true);	1935	err = xfrm_state_flush(net, p->proto, true, false);
1936	if (err) {	1936	if (err) {
1937	if (err == -ESRCH) /* empty table */	1937	if (err == -ESRCH) /* empty table */
1938	return 0;	1938	return 0;