Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

Steffen Klassert says: ==================== 1) We used the wrong netlink attribute to verify the lenght of the replay window on async events. Fix this by using the right netlink attribute. 2) Policy lookups can not match the output interface on forwarding. Add the needed informations to the flow informations. 3) We update the pmtu when we receive a ICMPV6_DEST_UNREACH message on IPsec with ipv6. This is wrong and leads to strange fragmented packets, only ICMPV6_PKT_TOOBIG messages should update the pmtu. Fix this by removing the ICMPV6_DEST_UNREACH check from the IPsec protocol error handlers. 4) The legacy IPsec anti replay mechanism supports anti replay windows up to 32 packets. If a user requests for a bigger anti replay window, we use 32 packets but pretend that we use the requested window size. Fix from Fan Du. 5) If asynchronous events are enabled and replay_maxdiff is set to zero, we generate an async event for every received packet instead of checking whether a timeout occurred. Fix from Thomas Egerer. 6) Policies need a refcount when the state resolution timer is armed. Otherwise the timer can fire after the policy is deleted. 7) We might dreference a NULL pointer if the hold_queue is empty, add a check to avoid this. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2013-10-09 13:41:45 -0400
committer: David S. Miller <davem@davemloft.net> 2013-10-09 13:41:45 -0400
commit: f606385068afe00683f080555f5d0fa9fb8e1f37 (patch)
tree: 3334accd9ac56ad2fed5881e5500c40a820d7911 /net
parent: cb03db9d0e964568407fb08ea46cc2b6b7f67587 (diff)
parent: 2bb53e2557964c2c5368a0392cf3b3b63a288cd0 (diff)
9 files changed, 59 insertions, 42 deletions
diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
index 9a459be24af7..ccde54248c8c 100644
--- a/net/ipv4/xfrm4_policy.c
+++ b/net/ipv4/xfrm4_policy.c
@@ -107,6 +107,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
        memset(fl4, 0, sizeof(struct flowi4));
        fl4->flowi4_mark = skb->mark;
+        fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;
        if (!ip_is_fragment(iph)) {
                switch (iph->protocol) {
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c
index 73784c3d4642..82e1da3a40b9 100644
--- a/net/ipv6/ah6.c
+++ b/net/ipv6/ah6.c
@@ -618,8 +618,7 @@ static void ah6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        struct ip_auth_hdr *ah = (struct ip_auth_hdr*)(skb->data+offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index d3618a78fcac..e67e63f9858d 100644
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -436,8 +436,7 @@ static void esp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
        struct ip_esp_hdr *esph = (struct ip_esp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c
index 5636a912074a..ce507d9e1c90 100644
--- a/net/ipv6/ipcomp6.c
+++ b/net/ipv6/ipcomp6.c
@@ -64,8 +64,7 @@ static void ipcomp6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
                (struct ip_comp_hdr *)(skb->data + offset);
        struct xfrm_state *x;
-        if (type != ICMPV6_DEST_UNREACH &&
+        if (type != ICMPV6_PKT_TOOBIG &&
-            type != ICMPV6_PKT_TOOBIG &&
            type != NDISC_REDIRECT)
                return;
diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index 23ed03d786c8..08ed2772b7aa 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -138,6 +138,7 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
        memset(fl6, 0, sizeof(struct flowi6));
        fl6->flowi6_mark = skb->mark;
+        fl6->flowi6_oif = skb_dst(skb)->dev->ifindex;
        fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
        fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 9d585370c5b4..911ef03bf8fb 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1098,7 +1098,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
        x->id.proto = proto;
        x->id.spi = sa->sadb_sa_spi;
-        x->props.replay_window = sa->sadb_sa_replay;
+        x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
+                                        (sizeof(x->replay.bitmap) * 8));
        if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
                x->props.flags |= XFRM_STATE_NOECN;
        if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ed38d5d81f9e..76e1873811d4 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -334,7 +334,8 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
        atomic_inc(&policy->genid);
-        del_timer(&policy->polq.hold_timer);
+        if (del_timer(&policy->polq.hold_timer))
+                xfrm_pol_put(policy);
        xfrm_queue_purge(&policy->polq.hold_queue);
        if (del_timer(&policy->timer))
@@ -589,7 +590,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
        spin_lock_bh(&pq->hold_queue.lock);
        skb_queue_splice_init(&pq->hold_queue, &list);
-        del_timer(&pq->hold_timer);
+        if (del_timer(&pq->hold_timer))
+                xfrm_pol_put(old);
        spin_unlock_bh(&pq->hold_queue.lock);
        if (skb_queue_empty(&list))
@@ -600,7 +602,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
        spin_lock_bh(&pq->hold_queue.lock);
        skb_queue_splice(&list, &pq->hold_queue);
        pq->timeout = XFRM_QUEUE_TMO_MIN;
-        mod_timer(&pq->hold_timer, jiffies);
+        if (!mod_timer(&pq->hold_timer, jiffies))
+                xfrm_pol_hold(new);
        spin_unlock_bh(&pq->hold_queue.lock);
 }
@@ -1769,6 +1772,10 @@ static void xfrm_policy_queue_process(unsigned long arg)
        spin_lock(&pq->hold_queue.lock);
        skb = skb_peek(&pq->hold_queue);
+        if (!skb) {
+                spin_unlock(&pq->hold_queue.lock);
+                goto out;
+        }
        dst = skb_dst(skb);
        sk = skb->sk;
        xfrm_decode_session(skb, &fl, dst->ops->family);
@@ -1787,8 +1794,9 @@ static void xfrm_policy_queue_process(unsigned long arg)
                        goto purge_queue;
                pq->timeout = pq->timeout << 1;
-                mod_timer(&pq->hold_timer, jiffies + pq->timeout);
+                if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
-                return;
+                        xfrm_pol_hold(pol);
+        goto out;
        }
        dst_release(dst);
@@ -1819,11 +1827,14 @@ static void xfrm_policy_queue_process(unsigned long arg)
                err = dst_output(skb);
        }
+out:
+        xfrm_pol_put(pol);
        return;
 purge_queue:
        pq->timeout = 0;
        xfrm_queue_purge(&pq->hold_queue);
+        xfrm_pol_put(pol);
 }
 static int xdst_queue_output(struct sk_buff *skb)
@@ -1831,7 +1842,8 @@ static int xdst_queue_output(struct sk_buff *skb)
        unsigned long sched_next;
        struct dst_entry *dst = skb_dst(skb);
        struct xfrm_dst *xdst = (struct xfrm_dst *) dst;
-        struct xfrm_policy_queue *pq = &xdst->pols[0]->polq;
+        struct xfrm_policy *pol = xdst->pols[0];
+        struct xfrm_policy_queue *pq = &pol->polq;
        if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
                kfree_skb(skb);
@@ -1850,10 +1862,12 @@ static int xdst_queue_output(struct sk_buff *skb)
        if (del_timer(&pq->hold_timer)) {
                if (time_before(pq->hold_timer.expires, sched_next))
                        sched_next = pq->hold_timer.expires;
+                xfrm_pol_put(pol);
        }
        __skb_queue_tail(&pq->hold_queue, skb);
-        mod_timer(&pq->hold_timer, sched_next);
+        if (!mod_timer(&pq->hold_timer, sched_next))
+                xfrm_pol_hold(pol);
        spin_unlock_bh(&pq->hold_queue.lock);
diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c
index 8dafe6d3c6e4..dab57daae408 100644
--- a/net/xfrm/xfrm_replay.c
+++ b/net/xfrm/xfrm_replay.c
@@ -61,9 +61,9 @@ static void xfrm_replay_notify(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
+                if (!x->replay_maxdiff ||
-                    (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
+                    ((x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
-                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
+                    (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))) {
                        if (x->xflags & XFRM_TIME_DEFER)
                                event = XFRM_REPLAY_TIMEOUT;
                        else
@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x,
                return 0;
        diff = x->replay.seq - seq;
-        if (diff >= min_t(unsigned int, x->props.replay_window,
+        if (diff >= x->props.replay_window) {
-                          sizeof(x->replay.bitmap) * 8)) {
                x->stats.replay_window++;
                goto err;
        }
@@ -302,9 +301,10 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (x->replay_maxdiff &&
+                if (!x->replay_maxdiff ||
-                    (replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
+                    ((replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
-                    (replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {
+                    (replay_esn->oseq - preplay_esn->oseq
+                     < x->replay_maxdiff))) {
                        if (x->xflags & XFRM_TIME_DEFER)
                                event = XFRM_REPLAY_TIMEOUT;
                        else
@@ -353,28 +353,30 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
        switch (event) {
        case XFRM_REPLAY_UPDATE:
-                if (!x->replay_maxdiff)
+                if (x->replay_maxdiff) {
-                        break;
+                        if (replay_esn->seq_hi == preplay_esn->seq_hi)
+                                seq_diff = replay_esn->seq - preplay_esn->seq;
-                if (replay_esn->seq_hi == preplay_esn->seq_hi)
+                        else
-                        seq_diff = replay_esn->seq - preplay_esn->seq;
+                                seq_diff = ~preplay_esn->seq + replay_esn->seq
-                else
+                                           + 1;
-                        seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
-                if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
-                        oseq_diff = replay_esn->oseq - preplay_esn->oseq;
-                else
-                        oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
-                if (seq_diff < x->replay_maxdiff &&
-                    oseq_diff < x->replay_maxdiff) {
-                        if (x->xflags & XFRM_TIME_DEFER)
+                        if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
-                                event = XFRM_REPLAY_TIMEOUT;
+                                oseq_diff = replay_esn->oseq
+                                            - preplay_esn->oseq;
                        else
-                                return;
+                                oseq_diff = ~preplay_esn->oseq
+                                            + replay_esn->oseq + 1;
+                        if (seq_diff >= x->replay_maxdiff ||
+                            oseq_diff >= x->replay_maxdiff)
+                                break;
                }
+                if (x->xflags & XFRM_TIME_DEFER)
+                        event = XFRM_REPLAY_TIMEOUT;
+                else
+                        return;
                break;
        case XFRM_REPLAY_TIMEOUT:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 3f565e495ac6..f964d4c00ffb 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state *x, struct xfrm_usersa_info *
        memcpy(&x->sel, &p->sel, sizeof(x->sel));
        memcpy(&x->lft, &p->lft, sizeof(x->lft));
        x->props.mode = p->mode;
-        x->props.replay_window = p->replay_window;
+        x->props.replay_window = min_t(unsigned int, p->replay_window,
+                                        sizeof(x->replay.bitmap) * 8);
        x->props.reqid = p->reqid;
        x->props.family = p->family;
        memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
@@ -1856,7 +1857,7 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
        if (x->km.state != XFRM_STATE_VALID)
                goto out;
-        err = xfrm_replay_verify_len(x->replay_esn, rp);
+        err = xfrm_replay_verify_len(x->replay_esn, re);
        if (err)
                goto out;
author	David S. Miller <davem@davemloft.net>	2013-10-09 13:41:45 -0400
committer	David S. Miller <davem@davemloft.net>	2013-10-09 13:41:45 -0400
commit	f606385068afe00683f080555f5d0fa9fb8e1f37 (patch)
tree	3334accd9ac56ad2fed5881e5500c40a820d7911 /net
parent	cb03db9d0e964568407fb08ea46cc2b6b7f67587 (diff)
parent	2bb53e2557964c2c5368a0392cf3b3b63a288cd0 (diff)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 9a459be24af7..ccde54248c8c 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c
@@ -107,6 +107,7 @@ _decode_session4(struct sk_buff skb, struct flowi fl, int reverse)
107		107
108	memset(fl4, 0, sizeof(struct flowi4));	108	memset(fl4, 0, sizeof(struct flowi4));
109	fl4->flowi4_mark = skb->mark;	109	fl4->flowi4_mark = skb->mark;
		110	fl4->flowi4_oif = skb_dst(skb)->dev->ifindex;
110		111
111	if (!ip_is_fragment(iph)) {	112	if (!ip_is_fragment(iph)) {
112	switch (iph->protocol) {	113	switch (iph->protocol) {


diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index 73784c3d4642..82e1da3a40b9 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c
@@ -618,8 +618,7 @@ static void ah6_err(struct sk_buff skb, struct inet6_skb_parm opt,
618	struct ip_auth_hdr ah = (struct ip_auth_hdr)(skb->data+offset);	618	struct ip_auth_hdr ah = (struct ip_auth_hdr)(skb->data+offset);
619	struct xfrm_state *x;	619	struct xfrm_state *x;
620		620
621	if (type != ICMPV6_DEST_UNREACH &&	621	if (type != ICMPV6_PKT_TOOBIG &&
622	type != ICMPV6_PKT_TOOBIG &&
623	type != NDISC_REDIRECT)	622	type != NDISC_REDIRECT)
624	return;	623	return;
625		624


diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index d3618a78fcac..e67e63f9858d 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c
@@ -436,8 +436,7 @@ static void esp6_err(struct sk_buff skb, struct inet6_skb_parm opt,
436	struct ip_esp_hdr esph = (struct ip_esp_hdr )(skb->data + offset);	436	struct ip_esp_hdr esph = (struct ip_esp_hdr )(skb->data + offset);
437	struct xfrm_state *x;	437	struct xfrm_state *x;
438		438
439	if (type != ICMPV6_DEST_UNREACH &&	439	if (type != ICMPV6_PKT_TOOBIG &&
440	type != ICMPV6_PKT_TOOBIG &&
441	type != NDISC_REDIRECT)	440	type != NDISC_REDIRECT)
442	return;	441	return;
443		442


diff --git a/net/ipv6/ipcomp6.c b/net/ipv6/ipcomp6.c index 5636a912074a..ce507d9e1c90 100644 --- a/net/ipv6/ipcomp6.c +++ b/net/ipv6/ipcomp6.c
@@ -64,8 +64,7 @@ static void ipcomp6_err(struct sk_buff skb, struct inet6_skb_parm opt,
64	(struct ip_comp_hdr *)(skb->data + offset);	64	(struct ip_comp_hdr *)(skb->data + offset);
65	struct xfrm_state *x;	65	struct xfrm_state *x;
66		66
67	if (type != ICMPV6_DEST_UNREACH &&	67	if (type != ICMPV6_PKT_TOOBIG &&
68	type != ICMPV6_PKT_TOOBIG &&
69	type != NDISC_REDIRECT)	68	type != NDISC_REDIRECT)
70	return;	69	return;
71		70


diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c index 23ed03d786c8..08ed2772b7aa 100644 --- a/net/ipv6/xfrm6_policy.c +++ b/net/ipv6/xfrm6_policy.c
@@ -138,6 +138,7 @@ _decode_session6(struct sk_buff skb, struct flowi fl, int reverse)
138		138
139	memset(fl6, 0, sizeof(struct flowi6));	139	memset(fl6, 0, sizeof(struct flowi6));
140	fl6->flowi6_mark = skb->mark;	140	fl6->flowi6_mark = skb->mark;
		141	fl6->flowi6_oif = skb_dst(skb)->dev->ifindex;
141		142
142	fl6->daddr = reverse ? hdr->saddr : hdr->daddr;	143	fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
143	fl6->saddr = reverse ? hdr->daddr : hdr->saddr;	144	fl6->saddr = reverse ? hdr->daddr : hdr->saddr;


diff --git a/net/key/af_key.c b/net/key/af_key.c index 9d585370c5b4..911ef03bf8fb 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -1098,7 +1098,8 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
1098		1098
1099	x->id.proto = proto;	1099	x->id.proto = proto;
1100	x->id.spi = sa->sadb_sa_spi;	1100	x->id.spi = sa->sadb_sa_spi;
1101	x->props.replay_window = sa->sadb_sa_replay;	1101	x->props.replay_window = min_t(unsigned int, sa->sadb_sa_replay,
		1102	(sizeof(x->replay.bitmap) * 8));
1102	if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)	1103	if (sa->sadb_sa_flags & SADB_SAFLAGS_NOECN)
1103	x->props.flags \|= XFRM_STATE_NOECN;	1104	x->props.flags \|= XFRM_STATE_NOECN;
1104	if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)	1105	if (sa->sadb_sa_flags & SADB_SAFLAGS_DECAP_DSCP)


diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index ed38d5d81f9e..76e1873811d4 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -334,7 +334,8 @@ static void xfrm_policy_kill(struct xfrm_policy *policy)
334		334
335	atomic_inc(&policy->genid);	335	atomic_inc(&policy->genid);
336		336
337	del_timer(&policy->polq.hold_timer);	337	if (del_timer(&policy->polq.hold_timer))
		338	xfrm_pol_put(policy);
338	xfrm_queue_purge(&policy->polq.hold_queue);	339	xfrm_queue_purge(&policy->polq.hold_queue);
339		340
340	if (del_timer(&policy->timer))	341	if (del_timer(&policy->timer))
@@ -589,7 +590,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
589		590
590	spin_lock_bh(&pq->hold_queue.lock);	591	spin_lock_bh(&pq->hold_queue.lock);
591	skb_queue_splice_init(&pq->hold_queue, &list);	592	skb_queue_splice_init(&pq->hold_queue, &list);
592	del_timer(&pq->hold_timer);	593	if (del_timer(&pq->hold_timer))
		594	xfrm_pol_put(old);
593	spin_unlock_bh(&pq->hold_queue.lock);	595	spin_unlock_bh(&pq->hold_queue.lock);
594		596
595	if (skb_queue_empty(&list))	597	if (skb_queue_empty(&list))
@@ -600,7 +602,8 @@ static void xfrm_policy_requeue(struct xfrm_policy *old,
600	spin_lock_bh(&pq->hold_queue.lock);	602	spin_lock_bh(&pq->hold_queue.lock);
601	skb_queue_splice(&list, &pq->hold_queue);	603	skb_queue_splice(&list, &pq->hold_queue);
602	pq->timeout = XFRM_QUEUE_TMO_MIN;	604	pq->timeout = XFRM_QUEUE_TMO_MIN;
603	mod_timer(&pq->hold_timer, jiffies);	605	if (!mod_timer(&pq->hold_timer, jiffies))
		606	xfrm_pol_hold(new);
604	spin_unlock_bh(&pq->hold_queue.lock);	607	spin_unlock_bh(&pq->hold_queue.lock);
605	}	608	}
606		609
@@ -1769,6 +1772,10 @@ static void xfrm_policy_queue_process(unsigned long arg)
1769		1772
1770	spin_lock(&pq->hold_queue.lock);	1773	spin_lock(&pq->hold_queue.lock);
1771	skb = skb_peek(&pq->hold_queue);	1774	skb = skb_peek(&pq->hold_queue);
		1775	if (!skb) {
		1776	spin_unlock(&pq->hold_queue.lock);
		1777	goto out;
		1778	}
1772	dst = skb_dst(skb);	1779	dst = skb_dst(skb);
1773	sk = skb->sk;	1780	sk = skb->sk;
1774	xfrm_decode_session(skb, &fl, dst->ops->family);	1781	xfrm_decode_session(skb, &fl, dst->ops->family);
@@ -1787,8 +1794,9 @@ static void xfrm_policy_queue_process(unsigned long arg)
1787	goto purge_queue;	1794	goto purge_queue;
1788		1795
1789	pq->timeout = pq->timeout << 1;	1796	pq->timeout = pq->timeout << 1;
1790	mod_timer(&pq->hold_timer, jiffies + pq->timeout);	1797	if (!mod_timer(&pq->hold_timer, jiffies + pq->timeout))
1791	return;	1798	xfrm_pol_hold(pol);
		1799	goto out;
1792	}	1800	}
1793		1801
1794	dst_release(dst);	1802	dst_release(dst);
@@ -1819,11 +1827,14 @@ static void xfrm_policy_queue_process(unsigned long arg)
1819	err = dst_output(skb);	1827	err = dst_output(skb);
1820	}	1828	}
1821		1829
		1830	out:
		1831	xfrm_pol_put(pol);
1822	return;	1832	return;
1823		1833
1824	purge_queue:	1834	purge_queue:
1825	pq->timeout = 0;	1835	pq->timeout = 0;
1826	xfrm_queue_purge(&pq->hold_queue);	1836	xfrm_queue_purge(&pq->hold_queue);
		1837	xfrm_pol_put(pol);
1827	}	1838	}
1828		1839
1829	static int xdst_queue_output(struct sk_buff *skb)	1840	static int xdst_queue_output(struct sk_buff *skb)
@@ -1831,7 +1842,8 @@ static int xdst_queue_output(struct sk_buff *skb)
1831	unsigned long sched_next;	1842	unsigned long sched_next;
1832	struct dst_entry *dst = skb_dst(skb);	1843	struct dst_entry *dst = skb_dst(skb);
1833	struct xfrm_dst xdst = (struct xfrm_dst ) dst;	1844	struct xfrm_dst xdst = (struct xfrm_dst ) dst;
1834	struct xfrm_policy_queue *pq = &xdst->pols[0]->polq;	1845	struct xfrm_policy *pol = xdst->pols[0];
		1846	struct xfrm_policy_queue *pq = &pol->polq;
1835		1847
1836	if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {	1848	if (pq->hold_queue.qlen > XFRM_MAX_QUEUE_LEN) {
1837	kfree_skb(skb);	1849	kfree_skb(skb);
@@ -1850,10 +1862,12 @@ static int xdst_queue_output(struct sk_buff *skb)
1850	if (del_timer(&pq->hold_timer)) {	1862	if (del_timer(&pq->hold_timer)) {
1851	if (time_before(pq->hold_timer.expires, sched_next))	1863	if (time_before(pq->hold_timer.expires, sched_next))
1852	sched_next = pq->hold_timer.expires;	1864	sched_next = pq->hold_timer.expires;
		1865	xfrm_pol_put(pol);
1853	}	1866	}
1854		1867
1855	__skb_queue_tail(&pq->hold_queue, skb);	1868	__skb_queue_tail(&pq->hold_queue, skb);
1856	mod_timer(&pq->hold_timer, sched_next);	1869	if (!mod_timer(&pq->hold_timer, sched_next))
		1870	xfrm_pol_hold(pol);
1857		1871
1858	spin_unlock_bh(&pq->hold_queue.lock);	1872	spin_unlock_bh(&pq->hold_queue.lock);
1859		1873


diff --git a/net/xfrm/xfrm_replay.c b/net/xfrm/xfrm_replay.c index 8dafe6d3c6e4..dab57daae408 100644 --- a/net/xfrm/xfrm_replay.c +++ b/net/xfrm/xfrm_replay.c
@@ -61,9 +61,9 @@ static void xfrm_replay_notify(struct xfrm_state *x, int event)
61		61
62	switch (event) {	62	switch (event) {
63	case XFRM_REPLAY_UPDATE:	63	case XFRM_REPLAY_UPDATE:
64	if (x->replay_maxdiff &&	64	if (!x->replay_maxdiff \|\|
65	(x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&	65	((x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
66	(x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {	66	(x->replay.oseq - x->preplay.oseq < x->replay_maxdiff))) {
67	if (x->xflags & XFRM_TIME_DEFER)	67	if (x->xflags & XFRM_TIME_DEFER)
68	event = XFRM_REPLAY_TIMEOUT;	68	event = XFRM_REPLAY_TIMEOUT;
69	else	69	else
@@ -129,8 +129,7 @@ static int xfrm_replay_check(struct xfrm_state *x,
129	return 0;	129	return 0;
130		130
131	diff = x->replay.seq - seq;	131	diff = x->replay.seq - seq;
132	if (diff >= min_t(unsigned int, x->props.replay_window,	132	if (diff >= x->props.replay_window) {
133	sizeof(x->replay.bitmap) * 8)) {
134	x->stats.replay_window++;	133	x->stats.replay_window++;
135	goto err;	134	goto err;
136	}	135	}
@@ -302,9 +301,10 @@ static void xfrm_replay_notify_bmp(struct xfrm_state *x, int event)
302		301
303	switch (event) {	302	switch (event) {
304	case XFRM_REPLAY_UPDATE:	303	case XFRM_REPLAY_UPDATE:
305	if (x->replay_maxdiff &&	304	if (!x->replay_maxdiff \|\|
306	(replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&	305	((replay_esn->seq - preplay_esn->seq < x->replay_maxdiff) &&
307	(replay_esn->oseq - preplay_esn->oseq < x->replay_maxdiff)) {	306	(replay_esn->oseq - preplay_esn->oseq
		307	< x->replay_maxdiff))) {
308	if (x->xflags & XFRM_TIME_DEFER)	308	if (x->xflags & XFRM_TIME_DEFER)
309	event = XFRM_REPLAY_TIMEOUT;	309	event = XFRM_REPLAY_TIMEOUT;
310	else	310	else
@@ -353,28 +353,30 @@ static void xfrm_replay_notify_esn(struct xfrm_state *x, int event)
353		353
354	switch (event) {	354	switch (event) {
355	case XFRM_REPLAY_UPDATE:	355	case XFRM_REPLAY_UPDATE:
356	if (!x->replay_maxdiff)	356	if (x->replay_maxdiff) {
357	break;	357	if (replay_esn->seq_hi == preplay_esn->seq_hi)
358		358	seq_diff = replay_esn->seq - preplay_esn->seq;
359	if (replay_esn->seq_hi == preplay_esn->seq_hi)	359	else
360	seq_diff = replay_esn->seq - preplay_esn->seq;	360	seq_diff = ~preplay_esn->seq + replay_esn->seq
361	else	361	+ 1;
362	seq_diff = ~preplay_esn->seq + replay_esn->seq + 1;
363
364	if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
365	oseq_diff = replay_esn->oseq - preplay_esn->oseq;
366	else
367	oseq_diff = ~preplay_esn->oseq + replay_esn->oseq + 1;
368
369	if (seq_diff < x->replay_maxdiff &&
370	oseq_diff < x->replay_maxdiff) {
371		362
372	if (x->xflags & XFRM_TIME_DEFER)	363	if (replay_esn->oseq_hi == preplay_esn->oseq_hi)
373	event = XFRM_REPLAY_TIMEOUT;	364	oseq_diff = replay_esn->oseq
		365	- preplay_esn->oseq;
374	else	366	else
375	return;	367	oseq_diff = ~preplay_esn->oseq
		368	+ replay_esn->oseq + 1;
		369
		370	if (seq_diff >= x->replay_maxdiff \|\|
		371	oseq_diff >= x->replay_maxdiff)
		372	break;
376	}	373	}
377		374
		375	if (x->xflags & XFRM_TIME_DEFER)
		376	event = XFRM_REPLAY_TIMEOUT;
		377	else
		378	return;
		379
378	break;	380	break;
379		381
380	case XFRM_REPLAY_TIMEOUT:	382	case XFRM_REPLAY_TIMEOUT:


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 3f565e495ac6..f964d4c00ffb 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -446,7 +446,8 @@ static void copy_from_user_state(struct xfrm_state x, struct xfrm_usersa_info
446	memcpy(&x->sel, &p->sel, sizeof(x->sel));	446	memcpy(&x->sel, &p->sel, sizeof(x->sel));
447	memcpy(&x->lft, &p->lft, sizeof(x->lft));	447	memcpy(&x->lft, &p->lft, sizeof(x->lft));
448	x->props.mode = p->mode;	448	x->props.mode = p->mode;
449	x->props.replay_window = p->replay_window;	449	x->props.replay_window = min_t(unsigned int, p->replay_window,
		450	sizeof(x->replay.bitmap) * 8);
450	x->props.reqid = p->reqid;	451	x->props.reqid = p->reqid;
451	x->props.family = p->family;	452	x->props.family = p->family;
452	memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));	453	memcpy(&x->props.saddr, &p->saddr, sizeof(x->props.saddr));
@@ -1856,7 +1857,7 @@ static int xfrm_new_ae(struct sk_buff skb, struct nlmsghdr nlh,
1856	if (x->km.state != XFRM_STATE_VALID)	1857	if (x->km.state != XFRM_STATE_VALID)
1857	goto out;	1858	goto out;
1858		1859
1859	err = xfrm_replay_verify_len(x->replay_esn, rp);	1860	err = xfrm_replay_verify_len(x->replay_esn, re);
1860	if (err)	1861	if (err)
1861	goto out;	1862	goto out;
1862		1863