diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-11-14 00:45:58 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:53:52 -0500 |
| commit | 0ebea8ef3559b545c37b016f44e84c3b33e47c39 (patch) | |
| tree | 7a47787c1b830084ac2d36371490b9e2574e2472 | |
| parent | 668dc8af3150f837f7f0461001bbbc0ce25d7bdf (diff) | |
[IPSEC]: Move state lock into x->type->input
This patch releases the lock on the state before calling
x->type->input. It also adds the lock to the spots where they're
currently needed.
Most of those places (all except mip6) are expected to disappear with
async crypto.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/ipv4/ah4.c | 14 | ||||
| -rw-r--r-- | net/ipv4/esp4.c | 24 | ||||
| -rw-r--r-- | net/ipv6/ah6.c | 9 | ||||
| -rw-r--r-- | net/ipv6/esp6.c | 37 | ||||
| -rw-r--r-- | net/ipv6/mip6.c | 14 | ||||
| -rw-r--r-- | net/xfrm/xfrm_input.c | 4 |
6 files changed, 69 insertions, 33 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index a989d29b44ea..d76803a3dcae 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c | |||
| @@ -169,6 +169,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 169 | if (ip_clear_mutable_options(iph, &dummy)) | 169 | if (ip_clear_mutable_options(iph, &dummy)) |
| 170 | goto out; | 170 | goto out; |
| 171 | } | 171 | } |
| 172 | |||
| 173 | spin_lock(&x->lock); | ||
| 172 | { | 174 | { |
| 173 | u8 auth_data[MAX_AH_AUTH_LEN]; | 175 | u8 auth_data[MAX_AH_AUTH_LEN]; |
| 174 | 176 | ||
| @@ -176,12 +178,16 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 176 | skb_push(skb, ihl); | 178 | skb_push(skb, ihl); |
| 177 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 179 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 178 | if (err) | 180 | if (err) |
| 179 | goto out; | 181 | goto unlock; |
| 180 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { | 182 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) |
| 181 | err = -EBADMSG; | 183 | err = -EBADMSG; |
| 182 | goto out; | ||
| 183 | } | ||
| 184 | } | 184 | } |
| 185 | unlock: | ||
| 186 | spin_unlock(&x->lock); | ||
| 187 | |||
| 188 | if (err) | ||
| 189 | goto out; | ||
| 190 | |||
| 185 | skb->network_header += ah_hlen; | 191 | skb->network_header += ah_hlen; |
| 186 | memcpy(skb_network_header(skb), work_buf, ihl); | 192 | memcpy(skb_network_header(skb), work_buf, ihl); |
| 187 | skb->transport_header = skb->network_header; | 193 | skb->transport_header = skb->network_header; |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index 3350a7d50669..28ea5c77ca23 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
| @@ -171,29 +171,31 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 171 | if (elen <= 0 || (elen & (blksize-1))) | 171 | if (elen <= 0 || (elen & (blksize-1))) |
| 172 | goto out; | 172 | goto out; |
| 173 | 173 | ||
| 174 | if ((err = skb_cow_data(skb, 0, &trailer)) < 0) | ||
| 175 | goto out; | ||
| 176 | nfrags = err; | ||
| 177 | |||
| 178 | skb->ip_summed = CHECKSUM_NONE; | ||
| 179 | |||
| 180 | spin_lock(&x->lock); | ||
| 181 | |||
| 174 | /* If integrity check is required, do this. */ | 182 | /* If integrity check is required, do this. */ |
| 175 | if (esp->auth.icv_full_len) { | 183 | if (esp->auth.icv_full_len) { |
| 176 | u8 sum[alen]; | 184 | u8 sum[alen]; |
| 177 | 185 | ||
| 178 | err = esp_mac_digest(esp, skb, 0, skb->len - alen); | 186 | err = esp_mac_digest(esp, skb, 0, skb->len - alen); |
| 179 | if (err) | 187 | if (err) |
| 180 | goto out; | 188 | goto unlock; |
| 181 | 189 | ||
| 182 | if (skb_copy_bits(skb, skb->len - alen, sum, alen)) | 190 | if (skb_copy_bits(skb, skb->len - alen, sum, alen)) |
| 183 | BUG(); | 191 | BUG(); |
| 184 | 192 | ||
| 185 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { | 193 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { |
| 186 | err = -EBADMSG; | 194 | err = -EBADMSG; |
| 187 | goto out; | 195 | goto unlock; |
| 188 | } | 196 | } |
| 189 | } | 197 | } |
| 190 | 198 | ||
| 191 | if ((err = skb_cow_data(skb, 0, &trailer)) < 0) | ||
| 192 | goto out; | ||
| 193 | nfrags = err; | ||
| 194 | |||
| 195 | skb->ip_summed = CHECKSUM_NONE; | ||
| 196 | |||
| 197 | esph = (struct ip_esp_hdr *)skb->data; | 199 | esph = (struct ip_esp_hdr *)skb->data; |
| 198 | 200 | ||
| 199 | /* Get ivec. This can be wrong, check against another impls. */ | 201 | /* Get ivec. This can be wrong, check against another impls. */ |
| @@ -206,7 +208,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 206 | err = -ENOMEM; | 208 | err = -ENOMEM; |
| 207 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); | 209 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); |
| 208 | if (!sg) | 210 | if (!sg) |
| 209 | goto out; | 211 | goto unlock; |
| 210 | } | 212 | } |
| 211 | sg_init_table(sg, nfrags); | 213 | sg_init_table(sg, nfrags); |
| 212 | skb_to_sgvec(skb, sg, | 214 | skb_to_sgvec(skb, sg, |
| @@ -215,6 +217,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 215 | err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); | 217 | err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); |
| 216 | if (unlikely(sg != &esp->sgbuf[0])) | 218 | if (unlikely(sg != &esp->sgbuf[0])) |
| 217 | kfree(sg); | 219 | kfree(sg); |
| 220 | |||
| 221 | unlock: | ||
| 222 | spin_unlock(&x->lock); | ||
| 223 | |||
| 218 | if (unlikely(err)) | 224 | if (unlikely(err)) |
| 219 | goto out; | 225 | goto out; |
| 220 | 226 | ||
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index d4b59ecb0b57..1b51d1eedbde 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c | |||
| @@ -370,6 +370,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 370 | ip6h->flow_lbl[2] = 0; | 370 | ip6h->flow_lbl[2] = 0; |
| 371 | ip6h->hop_limit = 0; | 371 | ip6h->hop_limit = 0; |
| 372 | 372 | ||
| 373 | spin_lock(&x->lock); | ||
| 373 | { | 374 | { |
| 374 | u8 auth_data[MAX_AH_AUTH_LEN]; | 375 | u8 auth_data[MAX_AH_AUTH_LEN]; |
| 375 | 376 | ||
| @@ -378,13 +379,17 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 378 | skb_push(skb, hdr_len); | 379 | skb_push(skb, hdr_len); |
| 379 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 380 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 380 | if (err) | 381 | if (err) |
| 381 | goto free_out; | 382 | goto unlock; |
| 382 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { | 383 | if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { |
| 383 | LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); | 384 | LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); |
| 384 | err = -EBADMSG; | 385 | err = -EBADMSG; |
| 385 | goto free_out; | ||
| 386 | } | 386 | } |
| 387 | } | 387 | } |
| 388 | unlock: | ||
| 389 | spin_unlock(&x->lock); | ||
| 390 | |||
| 391 | if (err) | ||
| 392 | goto free_out; | ||
| 388 | 393 | ||
| 389 | skb->network_header += ah_hlen; | 394 | skb->network_header += ah_hlen; |
| 390 | memcpy(skb_network_header(skb), tmp_hdr, hdr_len); | 395 | memcpy(skb_network_header(skb), tmp_hdr, hdr_len); |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 096974ba6420..5bd5292ad9fa 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
| @@ -165,30 +165,32 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 165 | goto out; | 165 | goto out; |
| 166 | } | 166 | } |
| 167 | 167 | ||
| 168 | if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) { | ||
| 169 | ret = -EINVAL; | ||
| 170 | goto out; | ||
| 171 | } | ||
| 172 | |||
| 173 | skb->ip_summed = CHECKSUM_NONE; | ||
| 174 | |||
| 175 | spin_lock(&x->lock); | ||
| 176 | |||
| 168 | /* If integrity check is required, do this. */ | 177 | /* If integrity check is required, do this. */ |
| 169 | if (esp->auth.icv_full_len) { | 178 | if (esp->auth.icv_full_len) { |
| 170 | u8 sum[alen]; | 179 | u8 sum[alen]; |
| 171 | 180 | ||
| 172 | ret = esp_mac_digest(esp, skb, 0, skb->len - alen); | 181 | ret = esp_mac_digest(esp, skb, 0, skb->len - alen); |
| 173 | if (ret) | 182 | if (ret) |
| 174 | goto out; | 183 | goto unlock; |
| 175 | 184 | ||
| 176 | if (skb_copy_bits(skb, skb->len - alen, sum, alen)) | 185 | if (skb_copy_bits(skb, skb->len - alen, sum, alen)) |
| 177 | BUG(); | 186 | BUG(); |
| 178 | 187 | ||
| 179 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { | 188 | if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { |
| 180 | ret = -EBADMSG; | 189 | ret = -EBADMSG; |
| 181 | goto out; | 190 | goto unlock; |
| 182 | } | 191 | } |
| 183 | } | 192 | } |
| 184 | 193 | ||
| 185 | if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) { | ||
| 186 | ret = -EINVAL; | ||
| 187 | goto out; | ||
| 188 | } | ||
| 189 | |||
| 190 | skb->ip_summed = CHECKSUM_NONE; | ||
| 191 | |||
| 192 | esph = (struct ip_esp_hdr *)skb->data; | 194 | esph = (struct ip_esp_hdr *)skb->data; |
| 193 | iph = ipv6_hdr(skb); | 195 | iph = ipv6_hdr(skb); |
| 194 | 196 | ||
| @@ -197,15 +199,13 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 197 | crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen); | 199 | crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen); |
| 198 | 200 | ||
| 199 | { | 201 | { |
| 200 | u8 nexthdr[2]; | ||
| 201 | struct scatterlist *sg = &esp->sgbuf[0]; | 202 | struct scatterlist *sg = &esp->sgbuf[0]; |
| 202 | u8 padlen; | ||
| 203 | 203 | ||
| 204 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { | 204 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { |
| 205 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); | 205 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); |
| 206 | if (!sg) { | 206 | if (!sg) { |
| 207 | ret = -ENOMEM; | 207 | ret = -ENOMEM; |
| 208 | goto out; | 208 | goto unlock; |
| 209 | } | 209 | } |
| 210 | } | 210 | } |
| 211 | sg_init_table(sg, nfrags); | 211 | sg_init_table(sg, nfrags); |
| @@ -215,8 +215,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 215 | ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); | 215 | ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); |
| 216 | if (unlikely(sg != &esp->sgbuf[0])) | 216 | if (unlikely(sg != &esp->sgbuf[0])) |
| 217 | kfree(sg); | 217 | kfree(sg); |
| 218 | if (unlikely(ret)) | 218 | } |
| 219 | goto out; | 219 | |
| 220 | unlock: | ||
| 221 | spin_unlock(&x->lock); | ||
| 222 | |||
| 223 | if (unlikely(ret)) | ||
| 224 | goto out; | ||
| 225 | |||
| 226 | { | ||
| 227 | u8 nexthdr[2]; | ||
| 228 | u8 padlen; | ||
| 220 | 229 | ||
| 221 | if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2)) | 230 | if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2)) |
| 222 | BUG(); | 231 | BUG(); |
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index edfd9cdd721c..49d396620eac 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c | |||
| @@ -128,12 +128,15 @@ static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb) | |||
| 128 | { | 128 | { |
| 129 | struct ipv6hdr *iph = ipv6_hdr(skb); | 129 | struct ipv6hdr *iph = ipv6_hdr(skb); |
| 130 | struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data; | 130 | struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data; |
| 131 | int err = destopt->nexthdr; | ||
| 131 | 132 | ||
| 133 | spin_lock(&x->lock); | ||
| 132 | if (!ipv6_addr_equal(&iph->saddr, (struct in6_addr *)x->coaddr) && | 134 | if (!ipv6_addr_equal(&iph->saddr, (struct in6_addr *)x->coaddr) && |
| 133 | !ipv6_addr_any((struct in6_addr *)x->coaddr)) | 135 | !ipv6_addr_any((struct in6_addr *)x->coaddr)) |
| 134 | return -ENOENT; | 136 | err = -ENOENT; |
| 137 | spin_unlock(&x->lock); | ||
| 135 | 138 | ||
| 136 | return destopt->nexthdr; | 139 | return err; |
| 137 | } | 140 | } |
| 138 | 141 | ||
| 139 | /* Destination Option Header is inserted. | 142 | /* Destination Option Header is inserted. |
| @@ -344,12 +347,15 @@ static struct xfrm_type mip6_destopt_type = | |||
| 344 | static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb) | 347 | static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb) |
| 345 | { | 348 | { |
| 346 | struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data; | 349 | struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data; |
| 350 | int err = rt2->rt_hdr.nexthdr; | ||
| 347 | 351 | ||
| 352 | spin_lock(&x->lock); | ||
| 348 | if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) && | 353 | if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) && |
| 349 | !ipv6_addr_any((struct in6_addr *)x->coaddr)) | 354 | !ipv6_addr_any((struct in6_addr *)x->coaddr)) |
| 350 | return -ENOENT; | 355 | err = -ENOENT; |
| 356 | spin_unlock(&x->lock); | ||
| 351 | 357 | ||
| 352 | return rt2->rt_hdr.nexthdr; | 358 | return err; |
| 353 | } | 359 | } |
| 354 | 360 | ||
| 355 | /* Routing Header type 2 is inserted. | 361 | /* Routing Header type 2 is inserted. |
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index b7d68eb9434c..5cad522e8ef6 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c | |||
| @@ -146,7 +146,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) | |||
| 146 | if (xfrm_state_check_expire(x)) | 146 | if (xfrm_state_check_expire(x)) |
| 147 | goto drop_unlock; | 147 | goto drop_unlock; |
| 148 | 148 | ||
| 149 | spin_unlock(&x->lock); | ||
| 150 | |||
| 149 | nexthdr = x->type->input(x, skb); | 151 | nexthdr = x->type->input(x, skb); |
| 152 | |||
| 153 | spin_lock(&x->lock); | ||
| 150 | if (nexthdr <= 0) { | 154 | if (nexthdr <= 0) { |
| 151 | if (nexthdr == -EBADMSG) | 155 | if (nexthdr == -EBADMSG) |
| 152 | x->stats.integrity_failed++; | 156 | x->stats.integrity_failed++; |