ipv6: split inet6_hash_frag for netfilter and initialize secrets with net_get_random_once

Defer the fragmentation hash secret initialization for IPv6 like the
previous patch did for IPv4.

Because the netfilter logic reuses the hash secret we have to split it
first. Thus introduce a new nf_hash_frag function which takes care to
seed the hash secret.

Cc: David S. Miller <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 20 insertions, 8 deletions

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index dffdc1a389c5..4a258263d8ec 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -144,12 +144,24 @@ static inline u8 ip6_frag_ecn(const struct ipv6hdr *ipv6h)
         return 1 << (ipv6_get_dsfield(ipv6h) & INET_ECN_MASK);
 }
 
+static unsigned int nf_hash_frag(__be32 id, const struct in6_addr *saddr,
+                                 const struct in6_addr *daddr)
+{
+        u32 c;
+
+        net_get_random_once(&nf_frags.rnd, sizeof(nf_frags.rnd));
+        c = jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
+                         (__force u32)id, nf_frags.rnd);
+        return c & (INETFRAGS_HASHSZ - 1);
+}
+
+
 static unsigned int nf_hashfn(struct inet_frag_queue *q)
 {
         const struct frag_queue *nq;
 
         nq = container_of(q, struct frag_queue, q);
-        return inet6_hash_frag(nq->id, &nq->saddr, &nq->daddr, nf_frags.rnd);
+        return nf_hash_frag(nq->id, &nq->saddr, &nq->daddr);
 }
 
 static void nf_skb_free(struct sk_buff *skb)
@@ -185,7 +197,7 @@ static inline struct frag_queue *fq_find(struct net *net, __be32 id,
         arg.ecn = ecn;
 
         read_lock_bh(&nf_frags.lock);
-        hash = inet6_hash_frag(id, src, dst, nf_frags.rnd);
+        hash = nf_hash_frag(id, src, dst);
 
         q = inet_frag_find(&net->nf_frag.frags, &nf_frags, &arg, hash);
         local_bh_enable();
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 1aeb473b2cc6..cc85a9ba5010 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -82,24 +82,24 @@ static int ip6_frag_reasm(struct frag_queue *fq, struct sk_buff *prev,
  * callers should be careful not to use the hash value outside the ipfrag_lock
  * as doing so could race with ipfrag_hash_rnd being recalculated.
  */
-unsigned int inet6_hash_frag(__be32 id, const struct in6_addr *saddr,
-                             const struct in6_addr *daddr, u32 rnd)
+static unsigned int inet6_hash_frag(__be32 id, const struct in6_addr *saddr,
+                                    const struct in6_addr *daddr)
 {
         u32 c;
 
+        net_get_random_once(&ip6_frags.rnd, sizeof(ip6_frags.rnd));
         c = jhash_3words(ipv6_addr_hash(saddr), ipv6_addr_hash(daddr),
-                         (__force u32)id, rnd);
+                         (__force u32)id, ip6_frags.rnd);
 
         return c & (INETFRAGS_HASHSZ - 1);
 }
-EXPORT_SYMBOL_GPL(inet6_hash_frag);
 
 static unsigned int ip6_hashfn(struct inet_frag_queue *q)
 {
         struct frag_queue *fq;
 
         fq = container_of(q, struct frag_queue, q);
-        return inet6_hash_frag(fq->id, &fq->saddr, &fq->daddr, ip6_frags.rnd);
+        return inet6_hash_frag(fq->id, &fq->saddr, &fq->daddr);
 }
 
 bool ip6_frag_match(struct inet_frag_queue *q, void *a)
@@ -193,7 +193,7 @@ fq_find(struct net *net, __be32 id, const struct in6_addr *src,
         arg.ecn = ecn;
 
         read_lock(&ip6_frags.lock);
-        hash = inet6_hash_frag(id, src, dst, ip6_frags.rnd);
+        hash = inet6_hash_frag(id, src, dst);
 
         q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);
         if (IS_ERR_OR_NULL(q)) {