diff options
| author | Herbert Xu <herbert@gondor.apana.org.au> | 2007-10-09 16:33:35 -0400 |
|---|---|---|
| committer | David S. Miller <davem@sunset.davemloft.net> | 2007-10-10 19:55:03 -0400 |
| commit | b7c6538cd84f8072fad43bfce530f5bf695edbba (patch) | |
| tree | e0ba79ffe7b79355985a45de9961b17a0462764f /net | |
| parent | 050f009e16f908932070313c1745d09dc69fd62b (diff) | |
[IPSEC]: Move state lock into x->type->output
This patch releases the lock on the state before calling x->type->output.
It also adds the lock to the spots where they're currently needed.
Most of those places (all except mip6) are expected to disappear with
async crypto.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/ipv4/ah4.c | 7 | ||||
| -rw-r--r-- | net/ipv4/esp4.c | 10 | ||||
| -rw-r--r-- | net/ipv6/ah6.c | 9 | ||||
| -rw-r--r-- | net/ipv6/esp6.c | 10 | ||||
| -rw-r--r-- | net/ipv6/mip6.c | 4 | ||||
| -rw-r--r-- | net/xfrm/xfrm_output.c | 8 |
6 files changed, 36 insertions, 12 deletions
diff --git a/net/ipv4/ah4.c b/net/ipv4/ah4.c index 58af298e1941..3513149c3843 100644 --- a/net/ipv4/ah4.c +++ b/net/ipv4/ah4.c | |||
| @@ -5,6 +5,7 @@ | |||
| 5 | #include <net/ah.h> | 5 | #include <net/ah.h> |
| 6 | #include <linux/crypto.h> | 6 | #include <linux/crypto.h> |
| 7 | #include <linux/pfkeyv2.h> | 7 | #include <linux/pfkeyv2.h> |
| 8 | #include <linux/spinlock.h> | ||
| 8 | #include <net/icmp.h> | 9 | #include <net/icmp.h> |
| 9 | #include <net/protocol.h> | 10 | #include <net/protocol.h> |
| 10 | #include <asm/scatterlist.h> | 11 | #include <asm/scatterlist.h> |
| @@ -97,10 +98,14 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 97 | ah->reserved = 0; | 98 | ah->reserved = 0; |
| 98 | ah->spi = x->id.spi; | 99 | ah->spi = x->id.spi; |
| 99 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); | 100 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 101 | |||
| 102 | spin_lock_bh(&x->lock); | ||
| 100 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 103 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 104 | memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); | ||
| 105 | spin_unlock_bh(&x->lock); | ||
| 106 | |||
| 101 | if (err) | 107 | if (err) |
| 102 | goto error; | 108 | goto error; |
| 103 | memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); | ||
| 104 | 109 | ||
| 105 | top_iph->tos = iph->tos; | 110 | top_iph->tos = iph->tos; |
| 106 | top_iph->ttl = iph->ttl; | 111 | top_iph->ttl = iph->ttl; |
diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c index ffd565350411..452910dae89f 100644 --- a/net/ipv4/esp4.c +++ b/net/ipv4/esp4.c | |||
| @@ -8,6 +8,7 @@ | |||
| 8 | #include <linux/kernel.h> | 8 | #include <linux/kernel.h> |
| 9 | #include <linux/pfkeyv2.h> | 9 | #include <linux/pfkeyv2.h> |
| 10 | #include <linux/random.h> | 10 | #include <linux/random.h> |
| 11 | #include <linux/spinlock.h> | ||
| 11 | #include <net/icmp.h> | 12 | #include <net/icmp.h> |
| 12 | #include <net/protocol.h> | 13 | #include <net/protocol.h> |
| 13 | #include <net/udp.h> | 14 | #include <net/udp.h> |
| @@ -66,6 +67,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 66 | top_iph->tot_len = htons(skb->len + alen); | 67 | top_iph->tot_len = htons(skb->len + alen); |
| 67 | *(skb_tail_pointer(trailer) - 1) = top_iph->protocol; | 68 | *(skb_tail_pointer(trailer) - 1) = top_iph->protocol; |
| 68 | 69 | ||
| 70 | spin_lock_bh(&x->lock); | ||
| 71 | |||
| 69 | /* this is non-NULL only with UDP Encapsulation */ | 72 | /* this is non-NULL only with UDP Encapsulation */ |
| 70 | if (x->encap) { | 73 | if (x->encap) { |
| 71 | struct xfrm_encap_tmpl *encap = x->encap; | 74 | struct xfrm_encap_tmpl *encap = x->encap; |
| @@ -111,7 +114,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 111 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { | 114 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { |
| 112 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); | 115 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); |
| 113 | if (!sg) | 116 | if (!sg) |
| 114 | goto error; | 117 | goto unlock; |
| 115 | } | 118 | } |
| 116 | skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); | 119 | skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); |
| 117 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); | 120 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); |
| @@ -120,7 +123,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 120 | } while (0); | 123 | } while (0); |
| 121 | 124 | ||
| 122 | if (unlikely(err)) | 125 | if (unlikely(err)) |
| 123 | goto error; | 126 | goto unlock; |
| 124 | 127 | ||
| 125 | if (esp->conf.ivlen) { | 128 | if (esp->conf.ivlen) { |
| 126 | memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); | 129 | memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); |
| @@ -133,6 +136,9 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 133 | memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); | 136 | memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); |
| 134 | } | 137 | } |
| 135 | 138 | ||
| 139 | unlock: | ||
| 140 | spin_unlock_bh(&x->lock); | ||
| 141 | |||
| 136 | ip_send_check(top_iph); | 142 | ip_send_check(top_iph); |
| 137 | 143 | ||
| 138 | error: | 144 | error: |
diff --git a/net/ipv6/ah6.c b/net/ipv6/ah6.c index ff904a711f3a..c51d77564b44 100644 --- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c | |||
| @@ -29,6 +29,7 @@ | |||
| 29 | #include <net/ah.h> | 29 | #include <net/ah.h> |
| 30 | #include <linux/crypto.h> | 30 | #include <linux/crypto.h> |
| 31 | #include <linux/pfkeyv2.h> | 31 | #include <linux/pfkeyv2.h> |
| 32 | #include <linux/spinlock.h> | ||
| 32 | #include <linux/string.h> | 33 | #include <linux/string.h> |
| 33 | #include <net/icmp.h> | 34 | #include <net/icmp.h> |
| 34 | #include <net/ipv6.h> | 35 | #include <net/ipv6.h> |
| @@ -284,12 +285,14 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 284 | ah->reserved = 0; | 285 | ah->reserved = 0; |
| 285 | ah->spi = x->id.spi; | 286 | ah->spi = x->id.spi; |
| 286 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); | 287 | ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 288 | |||
| 289 | spin_lock_bh(&x->lock); | ||
| 287 | err = ah_mac_digest(ahp, skb, ah->auth_data); | 290 | err = ah_mac_digest(ahp, skb, ah->auth_data); |
| 288 | if (err) | ||
| 289 | goto error_free_iph; | ||
| 290 | memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); | 291 | memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); |
| 292 | spin_unlock_bh(&x->lock); | ||
| 291 | 293 | ||
| 292 | err = 0; | 294 | if (err) |
| 295 | goto error_free_iph; | ||
| 293 | 296 | ||
| 294 | memcpy(top_iph, tmp_base, sizeof(tmp_base)); | 297 | memcpy(top_iph, tmp_base, sizeof(tmp_base)); |
| 295 | if (tmp_ext) { | 298 | if (tmp_ext) { |
diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c index 9fc19400b851..7355bb0345e2 100644 --- a/net/ipv6/esp6.c +++ b/net/ipv6/esp6.c | |||
| @@ -34,6 +34,7 @@ | |||
| 34 | #include <linux/kernel.h> | 34 | #include <linux/kernel.h> |
| 35 | #include <linux/pfkeyv2.h> | 35 | #include <linux/pfkeyv2.h> |
| 36 | #include <linux/random.h> | 36 | #include <linux/random.h> |
| 37 | #include <linux/spinlock.h> | ||
| 37 | #include <net/icmp.h> | 38 | #include <net/icmp.h> |
| 38 | #include <net/ipv6.h> | 39 | #include <net/ipv6.h> |
| 39 | #include <net/protocol.h> | 40 | #include <net/protocol.h> |
| @@ -98,6 +99,8 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 98 | esph->spi = x->id.spi; | 99 | esph->spi = x->id.spi; |
| 99 | esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); | 100 | esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); |
| 100 | 101 | ||
| 102 | spin_lock_bh(&x->lock); | ||
| 103 | |||
| 101 | if (esp->conf.ivlen) { | 104 | if (esp->conf.ivlen) { |
| 102 | if (unlikely(!esp->conf.ivinitted)) { | 105 | if (unlikely(!esp->conf.ivinitted)) { |
| 103 | get_random_bytes(esp->conf.ivec, esp->conf.ivlen); | 106 | get_random_bytes(esp->conf.ivec, esp->conf.ivlen); |
| @@ -112,7 +115,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 112 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { | 115 | if (unlikely(nfrags > ESP_NUM_FAST_SG)) { |
| 113 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); | 116 | sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); |
| 114 | if (!sg) | 117 | if (!sg) |
| 115 | goto error; | 118 | goto unlock; |
| 116 | } | 119 | } |
| 117 | skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); | 120 | skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); |
| 118 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); | 121 | err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); |
| @@ -121,7 +124,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 121 | } while (0); | 124 | } while (0); |
| 122 | 125 | ||
| 123 | if (unlikely(err)) | 126 | if (unlikely(err)) |
| 124 | goto error; | 127 | goto unlock; |
| 125 | 128 | ||
| 126 | if (esp->conf.ivlen) { | 129 | if (esp->conf.ivlen) { |
| 127 | memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); | 130 | memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); |
| @@ -134,6 +137,9 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 134 | memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); | 137 | memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); |
| 135 | } | 138 | } |
| 136 | 139 | ||
| 140 | unlock: | ||
| 141 | spin_unlock_bh(&x->lock); | ||
| 142 | |||
| 137 | error: | 143 | error: |
| 138 | return err; | 144 | return err; |
| 139 | } | 145 | } |
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c index 7261c29898cb..6475baca63d2 100644 --- a/net/ipv6/mip6.c +++ b/net/ipv6/mip6.c | |||
| @@ -172,7 +172,9 @@ static int mip6_destopt_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 172 | len = ((char *)hao - (char *)dstopt) + sizeof(*hao); | 172 | len = ((char *)hao - (char *)dstopt) + sizeof(*hao); |
| 173 | 173 | ||
| 174 | memcpy(&hao->addr, &iph->saddr, sizeof(hao->addr)); | 174 | memcpy(&hao->addr, &iph->saddr, sizeof(hao->addr)); |
| 175 | spin_lock_bh(&x->lock); | ||
| 175 | memcpy(&iph->saddr, x->coaddr, sizeof(iph->saddr)); | 176 | memcpy(&iph->saddr, x->coaddr, sizeof(iph->saddr)); |
| 177 | spin_unlock_bh(&x->lock); | ||
| 176 | 178 | ||
| 177 | BUG_TRAP(len == x->props.header_len); | 179 | BUG_TRAP(len == x->props.header_len); |
| 178 | dstopt->hdrlen = (x->props.header_len >> 3) - 1; | 180 | dstopt->hdrlen = (x->props.header_len >> 3) - 1; |
| @@ -381,7 +383,9 @@ static int mip6_rthdr_output(struct xfrm_state *x, struct sk_buff *skb) | |||
| 381 | BUG_TRAP(rt2->rt_hdr.hdrlen == 2); | 383 | BUG_TRAP(rt2->rt_hdr.hdrlen == 2); |
| 382 | 384 | ||
| 383 | memcpy(&rt2->addr, &iph->daddr, sizeof(rt2->addr)); | 385 | memcpy(&rt2->addr, &iph->daddr, sizeof(rt2->addr)); |
| 386 | spin_lock_bh(&x->lock); | ||
| 384 | memcpy(&iph->daddr, x->coaddr, sizeof(iph->daddr)); | 387 | memcpy(&iph->daddr, x->coaddr, sizeof(iph->daddr)); |
| 388 | spin_unlock_bh(&x->lock); | ||
| 385 | 389 | ||
| 386 | return 0; | 390 | return 0; |
| 387 | } | 391 | } |
diff --git a/net/xfrm/xfrm_output.c b/net/xfrm/xfrm_output.c index 9847baec4094..0eb3377602e9 100644 --- a/net/xfrm/xfrm_output.c +++ b/net/xfrm/xfrm_output.c | |||
| @@ -67,15 +67,15 @@ int xfrm_output(struct sk_buff *skb) | |||
| 67 | if (err) | 67 | if (err) |
| 68 | goto error; | 68 | goto error; |
| 69 | 69 | ||
| 70 | err = x->type->output(x, skb); | ||
| 71 | if (err) | ||
| 72 | goto error; | ||
| 73 | |||
| 74 | x->curlft.bytes += skb->len; | 70 | x->curlft.bytes += skb->len; |
| 75 | x->curlft.packets++; | 71 | x->curlft.packets++; |
| 76 | 72 | ||
| 77 | spin_unlock_bh(&x->lock); | 73 | spin_unlock_bh(&x->lock); |
| 78 | 74 | ||
| 75 | err = x->type->output(x, skb); | ||
| 76 | if (err) | ||
| 77 | goto error_nolock; | ||
| 78 | |||
| 79 | if (!(skb->dst = dst_pop(dst))) { | 79 | if (!(skb->dst = dst_pop(dst))) { |
| 80 | err = -EHOSTUNREACH; | 80 | err = -EHOSTUNREACH; |
| 81 | goto error_nolock; | 81 | goto error_nolock; |