aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/net/netns/xfrm.h4
-rw-r--r--include/net/xfrm.h11
-rw-r--r--net/key/af_key.c15
-rw-r--r--net/xfrm/xfrm_policy.c104
-rw-r--r--net/xfrm/xfrm_state.c104
-rw-r--r--net/xfrm/xfrm_user.c14
6 files changed, 138 insertions, 114 deletions
diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
index 5299e69a32af..ea28404e9d79 100644
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -59,6 +59,10 @@ struct netns_xfrm {
59#if IS_ENABLED(CONFIG_IPV6) 59#if IS_ENABLED(CONFIG_IPV6)
60 struct dst_ops xfrm6_dst_ops; 60 struct dst_ops xfrm6_dst_ops;
61#endif 61#endif
62 spinlock_t xfrm_state_lock;
63 spinlock_t xfrm_policy_sk_bundle_lock;
64 rwlock_t xfrm_policy_lock;
65 struct mutex xfrm_cfg_mutex;
62}; 66};
63 67
64#endif 68#endif
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 5b522c5f0188..59f5d0a6c7f8 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -53,7 +53,6 @@
53#define XFRM_INC_STATS_USER(net, field) ((void)(net)) 53#define XFRM_INC_STATS_USER(net, field) ((void)(net))
54#endif 54#endif
55 55
56extern struct mutex xfrm_cfg_mutex;
57 56
58/* Organization of SPD aka "XFRM rules" 57/* Organization of SPD aka "XFRM rules"
59 ------------------------------------ 58 ------------------------------------
@@ -1409,7 +1408,7 @@ static inline void xfrm_sysctl_fini(struct net *net)
1409void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto); 1408void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto);
1410int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk, 1409int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1411 int (*func)(struct xfrm_state *, int, void*), void *); 1410 int (*func)(struct xfrm_state *, int, void*), void *);
1412void xfrm_state_walk_done(struct xfrm_state_walk *walk); 1411void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
1413struct xfrm_state *xfrm_state_alloc(struct net *net); 1412struct xfrm_state *xfrm_state_alloc(struct net *net);
1414struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr, 1413struct xfrm_state *xfrm_state_find(const xfrm_address_t *daddr,
1415 const xfrm_address_t *saddr, 1414 const xfrm_address_t *saddr,
@@ -1436,12 +1435,12 @@ struct xfrm_state *xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1436 unsigned short family); 1435 unsigned short family);
1437#ifdef CONFIG_XFRM_SUB_POLICY 1436#ifdef CONFIG_XFRM_SUB_POLICY
1438int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1437int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1439 unsigned short family); 1438 unsigned short family, struct net *net);
1440int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1439int xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1441 unsigned short family); 1440 unsigned short family);
1442#else 1441#else
1443static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, 1442static inline int xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src,
1444 int n, unsigned short family) 1443 int n, unsigned short family, struct net *net)
1445{ 1444{
1446 return -ENOSYS; 1445 return -ENOSYS;
1447} 1446}
@@ -1553,7 +1552,7 @@ void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type);
1553int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk, 1552int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
1554 int (*func)(struct xfrm_policy *, int, int, void*), 1553 int (*func)(struct xfrm_policy *, int, int, void*),
1555 void *); 1554 void *);
1556void xfrm_policy_walk_done(struct xfrm_policy_walk *walk); 1555void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net);
1557int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl); 1556int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl);
1558struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, 1557struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark,
1559 u8 type, int dir, 1558 u8 type, int dir,
@@ -1576,7 +1575,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
1576int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1575int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
1577 const struct xfrm_migrate *m, int num_bundles, 1576 const struct xfrm_migrate *m, int num_bundles,
1578 const struct xfrm_kmaddress *k); 1577 const struct xfrm_kmaddress *k);
1579struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m); 1578struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net);
1580struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x, 1579struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
1581 struct xfrm_migrate *m); 1580 struct xfrm_migrate *m);
1582int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, 1581int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 3fa811c46913..9a039acf37e8 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1785,7 +1785,9 @@ static int pfkey_dump_sa(struct pfkey_sock *pfk)
1785 1785
1786static void pfkey_dump_sa_done(struct pfkey_sock *pfk) 1786static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
1787{ 1787{
1788 xfrm_state_walk_done(&pfk->dump.u.state); 1788 struct net *net = sock_net(&pfk->sk);
1789
1790 xfrm_state_walk_done(&pfk->dump.u.state, net);
1789} 1791}
1790 1792
1791static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs) 1793static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
@@ -1861,7 +1863,7 @@ static u32 gen_reqid(struct net *net)
1861 reqid = IPSEC_MANUAL_REQID_MAX+1; 1863 reqid = IPSEC_MANUAL_REQID_MAX+1;
1862 xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN); 1864 xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN);
1863 rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid); 1865 rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid);
1864 xfrm_policy_walk_done(&walk); 1866 xfrm_policy_walk_done(&walk, net);
1865 if (rc != -EEXIST) 1867 if (rc != -EEXIST)
1866 return reqid; 1868 return reqid;
1867 } while (reqid != start); 1869 } while (reqid != start);
@@ -2660,7 +2662,9 @@ static int pfkey_dump_sp(struct pfkey_sock *pfk)
2660 2662
2661static void pfkey_dump_sp_done(struct pfkey_sock *pfk) 2663static void pfkey_dump_sp_done(struct pfkey_sock *pfk)
2662{ 2664{
2663 xfrm_policy_walk_done(&pfk->dump.u.policy); 2665 struct net *net = sock_net((struct sock *)pfk);
2666
2667 xfrm_policy_walk_done(&pfk->dump.u.policy, net);
2664} 2668}
2665 2669
2666static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs) 2670static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
@@ -3570,6 +3574,7 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
3570 struct sk_buff *skb = NULL; 3574 struct sk_buff *skb = NULL;
3571 struct sadb_msg *hdr = NULL; 3575 struct sadb_msg *hdr = NULL;
3572 int err; 3576 int err;
3577 struct net *net = sock_net(sk);
3573 3578
3574 err = -EOPNOTSUPP; 3579 err = -EOPNOTSUPP;
3575 if (msg->msg_flags & MSG_OOB) 3580 if (msg->msg_flags & MSG_OOB)
@@ -3592,9 +3597,9 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
3592 if (!hdr) 3597 if (!hdr)
3593 goto out; 3598 goto out;
3594 3599
3595 mutex_lock(&xfrm_cfg_mutex); 3600 mutex_lock(&net->xfrm.xfrm_cfg_mutex);
3596 err = pfkey_process(sk, skb, hdr); 3601 err = pfkey_process(sk, skb, hdr);
3597 mutex_unlock(&xfrm_cfg_mutex); 3602 mutex_unlock(&net->xfrm.xfrm_cfg_mutex);
3598 3603
3599out: 3604out:
3600 if (err && hdr && pfkey_error(hdr, err, sk) == 0) 3605 if (err && hdr && pfkey_error(hdr, err, sk) == 0)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 907fd2fa70bc..73b04d3df44e 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -39,12 +39,7 @@
39#define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ)) 39#define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
40#define XFRM_MAX_QUEUE_LEN 100 40#define XFRM_MAX_QUEUE_LEN 100
41 41
42DEFINE_MUTEX(xfrm_cfg_mutex);
43EXPORT_SYMBOL(xfrm_cfg_mutex);
44
45static DEFINE_SPINLOCK(xfrm_policy_sk_bundle_lock);
46static struct dst_entry *xfrm_policy_sk_bundles; 42static struct dst_entry *xfrm_policy_sk_bundles;
47static DEFINE_RWLOCK(xfrm_policy_lock);
48 43
49static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock); 44static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);
50static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO] 45static struct xfrm_policy_afinfo __rcu *xfrm_policy_afinfo[NPROTO]
@@ -438,7 +433,7 @@ static void xfrm_bydst_resize(struct net *net, int dir)
438 if (!ndst) 433 if (!ndst)
439 return; 434 return;
440 435
441 write_lock_bh(&xfrm_policy_lock); 436 write_lock_bh(&net->xfrm.xfrm_policy_lock);
442 437
443 for (i = hmask; i >= 0; i--) 438 for (i = hmask; i >= 0; i--)
444 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask); 439 xfrm_dst_hash_transfer(odst + i, ndst, nhashmask);
@@ -446,7 +441,7 @@ static void xfrm_bydst_resize(struct net *net, int dir)
446 net->xfrm.policy_bydst[dir].table = ndst; 441 net->xfrm.policy_bydst[dir].table = ndst;
447 net->xfrm.policy_bydst[dir].hmask = nhashmask; 442 net->xfrm.policy_bydst[dir].hmask = nhashmask;
448 443
449 write_unlock_bh(&xfrm_policy_lock); 444 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
450 445
451 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head)); 446 xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));
452} 447}
@@ -463,7 +458,7 @@ static void xfrm_byidx_resize(struct net *net, int total)
463 if (!nidx) 458 if (!nidx)
464 return; 459 return;
465 460
466 write_lock_bh(&xfrm_policy_lock); 461 write_lock_bh(&net->xfrm.xfrm_policy_lock);
467 462
468 for (i = hmask; i >= 0; i--) 463 for (i = hmask; i >= 0; i--)
469 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask); 464 xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);
@@ -471,7 +466,7 @@ static void xfrm_byidx_resize(struct net *net, int total)
471 net->xfrm.policy_byidx = nidx; 466 net->xfrm.policy_byidx = nidx;
472 net->xfrm.policy_idx_hmask = nhashmask; 467 net->xfrm.policy_idx_hmask = nhashmask;
473 468
474 write_unlock_bh(&xfrm_policy_lock); 469 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
475 470
476 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head)); 471 xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));
477} 472}
@@ -504,7 +499,7 @@ static inline int xfrm_byidx_should_resize(struct net *net, int total)
504 499
505void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si) 500void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
506{ 501{
507 read_lock_bh(&xfrm_policy_lock); 502 read_lock_bh(&net->xfrm.xfrm_policy_lock);
508 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN]; 503 si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
509 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT]; 504 si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
510 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD]; 505 si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
@@ -513,7 +508,7 @@ void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)
513 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX]; 508 si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
514 si->spdhcnt = net->xfrm.policy_idx_hmask; 509 si->spdhcnt = net->xfrm.policy_idx_hmask;
515 si->spdhmcnt = xfrm_policy_hashmax; 510 si->spdhmcnt = xfrm_policy_hashmax;
516 read_unlock_bh(&xfrm_policy_lock); 511 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
517} 512}
518EXPORT_SYMBOL(xfrm_spd_getinfo); 513EXPORT_SYMBOL(xfrm_spd_getinfo);
519 514
@@ -636,7 +631,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
636 struct hlist_head *chain; 631 struct hlist_head *chain;
637 struct hlist_node *newpos; 632 struct hlist_node *newpos;
638 633
639 write_lock_bh(&xfrm_policy_lock); 634 write_lock_bh(&net->xfrm.xfrm_policy_lock);
640 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir); 635 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
641 delpol = NULL; 636 delpol = NULL;
642 newpos = NULL; 637 newpos = NULL;
@@ -647,7 +642,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
647 xfrm_sec_ctx_match(pol->security, policy->security) && 642 xfrm_sec_ctx_match(pol->security, policy->security) &&
648 !WARN_ON(delpol)) { 643 !WARN_ON(delpol)) {
649 if (excl) { 644 if (excl) {
650 write_unlock_bh(&xfrm_policy_lock); 645 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
651 return -EEXIST; 646 return -EEXIST;
652 } 647 }
653 delpol = pol; 648 delpol = pol;
@@ -685,7 +680,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
685 if (!mod_timer(&policy->timer, jiffies + HZ)) 680 if (!mod_timer(&policy->timer, jiffies + HZ))
686 xfrm_pol_hold(policy); 681 xfrm_pol_hold(policy);
687 list_add(&policy->walk.all, &net->xfrm.policy_all); 682 list_add(&policy->walk.all, &net->xfrm.policy_all);
688 write_unlock_bh(&xfrm_policy_lock); 683 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
689 684
690 if (delpol) 685 if (delpol)
691 xfrm_policy_kill(delpol); 686 xfrm_policy_kill(delpol);
@@ -705,7 +700,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
705 struct hlist_head *chain; 700 struct hlist_head *chain;
706 701
707 *err = 0; 702 *err = 0;
708 write_lock_bh(&xfrm_policy_lock); 703 write_lock_bh(&net->xfrm.xfrm_policy_lock);
709 chain = policy_hash_bysel(net, sel, sel->family, dir); 704 chain = policy_hash_bysel(net, sel, sel->family, dir);
710 ret = NULL; 705 ret = NULL;
711 hlist_for_each_entry(pol, chain, bydst) { 706 hlist_for_each_entry(pol, chain, bydst) {
@@ -718,7 +713,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
718 *err = security_xfrm_policy_delete( 713 *err = security_xfrm_policy_delete(
719 pol->security); 714 pol->security);
720 if (*err) { 715 if (*err) {
721 write_unlock_bh(&xfrm_policy_lock); 716 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
722 return pol; 717 return pol;
723 } 718 }
724 __xfrm_policy_unlink(pol, dir); 719 __xfrm_policy_unlink(pol, dir);
@@ -727,7 +722,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
727 break; 722 break;
728 } 723 }
729 } 724 }
730 write_unlock_bh(&xfrm_policy_lock); 725 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
731 726
732 if (ret && delete) 727 if (ret && delete)
733 xfrm_policy_kill(ret); 728 xfrm_policy_kill(ret);
@@ -746,7 +741,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
746 return NULL; 741 return NULL;
747 742
748 *err = 0; 743 *err = 0;
749 write_lock_bh(&xfrm_policy_lock); 744 write_lock_bh(&net->xfrm.xfrm_policy_lock);
750 chain = net->xfrm.policy_byidx + idx_hash(net, id); 745 chain = net->xfrm.policy_byidx + idx_hash(net, id);
751 ret = NULL; 746 ret = NULL;
752 hlist_for_each_entry(pol, chain, byidx) { 747 hlist_for_each_entry(pol, chain, byidx) {
@@ -757,7 +752,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
757 *err = security_xfrm_policy_delete( 752 *err = security_xfrm_policy_delete(
758 pol->security); 753 pol->security);
759 if (*err) { 754 if (*err) {
760 write_unlock_bh(&xfrm_policy_lock); 755 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
761 return pol; 756 return pol;
762 } 757 }
763 __xfrm_policy_unlink(pol, dir); 758 __xfrm_policy_unlink(pol, dir);
@@ -766,7 +761,7 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
766 break; 761 break;
767 } 762 }
768 } 763 }
769 write_unlock_bh(&xfrm_policy_lock); 764 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
770 765
771 if (ret && delete) 766 if (ret && delete)
772 xfrm_policy_kill(ret); 767 xfrm_policy_kill(ret);
@@ -829,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
829{ 824{
830 int dir, err = 0, cnt = 0; 825 int dir, err = 0, cnt = 0;
831 826
832 write_lock_bh(&xfrm_policy_lock); 827 write_lock_bh(&net->xfrm.xfrm_policy_lock);
833 828
834 err = xfrm_policy_flush_secctx_check(net, type, audit_info); 829 err = xfrm_policy_flush_secctx_check(net, type, audit_info);
835 if (err) 830 if (err)
@@ -845,7 +840,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
845 if (pol->type != type) 840 if (pol->type != type)
846 continue; 841 continue;
847 __xfrm_policy_unlink(pol, dir); 842 __xfrm_policy_unlink(pol, dir);
848 write_unlock_bh(&xfrm_policy_lock); 843 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
849 cnt++; 844 cnt++;
850 845
851 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 846 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
@@ -854,7 +849,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
854 849
855 xfrm_policy_kill(pol); 850 xfrm_policy_kill(pol);
856 851
857 write_lock_bh(&xfrm_policy_lock); 852 write_lock_bh(&net->xfrm.xfrm_policy_lock);
858 goto again1; 853 goto again1;
859 } 854 }
860 855
@@ -866,7 +861,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
866 if (pol->type != type) 861 if (pol->type != type)
867 continue; 862 continue;
868 __xfrm_policy_unlink(pol, dir); 863 __xfrm_policy_unlink(pol, dir);
869 write_unlock_bh(&xfrm_policy_lock); 864 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
870 cnt++; 865 cnt++;
871 866
872 xfrm_audit_policy_delete(pol, 1, 867 xfrm_audit_policy_delete(pol, 1,
@@ -875,7 +870,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
875 audit_info->secid); 870 audit_info->secid);
876 xfrm_policy_kill(pol); 871 xfrm_policy_kill(pol);
877 872
878 write_lock_bh(&xfrm_policy_lock); 873 write_lock_bh(&net->xfrm.xfrm_policy_lock);
879 goto again2; 874 goto again2;
880 } 875 }
881 } 876 }
@@ -884,7 +879,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
884 if (!cnt) 879 if (!cnt)
885 err = -ESRCH; 880 err = -ESRCH;
886out: 881out:
887 write_unlock_bh(&xfrm_policy_lock); 882 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
888 return err; 883 return err;
889} 884}
890EXPORT_SYMBOL(xfrm_policy_flush); 885EXPORT_SYMBOL(xfrm_policy_flush);
@@ -904,7 +899,7 @@ int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
904 if (list_empty(&walk->walk.all) && walk->seq != 0) 899 if (list_empty(&walk->walk.all) && walk->seq != 0)
905 return 0; 900 return 0;
906 901
907 write_lock_bh(&xfrm_policy_lock); 902 write_lock_bh(&net->xfrm.xfrm_policy_lock);
908 if (list_empty(&walk->walk.all)) 903 if (list_empty(&walk->walk.all))
909 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all); 904 x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);
910 else 905 else
@@ -930,7 +925,7 @@ int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,
930 } 925 }
931 list_del_init(&walk->walk.all); 926 list_del_init(&walk->walk.all);
932out: 927out:
933 write_unlock_bh(&xfrm_policy_lock); 928 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
934 return error; 929 return error;
935} 930}
936EXPORT_SYMBOL(xfrm_policy_walk); 931EXPORT_SYMBOL(xfrm_policy_walk);
@@ -944,14 +939,14 @@ void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
944} 939}
945EXPORT_SYMBOL(xfrm_policy_walk_init); 940EXPORT_SYMBOL(xfrm_policy_walk_init);
946 941
947void xfrm_policy_walk_done(struct xfrm_policy_walk *walk) 942void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)
948{ 943{
949 if (list_empty(&walk->walk.all)) 944 if (list_empty(&walk->walk.all))
950 return; 945 return;
951 946
952 write_lock_bh(&xfrm_policy_lock); 947 write_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */
953 list_del(&walk->walk.all); 948 list_del(&walk->walk.all);
954 write_unlock_bh(&xfrm_policy_lock); 949 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
955} 950}
956EXPORT_SYMBOL(xfrm_policy_walk_done); 951EXPORT_SYMBOL(xfrm_policy_walk_done);
957 952
@@ -996,7 +991,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
996 if (unlikely(!daddr || !saddr)) 991 if (unlikely(!daddr || !saddr))
997 return NULL; 992 return NULL;
998 993
999 read_lock_bh(&xfrm_policy_lock); 994 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1000 chain = policy_hash_direct(net, daddr, saddr, family, dir); 995 chain = policy_hash_direct(net, daddr, saddr, family, dir);
1001 ret = NULL; 996 ret = NULL;
1002 hlist_for_each_entry(pol, chain, bydst) { 997 hlist_for_each_entry(pol, chain, bydst) {
@@ -1032,7 +1027,7 @@ static struct xfrm_policy *xfrm_policy_lookup_bytype(struct net *net, u8 type,
1032 if (ret) 1027 if (ret)
1033 xfrm_pol_hold(ret); 1028 xfrm_pol_hold(ret);
1034fail: 1029fail:
1035 read_unlock_bh(&xfrm_policy_lock); 1030 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1036 1031
1037 return ret; 1032 return ret;
1038} 1033}
@@ -1109,8 +1104,9 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1109 const struct flowi *fl) 1104 const struct flowi *fl)
1110{ 1105{
1111 struct xfrm_policy *pol; 1106 struct xfrm_policy *pol;
1107 struct net *net = sock_net(sk);
1112 1108
1113 read_lock_bh(&xfrm_policy_lock); 1109 read_lock_bh(&net->xfrm.xfrm_policy_lock);
1114 if ((pol = sk->sk_policy[dir]) != NULL) { 1110 if ((pol = sk->sk_policy[dir]) != NULL) {
1115 bool match = xfrm_selector_match(&pol->selector, fl, 1111 bool match = xfrm_selector_match(&pol->selector, fl,
1116 sk->sk_family); 1112 sk->sk_family);
@@ -1134,7 +1130,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir,
1134 pol = NULL; 1130 pol = NULL;
1135 } 1131 }
1136out: 1132out:
1137 read_unlock_bh(&xfrm_policy_lock); 1133 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
1138 return pol; 1134 return pol;
1139} 1135}
1140 1136
@@ -1172,9 +1168,11 @@ static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
1172 1168
1173int xfrm_policy_delete(struct xfrm_policy *pol, int dir) 1169int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1174{ 1170{
1175 write_lock_bh(&xfrm_policy_lock); 1171 struct net *net = xp_net(pol);
1172
1173 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1176 pol = __xfrm_policy_unlink(pol, dir); 1174 pol = __xfrm_policy_unlink(pol, dir);
1177 write_unlock_bh(&xfrm_policy_lock); 1175 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1178 if (pol) { 1176 if (pol) {
1179 xfrm_policy_kill(pol); 1177 xfrm_policy_kill(pol);
1180 return 0; 1178 return 0;
@@ -1193,7 +1191,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1193 return -EINVAL; 1191 return -EINVAL;
1194#endif 1192#endif
1195 1193
1196 write_lock_bh(&xfrm_policy_lock); 1194 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1197 old_pol = sk->sk_policy[dir]; 1195 old_pol = sk->sk_policy[dir];
1198 sk->sk_policy[dir] = pol; 1196 sk->sk_policy[dir] = pol;
1199 if (pol) { 1197 if (pol) {
@@ -1210,7 +1208,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1210 */ 1208 */
1211 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); 1209 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1212 } 1210 }
1213 write_unlock_bh(&xfrm_policy_lock); 1211 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1214 1212
1215 if (old_pol) { 1213 if (old_pol) {
1216 xfrm_policy_kill(old_pol); 1214 xfrm_policy_kill(old_pol);
@@ -1221,6 +1219,7 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1221static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir) 1219static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1222{ 1220{
1223 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC); 1221 struct xfrm_policy *newp = xfrm_policy_alloc(xp_net(old), GFP_ATOMIC);
1222 struct net *net = xp_net(old);
1224 1223
1225 if (newp) { 1224 if (newp) {
1226 newp->selector = old->selector; 1225 newp->selector = old->selector;
@@ -1239,9 +1238,9 @@ static struct xfrm_policy *clone_policy(const struct xfrm_policy *old, int dir)
1239 newp->type = old->type; 1238 newp->type = old->type;
1240 memcpy(newp->xfrm_vec, old->xfrm_vec, 1239 memcpy(newp->xfrm_vec, old->xfrm_vec,
1241 newp->xfrm_nr*sizeof(struct xfrm_tmpl)); 1240 newp->xfrm_nr*sizeof(struct xfrm_tmpl));
1242 write_lock_bh(&xfrm_policy_lock); 1241 write_lock_bh(&net->xfrm.xfrm_policy_lock);
1243 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir); 1242 __xfrm_policy_link(newp, XFRM_POLICY_MAX+dir);
1244 write_unlock_bh(&xfrm_policy_lock); 1243 write_unlock_bh(&net->xfrm.xfrm_policy_lock);
1245 xfrm_pol_put(newp); 1244 xfrm_pol_put(newp);
1246 } 1245 }
1247 return newp; 1246 return newp;
@@ -2112,10 +2111,10 @@ restart:
2112 2111
2113 dst_hold(&xdst->u.dst); 2112 dst_hold(&xdst->u.dst);
2114 2113
2115 spin_lock_bh(&xfrm_policy_sk_bundle_lock); 2114 spin_lock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2116 xdst->u.dst.next = xfrm_policy_sk_bundles; 2115 xdst->u.dst.next = xfrm_policy_sk_bundles;
2117 xfrm_policy_sk_bundles = &xdst->u.dst; 2116 xfrm_policy_sk_bundles = &xdst->u.dst;
2118 spin_unlock_bh(&xfrm_policy_sk_bundle_lock); 2117 spin_unlock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2119 2118
2120 route = xdst->route; 2119 route = xdst->route;
2121 } 2120 }
@@ -2440,7 +2439,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
2440 } 2439 }
2441 xfrm_nr = ti; 2440 xfrm_nr = ti;
2442 if (npols > 1) { 2441 if (npols > 1) {
2443 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family); 2442 xfrm_tmpl_sort(stp, tpp, xfrm_nr, family, net);
2444 tpp = stp; 2443 tpp = stp;
2445 } 2444 }
2446 2445
@@ -2569,10 +2568,10 @@ static void __xfrm_garbage_collect(struct net *net)
2569{ 2568{
2570 struct dst_entry *head, *next; 2569 struct dst_entry *head, *next;
2571 2570
2572 spin_lock_bh(&xfrm_policy_sk_bundle_lock); 2571 spin_lock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2573 head = xfrm_policy_sk_bundles; 2572 head = xfrm_policy_sk_bundles;
2574 xfrm_policy_sk_bundles = NULL; 2573 xfrm_policy_sk_bundles = NULL;
2575 spin_unlock_bh(&xfrm_policy_sk_bundle_lock); 2574 spin_unlock_bh(&net->xfrm.xfrm_policy_sk_bundle_lock);
2576 2575
2577 while (head) { 2576 while (head) {
2578 next = head->next; 2577 next = head->next;
@@ -2956,6 +2955,13 @@ static int __net_init xfrm_net_init(struct net *net)
2956 rv = xfrm_sysctl_init(net); 2955 rv = xfrm_sysctl_init(net);
2957 if (rv < 0) 2956 if (rv < 0)
2958 goto out_sysctl; 2957 goto out_sysctl;
2958
2959 /* Initialize the per-net locks here */
2960 spin_lock_init(&net->xfrm.xfrm_state_lock);
2961 rwlock_init(&net->xfrm.xfrm_policy_lock);
2962 spin_lock_init(&net->xfrm.xfrm_policy_sk_bundle_lock);
2963 mutex_init(&net->xfrm.xfrm_cfg_mutex);
2964
2959 return 0; 2965 return 0;
2960 2966
2961out_sysctl: 2967out_sysctl:
@@ -3082,7 +3088,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector
3082 struct hlist_head *chain; 3088 struct hlist_head *chain;
3083 u32 priority = ~0U; 3089 u32 priority = ~0U;
3084 3090
3085 read_lock_bh(&xfrm_policy_lock); 3091 read_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME*/
3086 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir); 3092 chain = policy_hash_direct(net, &sel->daddr, &sel->saddr, sel->family, dir);
3087 hlist_for_each_entry(pol, chain, bydst) { 3093 hlist_for_each_entry(pol, chain, bydst) {
3088 if (xfrm_migrate_selector_match(sel, &pol->selector) && 3094 if (xfrm_migrate_selector_match(sel, &pol->selector) &&
@@ -3105,7 +3111,7 @@ static struct xfrm_policy * xfrm_migrate_policy_find(const struct xfrm_selector
3105 if (ret) 3111 if (ret)
3106 xfrm_pol_hold(ret); 3112 xfrm_pol_hold(ret);
3107 3113
3108 read_unlock_bh(&xfrm_policy_lock); 3114 read_unlock_bh(&net->xfrm.xfrm_policy_lock);
3109 3115
3110 return ret; 3116 return ret;
3111} 3117}
@@ -3236,7 +3242,7 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
3236 3242
3237 /* Stage 2 - find and update state(s) */ 3243 /* Stage 2 - find and update state(s) */
3238 for (i = 0, mp = m; i < num_migrate; i++, mp++) { 3244 for (i = 0, mp = m; i < num_migrate; i++, mp++) {
3239 if ((x = xfrm_migrate_state_find(mp))) { 3245 if ((x = xfrm_migrate_state_find(mp, net))) {
3240 x_cur[nx_cur] = x; 3246 x_cur[nx_cur] = x;
3241 nx_cur++; 3247 nx_cur++;
3242 if ((xc = xfrm_state_migrate(x, mp))) { 3248 if ((xc = xfrm_state_migrate(x, mp))) {
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 68c2f357a183..290479d0746d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -35,8 +35,6 @@
35 destination/tunnel endpoint. (output) 35 destination/tunnel endpoint. (output)
36 */ 36 */
37 37
38static DEFINE_SPINLOCK(xfrm_state_lock);
39
40static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 38static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
41 39
42static inline unsigned int xfrm_dst_hash(struct net *net, 40static inline unsigned int xfrm_dst_hash(struct net *net,
@@ -127,7 +125,7 @@ static void xfrm_hash_resize(struct work_struct *work)
127 goto out_unlock; 125 goto out_unlock;
128 } 126 }
129 127
130 spin_lock_bh(&xfrm_state_lock); 128 spin_lock_bh(&net->xfrm.xfrm_state_lock);
131 129
132 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 130 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
133 for (i = net->xfrm.state_hmask; i >= 0; i--) 131 for (i = net->xfrm.state_hmask; i >= 0; i--)
@@ -144,7 +142,7 @@ static void xfrm_hash_resize(struct work_struct *work)
144 net->xfrm.state_byspi = nspi; 142 net->xfrm.state_byspi = nspi;
145 net->xfrm.state_hmask = nhashmask; 143 net->xfrm.state_hmask = nhashmask;
146 144
147 spin_unlock_bh(&xfrm_state_lock); 145 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
148 146
149 osize = (ohashmask + 1) * sizeof(struct hlist_head); 147 osize = (ohashmask + 1) * sizeof(struct hlist_head);
150 xfrm_hash_free(odst, osize); 148 xfrm_hash_free(odst, osize);
@@ -535,14 +533,14 @@ int __xfrm_state_delete(struct xfrm_state *x)
535 533
536 if (x->km.state != XFRM_STATE_DEAD) { 534 if (x->km.state != XFRM_STATE_DEAD) {
537 x->km.state = XFRM_STATE_DEAD; 535 x->km.state = XFRM_STATE_DEAD;
538 spin_lock(&xfrm_state_lock); 536 spin_lock(&net->xfrm.xfrm_state_lock);
539 list_del(&x->km.all); 537 list_del(&x->km.all);
540 hlist_del(&x->bydst); 538 hlist_del(&x->bydst);
541 hlist_del(&x->bysrc); 539 hlist_del(&x->bysrc);
542 if (x->id.spi) 540 if (x->id.spi)
543 hlist_del(&x->byspi); 541 hlist_del(&x->byspi);
544 net->xfrm.state_num--; 542 net->xfrm.state_num--;
545 spin_unlock(&xfrm_state_lock); 543 spin_unlock(&net->xfrm.xfrm_state_lock);
546 544
547 /* All xfrm_state objects are created by xfrm_state_alloc. 545 /* All xfrm_state objects are created by xfrm_state_alloc.
548 * The xfrm_state_alloc call gives a reference, and that 546 * The xfrm_state_alloc call gives a reference, and that
@@ -603,7 +601,7 @@ int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info)
603{ 601{
604 int i, err = 0, cnt = 0; 602 int i, err = 0, cnt = 0;
605 603
606 spin_lock_bh(&xfrm_state_lock); 604 spin_lock_bh(&net->xfrm.xfrm_state_lock);
607 err = xfrm_state_flush_secctx_check(net, proto, audit_info); 605 err = xfrm_state_flush_secctx_check(net, proto, audit_info);
608 if (err) 606 if (err)
609 goto out; 607 goto out;
@@ -616,7 +614,7 @@ restart:
616 if (!xfrm_state_kern(x) && 614 if (!xfrm_state_kern(x) &&
617 xfrm_id_proto_match(x->id.proto, proto)) { 615 xfrm_id_proto_match(x->id.proto, proto)) {
618 xfrm_state_hold(x); 616 xfrm_state_hold(x);
619 spin_unlock_bh(&xfrm_state_lock); 617 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
620 618
621 err = xfrm_state_delete(x); 619 err = xfrm_state_delete(x);
622 xfrm_audit_state_delete(x, err ? 0 : 1, 620 xfrm_audit_state_delete(x, err ? 0 : 1,
@@ -627,7 +625,7 @@ restart:
627 if (!err) 625 if (!err)
628 cnt++; 626 cnt++;
629 627
630 spin_lock_bh(&xfrm_state_lock); 628 spin_lock_bh(&net->xfrm.xfrm_state_lock);
631 goto restart; 629 goto restart;
632 } 630 }
633 } 631 }
@@ -636,7 +634,7 @@ restart:
636 err = 0; 634 err = 0;
637 635
638out: 636out:
639 spin_unlock_bh(&xfrm_state_lock); 637 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
640 wake_up(&net->xfrm.km_waitq); 638 wake_up(&net->xfrm.km_waitq);
641 return err; 639 return err;
642} 640}
@@ -644,11 +642,11 @@ EXPORT_SYMBOL(xfrm_state_flush);
644 642
645void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si) 643void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
646{ 644{
647 spin_lock_bh(&xfrm_state_lock); 645 spin_lock_bh(&net->xfrm.xfrm_state_lock);
648 si->sadcnt = net->xfrm.state_num; 646 si->sadcnt = net->xfrm.state_num;
649 si->sadhcnt = net->xfrm.state_hmask; 647 si->sadhcnt = net->xfrm.state_hmask;
650 si->sadhmcnt = xfrm_state_hashmax; 648 si->sadhmcnt = xfrm_state_hashmax;
651 spin_unlock_bh(&xfrm_state_lock); 649 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
652} 650}
653EXPORT_SYMBOL(xfrm_sad_getinfo); 651EXPORT_SYMBOL(xfrm_sad_getinfo);
654 652
@@ -801,7 +799,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
801 799
802 to_put = NULL; 800 to_put = NULL;
803 801
804 spin_lock_bh(&xfrm_state_lock); 802 spin_lock_bh(&net->xfrm.xfrm_state_lock);
805 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family); 803 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);
806 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 804 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
807 if (x->props.family == encap_family && 805 if (x->props.family == encap_family &&
@@ -886,7 +884,7 @@ out:
886 xfrm_state_hold(x); 884 xfrm_state_hold(x);
887 else 885 else
888 *err = acquire_in_progress ? -EAGAIN : error; 886 *err = acquire_in_progress ? -EAGAIN : error;
889 spin_unlock_bh(&xfrm_state_lock); 887 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
890 if (to_put) 888 if (to_put)
891 xfrm_state_put(to_put); 889 xfrm_state_put(to_put);
892 return x; 890 return x;
@@ -900,7 +898,7 @@ xfrm_stateonly_find(struct net *net, u32 mark,
900 unsigned int h; 898 unsigned int h;
901 struct xfrm_state *rx = NULL, *x = NULL; 899 struct xfrm_state *rx = NULL, *x = NULL;
902 900
903 spin_lock(&xfrm_state_lock); 901 spin_lock(&net->xfrm.xfrm_state_lock);
904 h = xfrm_dst_hash(net, daddr, saddr, reqid, family); 902 h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
905 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) { 903 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
906 if (x->props.family == family && 904 if (x->props.family == family &&
@@ -918,7 +916,7 @@ xfrm_stateonly_find(struct net *net, u32 mark,
918 916
919 if (rx) 917 if (rx)
920 xfrm_state_hold(rx); 918 xfrm_state_hold(rx);
921 spin_unlock(&xfrm_state_lock); 919 spin_unlock(&net->xfrm.xfrm_state_lock);
922 920
923 921
924 return rx; 922 return rx;
@@ -957,7 +955,7 @@ static void __xfrm_state_insert(struct xfrm_state *x)
957 xfrm_hash_grow_check(net, x->bydst.next != NULL); 955 xfrm_hash_grow_check(net, x->bydst.next != NULL);
958} 956}
959 957
960/* xfrm_state_lock is held */ 958/* net->xfrm.xfrm_state_lock is held */
961static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 959static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
962{ 960{
963 struct net *net = xs_net(xnew); 961 struct net *net = xs_net(xnew);
@@ -980,14 +978,16 @@ static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
980 978
981void xfrm_state_insert(struct xfrm_state *x) 979void xfrm_state_insert(struct xfrm_state *x)
982{ 980{
983 spin_lock_bh(&xfrm_state_lock); 981 struct net *net = xs_net(x);
982
983 spin_lock_bh(&net->xfrm.xfrm_state_lock);
984 __xfrm_state_bump_genids(x); 984 __xfrm_state_bump_genids(x);
985 __xfrm_state_insert(x); 985 __xfrm_state_insert(x);
986 spin_unlock_bh(&xfrm_state_lock); 986 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
987} 987}
988EXPORT_SYMBOL(xfrm_state_insert); 988EXPORT_SYMBOL(xfrm_state_insert);
989 989
990/* xfrm_state_lock is held */ 990/* net->xfrm.xfrm_state_lock is held */
991static struct xfrm_state *__find_acq_core(struct net *net, 991static struct xfrm_state *__find_acq_core(struct net *net,
992 const struct xfrm_mark *m, 992 const struct xfrm_mark *m,
993 unsigned short family, u8 mode, 993 unsigned short family, u8 mode,
@@ -1079,7 +1079,7 @@ int xfrm_state_add(struct xfrm_state *x)
1079 1079
1080 to_put = NULL; 1080 to_put = NULL;
1081 1081
1082 spin_lock_bh(&xfrm_state_lock); 1082 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1083 1083
1084 x1 = __xfrm_state_locate(x, use_spi, family); 1084 x1 = __xfrm_state_locate(x, use_spi, family);
1085 if (x1) { 1085 if (x1) {
@@ -1108,7 +1108,7 @@ int xfrm_state_add(struct xfrm_state *x)
1108 err = 0; 1108 err = 0;
1109 1109
1110out: 1110out:
1111 spin_unlock_bh(&xfrm_state_lock); 1111 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1112 1112
1113 if (x1) { 1113 if (x1) {
1114 xfrm_state_delete(x1); 1114 xfrm_state_delete(x1);
@@ -1203,16 +1203,16 @@ out:
1203 return NULL; 1203 return NULL;
1204} 1204}
1205 1205
1206/* xfrm_state_lock is held */ 1206/* net->xfrm.xfrm_state_lock is held */
1207struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m) 1207struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net)
1208{ 1208{
1209 unsigned int h; 1209 unsigned int h;
1210 struct xfrm_state *x; 1210 struct xfrm_state *x;
1211 1211
1212 if (m->reqid) { 1212 if (m->reqid) {
1213 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr, 1213 h = xfrm_dst_hash(net, &m->old_daddr, &m->old_saddr,
1214 m->reqid, m->old_family); 1214 m->reqid, m->old_family);
1215 hlist_for_each_entry(x, init_net.xfrm.state_bydst+h, bydst) { 1215 hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
1216 if (x->props.mode != m->mode || 1216 if (x->props.mode != m->mode ||
1217 x->id.proto != m->proto) 1217 x->id.proto != m->proto)
1218 continue; 1218 continue;
@@ -1227,9 +1227,9 @@ struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1227 return x; 1227 return x;
1228 } 1228 }
1229 } else { 1229 } else {
1230 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr, 1230 h = xfrm_src_hash(net, &m->old_daddr, &m->old_saddr,
1231 m->old_family); 1231 m->old_family);
1232 hlist_for_each_entry(x, init_net.xfrm.state_bysrc+h, bysrc) { 1232 hlist_for_each_entry(x, net->xfrm.state_bysrc+h, bysrc) {
1233 if (x->props.mode != m->mode || 1233 if (x->props.mode != m->mode ||
1234 x->id.proto != m->proto) 1234 x->id.proto != m->proto)
1235 continue; 1235 continue;
@@ -1283,10 +1283,11 @@ int xfrm_state_update(struct xfrm_state *x)
1283 struct xfrm_state *x1, *to_put; 1283 struct xfrm_state *x1, *to_put;
1284 int err; 1284 int err;
1285 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1285 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1286 struct net *net = xs_net(x);
1286 1287
1287 to_put = NULL; 1288 to_put = NULL;
1288 1289
1289 spin_lock_bh(&xfrm_state_lock); 1290 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1290 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1291 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1291 1292
1292 err = -ESRCH; 1293 err = -ESRCH;
@@ -1306,7 +1307,7 @@ int xfrm_state_update(struct xfrm_state *x)
1306 err = 0; 1307 err = 0;
1307 1308
1308out: 1309out:
1309 spin_unlock_bh(&xfrm_state_lock); 1310 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1310 1311
1311 if (to_put) 1312 if (to_put)
1312 xfrm_state_put(to_put); 1313 xfrm_state_put(to_put);
@@ -1377,9 +1378,9 @@ xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32
1377{ 1378{
1378 struct xfrm_state *x; 1379 struct xfrm_state *x;
1379 1380
1380 spin_lock_bh(&xfrm_state_lock); 1381 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1381 x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family); 1382 x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family);
1382 spin_unlock_bh(&xfrm_state_lock); 1383 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1383 return x; 1384 return x;
1384} 1385}
1385EXPORT_SYMBOL(xfrm_state_lookup); 1386EXPORT_SYMBOL(xfrm_state_lookup);
@@ -1391,9 +1392,9 @@ xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1391{ 1392{
1392 struct xfrm_state *x; 1393 struct xfrm_state *x;
1393 1394
1394 spin_lock_bh(&xfrm_state_lock); 1395 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1395 x = __xfrm_state_lookup_byaddr(net, mark, daddr, saddr, proto, family); 1396 x = __xfrm_state_lookup_byaddr(net, mark, daddr, saddr, proto, family);
1396 spin_unlock_bh(&xfrm_state_lock); 1397 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1397 return x; 1398 return x;
1398} 1399}
1399EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1400EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
@@ -1405,9 +1406,9 @@ xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, u8 mode, u32 reqid,
1405{ 1406{
1406 struct xfrm_state *x; 1407 struct xfrm_state *x;
1407 1408
1408 spin_lock_bh(&xfrm_state_lock); 1409 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1409 x = __find_acq_core(net, mark, family, mode, reqid, proto, daddr, saddr, create); 1410 x = __find_acq_core(net, mark, family, mode, reqid, proto, daddr, saddr, create);
1410 spin_unlock_bh(&xfrm_state_lock); 1411 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1411 1412
1412 return x; 1413 return x;
1413} 1414}
@@ -1416,17 +1417,17 @@ EXPORT_SYMBOL(xfrm_find_acq);
1416#ifdef CONFIG_XFRM_SUB_POLICY 1417#ifdef CONFIG_XFRM_SUB_POLICY
1417int 1418int
1418xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1419xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1419 unsigned short family) 1420 unsigned short family, struct net *net)
1420{ 1421{
1421 int err = 0; 1422 int err = 0;
1422 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1423 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1423 if (!afinfo) 1424 if (!afinfo)
1424 return -EAFNOSUPPORT; 1425 return -EAFNOSUPPORT;
1425 1426
1426 spin_lock_bh(&xfrm_state_lock); 1427 spin_lock_bh(&net->xfrm.xfrm_state_lock); /*FIXME*/
1427 if (afinfo->tmpl_sort) 1428 if (afinfo->tmpl_sort)
1428 err = afinfo->tmpl_sort(dst, src, n); 1429 err = afinfo->tmpl_sort(dst, src, n);
1429 spin_unlock_bh(&xfrm_state_lock); 1430 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1430 xfrm_state_put_afinfo(afinfo); 1431 xfrm_state_put_afinfo(afinfo);
1431 return err; 1432 return err;
1432} 1433}
@@ -1438,13 +1439,15 @@ xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1438{ 1439{
1439 int err = 0; 1440 int err = 0;
1440 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1441 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1442 struct net *net = xs_net(*dst);
1443
1441 if (!afinfo) 1444 if (!afinfo)
1442 return -EAFNOSUPPORT; 1445 return -EAFNOSUPPORT;
1443 1446
1444 spin_lock_bh(&xfrm_state_lock); 1447 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1445 if (afinfo->state_sort) 1448 if (afinfo->state_sort)
1446 err = afinfo->state_sort(dst, src, n); 1449 err = afinfo->state_sort(dst, src, n);
1447 spin_unlock_bh(&xfrm_state_lock); 1450 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1448 xfrm_state_put_afinfo(afinfo); 1451 xfrm_state_put_afinfo(afinfo);
1449 return err; 1452 return err;
1450} 1453}
@@ -1476,9 +1479,9 @@ struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq)
1476{ 1479{
1477 struct xfrm_state *x; 1480 struct xfrm_state *x;
1478 1481
1479 spin_lock_bh(&xfrm_state_lock); 1482 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1480 x = __xfrm_find_acq_byseq(net, mark, seq); 1483 x = __xfrm_find_acq_byseq(net, mark, seq);
1481 spin_unlock_bh(&xfrm_state_lock); 1484 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1482 return x; 1485 return x;
1483} 1486}
1484EXPORT_SYMBOL(xfrm_find_acq_byseq); 1487EXPORT_SYMBOL(xfrm_find_acq_byseq);
@@ -1536,10 +1539,10 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1536 } 1539 }
1537 } 1540 }
1538 if (x->id.spi) { 1541 if (x->id.spi) {
1539 spin_lock_bh(&xfrm_state_lock); 1542 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1540 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family); 1543 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1541 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h); 1544 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
1542 spin_unlock_bh(&xfrm_state_lock); 1545 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1543 1546
1544 err = 0; 1547 err = 0;
1545 } 1548 }
@@ -1562,7 +1565,7 @@ int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1562 if (walk->seq != 0 && list_empty(&walk->all)) 1565 if (walk->seq != 0 && list_empty(&walk->all))
1563 return 0; 1566 return 0;
1564 1567
1565 spin_lock_bh(&xfrm_state_lock); 1568 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1566 if (list_empty(&walk->all)) 1569 if (list_empty(&walk->all))
1567 x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all); 1570 x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all);
1568 else 1571 else
@@ -1586,7 +1589,7 @@ int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
1586 } 1589 }
1587 list_del_init(&walk->all); 1590 list_del_init(&walk->all);
1588out: 1591out:
1589 spin_unlock_bh(&xfrm_state_lock); 1592 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1590 return err; 1593 return err;
1591} 1594}
1592EXPORT_SYMBOL(xfrm_state_walk); 1595EXPORT_SYMBOL(xfrm_state_walk);
@@ -1600,14 +1603,14 @@ void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1600} 1603}
1601EXPORT_SYMBOL(xfrm_state_walk_init); 1604EXPORT_SYMBOL(xfrm_state_walk_init);
1602 1605
1603void xfrm_state_walk_done(struct xfrm_state_walk *walk) 1606void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net)
1604{ 1607{
1605 if (list_empty(&walk->all)) 1608 if (list_empty(&walk->all))
1606 return; 1609 return;
1607 1610
1608 spin_lock_bh(&xfrm_state_lock); 1611 spin_lock_bh(&net->xfrm.xfrm_state_lock);
1609 list_del(&walk->all); 1612 list_del(&walk->all);
1610 spin_unlock_bh(&xfrm_state_lock); 1613 spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1611} 1614}
1612EXPORT_SYMBOL(xfrm_state_walk_done); 1615EXPORT_SYMBOL(xfrm_state_walk_done);
1613 1616
@@ -2026,6 +2029,7 @@ int __net_init xfrm_state_init(struct net *net)
2026 INIT_HLIST_HEAD(&net->xfrm.state_gc_list); 2029 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
2027 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task); 2030 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
2028 init_waitqueue_head(&net->xfrm.km_waitq); 2031 init_waitqueue_head(&net->xfrm.km_waitq);
2032 spin_lock_init(&net->xfrm.xfrm_state_lock);
2029 return 0; 2033 return 0;
2030 2034
2031out_byspi: 2035out_byspi:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 840cc8d9fbe4..16c84608e81e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -877,7 +877,10 @@ static int dump_one_state(struct xfrm_state *x, int count, void *ptr)
877static int xfrm_dump_sa_done(struct netlink_callback *cb) 877static int xfrm_dump_sa_done(struct netlink_callback *cb)
878{ 878{
879 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1]; 879 struct xfrm_state_walk *walk = (struct xfrm_state_walk *) &cb->args[1];
880 xfrm_state_walk_done(walk); 880 struct sock *sk = cb->skb->sk;
881 struct net *net = sock_net(sk);
882
883 xfrm_state_walk_done(walk, net);
881 return 0; 884 return 0;
882} 885}
883 886
@@ -1555,8 +1558,9 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
1555static int xfrm_dump_policy_done(struct netlink_callback *cb) 1558static int xfrm_dump_policy_done(struct netlink_callback *cb)
1556{ 1559{
1557 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1]; 1560 struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
1561 struct net *net = sock_net(cb->skb->sk);
1558 1562
1559 xfrm_policy_walk_done(walk); 1563 xfrm_policy_walk_done(walk, net);
1560 return 0; 1564 return 0;
1561} 1565}
1562 1566
@@ -2403,9 +2407,11 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
2403 2407
2404static void xfrm_netlink_rcv(struct sk_buff *skb) 2408static void xfrm_netlink_rcv(struct sk_buff *skb)
2405{ 2409{
2406 mutex_lock(&xfrm_cfg_mutex); 2410 struct net *net = sock_net(skb->sk);
2411
2412 mutex_lock(&net->xfrm.xfrm_cfg_mutex);
2407 netlink_rcv_skb(skb, &xfrm_user_rcv_msg); 2413 netlink_rcv_skb(skb, &xfrm_user_rcv_msg);
2408 mutex_unlock(&xfrm_cfg_mutex); 2414 mutex_unlock(&net->xfrm.xfrm_cfg_mutex);
2409} 2415}
2410 2416
2411static inline size_t xfrm_expire_msgsize(void) 2417static inline size_t xfrm_expire_msgsize(void)
generated by cgit v1.2.2 (git 2.25.0) at 2026-05-12 10:40:10 -0400