1 files changed, 20 insertions, 9 deletions
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 545f047868ad..1a04c1329362 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1340,6 +1340,12 @@ static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_
                max_spi = range->sadb_spirange_max;
        }
+        err = verify_spi_info(x->id.proto, min_spi, max_spi);
+        if (err) {
+                xfrm_state_put(x);
+                return err;
+        }
        err = xfrm_alloc_spi(x, min_spi, max_spi);
        resp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);
@@ -1380,10 +1386,9 @@ static int pfkey_acquire(struct sock *sk, struct sk_buff *skb, const struct sadb
                return 0;
        spin_lock_bh(&x->lock);
-        if (x->km.state == XFRM_STATE_ACQ) {
+        if (x->km.state == XFRM_STATE_ACQ)
                x->km.state = XFRM_STATE_ERROR;
-                wake_up(&net->xfrm.km_waitq);
-        }
        spin_unlock_bh(&x->lock);
        xfrm_state_put(x);
        return 0;
@@ -1785,7 +1790,9 @@ static int pfkey_dump_sa(struct pfkey_sock *pfk)
 static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
 {
-        xfrm_state_walk_done(&pfk->dump.u.state);
+        struct net *net = sock_net(&pfk->sk);
+        xfrm_state_walk_done(&pfk->dump.u.state, net);
 }
 static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
@@ -1861,7 +1868,7 @@ static u32 gen_reqid(struct net *net)
                        reqid = IPSEC_MANUAL_REQID_MAX+1;
                xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN);
                rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid);
-                xfrm_policy_walk_done(&walk);
+                xfrm_policy_walk_done(&walk, net);
                if (rc != -EEXIST)
                        return reqid;
        } while (reqid != start);
@@ -2485,6 +2492,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
        struct xfrm_selector sel;
        struct xfrm_migrate m[XFRM_MAX_DEPTH];
        struct xfrm_kmaddress k;
+        struct net *net = sock_net(sk);
        if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
                                     ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
@@ -2558,7 +2566,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
        }
        return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
-                            kma ? &k : NULL);
+                            kma ? &k : NULL, net);
 out:
        return err;
@@ -2659,7 +2667,9 @@ static int pfkey_dump_sp(struct pfkey_sock *pfk)
 static void pfkey_dump_sp_done(struct pfkey_sock *pfk)
 {
-        xfrm_policy_walk_done(&pfk->dump.u.policy);
+        struct net *net = sock_net((struct sock *)pfk);
+        xfrm_policy_walk_done(&pfk->dump.u.policy, net);
 }
 static int pfkey_spddump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
@@ -3569,6 +3579,7 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
        struct sk_buff *skb = NULL;
        struct sadb_msg *hdr = NULL;
        int err;
+        struct net *net = sock_net(sk);
        err = -EOPNOTSUPP;
        if (msg->msg_flags & MSG_OOB)
@@ -3591,9 +3602,9 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
        if (!hdr)
                goto out;
-        mutex_lock(&xfrm_cfg_mutex);
+        mutex_lock(&net->xfrm.xfrm_cfg_mutex);
        err = pfkey_process(sk, skb, hdr);
-        mutex_unlock(&xfrm_cfg_mutex);
+        mutex_unlock(&net->xfrm.xfrm_cfg_mutex);
 out:
        if (err && hdr && pfkey_error(hdr, err, sk) == 0)

diff --git a/net/key/af_key.c b/net/key/af_key.c index 545f047868ad..1a04c1329362 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -1340,6 +1340,12 @@ static int pfkey_getspi(struct sock sk, struct sk_buff skb, const struct sadb_
1340	max_spi = range->sadb_spirange_max;	1340	max_spi = range->sadb_spirange_max;
1341	}	1341	}
1342		1342
		1343	err = verify_spi_info(x->id.proto, min_spi, max_spi);
		1344	if (err) {
		1345	xfrm_state_put(x);
		1346	return err;
		1347	}
		1348
1343	err = xfrm_alloc_spi(x, min_spi, max_spi);	1349	err = xfrm_alloc_spi(x, min_spi, max_spi);
1344	resp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);	1350	resp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);
1345		1351
@@ -1380,10 +1386,9 @@ static int pfkey_acquire(struct sock sk, struct sk_buff skb, const struct sadb
1380	return 0;	1386	return 0;
1381		1387
1382	spin_lock_bh(&x->lock);	1388	spin_lock_bh(&x->lock);
1383	if (x->km.state == XFRM_STATE_ACQ) {	1389	if (x->km.state == XFRM_STATE_ACQ)
1384	x->km.state = XFRM_STATE_ERROR;	1390	x->km.state = XFRM_STATE_ERROR;
1385	wake_up(&net->xfrm.km_waitq);	1391
1386	}
1387	spin_unlock_bh(&x->lock);	1392	spin_unlock_bh(&x->lock);
1388	xfrm_state_put(x);	1393	xfrm_state_put(x);
1389	return 0;	1394	return 0;
@@ -1785,7 +1790,9 @@ static int pfkey_dump_sa(struct pfkey_sock *pfk)
1785		1790
1786	static void pfkey_dump_sa_done(struct pfkey_sock *pfk)	1791	static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
1787	{	1792	{
1788	xfrm_state_walk_done(&pfk->dump.u.state);	1793	struct net *net = sock_net(&pfk->sk);
		1794
		1795	xfrm_state_walk_done(&pfk->dump.u.state, net);
1789	}	1796	}
1790		1797
1791	static int pfkey_dump(struct sock sk, struct sk_buff skb, const struct sadb_msg hdr, void const *ext_hdrs)	1798	static int pfkey_dump(struct sock sk, struct sk_buff skb, const struct sadb_msg hdr, void const *ext_hdrs)
@@ -1861,7 +1868,7 @@ static u32 gen_reqid(struct net *net)
1861	reqid = IPSEC_MANUAL_REQID_MAX+1;	1868	reqid = IPSEC_MANUAL_REQID_MAX+1;
1862	xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN);	1869	xfrm_policy_walk_init(&walk, XFRM_POLICY_TYPE_MAIN);
1863	rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid);	1870	rc = xfrm_policy_walk(net, &walk, check_reqid, (void*)&reqid);
1864	xfrm_policy_walk_done(&walk);	1871	xfrm_policy_walk_done(&walk, net);
1865	if (rc != -EEXIST)	1872	if (rc != -EEXIST)
1866	return reqid;	1873	return reqid;
1867	} while (reqid != start);	1874	} while (reqid != start);
@@ -2485,6 +2492,7 @@ static int pfkey_migrate(struct sock sk, struct sk_buff skb,
2485	struct xfrm_selector sel;	2492	struct xfrm_selector sel;
2486	struct xfrm_migrate m[XFRM_MAX_DEPTH];	2493	struct xfrm_migrate m[XFRM_MAX_DEPTH];
2487	struct xfrm_kmaddress k;	2494	struct xfrm_kmaddress k;
		2495	struct net *net = sock_net(sk);
2488		2496
2489	if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],	2497	if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
2490	ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) \|\|	2498	ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) \|\|
@@ -2558,7 +2566,7 @@ static int pfkey_migrate(struct sock sk, struct sk_buff skb,
2558	}	2566	}
2559		2567
2560	return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,	2568	return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
2561	kma ? &k : NULL);	2569	kma ? &k : NULL, net);
2562		2570
2563	out:	2571	out:
2564	return err;	2572	return err;
@@ -2659,7 +2667,9 @@ static int pfkey_dump_sp(struct pfkey_sock *pfk)
2659		2667
2660	static void pfkey_dump_sp_done(struct pfkey_sock *pfk)	2668	static void pfkey_dump_sp_done(struct pfkey_sock *pfk)
2661	{	2669	{
2662	xfrm_policy_walk_done(&pfk->dump.u.policy);	2670	struct net net = sock_net((struct sock )pfk);
		2671
		2672	xfrm_policy_walk_done(&pfk->dump.u.policy, net);
2663	}	2673	}
2664		2674
2665	static int pfkey_spddump(struct sock sk, struct sk_buff skb, const struct sadb_msg hdr, void const *ext_hdrs)	2675	static int pfkey_spddump(struct sock sk, struct sk_buff skb, const struct sadb_msg hdr, void const *ext_hdrs)
@@ -3569,6 +3579,7 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
3569	struct sk_buff *skb = NULL;	3579	struct sk_buff *skb = NULL;
3570	struct sadb_msg *hdr = NULL;	3580	struct sadb_msg *hdr = NULL;
3571	int err;	3581	int err;
		3582	struct net *net = sock_net(sk);
3572		3583
3573	err = -EOPNOTSUPP;	3584	err = -EOPNOTSUPP;
3574	if (msg->msg_flags & MSG_OOB)	3585	if (msg->msg_flags & MSG_OOB)
@@ -3591,9 +3602,9 @@ static int pfkey_sendmsg(struct kiocb *kiocb,
3591	if (!hdr)	3602	if (!hdr)
3592	goto out;	3603	goto out;
3593		3604
3594	mutex_lock(&xfrm_cfg_mutex);	3605	mutex_lock(&net->xfrm.xfrm_cfg_mutex);
3595	err = pfkey_process(sk, skb, hdr);	3606	err = pfkey_process(sk, skb, hdr);
3596	mutex_unlock(&xfrm_cfg_mutex);	3607	mutex_unlock(&net->xfrm.xfrm_cfg_mutex);
3597		3608
3598	out:	3609	out:
3599	if (err && hdr && pfkey_error(hdr, err, sk) == 0)	3610	if (err && hdr && pfkey_error(hdr, err, sk) == 0)