aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c901
1 files changed, 483 insertions, 418 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 0ecb16a9a883..cbab6e1a8c9c 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -37,6 +37,8 @@
37DEFINE_MUTEX(xfrm_cfg_mutex); 37DEFINE_MUTEX(xfrm_cfg_mutex);
38EXPORT_SYMBOL(xfrm_cfg_mutex); 38EXPORT_SYMBOL(xfrm_cfg_mutex);
39 39
40static DEFINE_SPINLOCK(xfrm_policy_sk_bundle_lock);
41static struct dst_entry *xfrm_policy_sk_bundles;
40static DEFINE_RWLOCK(xfrm_policy_lock); 42static DEFINE_RWLOCK(xfrm_policy_lock);
41 43
42static DEFINE_RWLOCK(xfrm_policy_afinfo_lock); 44static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
@@ -44,12 +46,10 @@ static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
44 46
45static struct kmem_cache *xfrm_dst_cache __read_mostly; 47static struct kmem_cache *xfrm_dst_cache __read_mostly;
46 48
47static HLIST_HEAD(xfrm_policy_gc_list);
48static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
49
50static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family); 49static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
51static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
52static void xfrm_init_pmtu(struct dst_entry *dst); 51static void xfrm_init_pmtu(struct dst_entry *dst);
52static int stale_bundle(struct dst_entry *dst);
53 53
54static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 54static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
55 int dir); 55 int dir);
@@ -156,7 +156,7 @@ static void xfrm_policy_timer(unsigned long data)
156 156
157 read_lock(&xp->lock); 157 read_lock(&xp->lock);
158 158
159 if (xp->walk.dead) 159 if (unlikely(xp->walk.dead))
160 goto out; 160 goto out;
161 161
162 dir = xfrm_policy_id2dir(xp->index); 162 dir = xfrm_policy_id2dir(xp->index);
@@ -216,6 +216,35 @@ expired:
216 xfrm_pol_put(xp); 216 xfrm_pol_put(xp);
217} 217}
218 218
219static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo)
220{
221 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
222
223 if (unlikely(pol->walk.dead))
224 flo = NULL;
225 else
226 xfrm_pol_hold(pol);
227
228 return flo;
229}
230
231static int xfrm_policy_flo_check(struct flow_cache_object *flo)
232{
233 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
234
235 return !pol->walk.dead;
236}
237
238static void xfrm_policy_flo_delete(struct flow_cache_object *flo)
239{
240 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo));
241}
242
243static const struct flow_cache_ops xfrm_policy_fc_ops = {
244 .get = xfrm_policy_flo_get,
245 .check = xfrm_policy_flo_check,
246 .delete = xfrm_policy_flo_delete,
247};
219 248
220/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2 249/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
221 * SPD calls. 250 * SPD calls.
@@ -236,6 +265,7 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
236 atomic_set(&policy->refcnt, 1); 265 atomic_set(&policy->refcnt, 1);
237 setup_timer(&policy->timer, xfrm_policy_timer, 266 setup_timer(&policy->timer, xfrm_policy_timer,
238 (unsigned long)policy); 267 (unsigned long)policy);
268 policy->flo.ops = &xfrm_policy_fc_ops;
239 } 269 }
240 return policy; 270 return policy;
241} 271}
@@ -247,8 +277,6 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
247{ 277{
248 BUG_ON(!policy->walk.dead); 278 BUG_ON(!policy->walk.dead);
249 279
250 BUG_ON(policy->bundles);
251
252 if (del_timer(&policy->timer)) 280 if (del_timer(&policy->timer))
253 BUG(); 281 BUG();
254 282
@@ -257,63 +285,20 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
257} 285}
258EXPORT_SYMBOL(xfrm_policy_destroy); 286EXPORT_SYMBOL(xfrm_policy_destroy);
259 287
260static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
261{
262 struct dst_entry *dst;
263
264 while ((dst = policy->bundles) != NULL) {
265 policy->bundles = dst->next;
266 dst_free(dst);
267 }
268
269 if (del_timer(&policy->timer))
270 atomic_dec(&policy->refcnt);
271
272 if (atomic_read(&policy->refcnt) > 1)
273 flow_cache_flush();
274
275 xfrm_pol_put(policy);
276}
277
278static void xfrm_policy_gc_task(struct work_struct *work)
279{
280 struct xfrm_policy *policy;
281 struct hlist_node *entry, *tmp;
282 struct hlist_head gc_list;
283
284 spin_lock_bh(&xfrm_policy_gc_lock);
285 gc_list.first = xfrm_policy_gc_list.first;
286 INIT_HLIST_HEAD(&xfrm_policy_gc_list);
287 spin_unlock_bh(&xfrm_policy_gc_lock);
288
289 hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
290 xfrm_policy_gc_kill(policy);
291}
292static DECLARE_WORK(xfrm_policy_gc_work, xfrm_policy_gc_task);
293
294/* Rule must be locked. Release descentant resources, announce 288/* Rule must be locked. Release descentant resources, announce
295 * entry dead. The rule must be unlinked from lists to the moment. 289 * entry dead. The rule must be unlinked from lists to the moment.
296 */ 290 */
297 291
298static void xfrm_policy_kill(struct xfrm_policy *policy) 292static void xfrm_policy_kill(struct xfrm_policy *policy)
299{ 293{
300 int dead;
301
302 write_lock_bh(&policy->lock);
303 dead = policy->walk.dead;
304 policy->walk.dead = 1; 294 policy->walk.dead = 1;
305 write_unlock_bh(&policy->lock);
306 295
307 if (unlikely(dead)) { 296 atomic_inc(&policy->genid);
308 WARN_ON(1);
309 return;
310 }
311 297
312 spin_lock_bh(&xfrm_policy_gc_lock); 298 if (del_timer(&policy->timer))
313 hlist_add_head(&policy->bydst, &xfrm_policy_gc_list); 299 xfrm_pol_put(policy);
314 spin_unlock_bh(&xfrm_policy_gc_lock);
315 300
316 schedule_work(&xfrm_policy_gc_work); 301 xfrm_pol_put(policy);
317} 302}
318 303
319static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024; 304static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
@@ -555,7 +540,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
555 struct xfrm_policy *delpol; 540 struct xfrm_policy *delpol;
556 struct hlist_head *chain; 541 struct hlist_head *chain;
557 struct hlist_node *entry, *newpos; 542 struct hlist_node *entry, *newpos;
558 struct dst_entry *gc_list; 543 u32 mark = policy->mark.v & policy->mark.m;
559 544
560 write_lock_bh(&xfrm_policy_lock); 545 write_lock_bh(&xfrm_policy_lock);
561 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir); 546 chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);
@@ -564,6 +549,7 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
564 hlist_for_each_entry(pol, entry, chain, bydst) { 549 hlist_for_each_entry(pol, entry, chain, bydst) {
565 if (pol->type == policy->type && 550 if (pol->type == policy->type &&
566 !selector_cmp(&pol->selector, &policy->selector) && 551 !selector_cmp(&pol->selector, &policy->selector) &&
552 (mark & pol->mark.m) == pol->mark.v &&
567 xfrm_sec_ctx_match(pol->security, policy->security) && 553 xfrm_sec_ctx_match(pol->security, policy->security) &&
568 !WARN_ON(delpol)) { 554 !WARN_ON(delpol)) {
569 if (excl) { 555 if (excl) {
@@ -603,40 +589,12 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
603 else if (xfrm_bydst_should_resize(net, dir, NULL)) 589 else if (xfrm_bydst_should_resize(net, dir, NULL))
604 schedule_work(&net->xfrm.policy_hash_work); 590 schedule_work(&net->xfrm.policy_hash_work);
605 591
606 read_lock_bh(&xfrm_policy_lock);
607 gc_list = NULL;
608 entry = &policy->bydst;
609 hlist_for_each_entry_continue(policy, entry, bydst) {
610 struct dst_entry *dst;
611
612 write_lock(&policy->lock);
613 dst = policy->bundles;
614 if (dst) {
615 struct dst_entry *tail = dst;
616 while (tail->next)
617 tail = tail->next;
618 tail->next = gc_list;
619 gc_list = dst;
620
621 policy->bundles = NULL;
622 }
623 write_unlock(&policy->lock);
624 }
625 read_unlock_bh(&xfrm_policy_lock);
626
627 while (gc_list) {
628 struct dst_entry *dst = gc_list;
629
630 gc_list = dst->next;
631 dst_free(dst);
632 }
633
634 return 0; 592 return 0;
635} 593}
636EXPORT_SYMBOL(xfrm_policy_insert); 594EXPORT_SYMBOL(xfrm_policy_insert);
637 595
638struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir, 596struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
639 struct xfrm_selector *sel, 597 int dir, struct xfrm_selector *sel,
640 struct xfrm_sec_ctx *ctx, int delete, 598 struct xfrm_sec_ctx *ctx, int delete,
641 int *err) 599 int *err)
642{ 600{
@@ -650,6 +608,7 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir,
650 ret = NULL; 608 ret = NULL;
651 hlist_for_each_entry(pol, entry, chain, bydst) { 609 hlist_for_each_entry(pol, entry, chain, bydst) {
652 if (pol->type == type && 610 if (pol->type == type &&
611 (mark & pol->mark.m) == pol->mark.v &&
653 !selector_cmp(sel, &pol->selector) && 612 !selector_cmp(sel, &pol->selector) &&
654 xfrm_sec_ctx_match(ctx, pol->security)) { 613 xfrm_sec_ctx_match(ctx, pol->security)) {
655 xfrm_pol_hold(pol); 614 xfrm_pol_hold(pol);
@@ -668,16 +627,14 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u8 type, int dir,
668 } 627 }
669 write_unlock_bh(&xfrm_policy_lock); 628 write_unlock_bh(&xfrm_policy_lock);
670 629
671 if (ret && delete) { 630 if (ret && delete)
672 atomic_inc(&flow_cache_genid);
673 xfrm_policy_kill(ret); 631 xfrm_policy_kill(ret);
674 }
675 return ret; 632 return ret;
676} 633}
677EXPORT_SYMBOL(xfrm_policy_bysel_ctx); 634EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
678 635
679struct xfrm_policy *xfrm_policy_byid(struct net *net, u8 type, int dir, u32 id, 636struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
680 int delete, int *err) 637 int dir, u32 id, int delete, int *err)
681{ 638{
682 struct xfrm_policy *pol, *ret; 639 struct xfrm_policy *pol, *ret;
683 struct hlist_head *chain; 640 struct hlist_head *chain;
@@ -692,7 +649,8 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u8 type, int dir, u32 id,
692 chain = net->xfrm.policy_byidx + idx_hash(net, id); 649 chain = net->xfrm.policy_byidx + idx_hash(net, id);
693 ret = NULL; 650 ret = NULL;
694 hlist_for_each_entry(pol, entry, chain, byidx) { 651 hlist_for_each_entry(pol, entry, chain, byidx) {
695 if (pol->type == type && pol->index == id) { 652 if (pol->type == type && pol->index == id &&
653 (mark & pol->mark.m) == pol->mark.v) {
696 xfrm_pol_hold(pol); 654 xfrm_pol_hold(pol);
697 if (delete) { 655 if (delete) {
698 *err = security_xfrm_policy_delete( 656 *err = security_xfrm_policy_delete(
@@ -709,10 +667,8 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u8 type, int dir, u32 id,
709 } 667 }
710 write_unlock_bh(&xfrm_policy_lock); 668 write_unlock_bh(&xfrm_policy_lock);
711 669
712 if (ret && delete) { 670 if (ret && delete)
713 atomic_inc(&flow_cache_genid);
714 xfrm_policy_kill(ret); 671 xfrm_policy_kill(ret);
715 }
716 return ret; 672 return ret;
717} 673}
718EXPORT_SYMBOL(xfrm_policy_byid); 674EXPORT_SYMBOL(xfrm_policy_byid);
@@ -771,7 +727,7 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
771 727
772int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) 728int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
773{ 729{
774 int dir, err = 0; 730 int dir, err = 0, cnt = 0;
775 731
776 write_lock_bh(&xfrm_policy_lock); 732 write_lock_bh(&xfrm_policy_lock);
777 733
@@ -791,6 +747,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
791 continue; 747 continue;
792 __xfrm_policy_unlink(pol, dir); 748 __xfrm_policy_unlink(pol, dir);
793 write_unlock_bh(&xfrm_policy_lock); 749 write_unlock_bh(&xfrm_policy_lock);
750 cnt++;
794 751
795 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 752 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
796 audit_info->sessionid, 753 audit_info->sessionid,
@@ -811,6 +768,7 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
811 continue; 768 continue;
812 __xfrm_policy_unlink(pol, dir); 769 __xfrm_policy_unlink(pol, dir);
813 write_unlock_bh(&xfrm_policy_lock); 770 write_unlock_bh(&xfrm_policy_lock);
771 cnt++;
814 772
815 xfrm_audit_policy_delete(pol, 1, 773 xfrm_audit_policy_delete(pol, 1,
816 audit_info->loginuid, 774 audit_info->loginuid,
@@ -824,7 +782,8 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
824 } 782 }
825 783
826 } 784 }
827 atomic_inc(&flow_cache_genid); 785 if (!cnt)
786 err = -ESRCH;
828out: 787out:
829 write_unlock_bh(&xfrm_policy_lock); 788 write_unlock_bh(&xfrm_policy_lock);
830 return err; 789 return err;
@@ -909,6 +868,7 @@ static int xfrm_policy_match(struct xfrm_policy *pol, struct flowi *fl,
909 int match, ret = -ESRCH; 868 int match, ret = -ESRCH;
910 869
911 if (pol->family != family || 870 if (pol->family != family ||
871 (fl->mark & pol->mark.m) != pol->mark.v ||
912 pol->type != type) 872 pol->type != type)
913 return ret; 873 return ret;
914 874
@@ -977,32 +937,37 @@ fail:
977 return ret; 937 return ret;
978} 938}
979 939
980static int xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, 940static struct xfrm_policy *
981 u8 dir, void **objp, atomic_t **obj_refp) 941__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
982{ 942{
943#ifdef CONFIG_XFRM_SUB_POLICY
983 struct xfrm_policy *pol; 944 struct xfrm_policy *pol;
984 int err = 0;
985 945
986#ifdef CONFIG_XFRM_SUB_POLICY
987 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir); 946 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
988 if (IS_ERR(pol)) { 947 if (pol != NULL)
989 err = PTR_ERR(pol); 948 return pol;
990 pol = NULL;
991 }
992 if (pol || err)
993 goto end;
994#endif 949#endif
995 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir); 950 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
996 if (IS_ERR(pol)) { 951}
997 err = PTR_ERR(pol); 952
998 pol = NULL; 953static struct flow_cache_object *
999 } 954xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family,
1000#ifdef CONFIG_XFRM_SUB_POLICY 955 u8 dir, struct flow_cache_object *old_obj, void *ctx)
1001end: 956{
1002#endif 957 struct xfrm_policy *pol;
1003 if ((*objp = (void *) pol) != NULL) 958
1004 *obj_refp = &pol->refcnt; 959 if (old_obj)
1005 return err; 960 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo));
961
962 pol = __xfrm_policy_lookup(net, fl, family, dir);
963 if (IS_ERR_OR_NULL(pol))
964 return ERR_CAST(pol);
965
966 /* Resolver returns two references:
967 * one for cache and one for caller of flow_cache_lookup() */
968 xfrm_pol_hold(pol);
969
970 return &pol->flo;
1006} 971}
1007 972
1008static inline int policy_to_flow_dir(int dir) 973static inline int policy_to_flow_dir(int dir)
@@ -1033,6 +998,10 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1033 int err = 0; 998 int err = 0;
1034 999
1035 if (match) { 1000 if (match) {
1001 if ((sk->sk_mark & pol->mark.m) != pol->mark.v) {
1002 pol = NULL;
1003 goto out;
1004 }
1036 err = security_xfrm_policy_lookup(pol->security, 1005 err = security_xfrm_policy_lookup(pol->security,
1037 fl->secid, 1006 fl->secid,
1038 policy_to_flow_dir(dir)); 1007 policy_to_flow_dir(dir));
@@ -1045,6 +1014,7 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1045 } else 1014 } else
1046 pol = NULL; 1015 pol = NULL;
1047 } 1016 }
1017out:
1048 read_unlock_bh(&xfrm_policy_lock); 1018 read_unlock_bh(&xfrm_policy_lock);
1049 return pol; 1019 return pol;
1050} 1020}
@@ -1087,8 +1057,6 @@ int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1087 pol = __xfrm_policy_unlink(pol, dir); 1057 pol = __xfrm_policy_unlink(pol, dir);
1088 write_unlock_bh(&xfrm_policy_lock); 1058 write_unlock_bh(&xfrm_policy_lock);
1089 if (pol) { 1059 if (pol) {
1090 if (dir < XFRM_POLICY_MAX)
1091 atomic_inc(&flow_cache_genid);
1092 xfrm_policy_kill(pol); 1060 xfrm_policy_kill(pol);
1093 return 0; 1061 return 0;
1094 } 1062 }
@@ -1115,6 +1083,9 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1115 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir); 1083 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1116 } 1084 }
1117 if (old_pol) 1085 if (old_pol)
1086 /* Unlinking succeeds always. This is the only function
1087 * allowed to delete or replace socket policy.
1088 */
1118 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); 1089 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1119 write_unlock_bh(&xfrm_policy_lock); 1090 write_unlock_bh(&xfrm_policy_lock);
1120 1091
@@ -1137,6 +1108,7 @@ static struct xfrm_policy *clone_policy(struct xfrm_policy *old, int dir)
1137 } 1108 }
1138 newp->lft = old->lft; 1109 newp->lft = old->lft;
1139 newp->curlft = old->curlft; 1110 newp->curlft = old->curlft;
1111 newp->mark = old->mark;
1140 newp->action = old->action; 1112 newp->action = old->action;
1141 newp->flags = old->flags; 1113 newp->flags = old->flags;
1142 newp->xfrm_nr = old->xfrm_nr; 1114 newp->xfrm_nr = old->xfrm_nr;
@@ -1203,9 +1175,8 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
1203 tmpl->mode == XFRM_MODE_BEET) { 1175 tmpl->mode == XFRM_MODE_BEET) {
1204 remote = &tmpl->id.daddr; 1176 remote = &tmpl->id.daddr;
1205 local = &tmpl->saddr; 1177 local = &tmpl->saddr;
1206 family = tmpl->encap_family; 1178 if (xfrm_addr_any(local, tmpl->encap_family)) {
1207 if (xfrm_addr_any(local, family)) { 1179 error = xfrm_get_saddr(net, &tmp, remote, tmpl->encap_family);
1208 error = xfrm_get_saddr(net, &tmp, remote, family);
1209 if (error) 1180 if (error)
1210 goto fail; 1181 goto fail;
1211 local = &tmp; 1182 local = &tmp;
@@ -1282,18 +1253,6 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1282 * still valid. 1253 * still valid.
1283 */ 1254 */
1284 1255
1285static struct dst_entry *
1286xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
1287{
1288 struct dst_entry *x;
1289 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1290 if (unlikely(afinfo == NULL))
1291 return ERR_PTR(-EINVAL);
1292 x = afinfo->find_bundle(fl, policy);
1293 xfrm_policy_put_afinfo(afinfo);
1294 return x;
1295}
1296
1297static inline int xfrm_get_tos(struct flowi *fl, int family) 1256static inline int xfrm_get_tos(struct flowi *fl, int family)
1298{ 1257{
1299 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1258 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
@@ -1309,6 +1268,54 @@ static inline int xfrm_get_tos(struct flowi *fl, int family)
1309 return tos; 1268 return tos;
1310} 1269}
1311 1270
1271static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo)
1272{
1273 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1274 struct dst_entry *dst = &xdst->u.dst;
1275
1276 if (xdst->route == NULL) {
1277 /* Dummy bundle - if it has xfrms we were not
1278 * able to build bundle as template resolution failed.
1279 * It means we need to try again resolving. */
1280 if (xdst->num_xfrms > 0)
1281 return NULL;
1282 } else {
1283 /* Real bundle */
1284 if (stale_bundle(dst))
1285 return NULL;
1286 }
1287
1288 dst_hold(dst);
1289 return flo;
1290}
1291
1292static int xfrm_bundle_flo_check(struct flow_cache_object *flo)
1293{
1294 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1295 struct dst_entry *dst = &xdst->u.dst;
1296
1297 if (!xdst->route)
1298 return 0;
1299 if (stale_bundle(dst))
1300 return 0;
1301
1302 return 1;
1303}
1304
1305static void xfrm_bundle_flo_delete(struct flow_cache_object *flo)
1306{
1307 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1308 struct dst_entry *dst = &xdst->u.dst;
1309
1310 dst_free(dst);
1311}
1312
1313static const struct flow_cache_ops xfrm_bundle_fc_ops = {
1314 .get = xfrm_bundle_flo_get,
1315 .check = xfrm_bundle_flo_check,
1316 .delete = xfrm_bundle_flo_delete,
1317};
1318
1312static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family) 1319static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1313{ 1320{
1314 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1321 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
@@ -1331,9 +1338,10 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1331 BUG(); 1338 BUG();
1332 } 1339 }
1333 xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS); 1340 xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS);
1334
1335 xfrm_policy_put_afinfo(afinfo); 1341 xfrm_policy_put_afinfo(afinfo);
1336 1342
1343 xdst->flo.ops = &xfrm_bundle_fc_ops;
1344
1337 return xdst; 1345 return xdst;
1338} 1346}
1339 1347
@@ -1354,7 +1362,8 @@ static inline int xfrm_init_path(struct xfrm_dst *path, struct dst_entry *dst,
1354 return err; 1362 return err;
1355} 1363}
1356 1364
1357static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev) 1365static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1366 struct flowi *fl)
1358{ 1367{
1359 struct xfrm_policy_afinfo *afinfo = 1368 struct xfrm_policy_afinfo *afinfo =
1360 xfrm_policy_get_afinfo(xdst->u.dst.ops->family); 1369 xfrm_policy_get_afinfo(xdst->u.dst.ops->family);
@@ -1363,13 +1372,14 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev)
1363 if (!afinfo) 1372 if (!afinfo)
1364 return -EINVAL; 1373 return -EINVAL;
1365 1374
1366 err = afinfo->fill_dst(xdst, dev); 1375 err = afinfo->fill_dst(xdst, dev, fl);
1367 1376
1368 xfrm_policy_put_afinfo(afinfo); 1377 xfrm_policy_put_afinfo(afinfo);
1369 1378
1370 return err; 1379 return err;
1371} 1380}
1372 1381
1382
1373/* Allocate chain of dst_entry's, attach known xfrm's, calculate 1383/* Allocate chain of dst_entry's, attach known xfrm's, calculate
1374 * all the metrics... Shortly, bundle a bundle. 1384 * all the metrics... Shortly, bundle a bundle.
1375 */ 1385 */
@@ -1433,7 +1443,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1433 dst_hold(dst); 1443 dst_hold(dst);
1434 1444
1435 dst1->xfrm = xfrm[i]; 1445 dst1->xfrm = xfrm[i];
1436 xdst->genid = xfrm[i]->genid; 1446 xdst->xfrm_genid = xfrm[i]->genid;
1437 1447
1438 dst1->obsolete = -1; 1448 dst1->obsolete = -1;
1439 dst1->flags |= DST_HOST; 1449 dst1->flags |= DST_HOST;
@@ -1468,7 +1478,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1468 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) { 1478 for (dst_prev = dst0; dst_prev != dst; dst_prev = dst_prev->child) {
1469 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev; 1479 struct xfrm_dst *xdst = (struct xfrm_dst *)dst_prev;
1470 1480
1471 err = xfrm_fill_dst(xdst, dev); 1481 err = xfrm_fill_dst(xdst, dev, fl);
1472 if (err) 1482 if (err)
1473 goto free_dst; 1483 goto free_dst;
1474 1484
@@ -1526,7 +1536,193 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1526#endif 1536#endif
1527} 1537}
1528 1538
1529static int stale_bundle(struct dst_entry *dst); 1539static int xfrm_expand_policies(struct flowi *fl, u16 family,
1540 struct xfrm_policy **pols,
1541 int *num_pols, int *num_xfrms)
1542{
1543 int i;
1544
1545 if (*num_pols == 0 || !pols[0]) {
1546 *num_pols = 0;
1547 *num_xfrms = 0;
1548 return 0;
1549 }
1550 if (IS_ERR(pols[0]))
1551 return PTR_ERR(pols[0]);
1552
1553 *num_xfrms = pols[0]->xfrm_nr;
1554
1555#ifdef CONFIG_XFRM_SUB_POLICY
1556 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
1557 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1558 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
1559 XFRM_POLICY_TYPE_MAIN,
1560 fl, family,
1561 XFRM_POLICY_OUT);
1562 if (pols[1]) {
1563 if (IS_ERR(pols[1])) {
1564 xfrm_pols_put(pols, *num_pols);
1565 return PTR_ERR(pols[1]);
1566 }
1567 (*num_pols) ++;
1568 (*num_xfrms) += pols[1]->xfrm_nr;
1569 }
1570 }
1571#endif
1572 for (i = 0; i < *num_pols; i++) {
1573 if (pols[i]->action != XFRM_POLICY_ALLOW) {
1574 *num_xfrms = -1;
1575 break;
1576 }
1577 }
1578
1579 return 0;
1580
1581}
1582
1583static struct xfrm_dst *
1584xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1585 struct flowi *fl, u16 family,
1586 struct dst_entry *dst_orig)
1587{
1588 struct net *net = xp_net(pols[0]);
1589 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1590 struct dst_entry *dst;
1591 struct xfrm_dst *xdst;
1592 int err;
1593
1594 /* Try to instantiate a bundle */
1595 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
1596 if (err <= 0) {
1597 if (err != 0 && err != -EAGAIN)
1598 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1599 return ERR_PTR(err);
1600 }
1601
1602 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
1603 if (IS_ERR(dst)) {
1604 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1605 return ERR_CAST(dst);
1606 }
1607
1608 xdst = (struct xfrm_dst *)dst;
1609 xdst->num_xfrms = err;
1610 if (num_pols > 1)
1611 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1612 else
1613 err = xfrm_dst_update_origin(dst, fl);
1614 if (unlikely(err)) {
1615 dst_free(dst);
1616 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1617 return ERR_PTR(err);
1618 }
1619
1620 xdst->num_pols = num_pols;
1621 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1622 xdst->policy_genid = atomic_read(&pols[0]->genid);
1623
1624 return xdst;
1625}
1626
1627static struct flow_cache_object *
1628xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir,
1629 struct flow_cache_object *oldflo, void *ctx)
1630{
1631 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
1632 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1633 struct xfrm_dst *xdst, *new_xdst;
1634 int num_pols = 0, num_xfrms = 0, i, err, pol_dead;
1635
1636 /* Check if the policies from old bundle are usable */
1637 xdst = NULL;
1638 if (oldflo) {
1639 xdst = container_of(oldflo, struct xfrm_dst, flo);
1640 num_pols = xdst->num_pols;
1641 num_xfrms = xdst->num_xfrms;
1642 pol_dead = 0;
1643 for (i = 0; i < num_pols; i++) {
1644 pols[i] = xdst->pols[i];
1645 pol_dead |= pols[i]->walk.dead;
1646 }
1647 if (pol_dead) {
1648 dst_free(&xdst->u.dst);
1649 xdst = NULL;
1650 num_pols = 0;
1651 num_xfrms = 0;
1652 oldflo = NULL;
1653 }
1654 }
1655
1656 /* Resolve policies to use if we couldn't get them from
1657 * previous cache entry */
1658 if (xdst == NULL) {
1659 num_pols = 1;
1660 pols[0] = __xfrm_policy_lookup(net, fl, family, dir);
1661 err = xfrm_expand_policies(fl, family, pols,
1662 &num_pols, &num_xfrms);
1663 if (err < 0)
1664 goto inc_error;
1665 if (num_pols == 0)
1666 return NULL;
1667 if (num_xfrms <= 0)
1668 goto make_dummy_bundle;
1669 }
1670
1671 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, dst_orig);
1672 if (IS_ERR(new_xdst)) {
1673 err = PTR_ERR(new_xdst);
1674 if (err != -EAGAIN)
1675 goto error;
1676 if (oldflo == NULL)
1677 goto make_dummy_bundle;
1678 dst_hold(&xdst->u.dst);
1679 return oldflo;
1680 } else if (new_xdst == NULL) {
1681 num_xfrms = 0;
1682 if (oldflo == NULL)
1683 goto make_dummy_bundle;
1684 xdst->num_xfrms = 0;
1685 dst_hold(&xdst->u.dst);
1686 return oldflo;
1687 }
1688
1689 /* Kill the previous bundle */
1690 if (xdst) {
1691 /* The policies were stolen for newly generated bundle */
1692 xdst->num_pols = 0;
1693 dst_free(&xdst->u.dst);
1694 }
1695
1696 /* Flow cache does not have reference, it dst_free()'s,
1697 * but we do need to return one reference for original caller */
1698 dst_hold(&new_xdst->u.dst);
1699 return &new_xdst->flo;
1700
1701make_dummy_bundle:
1702 /* We found policies, but there's no bundles to instantiate:
1703 * either because the policy blocks, has no transformations or
1704 * we could not build template (no xfrm_states).*/
1705 xdst = xfrm_alloc_dst(net, family);
1706 if (IS_ERR(xdst)) {
1707 xfrm_pols_put(pols, num_pols);
1708 return ERR_CAST(xdst);
1709 }
1710 xdst->num_pols = num_pols;
1711 xdst->num_xfrms = num_xfrms;
1712 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1713
1714 dst_hold(&xdst->u.dst);
1715 return &xdst->flo;
1716
1717inc_error:
1718 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1719error:
1720 if (xdst != NULL)
1721 dst_free(&xdst->u.dst);
1722 else
1723 xfrm_pols_put(pols, num_pols);
1724 return ERR_PTR(err);
1725}
1530 1726
1531/* Main function: finds/creates a bundle for given flow. 1727/* Main function: finds/creates a bundle for given flow.
1532 * 1728 *
@@ -1536,245 +1732,156 @@ static int stale_bundle(struct dst_entry *dst);
1536int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, 1732int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1537 struct sock *sk, int flags) 1733 struct sock *sk, int flags)
1538{ 1734{
1539 struct xfrm_policy *policy;
1540 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1735 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1541 int npols; 1736 struct flow_cache_object *flo;
1542 int pol_dead; 1737 struct xfrm_dst *xdst;
1543 int xfrm_nr; 1738 struct dst_entry *dst, *dst_orig = *dst_p, *route;
1544 int pi; 1739 u16 family = dst_orig->ops->family;
1545 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1546 struct dst_entry *dst, *dst_orig = *dst_p;
1547 int nx = 0;
1548 int err;
1549 u32 genid;
1550 u16 family;
1551 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1740 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1741 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
1552 1742
1553restart: 1743restart:
1554 genid = atomic_read(&flow_cache_genid); 1744 dst = NULL;
1555 policy = NULL; 1745 xdst = NULL;
1556 for (pi = 0; pi < ARRAY_SIZE(pols); pi++) 1746 route = NULL;
1557 pols[pi] = NULL;
1558 npols = 0;
1559 pol_dead = 0;
1560 xfrm_nr = 0;
1561 1747
1562 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) { 1748 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
1563 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); 1749 num_pols = 1;
1564 err = PTR_ERR(policy); 1750 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1565 if (IS_ERR(policy)) { 1751 err = xfrm_expand_policies(fl, family, pols,
1566 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 1752 &num_pols, &num_xfrms);
1753 if (err < 0)
1567 goto dropdst; 1754 goto dropdst;
1755
1756 if (num_pols) {
1757 if (num_xfrms <= 0) {
1758 drop_pols = num_pols;
1759 goto no_transform;
1760 }
1761
1762 xdst = xfrm_resolve_and_create_bundle(
1763 pols, num_pols, fl,
1764 family, dst_orig);
1765 if (IS_ERR(xdst)) {
1766 xfrm_pols_put(pols, num_pols);
1767 err = PTR_ERR(xdst);
1768 goto dropdst;
1769 } else if (xdst == NULL) {
1770 num_xfrms = 0;
1771 drop_pols = num_pols;
1772 goto no_transform;
1773 }
1774
1775 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1776 xdst->u.dst.next = xfrm_policy_sk_bundles;
1777 xfrm_policy_sk_bundles = &xdst->u.dst;
1778 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
1779
1780 route = xdst->route;
1568 } 1781 }
1569 } 1782 }
1570 1783
1571 if (!policy) { 1784 if (xdst == NULL) {
1572 /* To accelerate a bit... */ 1785 /* To accelerate a bit... */
1573 if ((dst_orig->flags & DST_NOXFRM) || 1786 if ((dst_orig->flags & DST_NOXFRM) ||
1574 !net->xfrm.policy_count[XFRM_POLICY_OUT]) 1787 !net->xfrm.policy_count[XFRM_POLICY_OUT])
1575 goto nopol; 1788 goto nopol;
1576 1789
1577 policy = flow_cache_lookup(net, fl, dst_orig->ops->family, 1790 flo = flow_cache_lookup(net, fl, family, dir,
1578 dir, xfrm_policy_lookup); 1791 xfrm_bundle_lookup, dst_orig);
1579 err = PTR_ERR(policy); 1792 if (flo == NULL)
1580 if (IS_ERR(policy)) { 1793 goto nopol;
1581 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 1794 if (IS_ERR(flo)) {
1795 err = PTR_ERR(flo);
1582 goto dropdst; 1796 goto dropdst;
1583 } 1797 }
1798 xdst = container_of(flo, struct xfrm_dst, flo);
1799
1800 num_pols = xdst->num_pols;
1801 num_xfrms = xdst->num_xfrms;
1802 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy*) * num_pols);
1803 route = xdst->route;
1804 }
1805
1806 dst = &xdst->u.dst;
1807 if (route == NULL && num_xfrms > 0) {
1808 /* The only case when xfrm_bundle_lookup() returns a
1809 * bundle with null route, is when the template could
1810 * not be resolved. It means policies are there, but
1811 * bundle could not be created, since we don't yet
1812 * have the xfrm_state's. We need to wait for KM to
1813 * negotiate new SA's or bail out with error.*/
1814 if (net->xfrm.sysctl_larval_drop) {
1815 /* EREMOTE tells the caller to generate
1816 * a one-shot blackhole route. */
1817 dst_release(dst);
1818 xfrm_pols_put(pols, drop_pols);
1819 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1820 return -EREMOTE;
1821 }
1822 if (flags & XFRM_LOOKUP_WAIT) {
1823 DECLARE_WAITQUEUE(wait, current);
1824
1825 add_wait_queue(&net->xfrm.km_waitq, &wait);
1826 set_current_state(TASK_INTERRUPTIBLE);
1827 schedule();
1828 set_current_state(TASK_RUNNING);
1829 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1830
1831 if (!signal_pending(current)) {
1832 dst_release(dst);
1833 goto restart;
1834 }
1835
1836 err = -ERESTART;
1837 } else
1838 err = -EAGAIN;
1839
1840 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1841 goto error;
1584 } 1842 }
1585 1843
1586 if (!policy) 1844no_transform:
1845 if (num_pols == 0)
1587 goto nopol; 1846 goto nopol;
1588 1847
1589 family = dst_orig->ops->family; 1848 if ((flags & XFRM_LOOKUP_ICMP) &&
1590 pols[0] = policy; 1849 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
1591 npols ++; 1850 err = -ENOENT;
1592 xfrm_nr += pols[0]->xfrm_nr;
1593
1594 err = -ENOENT;
1595 if ((flags & XFRM_LOOKUP_ICMP) && !(policy->flags & XFRM_POLICY_ICMP))
1596 goto error; 1851 goto error;
1852 }
1597 1853
1598 policy->curlft.use_time = get_seconds(); 1854 for (i = 0; i < num_pols; i++)
1855 pols[i]->curlft.use_time = get_seconds();
1599 1856
1600 switch (policy->action) { 1857 if (num_xfrms < 0) {
1601 default:
1602 case XFRM_POLICY_BLOCK:
1603 /* Prohibit the flow */ 1858 /* Prohibit the flow */
1604 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK); 1859 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1605 err = -EPERM; 1860 err = -EPERM;
1606 goto error; 1861 goto error;
1607 1862 } else if (num_xfrms > 0) {
1608 case XFRM_POLICY_ALLOW: 1863 /* Flow transformed */
1609#ifndef CONFIG_XFRM_SUB_POLICY 1864 *dst_p = dst;
1610 if (policy->xfrm_nr == 0) { 1865 dst_release(dst_orig);
1611 /* Flow passes not transformed. */ 1866 } else {
1612 xfrm_pol_put(policy); 1867 /* Flow passes untransformed */
1613 return 0; 1868 dst_release(dst);
1614 }
1615#endif
1616
1617 /* Try to find matching bundle.
1618 *
1619 * LATER: help from flow cache. It is optional, this
1620 * is required only for output policy.
1621 */
1622 dst = xfrm_find_bundle(fl, policy, family);
1623 if (IS_ERR(dst)) {
1624 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1625 err = PTR_ERR(dst);
1626 goto error;
1627 }
1628
1629 if (dst)
1630 break;
1631
1632#ifdef CONFIG_XFRM_SUB_POLICY
1633 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1634 pols[1] = xfrm_policy_lookup_bytype(net,
1635 XFRM_POLICY_TYPE_MAIN,
1636 fl, family,
1637 XFRM_POLICY_OUT);
1638 if (pols[1]) {
1639 if (IS_ERR(pols[1])) {
1640 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1641 err = PTR_ERR(pols[1]);
1642 goto error;
1643 }
1644 if (pols[1]->action == XFRM_POLICY_BLOCK) {
1645 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1646 err = -EPERM;
1647 goto error;
1648 }
1649 npols ++;
1650 xfrm_nr += pols[1]->xfrm_nr;
1651 }
1652 }
1653
1654 /*
1655 * Because neither flowi nor bundle information knows about
1656 * transformation template size. On more than one policy usage
1657 * we can realize whether all of them is bypass or not after
1658 * they are searched. See above not-transformed bypass
1659 * is surrounded by non-sub policy configuration, too.
1660 */
1661 if (xfrm_nr == 0) {
1662 /* Flow passes not transformed. */
1663 xfrm_pols_put(pols, npols);
1664 return 0;
1665 }
1666
1667#endif
1668 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1669
1670 if (unlikely(nx<0)) {
1671 err = nx;
1672 if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) {
1673 /* EREMOTE tells the caller to generate
1674 * a one-shot blackhole route.
1675 */
1676 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1677 xfrm_pol_put(policy);
1678 return -EREMOTE;
1679 }
1680 if (err == -EAGAIN && (flags & XFRM_LOOKUP_WAIT)) {
1681 DECLARE_WAITQUEUE(wait, current);
1682
1683 add_wait_queue(&net->xfrm.km_waitq, &wait);
1684 set_current_state(TASK_INTERRUPTIBLE);
1685 schedule();
1686 set_current_state(TASK_RUNNING);
1687 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1688
1689 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1690
1691 if (nx == -EAGAIN && signal_pending(current)) {
1692 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1693 err = -ERESTART;
1694 goto error;
1695 }
1696 if (nx == -EAGAIN ||
1697 genid != atomic_read(&flow_cache_genid)) {
1698 xfrm_pols_put(pols, npols);
1699 goto restart;
1700 }
1701 err = nx;
1702 }
1703 if (err < 0) {
1704 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1705 goto error;
1706 }
1707 }
1708 if (nx == 0) {
1709 /* Flow passes not transformed. */
1710 xfrm_pols_put(pols, npols);
1711 return 0;
1712 }
1713
1714 dst = xfrm_bundle_create(policy, xfrm, nx, fl, dst_orig);
1715 err = PTR_ERR(dst);
1716 if (IS_ERR(dst)) {
1717 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1718 goto error;
1719 }
1720
1721 for (pi = 0; pi < npols; pi++) {
1722 read_lock_bh(&pols[pi]->lock);
1723 pol_dead |= pols[pi]->walk.dead;
1724 read_unlock_bh(&pols[pi]->lock);
1725 }
1726
1727 write_lock_bh(&policy->lock);
1728 if (unlikely(pol_dead || stale_bundle(dst))) {
1729 /* Wow! While we worked on resolving, this
1730 * policy has gone. Retry. It is not paranoia,
1731 * we just cannot enlist new bundle to dead object.
1732 * We can't enlist stable bundles either.
1733 */
1734 write_unlock_bh(&policy->lock);
1735 dst_free(dst);
1736
1737 if (pol_dead)
1738 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLDEAD);
1739 else
1740 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1741 err = -EHOSTUNREACH;
1742 goto error;
1743 }
1744
1745 if (npols > 1)
1746 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1747 else
1748 err = xfrm_dst_update_origin(dst, fl);
1749 if (unlikely(err)) {
1750 write_unlock_bh(&policy->lock);
1751 dst_free(dst);
1752 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1753 goto error;
1754 }
1755
1756 dst->next = policy->bundles;
1757 policy->bundles = dst;
1758 dst_hold(dst);
1759 write_unlock_bh(&policy->lock);
1760 } 1869 }
1761 *dst_p = dst; 1870ok:
1762 dst_release(dst_orig); 1871 xfrm_pols_put(pols, drop_pols);
1763 xfrm_pols_put(pols, npols);
1764 return 0; 1872 return 0;
1765 1873
1874nopol:
1875 if (!(flags & XFRM_LOOKUP_ICMP))
1876 goto ok;
1877 err = -ENOENT;
1766error: 1878error:
1767 xfrm_pols_put(pols, npols); 1879 dst_release(dst);
1768dropdst: 1880dropdst:
1769 dst_release(dst_orig); 1881 dst_release(dst_orig);
1770 *dst_p = NULL; 1882 *dst_p = NULL;
1883 xfrm_pols_put(pols, drop_pols);
1771 return err; 1884 return err;
1772
1773nopol:
1774 err = -ENOENT;
1775 if (flags & XFRM_LOOKUP_ICMP)
1776 goto dropdst;
1777 return 0;
1778} 1885}
1779EXPORT_SYMBOL(__xfrm_lookup); 1886EXPORT_SYMBOL(__xfrm_lookup);
1780 1887
@@ -1933,9 +2040,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1933 } 2040 }
1934 } 2041 }
1935 2042
1936 if (!pol) 2043 if (!pol) {
1937 pol = flow_cache_lookup(net, &fl, family, fl_dir, 2044 struct flow_cache_object *flo;
1938 xfrm_policy_lookup); 2045
2046 flo = flow_cache_lookup(net, &fl, family, fl_dir,
2047 xfrm_policy_lookup, NULL);
2048 if (IS_ERR_OR_NULL(flo))
2049 pol = ERR_CAST(flo);
2050 else
2051 pol = container_of(flo, struct xfrm_policy, flo);
2052 }
1939 2053
1940 if (IS_ERR(pol)) { 2054 if (IS_ERR(pol)) {
1941 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); 2055 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
@@ -2045,11 +2159,11 @@ int __xfrm_route_forward(struct sk_buff *skb, unsigned short family)
2045 int res; 2159 int res;
2046 2160
2047 if (xfrm_decode_session(skb, &fl, family) < 0) { 2161 if (xfrm_decode_session(skb, &fl, family) < 0) {
2048 /* XXX: we should have something like FWDHDRERROR here. */ 2162 XFRM_INC_STATS(net, LINUX_MIB_XFRMFWDHDRERROR);
2049 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
2050 return 0; 2163 return 0;
2051 } 2164 }
2052 2165
2166 skb_dst_force(skb);
2053 dst = skb_dst(skb); 2167 dst = skb_dst(skb);
2054 2168
2055 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0; 2169 res = xfrm_lookup(net, &dst, &fl, NULL, 0) == 0;
@@ -2106,7 +2220,6 @@ EXPORT_SYMBOL(xfrm_dst_ifdown);
2106static void xfrm_link_failure(struct sk_buff *skb) 2220static void xfrm_link_failure(struct sk_buff *skb)
2107{ 2221{
2108 /* Impossible. Such dst must be popped before reaches point of failure. */ 2222 /* Impossible. Such dst must be popped before reaches point of failure. */
2109 return;
2110} 2223}
2111 2224
2112static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst) 2225static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
@@ -2120,71 +2233,24 @@ static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2120 return dst; 2233 return dst;
2121} 2234}
2122 2235
2123static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p) 2236static void __xfrm_garbage_collect(struct net *net)
2124{
2125 struct dst_entry *dst, **dstp;
2126
2127 write_lock(&pol->lock);
2128 dstp = &pol->bundles;
2129 while ((dst=*dstp) != NULL) {
2130 if (func(dst)) {
2131 *dstp = dst->next;
2132 dst->next = *gc_list_p;
2133 *gc_list_p = dst;
2134 } else {
2135 dstp = &dst->next;
2136 }
2137 }
2138 write_unlock(&pol->lock);
2139}
2140
2141static void xfrm_prune_bundles(struct net *net, int (*func)(struct dst_entry *))
2142{ 2237{
2143 struct dst_entry *gc_list = NULL; 2238 struct dst_entry *head, *next;
2144 int dir;
2145 2239
2146 read_lock_bh(&xfrm_policy_lock); 2240 flow_cache_flush();
2147 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2148 struct xfrm_policy *pol;
2149 struct hlist_node *entry;
2150 struct hlist_head *table;
2151 int i;
2152
2153 hlist_for_each_entry(pol, entry,
2154 &net->xfrm.policy_inexact[dir], bydst)
2155 prune_one_bundle(pol, func, &gc_list);
2156 2241
2157 table = net->xfrm.policy_bydst[dir].table; 2242 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
2158 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) { 2243 head = xfrm_policy_sk_bundles;
2159 hlist_for_each_entry(pol, entry, table + i, bydst) 2244 xfrm_policy_sk_bundles = NULL;
2160 prune_one_bundle(pol, func, &gc_list); 2245 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
2161 }
2162 }
2163 read_unlock_bh(&xfrm_policy_lock);
2164 2246
2165 while (gc_list) { 2247 while (head) {
2166 struct dst_entry *dst = gc_list; 2248 next = head->next;
2167 gc_list = dst->next; 2249 dst_free(head);
2168 dst_free(dst); 2250 head = next;
2169 } 2251 }
2170} 2252}
2171 2253
2172static int unused_bundle(struct dst_entry *dst)
2173{
2174 return !atomic_read(&dst->__refcnt);
2175}
2176
2177static void __xfrm_garbage_collect(struct net *net)
2178{
2179 xfrm_prune_bundles(net, unused_bundle);
2180}
2181
2182static int xfrm_flush_bundles(struct net *net)
2183{
2184 xfrm_prune_bundles(net, stale_bundle);
2185 return 0;
2186}
2187
2188static void xfrm_init_pmtu(struct dst_entry *dst) 2254static void xfrm_init_pmtu(struct dst_entry *dst)
2189{ 2255{
2190 do { 2256 do {
@@ -2242,7 +2308,10 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2242 return 0; 2308 return 0;
2243 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2309 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2244 return 0; 2310 return 0;
2245 if (xdst->genid != dst->xfrm->genid) 2311 if (xdst->xfrm_genid != dst->xfrm->genid)
2312 return 0;
2313 if (xdst->num_pols > 0 &&
2314 xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2246 return 0; 2315 return 0;
2247 2316
2248 if (strict && fl && 2317 if (strict && fl &&
@@ -2407,7 +2476,7 @@ static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void
2407 2476
2408 switch (event) { 2477 switch (event) {
2409 case NETDEV_DOWN: 2478 case NETDEV_DOWN:
2410 xfrm_flush_bundles(dev_net(dev)); 2479 __xfrm_garbage_collect(dev_net(dev));
2411 } 2480 }
2412 return NOTIFY_DONE; 2481 return NOTIFY_DONE;
2413} 2482}
@@ -2421,19 +2490,20 @@ static int __net_init xfrm_statistics_init(struct net *net)
2421{ 2490{
2422 int rv; 2491 int rv;
2423 2492
2424 if (snmp_mib_init((void **)net->mib.xfrm_statistics, 2493 if (snmp_mib_init((void __percpu **)net->mib.xfrm_statistics,
2425 sizeof(struct linux_xfrm_mib)) < 0) 2494 sizeof(struct linux_xfrm_mib),
2495 __alignof__(struct linux_xfrm_mib)) < 0)
2426 return -ENOMEM; 2496 return -ENOMEM;
2427 rv = xfrm_proc_init(net); 2497 rv = xfrm_proc_init(net);
2428 if (rv < 0) 2498 if (rv < 0)
2429 snmp_mib_free((void **)net->mib.xfrm_statistics); 2499 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2430 return rv; 2500 return rv;
2431} 2501}
2432 2502
2433static void xfrm_statistics_fini(struct net *net) 2503static void xfrm_statistics_fini(struct net *net)
2434{ 2504{
2435 xfrm_proc_fini(net); 2505 xfrm_proc_fini(net);
2436 snmp_mib_free((void **)net->mib.xfrm_statistics); 2506 snmp_mib_free((void __percpu **)net->mib.xfrm_statistics);
2437} 2507}
2438#else 2508#else
2439static int __net_init xfrm_statistics_init(struct net *net) 2509static int __net_init xfrm_statistics_init(struct net *net)
@@ -2513,7 +2583,6 @@ static void xfrm_policy_fini(struct net *net)
2513 audit_info.sessionid = -1; 2583 audit_info.sessionid = -1;
2514 audit_info.secid = 0; 2584 audit_info.secid = 0;
2515 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); 2585 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2516 flush_work(&xfrm_policy_gc_work);
2517 2586
2518 WARN_ON(!list_empty(&net->xfrm.policy_all)); 2587 WARN_ON(!list_empty(&net->xfrm.policy_all));
2519 2588
@@ -2739,7 +2808,6 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2739 struct xfrm_migrate *m, int num_migrate) 2808 struct xfrm_migrate *m, int num_migrate)
2740{ 2809{
2741 struct xfrm_migrate *mp; 2810 struct xfrm_migrate *mp;
2742 struct dst_entry *dst;
2743 int i, j, n = 0; 2811 int i, j, n = 0;
2744 2812
2745 write_lock_bh(&pol->lock); 2813 write_lock_bh(&pol->lock);
@@ -2764,10 +2832,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2764 sizeof(pol->xfrm_vec[i].saddr)); 2832 sizeof(pol->xfrm_vec[i].saddr));
2765 pol->xfrm_vec[i].encap_family = mp->new_family; 2833 pol->xfrm_vec[i].encap_family = mp->new_family;
2766 /* flush bundles */ 2834 /* flush bundles */
2767 while ((dst = pol->bundles) != NULL) { 2835 atomic_inc(&pol->genid);
2768 pol->bundles = dst->next;
2769 dst_free(dst);
2770 }
2771 } 2836 }
2772 } 2837 }
2773 2838
generated by cgit v1.2.2 (git 2.25.0) at 2025-12-11 01:38:06 -0500