aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_policy.c
diff options
context:
space:
mode:
Diffstat (limited to 'net/xfrm/xfrm_policy.c')
-rw-r--r--net/xfrm/xfrm_policy.c848
1 files changed, 441 insertions, 407 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 843e066649cb..d965a2bad8d3 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -37,6 +37,8 @@
37DEFINE_MUTEX(xfrm_cfg_mutex); 37DEFINE_MUTEX(xfrm_cfg_mutex);
38EXPORT_SYMBOL(xfrm_cfg_mutex); 38EXPORT_SYMBOL(xfrm_cfg_mutex);
39 39
40static DEFINE_SPINLOCK(xfrm_policy_sk_bundle_lock);
41static struct dst_entry *xfrm_policy_sk_bundles;
40static DEFINE_RWLOCK(xfrm_policy_lock); 42static DEFINE_RWLOCK(xfrm_policy_lock);
41 43
42static DEFINE_RWLOCK(xfrm_policy_afinfo_lock); 44static DEFINE_RWLOCK(xfrm_policy_afinfo_lock);
@@ -44,12 +46,10 @@ static struct xfrm_policy_afinfo *xfrm_policy_afinfo[NPROTO];
44 46
45static struct kmem_cache *xfrm_dst_cache __read_mostly; 47static struct kmem_cache *xfrm_dst_cache __read_mostly;
46 48
47static HLIST_HEAD(xfrm_policy_gc_list);
48static DEFINE_SPINLOCK(xfrm_policy_gc_lock);
49
50static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family); 49static struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family);
51static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo); 50static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
52static void xfrm_init_pmtu(struct dst_entry *dst); 51static void xfrm_init_pmtu(struct dst_entry *dst);
52static int stale_bundle(struct dst_entry *dst);
53 53
54static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol, 54static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
55 int dir); 55 int dir);
@@ -156,7 +156,7 @@ static void xfrm_policy_timer(unsigned long data)
156 156
157 read_lock(&xp->lock); 157 read_lock(&xp->lock);
158 158
159 if (xp->walk.dead) 159 if (unlikely(xp->walk.dead))
160 goto out; 160 goto out;
161 161
162 dir = xfrm_policy_id2dir(xp->index); 162 dir = xfrm_policy_id2dir(xp->index);
@@ -216,6 +216,35 @@ expired:
216 xfrm_pol_put(xp); 216 xfrm_pol_put(xp);
217} 217}
218 218
219static struct flow_cache_object *xfrm_policy_flo_get(struct flow_cache_object *flo)
220{
221 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
222
223 if (unlikely(pol->walk.dead))
224 flo = NULL;
225 else
226 xfrm_pol_hold(pol);
227
228 return flo;
229}
230
231static int xfrm_policy_flo_check(struct flow_cache_object *flo)
232{
233 struct xfrm_policy *pol = container_of(flo, struct xfrm_policy, flo);
234
235 return !pol->walk.dead;
236}
237
238static void xfrm_policy_flo_delete(struct flow_cache_object *flo)
239{
240 xfrm_pol_put(container_of(flo, struct xfrm_policy, flo));
241}
242
243static const struct flow_cache_ops xfrm_policy_fc_ops = {
244 .get = xfrm_policy_flo_get,
245 .check = xfrm_policy_flo_check,
246 .delete = xfrm_policy_flo_delete,
247};
219 248
220/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2 249/* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
221 * SPD calls. 250 * SPD calls.
@@ -236,6 +265,7 @@ struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)
236 atomic_set(&policy->refcnt, 1); 265 atomic_set(&policy->refcnt, 1);
237 setup_timer(&policy->timer, xfrm_policy_timer, 266 setup_timer(&policy->timer, xfrm_policy_timer,
238 (unsigned long)policy); 267 (unsigned long)policy);
268 policy->flo.ops = &xfrm_policy_fc_ops;
239 } 269 }
240 return policy; 270 return policy;
241} 271}
@@ -247,8 +277,6 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
247{ 277{
248 BUG_ON(!policy->walk.dead); 278 BUG_ON(!policy->walk.dead);
249 279
250 BUG_ON(policy->bundles);
251
252 if (del_timer(&policy->timer)) 280 if (del_timer(&policy->timer))
253 BUG(); 281 BUG();
254 282
@@ -257,63 +285,20 @@ void xfrm_policy_destroy(struct xfrm_policy *policy)
257} 285}
258EXPORT_SYMBOL(xfrm_policy_destroy); 286EXPORT_SYMBOL(xfrm_policy_destroy);
259 287
260static void xfrm_policy_gc_kill(struct xfrm_policy *policy)
261{
262 struct dst_entry *dst;
263
264 while ((dst = policy->bundles) != NULL) {
265 policy->bundles = dst->next;
266 dst_free(dst);
267 }
268
269 if (del_timer(&policy->timer))
270 atomic_dec(&policy->refcnt);
271
272 if (atomic_read(&policy->refcnt) > 1)
273 flow_cache_flush();
274
275 xfrm_pol_put(policy);
276}
277
278static void xfrm_policy_gc_task(struct work_struct *work)
279{
280 struct xfrm_policy *policy;
281 struct hlist_node *entry, *tmp;
282 struct hlist_head gc_list;
283
284 spin_lock_bh(&xfrm_policy_gc_lock);
285 gc_list.first = xfrm_policy_gc_list.first;
286 INIT_HLIST_HEAD(&xfrm_policy_gc_list);
287 spin_unlock_bh(&xfrm_policy_gc_lock);
288
289 hlist_for_each_entry_safe(policy, entry, tmp, &gc_list, bydst)
290 xfrm_policy_gc_kill(policy);
291}
292static DECLARE_WORK(xfrm_policy_gc_work, xfrm_policy_gc_task);
293
294/* Rule must be locked. Release descentant resources, announce 288/* Rule must be locked. Release descentant resources, announce
295 * entry dead. The rule must be unlinked from lists to the moment. 289 * entry dead. The rule must be unlinked from lists to the moment.
296 */ 290 */
297 291
298static void xfrm_policy_kill(struct xfrm_policy *policy) 292static void xfrm_policy_kill(struct xfrm_policy *policy)
299{ 293{
300 int dead;
301
302 write_lock_bh(&policy->lock);
303 dead = policy->walk.dead;
304 policy->walk.dead = 1; 294 policy->walk.dead = 1;
305 write_unlock_bh(&policy->lock);
306 295
307 if (unlikely(dead)) { 296 atomic_inc(&policy->genid);
308 WARN_ON(1);
309 return;
310 }
311 297
312 spin_lock_bh(&xfrm_policy_gc_lock); 298 if (del_timer(&policy->timer))
313 hlist_add_head(&policy->bydst, &xfrm_policy_gc_list); 299 xfrm_pol_put(policy);
314 spin_unlock_bh(&xfrm_policy_gc_lock);
315 300
316 schedule_work(&xfrm_policy_gc_work); 301 xfrm_pol_put(policy);
317} 302}
318 303
319static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024; 304static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;
@@ -555,7 +540,6 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
555 struct xfrm_policy *delpol; 540 struct xfrm_policy *delpol;
556 struct hlist_head *chain; 541 struct hlist_head *chain;
557 struct hlist_node *entry, *newpos; 542 struct hlist_node *entry, *newpos;
558 struct dst_entry *gc_list;
559 u32 mark = policy->mark.v & policy->mark.m; 543 u32 mark = policy->mark.v & policy->mark.m;
560 544
561 write_lock_bh(&xfrm_policy_lock); 545 write_lock_bh(&xfrm_policy_lock);
@@ -605,34 +589,6 @@ int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
605 else if (xfrm_bydst_should_resize(net, dir, NULL)) 589 else if (xfrm_bydst_should_resize(net, dir, NULL))
606 schedule_work(&net->xfrm.policy_hash_work); 590 schedule_work(&net->xfrm.policy_hash_work);
607 591
608 read_lock_bh(&xfrm_policy_lock);
609 gc_list = NULL;
610 entry = &policy->bydst;
611 hlist_for_each_entry_continue(policy, entry, bydst) {
612 struct dst_entry *dst;
613
614 write_lock(&policy->lock);
615 dst = policy->bundles;
616 if (dst) {
617 struct dst_entry *tail = dst;
618 while (tail->next)
619 tail = tail->next;
620 tail->next = gc_list;
621 gc_list = dst;
622
623 policy->bundles = NULL;
624 }
625 write_unlock(&policy->lock);
626 }
627 read_unlock_bh(&xfrm_policy_lock);
628
629 while (gc_list) {
630 struct dst_entry *dst = gc_list;
631
632 gc_list = dst->next;
633 dst_free(dst);
634 }
635
636 return 0; 592 return 0;
637} 593}
638EXPORT_SYMBOL(xfrm_policy_insert); 594EXPORT_SYMBOL(xfrm_policy_insert);
@@ -671,10 +627,8 @@ struct xfrm_policy *xfrm_policy_bysel_ctx(struct net *net, u32 mark, u8 type,
671 } 627 }
672 write_unlock_bh(&xfrm_policy_lock); 628 write_unlock_bh(&xfrm_policy_lock);
673 629
674 if (ret && delete) { 630 if (ret && delete)
675 atomic_inc(&flow_cache_genid);
676 xfrm_policy_kill(ret); 631 xfrm_policy_kill(ret);
677 }
678 return ret; 632 return ret;
679} 633}
680EXPORT_SYMBOL(xfrm_policy_bysel_ctx); 634EXPORT_SYMBOL(xfrm_policy_bysel_ctx);
@@ -713,10 +667,8 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net, u32 mark, u8 type,
713 } 667 }
714 write_unlock_bh(&xfrm_policy_lock); 668 write_unlock_bh(&xfrm_policy_lock);
715 669
716 if (ret && delete) { 670 if (ret && delete)
717 atomic_inc(&flow_cache_genid);
718 xfrm_policy_kill(ret); 671 xfrm_policy_kill(ret);
719 }
720 return ret; 672 return ret;
721} 673}
722EXPORT_SYMBOL(xfrm_policy_byid); 674EXPORT_SYMBOL(xfrm_policy_byid);
@@ -776,7 +728,6 @@ xfrm_policy_flush_secctx_check(struct net *net, u8 type, struct xfrm_audit *audi
776int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info) 728int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
777{ 729{
778 int dir, err = 0, cnt = 0; 730 int dir, err = 0, cnt = 0;
779 struct xfrm_policy *dp;
780 731
781 write_lock_bh(&xfrm_policy_lock); 732 write_lock_bh(&xfrm_policy_lock);
782 733
@@ -794,10 +745,9 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
794 &net->xfrm.policy_inexact[dir], bydst) { 745 &net->xfrm.policy_inexact[dir], bydst) {
795 if (pol->type != type) 746 if (pol->type != type)
796 continue; 747 continue;
797 dp = __xfrm_policy_unlink(pol, dir); 748 __xfrm_policy_unlink(pol, dir);
798 write_unlock_bh(&xfrm_policy_lock); 749 write_unlock_bh(&xfrm_policy_lock);
799 if (dp) 750 cnt++;
800 cnt++;
801 751
802 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid, 752 xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
803 audit_info->sessionid, 753 audit_info->sessionid,
@@ -816,10 +766,9 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
816 bydst) { 766 bydst) {
817 if (pol->type != type) 767 if (pol->type != type)
818 continue; 768 continue;
819 dp = __xfrm_policy_unlink(pol, dir); 769 __xfrm_policy_unlink(pol, dir);
820 write_unlock_bh(&xfrm_policy_lock); 770 write_unlock_bh(&xfrm_policy_lock);
821 if (dp) 771 cnt++;
822 cnt++;
823 772
824 xfrm_audit_policy_delete(pol, 1, 773 xfrm_audit_policy_delete(pol, 1,
825 audit_info->loginuid, 774 audit_info->loginuid,
@@ -835,7 +784,6 @@ int xfrm_policy_flush(struct net *net, u8 type, struct xfrm_audit *audit_info)
835 } 784 }
836 if (!cnt) 785 if (!cnt)
837 err = -ESRCH; 786 err = -ESRCH;
838 atomic_inc(&flow_cache_genid);
839out: 787out:
840 write_unlock_bh(&xfrm_policy_lock); 788 write_unlock_bh(&xfrm_policy_lock);
841 return err; 789 return err;
@@ -989,32 +937,37 @@ fail:
989 return ret; 937 return ret;
990} 938}
991 939
992static int xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, 940static struct xfrm_policy *
993 u8 dir, void **objp, atomic_t **obj_refp) 941__xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir)
994{ 942{
943#ifdef CONFIG_XFRM_SUB_POLICY
995 struct xfrm_policy *pol; 944 struct xfrm_policy *pol;
996 int err = 0;
997 945
998#ifdef CONFIG_XFRM_SUB_POLICY
999 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir); 946 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_SUB, fl, family, dir);
1000 if (IS_ERR(pol)) { 947 if (pol != NULL)
1001 err = PTR_ERR(pol); 948 return pol;
1002 pol = NULL;
1003 }
1004 if (pol || err)
1005 goto end;
1006#endif
1007 pol = xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1008 if (IS_ERR(pol)) {
1009 err = PTR_ERR(pol);
1010 pol = NULL;
1011 }
1012#ifdef CONFIG_XFRM_SUB_POLICY
1013end:
1014#endif 949#endif
1015 if ((*objp = (void *) pol) != NULL) 950 return xfrm_policy_lookup_bytype(net, XFRM_POLICY_TYPE_MAIN, fl, family, dir);
1016 *obj_refp = &pol->refcnt; 951}
1017 return err; 952
953static struct flow_cache_object *
954xfrm_policy_lookup(struct net *net, struct flowi *fl, u16 family,
955 u8 dir, struct flow_cache_object *old_obj, void *ctx)
956{
957 struct xfrm_policy *pol;
958
959 if (old_obj)
960 xfrm_pol_put(container_of(old_obj, struct xfrm_policy, flo));
961
962 pol = __xfrm_policy_lookup(net, fl, family, dir);
963 if (IS_ERR_OR_NULL(pol))
964 return ERR_CAST(pol);
965
966 /* Resolver returns two references:
967 * one for cache and one for caller of flow_cache_lookup() */
968 xfrm_pol_hold(pol);
969
970 return &pol->flo;
1018} 971}
1019 972
1020static inline int policy_to_flow_dir(int dir) 973static inline int policy_to_flow_dir(int dir)
@@ -1104,8 +1057,6 @@ int xfrm_policy_delete(struct xfrm_policy *pol, int dir)
1104 pol = __xfrm_policy_unlink(pol, dir); 1057 pol = __xfrm_policy_unlink(pol, dir);
1105 write_unlock_bh(&xfrm_policy_lock); 1058 write_unlock_bh(&xfrm_policy_lock);
1106 if (pol) { 1059 if (pol) {
1107 if (dir < XFRM_POLICY_MAX)
1108 atomic_inc(&flow_cache_genid);
1109 xfrm_policy_kill(pol); 1060 xfrm_policy_kill(pol);
1110 return 0; 1061 return 0;
1111 } 1062 }
@@ -1132,6 +1083,9 @@ int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol)
1132 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir); 1083 __xfrm_policy_link(pol, XFRM_POLICY_MAX+dir);
1133 } 1084 }
1134 if (old_pol) 1085 if (old_pol)
1086 /* Unlinking succeeds always. This is the only function
1087 * allowed to delete or replace socket policy.
1088 */
1135 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir); 1089 __xfrm_policy_unlink(old_pol, XFRM_POLICY_MAX+dir);
1136 write_unlock_bh(&xfrm_policy_lock); 1090 write_unlock_bh(&xfrm_policy_lock);
1137 1091
@@ -1300,18 +1254,6 @@ xfrm_tmpl_resolve(struct xfrm_policy **pols, int npols, struct flowi *fl,
1300 * still valid. 1254 * still valid.
1301 */ 1255 */
1302 1256
1303static struct dst_entry *
1304xfrm_find_bundle(struct flowi *fl, struct xfrm_policy *policy, unsigned short family)
1305{
1306 struct dst_entry *x;
1307 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
1308 if (unlikely(afinfo == NULL))
1309 return ERR_PTR(-EINVAL);
1310 x = afinfo->find_bundle(fl, policy);
1311 xfrm_policy_put_afinfo(afinfo);
1312 return x;
1313}
1314
1315static inline int xfrm_get_tos(struct flowi *fl, int family) 1257static inline int xfrm_get_tos(struct flowi *fl, int family)
1316{ 1258{
1317 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1259 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
@@ -1327,6 +1269,54 @@ static inline int xfrm_get_tos(struct flowi *fl, int family)
1327 return tos; 1269 return tos;
1328} 1270}
1329 1271
1272static struct flow_cache_object *xfrm_bundle_flo_get(struct flow_cache_object *flo)
1273{
1274 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1275 struct dst_entry *dst = &xdst->u.dst;
1276
1277 if (xdst->route == NULL) {
1278 /* Dummy bundle - if it has xfrms we were not
1279 * able to build bundle as template resolution failed.
1280 * It means we need to try again resolving. */
1281 if (xdst->num_xfrms > 0)
1282 return NULL;
1283 } else {
1284 /* Real bundle */
1285 if (stale_bundle(dst))
1286 return NULL;
1287 }
1288
1289 dst_hold(dst);
1290 return flo;
1291}
1292
1293static int xfrm_bundle_flo_check(struct flow_cache_object *flo)
1294{
1295 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1296 struct dst_entry *dst = &xdst->u.dst;
1297
1298 if (!xdst->route)
1299 return 0;
1300 if (stale_bundle(dst))
1301 return 0;
1302
1303 return 1;
1304}
1305
1306static void xfrm_bundle_flo_delete(struct flow_cache_object *flo)
1307{
1308 struct xfrm_dst *xdst = container_of(flo, struct xfrm_dst, flo);
1309 struct dst_entry *dst = &xdst->u.dst;
1310
1311 dst_free(dst);
1312}
1313
1314static const struct flow_cache_ops xfrm_bundle_fc_ops = {
1315 .get = xfrm_bundle_flo_get,
1316 .check = xfrm_bundle_flo_check,
1317 .delete = xfrm_bundle_flo_delete,
1318};
1319
1330static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family) 1320static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1331{ 1321{
1332 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family); 1322 struct xfrm_policy_afinfo *afinfo = xfrm_policy_get_afinfo(family);
@@ -1349,9 +1339,10 @@ static inline struct xfrm_dst *xfrm_alloc_dst(struct net *net, int family)
1349 BUG(); 1339 BUG();
1350 } 1340 }
1351 xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS); 1341 xdst = dst_alloc(dst_ops) ?: ERR_PTR(-ENOBUFS);
1352
1353 xfrm_policy_put_afinfo(afinfo); 1342 xfrm_policy_put_afinfo(afinfo);
1354 1343
1344 xdst->flo.ops = &xfrm_bundle_fc_ops;
1345
1355 return xdst; 1346 return xdst;
1356} 1347}
1357 1348
@@ -1389,6 +1380,7 @@ static inline int xfrm_fill_dst(struct xfrm_dst *xdst, struct net_device *dev,
1389 return err; 1380 return err;
1390} 1381}
1391 1382
1383
1392/* Allocate chain of dst_entry's, attach known xfrm's, calculate 1384/* Allocate chain of dst_entry's, attach known xfrm's, calculate
1393 * all the metrics... Shortly, bundle a bundle. 1385 * all the metrics... Shortly, bundle a bundle.
1394 */ 1386 */
@@ -1452,7 +1444,7 @@ static struct dst_entry *xfrm_bundle_create(struct xfrm_policy *policy,
1452 dst_hold(dst); 1444 dst_hold(dst);
1453 1445
1454 dst1->xfrm = xfrm[i]; 1446 dst1->xfrm = xfrm[i];
1455 xdst->genid = xfrm[i]->genid; 1447 xdst->xfrm_genid = xfrm[i]->genid;
1456 1448
1457 dst1->obsolete = -1; 1449 dst1->obsolete = -1;
1458 dst1->flags |= DST_HOST; 1450 dst1->flags |= DST_HOST;
@@ -1545,7 +1537,186 @@ xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
1545#endif 1537#endif
1546} 1538}
1547 1539
1548static int stale_bundle(struct dst_entry *dst); 1540static int xfrm_expand_policies(struct flowi *fl, u16 family,
1541 struct xfrm_policy **pols,
1542 int *num_pols, int *num_xfrms)
1543{
1544 int i;
1545
1546 if (*num_pols == 0 || !pols[0]) {
1547 *num_pols = 0;
1548 *num_xfrms = 0;
1549 return 0;
1550 }
1551 if (IS_ERR(pols[0]))
1552 return PTR_ERR(pols[0]);
1553
1554 *num_xfrms = pols[0]->xfrm_nr;
1555
1556#ifdef CONFIG_XFRM_SUB_POLICY
1557 if (pols[0] && pols[0]->action == XFRM_POLICY_ALLOW &&
1558 pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1559 pols[1] = xfrm_policy_lookup_bytype(xp_net(pols[0]),
1560 XFRM_POLICY_TYPE_MAIN,
1561 fl, family,
1562 XFRM_POLICY_OUT);
1563 if (pols[1]) {
1564 if (IS_ERR(pols[1])) {
1565 xfrm_pols_put(pols, *num_pols);
1566 return PTR_ERR(pols[1]);
1567 }
1568 (*num_pols) ++;
1569 (*num_xfrms) += pols[1]->xfrm_nr;
1570 }
1571 }
1572#endif
1573 for (i = 0; i < *num_pols; i++) {
1574 if (pols[i]->action != XFRM_POLICY_ALLOW) {
1575 *num_xfrms = -1;
1576 break;
1577 }
1578 }
1579
1580 return 0;
1581
1582}
1583
1584static struct xfrm_dst *
1585xfrm_resolve_and_create_bundle(struct xfrm_policy **pols, int num_pols,
1586 struct flowi *fl, u16 family,
1587 struct dst_entry *dst_orig)
1588{
1589 struct net *net = xp_net(pols[0]);
1590 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1591 struct dst_entry *dst;
1592 struct xfrm_dst *xdst;
1593 int err;
1594
1595 /* Try to instantiate a bundle */
1596 err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family);
1597 if (err < 0) {
1598 if (err != -EAGAIN)
1599 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1600 return ERR_PTR(err);
1601 }
1602
1603 dst = xfrm_bundle_create(pols[0], xfrm, err, fl, dst_orig);
1604 if (IS_ERR(dst)) {
1605 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1606 return ERR_CAST(dst);
1607 }
1608
1609 xdst = (struct xfrm_dst *)dst;
1610 xdst->num_xfrms = err;
1611 if (num_pols > 1)
1612 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1613 else
1614 err = xfrm_dst_update_origin(dst, fl);
1615 if (unlikely(err)) {
1616 dst_free(dst);
1617 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1618 return ERR_PTR(err);
1619 }
1620
1621 xdst->num_pols = num_pols;
1622 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1623 xdst->policy_genid = atomic_read(&pols[0]->genid);
1624
1625 return xdst;
1626}
1627
1628static struct flow_cache_object *
1629xfrm_bundle_lookup(struct net *net, struct flowi *fl, u16 family, u8 dir,
1630 struct flow_cache_object *oldflo, void *ctx)
1631{
1632 struct dst_entry *dst_orig = (struct dst_entry *)ctx;
1633 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1634 struct xfrm_dst *xdst, *new_xdst;
1635 int num_pols = 0, num_xfrms = 0, i, err, pol_dead;
1636
1637 /* Check if the policies from old bundle are usable */
1638 xdst = NULL;
1639 if (oldflo) {
1640 xdst = container_of(oldflo, struct xfrm_dst, flo);
1641 num_pols = xdst->num_pols;
1642 num_xfrms = xdst->num_xfrms;
1643 pol_dead = 0;
1644 for (i = 0; i < num_pols; i++) {
1645 pols[i] = xdst->pols[i];
1646 pol_dead |= pols[i]->walk.dead;
1647 }
1648 if (pol_dead) {
1649 dst_free(&xdst->u.dst);
1650 xdst = NULL;
1651 num_pols = 0;
1652 num_xfrms = 0;
1653 oldflo = NULL;
1654 }
1655 }
1656
1657 /* Resolve policies to use if we couldn't get them from
1658 * previous cache entry */
1659 if (xdst == NULL) {
1660 num_pols = 1;
1661 pols[0] = __xfrm_policy_lookup(net, fl, family, dir);
1662 err = xfrm_expand_policies(fl, family, pols,
1663 &num_pols, &num_xfrms);
1664 if (err < 0)
1665 goto inc_error;
1666 if (num_pols == 0)
1667 return NULL;
1668 if (num_xfrms <= 0)
1669 goto make_dummy_bundle;
1670 }
1671
1672 new_xdst = xfrm_resolve_and_create_bundle(pols, num_pols, fl, family, dst_orig);
1673 if (IS_ERR(new_xdst)) {
1674 err = PTR_ERR(new_xdst);
1675 if (err != -EAGAIN)
1676 goto error;
1677 if (oldflo == NULL)
1678 goto make_dummy_bundle;
1679 dst_hold(&xdst->u.dst);
1680 return oldflo;
1681 }
1682
1683 /* Kill the previous bundle */
1684 if (xdst) {
1685 /* The policies were stolen for newly generated bundle */
1686 xdst->num_pols = 0;
1687 dst_free(&xdst->u.dst);
1688 }
1689
1690 /* Flow cache does not have reference, it dst_free()'s,
1691 * but we do need to return one reference for original caller */
1692 dst_hold(&new_xdst->u.dst);
1693 return &new_xdst->flo;
1694
1695make_dummy_bundle:
1696 /* We found policies, but there's no bundles to instantiate:
1697 * either because the policy blocks, has no transformations or
1698 * we could not build template (no xfrm_states).*/
1699 xdst = xfrm_alloc_dst(net, family);
1700 if (IS_ERR(xdst)) {
1701 xfrm_pols_put(pols, num_pols);
1702 return ERR_CAST(xdst);
1703 }
1704 xdst->num_pols = num_pols;
1705 xdst->num_xfrms = num_xfrms;
1706 memcpy(xdst->pols, pols, sizeof(struct xfrm_policy*) * num_pols);
1707
1708 dst_hold(&xdst->u.dst);
1709 return &xdst->flo;
1710
1711inc_error:
1712 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1713error:
1714 if (xdst != NULL)
1715 dst_free(&xdst->u.dst);
1716 else
1717 xfrm_pols_put(pols, num_pols);
1718 return ERR_PTR(err);
1719}
1549 1720
1550/* Main function: finds/creates a bundle for given flow. 1721/* Main function: finds/creates a bundle for given flow.
1551 * 1722 *
@@ -1555,245 +1726,152 @@ static int stale_bundle(struct dst_entry *dst);
1555int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl, 1726int __xfrm_lookup(struct net *net, struct dst_entry **dst_p, struct flowi *fl,
1556 struct sock *sk, int flags) 1727 struct sock *sk, int flags)
1557{ 1728{
1558 struct xfrm_policy *policy;
1559 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX]; 1729 struct xfrm_policy *pols[XFRM_POLICY_TYPE_MAX];
1560 int npols; 1730 struct flow_cache_object *flo;
1561 int pol_dead; 1731 struct xfrm_dst *xdst;
1562 int xfrm_nr; 1732 struct dst_entry *dst, *dst_orig = *dst_p, *route;
1563 int pi; 1733 u16 family = dst_orig->ops->family;
1564 struct xfrm_state *xfrm[XFRM_MAX_DEPTH];
1565 struct dst_entry *dst, *dst_orig = *dst_p;
1566 int nx = 0;
1567 int err;
1568 u32 genid;
1569 u16 family;
1570 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT); 1734 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
1735 int i, err, num_pols, num_xfrms = 0, drop_pols = 0;
1571 1736
1572restart: 1737restart:
1573 genid = atomic_read(&flow_cache_genid); 1738 dst = NULL;
1574 policy = NULL; 1739 xdst = NULL;
1575 for (pi = 0; pi < ARRAY_SIZE(pols); pi++) 1740 route = NULL;
1576 pols[pi] = NULL;
1577 npols = 0;
1578 pol_dead = 0;
1579 xfrm_nr = 0;
1580 1741
1581 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) { 1742 if (sk && sk->sk_policy[XFRM_POLICY_OUT]) {
1582 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); 1743 num_pols = 1;
1583 err = PTR_ERR(policy); 1744 pols[0] = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1584 if (IS_ERR(policy)) { 1745 err = xfrm_expand_policies(fl, family, pols,
1585 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 1746 &num_pols, &num_xfrms);
1747 if (err < 0)
1586 goto dropdst; 1748 goto dropdst;
1749
1750 if (num_pols) {
1751 if (num_xfrms <= 0) {
1752 drop_pols = num_pols;
1753 goto no_transform;
1754 }
1755
1756 xdst = xfrm_resolve_and_create_bundle(
1757 pols, num_pols, fl,
1758 family, dst_orig);
1759 if (IS_ERR(xdst)) {
1760 xfrm_pols_put(pols, num_pols);
1761 err = PTR_ERR(xdst);
1762 goto dropdst;
1763 }
1764
1765 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
1766 xdst->u.dst.next = xfrm_policy_sk_bundles;
1767 xfrm_policy_sk_bundles = &xdst->u.dst;
1768 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
1769
1770 route = xdst->route;
1587 } 1771 }
1588 } 1772 }
1589 1773
1590 if (!policy) { 1774 if (xdst == NULL) {
1591 /* To accelerate a bit... */ 1775 /* To accelerate a bit... */
1592 if ((dst_orig->flags & DST_NOXFRM) || 1776 if ((dst_orig->flags & DST_NOXFRM) ||
1593 !net->xfrm.policy_count[XFRM_POLICY_OUT]) 1777 !net->xfrm.policy_count[XFRM_POLICY_OUT])
1594 goto nopol; 1778 goto nopol;
1595 1779
1596 policy = flow_cache_lookup(net, fl, dst_orig->ops->family, 1780 flo = flow_cache_lookup(net, fl, family, dir,
1597 dir, xfrm_policy_lookup); 1781 xfrm_bundle_lookup, dst_orig);
1598 err = PTR_ERR(policy); 1782 if (flo == NULL)
1599 if (IS_ERR(policy)) { 1783 goto nopol;
1600 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); 1784 if (IS_ERR(flo)) {
1785 err = PTR_ERR(flo);
1601 goto dropdst; 1786 goto dropdst;
1602 } 1787 }
1788 xdst = container_of(flo, struct xfrm_dst, flo);
1789
1790 num_pols = xdst->num_pols;
1791 num_xfrms = xdst->num_xfrms;
1792 memcpy(pols, xdst->pols, sizeof(struct xfrm_policy*) * num_pols);
1793 route = xdst->route;
1794 }
1795
1796 dst = &xdst->u.dst;
1797 if (route == NULL && num_xfrms > 0) {
1798 /* The only case when xfrm_bundle_lookup() returns a
1799 * bundle with null route, is when the template could
1800 * not be resolved. It means policies are there, but
1801 * bundle could not be created, since we don't yet
1802 * have the xfrm_state's. We need to wait for KM to
1803 * negotiate new SA's or bail out with error.*/
1804 if (net->xfrm.sysctl_larval_drop) {
1805 /* EREMOTE tells the caller to generate
1806 * a one-shot blackhole route. */
1807 dst_release(dst);
1808 xfrm_pols_put(pols, drop_pols);
1809 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1810 return -EREMOTE;
1811 }
1812 if (flags & XFRM_LOOKUP_WAIT) {
1813 DECLARE_WAITQUEUE(wait, current);
1814
1815 add_wait_queue(&net->xfrm.km_waitq, &wait);
1816 set_current_state(TASK_INTERRUPTIBLE);
1817 schedule();
1818 set_current_state(TASK_RUNNING);
1819 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1820
1821 if (!signal_pending(current)) {
1822 dst_release(dst);
1823 goto restart;
1824 }
1825
1826 err = -ERESTART;
1827 } else
1828 err = -EAGAIN;
1829
1830 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1831 goto error;
1603 } 1832 }
1604 1833
1605 if (!policy) 1834no_transform:
1835 if (num_pols == 0)
1606 goto nopol; 1836 goto nopol;
1607 1837
1608 family = dst_orig->ops->family; 1838 if ((flags & XFRM_LOOKUP_ICMP) &&
1609 pols[0] = policy; 1839 !(pols[0]->flags & XFRM_POLICY_ICMP)) {
1610 npols ++; 1840 err = -ENOENT;
1611 xfrm_nr += pols[0]->xfrm_nr;
1612
1613 err = -ENOENT;
1614 if ((flags & XFRM_LOOKUP_ICMP) && !(policy->flags & XFRM_POLICY_ICMP))
1615 goto error; 1841 goto error;
1842 }
1616 1843
1617 policy->curlft.use_time = get_seconds(); 1844 for (i = 0; i < num_pols; i++)
1845 pols[i]->curlft.use_time = get_seconds();
1618 1846
1619 switch (policy->action) { 1847 if (num_xfrms < 0) {
1620 default:
1621 case XFRM_POLICY_BLOCK:
1622 /* Prohibit the flow */ 1848 /* Prohibit the flow */
1623 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK); 1849 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1624 err = -EPERM; 1850 err = -EPERM;
1625 goto error; 1851 goto error;
1626 1852 } else if (num_xfrms > 0) {
1627 case XFRM_POLICY_ALLOW: 1853 /* Flow transformed */
1628#ifndef CONFIG_XFRM_SUB_POLICY 1854 *dst_p = dst;
1629 if (policy->xfrm_nr == 0) { 1855 dst_release(dst_orig);
1630 /* Flow passes not transformed. */ 1856 } else {
1631 xfrm_pol_put(policy); 1857 /* Flow passes untransformed */
1632 return 0; 1858 dst_release(dst);
1633 }
1634#endif
1635
1636 /* Try to find matching bundle.
1637 *
1638 * LATER: help from flow cache. It is optional, this
1639 * is required only for output policy.
1640 */
1641 dst = xfrm_find_bundle(fl, policy, family);
1642 if (IS_ERR(dst)) {
1643 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1644 err = PTR_ERR(dst);
1645 goto error;
1646 }
1647
1648 if (dst)
1649 break;
1650
1651#ifdef CONFIG_XFRM_SUB_POLICY
1652 if (pols[0]->type != XFRM_POLICY_TYPE_MAIN) {
1653 pols[1] = xfrm_policy_lookup_bytype(net,
1654 XFRM_POLICY_TYPE_MAIN,
1655 fl, family,
1656 XFRM_POLICY_OUT);
1657 if (pols[1]) {
1658 if (IS_ERR(pols[1])) {
1659 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR);
1660 err = PTR_ERR(pols[1]);
1661 goto error;
1662 }
1663 if (pols[1]->action == XFRM_POLICY_BLOCK) {
1664 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLBLOCK);
1665 err = -EPERM;
1666 goto error;
1667 }
1668 npols ++;
1669 xfrm_nr += pols[1]->xfrm_nr;
1670 }
1671 }
1672
1673 /*
1674 * Because neither flowi nor bundle information knows about
1675 * transformation template size. On more than one policy usage
1676 * we can realize whether all of them is bypass or not after
1677 * they are searched. See above not-transformed bypass
1678 * is surrounded by non-sub policy configuration, too.
1679 */
1680 if (xfrm_nr == 0) {
1681 /* Flow passes not transformed. */
1682 xfrm_pols_put(pols, npols);
1683 return 0;
1684 }
1685
1686#endif
1687 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1688
1689 if (unlikely(nx<0)) {
1690 err = nx;
1691 if (err == -EAGAIN && net->xfrm.sysctl_larval_drop) {
1692 /* EREMOTE tells the caller to generate
1693 * a one-shot blackhole route.
1694 */
1695 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1696 xfrm_pol_put(policy);
1697 return -EREMOTE;
1698 }
1699 if (err == -EAGAIN && (flags & XFRM_LOOKUP_WAIT)) {
1700 DECLARE_WAITQUEUE(wait, current);
1701
1702 add_wait_queue(&net->xfrm.km_waitq, &wait);
1703 set_current_state(TASK_INTERRUPTIBLE);
1704 schedule();
1705 set_current_state(TASK_RUNNING);
1706 remove_wait_queue(&net->xfrm.km_waitq, &wait);
1707
1708 nx = xfrm_tmpl_resolve(pols, npols, fl, xfrm, family);
1709
1710 if (nx == -EAGAIN && signal_pending(current)) {
1711 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1712 err = -ERESTART;
1713 goto error;
1714 }
1715 if (nx == -EAGAIN ||
1716 genid != atomic_read(&flow_cache_genid)) {
1717 xfrm_pols_put(pols, npols);
1718 goto restart;
1719 }
1720 err = nx;
1721 }
1722 if (err < 0) {
1723 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTNOSTATES);
1724 goto error;
1725 }
1726 }
1727 if (nx == 0) {
1728 /* Flow passes not transformed. */
1729 xfrm_pols_put(pols, npols);
1730 return 0;
1731 }
1732
1733 dst = xfrm_bundle_create(policy, xfrm, nx, fl, dst_orig);
1734 err = PTR_ERR(dst);
1735 if (IS_ERR(dst)) {
1736 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLEGENERROR);
1737 goto error;
1738 }
1739
1740 for (pi = 0; pi < npols; pi++) {
1741 read_lock_bh(&pols[pi]->lock);
1742 pol_dead |= pols[pi]->walk.dead;
1743 read_unlock_bh(&pols[pi]->lock);
1744 }
1745
1746 write_lock_bh(&policy->lock);
1747 if (unlikely(pol_dead || stale_bundle(dst))) {
1748 /* Wow! While we worked on resolving, this
1749 * policy has gone. Retry. It is not paranoia,
1750 * we just cannot enlist new bundle to dead object.
1751 * We can't enlist stable bundles either.
1752 */
1753 write_unlock_bh(&policy->lock);
1754 dst_free(dst);
1755
1756 if (pol_dead)
1757 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLDEAD);
1758 else
1759 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1760 err = -EHOSTUNREACH;
1761 goto error;
1762 }
1763
1764 if (npols > 1)
1765 err = xfrm_dst_update_parent(dst, &pols[1]->selector);
1766 else
1767 err = xfrm_dst_update_origin(dst, fl);
1768 if (unlikely(err)) {
1769 write_unlock_bh(&policy->lock);
1770 dst_free(dst);
1771 XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTBUNDLECHECKERROR);
1772 goto error;
1773 }
1774
1775 dst->next = policy->bundles;
1776 policy->bundles = dst;
1777 dst_hold(dst);
1778 write_unlock_bh(&policy->lock);
1779 } 1859 }
1780 *dst_p = dst; 1860ok:
1781 dst_release(dst_orig); 1861 xfrm_pols_put(pols, drop_pols);
1782 xfrm_pols_put(pols, npols);
1783 return 0; 1862 return 0;
1784 1863
1864nopol:
1865 if (!(flags & XFRM_LOOKUP_ICMP))
1866 goto ok;
1867 err = -ENOENT;
1785error: 1868error:
1786 xfrm_pols_put(pols, npols); 1869 dst_release(dst);
1787dropdst: 1870dropdst:
1788 dst_release(dst_orig); 1871 dst_release(dst_orig);
1789 *dst_p = NULL; 1872 *dst_p = NULL;
1873 xfrm_pols_put(pols, drop_pols);
1790 return err; 1874 return err;
1791
1792nopol:
1793 err = -ENOENT;
1794 if (flags & XFRM_LOOKUP_ICMP)
1795 goto dropdst;
1796 return 0;
1797} 1875}
1798EXPORT_SYMBOL(__xfrm_lookup); 1876EXPORT_SYMBOL(__xfrm_lookup);
1799 1877
@@ -1952,9 +2030,16 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1952 } 2030 }
1953 } 2031 }
1954 2032
1955 if (!pol) 2033 if (!pol) {
1956 pol = flow_cache_lookup(net, &fl, family, fl_dir, 2034 struct flow_cache_object *flo;
1957 xfrm_policy_lookup); 2035
2036 flo = flow_cache_lookup(net, &fl, family, fl_dir,
2037 xfrm_policy_lookup, NULL);
2038 if (IS_ERR_OR_NULL(flo))
2039 pol = ERR_CAST(flo);
2040 else
2041 pol = container_of(flo, struct xfrm_policy, flo);
2042 }
1958 2043
1959 if (IS_ERR(pol)) { 2044 if (IS_ERR(pol)) {
1960 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR); 2045 XFRM_INC_STATS(net, LINUX_MIB_XFRMINPOLERROR);
@@ -2124,7 +2209,6 @@ EXPORT_SYMBOL(xfrm_dst_ifdown);
2124static void xfrm_link_failure(struct sk_buff *skb) 2209static void xfrm_link_failure(struct sk_buff *skb)
2125{ 2210{
2126 /* Impossible. Such dst must be popped before reaches point of failure. */ 2211 /* Impossible. Such dst must be popped before reaches point of failure. */
2127 return;
2128} 2212}
2129 2213
2130static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst) 2214static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
@@ -2138,71 +2222,24 @@ static struct dst_entry *xfrm_negative_advice(struct dst_entry *dst)
2138 return dst; 2222 return dst;
2139} 2223}
2140 2224
2141static void prune_one_bundle(struct xfrm_policy *pol, int (*func)(struct dst_entry *), struct dst_entry **gc_list_p) 2225static void __xfrm_garbage_collect(struct net *net)
2142{
2143 struct dst_entry *dst, **dstp;
2144
2145 write_lock(&pol->lock);
2146 dstp = &pol->bundles;
2147 while ((dst=*dstp) != NULL) {
2148 if (func(dst)) {
2149 *dstp = dst->next;
2150 dst->next = *gc_list_p;
2151 *gc_list_p = dst;
2152 } else {
2153 dstp = &dst->next;
2154 }
2155 }
2156 write_unlock(&pol->lock);
2157}
2158
2159static void xfrm_prune_bundles(struct net *net, int (*func)(struct dst_entry *))
2160{ 2226{
2161 struct dst_entry *gc_list = NULL; 2227 struct dst_entry *head, *next;
2162 int dir;
2163 2228
2164 read_lock_bh(&xfrm_policy_lock); 2229 flow_cache_flush();
2165 for (dir = 0; dir < XFRM_POLICY_MAX * 2; dir++) {
2166 struct xfrm_policy *pol;
2167 struct hlist_node *entry;
2168 struct hlist_head *table;
2169 int i;
2170 2230
2171 hlist_for_each_entry(pol, entry, 2231 spin_lock_bh(&xfrm_policy_sk_bundle_lock);
2172 &net->xfrm.policy_inexact[dir], bydst) 2232 head = xfrm_policy_sk_bundles;
2173 prune_one_bundle(pol, func, &gc_list); 2233 xfrm_policy_sk_bundles = NULL;
2234 spin_unlock_bh(&xfrm_policy_sk_bundle_lock);
2174 2235
2175 table = net->xfrm.policy_bydst[dir].table; 2236 while (head) {
2176 for (i = net->xfrm.policy_bydst[dir].hmask; i >= 0; i--) { 2237 next = head->next;
2177 hlist_for_each_entry(pol, entry, table + i, bydst) 2238 dst_free(head);
2178 prune_one_bundle(pol, func, &gc_list); 2239 head = next;
2179 }
2180 }
2181 read_unlock_bh(&xfrm_policy_lock);
2182
2183 while (gc_list) {
2184 struct dst_entry *dst = gc_list;
2185 gc_list = dst->next;
2186 dst_free(dst);
2187 } 2240 }
2188} 2241}
2189 2242
2190static int unused_bundle(struct dst_entry *dst)
2191{
2192 return !atomic_read(&dst->__refcnt);
2193}
2194
2195static void __xfrm_garbage_collect(struct net *net)
2196{
2197 xfrm_prune_bundles(net, unused_bundle);
2198}
2199
2200static int xfrm_flush_bundles(struct net *net)
2201{
2202 xfrm_prune_bundles(net, stale_bundle);
2203 return 0;
2204}
2205
2206static void xfrm_init_pmtu(struct dst_entry *dst) 2243static void xfrm_init_pmtu(struct dst_entry *dst)
2207{ 2244{
2208 do { 2245 do {
@@ -2260,7 +2297,9 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
2260 return 0; 2297 return 0;
2261 if (dst->xfrm->km.state != XFRM_STATE_VALID) 2298 if (dst->xfrm->km.state != XFRM_STATE_VALID)
2262 return 0; 2299 return 0;
2263 if (xdst->genid != dst->xfrm->genid) 2300 if (xdst->xfrm_genid != dst->xfrm->genid)
2301 return 0;
2302 if (xdst->policy_genid != atomic_read(&xdst->pols[0]->genid))
2264 return 0; 2303 return 0;
2265 2304
2266 if (strict && fl && 2305 if (strict && fl &&
@@ -2425,7 +2464,7 @@ static int xfrm_dev_event(struct notifier_block *this, unsigned long event, void
2425 2464
2426 switch (event) { 2465 switch (event) {
2427 case NETDEV_DOWN: 2466 case NETDEV_DOWN:
2428 xfrm_flush_bundles(dev_net(dev)); 2467 __xfrm_garbage_collect(dev_net(dev));
2429 } 2468 }
2430 return NOTIFY_DONE; 2469 return NOTIFY_DONE;
2431} 2470}
@@ -2531,7 +2570,6 @@ static void xfrm_policy_fini(struct net *net)
2531 audit_info.sessionid = -1; 2570 audit_info.sessionid = -1;
2532 audit_info.secid = 0; 2571 audit_info.secid = 0;
2533 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); 2572 xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info);
2534 flush_work(&xfrm_policy_gc_work);
2535 2573
2536 WARN_ON(!list_empty(&net->xfrm.policy_all)); 2574 WARN_ON(!list_empty(&net->xfrm.policy_all));
2537 2575
@@ -2757,7 +2795,6 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2757 struct xfrm_migrate *m, int num_migrate) 2795 struct xfrm_migrate *m, int num_migrate)
2758{ 2796{
2759 struct xfrm_migrate *mp; 2797 struct xfrm_migrate *mp;
2760 struct dst_entry *dst;
2761 int i, j, n = 0; 2798 int i, j, n = 0;
2762 2799
2763 write_lock_bh(&pol->lock); 2800 write_lock_bh(&pol->lock);
@@ -2782,10 +2819,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
2782 sizeof(pol->xfrm_vec[i].saddr)); 2819 sizeof(pol->xfrm_vec[i].saddr));
2783 pol->xfrm_vec[i].encap_family = mp->new_family; 2820 pol->xfrm_vec[i].encap_family = mp->new_family;
2784 /* flush bundles */ 2821 /* flush bundles */
2785 while ((dst = pol->bundles) != NULL) { 2822 atomic_inc(&pol->genid);
2786 pol->bundles = dst->next;
2787 dst_free(dst);
2788 }
2789 } 2823 }
2790 } 2824 }
2791 2825
generated by cgit v1.2.2 (git 2.25.0) at 2025-01-24 06:25:42 -0500