3 files changed, 63 insertions, 35 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index ba924d40df7d..f6c77bd36fdd 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -50,6 +50,40 @@ static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
 static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);
 static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);
+static inline int
+__xfrm4_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+{
+        return  addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
+                addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
+                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                (fl->proto == sel->proto || !sel->proto) &&
+                (fl->oif == sel->ifindex || !sel->ifindex);
+}
+static inline int
+__xfrm6_selector_match(struct xfrm_selector *sel, struct flowi *fl)
+{
+        return  addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
+                addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
+                !((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
+                !((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
+                (fl->proto == sel->proto || !sel->proto) &&
+                (fl->oif == sel->ifindex || !sel->ifindex);
+}
+int xfrm_selector_match(struct xfrm_selector *sel, struct flowi *fl,
+                    unsigned short family)
+{
+        switch (family) {
+        case AF_INET:
+                return __xfrm4_selector_match(sel, fl);
+        case AF_INET6:
+                return __xfrm6_selector_match(sel, fl);
+        }
+        return 0;
+}
 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
 {
        struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
@@ -1177,6 +1211,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy *policy, struct flowi *fl,
                if (tmpl->mode == XFRM_MODE_TUNNEL) {
                        remote = &tmpl->id.daddr;
                        local = &tmpl->saddr;
+                        family = tmpl->encap_family;
                        if (xfrm_addr_any(local, family)) {
                                error = xfrm_get_saddr(&tmp, remote, family);
                                if (error)
@@ -1894,7 +1929,8 @@ int xfrm_bundle_ok(struct xfrm_policy *pol, struct xfrm_dst *first,
                if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
                        return 0;
-                if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol))
+                if (fl && pol &&
+                    !security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
                        return 0;
                if (dst->xfrm->km.state != XFRM_STATE_VALID)
                        return 0;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 40c527179843..da54a64ccfa3 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1304,7 +1304,7 @@ int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
 }
 EXPORT_SYMBOL(km_query);
-int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, u16 sport)
+int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
 {
        int err = -EINVAL;
        struct xfrm_mgr *km;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c4cde57d9216..6f97665983d2 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -244,11 +244,10 @@ static int attach_one_algo(struct xfrm_algo **algpp, u8 *props,
        *props = algo->desc.sadb_alg_id;
        len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;
-        p = kmalloc(len, GFP_KERNEL);
+        p = kmemdup(ualg, len, GFP_KERNEL);
        if (!p)
                return -ENOMEM;
-        memcpy(p, ualg, len);
        strcpy(p->alg_name, algo->name);
        *algpp = p;
        return 0;
@@ -263,11 +262,10 @@ static int attach_encap_tmpl(struct xfrm_encap_tmpl **encapp, struct rtattr *u_a
                return 0;
        uencap = RTA_DATA(rta);
-        p = kmalloc(sizeof(*p), GFP_KERNEL);
+        p = kmemdup(uencap, sizeof(*p), GFP_KERNEL);
        if (!p)
                return -ENOMEM;
-        memcpy(p, uencap, sizeof(*p));
        *encapp = p;
        return 0;
 }
@@ -305,11 +303,10 @@ static int attach_one_addr(xfrm_address_t **addrpp, struct rtattr *u_arg)
                return 0;
        uaddrp = RTA_DATA(rta);
-        p = kmalloc(sizeof(*p), GFP_KERNEL);
+        p = kmemdup(uaddrp, sizeof(*p), GFP_KERNEL);
        if (!p)
                return -ENOMEM;
-        memcpy(p, uaddrp, sizeof(*p));
        *addrpp = p;
        return 0;
 }
@@ -495,6 +492,7 @@ static struct xfrm_state *xfrm_user_state_lookup(struct xfrm_usersa_id *p,
                        goto out;
                }
+                err = -ESRCH;
                x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto,
                                             p->family);
        }
@@ -652,7 +650,6 @@ static struct sk_buff *xfrm_state_netlink(struct sk_buff *in_skb,
        if (!skb)
                return ERR_PTR(-ENOMEM);
-        NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
        info.in_skb = in_skb;
        info.out_skb = skb;
        info.nlmsg_seq = seq;
@@ -772,7 +769,7 @@ out_noput:
        return err;
 }
-static int verify_policy_dir(__u8 dir)
+static int verify_policy_dir(u8 dir)
 {
        switch (dir) {
        case XFRM_POLICY_IN:
@@ -787,7 +784,7 @@ static int verify_policy_dir(__u8 dir)
        return 0;
 }
-static int verify_policy_type(__u8 type)
+static int verify_policy_type(u8 type)
 {
        switch (type) {
        case XFRM_POLICY_TYPE_MAIN:
@@ -861,6 +858,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
        int i;
        xp->xfrm_nr = nr;
+        xp->family = ut->family;
        for (i = 0; i < nr; i++, ut++) {
                struct xfrm_tmpl *t = &xp->xfrm_vec[i];
@@ -874,6 +872,7 @@ static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
                t->aalgos = ut->aalgos;
                t->ealgos = ut->ealgos;
                t->calgos = ut->calgos;
+                t->encap_family = ut->family;
        }
 }
@@ -900,7 +899,7 @@ static int copy_from_user_policy_type(u8 *tp, struct rtattr **xfrma)
 {
        struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1];
        struct xfrm_userpolicy_type *upt;
-        __u8 type = XFRM_POLICY_TYPE_MAIN;
+        u8 type = XFRM_POLICY_TYPE_MAIN;
        int err;
        if (rt) {
@@ -1027,7 +1026,7 @@ static int copy_to_user_tmpl(struct xfrm_policy *xp, struct sk_buff *skb)
                struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
                memcpy(&up->id, &kp->id, sizeof(up->id));
-                up->family = xp->family;
+                up->family = kp->encap_family;
                memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
                up->reqid = kp->reqid;
                up->mode = kp->mode;
@@ -1082,12 +1081,12 @@ static inline int copy_to_user_sec_ctx(struct xfrm_policy *xp, struct sk_buff *s
 }
 #ifdef CONFIG_XFRM_SUB_POLICY
-static int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
+static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
 {
        struct xfrm_userpolicy_type upt;
        memset(&upt, 0, sizeof(upt));
-        upt.type = xp->type;
+        upt.type = type;
        RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
@@ -1098,7 +1097,7 @@ rtattr_failure:
 }
 #else
-static inline int copy_to_user_policy_type(struct xfrm_policy *xp, struct sk_buff *skb)
+static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
 {
        return 0;
 }
@@ -1127,7 +1126,7 @@ static int dump_one_policy(struct xfrm_policy *xp, int dir, int count, void *ptr
                goto nlmsg_failure;
        if (copy_to_user_sec_ctx(xp, skb))
                goto nlmsg_failure;
-        if (copy_to_user_policy_type(xp, skb) < 0)
+        if (copy_to_user_policy_type(xp->type, skb) < 0)
                goto nlmsg_failure;
        nlh->nlmsg_len = skb->tail - b;
@@ -1170,7 +1169,6 @@ static struct sk_buff *xfrm_policy_netlink(struct sk_buff *in_skb,
        if (!skb)
                return ERR_PTR(-ENOMEM);
-        NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
        info.in_skb = in_skb;
        info.out_skb = skb;
        info.nlmsg_seq = seq;
@@ -1189,7 +1187,7 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfr
 {
        struct xfrm_policy *xp;
        struct xfrm_userpolicy_id *p;
-        __u8 type = XFRM_POLICY_TYPE_MAIN;
+        u8 type = XFRM_POLICY_TYPE_MAIN;
        int err;
        struct km_event c;
        int delete;
@@ -1283,10 +1281,12 @@ static int build_aevent(struct sk_buff *skb, struct xfrm_state *x, struct km_eve
        id = NLMSG_DATA(nlh);
        nlh->nlmsg_flags = 0;
-        id->sa_id.daddr = x->id.daddr;
+        memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr));
        id->sa_id.spi = x->id.spi;
        id->sa_id.family = x->props.family;
        id->sa_id.proto = x->id.proto;
+        memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr));
+        id->reqid = x->props.reqid;
        id->flags = c->data.aevent;
        RTA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
@@ -1407,7 +1407,7 @@ out:
 static int xfrm_flush_policy(struct sk_buff *skb, struct nlmsghdr *nlh, void **xfrma)
 {
        struct km_event c;
-        __u8 type = XFRM_POLICY_TYPE_MAIN;
+        u8 type = XFRM_POLICY_TYPE_MAIN;
        int err;
        err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1428,7 +1428,7 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh, void *
        struct xfrm_policy *xp;
        struct xfrm_user_polexpire *up = NLMSG_DATA(nlh);
        struct xfrm_userpolicy_info *p = &up->pol;
-        __u8 type = XFRM_POLICY_TYPE_MAIN;
+        u8 type = XFRM_POLICY_TYPE_MAIN;
        int err = -ENOENT;
        err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1907,7 +1907,7 @@ static int build_acquire(struct sk_buff *skb, struct xfrm_state *x,
                goto nlmsg_failure;
        if (copy_to_user_state_sec_ctx(x, skb))
                goto nlmsg_failure;
-        if (copy_to_user_policy_type(xp, skb) < 0)
+        if (copy_to_user_policy_type(xp->type, skb) < 0)
                goto nlmsg_failure;
        nlh->nlmsg_len = skb->tail - b;
@@ -2017,7 +2017,7 @@ static int build_polexpire(struct sk_buff *skb, struct xfrm_policy *xp,
                goto nlmsg_failure;
        if (copy_to_user_sec_ctx(xp, skb))
                goto nlmsg_failure;
-        if (copy_to_user_policy_type(xp, skb) < 0)
+        if (copy_to_user_policy_type(xp->type, skb) < 0)
                goto nlmsg_failure;
        upe->hard = !!hard;
@@ -2096,7 +2096,7 @@ static int xfrm_notify_policy(struct xfrm_policy *xp, int dir, struct km_event *
        copy_to_user_policy(xp, p, dir);
        if (copy_to_user_tmpl(xp, skb) < 0)
                goto nlmsg_failure;
-        if (copy_to_user_policy_type(xp, skb) < 0)
+        if (copy_to_user_policy_type(xp->type, skb) < 0)
                goto nlmsg_failure;
        nlh->nlmsg_len = skb->tail - b;
@@ -2117,7 +2117,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
        unsigned char *b;
        int len = 0;
 #ifdef CONFIG_XFRM_SUB_POLICY
-        struct xfrm_userpolicy_type upt;
        len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));
 #endif
        len += NLMSG_LENGTH(0);
@@ -2130,12 +2129,8 @@ static int xfrm_notify_policy_flush(struct km_event *c)
        nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);
        nlh->nlmsg_flags = 0;
+        if (copy_to_user_policy_type(c->data.type, skb) < 0)
-#ifdef CONFIG_XFRM_SUB_POLICY
+                goto nlmsg_failure;
-        memset(&upt, 0, sizeof(upt));
-        upt.type = c->data.type;
-        RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
-#endif
        nlh->nlmsg_len = skb->tail - b;
@@ -2143,9 +2138,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
        return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);
 nlmsg_failure:
-#ifdef CONFIG_XFRM_SUB_POLICY
-rtattr_failure:
-#endif
        kfree_skb(skb);
        return -1;
 }

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index ba924d40df7d..f6c77bd36fdd 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c
@@ -50,6 +50,40 @@ static void xfrm_policy_put_afinfo(struct xfrm_policy_afinfo *afinfo);
50	static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);	50	static struct xfrm_policy_afinfo *xfrm_policy_lock_afinfo(unsigned int family);
51	static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);	51	static void xfrm_policy_unlock_afinfo(struct xfrm_policy_afinfo *afinfo);
52		52
		53	static inline int
		54	__xfrm4_selector_match(struct xfrm_selector sel, struct flowi fl)
		55	{
		56	return addr_match(&fl->fl4_dst, &sel->daddr, sel->prefixlen_d) &&
		57	addr_match(&fl->fl4_src, &sel->saddr, sel->prefixlen_s) &&
		58	!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
		59	!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
		60	(fl->proto == sel->proto \|\| !sel->proto) &&
		61	(fl->oif == sel->ifindex \|\| !sel->ifindex);
		62	}
		63
		64	static inline int
		65	__xfrm6_selector_match(struct xfrm_selector sel, struct flowi fl)
		66	{
		67	return addr_match(&fl->fl6_dst, &sel->daddr, sel->prefixlen_d) &&
		68	addr_match(&fl->fl6_src, &sel->saddr, sel->prefixlen_s) &&
		69	!((xfrm_flowi_dport(fl) ^ sel->dport) & sel->dport_mask) &&
		70	!((xfrm_flowi_sport(fl) ^ sel->sport) & sel->sport_mask) &&
		71	(fl->proto == sel->proto \|\| !sel->proto) &&
		72	(fl->oif == sel->ifindex \|\| !sel->ifindex);
		73	}
		74
		75	int xfrm_selector_match(struct xfrm_selector sel, struct flowi fl,
		76	unsigned short family)
		77	{
		78	switch (family) {
		79	case AF_INET:
		80	return __xfrm4_selector_match(sel, fl);
		81	case AF_INET6:
		82	return __xfrm6_selector_match(sel, fl);
		83	}
		84	return 0;
		85	}
		86
53	int xfrm_register_type(struct xfrm_type *type, unsigned short family)	87	int xfrm_register_type(struct xfrm_type *type, unsigned short family)
54	{	88	{
55	struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);	89	struct xfrm_policy_afinfo *afinfo = xfrm_policy_lock_afinfo(family);
@@ -1177,6 +1211,7 @@ xfrm_tmpl_resolve_one(struct xfrm_policy policy, struct flowi fl,
1177	if (tmpl->mode == XFRM_MODE_TUNNEL) {	1211	if (tmpl->mode == XFRM_MODE_TUNNEL) {
1178	remote = &tmpl->id.daddr;	1212	remote = &tmpl->id.daddr;
1179	local = &tmpl->saddr;	1213	local = &tmpl->saddr;
		1214	family = tmpl->encap_family;
1180	if (xfrm_addr_any(local, family)) {	1215	if (xfrm_addr_any(local, family)) {
1181	error = xfrm_get_saddr(&tmp, remote, family);	1216	error = xfrm_get_saddr(&tmp, remote, family);
1182	if (error)	1217	if (error)
@@ -1894,7 +1929,8 @@ int xfrm_bundle_ok(struct xfrm_policy pol, struct xfrm_dst first,
1894		1929
1895	if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))	1930	if (fl && !xfrm_selector_match(&dst->xfrm->sel, fl, family))
1896	return 0;	1931	return 0;
1897	if (fl && !security_xfrm_flow_state_match(fl, dst->xfrm, pol))	1932	if (fl && pol &&
		1933	!security_xfrm_state_pol_flow_match(dst->xfrm, pol, fl))
1898	return 0;	1934	return 0;
1899	if (dst->xfrm->km.state != XFRM_STATE_VALID)	1935	if (dst->xfrm->km.state != XFRM_STATE_VALID)
1900	return 0;	1936	return 0;


diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 40c527179843..da54a64ccfa3 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c
@@ -1304,7 +1304,7 @@ int km_query(struct xfrm_state x, struct xfrm_tmpl t, struct xfrm_policy *pol)
1304	}	1304	}
1305	EXPORT_SYMBOL(km_query);	1305	EXPORT_SYMBOL(km_query);
1306		1306
1307	int km_new_mapping(struct xfrm_state x, xfrm_address_t ipaddr, u16 sport)	1307	int km_new_mapping(struct xfrm_state x, xfrm_address_t ipaddr, __be16 sport)
1308	{	1308	{
1309	int err = -EINVAL;	1309	int err = -EINVAL;
1310	struct xfrm_mgr *km;	1310	struct xfrm_mgr *km;


diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index c4cde57d9216..6f97665983d2 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -244,11 +244,10 @@ static int attach_one_algo(struct xfrm_algo *algpp, u8 props,
244	*props = algo->desc.sadb_alg_id;	244	*props = algo->desc.sadb_alg_id;
245		245
246	len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;	246	len = sizeof(*ualg) + (ualg->alg_key_len + 7U) / 8;
247	p = kmalloc(len, GFP_KERNEL);	247	p = kmemdup(ualg, len, GFP_KERNEL);
248	if (!p)	248	if (!p)
249	return -ENOMEM;	249	return -ENOMEM;
250		250
251	memcpy(p, ualg, len);
252	strcpy(p->alg_name, algo->name);	251	strcpy(p->alg_name, algo->name);
253	*algpp = p;	252	*algpp = p;
254	return 0;	253	return 0;
@@ -263,11 +262,10 @@ static int attach_encap_tmpl(struct xfrm_encap_tmpl *encapp, struct rtattr u_a
263	return 0;	262	return 0;
264		263
265	uencap = RTA_DATA(rta);	264	uencap = RTA_DATA(rta);
266	p = kmalloc(sizeof(*p), GFP_KERNEL);	265	p = kmemdup(uencap, sizeof(*p), GFP_KERNEL);
267	if (!p)	266	if (!p)
268	return -ENOMEM;	267	return -ENOMEM;
269		268
270	memcpy(p, uencap, sizeof(*p));
271	*encapp = p;	269	*encapp = p;
272	return 0;	270	return 0;
273	}	271	}
@@ -305,11 +303,10 @@ static int attach_one_addr(xfrm_address_t *addrpp, struct rtattr u_arg)
305	return 0;	303	return 0;
306		304
307	uaddrp = RTA_DATA(rta);	305	uaddrp = RTA_DATA(rta);
308	p = kmalloc(sizeof(*p), GFP_KERNEL);	306	p = kmemdup(uaddrp, sizeof(*p), GFP_KERNEL);
309	if (!p)	307	if (!p)
310	return -ENOMEM;	308	return -ENOMEM;
311		309
312	memcpy(p, uaddrp, sizeof(*p));
313	*addrpp = p;	310	*addrpp = p;
314	return 0;	311	return 0;
315	}	312	}
@@ -495,6 +492,7 @@ static struct xfrm_state xfrm_user_state_lookup(struct xfrm_usersa_id p,
495	goto out;	492	goto out;
496	}	493	}
497		494
		495	err = -ESRCH;
498	x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto,	496	x = xfrm_state_lookup_byaddr(&p->daddr, saddr, p->proto,
499	p->family);	497	p->family);
500	}	498	}
@@ -652,7 +650,6 @@ static struct sk_buff xfrm_state_netlink(struct sk_buff in_skb,
652	if (!skb)	650	if (!skb)
653	return ERR_PTR(-ENOMEM);	651	return ERR_PTR(-ENOMEM);
654		652
655	NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
656	info.in_skb = in_skb;	653	info.in_skb = in_skb;
657	info.out_skb = skb;	654	info.out_skb = skb;
658	info.nlmsg_seq = seq;	655	info.nlmsg_seq = seq;
@@ -772,7 +769,7 @@ out_noput:
772	return err;	769	return err;
773	}	770	}
774		771
775	static int verify_policy_dir(__u8 dir)	772	static int verify_policy_dir(u8 dir)
776	{	773	{
777	switch (dir) {	774	switch (dir) {
778	case XFRM_POLICY_IN:	775	case XFRM_POLICY_IN:
@@ -787,7 +784,7 @@ static int verify_policy_dir(__u8 dir)
787	return 0;	784	return 0;
788	}	785	}
789		786
790	static int verify_policy_type(__u8 type)	787	static int verify_policy_type(u8 type)
791	{	788	{
792	switch (type) {	789	switch (type) {
793	case XFRM_POLICY_TYPE_MAIN:	790	case XFRM_POLICY_TYPE_MAIN:
@@ -861,6 +858,7 @@ static void copy_templates(struct xfrm_policy xp, struct xfrm_user_tmpl ut,
861	int i;	858	int i;
862		859
863	xp->xfrm_nr = nr;	860	xp->xfrm_nr = nr;
		861	xp->family = ut->family;
864	for (i = 0; i < nr; i++, ut++) {	862	for (i = 0; i < nr; i++, ut++) {
865	struct xfrm_tmpl *t = &xp->xfrm_vec[i];	863	struct xfrm_tmpl *t = &xp->xfrm_vec[i];
866		864
@@ -874,6 +872,7 @@ static void copy_templates(struct xfrm_policy xp, struct xfrm_user_tmpl ut,
874	t->aalgos = ut->aalgos;	872	t->aalgos = ut->aalgos;
875	t->ealgos = ut->ealgos;	873	t->ealgos = ut->ealgos;
876	t->calgos = ut->calgos;	874	t->calgos = ut->calgos;
		875	t->encap_family = ut->family;
877	}	876	}
878	}	877	}
879		878
@@ -900,7 +899,7 @@ static int copy_from_user_policy_type(u8 tp, struct rtattr *xfrma)
900	{	899	{
901	struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1];	900	struct rtattr *rt = xfrma[XFRMA_POLICY_TYPE-1];
902	struct xfrm_userpolicy_type *upt;	901	struct xfrm_userpolicy_type *upt;
903	__u8 type = XFRM_POLICY_TYPE_MAIN;	902	u8 type = XFRM_POLICY_TYPE_MAIN;
904	int err;	903	int err;
905		904
906	if (rt) {	905	if (rt) {
@@ -1027,7 +1026,7 @@ static int copy_to_user_tmpl(struct xfrm_policy xp, struct sk_buff skb)
1027	struct xfrm_tmpl *kp = &xp->xfrm_vec[i];	1026	struct xfrm_tmpl *kp = &xp->xfrm_vec[i];
1028		1027
1029	memcpy(&up->id, &kp->id, sizeof(up->id));	1028	memcpy(&up->id, &kp->id, sizeof(up->id));
1030	up->family = xp->family;	1029	up->family = kp->encap_family;
1031	memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));	1030	memcpy(&up->saddr, &kp->saddr, sizeof(up->saddr));
1032	up->reqid = kp->reqid;	1031	up->reqid = kp->reqid;
1033	up->mode = kp->mode;	1032	up->mode = kp->mode;
@@ -1082,12 +1081,12 @@ static inline int copy_to_user_sec_ctx(struct xfrm_policy xp, struct sk_buff s
1082	}	1081	}
1083		1082
1084	#ifdef CONFIG_XFRM_SUB_POLICY	1083	#ifdef CONFIG_XFRM_SUB_POLICY
1085	static int copy_to_user_policy_type(struct xfrm_policy xp, struct sk_buff skb)	1084	static int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
1086	{	1085	{
1087	struct xfrm_userpolicy_type upt;	1086	struct xfrm_userpolicy_type upt;
1088		1087
1089	memset(&upt, 0, sizeof(upt));	1088	memset(&upt, 0, sizeof(upt));
1090	upt.type = xp->type;	1089	upt.type = type;
1091		1090
1092	RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);	1091	RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
1093		1092
@@ -1098,7 +1097,7 @@ rtattr_failure:
1098	}	1097	}
1099		1098
1100	#else	1099	#else
1101	static inline int copy_to_user_policy_type(struct xfrm_policy xp, struct sk_buff skb)	1100	static inline int copy_to_user_policy_type(u8 type, struct sk_buff *skb)
1102	{	1101	{
1103	return 0;	1102	return 0;
1104	}	1103	}
@@ -1127,7 +1126,7 @@ static int dump_one_policy(struct xfrm_policy xp, int dir, int count, void ptr
1127	goto nlmsg_failure;	1126	goto nlmsg_failure;
1128	if (copy_to_user_sec_ctx(xp, skb))	1127	if (copy_to_user_sec_ctx(xp, skb))
1129	goto nlmsg_failure;	1128	goto nlmsg_failure;
1130	if (copy_to_user_policy_type(xp, skb) < 0)	1129	if (copy_to_user_policy_type(xp->type, skb) < 0)
1131	goto nlmsg_failure;	1130	goto nlmsg_failure;
1132		1131
1133	nlh->nlmsg_len = skb->tail - b;	1132	nlh->nlmsg_len = skb->tail - b;
@@ -1170,7 +1169,6 @@ static struct sk_buff xfrm_policy_netlink(struct sk_buff in_skb,
1170	if (!skb)	1169	if (!skb)
1171	return ERR_PTR(-ENOMEM);	1170	return ERR_PTR(-ENOMEM);
1172		1171
1173	NETLINK_CB(skb).dst_pid = NETLINK_CB(in_skb).pid;
1174	info.in_skb = in_skb;	1172	info.in_skb = in_skb;
1175	info.out_skb = skb;	1173	info.out_skb = skb;
1176	info.nlmsg_seq = seq;	1174	info.nlmsg_seq = seq;
@@ -1189,7 +1187,7 @@ static int xfrm_get_policy(struct sk_buff skb, struct nlmsghdr nlh, void **xfr
1189	{	1187	{
1190	struct xfrm_policy *xp;	1188	struct xfrm_policy *xp;
1191	struct xfrm_userpolicy_id *p;	1189	struct xfrm_userpolicy_id *p;
1192	__u8 type = XFRM_POLICY_TYPE_MAIN;	1190	u8 type = XFRM_POLICY_TYPE_MAIN;
1193	int err;	1191	int err;
1194	struct km_event c;	1192	struct km_event c;
1195	int delete;	1193	int delete;
@@ -1283,10 +1281,12 @@ static int build_aevent(struct sk_buff skb, struct xfrm_state x, struct km_eve
1283	id = NLMSG_DATA(nlh);	1281	id = NLMSG_DATA(nlh);
1284	nlh->nlmsg_flags = 0;	1282	nlh->nlmsg_flags = 0;
1285		1283
1286	id->sa_id.daddr = x->id.daddr;	1284	memcpy(&id->sa_id.daddr, &x->id.daddr,sizeof(x->id.daddr));
1287	id->sa_id.spi = x->id.spi;	1285	id->sa_id.spi = x->id.spi;
1288	id->sa_id.family = x->props.family;	1286	id->sa_id.family = x->props.family;
1289	id->sa_id.proto = x->id.proto;	1287	id->sa_id.proto = x->id.proto;
		1288	memcpy(&id->saddr, &x->props.saddr,sizeof(x->props.saddr));
		1289	id->reqid = x->props.reqid;
1290	id->flags = c->data.aevent;	1290	id->flags = c->data.aevent;
1291		1291
1292	RTA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);	1292	RTA_PUT(skb, XFRMA_REPLAY_VAL, sizeof(x->replay), &x->replay);
@@ -1407,7 +1407,7 @@ out:
1407	static int xfrm_flush_policy(struct sk_buff skb, struct nlmsghdr nlh, void **xfrma)	1407	static int xfrm_flush_policy(struct sk_buff skb, struct nlmsghdr nlh, void **xfrma)
1408	{	1408	{
1409	struct km_event c;	1409	struct km_event c;
1410	__u8 type = XFRM_POLICY_TYPE_MAIN;	1410	u8 type = XFRM_POLICY_TYPE_MAIN;
1411	int err;	1411	int err;
1412		1412
1413	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);	1413	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1428,7 +1428,7 @@ static int xfrm_add_pol_expire(struct sk_buff skb, struct nlmsghdr nlh, void *
1428	struct xfrm_policy *xp;	1428	struct xfrm_policy *xp;
1429	struct xfrm_user_polexpire *up = NLMSG_DATA(nlh);	1429	struct xfrm_user_polexpire *up = NLMSG_DATA(nlh);
1430	struct xfrm_userpolicy_info *p = &up->pol;	1430	struct xfrm_userpolicy_info *p = &up->pol;
1431	__u8 type = XFRM_POLICY_TYPE_MAIN;	1431	u8 type = XFRM_POLICY_TYPE_MAIN;
1432	int err = -ENOENT;	1432	int err = -ENOENT;
1433		1433
1434	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);	1434	err = copy_from_user_policy_type(&type, (struct rtattr **)xfrma);
@@ -1907,7 +1907,7 @@ static int build_acquire(struct sk_buff skb, struct xfrm_state x,
1907	goto nlmsg_failure;	1907	goto nlmsg_failure;
1908	if (copy_to_user_state_sec_ctx(x, skb))	1908	if (copy_to_user_state_sec_ctx(x, skb))
1909	goto nlmsg_failure;	1909	goto nlmsg_failure;
1910	if (copy_to_user_policy_type(xp, skb) < 0)	1910	if (copy_to_user_policy_type(xp->type, skb) < 0)
1911	goto nlmsg_failure;	1911	goto nlmsg_failure;
1912		1912
1913	nlh->nlmsg_len = skb->tail - b;	1913	nlh->nlmsg_len = skb->tail - b;
@@ -2017,7 +2017,7 @@ static int build_polexpire(struct sk_buff skb, struct xfrm_policy xp,
2017	goto nlmsg_failure;	2017	goto nlmsg_failure;
2018	if (copy_to_user_sec_ctx(xp, skb))	2018	if (copy_to_user_sec_ctx(xp, skb))
2019	goto nlmsg_failure;	2019	goto nlmsg_failure;
2020	if (copy_to_user_policy_type(xp, skb) < 0)	2020	if (copy_to_user_policy_type(xp->type, skb) < 0)
2021	goto nlmsg_failure;	2021	goto nlmsg_failure;
2022	upe->hard = !!hard;	2022	upe->hard = !!hard;
2023		2023
@@ -2096,7 +2096,7 @@ static int xfrm_notify_policy(struct xfrm_policy xp, int dir, struct km_event
2096	copy_to_user_policy(xp, p, dir);	2096	copy_to_user_policy(xp, p, dir);
2097	if (copy_to_user_tmpl(xp, skb) < 0)	2097	if (copy_to_user_tmpl(xp, skb) < 0)
2098	goto nlmsg_failure;	2098	goto nlmsg_failure;
2099	if (copy_to_user_policy_type(xp, skb) < 0)	2099	if (copy_to_user_policy_type(xp->type, skb) < 0)
2100	goto nlmsg_failure;	2100	goto nlmsg_failure;
2101		2101
2102	nlh->nlmsg_len = skb->tail - b;	2102	nlh->nlmsg_len = skb->tail - b;
@@ -2117,7 +2117,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
2117	unsigned char *b;	2117	unsigned char *b;
2118	int len = 0;	2118	int len = 0;
2119	#ifdef CONFIG_XFRM_SUB_POLICY	2119	#ifdef CONFIG_XFRM_SUB_POLICY
2120	struct xfrm_userpolicy_type upt;
2121	len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));	2120	len += RTA_SPACE(sizeof(struct xfrm_userpolicy_type));
2122	#endif	2121	#endif
2123	len += NLMSG_LENGTH(0);	2122	len += NLMSG_LENGTH(0);
@@ -2130,12 +2129,8 @@ static int xfrm_notify_policy_flush(struct km_event *c)
2130		2129
2131	nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);	2130	nlh = NLMSG_PUT(skb, c->pid, c->seq, XFRM_MSG_FLUSHPOLICY, 0);
2132	nlh->nlmsg_flags = 0;	2131	nlh->nlmsg_flags = 0;
2133		2132	if (copy_to_user_policy_type(c->data.type, skb) < 0)
2134	#ifdef CONFIG_XFRM_SUB_POLICY	2133	goto nlmsg_failure;
2135	memset(&upt, 0, sizeof(upt));
2136	upt.type = c->data.type;
2137	RTA_PUT(skb, XFRMA_POLICY_TYPE, sizeof(upt), &upt);
2138	#endif
2139		2134
2140	nlh->nlmsg_len = skb->tail - b;	2135	nlh->nlmsg_len = skb->tail - b;
2141		2136
@@ -2143,9 +2138,6 @@ static int xfrm_notify_policy_flush(struct km_event *c)
2143	return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);	2138	return netlink_broadcast(xfrm_nl, skb, 0, XFRMNLGRP_POLICY, GFP_ATOMIC);
2144		2139
2145	nlmsg_failure:	2140	nlmsg_failure:
2146	#ifdef CONFIG_XFRM_SUB_POLICY
2147	rtattr_failure:
2148	#endif
2149	kfree_skb(skb);	2141	kfree_skb(skb);
2150	return -1;	2142	return -1;
2151	}	2143	}