path: root/net/xfrm/xfrm_policy.c
Commit message (Collapse) | Author | Age | Files | Lines
* Merge commit '2e54c4f' into HEAD | KalimochoAz | 2012-10-14 | 1 | -1/+1
|\
| * xfrm: fix a read lock imbalance in make_blackhole | Li RongQing | 2012-10-13 | 1 | -1/+1
    [ Upstream commit 433a19548061bb5457b6ab77ed7ea58ca6e43ddb ]
    if xfrm_policy_get_afinfo returns 0, it has already released the read lock, xfrm_policy_put_afinfo should not be called again.
    Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge remote-tracking branch 'google/android-samsung-3.0-jb' into HEAD | KalimochoAz | 2012-07-20 | 1 | -4/+6
|\ \
| |/
|/|
    Conflicts:
        arch/arm/mach-s5pv210/mach-herring.c
        drivers/media/video/samsung/fimc/fimc_dev.c
        include/trace/events/cpufreq_interactive.h
| * net: check return value for dst_alloc | Madalin Bucur | 2012-05-09 | 1 | -4/+6
    return value of dst_alloc must be checked before use
    Signed-off-by: Madalin Bucur <madalin.bucur@freescale.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: fix incorrect ipsec fragment | Gao feng | 2012-06-10 | 1 | -0/+3
|/
    [ Upstream commit 0c1833797a5a6ec23ea9261d979aa18078720b74 ]
    Since commit ad0081e43a "ipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed" the fragment of packets is incorrect. because tunnel mode needs IPsec headers and trailer for all fragments, while on transport mode it is sufficient to add the headers to the first fragment and the trailer to the last.
    so modify mtu and maxfraglen based on ipsec mode and if fragment is first or last.
    with my test, it works well (every fragment's size is the mtu) and does not trigger slow fragment path.
    Changes from v1:
        though optimization, mtu_prev and maxfraglen_prev can be deleted.
        replace xfrm mode codes with dst_entry's new frag DST_XFRM_TUNNEL.
        add function ip6_append_data_mtu to make codes clearer.
    Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* net: fix NULL dereferences in check_peer_redir() | Eric Dumazet | 2012-02-13 | 1 | -1/+1
    [ Upstream commit d3aaeb38c40e5a6c08dd31a1b64da65c4352be36, along with dependent backports of commits:
        69cce1d1404968f78b177a0314f5822d5afdbbfb
        9de79c127cccecb11ae6a21ab1499e87aa222880
        218fa90f072e4aeff9003d57e390857f4f35513e
        580da35a31f91a594f3090b7a2c39b85cb051a12
        f7e57044eeb1841847c24aa06766c8290c202583
        e049f28883126c689cf95859480d9ee4ab23b7fa ]
    Gergely Kalman reported crashes in check_peer_redir().
    It appears commit f39925dbde778 (ipv4: Cache learned redirect information in inetpeer.) added a race, leading to possible NULL ptr dereference.
    Since we can now change dst neighbour, we should make sure a reader can safely use a neighbour.
    Add RCU protection to dst neighbour, and make sure check_peer_redir() can be called safely by different cpus in parallel.
    As neighbours are already freed after one RCU grace period, this patch should not add typical RCU penalty (cache cold effects)
    Many thanks to Gergely for providing a pretty report pointing to the bug.
    Reported-by: Gergely Kalman <synapse@hippy.csoma.elte.hu>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* xfrm: Remove family arg from xfrm_bundle_ok | Steffen Klassert | 2011-07-01 | 1 | -3/+3
    The family arg is not used any more, so remove it.
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-3.6 | David S. Miller | 2011-05-11 | 1 | -1/+13
|\
    Conflicts:
        drivers/net/benet/be_main.c
| * xfrm: Assign the inner mode output function to the dst entry | Steffen Klassert | 2011-05-10 | 1 | -1/+13
    As it is, we assign the outer modes output function to the dst entry when we create the xfrm bundle. This leads to two problems on interfamily scenarios.
    We might insert ipv4 packets into ip6_fragment when called from xfrm6_output. The system crashes if we try to fragment an ipv4 packet with ip6_fragment. This issue was introduced with git commit ad0081e4 (ipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed).
    The second issue is, that we might insert ipv4 packets in netfilter6 and vice versa on interfamily scenarios.
    With this patch we assign the inner mode output function to the dst entry when we create the xfrm bundle. So xfrm4_output/xfrm6_output from the inner mode is used and the right fragmentation and netfilter functions are called. We switch then to outer mode with the output_finish functions.
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Use non-zero allocations in dst_alloc(). | David S. Miller | 2011-04-28 | 1 | -0/+1
    Make dst_alloc() and its users explicitly initialize the entire entry.
    The zero'ing done by kmem_cache_zalloc() was almost entirely redundant.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Make dst_alloc() take more explicit initializations. | David S. Miller | 2011-04-28 | 1 | -1/+1
|/
    Now the dst->dev, dev->obsolete, and dst->flags values can be specified as well.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Refcount destination entry on xfrm_lookup | Steffen Klassert | 2011-03-16 | 1 | -0/+2
    We return a destination entry without refcount if a socket policy is found in xfrm_lookup. This triggers a warning on a negative refcount when freeing this dst entry. So take a refcount in this case to fix it.
    This refcount was forgotten when xfrm changed to cache bundles instead of policies for outgoing flows.
    Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    Acked-by: Timo Teräs <timo.teras@iki.fi>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: fix __xfrm_route_forward() | Eric Dumazet | 2011-03-15 | 1 | -2/+2
    This function should return 0 in case of error, 1 if OK
    commit 452edd598f60522 (xfrm: Return dst directly from xfrm_lookup()) got it wrong.
    Reported-and-bisected-by: Michael Smith <msmith@cbnco.com>
    Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Use flowi4 and flowi6 in xfrm layer. | David S. Miller | 2011-03-12 | 1 | -12/+16
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Break struct flowi out into AF specific instances. | David S. Miller | 2011-03-12 | 1 | -4/+4
    Now we have struct flowi4, flowi6, and flowidn for each address family. And struct flowi is just a union of them all.
    It might have been troublesome to convert flow_cache_uli_match() but as it turns out this function is completely unused and therefore can be simply removed.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make flowi ports AF dependent. | David S. Miller | 2011-03-12 | 1 | -4/+4
    Create two sets of port member accessors, one set prefixed by fl4_* and the other prefixed by fl6_*
    This will let us to create AF optimal flow instances.
    It will work because every context in which we access the ports, we have to be fully aware of which AF the flowi is anyways.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Put flowi_* prefix on AF independent members of struct flowi | David S. Miller | 2011-03-12 | 1 | -9/+9
    I intend to turn struct flowi into a union of AF specific flowi structs. There will be a common structure that each variant includes first, much like struct sock_common.
    This is the first step to move in that direction.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Eliminate "fl" and "pol" args to xfrm_bundle_ok(). | David S. Miller | 2011-03-12 | 1 | -19/+3
    There is only one caller of xfrm_bundle_ok(), and that always passes these parameters as NULL.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Return dst directly from xfrm_lookup() | David S. Miller | 2011-03-02 | 1 | -17/+17
    Instead of on the stack.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Handle blackhole route creation via afinfo. | David S. Miller | 2011-03-01 | 1 | -20/+26
    That way we don't have to potentially do this in every xfrm_lookup() caller.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Kill XFRM_LOOKUP_WAIT flag. | David S. Miller | 2011-03-01 | 1 | -1/+1
    This can be determined from the flow flags instead.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify sec_path arg to secpath_has_nontransport. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify ptr args to xfrm_policy_ok. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify ptr args to xfrm_state_ok. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector arg to xfrm_dst_update_parent. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify policy arg to clone_policy. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify policy arg and local selector in xfrm_policy_match. | David S. Miller | 2011-02-23 | 1 | -2/+3
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify local xfrm_address_t pointers in xfrm_policy_lookup_bytype. | David S. Miller | 2011-02-23 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector args in xfrm_migrate paths. | David S. Miller | 2011-02-23 | 1 | -4/+4
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify address args to hash helpers. | David S. Miller | 2011-02-23 | 1 | -2/+7
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify pointer args to migrate_tmpl_match and xfrm_migrate_check | David S. Miller | 2011-02-23 | 1 | -2/+2
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify address arguments to __xfrm_dst_lookup() | David S. Miller | 2011-02-23 | 1 | -2/+2
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Const'ify selector argument to xfrm_selector_match() | David S. Miller | 2011-02-23 | 1 | -3/+3
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Make flow cache paths use a const struct flowi. | David S. Miller | 2011-02-22 | 1 | -5/+8
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_resolve_and_create_bundle() const. | David S. Miller | 2011-02-22 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_dst_{alloc_copy,update_origin}() const. | David S. Miller | 2011-02-22 | 1 | -2/+2
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_bundle_create() const. | David S. Miller | 2011-02-22 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_tmpl_resolve{,_one}() const. | David S. Miller | 2011-02-22 | 1 | -6/+4
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_expand_policies() const. | David S. Miller | 2011-02-22 | 1 | -2/+2
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_policy_{lookup_by_type,match}() const. | David S. Miller | 2011-02-22 | 1 | -2/+2
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Kill strict arg to xfrm_bundle_ok(). | David S. Miller | 2011-02-22 | 1 | -8/+3
    Always set to "0".
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_selector_match() const. | David S. Miller | 2011-02-22 | 1 | -4/+4
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to xfrm_type->reject() const. | David S. Miller | 2011-02-22 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to ->fill_dst() const. | David S. Miller | 2011-02-22 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: Mark flowi arg to ->get_tos() const. | David S. Miller | 2011-02-22 | 1 | -1/+1
    Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 | David S. Miller | 2011-02-19 | 1 | -2/+5
|\
    Conflicts:
        Documentation/feature-removal-schedule.txt
        drivers/net/e1000e/netdev.c
        net/xfrm/xfrm_policy.c
| * xfrm: avoid possible oopse in xfrm_alloc_dst | Hiroaki SHIMODA | 2011-02-10 | 1 | -2/+5
    Commit 80c802f3073e84 (xfrm: cache bundles instead of policies for outgoing flows) introduced possible oopse when dst_alloc returns NULL.
    Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Add initial_ref arg to dst_alloc(). | David S. Miller | 2011-02-17 | 1 | -1/+1
|/
    This allows avoiding multiple writes to the initial __refcnt.
    The most simplest cases of wanting an initial reference of "1" in ipv4 and ipv6 have been converted, the rest have been left alone and kept at the existing "0".
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Abstract default MTU metric calculation behind an accessor. | David S. Miller | 2010-12-14 | 1 | -0/+7
    Like RTAX_ADVMSS, make the default calculation go through a dst_ops method rather than caching the computation in the routing cache entries.
    Now dst metrics are pretty much left as-is when new entries are created, thus optimizing metric sharing becomes a real possibility.
    Signed-off-by: David S. Miller <davem@davemloft.net>
* net: Abstract default ADVMSS behind an accessor. | David S. Miller | 2010-12-13 | 1 | -0/+7
    Make all RTAX_ADVMSS metric accesses go through a new helper function, dst_metric_advmss().
    Leave the actual default metric as "zero" in the real metric slot, and compute the actual default value dynamically via a new dst_ops AF specific callback.
    For stacked IPSEC routes, we use the advmss of the path which preserves existing behavior.
    Unlike ipv4/ipv6, DecNET ties the advmss to the mtu and thus updates advmss on pmtu updates. This inconsistency in advmss handling results in more raw metric accesses than I wish we ended up with.
    Signed-off-by: David S. Miller <davem@davemloft.net>