projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[XFRM]: Assorted IPsec fixups
[deliverable/linux.git] / net / xfrm / xfrm_state.c
1 /*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
13 *
14 */
15
16 #include <linux/workqueue.h>
17 #include <net/xfrm.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <linux/audit.h>
23 #include <asm/uaccess.h>
24
25 #include "xfrm_hash.h"
26
27 struct sock *xfrm_nl;
28 EXPORT_SYMBOL(xfrm_nl);
29
30 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
31 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
32
33 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
34 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
35
36 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
37
38 /* Each xfrm_state may be linked to two tables:
39
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
42 destination/tunnel endpoint. (output)
43 */
44
45 static DEFINE_SPINLOCK(xfrm_state_lock);
46
47 /* Hash table to find appropriate SA towards given target (endpoint
48 * of tunnel or destination of transport mode) allowed by selector.
49 *
50 * Main use is finding SA after policy selected tunnel or transport mode.
51 * Also, it can be used by ah/esp icmp error handler to find offending SA.
52 */
53 static struct hlist_head *xfrm_state_bydst __read_mostly;
54 static struct hlist_head *xfrm_state_bysrc __read_mostly;
55 static struct hlist_head *xfrm_state_byspi __read_mostly;
56 static unsigned int xfrm_state_hmask __read_mostly;
57 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
58 static unsigned int xfrm_state_num;
59 static unsigned int xfrm_state_genid;
60
61 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
62 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
63
64 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
65 xfrm_address_t *saddr,
66 u32 reqid,
67 unsigned short family)
68 {
69 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
70 }
71
72 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
73 xfrm_address_t *saddr,
74 unsigned short family)
75 {
76 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
77 }
78
79 static inline unsigned int
80 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
81 {
82 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
83 }
84
85 static void xfrm_hash_transfer(struct hlist_head *list,
86 struct hlist_head *ndsttable,
87 struct hlist_head *nsrctable,
88 struct hlist_head *nspitable,
89 unsigned int nhashmask)
90 {
91 struct hlist_node *entry, *tmp;
92 struct xfrm_state *x;
93
94 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
95 unsigned int h;
96
97 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
98 x->props.reqid, x->props.family,
99 nhashmask);
100 hlist_add_head(&x->bydst, ndsttable+h);
101
102 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
103 x->props.family,
104 nhashmask);
105 hlist_add_head(&x->bysrc, nsrctable+h);
106
107 if (x->id.spi) {
108 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
109 x->id.proto, x->props.family,
110 nhashmask);
111 hlist_add_head(&x->byspi, nspitable+h);
112 }
113 }
114 }
115
116 static unsigned long xfrm_hash_new_size(void)
117 {
118 return ((xfrm_state_hmask + 1) << 1) *
119 sizeof(struct hlist_head);
120 }
121
122 static DEFINE_MUTEX(hash_resize_mutex);
123
124 static void xfrm_hash_resize(struct work_struct *__unused)
125 {
126 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
127 unsigned long nsize, osize;
128 unsigned int nhashmask, ohashmask;
129 int i;
130
131 mutex_lock(&hash_resize_mutex);
132
133 nsize = xfrm_hash_new_size();
134 ndst = xfrm_hash_alloc(nsize);
135 if (!ndst)
136 goto out_unlock;
137 nsrc = xfrm_hash_alloc(nsize);
138 if (!nsrc) {
139 xfrm_hash_free(ndst, nsize);
140 goto out_unlock;
141 }
142 nspi = xfrm_hash_alloc(nsize);
143 if (!nspi) {
144 xfrm_hash_free(ndst, nsize);
145 xfrm_hash_free(nsrc, nsize);
146 goto out_unlock;
147 }
148
149 spin_lock_bh(&xfrm_state_lock);
150
151 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
152 for (i = xfrm_state_hmask; i >= 0; i--)
153 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
154 nhashmask);
155
156 odst = xfrm_state_bydst;
157 osrc = xfrm_state_bysrc;
158 ospi = xfrm_state_byspi;
159 ohashmask = xfrm_state_hmask;
160
161 xfrm_state_bydst = ndst;
162 xfrm_state_bysrc = nsrc;
163 xfrm_state_byspi = nspi;
164 xfrm_state_hmask = nhashmask;
165
166 spin_unlock_bh(&xfrm_state_lock);
167
168 osize = (ohashmask + 1) * sizeof(struct hlist_head);
169 xfrm_hash_free(odst, osize);
170 xfrm_hash_free(osrc, osize);
171 xfrm_hash_free(ospi, osize);
172
173 out_unlock:
174 mutex_unlock(&hash_resize_mutex);
175 }
176
177 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
178
179 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
180 EXPORT_SYMBOL(km_waitq);
181
182 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
183 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
184
185 static struct work_struct xfrm_state_gc_work;
186 static HLIST_HEAD(xfrm_state_gc_list);
187 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
188
189 int __xfrm_state_delete(struct xfrm_state *x);
190
191 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
192 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
193
194 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
195 {
196 struct xfrm_state_afinfo *afinfo;
197 if (unlikely(family >= NPROTO))
198 return NULL;
199 write_lock_bh(&xfrm_state_afinfo_lock);
200 afinfo = xfrm_state_afinfo[family];
201 if (unlikely(!afinfo))
202 write_unlock_bh(&xfrm_state_afinfo_lock);
203 return afinfo;
204 }
205
206 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
207 {
208 write_unlock_bh(&xfrm_state_afinfo_lock);
209 }
210
211 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
212 {
213 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
214 struct xfrm_type **typemap;
215 int err = 0;
216
217 if (unlikely(afinfo == NULL))
218 return -EAFNOSUPPORT;
219 typemap = afinfo->type_map;
220
221 if (likely(typemap[type->proto] == NULL))
222 typemap[type->proto] = type;
223 else
224 err = -EEXIST;
225 xfrm_state_unlock_afinfo(afinfo);
226 return err;
227 }
228 EXPORT_SYMBOL(xfrm_register_type);
229
230 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
231 {
232 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
233 struct xfrm_type **typemap;
234 int err = 0;
235
236 if (unlikely(afinfo == NULL))
237 return -EAFNOSUPPORT;
238 typemap = afinfo->type_map;
239
240 if (unlikely(typemap[type->proto] != type))
241 err = -ENOENT;
242 else
243 typemap[type->proto] = NULL;
244 xfrm_state_unlock_afinfo(afinfo);
245 return err;
246 }
247 EXPORT_SYMBOL(xfrm_unregister_type);
248
249 static struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
250 {
251 struct xfrm_state_afinfo *afinfo;
252 struct xfrm_type **typemap;
253 struct xfrm_type *type;
254 int modload_attempted = 0;
255
256 retry:
257 afinfo = xfrm_state_get_afinfo(family);
258 if (unlikely(afinfo == NULL))
259 return NULL;
260 typemap = afinfo->type_map;
261
262 type = typemap[proto];
263 if (unlikely(type && !try_module_get(type->owner)))
264 type = NULL;
265 if (!type && !modload_attempted) {
266 xfrm_state_put_afinfo(afinfo);
267 request_module("xfrm-type-%d-%d", family, proto);
268 modload_attempted = 1;
269 goto retry;
270 }
271
272 xfrm_state_put_afinfo(afinfo);
273 return type;
274 }
275
276 static void xfrm_put_type(struct xfrm_type *type)
277 {
278 module_put(type->owner);
279 }
280
281 int xfrm_register_mode(struct xfrm_mode *mode, int family)
282 {
283 struct xfrm_state_afinfo *afinfo;
284 struct xfrm_mode **modemap;
285 int err;
286
287 if (unlikely(mode->encap >= XFRM_MODE_MAX))
288 return -EINVAL;
289
290 afinfo = xfrm_state_lock_afinfo(family);
291 if (unlikely(afinfo == NULL))
292 return -EAFNOSUPPORT;
293
294 err = -EEXIST;
295 modemap = afinfo->mode_map;
296 if (modemap[mode->encap])
297 goto out;
298
299 err = -ENOENT;
300 if (!try_module_get(afinfo->owner))
301 goto out;
302
303 mode->afinfo = afinfo;
304 modemap[mode->encap] = mode;
305 err = 0;
306
307 out:
308 xfrm_state_unlock_afinfo(afinfo);
309 return err;
310 }
311 EXPORT_SYMBOL(xfrm_register_mode);
312
313 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
314 {
315 struct xfrm_state_afinfo *afinfo;
316 struct xfrm_mode **modemap;
317 int err;
318
319 if (unlikely(mode->encap >= XFRM_MODE_MAX))
320 return -EINVAL;
321
322 afinfo = xfrm_state_lock_afinfo(family);
323 if (unlikely(afinfo == NULL))
324 return -EAFNOSUPPORT;
325
326 err = -ENOENT;
327 modemap = afinfo->mode_map;
328 if (likely(modemap[mode->encap] == mode)) {
329 modemap[mode->encap] = NULL;
330 module_put(mode->afinfo->owner);
331 err = 0;
332 }
333
334 xfrm_state_unlock_afinfo(afinfo);
335 return err;
336 }
337 EXPORT_SYMBOL(xfrm_unregister_mode);
338
339 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
340 {
341 struct xfrm_state_afinfo *afinfo;
342 struct xfrm_mode *mode;
343 int modload_attempted = 0;
344
345 if (unlikely(encap >= XFRM_MODE_MAX))
346 return NULL;
347
348 retry:
349 afinfo = xfrm_state_get_afinfo(family);
350 if (unlikely(afinfo == NULL))
351 return NULL;
352
353 mode = afinfo->mode_map[encap];
354 if (unlikely(mode && !try_module_get(mode->owner)))
355 mode = NULL;
356 if (!mode && !modload_attempted) {
357 xfrm_state_put_afinfo(afinfo);
358 request_module("xfrm-mode-%d-%d", family, encap);
359 modload_attempted = 1;
360 goto retry;
361 }
362
363 xfrm_state_put_afinfo(afinfo);
364 return mode;
365 }
366
367 static void xfrm_put_mode(struct xfrm_mode *mode)
368 {
369 module_put(mode->owner);
370 }
371
372 static void xfrm_state_gc_destroy(struct xfrm_state *x)
373 {
374 del_timer_sync(&x->timer);
375 del_timer_sync(&x->rtimer);
376 kfree(x->aalg);
377 kfree(x->ealg);
378 kfree(x->calg);
379 kfree(x->encap);
380 kfree(x->coaddr);
381 if (x->inner_mode)
382 xfrm_put_mode(x->inner_mode);
383 if (x->outer_mode)
384 xfrm_put_mode(x->outer_mode);
385 if (x->type) {
386 x->type->destructor(x);
387 xfrm_put_type(x->type);
388 }
389 security_xfrm_state_free(x);
390 kfree(x);
391 }
392
393 static void xfrm_state_gc_task(struct work_struct *data)
394 {
395 struct xfrm_state *x;
396 struct hlist_node *entry, *tmp;
397 struct hlist_head gc_list;
398
399 spin_lock_bh(&xfrm_state_gc_lock);
400 gc_list.first = xfrm_state_gc_list.first;
401 INIT_HLIST_HEAD(&xfrm_state_gc_list);
402 spin_unlock_bh(&xfrm_state_gc_lock);
403
404 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
405 xfrm_state_gc_destroy(x);
406
407 wake_up(&km_waitq);
408 }
409
410 static inline unsigned long make_jiffies(long secs)
411 {
412 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
413 return MAX_SCHEDULE_TIMEOUT-1;
414 else
415 return secs*HZ;
416 }
417
418 static void xfrm_timer_handler(unsigned long data)
419 {
420 struct xfrm_state *x = (struct xfrm_state*)data;
421 unsigned long now = get_seconds();
422 long next = LONG_MAX;
423 int warn = 0;
424 int err = 0;
425
426 spin_lock(&x->lock);
427 if (x->km.state == XFRM_STATE_DEAD)
428 goto out;
429 if (x->km.state == XFRM_STATE_EXPIRED)
430 goto expired;
431 if (x->lft.hard_add_expires_seconds) {
432 long tmo = x->lft.hard_add_expires_seconds +
433 x->curlft.add_time - now;
434 if (tmo <= 0)
435 goto expired;
436 if (tmo < next)
437 next = tmo;
438 }
439 if (x->lft.hard_use_expires_seconds) {
440 long tmo = x->lft.hard_use_expires_seconds +
441 (x->curlft.use_time ? : now) - now;
442 if (tmo <= 0)
443 goto expired;
444 if (tmo < next)
445 next = tmo;
446 }
447 if (x->km.dying)
448 goto resched;
449 if (x->lft.soft_add_expires_seconds) {
450 long tmo = x->lft.soft_add_expires_seconds +
451 x->curlft.add_time - now;
452 if (tmo <= 0)
453 warn = 1;
454 else if (tmo < next)
455 next = tmo;
456 }
457 if (x->lft.soft_use_expires_seconds) {
458 long tmo = x->lft.soft_use_expires_seconds +
459 (x->curlft.use_time ? : now) - now;
460 if (tmo <= 0)
461 warn = 1;
462 else if (tmo < next)
463 next = tmo;
464 }
465
466 x->km.dying = warn;
467 if (warn)
468 km_state_expired(x, 0, 0);
469 resched:
470 if (next != LONG_MAX)
471 mod_timer(&x->timer, jiffies + make_jiffies(next));
472
473 goto out;
474
475 expired:
476 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
477 x->km.state = XFRM_STATE_EXPIRED;
478 wake_up(&km_waitq);
479 next = 2;
480 goto resched;
481 }
482
483 err = __xfrm_state_delete(x);
484 if (!err && x->id.spi)
485 km_state_expired(x, 1, 0);
486
487 xfrm_audit_state_delete(x, err ? 0 : 1,
488 audit_get_loginuid(current->audit_context), 0);
489
490 out:
491 spin_unlock(&x->lock);
492 }
493
494 static void xfrm_replay_timer_handler(unsigned long data);
495
496 struct xfrm_state *xfrm_state_alloc(void)
497 {
498 struct xfrm_state *x;
499
500 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
501
502 if (x) {
503 atomic_set(&x->refcnt, 1);
504 atomic_set(&x->tunnel_users, 0);
505 INIT_HLIST_NODE(&x->bydst);
506 INIT_HLIST_NODE(&x->bysrc);
507 INIT_HLIST_NODE(&x->byspi);
508 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
509 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
510 (unsigned long)x);
511 x->curlft.add_time = get_seconds();
512 x->lft.soft_byte_limit = XFRM_INF;
513 x->lft.soft_packet_limit = XFRM_INF;
514 x->lft.hard_byte_limit = XFRM_INF;
515 x->lft.hard_packet_limit = XFRM_INF;
516 x->replay_maxage = 0;
517 x->replay_maxdiff = 0;
518 spin_lock_init(&x->lock);
519 }
520 return x;
521 }
522 EXPORT_SYMBOL(xfrm_state_alloc);
523
524 void __xfrm_state_destroy(struct xfrm_state *x)
525 {
526 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
527
528 spin_lock_bh(&xfrm_state_gc_lock);
529 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
530 spin_unlock_bh(&xfrm_state_gc_lock);
531 schedule_work(&xfrm_state_gc_work);
532 }
533 EXPORT_SYMBOL(__xfrm_state_destroy);
534
535 int __xfrm_state_delete(struct xfrm_state *x)
536 {
537 int err = -ESRCH;
538
539 if (x->km.state != XFRM_STATE_DEAD) {
540 x->km.state = XFRM_STATE_DEAD;
541 spin_lock(&xfrm_state_lock);
542 hlist_del(&x->bydst);
543 hlist_del(&x->bysrc);
544 if (x->id.spi)
545 hlist_del(&x->byspi);
546 xfrm_state_num--;
547 spin_unlock(&xfrm_state_lock);
548
549 /* All xfrm_state objects are created by xfrm_state_alloc.
550 * The xfrm_state_alloc call gives a reference, and that
551 * is what we are dropping here.
552 */
553 xfrm_state_put(x);
554 err = 0;
555 }
556
557 return err;
558 }
559 EXPORT_SYMBOL(__xfrm_state_delete);
560
561 int xfrm_state_delete(struct xfrm_state *x)
562 {
563 int err;
564
565 spin_lock_bh(&x->lock);
566 err = __xfrm_state_delete(x);
567 spin_unlock_bh(&x->lock);
568
569 return err;
570 }
571 EXPORT_SYMBOL(xfrm_state_delete);
572
573 #ifdef CONFIG_SECURITY_NETWORK_XFRM
574 static inline int
575 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
576 {
577 int i, err = 0;
578
579 for (i = 0; i <= xfrm_state_hmask; i++) {
580 struct hlist_node *entry;
581 struct xfrm_state *x;
582
583 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
584 if (xfrm_id_proto_match(x->id.proto, proto) &&
585 (err = security_xfrm_state_delete(x)) != 0) {
586 xfrm_audit_state_delete(x, 0,
587 audit_info->loginuid,
588 audit_info->secid);
589 return err;
590 }
591 }
592 }
593
594 return err;
595 }
596 #else
597 static inline int
598 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
599 {
600 return 0;
601 }
602 #endif
603
604 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
605 {
606 int i, err = 0;
607
608 spin_lock_bh(&xfrm_state_lock);
609 err = xfrm_state_flush_secctx_check(proto, audit_info);
610 if (err)
611 goto out;
612
613 for (i = 0; i <= xfrm_state_hmask; i++) {
614 struct hlist_node *entry;
615 struct xfrm_state *x;
616 restart:
617 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
618 if (!xfrm_state_kern(x) &&
619 xfrm_id_proto_match(x->id.proto, proto)) {
620 xfrm_state_hold(x);
621 spin_unlock_bh(&xfrm_state_lock);
622
623 err = xfrm_state_delete(x);
624 xfrm_audit_state_delete(x, err ? 0 : 1,
625 audit_info->loginuid,
626 audit_info->secid);
627 xfrm_state_put(x);
628
629 spin_lock_bh(&xfrm_state_lock);
630 goto restart;
631 }
632 }
633 }
634 err = 0;
635
636 out:
637 spin_unlock_bh(&xfrm_state_lock);
638 wake_up(&km_waitq);
639 return err;
640 }
641 EXPORT_SYMBOL(xfrm_state_flush);
642
643 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
644 {
645 spin_lock_bh(&xfrm_state_lock);
646 si->sadcnt = xfrm_state_num;
647 si->sadhcnt = xfrm_state_hmask;
648 si->sadhmcnt = xfrm_state_hashmax;
649 spin_unlock_bh(&xfrm_state_lock);
650 }
651 EXPORT_SYMBOL(xfrm_sad_getinfo);
652
653 static int
654 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
655 struct xfrm_tmpl *tmpl,
656 xfrm_address_t *daddr, xfrm_address_t *saddr,
657 unsigned short family)
658 {
659 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
660 if (!afinfo)
661 return -1;
662 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
663 xfrm_state_put_afinfo(afinfo);
664 return 0;
665 }
666
667 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
668 {
669 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
670 struct xfrm_state *x;
671 struct hlist_node *entry;
672
673 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
674 if (x->props.family != family ||
675 x->id.spi != spi ||
676 x->id.proto != proto)
677 continue;
678
679 switch (family) {
680 case AF_INET:
681 if (x->id.daddr.a4 != daddr->a4)
682 continue;
683 break;
684 case AF_INET6:
685 if (!ipv6_addr_equal((struct in6_addr *)daddr,
686 (struct in6_addr *)
687 x->id.daddr.a6))
688 continue;
689 break;
690 }
691
692 xfrm_state_hold(x);
693 return x;
694 }
695
696 return NULL;
697 }
698
699 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
700 {
701 unsigned int h = xfrm_src_hash(daddr, saddr, family);
702 struct xfrm_state *x;
703 struct hlist_node *entry;
704
705 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
706 if (x->props.family != family ||
707 x->id.proto != proto)
708 continue;
709
710 switch (family) {
711 case AF_INET:
712 if (x->id.daddr.a4 != daddr->a4 ||
713 x->props.saddr.a4 != saddr->a4)
714 continue;
715 break;
716 case AF_INET6:
717 if (!ipv6_addr_equal((struct in6_addr *)daddr,
718 (struct in6_addr *)
719 x->id.daddr.a6) ||
720 !ipv6_addr_equal((struct in6_addr *)saddr,
721 (struct in6_addr *)
722 x->props.saddr.a6))
723 continue;
724 break;
725 }
726
727 xfrm_state_hold(x);
728 return x;
729 }
730
731 return NULL;
732 }
733
734 static inline struct xfrm_state *
735 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
736 {
737 if (use_spi)
738 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
739 x->id.proto, family);
740 else
741 return __xfrm_state_lookup_byaddr(&x->id.daddr,
742 &x->props.saddr,
743 x->id.proto, family);
744 }
745
746 static void xfrm_hash_grow_check(int have_hash_collision)
747 {
748 if (have_hash_collision &&
749 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
750 xfrm_state_num > xfrm_state_hmask)
751 schedule_work(&xfrm_hash_work);
752 }
753
754 struct xfrm_state *
755 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
756 struct flowi *fl, struct xfrm_tmpl *tmpl,
757 struct xfrm_policy *pol, int *err,
758 unsigned short family)
759 {
760 unsigned int h;
761 struct hlist_node *entry;
762 struct xfrm_state *x, *x0;
763 int acquire_in_progress = 0;
764 int error = 0;
765 struct xfrm_state *best = NULL;
766
767 spin_lock_bh(&xfrm_state_lock);
768 h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
769 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
770 if (x->props.family == family &&
771 x->props.reqid == tmpl->reqid &&
772 !(x->props.flags & XFRM_STATE_WILDRECV) &&
773 xfrm_state_addr_check(x, daddr, saddr, family) &&
774 tmpl->mode == x->props.mode &&
775 tmpl->id.proto == x->id.proto &&
776 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
777 /* Resolution logic:
778 1. There is a valid state with matching selector.
779 Done.
780 2. Valid state with inappropriate selector. Skip.
781
782 Entering area of "sysdeps".
783
784 3. If state is not valid, selector is temporary,
785 it selects only session which triggered
786 previous resolution. Key manager will do
787 something to install a state with proper
788 selector.
789 */
790 if (x->km.state == XFRM_STATE_VALID) {
791 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) ||
792 !security_xfrm_state_pol_flow_match(x, pol, fl))
793 continue;
794 if (!best ||
795 best->km.dying > x->km.dying ||
796 (best->km.dying == x->km.dying &&
797 best->curlft.add_time < x->curlft.add_time))
798 best = x;
799 } else if (x->km.state == XFRM_STATE_ACQ) {
800 acquire_in_progress = 1;
801 } else if (x->km.state == XFRM_STATE_ERROR ||
802 x->km.state == XFRM_STATE_EXPIRED) {
803 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
804 security_xfrm_state_pol_flow_match(x, pol, fl))
805 error = -ESRCH;
806 }
807 }
808 }
809
810 x = best;
811 if (!x && !error && !acquire_in_progress) {
812 if (tmpl->id.spi &&
813 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
814 tmpl->id.proto, family)) != NULL) {
815 xfrm_state_put(x0);
816 error = -EEXIST;
817 goto out;
818 }
819 x = xfrm_state_alloc();
820 if (x == NULL) {
821 error = -ENOMEM;
822 goto out;
823 }
824 /* Initialize temporary selector matching only
825 * to current session. */
826 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
827
828 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
829 if (error) {
830 x->km.state = XFRM_STATE_DEAD;
831 xfrm_state_put(x);
832 x = NULL;
833 goto out;
834 }
835
836 if (km_query(x, tmpl, pol) == 0) {
837 x->km.state = XFRM_STATE_ACQ;
838 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
839 h = xfrm_src_hash(daddr, saddr, family);
840 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
841 if (x->id.spi) {
842 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
843 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
844 }
845 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
846 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
847 add_timer(&x->timer);
848 xfrm_state_num++;
849 xfrm_hash_grow_check(x->bydst.next != NULL);
850 } else {
851 x->km.state = XFRM_STATE_DEAD;
852 xfrm_state_put(x);
853 x = NULL;
854 error = -ESRCH;
855 }
856 }
857 out:
858 if (x)
859 xfrm_state_hold(x);
860 else
861 *err = acquire_in_progress ? -EAGAIN : error;
862 spin_unlock_bh(&xfrm_state_lock);
863 return x;
864 }
865
866 struct xfrm_state *
867 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
868 unsigned short family, u8 mode, u8 proto, u32 reqid)
869 {
870 unsigned int h;
871 struct xfrm_state *rx = NULL, *x = NULL;
872 struct hlist_node *entry;
873
874 spin_lock(&xfrm_state_lock);
875 h = xfrm_dst_hash(daddr, saddr, reqid, family);
876 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
877 if (x->props.family == family &&
878 x->props.reqid == reqid &&
879 !(x->props.flags & XFRM_STATE_WILDRECV) &&
880 xfrm_state_addr_check(x, daddr, saddr, family) &&
881 mode == x->props.mode &&
882 proto == x->id.proto &&
883 x->km.state == XFRM_STATE_VALID) {
884 rx = x;
885 break;
886 }
887 }
888
889 if (rx)
890 xfrm_state_hold(rx);
891 spin_unlock(&xfrm_state_lock);
892
893
894 return rx;
895 }
896 EXPORT_SYMBOL(xfrm_stateonly_find);
897
898 static void __xfrm_state_insert(struct xfrm_state *x)
899 {
900 unsigned int h;
901
902 x->genid = ++xfrm_state_genid;
903
904 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
905 x->props.reqid, x->props.family);
906 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
907
908 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
909 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
910
911 if (x->id.spi) {
912 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
913 x->props.family);
914
915 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
916 }
917
918 mod_timer(&x->timer, jiffies + HZ);
919 if (x->replay_maxage)
920 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
921
922 wake_up(&km_waitq);
923
924 xfrm_state_num++;
925
926 xfrm_hash_grow_check(x->bydst.next != NULL);
927 }
928
929 /* xfrm_state_lock is held */
930 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
931 {
932 unsigned short family = xnew->props.family;
933 u32 reqid = xnew->props.reqid;
934 struct xfrm_state *x;
935 struct hlist_node *entry;
936 unsigned int h;
937
938 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
939 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
940 if (x->props.family == family &&
941 x->props.reqid == reqid &&
942 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
943 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
944 x->genid = xfrm_state_genid;
945 }
946 }
947
948 void xfrm_state_insert(struct xfrm_state *x)
949 {
950 spin_lock_bh(&xfrm_state_lock);
951 __xfrm_state_bump_genids(x);
952 __xfrm_state_insert(x);
953 spin_unlock_bh(&xfrm_state_lock);
954 }
955 EXPORT_SYMBOL(xfrm_state_insert);
956
957 /* xfrm_state_lock is held */
958 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
959 {
960 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
961 struct hlist_node *entry;
962 struct xfrm_state *x;
963
964 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
965 if (x->props.reqid != reqid ||
966 x->props.mode != mode ||
967 x->props.family != family ||
968 x->km.state != XFRM_STATE_ACQ ||
969 x->id.spi != 0 ||
970 x->id.proto != proto)
971 continue;
972
973 switch (family) {
974 case AF_INET:
975 if (x->id.daddr.a4 != daddr->a4 ||
976 x->props.saddr.a4 != saddr->a4)
977 continue;
978 break;
979 case AF_INET6:
980 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
981 (struct in6_addr *)daddr) ||
982 !ipv6_addr_equal((struct in6_addr *)
983 x->props.saddr.a6,
984 (struct in6_addr *)saddr))
985 continue;
986 break;
987 }
988
989 xfrm_state_hold(x);
990 return x;
991 }
992
993 if (!create)
994 return NULL;
995
996 x = xfrm_state_alloc();
997 if (likely(x)) {
998 switch (family) {
999 case AF_INET:
1000 x->sel.daddr.a4 = daddr->a4;
1001 x->sel.saddr.a4 = saddr->a4;
1002 x->sel.prefixlen_d = 32;
1003 x->sel.prefixlen_s = 32;
1004 x->props.saddr.a4 = saddr->a4;
1005 x->id.daddr.a4 = daddr->a4;
1006 break;
1007
1008 case AF_INET6:
1009 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1010 (struct in6_addr *)daddr);
1011 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1012 (struct in6_addr *)saddr);
1013 x->sel.prefixlen_d = 128;
1014 x->sel.prefixlen_s = 128;
1015 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1016 (struct in6_addr *)saddr);
1017 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1018 (struct in6_addr *)daddr);
1019 break;
1020 }
1021
1022 x->km.state = XFRM_STATE_ACQ;
1023 x->id.proto = proto;
1024 x->props.family = family;
1025 x->props.mode = mode;
1026 x->props.reqid = reqid;
1027 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1028 xfrm_state_hold(x);
1029 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1030 add_timer(&x->timer);
1031 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
1032 h = xfrm_src_hash(daddr, saddr, family);
1033 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
1034
1035 xfrm_state_num++;
1036
1037 xfrm_hash_grow_check(x->bydst.next != NULL);
1038 }
1039
1040 return x;
1041 }
1042
1043 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1044
1045 int xfrm_state_add(struct xfrm_state *x)
1046 {
1047 struct xfrm_state *x1;
1048 int family;
1049 int err;
1050 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1051
1052 family = x->props.family;
1053
1054 spin_lock_bh(&xfrm_state_lock);
1055
1056 x1 = __xfrm_state_locate(x, use_spi, family);
1057 if (x1) {
1058 xfrm_state_put(x1);
1059 x1 = NULL;
1060 err = -EEXIST;
1061 goto out;
1062 }
1063
1064 if (use_spi && x->km.seq) {
1065 x1 = __xfrm_find_acq_byseq(x->km.seq);
1066 if (x1 && ((x1->id.proto != x->id.proto) ||
1067 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1068 xfrm_state_put(x1);
1069 x1 = NULL;
1070 }
1071 }
1072
1073 if (use_spi && !x1)
1074 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1075 x->id.proto,
1076 &x->id.daddr, &x->props.saddr, 0);
1077
1078 __xfrm_state_bump_genids(x);
1079 __xfrm_state_insert(x);
1080 err = 0;
1081
1082 out:
1083 spin_unlock_bh(&xfrm_state_lock);
1084
1085 if (x1) {
1086 xfrm_state_delete(x1);
1087 xfrm_state_put(x1);
1088 }
1089
1090 return err;
1091 }
1092 EXPORT_SYMBOL(xfrm_state_add);
1093
1094 #ifdef CONFIG_XFRM_MIGRATE
1095 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1096 {
1097 int err = -ENOMEM;
1098 struct xfrm_state *x = xfrm_state_alloc();
1099 if (!x)
1100 goto error;
1101
1102 memcpy(&x->id, &orig->id, sizeof(x->id));
1103 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1104 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1105 x->props.mode = orig->props.mode;
1106 x->props.replay_window = orig->props.replay_window;
1107 x->props.reqid = orig->props.reqid;
1108 x->props.family = orig->props.family;
1109 x->props.saddr = orig->props.saddr;
1110
1111 if (orig->aalg) {
1112 x->aalg = xfrm_algo_clone(orig->aalg);
1113 if (!x->aalg)
1114 goto error;
1115 }
1116 x->props.aalgo = orig->props.aalgo;
1117
1118 if (orig->ealg) {
1119 x->ealg = xfrm_algo_clone(orig->ealg);
1120 if (!x->ealg)
1121 goto error;
1122 }
1123 x->props.ealgo = orig->props.ealgo;
1124
1125 if (orig->calg) {
1126 x->calg = xfrm_algo_clone(orig->calg);
1127 if (!x->calg)
1128 goto error;
1129 }
1130 x->props.calgo = orig->props.calgo;
1131
1132 if (orig->encap) {
1133 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1134 if (!x->encap)
1135 goto error;
1136 }
1137
1138 if (orig->coaddr) {
1139 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1140 GFP_KERNEL);
1141 if (!x->coaddr)
1142 goto error;
1143 }
1144
1145 err = xfrm_init_state(x);
1146 if (err)
1147 goto error;
1148
1149 x->props.flags = orig->props.flags;
1150
1151 x->curlft.add_time = orig->curlft.add_time;
1152 x->km.state = orig->km.state;
1153 x->km.seq = orig->km.seq;
1154
1155 return x;
1156
1157 error:
1158 if (errp)
1159 *errp = err;
1160 if (x) {
1161 kfree(x->aalg);
1162 kfree(x->ealg);
1163 kfree(x->calg);
1164 kfree(x->encap);
1165 kfree(x->coaddr);
1166 }
1167 kfree(x);
1168 return NULL;
1169 }
1170 EXPORT_SYMBOL(xfrm_state_clone);
1171
1172 /* xfrm_state_lock is held */
1173 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1174 {
1175 unsigned int h;
1176 struct xfrm_state *x;
1177 struct hlist_node *entry;
1178
1179 if (m->reqid) {
1180 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1181 m->reqid, m->old_family);
1182 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1183 if (x->props.mode != m->mode ||
1184 x->id.proto != m->proto)
1185 continue;
1186 if (m->reqid && x->props.reqid != m->reqid)
1187 continue;
1188 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1189 m->old_family) ||
1190 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1191 m->old_family))
1192 continue;
1193 xfrm_state_hold(x);
1194 return x;
1195 }
1196 } else {
1197 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1198 m->old_family);
1199 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1200 if (x->props.mode != m->mode ||
1201 x->id.proto != m->proto)
1202 continue;
1203 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1204 m->old_family) ||
1205 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1206 m->old_family))
1207 continue;
1208 xfrm_state_hold(x);
1209 return x;
1210 }
1211 }
1212
1213 return NULL;
1214 }
1215 EXPORT_SYMBOL(xfrm_migrate_state_find);
1216
1217 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1218 struct xfrm_migrate *m)
1219 {
1220 struct xfrm_state *xc;
1221 int err;
1222
1223 xc = xfrm_state_clone(x, &err);
1224 if (!xc)
1225 return NULL;
1226
1227 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1228 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1229
1230 /* add state */
1231 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1232 /* a care is needed when the destination address of the
1233 state is to be updated as it is a part of triplet */
1234 xfrm_state_insert(xc);
1235 } else {
1236 if ((err = xfrm_state_add(xc)) < 0)
1237 goto error;
1238 }
1239
1240 return xc;
1241 error:
1242 kfree(xc);
1243 return NULL;
1244 }
1245 EXPORT_SYMBOL(xfrm_state_migrate);
1246 #endif
1247
1248 int xfrm_state_update(struct xfrm_state *x)
1249 {
1250 struct xfrm_state *x1;
1251 int err;
1252 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1253
1254 spin_lock_bh(&xfrm_state_lock);
1255 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1256
1257 err = -ESRCH;
1258 if (!x1)
1259 goto out;
1260
1261 if (xfrm_state_kern(x1)) {
1262 xfrm_state_put(x1);
1263 err = -EEXIST;
1264 goto out;
1265 }
1266
1267 if (x1->km.state == XFRM_STATE_ACQ) {
1268 __xfrm_state_insert(x);
1269 x = NULL;
1270 }
1271 err = 0;
1272
1273 out:
1274 spin_unlock_bh(&xfrm_state_lock);
1275
1276 if (err)
1277 return err;
1278
1279 if (!x) {
1280 xfrm_state_delete(x1);
1281 xfrm_state_put(x1);
1282 return 0;
1283 }
1284
1285 err = -EINVAL;
1286 spin_lock_bh(&x1->lock);
1287 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1288 if (x->encap && x1->encap)
1289 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1290 if (x->coaddr && x1->coaddr) {
1291 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1292 }
1293 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1294 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1295 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1296 x1->km.dying = 0;
1297
1298 mod_timer(&x1->timer, jiffies + HZ);
1299 if (x1->curlft.use_time)
1300 xfrm_state_check_expire(x1);
1301
1302 err = 0;
1303 }
1304 spin_unlock_bh(&x1->lock);
1305
1306 xfrm_state_put(x1);
1307
1308 return err;
1309 }
1310 EXPORT_SYMBOL(xfrm_state_update);
1311
1312 int xfrm_state_check_expire(struct xfrm_state *x)
1313 {
1314 if (!x->curlft.use_time)
1315 x->curlft.use_time = get_seconds();
1316
1317 if (x->km.state != XFRM_STATE_VALID)
1318 return -EINVAL;
1319
1320 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1321 x->curlft.packets >= x->lft.hard_packet_limit) {
1322 x->km.state = XFRM_STATE_EXPIRED;
1323 mod_timer(&x->timer, jiffies);
1324 return -EINVAL;
1325 }
1326
1327 if (!x->km.dying &&
1328 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1329 x->curlft.packets >= x->lft.soft_packet_limit)) {
1330 x->km.dying = 1;
1331 km_state_expired(x, 0, 0);
1332 }
1333 return 0;
1334 }
1335 EXPORT_SYMBOL(xfrm_state_check_expire);
1336
1337 struct xfrm_state *
1338 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1339 unsigned short family)
1340 {
1341 struct xfrm_state *x;
1342
1343 spin_lock_bh(&xfrm_state_lock);
1344 x = __xfrm_state_lookup(daddr, spi, proto, family);
1345 spin_unlock_bh(&xfrm_state_lock);
1346 return x;
1347 }
1348 EXPORT_SYMBOL(xfrm_state_lookup);
1349
1350 struct xfrm_state *
1351 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1352 u8 proto, unsigned short family)
1353 {
1354 struct xfrm_state *x;
1355
1356 spin_lock_bh(&xfrm_state_lock);
1357 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1358 spin_unlock_bh(&xfrm_state_lock);
1359 return x;
1360 }
1361 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1362
1363 struct xfrm_state *
1364 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1365 xfrm_address_t *daddr, xfrm_address_t *saddr,
1366 int create, unsigned short family)
1367 {
1368 struct xfrm_state *x;
1369
1370 spin_lock_bh(&xfrm_state_lock);
1371 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1372 spin_unlock_bh(&xfrm_state_lock);
1373
1374 return x;
1375 }
1376 EXPORT_SYMBOL(xfrm_find_acq);
1377
1378 #ifdef CONFIG_XFRM_SUB_POLICY
1379 int
1380 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1381 unsigned short family)
1382 {
1383 int err = 0;
1384 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1385 if (!afinfo)
1386 return -EAFNOSUPPORT;
1387
1388 spin_lock_bh(&xfrm_state_lock);
1389 if (afinfo->tmpl_sort)
1390 err = afinfo->tmpl_sort(dst, src, n);
1391 spin_unlock_bh(&xfrm_state_lock);
1392 xfrm_state_put_afinfo(afinfo);
1393 return err;
1394 }
1395 EXPORT_SYMBOL(xfrm_tmpl_sort);
1396
1397 int
1398 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1399 unsigned short family)
1400 {
1401 int err = 0;
1402 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1403 if (!afinfo)
1404 return -EAFNOSUPPORT;
1405
1406 spin_lock_bh(&xfrm_state_lock);
1407 if (afinfo->state_sort)
1408 err = afinfo->state_sort(dst, src, n);
1409 spin_unlock_bh(&xfrm_state_lock);
1410 xfrm_state_put_afinfo(afinfo);
1411 return err;
1412 }
1413 EXPORT_SYMBOL(xfrm_state_sort);
1414 #endif
1415
1416 /* Silly enough, but I'm lazy to build resolution list */
1417
1418 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1419 {
1420 int i;
1421
1422 for (i = 0; i <= xfrm_state_hmask; i++) {
1423 struct hlist_node *entry;
1424 struct xfrm_state *x;
1425
1426 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1427 if (x->km.seq == seq &&
1428 x->km.state == XFRM_STATE_ACQ) {
1429 xfrm_state_hold(x);
1430 return x;
1431 }
1432 }
1433 }
1434 return NULL;
1435 }
1436
1437 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1438 {
1439 struct xfrm_state *x;
1440
1441 spin_lock_bh(&xfrm_state_lock);
1442 x = __xfrm_find_acq_byseq(seq);
1443 spin_unlock_bh(&xfrm_state_lock);
1444 return x;
1445 }
1446 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1447
1448 u32 xfrm_get_acqseq(void)
1449 {
1450 u32 res;
1451 static u32 acqseq;
1452 static DEFINE_SPINLOCK(acqseq_lock);
1453
1454 spin_lock_bh(&acqseq_lock);
1455 res = (++acqseq ? : ++acqseq);
1456 spin_unlock_bh(&acqseq_lock);
1457 return res;
1458 }
1459 EXPORT_SYMBOL(xfrm_get_acqseq);
1460
1461 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1462 {
1463 unsigned int h;
1464 struct xfrm_state *x0;
1465 int err = -ENOENT;
1466 __be32 minspi = htonl(low);
1467 __be32 maxspi = htonl(high);
1468
1469 spin_lock_bh(&x->lock);
1470 if (x->km.state == XFRM_STATE_DEAD)
1471 goto unlock;
1472
1473 err = 0;
1474 if (x->id.spi)
1475 goto unlock;
1476
1477 err = -ENOENT;
1478
1479 if (minspi == maxspi) {
1480 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1481 if (x0) {
1482 xfrm_state_put(x0);
1483 goto unlock;
1484 }
1485 x->id.spi = minspi;
1486 } else {
1487 u32 spi = 0;
1488 for (h=0; h<high-low+1; h++) {
1489 spi = low + net_random()%(high-low+1);
1490 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1491 if (x0 == NULL) {
1492 x->id.spi = htonl(spi);
1493 break;
1494 }
1495 xfrm_state_put(x0);
1496 }
1497 }
1498 if (x->id.spi) {
1499 spin_lock_bh(&xfrm_state_lock);
1500 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1501 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1502 spin_unlock_bh(&xfrm_state_lock);
1503
1504 err = 0;
1505 }
1506
1507 unlock:
1508 spin_unlock_bh(&x->lock);
1509
1510 return err;
1511 }
1512 EXPORT_SYMBOL(xfrm_alloc_spi);
1513
1514 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1515 void *data)
1516 {
1517 int i;
1518 struct xfrm_state *x, *last = NULL;
1519 struct hlist_node *entry;
1520 int count = 0;
1521 int err = 0;
1522
1523 spin_lock_bh(&xfrm_state_lock);
1524 for (i = 0; i <= xfrm_state_hmask; i++) {
1525 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1526 if (!xfrm_id_proto_match(x->id.proto, proto))
1527 continue;
1528 if (last) {
1529 err = func(last, count, data);
1530 if (err)
1531 goto out;
1532 }
1533 last = x;
1534 count++;
1535 }
1536 }
1537 if (count == 0) {
1538 err = -ENOENT;
1539 goto out;
1540 }
1541 err = func(last, 0, data);
1542 out:
1543 spin_unlock_bh(&xfrm_state_lock);
1544 return err;
1545 }
1546 EXPORT_SYMBOL(xfrm_state_walk);
1547
1548
1549 void xfrm_replay_notify(struct xfrm_state *x, int event)
1550 {
1551 struct km_event c;
1552 /* we send notify messages in case
1553 * 1. we updated on of the sequence numbers, and the seqno difference
1554 * is at least x->replay_maxdiff, in this case we also update the
1555 * timeout of our timer function
1556 * 2. if x->replay_maxage has elapsed since last update,
1557 * and there were changes
1558 *
1559 * The state structure must be locked!
1560 */
1561
1562 switch (event) {
1563 case XFRM_REPLAY_UPDATE:
1564 if (x->replay_maxdiff &&
1565 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1566 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1567 if (x->xflags & XFRM_TIME_DEFER)
1568 event = XFRM_REPLAY_TIMEOUT;
1569 else
1570 return;
1571 }
1572
1573 break;
1574
1575 case XFRM_REPLAY_TIMEOUT:
1576 if ((x->replay.seq == x->preplay.seq) &&
1577 (x->replay.bitmap == x->preplay.bitmap) &&
1578 (x->replay.oseq == x->preplay.oseq)) {
1579 x->xflags |= XFRM_TIME_DEFER;
1580 return;
1581 }
1582
1583 break;
1584 }
1585
1586 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1587 c.event = XFRM_MSG_NEWAE;
1588 c.data.aevent = event;
1589 km_state_notify(x, &c);
1590
1591 if (x->replay_maxage &&
1592 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1593 x->xflags &= ~XFRM_TIME_DEFER;
1594 }
1595
1596 static void xfrm_replay_timer_handler(unsigned long data)
1597 {
1598 struct xfrm_state *x = (struct xfrm_state*)data;
1599
1600 spin_lock(&x->lock);
1601
1602 if (x->km.state == XFRM_STATE_VALID) {
1603 if (xfrm_aevent_is_on())
1604 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1605 else
1606 x->xflags |= XFRM_TIME_DEFER;
1607 }
1608
1609 spin_unlock(&x->lock);
1610 }
1611
1612 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1613 {
1614 u32 diff;
1615 u32 seq = ntohl(net_seq);
1616
1617 if (unlikely(seq == 0))
1618 return -EINVAL;
1619
1620 if (likely(seq > x->replay.seq))
1621 return 0;
1622
1623 diff = x->replay.seq - seq;
1624 if (diff >= min_t(unsigned int, x->props.replay_window,
1625 sizeof(x->replay.bitmap) * 8)) {
1626 x->stats.replay_window++;
1627 return -EINVAL;
1628 }
1629
1630 if (x->replay.bitmap & (1U << diff)) {
1631 x->stats.replay++;
1632 return -EINVAL;
1633 }
1634 return 0;
1635 }
1636 EXPORT_SYMBOL(xfrm_replay_check);
1637
1638 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1639 {
1640 u32 diff;
1641 u32 seq = ntohl(net_seq);
1642
1643 if (seq > x->replay.seq) {
1644 diff = seq - x->replay.seq;
1645 if (diff < x->props.replay_window)
1646 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1647 else
1648 x->replay.bitmap = 1;
1649 x->replay.seq = seq;
1650 } else {
1651 diff = x->replay.seq - seq;
1652 x->replay.bitmap |= (1U << diff);
1653 }
1654
1655 if (xfrm_aevent_is_on())
1656 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1657 }
1658 EXPORT_SYMBOL(xfrm_replay_advance);
1659
1660 static LIST_HEAD(xfrm_km_list);
1661 static DEFINE_RWLOCK(xfrm_km_lock);
1662
1663 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1664 {
1665 struct xfrm_mgr *km;
1666
1667 read_lock(&xfrm_km_lock);
1668 list_for_each_entry(km, &xfrm_km_list, list)
1669 if (km->notify_policy)
1670 km->notify_policy(xp, dir, c);
1671 read_unlock(&xfrm_km_lock);
1672 }
1673
1674 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1675 {
1676 struct xfrm_mgr *km;
1677 read_lock(&xfrm_km_lock);
1678 list_for_each_entry(km, &xfrm_km_list, list)
1679 if (km->notify)
1680 km->notify(x, c);
1681 read_unlock(&xfrm_km_lock);
1682 }
1683
1684 EXPORT_SYMBOL(km_policy_notify);
1685 EXPORT_SYMBOL(km_state_notify);
1686
1687 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1688 {
1689 struct km_event c;
1690
1691 c.data.hard = hard;
1692 c.pid = pid;
1693 c.event = XFRM_MSG_EXPIRE;
1694 km_state_notify(x, &c);
1695
1696 if (hard)
1697 wake_up(&km_waitq);
1698 }
1699
1700 EXPORT_SYMBOL(km_state_expired);
1701 /*
1702 * We send to all registered managers regardless of failure
1703 * We are happy with one success
1704 */
1705 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1706 {
1707 int err = -EINVAL, acqret;
1708 struct xfrm_mgr *km;
1709
1710 read_lock(&xfrm_km_lock);
1711 list_for_each_entry(km, &xfrm_km_list, list) {
1712 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1713 if (!acqret)
1714 err = acqret;
1715 }
1716 read_unlock(&xfrm_km_lock);
1717 return err;
1718 }
1719 EXPORT_SYMBOL(km_query);
1720
1721 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1722 {
1723 int err = -EINVAL;
1724 struct xfrm_mgr *km;
1725
1726 read_lock(&xfrm_km_lock);
1727 list_for_each_entry(km, &xfrm_km_list, list) {
1728 if (km->new_mapping)
1729 err = km->new_mapping(x, ipaddr, sport);
1730 if (!err)
1731 break;
1732 }
1733 read_unlock(&xfrm_km_lock);
1734 return err;
1735 }
1736 EXPORT_SYMBOL(km_new_mapping);
1737
1738 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1739 {
1740 struct km_event c;
1741
1742 c.data.hard = hard;
1743 c.pid = pid;
1744 c.event = XFRM_MSG_POLEXPIRE;
1745 km_policy_notify(pol, dir, &c);
1746
1747 if (hard)
1748 wake_up(&km_waitq);
1749 }
1750 EXPORT_SYMBOL(km_policy_expired);
1751
1752 #ifdef CONFIG_XFRM_MIGRATE
1753 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1754 struct xfrm_migrate *m, int num_migrate)
1755 {
1756 int err = -EINVAL;
1757 int ret;
1758 struct xfrm_mgr *km;
1759
1760 read_lock(&xfrm_km_lock);
1761 list_for_each_entry(km, &xfrm_km_list, list) {
1762 if (km->migrate) {
1763 ret = km->migrate(sel, dir, type, m, num_migrate);
1764 if (!ret)
1765 err = ret;
1766 }
1767 }
1768 read_unlock(&xfrm_km_lock);
1769 return err;
1770 }
1771 EXPORT_SYMBOL(km_migrate);
1772 #endif
1773
1774 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1775 {
1776 int err = -EINVAL;
1777 int ret;
1778 struct xfrm_mgr *km;
1779
1780 read_lock(&xfrm_km_lock);
1781 list_for_each_entry(km, &xfrm_km_list, list) {
1782 if (km->report) {
1783 ret = km->report(proto, sel, addr);
1784 if (!ret)
1785 err = ret;
1786 }
1787 }
1788 read_unlock(&xfrm_km_lock);
1789 return err;
1790 }
1791 EXPORT_SYMBOL(km_report);
1792
1793 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1794 {
1795 int err;
1796 u8 *data;
1797 struct xfrm_mgr *km;
1798 struct xfrm_policy *pol = NULL;
1799
1800 if (optlen <= 0 || optlen > PAGE_SIZE)
1801 return -EMSGSIZE;
1802
1803 data = kmalloc(optlen, GFP_KERNEL);
1804 if (!data)
1805 return -ENOMEM;
1806
1807 err = -EFAULT;
1808 if (copy_from_user(data, optval, optlen))
1809 goto out;
1810
1811 err = -EINVAL;
1812 read_lock(&xfrm_km_lock);
1813 list_for_each_entry(km, &xfrm_km_list, list) {
1814 pol = km->compile_policy(sk, optname, data,
1815 optlen, &err);
1816 if (err >= 0)
1817 break;
1818 }
1819 read_unlock(&xfrm_km_lock);
1820
1821 if (err >= 0) {
1822 xfrm_sk_policy_insert(sk, err, pol);
1823 xfrm_pol_put(pol);
1824 err = 0;
1825 }
1826
1827 out:
1828 kfree(data);
1829 return err;
1830 }
1831 EXPORT_SYMBOL(xfrm_user_policy);
1832
1833 int xfrm_register_km(struct xfrm_mgr *km)
1834 {
1835 write_lock_bh(&xfrm_km_lock);
1836 list_add_tail(&km->list, &xfrm_km_list);
1837 write_unlock_bh(&xfrm_km_lock);
1838 return 0;
1839 }
1840 EXPORT_SYMBOL(xfrm_register_km);
1841
1842 int xfrm_unregister_km(struct xfrm_mgr *km)
1843 {
1844 write_lock_bh(&xfrm_km_lock);
1845 list_del(&km->list);
1846 write_unlock_bh(&xfrm_km_lock);
1847 return 0;
1848 }
1849 EXPORT_SYMBOL(xfrm_unregister_km);
1850
1851 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1852 {
1853 int err = 0;
1854 if (unlikely(afinfo == NULL))
1855 return -EINVAL;
1856 if (unlikely(afinfo->family >= NPROTO))
1857 return -EAFNOSUPPORT;
1858 write_lock_bh(&xfrm_state_afinfo_lock);
1859 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1860 err = -ENOBUFS;
1861 else
1862 xfrm_state_afinfo[afinfo->family] = afinfo;
1863 write_unlock_bh(&xfrm_state_afinfo_lock);
1864 return err;
1865 }
1866 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1867
1868 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1869 {
1870 int err = 0;
1871 if (unlikely(afinfo == NULL))
1872 return -EINVAL;
1873 if (unlikely(afinfo->family >= NPROTO))
1874 return -EAFNOSUPPORT;
1875 write_lock_bh(&xfrm_state_afinfo_lock);
1876 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1877 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1878 err = -EINVAL;
1879 else
1880 xfrm_state_afinfo[afinfo->family] = NULL;
1881 }
1882 write_unlock_bh(&xfrm_state_afinfo_lock);
1883 return err;
1884 }
1885 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1886
1887 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1888 {
1889 struct xfrm_state_afinfo *afinfo;
1890 if (unlikely(family >= NPROTO))
1891 return NULL;
1892 read_lock(&xfrm_state_afinfo_lock);
1893 afinfo = xfrm_state_afinfo[family];
1894 if (unlikely(!afinfo))
1895 read_unlock(&xfrm_state_afinfo_lock);
1896 return afinfo;
1897 }
1898
1899 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1900 {
1901 read_unlock(&xfrm_state_afinfo_lock);
1902 }
1903
1904 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1905 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1906 {
1907 if (x->tunnel) {
1908 struct xfrm_state *t = x->tunnel;
1909
1910 if (atomic_read(&t->tunnel_users) == 2)
1911 xfrm_state_delete(t);
1912 atomic_dec(&t->tunnel_users);
1913 xfrm_state_put(t);
1914 x->tunnel = NULL;
1915 }
1916 }
1917 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1918
1919 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1920 {
1921 int res;
1922
1923 spin_lock_bh(&x->lock);
1924 if (x->km.state == XFRM_STATE_VALID &&
1925 x->type && x->type->get_mtu)
1926 res = x->type->get_mtu(x, mtu);
1927 else
1928 res = mtu - x->props.header_len;
1929 spin_unlock_bh(&x->lock);
1930 return res;
1931 }
1932
1933 int xfrm_init_state(struct xfrm_state *x)
1934 {
1935 struct xfrm_state_afinfo *afinfo;
1936 int family = x->props.family;
1937 int err;
1938
1939 err = -EAFNOSUPPORT;
1940 afinfo = xfrm_state_get_afinfo(family);
1941 if (!afinfo)
1942 goto error;
1943
1944 err = 0;
1945 if (afinfo->init_flags)
1946 err = afinfo->init_flags(x);
1947
1948 xfrm_state_put_afinfo(afinfo);
1949
1950 if (err)
1951 goto error;
1952
1953 err = -EPROTONOSUPPORT;
1954 x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
1955 if (x->inner_mode == NULL)
1956 goto error;
1957
1958 if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
1959 family != x->sel.family)
1960 goto error;
1961
1962 x->type = xfrm_get_type(x->id.proto, family);
1963 if (x->type == NULL)
1964 goto error;
1965
1966 err = x->type->init_state(x);
1967 if (err)
1968 goto error;
1969
1970 x->outer_mode = xfrm_get_mode(x->props.mode, family);
1971 if (x->outer_mode == NULL)
1972 goto error;
1973
1974 x->km.state = XFRM_STATE_VALID;
1975
1976 error:
1977 return err;
1978 }
1979
1980 EXPORT_SYMBOL(xfrm_init_state);
1981
1982 void __init xfrm_state_init(void)
1983 {
1984 unsigned int sz;
1985
1986 sz = sizeof(struct hlist_head) * 8;
1987
1988 xfrm_state_bydst = xfrm_hash_alloc(sz);
1989 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1990 xfrm_state_byspi = xfrm_hash_alloc(sz);
1991 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1992 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1993 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1994
1995 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1996 }
1997
1998 #ifdef CONFIG_AUDITSYSCALL
1999 static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
2000 struct audit_buffer *audit_buf)
2001 {
2002 struct xfrm_sec_ctx *ctx = x->security;
2003 u32 spi = ntohl(x->id.spi);
2004
2005 if (ctx)
2006 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2007 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
2008
2009 switch(x->props.family) {
2010 case AF_INET:
2011 audit_log_format(audit_buf,
2012 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
2013 NIPQUAD(x->props.saddr.a4),
2014 NIPQUAD(x->id.daddr.a4));
2015 break;
2016 case AF_INET6:
2017 audit_log_format(audit_buf,
2018 " src=" NIP6_FMT " dst=" NIP6_FMT,
2019 NIP6(*(struct in6_addr *)x->props.saddr.a6),
2020 NIP6(*(struct in6_addr *)x->id.daddr.a6));
2021 break;
2022 }
2023
2024 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2025 }
2026
2027 void xfrm_audit_state_add(struct xfrm_state *x, int result,
2028 u32 auid, u32 secid)
2029 {
2030 struct audit_buffer *audit_buf;
2031
2032 if (audit_enabled == 0)
2033 return;
2034 audit_buf = xfrm_audit_start(auid, secid);
2035 if (audit_buf == NULL)
2036 return;
2037 audit_log_format(audit_buf, " op=SAD-add res=%u", result);
2038 xfrm_audit_common_stateinfo(x, audit_buf);
2039 audit_log_end(audit_buf);
2040 }
2041 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2042
2043 void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2044 u32 auid, u32 secid)
2045 {
2046 struct audit_buffer *audit_buf;
2047
2048 if (audit_enabled == 0)
2049 return;
2050 audit_buf = xfrm_audit_start(auid, secid);
2051 if (audit_buf == NULL)
2052 return;
2053 audit_log_format(audit_buf, " op=SAD-delete res=%u", result);
2054 xfrm_audit_common_stateinfo(x, audit_buf);
2055 audit_log_end(audit_buf);
2056 }
2057 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2058 #endif /* CONFIG_AUDITSYSCALL */
Linux kernel - Deliverables
This page took 0.107687 seconds and 5 git commands to generate.