projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[PPP] synchronous tty: convert dead_sem to completion
[deliverable/linux.git] / net / xfrm / xfrm_state.c
1 /*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
13 *
14 */
15
16 #include <linux/workqueue.h>
17 #include <net/xfrm.h>
18 #include <linux/pfkeyv2.h>
19 #include <linux/ipsec.h>
20 #include <linux/module.h>
21 #include <linux/cache.h>
22 #include <asm/uaccess.h>
23
24 #include "xfrm_hash.h"
25
26 struct sock *xfrm_nl;
27 EXPORT_SYMBOL(xfrm_nl);
28
29 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
30 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
31
32 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
33 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
34
35 u32 sysctl_xfrm_acq_expires __read_mostly = 30;
36
37 /* Each xfrm_state may be linked to two tables:
38
39 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
40 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
41 destination/tunnel endpoint. (output)
42 */
43
44 static DEFINE_SPINLOCK(xfrm_state_lock);
45
46 /* Hash table to find appropriate SA towards given target (endpoint
47 * of tunnel or destination of transport mode) allowed by selector.
48 *
49 * Main use is finding SA after policy selected tunnel or transport mode.
50 * Also, it can be used by ah/esp icmp error handler to find offending SA.
51 */
52 static struct hlist_head *xfrm_state_bydst __read_mostly;
53 static struct hlist_head *xfrm_state_bysrc __read_mostly;
54 static struct hlist_head *xfrm_state_byspi __read_mostly;
55 static unsigned int xfrm_state_hmask __read_mostly;
56 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
57 static unsigned int xfrm_state_num;
58 static unsigned int xfrm_state_genid;
59
60 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
61 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
62
63 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr,
64 xfrm_address_t *saddr,
65 u32 reqid,
66 unsigned short family)
67 {
68 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask);
69 }
70
71 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr,
72 xfrm_address_t *saddr,
73 unsigned short family)
74 {
75 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask);
76 }
77
78 static inline unsigned int
79 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
80 {
81 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask);
82 }
83
84 static void xfrm_hash_transfer(struct hlist_head *list,
85 struct hlist_head *ndsttable,
86 struct hlist_head *nsrctable,
87 struct hlist_head *nspitable,
88 unsigned int nhashmask)
89 {
90 struct hlist_node *entry, *tmp;
91 struct xfrm_state *x;
92
93 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
94 unsigned int h;
95
96 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
97 x->props.reqid, x->props.family,
98 nhashmask);
99 hlist_add_head(&x->bydst, ndsttable+h);
100
101 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
102 x->props.family,
103 nhashmask);
104 hlist_add_head(&x->bysrc, nsrctable+h);
105
106 if (x->id.spi) {
107 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
108 x->id.proto, x->props.family,
109 nhashmask);
110 hlist_add_head(&x->byspi, nspitable+h);
111 }
112 }
113 }
114
115 static unsigned long xfrm_hash_new_size(void)
116 {
117 return ((xfrm_state_hmask + 1) << 1) *
118 sizeof(struct hlist_head);
119 }
120
121 static DEFINE_MUTEX(hash_resize_mutex);
122
123 static void xfrm_hash_resize(struct work_struct *__unused)
124 {
125 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
126 unsigned long nsize, osize;
127 unsigned int nhashmask, ohashmask;
128 int i;
129
130 mutex_lock(&hash_resize_mutex);
131
132 nsize = xfrm_hash_new_size();
133 ndst = xfrm_hash_alloc(nsize);
134 if (!ndst)
135 goto out_unlock;
136 nsrc = xfrm_hash_alloc(nsize);
137 if (!nsrc) {
138 xfrm_hash_free(ndst, nsize);
139 goto out_unlock;
140 }
141 nspi = xfrm_hash_alloc(nsize);
142 if (!nspi) {
143 xfrm_hash_free(ndst, nsize);
144 xfrm_hash_free(nsrc, nsize);
145 goto out_unlock;
146 }
147
148 spin_lock_bh(&xfrm_state_lock);
149
150 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
151 for (i = xfrm_state_hmask; i >= 0; i--)
152 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi,
153 nhashmask);
154
155 odst = xfrm_state_bydst;
156 osrc = xfrm_state_bysrc;
157 ospi = xfrm_state_byspi;
158 ohashmask = xfrm_state_hmask;
159
160 xfrm_state_bydst = ndst;
161 xfrm_state_bysrc = nsrc;
162 xfrm_state_byspi = nspi;
163 xfrm_state_hmask = nhashmask;
164
165 spin_unlock_bh(&xfrm_state_lock);
166
167 osize = (ohashmask + 1) * sizeof(struct hlist_head);
168 xfrm_hash_free(odst, osize);
169 xfrm_hash_free(osrc, osize);
170 xfrm_hash_free(ospi, osize);
171
172 out_unlock:
173 mutex_unlock(&hash_resize_mutex);
174 }
175
176 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize);
177
178 DECLARE_WAIT_QUEUE_HEAD(km_waitq);
179 EXPORT_SYMBOL(km_waitq);
180
181 static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
182 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
183
184 static struct work_struct xfrm_state_gc_work;
185 static HLIST_HEAD(xfrm_state_gc_list);
186 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
187
188 int __xfrm_state_delete(struct xfrm_state *x);
189
190 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
191 void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
192
193 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
194 {
195 struct xfrm_state_afinfo *afinfo;
196 if (unlikely(family >= NPROTO))
197 return NULL;
198 write_lock_bh(&xfrm_state_afinfo_lock);
199 afinfo = xfrm_state_afinfo[family];
200 if (unlikely(!afinfo))
201 write_unlock_bh(&xfrm_state_afinfo_lock);
202 return afinfo;
203 }
204
205 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
206 {
207 write_unlock_bh(&xfrm_state_afinfo_lock);
208 }
209
210 int xfrm_register_type(struct xfrm_type *type, unsigned short family)
211 {
212 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
213 struct xfrm_type **typemap;
214 int err = 0;
215
216 if (unlikely(afinfo == NULL))
217 return -EAFNOSUPPORT;
218 typemap = afinfo->type_map;
219
220 if (likely(typemap[type->proto] == NULL))
221 typemap[type->proto] = type;
222 else
223 err = -EEXIST;
224 xfrm_state_unlock_afinfo(afinfo);
225 return err;
226 }
227 EXPORT_SYMBOL(xfrm_register_type);
228
229 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family)
230 {
231 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
232 struct xfrm_type **typemap;
233 int err = 0;
234
235 if (unlikely(afinfo == NULL))
236 return -EAFNOSUPPORT;
237 typemap = afinfo->type_map;
238
239 if (unlikely(typemap[type->proto] != type))
240 err = -ENOENT;
241 else
242 typemap[type->proto] = NULL;
243 xfrm_state_unlock_afinfo(afinfo);
244 return err;
245 }
246 EXPORT_SYMBOL(xfrm_unregister_type);
247
248 static struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
249 {
250 struct xfrm_state_afinfo *afinfo;
251 struct xfrm_type **typemap;
252 struct xfrm_type *type;
253 int modload_attempted = 0;
254
255 retry:
256 afinfo = xfrm_state_get_afinfo(family);
257 if (unlikely(afinfo == NULL))
258 return NULL;
259 typemap = afinfo->type_map;
260
261 type = typemap[proto];
262 if (unlikely(type && !try_module_get(type->owner)))
263 type = NULL;
264 if (!type && !modload_attempted) {
265 xfrm_state_put_afinfo(afinfo);
266 request_module("xfrm-type-%d-%d", family, proto);
267 modload_attempted = 1;
268 goto retry;
269 }
270
271 xfrm_state_put_afinfo(afinfo);
272 return type;
273 }
274
275 static void xfrm_put_type(struct xfrm_type *type)
276 {
277 module_put(type->owner);
278 }
279
280 int xfrm_register_mode(struct xfrm_mode *mode, int family)
281 {
282 struct xfrm_state_afinfo *afinfo;
283 struct xfrm_mode **modemap;
284 int err;
285
286 if (unlikely(mode->encap >= XFRM_MODE_MAX))
287 return -EINVAL;
288
289 afinfo = xfrm_state_lock_afinfo(family);
290 if (unlikely(afinfo == NULL))
291 return -EAFNOSUPPORT;
292
293 err = -EEXIST;
294 modemap = afinfo->mode_map;
295 if (modemap[mode->encap])
296 goto out;
297
298 err = -ENOENT;
299 if (!try_module_get(afinfo->owner))
300 goto out;
301
302 mode->afinfo = afinfo;
303 modemap[mode->encap] = mode;
304 err = 0;
305
306 out:
307 xfrm_state_unlock_afinfo(afinfo);
308 return err;
309 }
310 EXPORT_SYMBOL(xfrm_register_mode);
311
312 int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
313 {
314 struct xfrm_state_afinfo *afinfo;
315 struct xfrm_mode **modemap;
316 int err;
317
318 if (unlikely(mode->encap >= XFRM_MODE_MAX))
319 return -EINVAL;
320
321 afinfo = xfrm_state_lock_afinfo(family);
322 if (unlikely(afinfo == NULL))
323 return -EAFNOSUPPORT;
324
325 err = -ENOENT;
326 modemap = afinfo->mode_map;
327 if (likely(modemap[mode->encap] == mode)) {
328 modemap[mode->encap] = NULL;
329 module_put(mode->afinfo->owner);
330 err = 0;
331 }
332
333 xfrm_state_unlock_afinfo(afinfo);
334 return err;
335 }
336 EXPORT_SYMBOL(xfrm_unregister_mode);
337
338 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
339 {
340 struct xfrm_state_afinfo *afinfo;
341 struct xfrm_mode *mode;
342 int modload_attempted = 0;
343
344 if (unlikely(encap >= XFRM_MODE_MAX))
345 return NULL;
346
347 retry:
348 afinfo = xfrm_state_get_afinfo(family);
349 if (unlikely(afinfo == NULL))
350 return NULL;
351
352 mode = afinfo->mode_map[encap];
353 if (unlikely(mode && !try_module_get(mode->owner)))
354 mode = NULL;
355 if (!mode && !modload_attempted) {
356 xfrm_state_put_afinfo(afinfo);
357 request_module("xfrm-mode-%d-%d", family, encap);
358 modload_attempted = 1;
359 goto retry;
360 }
361
362 xfrm_state_put_afinfo(afinfo);
363 return mode;
364 }
365
366 static void xfrm_put_mode(struct xfrm_mode *mode)
367 {
368 module_put(mode->owner);
369 }
370
371 static void xfrm_state_gc_destroy(struct xfrm_state *x)
372 {
373 del_timer_sync(&x->timer);
374 del_timer_sync(&x->rtimer);
375 kfree(x->aalg);
376 kfree(x->ealg);
377 kfree(x->calg);
378 kfree(x->encap);
379 kfree(x->coaddr);
380 if (x->inner_mode)
381 xfrm_put_mode(x->inner_mode);
382 if (x->outer_mode)
383 xfrm_put_mode(x->outer_mode);
384 if (x->type) {
385 x->type->destructor(x);
386 xfrm_put_type(x->type);
387 }
388 security_xfrm_state_free(x);
389 kfree(x);
390 }
391
392 static void xfrm_state_gc_task(struct work_struct *data)
393 {
394 struct xfrm_state *x;
395 struct hlist_node *entry, *tmp;
396 struct hlist_head gc_list;
397
398 spin_lock_bh(&xfrm_state_gc_lock);
399 gc_list.first = xfrm_state_gc_list.first;
400 INIT_HLIST_HEAD(&xfrm_state_gc_list);
401 spin_unlock_bh(&xfrm_state_gc_lock);
402
403 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst)
404 xfrm_state_gc_destroy(x);
405
406 wake_up(&km_waitq);
407 }
408
409 static inline unsigned long make_jiffies(long secs)
410 {
411 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
412 return MAX_SCHEDULE_TIMEOUT-1;
413 else
414 return secs*HZ;
415 }
416
417 static void xfrm_timer_handler(unsigned long data)
418 {
419 struct xfrm_state *x = (struct xfrm_state*)data;
420 unsigned long now = get_seconds();
421 long next = LONG_MAX;
422 int warn = 0;
423 int err = 0;
424
425 spin_lock(&x->lock);
426 if (x->km.state == XFRM_STATE_DEAD)
427 goto out;
428 if (x->km.state == XFRM_STATE_EXPIRED)
429 goto expired;
430 if (x->lft.hard_add_expires_seconds) {
431 long tmo = x->lft.hard_add_expires_seconds +
432 x->curlft.add_time - now;
433 if (tmo <= 0)
434 goto expired;
435 if (tmo < next)
436 next = tmo;
437 }
438 if (x->lft.hard_use_expires_seconds) {
439 long tmo = x->lft.hard_use_expires_seconds +
440 (x->curlft.use_time ? : now) - now;
441 if (tmo <= 0)
442 goto expired;
443 if (tmo < next)
444 next = tmo;
445 }
446 if (x->km.dying)
447 goto resched;
448 if (x->lft.soft_add_expires_seconds) {
449 long tmo = x->lft.soft_add_expires_seconds +
450 x->curlft.add_time - now;
451 if (tmo <= 0)
452 warn = 1;
453 else if (tmo < next)
454 next = tmo;
455 }
456 if (x->lft.soft_use_expires_seconds) {
457 long tmo = x->lft.soft_use_expires_seconds +
458 (x->curlft.use_time ? : now) - now;
459 if (tmo <= 0)
460 warn = 1;
461 else if (tmo < next)
462 next = tmo;
463 }
464
465 x->km.dying = warn;
466 if (warn)
467 km_state_expired(x, 0, 0);
468 resched:
469 if (next != LONG_MAX)
470 mod_timer(&x->timer, jiffies + make_jiffies(next));
471
472 goto out;
473
474 expired:
475 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
476 x->km.state = XFRM_STATE_EXPIRED;
477 wake_up(&km_waitq);
478 next = 2;
479 goto resched;
480 }
481
482 err = __xfrm_state_delete(x);
483 if (!err && x->id.spi)
484 km_state_expired(x, 1, 0);
485
486 xfrm_audit_state_delete(x, err ? 0 : 1,
487 audit_get_loginuid(current->audit_context), 0);
488
489 out:
490 spin_unlock(&x->lock);
491 }
492
493 static void xfrm_replay_timer_handler(unsigned long data);
494
495 struct xfrm_state *xfrm_state_alloc(void)
496 {
497 struct xfrm_state *x;
498
499 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
500
501 if (x) {
502 atomic_set(&x->refcnt, 1);
503 atomic_set(&x->tunnel_users, 0);
504 INIT_HLIST_NODE(&x->bydst);
505 INIT_HLIST_NODE(&x->bysrc);
506 INIT_HLIST_NODE(&x->byspi);
507 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
508 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
509 (unsigned long)x);
510 x->curlft.add_time = get_seconds();
511 x->lft.soft_byte_limit = XFRM_INF;
512 x->lft.soft_packet_limit = XFRM_INF;
513 x->lft.hard_byte_limit = XFRM_INF;
514 x->lft.hard_packet_limit = XFRM_INF;
515 x->replay_maxage = 0;
516 x->replay_maxdiff = 0;
517 spin_lock_init(&x->lock);
518 }
519 return x;
520 }
521 EXPORT_SYMBOL(xfrm_state_alloc);
522
523 void __xfrm_state_destroy(struct xfrm_state *x)
524 {
525 BUG_TRAP(x->km.state == XFRM_STATE_DEAD);
526
527 spin_lock_bh(&xfrm_state_gc_lock);
528 hlist_add_head(&x->bydst, &xfrm_state_gc_list);
529 spin_unlock_bh(&xfrm_state_gc_lock);
530 schedule_work(&xfrm_state_gc_work);
531 }
532 EXPORT_SYMBOL(__xfrm_state_destroy);
533
534 int __xfrm_state_delete(struct xfrm_state *x)
535 {
536 int err = -ESRCH;
537
538 if (x->km.state != XFRM_STATE_DEAD) {
539 x->km.state = XFRM_STATE_DEAD;
540 spin_lock(&xfrm_state_lock);
541 hlist_del(&x->bydst);
542 hlist_del(&x->bysrc);
543 if (x->id.spi)
544 hlist_del(&x->byspi);
545 xfrm_state_num--;
546 spin_unlock(&xfrm_state_lock);
547
548 /* All xfrm_state objects are created by xfrm_state_alloc.
549 * The xfrm_state_alloc call gives a reference, and that
550 * is what we are dropping here.
551 */
552 xfrm_state_put(x);
553 err = 0;
554 }
555
556 return err;
557 }
558 EXPORT_SYMBOL(__xfrm_state_delete);
559
560 int xfrm_state_delete(struct xfrm_state *x)
561 {
562 int err;
563
564 spin_lock_bh(&x->lock);
565 err = __xfrm_state_delete(x);
566 spin_unlock_bh(&x->lock);
567
568 return err;
569 }
570 EXPORT_SYMBOL(xfrm_state_delete);
571
572 #ifdef CONFIG_SECURITY_NETWORK_XFRM
573 static inline int
574 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
575 {
576 int i, err = 0;
577
578 for (i = 0; i <= xfrm_state_hmask; i++) {
579 struct hlist_node *entry;
580 struct xfrm_state *x;
581
582 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
583 if (xfrm_id_proto_match(x->id.proto, proto) &&
584 (err = security_xfrm_state_delete(x)) != 0) {
585 xfrm_audit_state_delete(x, 0,
586 audit_info->loginuid,
587 audit_info->secid);
588 return err;
589 }
590 }
591 }
592
593 return err;
594 }
595 #else
596 static inline int
597 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info)
598 {
599 return 0;
600 }
601 #endif
602
603 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info)
604 {
605 int i, err = 0;
606
607 spin_lock_bh(&xfrm_state_lock);
608 err = xfrm_state_flush_secctx_check(proto, audit_info);
609 if (err)
610 goto out;
611
612 for (i = 0; i <= xfrm_state_hmask; i++) {
613 struct hlist_node *entry;
614 struct xfrm_state *x;
615 restart:
616 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
617 if (!xfrm_state_kern(x) &&
618 xfrm_id_proto_match(x->id.proto, proto)) {
619 xfrm_state_hold(x);
620 spin_unlock_bh(&xfrm_state_lock);
621
622 err = xfrm_state_delete(x);
623 xfrm_audit_state_delete(x, err ? 0 : 1,
624 audit_info->loginuid,
625 audit_info->secid);
626 xfrm_state_put(x);
627
628 spin_lock_bh(&xfrm_state_lock);
629 goto restart;
630 }
631 }
632 }
633 err = 0;
634
635 out:
636 spin_unlock_bh(&xfrm_state_lock);
637 wake_up(&km_waitq);
638 return err;
639 }
640 EXPORT_SYMBOL(xfrm_state_flush);
641
642 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
643 {
644 spin_lock_bh(&xfrm_state_lock);
645 si->sadcnt = xfrm_state_num;
646 si->sadhcnt = xfrm_state_hmask;
647 si->sadhmcnt = xfrm_state_hashmax;
648 spin_unlock_bh(&xfrm_state_lock);
649 }
650 EXPORT_SYMBOL(xfrm_sad_getinfo);
651
652 static int
653 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
654 struct xfrm_tmpl *tmpl,
655 xfrm_address_t *daddr, xfrm_address_t *saddr,
656 unsigned short family)
657 {
658 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
659 if (!afinfo)
660 return -1;
661 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
662 xfrm_state_put_afinfo(afinfo);
663 return 0;
664 }
665
666 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
667 {
668 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family);
669 struct xfrm_state *x;
670 struct hlist_node *entry;
671
672 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) {
673 if (x->props.family != family ||
674 x->id.spi != spi ||
675 x->id.proto != proto)
676 continue;
677
678 switch (family) {
679 case AF_INET:
680 if (x->id.daddr.a4 != daddr->a4)
681 continue;
682 break;
683 case AF_INET6:
684 if (!ipv6_addr_equal((struct in6_addr *)daddr,
685 (struct in6_addr *)
686 x->id.daddr.a6))
687 continue;
688 break;
689 }
690
691 xfrm_state_hold(x);
692 return x;
693 }
694
695 return NULL;
696 }
697
698 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
699 {
700 unsigned int h = xfrm_src_hash(daddr, saddr, family);
701 struct xfrm_state *x;
702 struct hlist_node *entry;
703
704 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
705 if (x->props.family != family ||
706 x->id.proto != proto)
707 continue;
708
709 switch (family) {
710 case AF_INET:
711 if (x->id.daddr.a4 != daddr->a4 ||
712 x->props.saddr.a4 != saddr->a4)
713 continue;
714 break;
715 case AF_INET6:
716 if (!ipv6_addr_equal((struct in6_addr *)daddr,
717 (struct in6_addr *)
718 x->id.daddr.a6) ||
719 !ipv6_addr_equal((struct in6_addr *)saddr,
720 (struct in6_addr *)
721 x->props.saddr.a6))
722 continue;
723 break;
724 }
725
726 xfrm_state_hold(x);
727 return x;
728 }
729
730 return NULL;
731 }
732
733 static inline struct xfrm_state *
734 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
735 {
736 if (use_spi)
737 return __xfrm_state_lookup(&x->id.daddr, x->id.spi,
738 x->id.proto, family);
739 else
740 return __xfrm_state_lookup_byaddr(&x->id.daddr,
741 &x->props.saddr,
742 x->id.proto, family);
743 }
744
745 static void xfrm_hash_grow_check(int have_hash_collision)
746 {
747 if (have_hash_collision &&
748 (xfrm_state_hmask + 1) < xfrm_state_hashmax &&
749 xfrm_state_num > xfrm_state_hmask)
750 schedule_work(&xfrm_hash_work);
751 }
752
753 struct xfrm_state *
754 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
755 struct flowi *fl, struct xfrm_tmpl *tmpl,
756 struct xfrm_policy *pol, int *err,
757 unsigned short family)
758 {
759 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family);
760 struct hlist_node *entry;
761 struct xfrm_state *x, *x0;
762 int acquire_in_progress = 0;
763 int error = 0;
764 struct xfrm_state *best = NULL;
765
766 spin_lock_bh(&xfrm_state_lock);
767 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
768 if (x->props.family == family &&
769 x->props.reqid == tmpl->reqid &&
770 !(x->props.flags & XFRM_STATE_WILDRECV) &&
771 xfrm_state_addr_check(x, daddr, saddr, family) &&
772 tmpl->mode == x->props.mode &&
773 tmpl->id.proto == x->id.proto &&
774 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
775 /* Resolution logic:
776 1. There is a valid state with matching selector.
777 Done.
778 2. Valid state with inappropriate selector. Skip.
779
780 Entering area of "sysdeps".
781
782 3. If state is not valid, selector is temporary,
783 it selects only session which triggered
784 previous resolution. Key manager will do
785 something to install a state with proper
786 selector.
787 */
788 if (x->km.state == XFRM_STATE_VALID) {
789 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) ||
790 !security_xfrm_state_pol_flow_match(x, pol, fl))
791 continue;
792 if (!best ||
793 best->km.dying > x->km.dying ||
794 (best->km.dying == x->km.dying &&
795 best->curlft.add_time < x->curlft.add_time))
796 best = x;
797 } else if (x->km.state == XFRM_STATE_ACQ) {
798 acquire_in_progress = 1;
799 } else if (x->km.state == XFRM_STATE_ERROR ||
800 x->km.state == XFRM_STATE_EXPIRED) {
801 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
802 security_xfrm_state_pol_flow_match(x, pol, fl))
803 error = -ESRCH;
804 }
805 }
806 }
807
808 x = best;
809 if (!x && !error && !acquire_in_progress) {
810 if (tmpl->id.spi &&
811 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi,
812 tmpl->id.proto, family)) != NULL) {
813 xfrm_state_put(x0);
814 error = -EEXIST;
815 goto out;
816 }
817 x = xfrm_state_alloc();
818 if (x == NULL) {
819 error = -ENOMEM;
820 goto out;
821 }
822 /* Initialize temporary selector matching only
823 * to current session. */
824 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
825
826 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
827 if (error) {
828 x->km.state = XFRM_STATE_DEAD;
829 xfrm_state_put(x);
830 x = NULL;
831 goto out;
832 }
833
834 if (km_query(x, tmpl, pol) == 0) {
835 x->km.state = XFRM_STATE_ACQ;
836 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
837 h = xfrm_src_hash(daddr, saddr, family);
838 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
839 if (x->id.spi) {
840 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family);
841 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
842 }
843 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
844 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
845 add_timer(&x->timer);
846 xfrm_state_num++;
847 xfrm_hash_grow_check(x->bydst.next != NULL);
848 } else {
849 x->km.state = XFRM_STATE_DEAD;
850 xfrm_state_put(x);
851 x = NULL;
852 error = -ESRCH;
853 }
854 }
855 out:
856 if (x)
857 xfrm_state_hold(x);
858 else
859 *err = acquire_in_progress ? -EAGAIN : error;
860 spin_unlock_bh(&xfrm_state_lock);
861 return x;
862 }
863
864 struct xfrm_state *
865 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
866 unsigned short family, u8 mode, u8 proto, u32 reqid)
867 {
868 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
869 struct xfrm_state *rx = NULL, *x = NULL;
870 struct hlist_node *entry;
871
872 spin_lock(&xfrm_state_lock);
873 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
874 if (x->props.family == family &&
875 x->props.reqid == reqid &&
876 !(x->props.flags & XFRM_STATE_WILDRECV) &&
877 xfrm_state_addr_check(x, daddr, saddr, family) &&
878 mode == x->props.mode &&
879 proto == x->id.proto &&
880 x->km.state == XFRM_STATE_VALID) {
881 rx = x;
882 break;
883 }
884 }
885
886 if (rx)
887 xfrm_state_hold(rx);
888 spin_unlock(&xfrm_state_lock);
889
890
891 return rx;
892 }
893 EXPORT_SYMBOL(xfrm_stateonly_find);
894
895 static void __xfrm_state_insert(struct xfrm_state *x)
896 {
897 unsigned int h;
898
899 x->genid = ++xfrm_state_genid;
900
901 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
902 x->props.reqid, x->props.family);
903 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
904
905 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family);
906 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
907
908 if (x->id.spi) {
909 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto,
910 x->props.family);
911
912 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
913 }
914
915 mod_timer(&x->timer, jiffies + HZ);
916 if (x->replay_maxage)
917 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
918
919 wake_up(&km_waitq);
920
921 xfrm_state_num++;
922
923 xfrm_hash_grow_check(x->bydst.next != NULL);
924 }
925
926 /* xfrm_state_lock is held */
927 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
928 {
929 unsigned short family = xnew->props.family;
930 u32 reqid = xnew->props.reqid;
931 struct xfrm_state *x;
932 struct hlist_node *entry;
933 unsigned int h;
934
935 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family);
936 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
937 if (x->props.family == family &&
938 x->props.reqid == reqid &&
939 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
940 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
941 x->genid = xfrm_state_genid;
942 }
943 }
944
945 void xfrm_state_insert(struct xfrm_state *x)
946 {
947 spin_lock_bh(&xfrm_state_lock);
948 __xfrm_state_bump_genids(x);
949 __xfrm_state_insert(x);
950 spin_unlock_bh(&xfrm_state_lock);
951 }
952 EXPORT_SYMBOL(xfrm_state_insert);
953
954 /* xfrm_state_lock is held */
955 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
956 {
957 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family);
958 struct hlist_node *entry;
959 struct xfrm_state *x;
960
961 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
962 if (x->props.reqid != reqid ||
963 x->props.mode != mode ||
964 x->props.family != family ||
965 x->km.state != XFRM_STATE_ACQ ||
966 x->id.spi != 0 ||
967 x->id.proto != proto)
968 continue;
969
970 switch (family) {
971 case AF_INET:
972 if (x->id.daddr.a4 != daddr->a4 ||
973 x->props.saddr.a4 != saddr->a4)
974 continue;
975 break;
976 case AF_INET6:
977 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
978 (struct in6_addr *)daddr) ||
979 !ipv6_addr_equal((struct in6_addr *)
980 x->props.saddr.a6,
981 (struct in6_addr *)saddr))
982 continue;
983 break;
984 }
985
986 xfrm_state_hold(x);
987 return x;
988 }
989
990 if (!create)
991 return NULL;
992
993 x = xfrm_state_alloc();
994 if (likely(x)) {
995 switch (family) {
996 case AF_INET:
997 x->sel.daddr.a4 = daddr->a4;
998 x->sel.saddr.a4 = saddr->a4;
999 x->sel.prefixlen_d = 32;
1000 x->sel.prefixlen_s = 32;
1001 x->props.saddr.a4 = saddr->a4;
1002 x->id.daddr.a4 = daddr->a4;
1003 break;
1004
1005 case AF_INET6:
1006 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1007 (struct in6_addr *)daddr);
1008 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1009 (struct in6_addr *)saddr);
1010 x->sel.prefixlen_d = 128;
1011 x->sel.prefixlen_s = 128;
1012 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1013 (struct in6_addr *)saddr);
1014 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1015 (struct in6_addr *)daddr);
1016 break;
1017 }
1018
1019 x->km.state = XFRM_STATE_ACQ;
1020 x->id.proto = proto;
1021 x->props.family = family;
1022 x->props.mode = mode;
1023 x->props.reqid = reqid;
1024 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
1025 xfrm_state_hold(x);
1026 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1027 add_timer(&x->timer);
1028 hlist_add_head(&x->bydst, xfrm_state_bydst+h);
1029 h = xfrm_src_hash(daddr, saddr, family);
1030 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h);
1031
1032 xfrm_state_num++;
1033
1034 xfrm_hash_grow_check(x->bydst.next != NULL);
1035 }
1036
1037 return x;
1038 }
1039
1040 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq);
1041
1042 int xfrm_state_add(struct xfrm_state *x)
1043 {
1044 struct xfrm_state *x1;
1045 int family;
1046 int err;
1047 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1048
1049 family = x->props.family;
1050
1051 spin_lock_bh(&xfrm_state_lock);
1052
1053 x1 = __xfrm_state_locate(x, use_spi, family);
1054 if (x1) {
1055 xfrm_state_put(x1);
1056 x1 = NULL;
1057 err = -EEXIST;
1058 goto out;
1059 }
1060
1061 if (use_spi && x->km.seq) {
1062 x1 = __xfrm_find_acq_byseq(x->km.seq);
1063 if (x1 && ((x1->id.proto != x->id.proto) ||
1064 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
1065 xfrm_state_put(x1);
1066 x1 = NULL;
1067 }
1068 }
1069
1070 if (use_spi && !x1)
1071 x1 = __find_acq_core(family, x->props.mode, x->props.reqid,
1072 x->id.proto,
1073 &x->id.daddr, &x->props.saddr, 0);
1074
1075 __xfrm_state_bump_genids(x);
1076 __xfrm_state_insert(x);
1077 err = 0;
1078
1079 out:
1080 spin_unlock_bh(&xfrm_state_lock);
1081
1082 if (x1) {
1083 xfrm_state_delete(x1);
1084 xfrm_state_put(x1);
1085 }
1086
1087 return err;
1088 }
1089 EXPORT_SYMBOL(xfrm_state_add);
1090
1091 #ifdef CONFIG_XFRM_MIGRATE
1092 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
1093 {
1094 int err = -ENOMEM;
1095 struct xfrm_state *x = xfrm_state_alloc();
1096 if (!x)
1097 goto error;
1098
1099 memcpy(&x->id, &orig->id, sizeof(x->id));
1100 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1101 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1102 x->props.mode = orig->props.mode;
1103 x->props.replay_window = orig->props.replay_window;
1104 x->props.reqid = orig->props.reqid;
1105 x->props.family = orig->props.family;
1106 x->props.saddr = orig->props.saddr;
1107
1108 if (orig->aalg) {
1109 x->aalg = xfrm_algo_clone(orig->aalg);
1110 if (!x->aalg)
1111 goto error;
1112 }
1113 x->props.aalgo = orig->props.aalgo;
1114
1115 if (orig->ealg) {
1116 x->ealg = xfrm_algo_clone(orig->ealg);
1117 if (!x->ealg)
1118 goto error;
1119 }
1120 x->props.ealgo = orig->props.ealgo;
1121
1122 if (orig->calg) {
1123 x->calg = xfrm_algo_clone(orig->calg);
1124 if (!x->calg)
1125 goto error;
1126 }
1127 x->props.calgo = orig->props.calgo;
1128
1129 if (orig->encap) {
1130 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1131 if (!x->encap)
1132 goto error;
1133 }
1134
1135 if (orig->coaddr) {
1136 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1137 GFP_KERNEL);
1138 if (!x->coaddr)
1139 goto error;
1140 }
1141
1142 err = xfrm_init_state(x);
1143 if (err)
1144 goto error;
1145
1146 x->props.flags = orig->props.flags;
1147
1148 x->curlft.add_time = orig->curlft.add_time;
1149 x->km.state = orig->km.state;
1150 x->km.seq = orig->km.seq;
1151
1152 return x;
1153
1154 error:
1155 if (errp)
1156 *errp = err;
1157 if (x) {
1158 kfree(x->aalg);
1159 kfree(x->ealg);
1160 kfree(x->calg);
1161 kfree(x->encap);
1162 kfree(x->coaddr);
1163 }
1164 kfree(x);
1165 return NULL;
1166 }
1167 EXPORT_SYMBOL(xfrm_state_clone);
1168
1169 /* xfrm_state_lock is held */
1170 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1171 {
1172 unsigned int h;
1173 struct xfrm_state *x;
1174 struct hlist_node *entry;
1175
1176 if (m->reqid) {
1177 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr,
1178 m->reqid, m->old_family);
1179 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) {
1180 if (x->props.mode != m->mode ||
1181 x->id.proto != m->proto)
1182 continue;
1183 if (m->reqid && x->props.reqid != m->reqid)
1184 continue;
1185 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1186 m->old_family) ||
1187 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1188 m->old_family))
1189 continue;
1190 xfrm_state_hold(x);
1191 return x;
1192 }
1193 } else {
1194 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr,
1195 m->old_family);
1196 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) {
1197 if (x->props.mode != m->mode ||
1198 x->id.proto != m->proto)
1199 continue;
1200 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1201 m->old_family) ||
1202 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1203 m->old_family))
1204 continue;
1205 xfrm_state_hold(x);
1206 return x;
1207 }
1208 }
1209
1210 return NULL;
1211 }
1212 EXPORT_SYMBOL(xfrm_migrate_state_find);
1213
1214 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1215 struct xfrm_migrate *m)
1216 {
1217 struct xfrm_state *xc;
1218 int err;
1219
1220 xc = xfrm_state_clone(x, &err);
1221 if (!xc)
1222 return NULL;
1223
1224 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1225 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1226
1227 /* add state */
1228 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1229 /* a care is needed when the destination address of the
1230 state is to be updated as it is a part of triplet */
1231 xfrm_state_insert(xc);
1232 } else {
1233 if ((err = xfrm_state_add(xc)) < 0)
1234 goto error;
1235 }
1236
1237 return xc;
1238 error:
1239 kfree(xc);
1240 return NULL;
1241 }
1242 EXPORT_SYMBOL(xfrm_state_migrate);
1243 #endif
1244
1245 int xfrm_state_update(struct xfrm_state *x)
1246 {
1247 struct xfrm_state *x1;
1248 int err;
1249 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1250
1251 spin_lock_bh(&xfrm_state_lock);
1252 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1253
1254 err = -ESRCH;
1255 if (!x1)
1256 goto out;
1257
1258 if (xfrm_state_kern(x1)) {
1259 xfrm_state_put(x1);
1260 err = -EEXIST;
1261 goto out;
1262 }
1263
1264 if (x1->km.state == XFRM_STATE_ACQ) {
1265 __xfrm_state_insert(x);
1266 x = NULL;
1267 }
1268 err = 0;
1269
1270 out:
1271 spin_unlock_bh(&xfrm_state_lock);
1272
1273 if (err)
1274 return err;
1275
1276 if (!x) {
1277 xfrm_state_delete(x1);
1278 xfrm_state_put(x1);
1279 return 0;
1280 }
1281
1282 err = -EINVAL;
1283 spin_lock_bh(&x1->lock);
1284 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1285 if (x->encap && x1->encap)
1286 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
1287 if (x->coaddr && x1->coaddr) {
1288 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1289 }
1290 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1291 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1292 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1293 x1->km.dying = 0;
1294
1295 mod_timer(&x1->timer, jiffies + HZ);
1296 if (x1->curlft.use_time)
1297 xfrm_state_check_expire(x1);
1298
1299 err = 0;
1300 }
1301 spin_unlock_bh(&x1->lock);
1302
1303 xfrm_state_put(x1);
1304
1305 return err;
1306 }
1307 EXPORT_SYMBOL(xfrm_state_update);
1308
1309 int xfrm_state_check_expire(struct xfrm_state *x)
1310 {
1311 if (!x->curlft.use_time)
1312 x->curlft.use_time = get_seconds();
1313
1314 if (x->km.state != XFRM_STATE_VALID)
1315 return -EINVAL;
1316
1317 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1318 x->curlft.packets >= x->lft.hard_packet_limit) {
1319 x->km.state = XFRM_STATE_EXPIRED;
1320 mod_timer(&x->timer, jiffies);
1321 return -EINVAL;
1322 }
1323
1324 if (!x->km.dying &&
1325 (x->curlft.bytes >= x->lft.soft_byte_limit ||
1326 x->curlft.packets >= x->lft.soft_packet_limit)) {
1327 x->km.dying = 1;
1328 km_state_expired(x, 0, 0);
1329 }
1330 return 0;
1331 }
1332 EXPORT_SYMBOL(xfrm_state_check_expire);
1333
1334 struct xfrm_state *
1335 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto,
1336 unsigned short family)
1337 {
1338 struct xfrm_state *x;
1339
1340 spin_lock_bh(&xfrm_state_lock);
1341 x = __xfrm_state_lookup(daddr, spi, proto, family);
1342 spin_unlock_bh(&xfrm_state_lock);
1343 return x;
1344 }
1345 EXPORT_SYMBOL(xfrm_state_lookup);
1346
1347 struct xfrm_state *
1348 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr,
1349 u8 proto, unsigned short family)
1350 {
1351 struct xfrm_state *x;
1352
1353 spin_lock_bh(&xfrm_state_lock);
1354 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family);
1355 spin_unlock_bh(&xfrm_state_lock);
1356 return x;
1357 }
1358 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1359
1360 struct xfrm_state *
1361 xfrm_find_acq(u8 mode, u32 reqid, u8 proto,
1362 xfrm_address_t *daddr, xfrm_address_t *saddr,
1363 int create, unsigned short family)
1364 {
1365 struct xfrm_state *x;
1366
1367 spin_lock_bh(&xfrm_state_lock);
1368 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create);
1369 spin_unlock_bh(&xfrm_state_lock);
1370
1371 return x;
1372 }
1373 EXPORT_SYMBOL(xfrm_find_acq);
1374
1375 #ifdef CONFIG_XFRM_SUB_POLICY
1376 int
1377 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1378 unsigned short family)
1379 {
1380 int err = 0;
1381 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1382 if (!afinfo)
1383 return -EAFNOSUPPORT;
1384
1385 spin_lock_bh(&xfrm_state_lock);
1386 if (afinfo->tmpl_sort)
1387 err = afinfo->tmpl_sort(dst, src, n);
1388 spin_unlock_bh(&xfrm_state_lock);
1389 xfrm_state_put_afinfo(afinfo);
1390 return err;
1391 }
1392 EXPORT_SYMBOL(xfrm_tmpl_sort);
1393
1394 int
1395 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1396 unsigned short family)
1397 {
1398 int err = 0;
1399 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1400 if (!afinfo)
1401 return -EAFNOSUPPORT;
1402
1403 spin_lock_bh(&xfrm_state_lock);
1404 if (afinfo->state_sort)
1405 err = afinfo->state_sort(dst, src, n);
1406 spin_unlock_bh(&xfrm_state_lock);
1407 xfrm_state_put_afinfo(afinfo);
1408 return err;
1409 }
1410 EXPORT_SYMBOL(xfrm_state_sort);
1411 #endif
1412
1413 /* Silly enough, but I'm lazy to build resolution list */
1414
1415 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq)
1416 {
1417 int i;
1418
1419 for (i = 0; i <= xfrm_state_hmask; i++) {
1420 struct hlist_node *entry;
1421 struct xfrm_state *x;
1422
1423 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1424 if (x->km.seq == seq &&
1425 x->km.state == XFRM_STATE_ACQ) {
1426 xfrm_state_hold(x);
1427 return x;
1428 }
1429 }
1430 }
1431 return NULL;
1432 }
1433
1434 struct xfrm_state *xfrm_find_acq_byseq(u32 seq)
1435 {
1436 struct xfrm_state *x;
1437
1438 spin_lock_bh(&xfrm_state_lock);
1439 x = __xfrm_find_acq_byseq(seq);
1440 spin_unlock_bh(&xfrm_state_lock);
1441 return x;
1442 }
1443 EXPORT_SYMBOL(xfrm_find_acq_byseq);
1444
1445 u32 xfrm_get_acqseq(void)
1446 {
1447 u32 res;
1448 static u32 acqseq;
1449 static DEFINE_SPINLOCK(acqseq_lock);
1450
1451 spin_lock_bh(&acqseq_lock);
1452 res = (++acqseq ? : ++acqseq);
1453 spin_unlock_bh(&acqseq_lock);
1454 return res;
1455 }
1456 EXPORT_SYMBOL(xfrm_get_acqseq);
1457
1458 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1459 {
1460 unsigned int h;
1461 struct xfrm_state *x0;
1462 int err = -ENOENT;
1463 __be32 minspi = htonl(low);
1464 __be32 maxspi = htonl(high);
1465
1466 spin_lock_bh(&x->lock);
1467 if (x->km.state == XFRM_STATE_DEAD)
1468 goto unlock;
1469
1470 err = 0;
1471 if (x->id.spi)
1472 goto unlock;
1473
1474 err = -ENOENT;
1475
1476 if (minspi == maxspi) {
1477 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family);
1478 if (x0) {
1479 xfrm_state_put(x0);
1480 goto unlock;
1481 }
1482 x->id.spi = minspi;
1483 } else {
1484 u32 spi = 0;
1485 for (h=0; h<high-low+1; h++) {
1486 spi = low + net_random()%(high-low+1);
1487 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1488 if (x0 == NULL) {
1489 x->id.spi = htonl(spi);
1490 break;
1491 }
1492 xfrm_state_put(x0);
1493 }
1494 }
1495 if (x->id.spi) {
1496 spin_lock_bh(&xfrm_state_lock);
1497 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1498 hlist_add_head(&x->byspi, xfrm_state_byspi+h);
1499 spin_unlock_bh(&xfrm_state_lock);
1500
1501 err = 0;
1502 }
1503
1504 unlock:
1505 spin_unlock_bh(&x->lock);
1506
1507 return err;
1508 }
1509 EXPORT_SYMBOL(xfrm_alloc_spi);
1510
1511 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*),
1512 void *data)
1513 {
1514 int i;
1515 struct xfrm_state *x, *last = NULL;
1516 struct hlist_node *entry;
1517 int count = 0;
1518 int err = 0;
1519
1520 spin_lock_bh(&xfrm_state_lock);
1521 for (i = 0; i <= xfrm_state_hmask; i++) {
1522 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
1523 if (!xfrm_id_proto_match(x->id.proto, proto))
1524 continue;
1525 if (last) {
1526 err = func(last, count, data);
1527 if (err)
1528 goto out;
1529 }
1530 last = x;
1531 count++;
1532 }
1533 }
1534 if (count == 0) {
1535 err = -ENOENT;
1536 goto out;
1537 }
1538 err = func(last, 0, data);
1539 out:
1540 spin_unlock_bh(&xfrm_state_lock);
1541 return err;
1542 }
1543 EXPORT_SYMBOL(xfrm_state_walk);
1544
1545
1546 void xfrm_replay_notify(struct xfrm_state *x, int event)
1547 {
1548 struct km_event c;
1549 /* we send notify messages in case
1550 * 1. we updated on of the sequence numbers, and the seqno difference
1551 * is at least x->replay_maxdiff, in this case we also update the
1552 * timeout of our timer function
1553 * 2. if x->replay_maxage has elapsed since last update,
1554 * and there were changes
1555 *
1556 * The state structure must be locked!
1557 */
1558
1559 switch (event) {
1560 case XFRM_REPLAY_UPDATE:
1561 if (x->replay_maxdiff &&
1562 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
1563 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1564 if (x->xflags & XFRM_TIME_DEFER)
1565 event = XFRM_REPLAY_TIMEOUT;
1566 else
1567 return;
1568 }
1569
1570 break;
1571
1572 case XFRM_REPLAY_TIMEOUT:
1573 if ((x->replay.seq == x->preplay.seq) &&
1574 (x->replay.bitmap == x->preplay.bitmap) &&
1575 (x->replay.oseq == x->preplay.oseq)) {
1576 x->xflags |= XFRM_TIME_DEFER;
1577 return;
1578 }
1579
1580 break;
1581 }
1582
1583 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1584 c.event = XFRM_MSG_NEWAE;
1585 c.data.aevent = event;
1586 km_state_notify(x, &c);
1587
1588 if (x->replay_maxage &&
1589 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
1590 x->xflags &= ~XFRM_TIME_DEFER;
1591 }
1592
1593 static void xfrm_replay_timer_handler(unsigned long data)
1594 {
1595 struct xfrm_state *x = (struct xfrm_state*)data;
1596
1597 spin_lock(&x->lock);
1598
1599 if (x->km.state == XFRM_STATE_VALID) {
1600 if (xfrm_aevent_is_on())
1601 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1602 else
1603 x->xflags |= XFRM_TIME_DEFER;
1604 }
1605
1606 spin_unlock(&x->lock);
1607 }
1608
1609 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq)
1610 {
1611 u32 diff;
1612 u32 seq = ntohl(net_seq);
1613
1614 if (unlikely(seq == 0))
1615 return -EINVAL;
1616
1617 if (likely(seq > x->replay.seq))
1618 return 0;
1619
1620 diff = x->replay.seq - seq;
1621 if (diff >= min_t(unsigned int, x->props.replay_window,
1622 sizeof(x->replay.bitmap) * 8)) {
1623 x->stats.replay_window++;
1624 return -EINVAL;
1625 }
1626
1627 if (x->replay.bitmap & (1U << diff)) {
1628 x->stats.replay++;
1629 return -EINVAL;
1630 }
1631 return 0;
1632 }
1633 EXPORT_SYMBOL(xfrm_replay_check);
1634
1635 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1636 {
1637 u32 diff;
1638 u32 seq = ntohl(net_seq);
1639
1640 if (seq > x->replay.seq) {
1641 diff = seq - x->replay.seq;
1642 if (diff < x->props.replay_window)
1643 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1644 else
1645 x->replay.bitmap = 1;
1646 x->replay.seq = seq;
1647 } else {
1648 diff = x->replay.seq - seq;
1649 x->replay.bitmap |= (1U << diff);
1650 }
1651
1652 if (xfrm_aevent_is_on())
1653 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1654 }
1655 EXPORT_SYMBOL(xfrm_replay_advance);
1656
1657 static LIST_HEAD(xfrm_km_list);
1658 static DEFINE_RWLOCK(xfrm_km_lock);
1659
1660 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1661 {
1662 struct xfrm_mgr *km;
1663
1664 read_lock(&xfrm_km_lock);
1665 list_for_each_entry(km, &xfrm_km_list, list)
1666 if (km->notify_policy)
1667 km->notify_policy(xp, dir, c);
1668 read_unlock(&xfrm_km_lock);
1669 }
1670
1671 void km_state_notify(struct xfrm_state *x, struct km_event *c)
1672 {
1673 struct xfrm_mgr *km;
1674 read_lock(&xfrm_km_lock);
1675 list_for_each_entry(km, &xfrm_km_list, list)
1676 if (km->notify)
1677 km->notify(x, c);
1678 read_unlock(&xfrm_km_lock);
1679 }
1680
1681 EXPORT_SYMBOL(km_policy_notify);
1682 EXPORT_SYMBOL(km_state_notify);
1683
1684 void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
1685 {
1686 struct km_event c;
1687
1688 c.data.hard = hard;
1689 c.pid = pid;
1690 c.event = XFRM_MSG_EXPIRE;
1691 km_state_notify(x, &c);
1692
1693 if (hard)
1694 wake_up(&km_waitq);
1695 }
1696
1697 EXPORT_SYMBOL(km_state_expired);
1698 /*
1699 * We send to all registered managers regardless of failure
1700 * We are happy with one success
1701 */
1702 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1703 {
1704 int err = -EINVAL, acqret;
1705 struct xfrm_mgr *km;
1706
1707 read_lock(&xfrm_km_lock);
1708 list_for_each_entry(km, &xfrm_km_list, list) {
1709 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1710 if (!acqret)
1711 err = acqret;
1712 }
1713 read_unlock(&xfrm_km_lock);
1714 return err;
1715 }
1716 EXPORT_SYMBOL(km_query);
1717
1718 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1719 {
1720 int err = -EINVAL;
1721 struct xfrm_mgr *km;
1722
1723 read_lock(&xfrm_km_lock);
1724 list_for_each_entry(km, &xfrm_km_list, list) {
1725 if (km->new_mapping)
1726 err = km->new_mapping(x, ipaddr, sport);
1727 if (!err)
1728 break;
1729 }
1730 read_unlock(&xfrm_km_lock);
1731 return err;
1732 }
1733 EXPORT_SYMBOL(km_new_mapping);
1734
1735 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1736 {
1737 struct km_event c;
1738
1739 c.data.hard = hard;
1740 c.pid = pid;
1741 c.event = XFRM_MSG_POLEXPIRE;
1742 km_policy_notify(pol, dir, &c);
1743
1744 if (hard)
1745 wake_up(&km_waitq);
1746 }
1747 EXPORT_SYMBOL(km_policy_expired);
1748
1749 #ifdef CONFIG_XFRM_MIGRATE
1750 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
1751 struct xfrm_migrate *m, int num_migrate)
1752 {
1753 int err = -EINVAL;
1754 int ret;
1755 struct xfrm_mgr *km;
1756
1757 read_lock(&xfrm_km_lock);
1758 list_for_each_entry(km, &xfrm_km_list, list) {
1759 if (km->migrate) {
1760 ret = km->migrate(sel, dir, type, m, num_migrate);
1761 if (!ret)
1762 err = ret;
1763 }
1764 }
1765 read_unlock(&xfrm_km_lock);
1766 return err;
1767 }
1768 EXPORT_SYMBOL(km_migrate);
1769 #endif
1770
1771 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1772 {
1773 int err = -EINVAL;
1774 int ret;
1775 struct xfrm_mgr *km;
1776
1777 read_lock(&xfrm_km_lock);
1778 list_for_each_entry(km, &xfrm_km_list, list) {
1779 if (km->report) {
1780 ret = km->report(proto, sel, addr);
1781 if (!ret)
1782 err = ret;
1783 }
1784 }
1785 read_unlock(&xfrm_km_lock);
1786 return err;
1787 }
1788 EXPORT_SYMBOL(km_report);
1789
1790 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1791 {
1792 int err;
1793 u8 *data;
1794 struct xfrm_mgr *km;
1795 struct xfrm_policy *pol = NULL;
1796
1797 if (optlen <= 0 || optlen > PAGE_SIZE)
1798 return -EMSGSIZE;
1799
1800 data = kmalloc(optlen, GFP_KERNEL);
1801 if (!data)
1802 return -ENOMEM;
1803
1804 err = -EFAULT;
1805 if (copy_from_user(data, optval, optlen))
1806 goto out;
1807
1808 err = -EINVAL;
1809 read_lock(&xfrm_km_lock);
1810 list_for_each_entry(km, &xfrm_km_list, list) {
1811 pol = km->compile_policy(sk, optname, data,
1812 optlen, &err);
1813 if (err >= 0)
1814 break;
1815 }
1816 read_unlock(&xfrm_km_lock);
1817
1818 if (err >= 0) {
1819 xfrm_sk_policy_insert(sk, err, pol);
1820 xfrm_pol_put(pol);
1821 err = 0;
1822 }
1823
1824 out:
1825 kfree(data);
1826 return err;
1827 }
1828 EXPORT_SYMBOL(xfrm_user_policy);
1829
1830 int xfrm_register_km(struct xfrm_mgr *km)
1831 {
1832 write_lock_bh(&xfrm_km_lock);
1833 list_add_tail(&km->list, &xfrm_km_list);
1834 write_unlock_bh(&xfrm_km_lock);
1835 return 0;
1836 }
1837 EXPORT_SYMBOL(xfrm_register_km);
1838
1839 int xfrm_unregister_km(struct xfrm_mgr *km)
1840 {
1841 write_lock_bh(&xfrm_km_lock);
1842 list_del(&km->list);
1843 write_unlock_bh(&xfrm_km_lock);
1844 return 0;
1845 }
1846 EXPORT_SYMBOL(xfrm_unregister_km);
1847
1848 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1849 {
1850 int err = 0;
1851 if (unlikely(afinfo == NULL))
1852 return -EINVAL;
1853 if (unlikely(afinfo->family >= NPROTO))
1854 return -EAFNOSUPPORT;
1855 write_lock_bh(&xfrm_state_afinfo_lock);
1856 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1857 err = -ENOBUFS;
1858 else
1859 xfrm_state_afinfo[afinfo->family] = afinfo;
1860 write_unlock_bh(&xfrm_state_afinfo_lock);
1861 return err;
1862 }
1863 EXPORT_SYMBOL(xfrm_state_register_afinfo);
1864
1865 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1866 {
1867 int err = 0;
1868 if (unlikely(afinfo == NULL))
1869 return -EINVAL;
1870 if (unlikely(afinfo->family >= NPROTO))
1871 return -EAFNOSUPPORT;
1872 write_lock_bh(&xfrm_state_afinfo_lock);
1873 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1874 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1875 err = -EINVAL;
1876 else
1877 xfrm_state_afinfo[afinfo->family] = NULL;
1878 }
1879 write_unlock_bh(&xfrm_state_afinfo_lock);
1880 return err;
1881 }
1882 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1883
1884 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1885 {
1886 struct xfrm_state_afinfo *afinfo;
1887 if (unlikely(family >= NPROTO))
1888 return NULL;
1889 read_lock(&xfrm_state_afinfo_lock);
1890 afinfo = xfrm_state_afinfo[family];
1891 if (unlikely(!afinfo))
1892 read_unlock(&xfrm_state_afinfo_lock);
1893 return afinfo;
1894 }
1895
1896 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
1897 {
1898 read_unlock(&xfrm_state_afinfo_lock);
1899 }
1900
1901 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1902 void xfrm_state_delete_tunnel(struct xfrm_state *x)
1903 {
1904 if (x->tunnel) {
1905 struct xfrm_state *t = x->tunnel;
1906
1907 if (atomic_read(&t->tunnel_users) == 2)
1908 xfrm_state_delete(t);
1909 atomic_dec(&t->tunnel_users);
1910 xfrm_state_put(t);
1911 x->tunnel = NULL;
1912 }
1913 }
1914 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1915
1916 int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1917 {
1918 int res;
1919
1920 spin_lock_bh(&x->lock);
1921 if (x->km.state == XFRM_STATE_VALID &&
1922 x->type && x->type->get_mtu)
1923 res = x->type->get_mtu(x, mtu);
1924 else
1925 res = mtu - x->props.header_len;
1926 spin_unlock_bh(&x->lock);
1927 return res;
1928 }
1929
1930 int xfrm_init_state(struct xfrm_state *x)
1931 {
1932 struct xfrm_state_afinfo *afinfo;
1933 int family = x->props.family;
1934 int err;
1935
1936 err = -EAFNOSUPPORT;
1937 afinfo = xfrm_state_get_afinfo(family);
1938 if (!afinfo)
1939 goto error;
1940
1941 err = 0;
1942 if (afinfo->init_flags)
1943 err = afinfo->init_flags(x);
1944
1945 xfrm_state_put_afinfo(afinfo);
1946
1947 if (err)
1948 goto error;
1949
1950 err = -EPROTONOSUPPORT;
1951 x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
1952 if (x->inner_mode == NULL)
1953 goto error;
1954
1955 if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
1956 family != x->sel.family)
1957 goto error;
1958
1959 x->type = xfrm_get_type(x->id.proto, family);
1960 if (x->type == NULL)
1961 goto error;
1962
1963 err = x->type->init_state(x);
1964 if (err)
1965 goto error;
1966
1967 x->outer_mode = xfrm_get_mode(x->props.mode, family);
1968 if (x->outer_mode == NULL)
1969 goto error;
1970
1971 x->km.state = XFRM_STATE_VALID;
1972
1973 error:
1974 return err;
1975 }
1976
1977 EXPORT_SYMBOL(xfrm_init_state);
1978
1979 void __init xfrm_state_init(void)
1980 {
1981 unsigned int sz;
1982
1983 sz = sizeof(struct hlist_head) * 8;
1984
1985 xfrm_state_bydst = xfrm_hash_alloc(sz);
1986 xfrm_state_bysrc = xfrm_hash_alloc(sz);
1987 xfrm_state_byspi = xfrm_hash_alloc(sz);
1988 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi)
1989 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes.");
1990 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1991
1992 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
1993 }
1994
1995 #ifdef CONFIG_AUDITSYSCALL
1996 static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
1997 struct audit_buffer *audit_buf)
1998 {
1999 if (x->security)
2000 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
2001 x->security->ctx_alg, x->security->ctx_doi,
2002 x->security->ctx_str);
2003
2004 switch(x->props.family) {
2005 case AF_INET:
2006 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
2007 NIPQUAD(x->props.saddr.a4),
2008 NIPQUAD(x->id.daddr.a4));
2009 break;
2010 case AF_INET6:
2011 {
2012 struct in6_addr saddr6, daddr6;
2013
2014 memcpy(&saddr6, x->props.saddr.a6,
2015 sizeof(struct in6_addr));
2016 memcpy(&daddr6, x->id.daddr.a6,
2017 sizeof(struct in6_addr));
2018 audit_log_format(audit_buf,
2019 " src=" NIP6_FMT " dst=" NIP6_FMT,
2020 NIP6(saddr6), NIP6(daddr6));
2021 }
2022 break;
2023 }
2024 }
2025
2026 void
2027 xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
2028 {
2029 struct audit_buffer *audit_buf;
2030 u32 spi;
2031 extern int audit_enabled;
2032
2033 if (audit_enabled == 0)
2034 return;
2035 audit_buf = xfrm_audit_start(auid, sid);
2036 if (audit_buf == NULL)
2037 return;
2038 audit_log_format(audit_buf, " op=SAD-add res=%u",result);
2039 xfrm_audit_common_stateinfo(x, audit_buf);
2040 spi = ntohl(x->id.spi);
2041 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2042 audit_log_end(audit_buf);
2043 }
2044 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2045
2046 void
2047 xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
2048 {
2049 struct audit_buffer *audit_buf;
2050 u32 spi;
2051 extern int audit_enabled;
2052
2053 if (audit_enabled == 0)
2054 return;
2055 audit_buf = xfrm_audit_start(auid, sid);
2056 if (audit_buf == NULL)
2057 return;
2058 audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
2059 xfrm_audit_common_stateinfo(x, audit_buf);
2060 spi = ntohl(x->id.spi);
2061 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2062 audit_log_end(audit_buf);
2063 }
2064 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
2065 #endif /* CONFIG_AUDITSYSCALL */
Linux kernel - Deliverables
This page took 0.101846 seconds and 5 git commands to generate.