1. 09 Feb, 2017 3 commits
  2. 04 Jan, 2017 1 commit
  3. 18 Nov, 2016 1 commit
  4. 10 Nov, 2016 1 commit
  5. 24 Aug, 2016 1 commit
  6. 12 Aug, 2016 8 commits
  7. 29 Jul, 2016 1 commit
    • xfrm: Ignore socket policies when rebuilding hash tables · 6916fb3b
      Tobias Brunner committed on
      Whenever thresholds are changed the hash tables are rebuilt.  This is
      done by enumerating all policies and hashing and inserting them into
      the right table according to the thresholds and direction.
      
      Because socket policies are also contained in net->xfrm.policy_all but
      no hash tables are defined for their direction (dir + XFRM_POLICY_MAX)
      this causes a NULL or invalid pointer dereference after returning from
      policy_hash_bysel() if the rebuild is done while any socket policies
      are installed.
      
      Since the rebuild after changing thresholds is scheduled this crash
      could even occur if the userland sets thresholds seemingly before
      installing any socket policies.
      
      Fixes: 53c2e285 ("xfrm: Do not hash socket policies")
      Signed-off-by: Tobias Brunner <tobias@strongswan.org>
      Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  8. 12 Dec, 2015 2 commits
  9. 08 Dec, 2015 1 commit
  10. 03 Nov, 2015 1 commit
    • xfrm: dst_entries_init() per-net dst_ops · a8a572a6
      Dan Streetman committed on
      Remove the dst_entries_init/destroy calls for xfrm4 and xfrm6 dst_ops
      templates; their dst_entries counters will never be used.  Move the
      xfrm dst_ops initialization from the common xfrm/xfrm_policy.c to
      xfrm4/xfrm4_policy.c and xfrm6/xfrm6_policy.c, and call dst_entries_init
      and dst_entries_destroy for each net namespace.
      
      The ipv4 and ipv6 xfrms each create a dst_ops template, and perform
      dst_entries_init on the templates.  The template values are copied to each
      net namespace's xfrm.xfrm*_dst_ops.  The problem there is the dst_ops
      pcpuc_entries field is a percpu counter and cannot be used correctly by
      simply copying it to another object.
      
      The result of this is a very subtle bug; changes to the dst entries
      counter from one net namespace may sometimes get applied to a different
      net namespace dst entries counter.  This is because of how the percpu
      counter works; it has a main count field as well as a pointer to the
      percpu variables.  Each net namespace maintains its own main count
      variable, but all point to one set of percpu variables.  When any net
      namespace happens to change one of the percpu variables to outside its
      small batch range, its count is moved to the net namespace's main count
      variable.  So with multiple net namespaces operating concurrently, the
      dst_ops entries counter can stray from the actual value that it should
      be; if counts are consistently moved from one net namespace to another
      (which my testing showed is likely), then one net namespace winds up
      with a negative dst_ops count while another winds up with a continually
      increasing count, eventually reaching its gc_thresh limit, which causes
      all new traffic on the net namespace to fail with -ENOBUFS.
      Signed-off-by: Dan Streetman <dan.streetman@canonical.com>
      Signed-off-by: Dan Streetman <ddstreet@ieee.org>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  11. 08 Oct, 2015 3 commits
  12. 26 Sep, 2015 1 commit
  13. 18 Sep, 2015 2 commits
  14. 11 Aug, 2015 1 commit
  15. 18 May, 2015 1 commit
  16. 05 May, 2015 2 commits
  17. 23 Apr, 2015 3 commits
  18. 12 Feb, 2015 1 commit
  19. 13 Nov, 2014 2 commits
    • xfrm: Use __xfrm_policy_link in xfrm_policy_insert · 12bfa8bd
      Herbert Xu committed on
      For a long time we couldn't actually use __xfrm_policy_link in
      xfrm_policy_insert because the latter wanted to do hashing at
      a specific position.
      
      Now that __xfrm_policy_link no longer does hashing it can now
      be safely used in xfrm_policy_insert to kill some duplicate code,
      finally reuniting general policies with socket policies.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
    • xfrm: Do not hash socket policies · 53c2e285
      Herbert Xu committed on
      Back in 2003 when I added policy expiration, I half-heartedly
      did a clean-up and renamed xfrm_sk_policy_link/xfrm_sk_policy_unlink
      to __xfrm_policy_link/__xfrm_policy_unlink, because the latter
      could be reused for all policies.  I never actually got around
      to using __xfrm_policy_link for non-socket policies.
      
      Later on hashing was added to all xfrm policies, including socket
      policies.  In fact, we don't need hashing on socket policies at
      all since they're always looked up via a linked list.
      
      This patch restores xfrm_sk_policy_link/xfrm_sk_policy_unlink
      as wrappers around __xfrm_policy_link/__xfrm_policy_unlink so
      that it's obvious we're dealing with socket policies.
      
      This patch also removes hashing from __xfrm_policy_link as for
      now it's only used by socket policies which do not need to be
      hashed.  Ironically this will in fact allow us to use this helper
      for non-socket policies which I shall do later.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  20. 31 Oct, 2014 1 commit
  21. 27 Oct, 2014 1 commit
  22. 02 Oct, 2014 1 commit
  23. 16 Sep, 2014 1 commit