1. 23 4月, 2019 1 次提交
  2. 08 4月, 2019 3 次提交
    • F
      xfrm: store xfrm_mode directly, not its address · c9500d7b
      Florian Westphal 提交于
      This structure is now only 4 bytes, so its more efficient
      to cache a copy rather than its address.
      
      No significant size difference in allmodconfig vmlinux.
      
      With non-modular kernel that has all XFRM options enabled, this
      series reduces vmlinux image size by ~11kb. All xfrm_mode
      indirections are gone and all modes are built-in.
      
      before (ipsec-next master):
          text      data      bss         dec   filename
      21071494   7233140 11104324    39408958   vmlinux.master
      
      after this series:
      21066448   7226772 11104324    39397544   vmlinux.patched
      
      With allmodconfig kernel, the size increase is only 362 bytes,
      even all the xfrm config options removed in this series are
      modular.
      
      before:
          text      data     bss      dec   filename
      15731286   6936912 4046908 26715106   vmlinux.master
      
      after this series:
      15731492   6937068  4046908  26715468 vmlinux
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      c9500d7b
    • F
      xfrm: make xfrm modes builtin · 4c145dce
      Florian Westphal 提交于
      after previous changes, xfrm_mode contains no function pointers anymore
      and all modules defining such struct contain no code except an init/exit
      functions to register the xfrm_mode struct with the xfrm core.
      
      Just place the xfrm modes core and remove the modules,
      the run-time xfrm_mode register/unregister functionality is removed.
      
      Before:
      
          text    data     bss      dec filename
          7523     200    2364    10087 net/xfrm/xfrm_input.o
         40003     628     440    41071 net/xfrm/xfrm_state.o
      15730338 6937080 4046908 26714326 vmlinux
      
          7389     200    2364    9953  net/xfrm/xfrm_input.o
         40574     656     440   41670  net/xfrm/xfrm_state.o
      15730084 6937068 4046908 26714060 vmlinux
      
      The xfrm*_mode_{transport,tunnel,beet} modules are gone.
      
      v2: replace CONFIG_INET6_XFRM_MODE_* IS_ENABLED guards with CONFIG_IPV6
          ones rather than removing them.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      4c145dce
    • F
      xfrm: remove afinfo pointer from xfrm_mode · 733a5fac
      Florian Westphal 提交于
      Adds an EXPORT_SYMBOL for afinfo_get_rcu, as it will now be called from
      ipv6 in case of CONFIG_IPV6=m.
      
      This change has virtually no effect on vmlinux size, but it reduces
      afinfo size and allows followup patch to make xfrm modes const.
      
      v2: mark if (afinfo) tests as likely (Sabrina)
          re-fetch afinfo according to inner_mode in xfrm_prepare_input().
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Reviewed-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      733a5fac
  3. 18 2月, 2019 1 次提交
    • T
      xfrm: Fix inbound traffic via XFRM interfaces across network namespaces · 660899dd
      Tobias Brunner 提交于
      After moving an XFRM interface to another namespace it stays associated
      with the original namespace (net in `struct xfrm_if` and the list keyed
      with `xfrmi_net_id`), allowing processes in the new namespace to use
      SAs/policies that were created in the original namespace.  For instance,
      this allows a keying daemon in one namespace to establish IPsec SAs for
      other namespaces without processes there having access to the keys or IKE
      credentials.
      
      This worked fine for outbound traffic, however, for inbound traffic the
      lookup for the interfaces and the policies used the incorrect namespace
      (the one the XFRM interface was moved to).
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: NTobias Brunner <tobias@strongswan.org>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      660899dd
  4. 16 1月, 2019 1 次提交
  5. 09 1月, 2019 5 次提交
    • F
      xfrm: policy: fix infinite loop when merging src-nodes · 12750aba
      Florian Westphal 提交于
      With very small change to test script we can trigger softlockup due to
      bogus assignment of 'p' (policy to be examined) on restart.
      
      Previously the two to-be-merged nodes had same address/prefixlength pair,
      so no erase/reinsert was necessary, we only had to append the list from
      node a to b.
      
      If prefix lengths are different, the node has to be deleted and re-inserted
      into the tree, with the updated prefix length.  This was broken; due to
      bogus update to 'p' this loops forever.
      
      Add a 'restart' label and use that instead.
      
      While at it, don't perform the unneeded reinserts of the policies that
      are already sorted into the 'new' node.
      
      A previous patch in this series made xfrm_policy_inexact_list_reinsert()
      use the relative position indicator to sort policies according to age in
      case priorities are identical.
      
      Fixes: 6ac098b2 ("xfrm: policy: add 2nd-level saddr trees for inexact policies")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      12750aba
    • F
      xfrm: policy: fix reinsertion on node merge · 1d38900c
      Florian Westphal 提交于
      "newpos" has wrong scope.  It must be NULL on each iteration of the loop.
      Otherwise, when policy is to be inserted at the start, we would instead
      insert at point found by the previous loop-iteration instead.
      
      Also, we need to unlink the policy before we reinsert it to the new node,
      else we can get next-points-to-self loops.
      
      Because policies are only ordered by priority it is irrelevant which policy
      is "more recent" except when two policies have same priority.
      (the more recent one is placed after the older one).
      
      In these cases, we can use the ->pos id number to know which one is the
      'older': the higher the id, the more recent the policy.
      
      So we only need to unlink all policies from the node that is about to be
      removed, and insert them to the replacement node.
      
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      1d38900c
    • F
      xfrm: policy: delete inexact policies from inexact list on hash rebuild · 1548bc4e
      Florian Westphal 提交于
      An xfrm hash rebuild has to reset the inexact policy list before the
      policies get re-inserted: A change of hash thresholds will result in
      policies to get moved from inexact tree to the policy hash table.
      
      If the thresholds are increased again later, they get moved from hash
      table to inexact tree.
      
      We must unlink all policies from the inexact tree before re-insertion.
      
      Otherwise 'migrate' may find policies that are in main hash table a
      second time, when it searches the inexact lists.
      
      Furthermore, re-insertion without deletion can cause elements ->next to
      point back to itself, causing soft lockups or double-frees.
      
      Reported-by: syzbot+9d971dd21eb26567036b@syzkaller.appspotmail.com
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      1548bc4e
    • F
      xfrm: policy: increment xfrm_hash_generation on hash rebuild · 7a474c36
      Florian Westphal 提交于
      Hash rebuild will re-set all the inexact entries, then re-insert them.
      Lookups that can occur in parallel will therefore not find any policies.
      
      This was safe when lookups were still guarded by rwlock.
      After rcu-ification, lookups check the hash_generation seqcount to detect
      when a hash resize takes place.  Hash rebuild missed the needed increment.
      
      Hash resizes and hash rebuilds cannot occur in parallel (both acquire
      hash_resize_mutex), so just increment xfrm_hash_generation, like resize.
      
      Fixes: a7c44247 ("xfrm: policy: make xfrm_policy_lookup_bytype lockless")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      7a474c36
    • F
      xfrm: policy: use hlist rcu variants on inexact insert, part 2 · 355b00d1
      Florian Westphal 提交于
      This function was modeled on the 'exact' insert one, which did not use
      the rcu variant either.
      
      When I fixed the 'exact' insert I forgot to propagate this to my
      development tree, so the inexact variant retained the bug.
      
      Fixes: 9cf545eb ("xfrm: policy: store inexact policies in a tree ordered by destination address")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      355b00d1
  6. 20 12月, 2018 1 次提交
  7. 19 12月, 2018 1 次提交
  8. 28 11月, 2018 1 次提交
    • F
      xfrm: policy: fix policy hash rebuild · 88584c30
      Florian Westphal 提交于
      Dan Carpenter reports following static checker warning:
       net/xfrm/xfrm_policy.c:1316 xfrm_hash_rebuild()
       warn: 'dir' is out of bounds '3' vs '2'
      
       |  1280          /* reset the bydst and inexact table in all directions */
       |  1281          xfrm_hash_reset_inexact_table(net);
       |  1282
       |  1283          for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
       |                              ^^^^^^^^^^^^^^^^^^^^^
       |dir == XFRM_POLICY_MAX at the end of this loop.
       |  1304          /* re-insert all policies by order of creation */
       |  1305          list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
       [..]
       |  1314                                            xfrm_policy_id2dir(policy->index));
       |  1315                  if (!chain) {
       |  1316                          void *p = xfrm_policy_inexact_insert(policy, dir, 0);
      
      Fix this by updating 'dir' based on current policy.  Otherwise, the
      inexact policies won't be found anymore during lookup, as they get
      hashed to a bogus bin.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: cc1bb845 ("xfrm: policy: return NULL when inexact search needed")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      88584c30
  9. 16 11月, 2018 2 次提交
  10. 09 11月, 2018 10 次提交
  11. 11 10月, 2018 1 次提交
  12. 11 9月, 2018 1 次提交
  13. 26 7月, 2018 1 次提交
  14. 20 7月, 2018 1 次提交
    • B
      xfrm: Remove xfrmi interface ID from flowi · bc56b334
      Benedict Wong 提交于
      In order to remove performance impact of having the extra u32 in every
      single flowi, this change removes the flowi_xfrm struct, prefering to
      take the if_id as a method parameter where needed.
      
      In the inbound direction, if_id is only needed during the
      __xfrm_check_policy() function, and the if_id can be determined at that
      point based on the skb. As such, xfrmi_decode_session() is only called
      with the skb in __xfrm_check_policy().
      
      In the outbound direction, the only place where if_id is needed is the
      xfrm_lookup() call in xfrmi_xmit2(). With this change, the if_id is
      directly passed into the xfrm_lookup_with_ifid() call. All existing
      callers can still call xfrm_lookup(), which uses a default if_id of 0.
      
      This change does not change any behavior of XFRMIs except for improving
      overall system performance via flowi size reduction.
      
      This change has been tested against the Android Kernel Networking Tests:
      
      https://android.googlesource.com/kernel/tests/+/master/net/testSigned-off-by: NBenedict Wong <benedictwong@google.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      bc56b334
  15. 11 7月, 2018 1 次提交
    • A
      xfrm: use time64_t for in-kernel timestamps · 386c5680
      Arnd Bergmann 提交于
      The lifetime managment uses '__u64' timestamps on the user space
      interface, but 'unsigned long' for reading the current time in the kernel
      with get_seconds().
      
      While this is probably safe beyond y2038, it will still overflow in 2106,
      and the get_seconds() call is deprecated because fo that.
      
      This changes the xfrm time handling to use time64_t consistently, along
      with reading the time using the safer ktime_get_real_seconds(). It still
      suffers from problems that can happen from a concurrent settimeofday()
      call or (to a lesser degree) a leap second update, but since the time
      stamps are part of the user API, there is nothing we can do to prevent
      that.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      386c5680
  16. 25 6月, 2018 1 次提交
    • F
      xfrm: policy: remove pcpu policy cache · e4db5b61
      Florian Westphal 提交于
      Kristian Evensen says:
        In a project I am involved in, we are running ipsec (Strongswan) on
        different mt7621-based routers. Each router is configured as an
        initiator and has around ~30 tunnels to different responders (running
        on misc. devices). Before the flow cache was removed (kernel 4.9), we
        got a combined throughput of around 70Mbit/s for all tunnels on one
        router. However, we recently switched to kernel 4.14 (4.14.48), and
        the total throughput is somewhere around 57Mbit/s (best-case). I.e., a
        drop of around 20%. Reverting the flow cache removal restores, as
        expected, performance levels to that of kernel 4.9.
      
      When pcpu xdst exists, it has to be validated first before it can be
      used.
      
      A negative hit thus increases cost vs. no-cache.
      
      As number of tunnels increases, hit rate decreases so this pcpu caching
      isn't a viable strategy.
      
      Furthermore, the xdst cache also needs to run with BH off, so when
      removing this the bh disable/enable pairs can be removed too.
      
      Kristian tested a 4.14.y backport of this change and reported
      increased performance:
      
        In our tests, the throughput reduction has been reduced from around -20%
        to -5%. We also see that the overall throughput is independent of the
        number of tunnels, while before the throughput was reduced as the number
        of tunnels increased.
      Reported-by: NKristian Evensen <kristian.evensen@gmail.com>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      e4db5b61
  17. 23 6月, 2018 4 次提交
  18. 31 5月, 2018 1 次提交
  19. 30 3月, 2018 1 次提交
  20. 28 3月, 2018 1 次提交
  21. 07 3月, 2018 1 次提交