提交 0ebea8ef 编写于 作者: H Herbert Xu 提交者: David S. Miller

[IPSEC]: Move state lock into x->type->input

This patch releases the lock on the state before calling
x->type->input.  It also adds the lock to the spots where they're
currently needed.

Most of those places (all except mip6) are expected to disappear with
async crypto.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 668dc8af
...@@ -169,6 +169,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -169,6 +169,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
if (ip_clear_mutable_options(iph, &dummy)) if (ip_clear_mutable_options(iph, &dummy))
goto out; goto out;
} }
spin_lock(&x->lock);
{ {
u8 auth_data[MAX_AH_AUTH_LEN]; u8 auth_data[MAX_AH_AUTH_LEN];
...@@ -176,12 +178,16 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -176,12 +178,16 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
skb_push(skb, ihl); skb_push(skb, ihl);
err = ah_mac_digest(ahp, skb, ah->auth_data); err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err) if (err)
goto out; goto unlock;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
err = -EBADMSG; err = -EBADMSG;
goto out;
}
} }
unlock:
spin_unlock(&x->lock);
if (err)
goto out;
skb->network_header += ah_hlen; skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), work_buf, ihl); memcpy(skb_network_header(skb), work_buf, ihl);
skb->transport_header = skb->network_header; skb->transport_header = skb->network_header;
......
...@@ -171,29 +171,31 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -171,29 +171,31 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
if (elen <= 0 || (elen & (blksize-1))) if (elen <= 0 || (elen & (blksize-1)))
goto out; goto out;
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
goto out;
nfrags = err;
skb->ip_summed = CHECKSUM_NONE;
spin_lock(&x->lock);
/* If integrity check is required, do this. */ /* If integrity check is required, do this. */
if (esp->auth.icv_full_len) { if (esp->auth.icv_full_len) {
u8 sum[alen]; u8 sum[alen];
err = esp_mac_digest(esp, skb, 0, skb->len - alen); err = esp_mac_digest(esp, skb, 0, skb->len - alen);
if (err) if (err)
goto out; goto unlock;
if (skb_copy_bits(skb, skb->len - alen, sum, alen)) if (skb_copy_bits(skb, skb->len - alen, sum, alen))
BUG(); BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
err = -EBADMSG; err = -EBADMSG;
goto out; goto unlock;
} }
} }
if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
goto out;
nfrags = err;
skb->ip_summed = CHECKSUM_NONE;
esph = (struct ip_esp_hdr *)skb->data; esph = (struct ip_esp_hdr *)skb->data;
/* Get ivec. This can be wrong, check against another impls. */ /* Get ivec. This can be wrong, check against another impls. */
...@@ -206,7 +208,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -206,7 +208,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
err = -ENOMEM; err = -ENOMEM;
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg) if (!sg)
goto out; goto unlock;
} }
sg_init_table(sg, nfrags); sg_init_table(sg, nfrags);
skb_to_sgvec(skb, sg, skb_to_sgvec(skb, sg,
...@@ -215,6 +217,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -215,6 +217,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
err = crypto_blkcipher_decrypt(&desc, sg, sg, elen); err = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
if (unlikely(sg != &esp->sgbuf[0])) if (unlikely(sg != &esp->sgbuf[0]))
kfree(sg); kfree(sg);
unlock:
spin_unlock(&x->lock);
if (unlikely(err)) if (unlikely(err))
goto out; goto out;
......
...@@ -370,6 +370,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -370,6 +370,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
ip6h->flow_lbl[2] = 0; ip6h->flow_lbl[2] = 0;
ip6h->hop_limit = 0; ip6h->hop_limit = 0;
spin_lock(&x->lock);
{ {
u8 auth_data[MAX_AH_AUTH_LEN]; u8 auth_data[MAX_AH_AUTH_LEN];
...@@ -378,13 +379,17 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -378,13 +379,17 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
skb_push(skb, hdr_len); skb_push(skb, hdr_len);
err = ah_mac_digest(ahp, skb, ah->auth_data); err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err) if (err)
goto free_out; goto unlock;
if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) { if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n"); LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
err = -EBADMSG; err = -EBADMSG;
goto free_out;
} }
} }
unlock:
spin_unlock(&x->lock);
if (err)
goto free_out;
skb->network_header += ah_hlen; skb->network_header += ah_hlen;
memcpy(skb_network_header(skb), tmp_hdr, hdr_len); memcpy(skb_network_header(skb), tmp_hdr, hdr_len);
......
...@@ -165,30 +165,32 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -165,30 +165,32 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
goto out; goto out;
} }
if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
ret = -EINVAL;
goto out;
}
skb->ip_summed = CHECKSUM_NONE;
spin_lock(&x->lock);
/* If integrity check is required, do this. */ /* If integrity check is required, do this. */
if (esp->auth.icv_full_len) { if (esp->auth.icv_full_len) {
u8 sum[alen]; u8 sum[alen];
ret = esp_mac_digest(esp, skb, 0, skb->len - alen); ret = esp_mac_digest(esp, skb, 0, skb->len - alen);
if (ret) if (ret)
goto out; goto unlock;
if (skb_copy_bits(skb, skb->len - alen, sum, alen)) if (skb_copy_bits(skb, skb->len - alen, sum, alen))
BUG(); BUG();
if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) { if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
ret = -EBADMSG; ret = -EBADMSG;
goto out; goto unlock;
} }
} }
if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
ret = -EINVAL;
goto out;
}
skb->ip_summed = CHECKSUM_NONE;
esph = (struct ip_esp_hdr *)skb->data; esph = (struct ip_esp_hdr *)skb->data;
iph = ipv6_hdr(skb); iph = ipv6_hdr(skb);
...@@ -197,15 +199,13 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -197,15 +199,13 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen); crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);
{ {
u8 nexthdr[2];
struct scatterlist *sg = &esp->sgbuf[0]; struct scatterlist *sg = &esp->sgbuf[0];
u8 padlen;
if (unlikely(nfrags > ESP_NUM_FAST_SG)) { if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg) { if (!sg) {
ret = -ENOMEM; ret = -ENOMEM;
goto out; goto unlock;
} }
} }
sg_init_table(sg, nfrags); sg_init_table(sg, nfrags);
...@@ -215,8 +215,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -215,8 +215,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen); ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
if (unlikely(sg != &esp->sgbuf[0])) if (unlikely(sg != &esp->sgbuf[0]))
kfree(sg); kfree(sg);
if (unlikely(ret)) }
goto out;
unlock:
spin_unlock(&x->lock);
if (unlikely(ret))
goto out;
{
u8 nexthdr[2];
u8 padlen;
if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2)) if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
BUG(); BUG();
......
...@@ -128,12 +128,15 @@ static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb) ...@@ -128,12 +128,15 @@ static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb)
{ {
struct ipv6hdr *iph = ipv6_hdr(skb); struct ipv6hdr *iph = ipv6_hdr(skb);
struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data; struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data;
int err = destopt->nexthdr;
spin_lock(&x->lock);
if (!ipv6_addr_equal(&iph->saddr, (struct in6_addr *)x->coaddr) && if (!ipv6_addr_equal(&iph->saddr, (struct in6_addr *)x->coaddr) &&
!ipv6_addr_any((struct in6_addr *)x->coaddr)) !ipv6_addr_any((struct in6_addr *)x->coaddr))
return -ENOENT; err = -ENOENT;
spin_unlock(&x->lock);
return destopt->nexthdr; return err;
} }
/* Destination Option Header is inserted. /* Destination Option Header is inserted.
...@@ -344,12 +347,15 @@ static struct xfrm_type mip6_destopt_type = ...@@ -344,12 +347,15 @@ static struct xfrm_type mip6_destopt_type =
static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb) static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb)
{ {
struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data; struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data;
int err = rt2->rt_hdr.nexthdr;
spin_lock(&x->lock);
if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) && if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) &&
!ipv6_addr_any((struct in6_addr *)x->coaddr)) !ipv6_addr_any((struct in6_addr *)x->coaddr))
return -ENOENT; err = -ENOENT;
spin_unlock(&x->lock);
return rt2->rt_hdr.nexthdr; return err;
} }
/* Routing Header type 2 is inserted. /* Routing Header type 2 is inserted.
......
...@@ -146,7 +146,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) ...@@ -146,7 +146,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
if (xfrm_state_check_expire(x)) if (xfrm_state_check_expire(x))
goto drop_unlock; goto drop_unlock;
spin_unlock(&x->lock);
nexthdr = x->type->input(x, skb); nexthdr = x->type->input(x, skb);
spin_lock(&x->lock);
if (nexthdr <= 0) { if (nexthdr <= 0) {
if (nexthdr == -EBADMSG) if (nexthdr == -EBADMSG)
x->stats.integrity_failed++; x->stats.integrity_failed++;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册