[IPSEC]: Move state lock into x->type->input
authorHerbert Xu <herbert@gondor.apana.org.au>
Wed, 14 Nov 2007 05:45:58 +0000 (21:45 -0800)
committerDavid S. Miller <davem@davemloft.net>
Mon, 28 Jan 2008 22:53:52 +0000 (14:53 -0800)
This patch releases the lock on the state before calling
x->type->input.  It also adds the lock to the spots where they're
currently needed.

Most of those places (all except mip6) are expected to disappear with
async crypto.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ah4.c
net/ipv4/esp4.c
net/ipv6/ah6.c
net/ipv6/esp6.c
net/ipv6/mip6.c
net/xfrm/xfrm_input.c

index a989d29b44ead664be1a97148bd81515e474370c..d76803a3dcae843f1ebf07794fdd0da6c34b9498 100644 (file)
@@ -169,6 +169,8 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
                if (ip_clear_mutable_options(iph, &dummy))
                        goto out;
        }
+
+       spin_lock(&x->lock);
        {
                u8 auth_data[MAX_AH_AUTH_LEN];
 
@@ -176,12 +178,16 @@ static int ah_input(struct xfrm_state *x, struct sk_buff *skb)
                skb_push(skb, ihl);
                err = ah_mac_digest(ahp, skb, ah->auth_data);
                if (err)
-                       goto out;
-               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
+                       goto unlock;
+               if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len))
                        err = -EBADMSG;
-                       goto out;
-               }
        }
+unlock:
+       spin_unlock(&x->lock);
+
+       if (err)
+               goto out;
+
        skb->network_header += ah_hlen;
        memcpy(skb_network_header(skb), work_buf, ihl);
        skb->transport_header = skb->network_header;
index 3350a7d506699897811f0e76a45dd78ddedd2d41..28ea5c77ca238a72a424ae292c2decc622c2d70e 100644 (file)
@@ -171,29 +171,31 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        if (elen <= 0 || (elen & (blksize-1)))
                goto out;
 
+       if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
+               goto out;
+       nfrags = err;
+
+       skb->ip_summed = CHECKSUM_NONE;
+
+       spin_lock(&x->lock);
+
        /* If integrity check is required, do this. */
        if (esp->auth.icv_full_len) {
                u8 sum[alen];
 
                err = esp_mac_digest(esp, skb, 0, skb->len - alen);
                if (err)
-                       goto out;
+                       goto unlock;
 
                if (skb_copy_bits(skb, skb->len - alen, sum, alen))
                        BUG();
 
                if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
                        err = -EBADMSG;
-                       goto out;
+                       goto unlock;
                }
        }
 
-       if ((err = skb_cow_data(skb, 0, &trailer)) < 0)
-               goto out;
-       nfrags = err;
-
-       skb->ip_summed = CHECKSUM_NONE;
-
        esph = (struct ip_esp_hdr *)skb->data;
 
        /* Get ivec. This can be wrong, check against another impls. */
@@ -206,7 +208,7 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
                err = -ENOMEM;
                sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
                if (!sg)
-                       goto out;
+                       goto unlock;
        }
        sg_init_table(sg, nfrags);
        skb_to_sgvec(skb, sg,
@@ -215,6 +217,10 @@ static int esp_input(struct xfrm_state *x, struct sk_buff *skb)
        err = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
        if (unlikely(sg != &esp->sgbuf[0]))
                kfree(sg);
+
+unlock:
+       spin_unlock(&x->lock);
+
        if (unlikely(err))
                goto out;
 
index d4b59ecb0b57853b6ad03598c7f0768c0a0e9400..1b51d1eedbded106ce2adf60490636b1e23e0cb3 100644 (file)
@@ -370,6 +370,7 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
        ip6h->flow_lbl[2] = 0;
        ip6h->hop_limit   = 0;
 
+       spin_lock(&x->lock);
        {
                u8 auth_data[MAX_AH_AUTH_LEN];
 
@@ -378,13 +379,17 @@ static int ah6_input(struct xfrm_state *x, struct sk_buff *skb)
                skb_push(skb, hdr_len);
                err = ah_mac_digest(ahp, skb, ah->auth_data);
                if (err)
-                       goto free_out;
+                       goto unlock;
                if (memcmp(ahp->work_icv, auth_data, ahp->icv_trunc_len)) {
                        LIMIT_NETDEBUG(KERN_WARNING "ipsec ah authentication error\n");
                        err = -EBADMSG;
-                       goto free_out;
                }
        }
+unlock:
+       spin_unlock(&x->lock);
+
+       if (err)
+               goto free_out;
 
        skb->network_header += ah_hlen;
        memcpy(skb_network_header(skb), tmp_hdr, hdr_len);
index 096974ba642084c99360a15a27b5934e3c806b34..5bd5292ad9fa9021cf31899355db8cd60857a165 100644 (file)
@@ -165,30 +165,32 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                goto out;
        }
 
+       if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
+               ret = -EINVAL;
+               goto out;
+       }
+
+       skb->ip_summed = CHECKSUM_NONE;
+
+       spin_lock(&x->lock);
+
        /* If integrity check is required, do this. */
        if (esp->auth.icv_full_len) {
                u8 sum[alen];
 
                ret = esp_mac_digest(esp, skb, 0, skb->len - alen);
                if (ret)
-                       goto out;
+                       goto unlock;
 
                if (skb_copy_bits(skb, skb->len - alen, sum, alen))
                        BUG();
 
                if (unlikely(memcmp(esp->auth.work_icv, sum, alen))) {
                        ret = -EBADMSG;
-                       goto out;
+                       goto unlock;
                }
        }
 
-       if ((nfrags = skb_cow_data(skb, 0, &trailer)) < 0) {
-               ret = -EINVAL;
-               goto out;
-       }
-
-       skb->ip_summed = CHECKSUM_NONE;
-
        esph = (struct ip_esp_hdr *)skb->data;
        iph = ipv6_hdr(skb);
 
@@ -197,15 +199,13 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                crypto_blkcipher_set_iv(tfm, esph->enc_data, esp->conf.ivlen);
 
        {
-               u8 nexthdr[2];
                struct scatterlist *sg = &esp->sgbuf[0];
-               u8 padlen;
 
                if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
                        sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
                        if (!sg) {
                                ret = -ENOMEM;
-                               goto out;
+                               goto unlock;
                        }
                }
                sg_init_table(sg, nfrags);
@@ -215,8 +215,17 @@ static int esp6_input(struct xfrm_state *x, struct sk_buff *skb)
                ret = crypto_blkcipher_decrypt(&desc, sg, sg, elen);
                if (unlikely(sg != &esp->sgbuf[0]))
                        kfree(sg);
-               if (unlikely(ret))
-                       goto out;
+       }
+
+unlock:
+       spin_unlock(&x->lock);
+
+       if (unlikely(ret))
+               goto out;
+
+       {
+               u8 nexthdr[2];
+               u8 padlen;
 
                if (skb_copy_bits(skb, skb->len-alen-2, nexthdr, 2))
                        BUG();
index edfd9cdd721c8b283ac55e2460ed4c85d12b7fcd..49d396620eac97e42d6c4602ac178d3cdfd9f1b8 100644 (file)
@@ -128,12 +128,15 @@ static int mip6_destopt_input(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct ipv6hdr *iph = ipv6_hdr(skb);
        struct ipv6_destopt_hdr *destopt = (struct ipv6_destopt_hdr *)skb->data;
+       int err = destopt->nexthdr;
 
+       spin_lock(&x->lock);
        if (!ipv6_addr_equal(&iph->saddr, (struct in6_addr *)x->coaddr) &&
            !ipv6_addr_any((struct in6_addr *)x->coaddr))
-               return -ENOENT;
+               err = -ENOENT;
+       spin_unlock(&x->lock);
 
-       return destopt->nexthdr;
+       return err;
 }
 
 /* Destination Option Header is inserted.
@@ -344,12 +347,15 @@ static struct xfrm_type mip6_destopt_type =
 static int mip6_rthdr_input(struct xfrm_state *x, struct sk_buff *skb)
 {
        struct rt2_hdr *rt2 = (struct rt2_hdr *)skb->data;
+       int err = rt2->rt_hdr.nexthdr;
 
+       spin_lock(&x->lock);
        if (!ipv6_addr_equal(&rt2->addr, (struct in6_addr *)x->coaddr) &&
            !ipv6_addr_any((struct in6_addr *)x->coaddr))
-               return -ENOENT;
+               err = -ENOENT;
+       spin_unlock(&x->lock);
 
-       return rt2->rt_hdr.nexthdr;
+       return err;
 }
 
 /* Routing Header type 2 is inserted.
index b7d68eb9434cdc663af43bc940f58eb49d0ba306..5cad522e8ef613cf44afa724cfc9a4877928d8ce 100644 (file)
@@ -146,7 +146,11 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
                if (xfrm_state_check_expire(x))
                        goto drop_unlock;
 
+               spin_unlock(&x->lock);
+
                nexthdr = x->type->input(x, skb);
+
+               spin_lock(&x->lock);
                if (nexthdr <= 0) {
                        if (nexthdr == -EBADMSG)
                                x->stats.integrity_failed++;