Commit b7c6538c authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

[IPSEC]: Move state lock into x->type->output

This patch releases the lock on the state before calling x->type->output.
It also adds the lock to the spots where it is currently needed.

Most of those places (all except mip6) are expected to disappear with
async crypto.
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 050f009e
...@@ -5,6 +5,7 @@ ...@@ -5,6 +5,7 @@
#include <net/ah.h> #include <net/ah.h>
#include <linux/crypto.h> #include <linux/crypto.h>
#include <linux/pfkeyv2.h> #include <linux/pfkeyv2.h>
#include <linux/spinlock.h>
#include <net/icmp.h> #include <net/icmp.h>
#include <net/protocol.h> #include <net/protocol.h>
#include <asm/scatterlist.h> #include <asm/scatterlist.h>
...@@ -97,10 +98,14 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -97,10 +98,14 @@ static int ah_output(struct xfrm_state *x, struct sk_buff *skb)
ah->reserved = 0; ah->reserved = 0;
ah->spi = x->id.spi; ah->spi = x->id.spi;
ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
spin_lock_bh(&x->lock);
err = ah_mac_digest(ahp, skb, ah->auth_data); err = ah_mac_digest(ahp, skb, ah->auth_data);
memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
spin_unlock_bh(&x->lock);
if (err) if (err)
goto error; goto error;
memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
top_iph->tos = iph->tos; top_iph->tos = iph->tos;
top_iph->ttl = iph->ttl; top_iph->ttl = iph->ttl;
......
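Review bot: In ah_output the copy `memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);` now sits between spin_lock_bh() and spin_unlock_bh(), ahead of the `if (err)` test, so it runs even when ah_mac_digest() failed and writes whatever work_icv currently holds into the AH header. That is harmless only if every caller discards the skb on error, which this page does not show. Guarding it as `if (!err) memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);` keeps the copy under the lock without emitting an ICV from a failed digest; ah6_output has the same ordering. The page renders old and new columns without +/- markers, so this takes the lines inside the lock pair to be the new side, and the function body continues outside the hunk.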
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/pfkeyv2.h> #include <linux/pfkeyv2.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/spinlock.h>
#include <net/icmp.h> #include <net/icmp.h>
#include <net/protocol.h> #include <net/protocol.h>
#include <net/udp.h> #include <net/udp.h>
...@@ -66,6 +67,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -66,6 +67,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
top_iph->tot_len = htons(skb->len + alen); top_iph->tot_len = htons(skb->len + alen);
*(skb_tail_pointer(trailer) - 1) = top_iph->protocol; *(skb_tail_pointer(trailer) - 1) = top_iph->protocol;
spin_lock_bh(&x->lock);
/* this is non-NULL only with UDP Encapsulation */ /* this is non-NULL only with UDP Encapsulation */
if (x->encap) { if (x->encap) {
struct xfrm_encap_tmpl *encap = x->encap; struct xfrm_encap_tmpl *encap = x->encap;
...@@ -111,7 +114,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -111,7 +114,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
if (unlikely(nfrags > ESP_NUM_FAST_SG)) { if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg) if (!sg)
goto error; goto unlock;
} }
skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen);
err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); err = crypto_blkcipher_encrypt(&desc, sg, sg, clen);
...@@ -120,7 +123,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -120,7 +123,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
} while (0); } while (0);
if (unlikely(err)) if (unlikely(err))
goto error; goto unlock;
if (esp->conf.ivlen) { if (esp->conf.ivlen) {
memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen);
...@@ -133,6 +136,9 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -133,6 +136,9 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen);
} }
unlock:
spin_unlock_bh(&x->lock);
ip_send_check(top_iph); ip_send_check(top_iph);
error: error:
......
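Review bot: The new `unlock:` label in esp_output is placed above `ip_send_check(top_iph);`, so the two `goto unlock` failure paths now recompute the IP header checksum on a packet that is about to be returned with an error, whereas the old `goto error` skipped it. esp6_output lets `unlock:` fall straight into `error:`, and the IPv4 version would match it if `ip_send_check(top_iph);` were moved above the label. Parts of the locked region lie outside the hunks shown, so it is also worth confirming that no `goto error` remains between spin_lock_bh() and `unlock:`, since such a path would return with x->lock still held.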
...@@ -29,6 +29,7 @@ ...@@ -29,6 +29,7 @@
#include <net/ah.h> #include <net/ah.h>
#include <linux/crypto.h> #include <linux/crypto.h>
#include <linux/pfkeyv2.h> #include <linux/pfkeyv2.h>
#include <linux/spinlock.h>
#include <linux/string.h> #include <linux/string.h>
#include <net/icmp.h> #include <net/icmp.h>
#include <net/ipv6.h> #include <net/ipv6.h>
...@@ -284,12 +285,14 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -284,12 +285,14 @@ static int ah6_output(struct xfrm_state *x, struct sk_buff *skb)
ah->reserved = 0; ah->reserved = 0;
ah->spi = x->id.spi; ah->spi = x->id.spi;
ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq); ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
spin_lock_bh(&x->lock);
err = ah_mac_digest(ahp, skb, ah->auth_data); err = ah_mac_digest(ahp, skb, ah->auth_data);
if (err)
goto error_free_iph;
memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len); memcpy(ah->auth_data, ahp->work_icv, ahp->icv_trunc_len);
spin_unlock_bh(&x->lock);
err = 0; if (err)
goto error_free_iph;
memcpy(top_iph, tmp_base, sizeof(tmp_base)); memcpy(top_iph, tmp_base, sizeof(tmp_base));
if (tmp_ext) { if (tmp_ext) {
......
...@@ -34,6 +34,7 @@ ...@@ -34,6 +34,7 @@
#include <linux/kernel.h> #include <linux/kernel.h>
#include <linux/pfkeyv2.h> #include <linux/pfkeyv2.h>
#include <linux/random.h> #include <linux/random.h>
#include <linux/spinlock.h>
#include <net/icmp.h> #include <net/icmp.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/protocol.h> #include <net/protocol.h>
...@@ -98,6 +99,8 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -98,6 +99,8 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
esph->spi = x->id.spi; esph->spi = x->id.spi;
esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq); esph->seq_no = htonl(XFRM_SKB_CB(skb)->seq);
spin_lock_bh(&x->lock);
if (esp->conf.ivlen) { if (esp->conf.ivlen) {
if (unlikely(!esp->conf.ivinitted)) { if (unlikely(!esp->conf.ivinitted)) {
get_random_bytes(esp->conf.ivec, esp->conf.ivlen); get_random_bytes(esp->conf.ivec, esp->conf.ivlen);
...@@ -112,7 +115,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -112,7 +115,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
if (unlikely(nfrags > ESP_NUM_FAST_SG)) { if (unlikely(nfrags > ESP_NUM_FAST_SG)) {
sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC); sg = kmalloc(sizeof(struct scatterlist)*nfrags, GFP_ATOMIC);
if (!sg) if (!sg)
goto error; goto unlock;
} }
skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen); skb_to_sgvec(skb, sg, esph->enc_data+esp->conf.ivlen-skb->data, clen);
err = crypto_blkcipher_encrypt(&desc, sg, sg, clen); err = crypto_blkcipher_encrypt(&desc, sg, sg, clen);
...@@ -121,7 +124,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -121,7 +124,7 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
} while (0); } while (0);
if (unlikely(err)) if (unlikely(err))
goto error; goto unlock;
if (esp->conf.ivlen) { if (esp->conf.ivlen) {
memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen); memcpy(esph->enc_data, esp->conf.ivec, esp->conf.ivlen);
...@@ -134,6 +137,9 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -134,6 +137,9 @@ static int esp6_output(struct xfrm_state *x, struct sk_buff *skb)
memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen); memcpy(pskb_put(skb, trailer, alen), esp->auth.work_icv, alen);
} }
unlock:
spin_unlock_bh(&x->lock);
error: error:
return err; return err;
} }
......
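Review bot: The spin_lock_bh() added in esp6_output has no comment saying what it guards. The hunks suggest it is the scratch data reached through `esp`: `esp->conf.ivec` is filled by get_random_bytes() and later copied into the packet, and `esp->auth.work_icv` is copied out just before `unlock:`. If that reading is right, a line such as `/* x->lock serialises use of esp->conf.ivec and esp->auth.work_icv */` above the lock would tell the next editor which statements must stay inside it. The lines between the hunks are not visible here, so whether other fields also depend on the lock cannot be confirmed from this page.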
...@@ -172,7 +172,9 @@ static int mip6_destopt_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -172,7 +172,9 @@ static int mip6_destopt_output(struct xfrm_state *x, struct sk_buff *skb)
len = ((char *)hao - (char *)dstopt) + sizeof(*hao); len = ((char *)hao - (char *)dstopt) + sizeof(*hao);
memcpy(&hao->addr, &iph->saddr, sizeof(hao->addr)); memcpy(&hao->addr, &iph->saddr, sizeof(hao->addr));
spin_lock_bh(&x->lock);
memcpy(&iph->saddr, x->coaddr, sizeof(iph->saddr)); memcpy(&iph->saddr, x->coaddr, sizeof(iph->saddr));
spin_unlock_bh(&x->lock);
BUG_TRAP(len == x->props.header_len); BUG_TRAP(len == x->props.header_len);
dstopt->hdrlen = (x->props.header_len >> 3) - 1; dstopt->hdrlen = (x->props.header_len >> 3) - 1;
...@@ -381,7 +383,9 @@ static int mip6_rthdr_output(struct xfrm_state *x, struct sk_buff *skb) ...@@ -381,7 +383,9 @@ static int mip6_rthdr_output(struct xfrm_state *x, struct sk_buff *skb)
BUG_TRAP(rt2->rt_hdr.hdrlen == 2); BUG_TRAP(rt2->rt_hdr.hdrlen == 2);
memcpy(&rt2->addr, &iph->daddr, sizeof(rt2->addr)); memcpy(&rt2->addr, &iph->daddr, sizeof(rt2->addr));
spin_lock_bh(&x->lock);
memcpy(&iph->daddr, x->coaddr, sizeof(iph->daddr)); memcpy(&iph->daddr, x->coaddr, sizeof(iph->daddr));
spin_unlock_bh(&x->lock);
return 0; return 0;
} }
......
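Review bot: Both mip6 hunks take x->lock around a single memcpy() from `x->coaddr` without saying why, while the reads of `x->props.header_len` just below stay outside it. The commit message singles mip6 out as the one place where the lock is expected to remain, so the reason deserves a comment at each site, for example `/* coaddr may be updated while the state is in use; copy it under x->lock */`, if that is indeed the reason. mip6_destopt_output starts outside the hunk.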
...@@ -67,15 +67,15 @@ int xfrm_output(struct sk_buff *skb) ...@@ -67,15 +67,15 @@ int xfrm_output(struct sk_buff *skb)
if (err) if (err)
goto error; goto error;
err = x->type->output(x, skb);
if (err)
goto error;
x->curlft.bytes += skb->len; x->curlft.bytes += skb->len;
x->curlft.packets++; x->curlft.packets++;
spin_unlock_bh(&x->lock); spin_unlock_bh(&x->lock);
err = x->type->output(x, skb);
if (err)
goto error_nolock;
if (!(skb->dst = dst_pop(dst))) { if (!(skb->dst = dst_pop(dst))) {
err = -EHOSTUNREACH; err = -EHOSTUNREACH;
goto error_nolock; goto error_nolock;
......
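Review bot: With the call to x->type->output() moved below spin_unlock_bh(), `x->curlft.bytes` and `x->curlft.packets` are incremented before the transform has run, so a packet that fails in ->output() is still added to the state's current-lifetime counters. If that over-counting is intended, a comment above the counters such as `/* accounted before ->output(); a failed transform is still counted */` would record it; otherwise the accounting needs its own short locked section after a successful output. The page shows old and new columns without +/- markers, so this takes the call placed after the unlock to be the new side. xfrm_output's body continues outside the hunk.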