1 /* 2 * xfrm_state.c 3 * 4 * Changes: 5 * Mitsuru KANDA @USAGI 6 * Kazunori MIYAZAWA @USAGI 7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com> 8 * IPv6 support 9 * YOSHIFUJI Hideaki @USAGI 10 * Split up af-specific functions 11 * Derek Atkins <derek@ihtfp.com> 12 * Add UDP Encapsulation 13 * 14 */ 15 16 #include <linux/workqueue.h> 17 #include <net/xfrm.h> 18 #include <linux/pfkeyv2.h> 19 #include <linux/ipsec.h> 20 #include <linux/module.h> 21 #include <linux/cache.h> 22 #include <asm/uaccess.h> 23 24 #include "xfrm_hash.h" 25 26 struct sock *xfrm_nl; 27 EXPORT_SYMBOL(xfrm_nl); 28 29 u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME; 30 EXPORT_SYMBOL(sysctl_xfrm_aevent_etime); 31 32 u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE; 33 EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth); 34 35 u32 sysctl_xfrm_acq_expires __read_mostly = 30; 36 37 /* Each xfrm_state may be linked to two tables: 38 39 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl) 40 2. Hash table by (daddr,family,reqid) to find what SAs exist for given 41 destination/tunnel endpoint. (output) 42 */ 43 44 static DEFINE_SPINLOCK(xfrm_state_lock); 45 46 /* Hash table to find appropriate SA towards given target (endpoint 47 * of tunnel or destination of transport mode) allowed by selector. 48 * 49 * Main use is finding SA after policy selected tunnel or transport mode. 50 * Also, it can be used by ah/esp icmp error handler to find offending SA. 51 */ 52 static struct hlist_head *xfrm_state_bydst __read_mostly; 53 static struct hlist_head *xfrm_state_bysrc __read_mostly; 54 static struct hlist_head *xfrm_state_byspi __read_mostly; 55 static unsigned int xfrm_state_hmask __read_mostly; 56 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024; 57 static unsigned int xfrm_state_num; 58 static unsigned int xfrm_state_genid; 59 60 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family); 61 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo); 62 63 static inline unsigned int xfrm_dst_hash(xfrm_address_t *daddr, 64 xfrm_address_t *saddr, 65 u32 reqid, 66 unsigned short family) 67 { 68 return __xfrm_dst_hash(daddr, saddr, reqid, family, xfrm_state_hmask); 69 } 70 71 static inline unsigned int xfrm_src_hash(xfrm_address_t *daddr, 72 xfrm_address_t *saddr, 73 unsigned short family) 74 { 75 return __xfrm_src_hash(daddr, saddr, family, xfrm_state_hmask); 76 } 77 78 static inline unsigned int 79 xfrm_spi_hash(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 80 { 81 return __xfrm_spi_hash(daddr, spi, proto, family, xfrm_state_hmask); 82 } 83 84 static void xfrm_hash_transfer(struct hlist_head *list, 85 struct hlist_head *ndsttable, 86 struct hlist_head *nsrctable, 87 struct hlist_head *nspitable, 88 unsigned int nhashmask) 89 { 90 struct hlist_node *entry, *tmp; 91 struct xfrm_state *x; 92 93 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) { 94 unsigned int h; 95 96 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 97 x->props.reqid, x->props.family, 98 nhashmask); 99 hlist_add_head(&x->bydst, ndsttable+h); 100 101 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr, 102 x->props.family, 103 nhashmask); 104 hlist_add_head(&x->bysrc, nsrctable+h); 105 106 if (x->id.spi) { 107 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi, 108 x->id.proto, x->props.family, 109 nhashmask); 110 hlist_add_head(&x->byspi, nspitable+h); 111 } 112 } 113 } 114 115 static unsigned long xfrm_hash_new_size(void) 116 { 117 return ((xfrm_state_hmask + 1) << 1) * 118 sizeof(struct hlist_head); 119 } 120 121 static DEFINE_MUTEX(hash_resize_mutex); 122 123 static void xfrm_hash_resize(struct work_struct *__unused) 124 { 125 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi; 126 unsigned long nsize, osize; 127 unsigned int nhashmask, ohashmask; 128 int i; 129 130 mutex_lock(&hash_resize_mutex); 131 132 nsize = xfrm_hash_new_size(); 133 ndst = xfrm_hash_alloc(nsize); 134 if (!ndst) 135 goto out_unlock; 136 nsrc = xfrm_hash_alloc(nsize); 137 if (!nsrc) { 138 xfrm_hash_free(ndst, nsize); 139 goto out_unlock; 140 } 141 nspi = xfrm_hash_alloc(nsize); 142 if (!nspi) { 143 xfrm_hash_free(ndst, nsize); 144 xfrm_hash_free(nsrc, nsize); 145 goto out_unlock; 146 } 147 148 spin_lock_bh(&xfrm_state_lock); 149 150 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U; 151 for (i = xfrm_state_hmask; i >= 0; i--) 152 xfrm_hash_transfer(xfrm_state_bydst+i, ndst, nsrc, nspi, 153 nhashmask); 154 155 odst = xfrm_state_bydst; 156 osrc = xfrm_state_bysrc; 157 ospi = xfrm_state_byspi; 158 ohashmask = xfrm_state_hmask; 159 160 xfrm_state_bydst = ndst; 161 xfrm_state_bysrc = nsrc; 162 xfrm_state_byspi = nspi; 163 xfrm_state_hmask = nhashmask; 164 165 spin_unlock_bh(&xfrm_state_lock); 166 167 osize = (ohashmask + 1) * sizeof(struct hlist_head); 168 xfrm_hash_free(odst, osize); 169 xfrm_hash_free(osrc, osize); 170 xfrm_hash_free(ospi, osize); 171 172 out_unlock: 173 mutex_unlock(&hash_resize_mutex); 174 } 175 176 static DECLARE_WORK(xfrm_hash_work, xfrm_hash_resize); 177 178 DECLARE_WAIT_QUEUE_HEAD(km_waitq); 179 EXPORT_SYMBOL(km_waitq); 180 181 static DEFINE_RWLOCK(xfrm_state_afinfo_lock); 182 static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO]; 183 184 static struct work_struct xfrm_state_gc_work; 185 static HLIST_HEAD(xfrm_state_gc_list); 186 static DEFINE_SPINLOCK(xfrm_state_gc_lock); 187 188 int __xfrm_state_delete(struct xfrm_state *x); 189 190 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol); 191 void km_state_expired(struct xfrm_state *x, int hard, u32 pid); 192 193 static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family) 194 { 195 struct xfrm_state_afinfo *afinfo; 196 if (unlikely(family >= NPROTO)) 197 return NULL; 198 write_lock_bh(&xfrm_state_afinfo_lock); 199 afinfo = xfrm_state_afinfo[family]; 200 if (unlikely(!afinfo)) 201 write_unlock_bh(&xfrm_state_afinfo_lock); 202 return afinfo; 203 } 204 205 static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo) 206 { 207 write_unlock_bh(&xfrm_state_afinfo_lock); 208 } 209 210 int xfrm_register_type(struct xfrm_type *type, unsigned short family) 211 { 212 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 213 struct xfrm_type **typemap; 214 int err = 0; 215 216 if (unlikely(afinfo == NULL)) 217 return -EAFNOSUPPORT; 218 typemap = afinfo->type_map; 219 220 if (likely(typemap[type->proto] == NULL)) 221 typemap[type->proto] = type; 222 else 223 err = -EEXIST; 224 xfrm_state_unlock_afinfo(afinfo); 225 return err; 226 } 227 EXPORT_SYMBOL(xfrm_register_type); 228 229 int xfrm_unregister_type(struct xfrm_type *type, unsigned short family) 230 { 231 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family); 232 struct xfrm_type **typemap; 233 int err = 0; 234 235 if (unlikely(afinfo == NULL)) 236 return -EAFNOSUPPORT; 237 typemap = afinfo->type_map; 238 239 if (unlikely(typemap[type->proto] != type)) 240 err = -ENOENT; 241 else 242 typemap[type->proto] = NULL; 243 xfrm_state_unlock_afinfo(afinfo); 244 return err; 245 } 246 EXPORT_SYMBOL(xfrm_unregister_type); 247 248 static struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family) 249 { 250 struct xfrm_state_afinfo *afinfo; 251 struct xfrm_type **typemap; 252 struct xfrm_type *type; 253 int modload_attempted = 0; 254 255 retry: 256 afinfo = xfrm_state_get_afinfo(family); 257 if (unlikely(afinfo == NULL)) 258 return NULL; 259 typemap = afinfo->type_map; 260 261 type = typemap[proto]; 262 if (unlikely(type && !try_module_get(type->owner))) 263 type = NULL; 264 if (!type && !modload_attempted) { 265 xfrm_state_put_afinfo(afinfo); 266 request_module("xfrm-type-%d-%d", family, proto); 267 modload_attempted = 1; 268 goto retry; 269 } 270 271 xfrm_state_put_afinfo(afinfo); 272 return type; 273 } 274 275 static void xfrm_put_type(struct xfrm_type *type) 276 { 277 module_put(type->owner); 278 } 279 280 int xfrm_register_mode(struct xfrm_mode *mode, int family) 281 { 282 struct xfrm_state_afinfo *afinfo; 283 struct xfrm_mode **modemap; 284 int err; 285 286 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 287 return -EINVAL; 288 289 afinfo = xfrm_state_lock_afinfo(family); 290 if (unlikely(afinfo == NULL)) 291 return -EAFNOSUPPORT; 292 293 err = -EEXIST; 294 modemap = afinfo->mode_map; 295 if (modemap[mode->encap]) 296 goto out; 297 298 err = -ENOENT; 299 if (!try_module_get(afinfo->owner)) 300 goto out; 301 302 mode->afinfo = afinfo; 303 modemap[mode->encap] = mode; 304 err = 0; 305 306 out: 307 xfrm_state_unlock_afinfo(afinfo); 308 return err; 309 } 310 EXPORT_SYMBOL(xfrm_register_mode); 311 312 int xfrm_unregister_mode(struct xfrm_mode *mode, int family) 313 { 314 struct xfrm_state_afinfo *afinfo; 315 struct xfrm_mode **modemap; 316 int err; 317 318 if (unlikely(mode->encap >= XFRM_MODE_MAX)) 319 return -EINVAL; 320 321 afinfo = xfrm_state_lock_afinfo(family); 322 if (unlikely(afinfo == NULL)) 323 return -EAFNOSUPPORT; 324 325 err = -ENOENT; 326 modemap = afinfo->mode_map; 327 if (likely(modemap[mode->encap] == mode)) { 328 modemap[mode->encap] = NULL; 329 module_put(mode->afinfo->owner); 330 err = 0; 331 } 332 333 xfrm_state_unlock_afinfo(afinfo); 334 return err; 335 } 336 EXPORT_SYMBOL(xfrm_unregister_mode); 337 338 static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family) 339 { 340 struct xfrm_state_afinfo *afinfo; 341 struct xfrm_mode *mode; 342 int modload_attempted = 0; 343 344 if (unlikely(encap >= XFRM_MODE_MAX)) 345 return NULL; 346 347 retry: 348 afinfo = xfrm_state_get_afinfo(family); 349 if (unlikely(afinfo == NULL)) 350 return NULL; 351 352 mode = afinfo->mode_map[encap]; 353 if (unlikely(mode && !try_module_get(mode->owner))) 354 mode = NULL; 355 if (!mode && !modload_attempted) { 356 xfrm_state_put_afinfo(afinfo); 357 request_module("xfrm-mode-%d-%d", family, encap); 358 modload_attempted = 1; 359 goto retry; 360 } 361 362 xfrm_state_put_afinfo(afinfo); 363 return mode; 364 } 365 366 static void xfrm_put_mode(struct xfrm_mode *mode) 367 { 368 module_put(mode->owner); 369 } 370 371 static void xfrm_state_gc_destroy(struct xfrm_state *x) 372 { 373 del_timer_sync(&x->timer); 374 del_timer_sync(&x->rtimer); 375 kfree(x->aalg); 376 kfree(x->ealg); 377 kfree(x->calg); 378 kfree(x->encap); 379 kfree(x->coaddr); 380 if (x->inner_mode) 381 xfrm_put_mode(x->inner_mode); 382 if (x->outer_mode) 383 xfrm_put_mode(x->outer_mode); 384 if (x->type) { 385 x->type->destructor(x); 386 xfrm_put_type(x->type); 387 } 388 security_xfrm_state_free(x); 389 kfree(x); 390 } 391 392 static void xfrm_state_gc_task(struct work_struct *data) 393 { 394 struct xfrm_state *x; 395 struct hlist_node *entry, *tmp; 396 struct hlist_head gc_list; 397 398 spin_lock_bh(&xfrm_state_gc_lock); 399 gc_list.first = xfrm_state_gc_list.first; 400 INIT_HLIST_HEAD(&xfrm_state_gc_list); 401 spin_unlock_bh(&xfrm_state_gc_lock); 402 403 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, bydst) 404 xfrm_state_gc_destroy(x); 405 406 wake_up(&km_waitq); 407 } 408 409 static inline unsigned long make_jiffies(long secs) 410 { 411 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ) 412 return MAX_SCHEDULE_TIMEOUT-1; 413 else 414 return secs*HZ; 415 } 416 417 static void xfrm_timer_handler(unsigned long data) 418 { 419 struct xfrm_state *x = (struct xfrm_state*)data; 420 unsigned long now = get_seconds(); 421 long next = LONG_MAX; 422 int warn = 0; 423 int err = 0; 424 425 spin_lock(&x->lock); 426 if (x->km.state == XFRM_STATE_DEAD) 427 goto out; 428 if (x->km.state == XFRM_STATE_EXPIRED) 429 goto expired; 430 if (x->lft.hard_add_expires_seconds) { 431 long tmo = x->lft.hard_add_expires_seconds + 432 x->curlft.add_time - now; 433 if (tmo <= 0) 434 goto expired; 435 if (tmo < next) 436 next = tmo; 437 } 438 if (x->lft.hard_use_expires_seconds) { 439 long tmo = x->lft.hard_use_expires_seconds + 440 (x->curlft.use_time ? : now) - now; 441 if (tmo <= 0) 442 goto expired; 443 if (tmo < next) 444 next = tmo; 445 } 446 if (x->km.dying) 447 goto resched; 448 if (x->lft.soft_add_expires_seconds) { 449 long tmo = x->lft.soft_add_expires_seconds + 450 x->curlft.add_time - now; 451 if (tmo <= 0) 452 warn = 1; 453 else if (tmo < next) 454 next = tmo; 455 } 456 if (x->lft.soft_use_expires_seconds) { 457 long tmo = x->lft.soft_use_expires_seconds + 458 (x->curlft.use_time ? : now) - now; 459 if (tmo <= 0) 460 warn = 1; 461 else if (tmo < next) 462 next = tmo; 463 } 464 465 x->km.dying = warn; 466 if (warn) 467 km_state_expired(x, 0, 0); 468 resched: 469 if (next != LONG_MAX) 470 mod_timer(&x->timer, jiffies + make_jiffies(next)); 471 472 goto out; 473 474 expired: 475 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) { 476 x->km.state = XFRM_STATE_EXPIRED; 477 wake_up(&km_waitq); 478 next = 2; 479 goto resched; 480 } 481 482 err = __xfrm_state_delete(x); 483 if (!err && x->id.spi) 484 km_state_expired(x, 1, 0); 485 486 xfrm_audit_state_delete(x, err ? 0 : 1, 487 audit_get_loginuid(current->audit_context), 0); 488 489 out: 490 spin_unlock(&x->lock); 491 } 492 493 static void xfrm_replay_timer_handler(unsigned long data); 494 495 struct xfrm_state *xfrm_state_alloc(void) 496 { 497 struct xfrm_state *x; 498 499 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC); 500 501 if (x) { 502 atomic_set(&x->refcnt, 1); 503 atomic_set(&x->tunnel_users, 0); 504 INIT_HLIST_NODE(&x->bydst); 505 INIT_HLIST_NODE(&x->bysrc); 506 INIT_HLIST_NODE(&x->byspi); 507 init_timer(&x->timer); 508 x->timer.function = xfrm_timer_handler; 509 x->timer.data = (unsigned long)x; 510 init_timer(&x->rtimer); 511 x->rtimer.function = xfrm_replay_timer_handler; 512 x->rtimer.data = (unsigned long)x; 513 x->curlft.add_time = get_seconds(); 514 x->lft.soft_byte_limit = XFRM_INF; 515 x->lft.soft_packet_limit = XFRM_INF; 516 x->lft.hard_byte_limit = XFRM_INF; 517 x->lft.hard_packet_limit = XFRM_INF; 518 x->replay_maxage = 0; 519 x->replay_maxdiff = 0; 520 spin_lock_init(&x->lock); 521 } 522 return x; 523 } 524 EXPORT_SYMBOL(xfrm_state_alloc); 525 526 void __xfrm_state_destroy(struct xfrm_state *x) 527 { 528 BUG_TRAP(x->km.state == XFRM_STATE_DEAD); 529 530 spin_lock_bh(&xfrm_state_gc_lock); 531 hlist_add_head(&x->bydst, &xfrm_state_gc_list); 532 spin_unlock_bh(&xfrm_state_gc_lock); 533 schedule_work(&xfrm_state_gc_work); 534 } 535 EXPORT_SYMBOL(__xfrm_state_destroy); 536 537 int __xfrm_state_delete(struct xfrm_state *x) 538 { 539 int err = -ESRCH; 540 541 if (x->km.state != XFRM_STATE_DEAD) { 542 x->km.state = XFRM_STATE_DEAD; 543 spin_lock(&xfrm_state_lock); 544 hlist_del(&x->bydst); 545 hlist_del(&x->bysrc); 546 if (x->id.spi) 547 hlist_del(&x->byspi); 548 xfrm_state_num--; 549 spin_unlock(&xfrm_state_lock); 550 551 /* All xfrm_state objects are created by xfrm_state_alloc. 552 * The xfrm_state_alloc call gives a reference, and that 553 * is what we are dropping here. 554 */ 555 __xfrm_state_put(x); 556 err = 0; 557 } 558 559 return err; 560 } 561 EXPORT_SYMBOL(__xfrm_state_delete); 562 563 int xfrm_state_delete(struct xfrm_state *x) 564 { 565 int err; 566 567 spin_lock_bh(&x->lock); 568 err = __xfrm_state_delete(x); 569 spin_unlock_bh(&x->lock); 570 571 return err; 572 } 573 EXPORT_SYMBOL(xfrm_state_delete); 574 575 #ifdef CONFIG_SECURITY_NETWORK_XFRM 576 static inline int 577 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 578 { 579 int i, err = 0; 580 581 for (i = 0; i <= xfrm_state_hmask; i++) { 582 struct hlist_node *entry; 583 struct xfrm_state *x; 584 585 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 586 if (xfrm_id_proto_match(x->id.proto, proto) && 587 (err = security_xfrm_state_delete(x)) != 0) { 588 xfrm_audit_state_delete(x, 0, 589 audit_info->loginuid, 590 audit_info->secid); 591 return err; 592 } 593 } 594 } 595 596 return err; 597 } 598 #else 599 static inline int 600 xfrm_state_flush_secctx_check(u8 proto, struct xfrm_audit *audit_info) 601 { 602 return 0; 603 } 604 #endif 605 606 int xfrm_state_flush(u8 proto, struct xfrm_audit *audit_info) 607 { 608 int i, err = 0; 609 610 spin_lock_bh(&xfrm_state_lock); 611 err = xfrm_state_flush_secctx_check(proto, audit_info); 612 if (err) 613 goto out; 614 615 for (i = 0; i <= xfrm_state_hmask; i++) { 616 struct hlist_node *entry; 617 struct xfrm_state *x; 618 restart: 619 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 620 if (!xfrm_state_kern(x) && 621 xfrm_id_proto_match(x->id.proto, proto)) { 622 xfrm_state_hold(x); 623 spin_unlock_bh(&xfrm_state_lock); 624 625 err = xfrm_state_delete(x); 626 xfrm_audit_state_delete(x, err ? 0 : 1, 627 audit_info->loginuid, 628 audit_info->secid); 629 xfrm_state_put(x); 630 631 spin_lock_bh(&xfrm_state_lock); 632 goto restart; 633 } 634 } 635 } 636 err = 0; 637 638 out: 639 spin_unlock_bh(&xfrm_state_lock); 640 wake_up(&km_waitq); 641 return err; 642 } 643 EXPORT_SYMBOL(xfrm_state_flush); 644 645 void xfrm_sad_getinfo(struct xfrmk_sadinfo *si) 646 { 647 spin_lock_bh(&xfrm_state_lock); 648 si->sadcnt = xfrm_state_num; 649 si->sadhcnt = xfrm_state_hmask; 650 si->sadhmcnt = xfrm_state_hashmax; 651 spin_unlock_bh(&xfrm_state_lock); 652 } 653 EXPORT_SYMBOL(xfrm_sad_getinfo); 654 655 static int 656 xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl, 657 struct xfrm_tmpl *tmpl, 658 xfrm_address_t *daddr, xfrm_address_t *saddr, 659 unsigned short family) 660 { 661 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 662 if (!afinfo) 663 return -1; 664 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr); 665 xfrm_state_put_afinfo(afinfo); 666 return 0; 667 } 668 669 static struct xfrm_state *__xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family) 670 { 671 unsigned int h = xfrm_spi_hash(daddr, spi, proto, family); 672 struct xfrm_state *x; 673 struct hlist_node *entry; 674 675 hlist_for_each_entry(x, entry, xfrm_state_byspi+h, byspi) { 676 if (x->props.family != family || 677 x->id.spi != spi || 678 x->id.proto != proto) 679 continue; 680 681 switch (family) { 682 case AF_INET: 683 if (x->id.daddr.a4 != daddr->a4) 684 continue; 685 break; 686 case AF_INET6: 687 if (!ipv6_addr_equal((struct in6_addr *)daddr, 688 (struct in6_addr *) 689 x->id.daddr.a6)) 690 continue; 691 break; 692 } 693 694 xfrm_state_hold(x); 695 return x; 696 } 697 698 return NULL; 699 } 700 701 static struct xfrm_state *__xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family) 702 { 703 unsigned int h = xfrm_src_hash(daddr, saddr, family); 704 struct xfrm_state *x; 705 struct hlist_node *entry; 706 707 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) { 708 if (x->props.family != family || 709 x->id.proto != proto) 710 continue; 711 712 switch (family) { 713 case AF_INET: 714 if (x->id.daddr.a4 != daddr->a4 || 715 x->props.saddr.a4 != saddr->a4) 716 continue; 717 break; 718 case AF_INET6: 719 if (!ipv6_addr_equal((struct in6_addr *)daddr, 720 (struct in6_addr *) 721 x->id.daddr.a6) || 722 !ipv6_addr_equal((struct in6_addr *)saddr, 723 (struct in6_addr *) 724 x->props.saddr.a6)) 725 continue; 726 break; 727 } 728 729 xfrm_state_hold(x); 730 return x; 731 } 732 733 return NULL; 734 } 735 736 static inline struct xfrm_state * 737 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family) 738 { 739 if (use_spi) 740 return __xfrm_state_lookup(&x->id.daddr, x->id.spi, 741 x->id.proto, family); 742 else 743 return __xfrm_state_lookup_byaddr(&x->id.daddr, 744 &x->props.saddr, 745 x->id.proto, family); 746 } 747 748 static void xfrm_hash_grow_check(int have_hash_collision) 749 { 750 if (have_hash_collision && 751 (xfrm_state_hmask + 1) < xfrm_state_hashmax && 752 xfrm_state_num > xfrm_state_hmask) 753 schedule_work(&xfrm_hash_work); 754 } 755 756 struct xfrm_state * 757 xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 758 struct flowi *fl, struct xfrm_tmpl *tmpl, 759 struct xfrm_policy *pol, int *err, 760 unsigned short family) 761 { 762 unsigned int h = xfrm_dst_hash(daddr, saddr, tmpl->reqid, family); 763 struct hlist_node *entry; 764 struct xfrm_state *x, *x0; 765 int acquire_in_progress = 0; 766 int error = 0; 767 struct xfrm_state *best = NULL; 768 769 spin_lock_bh(&xfrm_state_lock); 770 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 771 if (x->props.family == family && 772 x->props.reqid == tmpl->reqid && 773 !(x->props.flags & XFRM_STATE_WILDRECV) && 774 xfrm_state_addr_check(x, daddr, saddr, family) && 775 tmpl->mode == x->props.mode && 776 tmpl->id.proto == x->id.proto && 777 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) { 778 /* Resolution logic: 779 1. There is a valid state with matching selector. 780 Done. 781 2. Valid state with inappropriate selector. Skip. 782 783 Entering area of "sysdeps". 784 785 3. If state is not valid, selector is temporary, 786 it selects only session which triggered 787 previous resolution. Key manager will do 788 something to install a state with proper 789 selector. 790 */ 791 if (x->km.state == XFRM_STATE_VALID) { 792 if (!xfrm_selector_match(&x->sel, fl, x->sel.family) || 793 !security_xfrm_state_pol_flow_match(x, pol, fl)) 794 continue; 795 if (!best || 796 best->km.dying > x->km.dying || 797 (best->km.dying == x->km.dying && 798 best->curlft.add_time < x->curlft.add_time)) 799 best = x; 800 } else if (x->km.state == XFRM_STATE_ACQ) { 801 acquire_in_progress = 1; 802 } else if (x->km.state == XFRM_STATE_ERROR || 803 x->km.state == XFRM_STATE_EXPIRED) { 804 if (xfrm_selector_match(&x->sel, fl, x->sel.family) && 805 security_xfrm_state_pol_flow_match(x, pol, fl)) 806 error = -ESRCH; 807 } 808 } 809 } 810 811 x = best; 812 if (!x && !error && !acquire_in_progress) { 813 if (tmpl->id.spi && 814 (x0 = __xfrm_state_lookup(daddr, tmpl->id.spi, 815 tmpl->id.proto, family)) != NULL) { 816 xfrm_state_put(x0); 817 error = -EEXIST; 818 goto out; 819 } 820 x = xfrm_state_alloc(); 821 if (x == NULL) { 822 error = -ENOMEM; 823 goto out; 824 } 825 /* Initialize temporary selector matching only 826 * to current session. */ 827 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family); 828 829 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid); 830 if (error) { 831 x->km.state = XFRM_STATE_DEAD; 832 xfrm_state_put(x); 833 x = NULL; 834 goto out; 835 } 836 837 if (km_query(x, tmpl, pol) == 0) { 838 x->km.state = XFRM_STATE_ACQ; 839 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 840 h = xfrm_src_hash(daddr, saddr, family); 841 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 842 if (x->id.spi) { 843 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, family); 844 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 845 } 846 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 847 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 848 add_timer(&x->timer); 849 xfrm_state_num++; 850 xfrm_hash_grow_check(x->bydst.next != NULL); 851 } else { 852 x->km.state = XFRM_STATE_DEAD; 853 xfrm_state_put(x); 854 x = NULL; 855 error = -ESRCH; 856 } 857 } 858 out: 859 if (x) 860 xfrm_state_hold(x); 861 else 862 *err = acquire_in_progress ? -EAGAIN : error; 863 spin_unlock_bh(&xfrm_state_lock); 864 return x; 865 } 866 867 struct xfrm_state * 868 xfrm_stateonly_find(xfrm_address_t *daddr, xfrm_address_t *saddr, 869 unsigned short family, u8 mode, u8 proto, u32 reqid) 870 { 871 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family); 872 struct xfrm_state *rx = NULL, *x = NULL; 873 struct hlist_node *entry; 874 875 spin_lock(&xfrm_state_lock); 876 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 877 if (x->props.family == family && 878 x->props.reqid == reqid && 879 !(x->props.flags & XFRM_STATE_WILDRECV) && 880 xfrm_state_addr_check(x, daddr, saddr, family) && 881 mode == x->props.mode && 882 proto == x->id.proto && 883 x->km.state == XFRM_STATE_VALID) { 884 rx = x; 885 break; 886 } 887 } 888 889 if (rx) 890 xfrm_state_hold(rx); 891 spin_unlock(&xfrm_state_lock); 892 893 894 return rx; 895 } 896 EXPORT_SYMBOL(xfrm_stateonly_find); 897 898 static void __xfrm_state_insert(struct xfrm_state *x) 899 { 900 unsigned int h; 901 902 x->genid = ++xfrm_state_genid; 903 904 h = xfrm_dst_hash(&x->id.daddr, &x->props.saddr, 905 x->props.reqid, x->props.family); 906 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 907 908 h = xfrm_src_hash(&x->id.daddr, &x->props.saddr, x->props.family); 909 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 910 911 if (x->id.spi) { 912 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, 913 x->props.family); 914 915 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 916 } 917 918 mod_timer(&x->timer, jiffies + HZ); 919 if (x->replay_maxage) 920 mod_timer(&x->rtimer, jiffies + x->replay_maxage); 921 922 wake_up(&km_waitq); 923 924 xfrm_state_num++; 925 926 xfrm_hash_grow_check(x->bydst.next != NULL); 927 } 928 929 /* xfrm_state_lock is held */ 930 static void __xfrm_state_bump_genids(struct xfrm_state *xnew) 931 { 932 unsigned short family = xnew->props.family; 933 u32 reqid = xnew->props.reqid; 934 struct xfrm_state *x; 935 struct hlist_node *entry; 936 unsigned int h; 937 938 h = xfrm_dst_hash(&xnew->id.daddr, &xnew->props.saddr, reqid, family); 939 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 940 if (x->props.family == family && 941 x->props.reqid == reqid && 942 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) && 943 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family)) 944 x->genid = xfrm_state_genid; 945 } 946 } 947 948 void xfrm_state_insert(struct xfrm_state *x) 949 { 950 spin_lock_bh(&xfrm_state_lock); 951 __xfrm_state_bump_genids(x); 952 __xfrm_state_insert(x); 953 spin_unlock_bh(&xfrm_state_lock); 954 } 955 EXPORT_SYMBOL(xfrm_state_insert); 956 957 /* xfrm_state_lock is held */ 958 static struct xfrm_state *__find_acq_core(unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create) 959 { 960 unsigned int h = xfrm_dst_hash(daddr, saddr, reqid, family); 961 struct hlist_node *entry; 962 struct xfrm_state *x; 963 964 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 965 if (x->props.reqid != reqid || 966 x->props.mode != mode || 967 x->props.family != family || 968 x->km.state != XFRM_STATE_ACQ || 969 x->id.spi != 0 || 970 x->id.proto != proto) 971 continue; 972 973 switch (family) { 974 case AF_INET: 975 if (x->id.daddr.a4 != daddr->a4 || 976 x->props.saddr.a4 != saddr->a4) 977 continue; 978 break; 979 case AF_INET6: 980 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6, 981 (struct in6_addr *)daddr) || 982 !ipv6_addr_equal((struct in6_addr *) 983 x->props.saddr.a6, 984 (struct in6_addr *)saddr)) 985 continue; 986 break; 987 } 988 989 xfrm_state_hold(x); 990 return x; 991 } 992 993 if (!create) 994 return NULL; 995 996 x = xfrm_state_alloc(); 997 if (likely(x)) { 998 switch (family) { 999 case AF_INET: 1000 x->sel.daddr.a4 = daddr->a4; 1001 x->sel.saddr.a4 = saddr->a4; 1002 x->sel.prefixlen_d = 32; 1003 x->sel.prefixlen_s = 32; 1004 x->props.saddr.a4 = saddr->a4; 1005 x->id.daddr.a4 = daddr->a4; 1006 break; 1007 1008 case AF_INET6: 1009 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6, 1010 (struct in6_addr *)daddr); 1011 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6, 1012 (struct in6_addr *)saddr); 1013 x->sel.prefixlen_d = 128; 1014 x->sel.prefixlen_s = 128; 1015 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6, 1016 (struct in6_addr *)saddr); 1017 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6, 1018 (struct in6_addr *)daddr); 1019 break; 1020 } 1021 1022 x->km.state = XFRM_STATE_ACQ; 1023 x->id.proto = proto; 1024 x->props.family = family; 1025 x->props.mode = mode; 1026 x->props.reqid = reqid; 1027 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires; 1028 xfrm_state_hold(x); 1029 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ; 1030 add_timer(&x->timer); 1031 hlist_add_head(&x->bydst, xfrm_state_bydst+h); 1032 h = xfrm_src_hash(daddr, saddr, family); 1033 hlist_add_head(&x->bysrc, xfrm_state_bysrc+h); 1034 1035 xfrm_state_num++; 1036 1037 xfrm_hash_grow_check(x->bydst.next != NULL); 1038 } 1039 1040 return x; 1041 } 1042 1043 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq); 1044 1045 int xfrm_state_add(struct xfrm_state *x) 1046 { 1047 struct xfrm_state *x1; 1048 int family; 1049 int err; 1050 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1051 1052 family = x->props.family; 1053 1054 spin_lock_bh(&xfrm_state_lock); 1055 1056 x1 = __xfrm_state_locate(x, use_spi, family); 1057 if (x1) { 1058 xfrm_state_put(x1); 1059 x1 = NULL; 1060 err = -EEXIST; 1061 goto out; 1062 } 1063 1064 if (use_spi && x->km.seq) { 1065 x1 = __xfrm_find_acq_byseq(x->km.seq); 1066 if (x1 && ((x1->id.proto != x->id.proto) || 1067 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) { 1068 xfrm_state_put(x1); 1069 x1 = NULL; 1070 } 1071 } 1072 1073 if (use_spi && !x1) 1074 x1 = __find_acq_core(family, x->props.mode, x->props.reqid, 1075 x->id.proto, 1076 &x->id.daddr, &x->props.saddr, 0); 1077 1078 __xfrm_state_bump_genids(x); 1079 __xfrm_state_insert(x); 1080 err = 0; 1081 1082 out: 1083 spin_unlock_bh(&xfrm_state_lock); 1084 1085 if (x1) { 1086 xfrm_state_delete(x1); 1087 xfrm_state_put(x1); 1088 } 1089 1090 return err; 1091 } 1092 EXPORT_SYMBOL(xfrm_state_add); 1093 1094 #ifdef CONFIG_XFRM_MIGRATE 1095 struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp) 1096 { 1097 int err = -ENOMEM; 1098 struct xfrm_state *x = xfrm_state_alloc(); 1099 if (!x) 1100 goto error; 1101 1102 memcpy(&x->id, &orig->id, sizeof(x->id)); 1103 memcpy(&x->sel, &orig->sel, sizeof(x->sel)); 1104 memcpy(&x->lft, &orig->lft, sizeof(x->lft)); 1105 x->props.mode = orig->props.mode; 1106 x->props.replay_window = orig->props.replay_window; 1107 x->props.reqid = orig->props.reqid; 1108 x->props.family = orig->props.family; 1109 x->props.saddr = orig->props.saddr; 1110 1111 if (orig->aalg) { 1112 x->aalg = xfrm_algo_clone(orig->aalg); 1113 if (!x->aalg) 1114 goto error; 1115 } 1116 x->props.aalgo = orig->props.aalgo; 1117 1118 if (orig->ealg) { 1119 x->ealg = xfrm_algo_clone(orig->ealg); 1120 if (!x->ealg) 1121 goto error; 1122 } 1123 x->props.ealgo = orig->props.ealgo; 1124 1125 if (orig->calg) { 1126 x->calg = xfrm_algo_clone(orig->calg); 1127 if (!x->calg) 1128 goto error; 1129 } 1130 x->props.calgo = orig->props.calgo; 1131 1132 if (orig->encap) { 1133 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL); 1134 if (!x->encap) 1135 goto error; 1136 } 1137 1138 if (orig->coaddr) { 1139 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr), 1140 GFP_KERNEL); 1141 if (!x->coaddr) 1142 goto error; 1143 } 1144 1145 err = xfrm_init_state(x); 1146 if (err) 1147 goto error; 1148 1149 x->props.flags = orig->props.flags; 1150 1151 x->curlft.add_time = orig->curlft.add_time; 1152 x->km.state = orig->km.state; 1153 x->km.seq = orig->km.seq; 1154 1155 return x; 1156 1157 error: 1158 if (errp) 1159 *errp = err; 1160 if (x) { 1161 kfree(x->aalg); 1162 kfree(x->ealg); 1163 kfree(x->calg); 1164 kfree(x->encap); 1165 kfree(x->coaddr); 1166 } 1167 kfree(x); 1168 return NULL; 1169 } 1170 EXPORT_SYMBOL(xfrm_state_clone); 1171 1172 /* xfrm_state_lock is held */ 1173 struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m) 1174 { 1175 unsigned int h; 1176 struct xfrm_state *x; 1177 struct hlist_node *entry; 1178 1179 if (m->reqid) { 1180 h = xfrm_dst_hash(&m->old_daddr, &m->old_saddr, 1181 m->reqid, m->old_family); 1182 hlist_for_each_entry(x, entry, xfrm_state_bydst+h, bydst) { 1183 if (x->props.mode != m->mode || 1184 x->id.proto != m->proto) 1185 continue; 1186 if (m->reqid && x->props.reqid != m->reqid) 1187 continue; 1188 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1189 m->old_family) || 1190 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1191 m->old_family)) 1192 continue; 1193 xfrm_state_hold(x); 1194 return x; 1195 } 1196 } else { 1197 h = xfrm_src_hash(&m->old_daddr, &m->old_saddr, 1198 m->old_family); 1199 hlist_for_each_entry(x, entry, xfrm_state_bysrc+h, bysrc) { 1200 if (x->props.mode != m->mode || 1201 x->id.proto != m->proto) 1202 continue; 1203 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr, 1204 m->old_family) || 1205 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr, 1206 m->old_family)) 1207 continue; 1208 xfrm_state_hold(x); 1209 return x; 1210 } 1211 } 1212 1213 return NULL; 1214 } 1215 EXPORT_SYMBOL(xfrm_migrate_state_find); 1216 1217 struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x, 1218 struct xfrm_migrate *m) 1219 { 1220 struct xfrm_state *xc; 1221 int err; 1222 1223 xc = xfrm_state_clone(x, &err); 1224 if (!xc) 1225 return NULL; 1226 1227 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr)); 1228 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr)); 1229 1230 /* add state */ 1231 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) { 1232 /* a care is needed when the destination address of the 1233 state is to be updated as it is a part of triplet */ 1234 xfrm_state_insert(xc); 1235 } else { 1236 if ((err = xfrm_state_add(xc)) < 0) 1237 goto error; 1238 } 1239 1240 return xc; 1241 error: 1242 kfree(xc); 1243 return NULL; 1244 } 1245 EXPORT_SYMBOL(xfrm_state_migrate); 1246 #endif 1247 1248 int xfrm_state_update(struct xfrm_state *x) 1249 { 1250 struct xfrm_state *x1; 1251 int err; 1252 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY); 1253 1254 spin_lock_bh(&xfrm_state_lock); 1255 x1 = __xfrm_state_locate(x, use_spi, x->props.family); 1256 1257 err = -ESRCH; 1258 if (!x1) 1259 goto out; 1260 1261 if (xfrm_state_kern(x1)) { 1262 xfrm_state_put(x1); 1263 err = -EEXIST; 1264 goto out; 1265 } 1266 1267 if (x1->km.state == XFRM_STATE_ACQ) { 1268 __xfrm_state_insert(x); 1269 x = NULL; 1270 } 1271 err = 0; 1272 1273 out: 1274 spin_unlock_bh(&xfrm_state_lock); 1275 1276 if (err) 1277 return err; 1278 1279 if (!x) { 1280 xfrm_state_delete(x1); 1281 xfrm_state_put(x1); 1282 return 0; 1283 } 1284 1285 err = -EINVAL; 1286 spin_lock_bh(&x1->lock); 1287 if (likely(x1->km.state == XFRM_STATE_VALID)) { 1288 if (x->encap && x1->encap) 1289 memcpy(x1->encap, x->encap, sizeof(*x1->encap)); 1290 if (x->coaddr && x1->coaddr) { 1291 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr)); 1292 } 1293 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel))) 1294 memcpy(&x1->sel, &x->sel, sizeof(x1->sel)); 1295 memcpy(&x1->lft, &x->lft, sizeof(x1->lft)); 1296 x1->km.dying = 0; 1297 1298 mod_timer(&x1->timer, jiffies + HZ); 1299 if (x1->curlft.use_time) 1300 xfrm_state_check_expire(x1); 1301 1302 err = 0; 1303 } 1304 spin_unlock_bh(&x1->lock); 1305 1306 xfrm_state_put(x1); 1307 1308 return err; 1309 } 1310 EXPORT_SYMBOL(xfrm_state_update); 1311 1312 int xfrm_state_check_expire(struct xfrm_state *x) 1313 { 1314 if (!x->curlft.use_time) 1315 x->curlft.use_time = get_seconds(); 1316 1317 if (x->km.state != XFRM_STATE_VALID) 1318 return -EINVAL; 1319 1320 if (x->curlft.bytes >= x->lft.hard_byte_limit || 1321 x->curlft.packets >= x->lft.hard_packet_limit) { 1322 x->km.state = XFRM_STATE_EXPIRED; 1323 mod_timer(&x->timer, jiffies); 1324 return -EINVAL; 1325 } 1326 1327 if (!x->km.dying && 1328 (x->curlft.bytes >= x->lft.soft_byte_limit || 1329 x->curlft.packets >= x->lft.soft_packet_limit)) { 1330 x->km.dying = 1; 1331 km_state_expired(x, 0, 0); 1332 } 1333 return 0; 1334 } 1335 EXPORT_SYMBOL(xfrm_state_check_expire); 1336 1337 struct xfrm_state * 1338 xfrm_state_lookup(xfrm_address_t *daddr, __be32 spi, u8 proto, 1339 unsigned short family) 1340 { 1341 struct xfrm_state *x; 1342 1343 spin_lock_bh(&xfrm_state_lock); 1344 x = __xfrm_state_lookup(daddr, spi, proto, family); 1345 spin_unlock_bh(&xfrm_state_lock); 1346 return x; 1347 } 1348 EXPORT_SYMBOL(xfrm_state_lookup); 1349 1350 struct xfrm_state * 1351 xfrm_state_lookup_byaddr(xfrm_address_t *daddr, xfrm_address_t *saddr, 1352 u8 proto, unsigned short family) 1353 { 1354 struct xfrm_state *x; 1355 1356 spin_lock_bh(&xfrm_state_lock); 1357 x = __xfrm_state_lookup_byaddr(daddr, saddr, proto, family); 1358 spin_unlock_bh(&xfrm_state_lock); 1359 return x; 1360 } 1361 EXPORT_SYMBOL(xfrm_state_lookup_byaddr); 1362 1363 struct xfrm_state * 1364 xfrm_find_acq(u8 mode, u32 reqid, u8 proto, 1365 xfrm_address_t *daddr, xfrm_address_t *saddr, 1366 int create, unsigned short family) 1367 { 1368 struct xfrm_state *x; 1369 1370 spin_lock_bh(&xfrm_state_lock); 1371 x = __find_acq_core(family, mode, reqid, proto, daddr, saddr, create); 1372 spin_unlock_bh(&xfrm_state_lock); 1373 1374 return x; 1375 } 1376 EXPORT_SYMBOL(xfrm_find_acq); 1377 1378 #ifdef CONFIG_XFRM_SUB_POLICY 1379 int 1380 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n, 1381 unsigned short family) 1382 { 1383 int err = 0; 1384 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1385 if (!afinfo) 1386 return -EAFNOSUPPORT; 1387 1388 spin_lock_bh(&xfrm_state_lock); 1389 if (afinfo->tmpl_sort) 1390 err = afinfo->tmpl_sort(dst, src, n); 1391 spin_unlock_bh(&xfrm_state_lock); 1392 xfrm_state_put_afinfo(afinfo); 1393 return err; 1394 } 1395 EXPORT_SYMBOL(xfrm_tmpl_sort); 1396 1397 int 1398 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n, 1399 unsigned short family) 1400 { 1401 int err = 0; 1402 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family); 1403 if (!afinfo) 1404 return -EAFNOSUPPORT; 1405 1406 spin_lock_bh(&xfrm_state_lock); 1407 if (afinfo->state_sort) 1408 err = afinfo->state_sort(dst, src, n); 1409 spin_unlock_bh(&xfrm_state_lock); 1410 xfrm_state_put_afinfo(afinfo); 1411 return err; 1412 } 1413 EXPORT_SYMBOL(xfrm_state_sort); 1414 #endif 1415 1416 /* Silly enough, but I'm lazy to build resolution list */ 1417 1418 static struct xfrm_state *__xfrm_find_acq_byseq(u32 seq) 1419 { 1420 int i; 1421 1422 for (i = 0; i <= xfrm_state_hmask; i++) { 1423 struct hlist_node *entry; 1424 struct xfrm_state *x; 1425 1426 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 1427 if (x->km.seq == seq && 1428 x->km.state == XFRM_STATE_ACQ) { 1429 xfrm_state_hold(x); 1430 return x; 1431 } 1432 } 1433 } 1434 return NULL; 1435 } 1436 1437 struct xfrm_state *xfrm_find_acq_byseq(u32 seq) 1438 { 1439 struct xfrm_state *x; 1440 1441 spin_lock_bh(&xfrm_state_lock); 1442 x = __xfrm_find_acq_byseq(seq); 1443 spin_unlock_bh(&xfrm_state_lock); 1444 return x; 1445 } 1446 EXPORT_SYMBOL(xfrm_find_acq_byseq); 1447 1448 u32 xfrm_get_acqseq(void) 1449 { 1450 u32 res; 1451 static u32 acqseq; 1452 static DEFINE_SPINLOCK(acqseq_lock); 1453 1454 spin_lock_bh(&acqseq_lock); 1455 res = (++acqseq ? : ++acqseq); 1456 spin_unlock_bh(&acqseq_lock); 1457 return res; 1458 } 1459 EXPORT_SYMBOL(xfrm_get_acqseq); 1460 1461 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high) 1462 { 1463 unsigned int h; 1464 struct xfrm_state *x0; 1465 int err = -ENOENT; 1466 __be32 minspi = htonl(low); 1467 __be32 maxspi = htonl(high); 1468 1469 spin_lock_bh(&x->lock); 1470 if (x->km.state == XFRM_STATE_DEAD) 1471 goto unlock; 1472 1473 err = 0; 1474 if (x->id.spi) 1475 goto unlock; 1476 1477 err = -ENOENT; 1478 1479 if (minspi == maxspi) { 1480 x0 = xfrm_state_lookup(&x->id.daddr, minspi, x->id.proto, x->props.family); 1481 if (x0) { 1482 xfrm_state_put(x0); 1483 goto unlock; 1484 } 1485 x->id.spi = minspi; 1486 } else { 1487 u32 spi = 0; 1488 for (h=0; h<high-low+1; h++) { 1489 spi = low + net_random()%(high-low+1); 1490 x0 = xfrm_state_lookup(&x->id.daddr, htonl(spi), x->id.proto, x->props.family); 1491 if (x0 == NULL) { 1492 x->id.spi = htonl(spi); 1493 break; 1494 } 1495 xfrm_state_put(x0); 1496 } 1497 } 1498 if (x->id.spi) { 1499 spin_lock_bh(&xfrm_state_lock); 1500 h = xfrm_spi_hash(&x->id.daddr, x->id.spi, x->id.proto, x->props.family); 1501 hlist_add_head(&x->byspi, xfrm_state_byspi+h); 1502 spin_unlock_bh(&xfrm_state_lock); 1503 1504 err = 0; 1505 } 1506 1507 unlock: 1508 spin_unlock_bh(&x->lock); 1509 1510 return err; 1511 } 1512 EXPORT_SYMBOL(xfrm_alloc_spi); 1513 1514 int xfrm_state_walk(u8 proto, int (*func)(struct xfrm_state *, int, void*), 1515 void *data) 1516 { 1517 int i; 1518 struct xfrm_state *x, *last = NULL; 1519 struct hlist_node *entry; 1520 int count = 0; 1521 int err = 0; 1522 1523 spin_lock_bh(&xfrm_state_lock); 1524 for (i = 0; i <= xfrm_state_hmask; i++) { 1525 hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) { 1526 if (!xfrm_id_proto_match(x->id.proto, proto)) 1527 continue; 1528 if (last) { 1529 err = func(last, count, data); 1530 if (err) 1531 goto out; 1532 } 1533 last = x; 1534 count++; 1535 } 1536 } 1537 if (count == 0) { 1538 err = -ENOENT; 1539 goto out; 1540 } 1541 err = func(last, 0, data); 1542 out: 1543 spin_unlock_bh(&xfrm_state_lock); 1544 return err; 1545 } 1546 EXPORT_SYMBOL(xfrm_state_walk); 1547 1548 1549 void xfrm_replay_notify(struct xfrm_state *x, int event) 1550 { 1551 struct km_event c; 1552 /* we send notify messages in case 1553 * 1. we updated on of the sequence numbers, and the seqno difference 1554 * is at least x->replay_maxdiff, in this case we also update the 1555 * timeout of our timer function 1556 * 2. if x->replay_maxage has elapsed since last update, 1557 * and there were changes 1558 * 1559 * The state structure must be locked! 1560 */ 1561 1562 switch (event) { 1563 case XFRM_REPLAY_UPDATE: 1564 if (x->replay_maxdiff && 1565 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) && 1566 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) { 1567 if (x->xflags & XFRM_TIME_DEFER) 1568 event = XFRM_REPLAY_TIMEOUT; 1569 else 1570 return; 1571 } 1572 1573 break; 1574 1575 case XFRM_REPLAY_TIMEOUT: 1576 if ((x->replay.seq == x->preplay.seq) && 1577 (x->replay.bitmap == x->preplay.bitmap) && 1578 (x->replay.oseq == x->preplay.oseq)) { 1579 x->xflags |= XFRM_TIME_DEFER; 1580 return; 1581 } 1582 1583 break; 1584 } 1585 1586 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state)); 1587 c.event = XFRM_MSG_NEWAE; 1588 c.data.aevent = event; 1589 km_state_notify(x, &c); 1590 1591 if (x->replay_maxage && 1592 !mod_timer(&x->rtimer, jiffies + x->replay_maxage)) 1593 x->xflags &= ~XFRM_TIME_DEFER; 1594 } 1595 1596 static void xfrm_replay_timer_handler(unsigned long data) 1597 { 1598 struct xfrm_state *x = (struct xfrm_state*)data; 1599 1600 spin_lock(&x->lock); 1601 1602 if (x->km.state == XFRM_STATE_VALID) { 1603 if (xfrm_aevent_is_on()) 1604 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT); 1605 else 1606 x->xflags |= XFRM_TIME_DEFER; 1607 } 1608 1609 spin_unlock(&x->lock); 1610 } 1611 1612 int xfrm_replay_check(struct xfrm_state *x, __be32 net_seq) 1613 { 1614 u32 diff; 1615 u32 seq = ntohl(net_seq); 1616 1617 if (unlikely(seq == 0)) 1618 return -EINVAL; 1619 1620 if (likely(seq > x->replay.seq)) 1621 return 0; 1622 1623 diff = x->replay.seq - seq; 1624 if (diff >= min_t(unsigned int, x->props.replay_window, 1625 sizeof(x->replay.bitmap) * 8)) { 1626 x->stats.replay_window++; 1627 return -EINVAL; 1628 } 1629 1630 if (x->replay.bitmap & (1U << diff)) { 1631 x->stats.replay++; 1632 return -EINVAL; 1633 } 1634 return 0; 1635 } 1636 EXPORT_SYMBOL(xfrm_replay_check); 1637 1638 void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq) 1639 { 1640 u32 diff; 1641 u32 seq = ntohl(net_seq); 1642 1643 if (seq > x->replay.seq) { 1644 diff = seq - x->replay.seq; 1645 if (diff < x->props.replay_window) 1646 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1; 1647 else 1648 x->replay.bitmap = 1; 1649 x->replay.seq = seq; 1650 } else { 1651 diff = x->replay.seq - seq; 1652 x->replay.bitmap |= (1U << diff); 1653 } 1654 1655 if (xfrm_aevent_is_on()) 1656 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE); 1657 } 1658 EXPORT_SYMBOL(xfrm_replay_advance); 1659 1660 static struct list_head xfrm_km_list = LIST_HEAD_INIT(xfrm_km_list); 1661 static DEFINE_RWLOCK(xfrm_km_lock); 1662 1663 void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c) 1664 { 1665 struct xfrm_mgr *km; 1666 1667 read_lock(&xfrm_km_lock); 1668 list_for_each_entry(km, &xfrm_km_list, list) 1669 if (km->notify_policy) 1670 km->notify_policy(xp, dir, c); 1671 read_unlock(&xfrm_km_lock); 1672 } 1673 1674 void km_state_notify(struct xfrm_state *x, struct km_event *c) 1675 { 1676 struct xfrm_mgr *km; 1677 read_lock(&xfrm_km_lock); 1678 list_for_each_entry(km, &xfrm_km_list, list) 1679 if (km->notify) 1680 km->notify(x, c); 1681 read_unlock(&xfrm_km_lock); 1682 } 1683 1684 EXPORT_SYMBOL(km_policy_notify); 1685 EXPORT_SYMBOL(km_state_notify); 1686 1687 void km_state_expired(struct xfrm_state *x, int hard, u32 pid) 1688 { 1689 struct km_event c; 1690 1691 c.data.hard = hard; 1692 c.pid = pid; 1693 c.event = XFRM_MSG_EXPIRE; 1694 km_state_notify(x, &c); 1695 1696 if (hard) 1697 wake_up(&km_waitq); 1698 } 1699 1700 EXPORT_SYMBOL(km_state_expired); 1701 /* 1702 * We send to all registered managers regardless of failure 1703 * We are happy with one success 1704 */ 1705 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol) 1706 { 1707 int err = -EINVAL, acqret; 1708 struct xfrm_mgr *km; 1709 1710 read_lock(&xfrm_km_lock); 1711 list_for_each_entry(km, &xfrm_km_list, list) { 1712 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT); 1713 if (!acqret) 1714 err = acqret; 1715 } 1716 read_unlock(&xfrm_km_lock); 1717 return err; 1718 } 1719 EXPORT_SYMBOL(km_query); 1720 1721 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport) 1722 { 1723 int err = -EINVAL; 1724 struct xfrm_mgr *km; 1725 1726 read_lock(&xfrm_km_lock); 1727 list_for_each_entry(km, &xfrm_km_list, list) { 1728 if (km->new_mapping) 1729 err = km->new_mapping(x, ipaddr, sport); 1730 if (!err) 1731 break; 1732 } 1733 read_unlock(&xfrm_km_lock); 1734 return err; 1735 } 1736 EXPORT_SYMBOL(km_new_mapping); 1737 1738 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid) 1739 { 1740 struct km_event c; 1741 1742 c.data.hard = hard; 1743 c.pid = pid; 1744 c.event = XFRM_MSG_POLEXPIRE; 1745 km_policy_notify(pol, dir, &c); 1746 1747 if (hard) 1748 wake_up(&km_waitq); 1749 } 1750 EXPORT_SYMBOL(km_policy_expired); 1751 1752 int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type, 1753 struct xfrm_migrate *m, int num_migrate) 1754 { 1755 int err = -EINVAL; 1756 int ret; 1757 struct xfrm_mgr *km; 1758 1759 read_lock(&xfrm_km_lock); 1760 list_for_each_entry(km, &xfrm_km_list, list) { 1761 if (km->migrate) { 1762 ret = km->migrate(sel, dir, type, m, num_migrate); 1763 if (!ret) 1764 err = ret; 1765 } 1766 } 1767 read_unlock(&xfrm_km_lock); 1768 return err; 1769 } 1770 EXPORT_SYMBOL(km_migrate); 1771 1772 int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr) 1773 { 1774 int err = -EINVAL; 1775 int ret; 1776 struct xfrm_mgr *km; 1777 1778 read_lock(&xfrm_km_lock); 1779 list_for_each_entry(km, &xfrm_km_list, list) { 1780 if (km->report) { 1781 ret = km->report(proto, sel, addr); 1782 if (!ret) 1783 err = ret; 1784 } 1785 } 1786 read_unlock(&xfrm_km_lock); 1787 return err; 1788 } 1789 EXPORT_SYMBOL(km_report); 1790 1791 int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen) 1792 { 1793 int err; 1794 u8 *data; 1795 struct xfrm_mgr *km; 1796 struct xfrm_policy *pol = NULL; 1797 1798 if (optlen <= 0 || optlen > PAGE_SIZE) 1799 return -EMSGSIZE; 1800 1801 data = kmalloc(optlen, GFP_KERNEL); 1802 if (!data) 1803 return -ENOMEM; 1804 1805 err = -EFAULT; 1806 if (copy_from_user(data, optval, optlen)) 1807 goto out; 1808 1809 err = -EINVAL; 1810 read_lock(&xfrm_km_lock); 1811 list_for_each_entry(km, &xfrm_km_list, list) { 1812 pol = km->compile_policy(sk, optname, data, 1813 optlen, &err); 1814 if (err >= 0) 1815 break; 1816 } 1817 read_unlock(&xfrm_km_lock); 1818 1819 if (err >= 0) { 1820 xfrm_sk_policy_insert(sk, err, pol); 1821 xfrm_pol_put(pol); 1822 err = 0; 1823 } 1824 1825 out: 1826 kfree(data); 1827 return err; 1828 } 1829 EXPORT_SYMBOL(xfrm_user_policy); 1830 1831 int xfrm_register_km(struct xfrm_mgr *km) 1832 { 1833 write_lock_bh(&xfrm_km_lock); 1834 list_add_tail(&km->list, &xfrm_km_list); 1835 write_unlock_bh(&xfrm_km_lock); 1836 return 0; 1837 } 1838 EXPORT_SYMBOL(xfrm_register_km); 1839 1840 int xfrm_unregister_km(struct xfrm_mgr *km) 1841 { 1842 write_lock_bh(&xfrm_km_lock); 1843 list_del(&km->list); 1844 write_unlock_bh(&xfrm_km_lock); 1845 return 0; 1846 } 1847 EXPORT_SYMBOL(xfrm_unregister_km); 1848 1849 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo) 1850 { 1851 int err = 0; 1852 if (unlikely(afinfo == NULL)) 1853 return -EINVAL; 1854 if (unlikely(afinfo->family >= NPROTO)) 1855 return -EAFNOSUPPORT; 1856 write_lock_bh(&xfrm_state_afinfo_lock); 1857 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL)) 1858 err = -ENOBUFS; 1859 else 1860 xfrm_state_afinfo[afinfo->family] = afinfo; 1861 write_unlock_bh(&xfrm_state_afinfo_lock); 1862 return err; 1863 } 1864 EXPORT_SYMBOL(xfrm_state_register_afinfo); 1865 1866 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo) 1867 { 1868 int err = 0; 1869 if (unlikely(afinfo == NULL)) 1870 return -EINVAL; 1871 if (unlikely(afinfo->family >= NPROTO)) 1872 return -EAFNOSUPPORT; 1873 write_lock_bh(&xfrm_state_afinfo_lock); 1874 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) { 1875 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo)) 1876 err = -EINVAL; 1877 else 1878 xfrm_state_afinfo[afinfo->family] = NULL; 1879 } 1880 write_unlock_bh(&xfrm_state_afinfo_lock); 1881 return err; 1882 } 1883 EXPORT_SYMBOL(xfrm_state_unregister_afinfo); 1884 1885 static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family) 1886 { 1887 struct xfrm_state_afinfo *afinfo; 1888 if (unlikely(family >= NPROTO)) 1889 return NULL; 1890 read_lock(&xfrm_state_afinfo_lock); 1891 afinfo = xfrm_state_afinfo[family]; 1892 if (unlikely(!afinfo)) 1893 read_unlock(&xfrm_state_afinfo_lock); 1894 return afinfo; 1895 } 1896 1897 static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo) 1898 { 1899 read_unlock(&xfrm_state_afinfo_lock); 1900 } 1901 1902 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */ 1903 void xfrm_state_delete_tunnel(struct xfrm_state *x) 1904 { 1905 if (x->tunnel) { 1906 struct xfrm_state *t = x->tunnel; 1907 1908 if (atomic_read(&t->tunnel_users) == 2) 1909 xfrm_state_delete(t); 1910 atomic_dec(&t->tunnel_users); 1911 xfrm_state_put(t); 1912 x->tunnel = NULL; 1913 } 1914 } 1915 EXPORT_SYMBOL(xfrm_state_delete_tunnel); 1916 1917 int xfrm_state_mtu(struct xfrm_state *x, int mtu) 1918 { 1919 int res; 1920 1921 spin_lock_bh(&x->lock); 1922 if (x->km.state == XFRM_STATE_VALID && 1923 x->type && x->type->get_mtu) 1924 res = x->type->get_mtu(x, mtu); 1925 else 1926 res = mtu - x->props.header_len; 1927 spin_unlock_bh(&x->lock); 1928 return res; 1929 } 1930 1931 int xfrm_init_state(struct xfrm_state *x) 1932 { 1933 struct xfrm_state_afinfo *afinfo; 1934 int family = x->props.family; 1935 int err; 1936 1937 err = -EAFNOSUPPORT; 1938 afinfo = xfrm_state_get_afinfo(family); 1939 if (!afinfo) 1940 goto error; 1941 1942 err = 0; 1943 if (afinfo->init_flags) 1944 err = afinfo->init_flags(x); 1945 1946 xfrm_state_put_afinfo(afinfo); 1947 1948 if (err) 1949 goto error; 1950 1951 err = -EPROTONOSUPPORT; 1952 x->inner_mode = xfrm_get_mode(x->props.mode, x->sel.family); 1953 if (x->inner_mode == NULL) 1954 goto error; 1955 1956 if (!(x->inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) && 1957 family != x->sel.family) 1958 goto error; 1959 1960 x->type = xfrm_get_type(x->id.proto, family); 1961 if (x->type == NULL) 1962 goto error; 1963 1964 err = x->type->init_state(x); 1965 if (err) 1966 goto error; 1967 1968 x->outer_mode = xfrm_get_mode(x->props.mode, family); 1969 if (x->outer_mode == NULL) 1970 goto error; 1971 1972 x->km.state = XFRM_STATE_VALID; 1973 1974 error: 1975 return err; 1976 } 1977 1978 EXPORT_SYMBOL(xfrm_init_state); 1979 1980 void __init xfrm_state_init(void) 1981 { 1982 unsigned int sz; 1983 1984 sz = sizeof(struct hlist_head) * 8; 1985 1986 xfrm_state_bydst = xfrm_hash_alloc(sz); 1987 xfrm_state_bysrc = xfrm_hash_alloc(sz); 1988 xfrm_state_byspi = xfrm_hash_alloc(sz); 1989 if (!xfrm_state_bydst || !xfrm_state_bysrc || !xfrm_state_byspi) 1990 panic("XFRM: Cannot allocate bydst/bysrc/byspi hashes."); 1991 xfrm_state_hmask = ((sz / sizeof(struct hlist_head)) - 1); 1992 1993 INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task); 1994 } 1995 1996 #ifdef CONFIG_AUDITSYSCALL 1997 static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x, 1998 struct audit_buffer *audit_buf) 1999 { 2000 if (x->security) 2001 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s", 2002 x->security->ctx_alg, x->security->ctx_doi, 2003 x->security->ctx_str); 2004 2005 switch(x->props.family) { 2006 case AF_INET: 2007 audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u", 2008 NIPQUAD(x->props.saddr.a4), 2009 NIPQUAD(x->id.daddr.a4)); 2010 break; 2011 case AF_INET6: 2012 { 2013 struct in6_addr saddr6, daddr6; 2014 2015 memcpy(&saddr6, x->props.saddr.a6, 2016 sizeof(struct in6_addr)); 2017 memcpy(&daddr6, x->id.daddr.a6, 2018 sizeof(struct in6_addr)); 2019 audit_log_format(audit_buf, 2020 " src=" NIP6_FMT " dst=" NIP6_FMT, 2021 NIP6(saddr6), NIP6(daddr6)); 2022 } 2023 break; 2024 } 2025 } 2026 2027 void 2028 xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid) 2029 { 2030 struct audit_buffer *audit_buf; 2031 extern int audit_enabled; 2032 2033 if (audit_enabled == 0) 2034 return; 2035 audit_buf = xfrm_audit_start(sid, auid); 2036 if (audit_buf == NULL) 2037 return; 2038 audit_log_format(audit_buf, " op=SAD-add res=%u",result); 2039 xfrm_audit_common_stateinfo(x, audit_buf); 2040 audit_log_format(audit_buf, " spi=%lu(0x%lx)", 2041 (unsigned long)x->id.spi, (unsigned long)x->id.spi); 2042 audit_log_end(audit_buf); 2043 } 2044 EXPORT_SYMBOL_GPL(xfrm_audit_state_add); 2045 2046 void 2047 xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid) 2048 { 2049 struct audit_buffer *audit_buf; 2050 extern int audit_enabled; 2051 2052 if (audit_enabled == 0) 2053 return; 2054 audit_buf = xfrm_audit_start(sid, auid); 2055 if (audit_buf == NULL) 2056 return; 2057 audit_log_format(audit_buf, " op=SAD-delete res=%u",result); 2058 xfrm_audit_common_stateinfo(x, audit_buf); 2059 audit_log_format(audit_buf, " spi=%lu(0x%lx)", 2060 (unsigned long)x->id.spi, (unsigned long)x->id.spi); 2061 audit_log_end(audit_buf); 2062 } 2063 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete); 2064 #endif /* CONFIG_AUDITSYSCALL */ 2065