]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/xfrm/xfrm_state.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netns xfrm: xfrm_input() fixup
[mirror_ubuntu-artful-kernel.git] / net / xfrm / xfrm_state.c
CommitLineData
1da177e4
LT		 1/*
2 * xfrm_state.c
3 *
4 * Changes:
5 * Mitsuru KANDA @USAGI
6 * Kazunori MIYAZAWA @USAGI
7 * Kunihiro Ishiguro <kunihiro@ipinfusion.com>
8 * IPv6 support
9 * YOSHIFUJI Hideaki @USAGI
10 * Split up af-specific functions
11 * Derek Atkins <derek@ihtfp.com>
12 * Add UDP Encapsulation
df71837d 13 *
1da177e4
LT		 14 */
15
16#include <linux/workqueue.h>
17#include <net/xfrm.h>
18#include <linux/pfkeyv2.h>
19#include <linux/ipsec.h>
20#include <linux/module.h>
f034b5d4 21#include <linux/cache.h>
68277acc 22#include <linux/audit.h>
b5890d8b 23#include <asm/uaccess.h>
1da177e4 24
44e36b42
DM		 25#include "xfrm_hash.h"
26
ee857a7d
DM		 27struct sock *xfrm_nl;
28EXPORT_SYMBOL(xfrm_nl);
29
01e67d08 30u32 sysctl_xfrm_aevent_etime __read_mostly = XFRM_AE_ETIME;
a70fcb0b
DM		 31EXPORT_SYMBOL(sysctl_xfrm_aevent_etime);
32
01e67d08 33u32 sysctl_xfrm_aevent_rseqth __read_mostly = XFRM_AE_SEQT_SIZE;
a70fcb0b
DM		 34EXPORT_SYMBOL(sysctl_xfrm_aevent_rseqth);
35
01e67d08
DM		 36u32 sysctl_xfrm_acq_expires __read_mostly = 30;
37
1da177e4
LT		 38/* Each xfrm_state may be linked to two tables:
39
40 1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
a624c108 41 2. Hash table by (daddr,family,reqid) to find what SAs exist for given
1da177e4
LT		 42 destination/tunnel endpoint. (output)
43 */
44
45static DEFINE_SPINLOCK(xfrm_state_lock);
46
f034b5d4 47static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
9d4a706d 48static unsigned int xfrm_state_genid;
f034b5d4 49
17c2a42a
HX		 50static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family);
51static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo);
52
afeb14b4
PM		 53#ifdef CONFIG_AUDITSYSCALL
54static void xfrm_audit_state_replay(struct xfrm_state *x,
55 struct sk_buff *skb, __be32 net_seq);
56#else
57#define xfrm_audit_state_replay(x, s, sq) do { ; } while (0)
58#endif /* CONFIG_AUDITSYSCALL */
59
64d0cd00
AD		 60static inline unsigned int xfrm_dst_hash(struct net *net,
61 xfrm_address_t *daddr,
c1969f29
DM		 62 xfrm_address_t *saddr,
63 u32 reqid,
a624c108 64 unsigned short family)
f034b5d4 65{
64d0cd00 66 return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
f034b5d4
DM		 67}
68
64d0cd00
AD		 69static inline unsigned int xfrm_src_hash(struct net *net,
70 xfrm_address_t *daddr,
667bbcb6 71 xfrm_address_t *saddr,
44e36b42 72 unsigned short family)
f034b5d4 73{
64d0cd00 74 return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
f034b5d4
DM		 75}
76
f034b5d4 77static inline unsigned int
64d0cd00 78xfrm_spi_hash(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
f034b5d4 79{
64d0cd00 80 return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
f034b5d4
DM		 81}
82
f034b5d4
DM		 83static void xfrm_hash_transfer(struct hlist_head *list,
84 struct hlist_head *ndsttable,
85 struct hlist_head *nsrctable,
86 struct hlist_head *nspitable,
87 unsigned int nhashmask)
88{
89 struct hlist_node *entry, *tmp;
90 struct xfrm_state *x;
91
92 hlist_for_each_entry_safe(x, entry, tmp, list, bydst) {
93 unsigned int h;
94
c1969f29
DM		 95 h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
96 x->props.reqid, x->props.family,
97 nhashmask);
f034b5d4
DM		 98 hlist_add_head(&x->bydst, ndsttable+h);
99
667bbcb6
MN		 100 h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
101 x->props.family,
f034b5d4
DM		 102 nhashmask);
103 hlist_add_head(&x->bysrc, nsrctable+h);
104
7b4dc360
MN		 105 if (x->id.spi) {
106 h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
107 x->id.proto, x->props.family,
108 nhashmask);
109 hlist_add_head(&x->byspi, nspitable+h);
110 }
f034b5d4
DM		 111 }
112}
113
63082733 114static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
f034b5d4 115{
63082733 116 return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
f034b5d4
DM		 117}
118
119static DEFINE_MUTEX(hash_resize_mutex);
120
63082733 121static void xfrm_hash_resize(struct work_struct *work)
f034b5d4 122{
63082733 123 struct net *net = container_of(work, struct net, xfrm.state_hash_work);
f034b5d4
DM		 124 struct hlist_head *ndst, *nsrc, *nspi, *odst, *osrc, *ospi;
125 unsigned long nsize, osize;
126 unsigned int nhashmask, ohashmask;
127 int i;
128
129 mutex_lock(&hash_resize_mutex);
130
63082733 131 nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
44e36b42 132 ndst = xfrm_hash_alloc(nsize);
f034b5d4
DM		 133 if (!ndst)
134 goto out_unlock;
44e36b42 135 nsrc = xfrm_hash_alloc(nsize);
f034b5d4 136 if (!nsrc) {
44e36b42 137 xfrm_hash_free(ndst, nsize);
f034b5d4
DM		 138 goto out_unlock;
139 }
44e36b42 140 nspi = xfrm_hash_alloc(nsize);
f034b5d4 141 if (!nspi) {
44e36b42
DM		 142 xfrm_hash_free(ndst, nsize);
143 xfrm_hash_free(nsrc, nsize);
f034b5d4
DM		 144 goto out_unlock;
145 }
146
147 spin_lock_bh(&xfrm_state_lock);
148
149 nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
63082733
AD		 150 for (i = net->xfrm.state_hmask; i >= 0; i--)
151 xfrm_hash_transfer(net->xfrm.state_bydst+i, ndst, nsrc, nspi,
f034b5d4
DM		 152 nhashmask);
153
63082733
AD		 154 odst = net->xfrm.state_bydst;
155 osrc = net->xfrm.state_bysrc;
156 ospi = net->xfrm.state_byspi;
157 ohashmask = net->xfrm.state_hmask;
f034b5d4 158
63082733
AD		 159 net->xfrm.state_bydst = ndst;
160 net->xfrm.state_bysrc = nsrc;
161 net->xfrm.state_byspi = nspi;
162 net->xfrm.state_hmask = nhashmask;
f034b5d4
DM		 163
164 spin_unlock_bh(&xfrm_state_lock);
165
166 osize = (ohashmask + 1) * sizeof(struct hlist_head);
44e36b42
DM		 167 xfrm_hash_free(odst, osize);
168 xfrm_hash_free(osrc, osize);
169 xfrm_hash_free(ospi, osize);
f034b5d4
DM		 170
171out_unlock:
172 mutex_unlock(&hash_resize_mutex);
173}
174
1da177e4
LT		 175static DEFINE_RWLOCK(xfrm_state_afinfo_lock);
176static struct xfrm_state_afinfo *xfrm_state_afinfo[NPROTO];
177
1da177e4
LT		 178static DEFINE_SPINLOCK(xfrm_state_gc_lock);
179
53bc6b4d 180int __xfrm_state_delete(struct xfrm_state *x);
1da177e4 181
980ebd25 182int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
53bc6b4d 183void km_state_expired(struct xfrm_state *x, int hard, u32 pid);
1da177e4 184
aa5d62cc
HX		 185static struct xfrm_state_afinfo *xfrm_state_lock_afinfo(unsigned int family)
186{
187 struct xfrm_state_afinfo *afinfo;
188 if (unlikely(family >= NPROTO))
189 return NULL;
190 write_lock_bh(&xfrm_state_afinfo_lock);
191 afinfo = xfrm_state_afinfo[family];
192 if (unlikely(!afinfo))
193 write_unlock_bh(&xfrm_state_afinfo_lock);
194 return afinfo;
195}
196
197static void xfrm_state_unlock_afinfo(struct xfrm_state_afinfo *afinfo)
9a429c49 198 __releases(xfrm_state_afinfo_lock)
aa5d62cc
HX		 199{
200 write_unlock_bh(&xfrm_state_afinfo_lock);
201}
202
533cb5b0 203int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
aa5d62cc
HX		 204{
205 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
533cb5b0 206 const struct xfrm_type **typemap;
aa5d62cc
HX		 207 int err = 0;
208
209 if (unlikely(afinfo == NULL))
210 return -EAFNOSUPPORT;
211 typemap = afinfo->type_map;
212
213 if (likely(typemap[type->proto] == NULL))
214 typemap[type->proto] = type;
215 else
216 err = -EEXIST;
217 xfrm_state_unlock_afinfo(afinfo);
218 return err;
219}
220EXPORT_SYMBOL(xfrm_register_type);
221
533cb5b0 222int xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
aa5d62cc
HX		 223{
224 struct xfrm_state_afinfo *afinfo = xfrm_state_lock_afinfo(family);
533cb5b0 225 const struct xfrm_type **typemap;
aa5d62cc
HX		 226 int err = 0;
227
228 if (unlikely(afinfo == NULL))
229 return -EAFNOSUPPORT;
230 typemap = afinfo->type_map;
231
232 if (unlikely(typemap[type->proto] != type))
233 err = -ENOENT;
234 else
235 typemap[type->proto] = NULL;
236 xfrm_state_unlock_afinfo(afinfo);
237 return err;
238}
239EXPORT_SYMBOL(xfrm_unregister_type);
240
533cb5b0 241static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
aa5d62cc
HX		 242{
243 struct xfrm_state_afinfo *afinfo;
533cb5b0
ED		 244 const struct xfrm_type **typemap;
245 const struct xfrm_type *type;
aa5d62cc
HX		 246 int modload_attempted = 0;
247
248retry:
249 afinfo = xfrm_state_get_afinfo(family);
250 if (unlikely(afinfo == NULL))
251 return NULL;
252 typemap = afinfo->type_map;
253
254 type = typemap[proto];
255 if (unlikely(type && !try_module_get(type->owner)))
256 type = NULL;
257 if (!type && !modload_attempted) {
258 xfrm_state_put_afinfo(afinfo);
259 request_module("xfrm-type-%d-%d", family, proto);
260 modload_attempted = 1;
261 goto retry;
262 }
263
264 xfrm_state_put_afinfo(afinfo);
265 return type;
266}
267
533cb5b0 268static void xfrm_put_type(const struct xfrm_type *type)
aa5d62cc
HX		 269{
270 module_put(type->owner);
271}
272
273int xfrm_register_mode(struct xfrm_mode *mode, int family)
274{
275 struct xfrm_state_afinfo *afinfo;
276 struct xfrm_mode **modemap;
277 int err;
278
279 if (unlikely(mode->encap >= XFRM_MODE_MAX))
280 return -EINVAL;
281
282 afinfo = xfrm_state_lock_afinfo(family);
283 if (unlikely(afinfo == NULL))
284 return -EAFNOSUPPORT;
285
286 err = -EEXIST;
287 modemap = afinfo->mode_map;
17c2a42a
HX		 288 if (modemap[mode->encap])
289 goto out;
aa5d62cc 290
17c2a42a
HX		 291 err = -ENOENT;
292 if (!try_module_get(afinfo->owner))
293 goto out;
294
295 mode->afinfo = afinfo;
296 modemap[mode->encap] = mode;
297 err = 0;
298
299out:
aa5d62cc
HX		 300 xfrm_state_unlock_afinfo(afinfo);
301 return err;
302}
303EXPORT_SYMBOL(xfrm_register_mode);
304
305int xfrm_unregister_mode(struct xfrm_mode *mode, int family)
306{
307 struct xfrm_state_afinfo *afinfo;
308 struct xfrm_mode **modemap;
309 int err;
310
311 if (unlikely(mode->encap >= XFRM_MODE_MAX))
312 return -EINVAL;
313
314 afinfo = xfrm_state_lock_afinfo(family);
315 if (unlikely(afinfo == NULL))
316 return -EAFNOSUPPORT;
317
318 err = -ENOENT;
319 modemap = afinfo->mode_map;
320 if (likely(modemap[mode->encap] == mode)) {
321 modemap[mode->encap] = NULL;
17c2a42a 322 module_put(mode->afinfo->owner);
aa5d62cc
HX		 323 err = 0;
324 }
325
326 xfrm_state_unlock_afinfo(afinfo);
327 return err;
328}
329EXPORT_SYMBOL(xfrm_unregister_mode);
330
331static struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
332{
333 struct xfrm_state_afinfo *afinfo;
334 struct xfrm_mode *mode;
335 int modload_attempted = 0;
336
337 if (unlikely(encap >= XFRM_MODE_MAX))
338 return NULL;
339
340retry:
341 afinfo = xfrm_state_get_afinfo(family);
342 if (unlikely(afinfo == NULL))
343 return NULL;
344
345 mode = afinfo->mode_map[encap];
346 if (unlikely(mode && !try_module_get(mode->owner)))
347 mode = NULL;
348 if (!mode && !modload_attempted) {
349 xfrm_state_put_afinfo(afinfo);
350 request_module("xfrm-mode-%d-%d", family, encap);
351 modload_attempted = 1;
352 goto retry;
353 }
354
355 xfrm_state_put_afinfo(afinfo);
356 return mode;
357}
358
359static void xfrm_put_mode(struct xfrm_mode *mode)
360{
361 module_put(mode->owner);
362}
363
1da177e4
LT		 364static void xfrm_state_gc_destroy(struct xfrm_state *x)
365{
a47f0ce0
DM		 366 del_timer_sync(&x->timer);
367 del_timer_sync(&x->rtimer);
a51482bd
JJ		 368 kfree(x->aalg);
369 kfree(x->ealg);
370 kfree(x->calg);
371 kfree(x->encap);
060f02a3 372 kfree(x->coaddr);
13996378
HX		 373 if (x->inner_mode)
374 xfrm_put_mode(x->inner_mode);
df9dcb45
KM		 375 if (x->inner_mode_iaf)
376 xfrm_put_mode(x->inner_mode_iaf);
13996378
HX		 377 if (x->outer_mode)
378 xfrm_put_mode(x->outer_mode);
1da177e4
LT		 379 if (x->type) {
380 x->type->destructor(x);
381 xfrm_put_type(x->type);
382 }
df71837d 383 security_xfrm_state_free(x);
1da177e4
LT		 384 kfree(x);
385}
386
c7837144 387static void xfrm_state_gc_task(struct work_struct *work)
1da177e4 388{
c7837144 389 struct net *net = container_of(work, struct net, xfrm.state_gc_work);
12a169e7
HX		 390 struct xfrm_state *x;
391 struct hlist_node *entry, *tmp;
392 struct hlist_head gc_list;
1da177e4 393
1da177e4 394 spin_lock_bh(&xfrm_state_gc_lock);
c7837144 395 hlist_move_list(&net->xfrm.state_gc_list, &gc_list);
1da177e4
LT		 396 spin_unlock_bh(&xfrm_state_gc_lock);
397
12a169e7 398 hlist_for_each_entry_safe(x, entry, tmp, &gc_list, gclist)
1da177e4 399 xfrm_state_gc_destroy(x);
8f126e37 400
50a30657 401 wake_up(&net->xfrm.km_waitq);
1da177e4
LT		 402}
403
404static inline unsigned long make_jiffies(long secs)
405{
406 if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
407 return MAX_SCHEDULE_TIMEOUT-1;
408 else
a716c119 409 return secs*HZ;
1da177e4
LT		 410}
411
412static void xfrm_timer_handler(unsigned long data)
413{
414 struct xfrm_state *x = (struct xfrm_state*)data;
98806f75 415 struct net *net = xs_net(x);
9d729f72 416 unsigned long now = get_seconds();
1da177e4
LT		 417 long next = LONG_MAX;
418 int warn = 0;
161a09e7 419 int err = 0;
1da177e4
LT		 420
421 spin_lock(&x->lock);
422 if (x->km.state == XFRM_STATE_DEAD)
423 goto out;
424 if (x->km.state == XFRM_STATE_EXPIRED)
425 goto expired;
426 if (x->lft.hard_add_expires_seconds) {
427 long tmo = x->lft.hard_add_expires_seconds +
428 x->curlft.add_time - now;
429 if (tmo <= 0)
430 goto expired;
431 if (tmo < next)
432 next = tmo;
433 }
434 if (x->lft.hard_use_expires_seconds) {
435 long tmo = x->lft.hard_use_expires_seconds +
436 (x->curlft.use_time ? : now) - now;
437 if (tmo <= 0)
438 goto expired;
439 if (tmo < next)
440 next = tmo;
441 }
442 if (x->km.dying)
443 goto resched;
444 if (x->lft.soft_add_expires_seconds) {
445 long tmo = x->lft.soft_add_expires_seconds +
446 x->curlft.add_time - now;
447 if (tmo <= 0)
448 warn = 1;
449 else if (tmo < next)
450 next = tmo;
451 }
452 if (x->lft.soft_use_expires_seconds) {
453 long tmo = x->lft.soft_use_expires_seconds +
454 (x->curlft.use_time ? : now) - now;
455 if (tmo <= 0)
456 warn = 1;
457 else if (tmo < next)
458 next = tmo;
459 }
460
4666faab 461 x->km.dying = warn;
1da177e4 462 if (warn)
53bc6b4d 463 km_state_expired(x, 0, 0);
1da177e4 464resched:
a47f0ce0
DM		 465 if (next != LONG_MAX)
466 mod_timer(&x->timer, jiffies + make_jiffies(next));
467
1da177e4
LT		 468 goto out;
469
470expired:
471 if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0) {
472 x->km.state = XFRM_STATE_EXPIRED;
98806f75 473 wake_up(&net->xfrm.km_waitq);
1da177e4
LT		 474 next = 2;
475 goto resched;
476 }
161a09e7
JL		 477
478 err = __xfrm_state_delete(x);
479 if (!err && x->id.spi)
53bc6b4d 480 km_state_expired(x, 1, 0);
1da177e4 481
ab5f5e8b 482 xfrm_audit_state_delete(x, err ? 0 : 1,
2532386f
EP		 483 audit_get_loginuid(current),
484 audit_get_sessionid(current), 0);
161a09e7 485
1da177e4
LT		 486out:
487 spin_unlock(&x->lock);
1da177e4
LT		 488}
489
0ac84752
DM		 490static void xfrm_replay_timer_handler(unsigned long data);
491
673c09be 492struct xfrm_state *xfrm_state_alloc(struct net *net)
1da177e4
LT		 493{
494 struct xfrm_state *x;
495
0da974f4 496 x = kzalloc(sizeof(struct xfrm_state), GFP_ATOMIC);
1da177e4
LT		 497
498 if (x) {
673c09be 499 write_pnet(&x->xs_net, net);
1da177e4
LT		 500 atomic_set(&x->refcnt, 1);
501 atomic_set(&x->tunnel_users, 0);
12a169e7 502 INIT_LIST_HEAD(&x->km.all);
8f126e37
DM		 503 INIT_HLIST_NODE(&x->bydst);
504 INIT_HLIST_NODE(&x->bysrc);
505 INIT_HLIST_NODE(&x->byspi);
b24b8a24
PE		 506 setup_timer(&x->timer, xfrm_timer_handler, (unsigned long)x);
507 setup_timer(&x->rtimer, xfrm_replay_timer_handler,
508 (unsigned long)x);
9d729f72 509 x->curlft.add_time = get_seconds();
1da177e4
LT		 510 x->lft.soft_byte_limit = XFRM_INF;
511 x->lft.soft_packet_limit = XFRM_INF;
512 x->lft.hard_byte_limit = XFRM_INF;
513 x->lft.hard_packet_limit = XFRM_INF;
f8cd5488
JHS		 514 x->replay_maxage = 0;
515 x->replay_maxdiff = 0;
df9dcb45
KM		 516 x->inner_mode = NULL;
517 x->inner_mode_iaf = NULL;
1da177e4
LT		 518 spin_lock_init(&x->lock);
519 }
520 return x;
521}
522EXPORT_SYMBOL(xfrm_state_alloc);
523
524void __xfrm_state_destroy(struct xfrm_state *x)
525{
98806f75
AD		 526 struct net *net = xs_net(x);
527
547b792c 528 WARN_ON(x->km.state != XFRM_STATE_DEAD);
1da177e4
LT		 529
530 spin_lock_bh(&xfrm_state_gc_lock);
98806f75 531 hlist_add_head(&x->gclist, &net->xfrm.state_gc_list);
1da177e4 532 spin_unlock_bh(&xfrm_state_gc_lock);
98806f75 533 schedule_work(&net->xfrm.state_gc_work);
1da177e4
LT		 534}
535EXPORT_SYMBOL(__xfrm_state_destroy);
536
53bc6b4d 537int __xfrm_state_delete(struct xfrm_state *x)
1da177e4 538{
98806f75 539 struct net *net = xs_net(x);
26b15dad
JHS		 540 int err = -ESRCH;
541
1da177e4
LT		 542 if (x->km.state != XFRM_STATE_DEAD) {
543 x->km.state = XFRM_STATE_DEAD;
544 spin_lock(&xfrm_state_lock);
12a169e7 545 list_del(&x->km.all);
8f126e37 546 hlist_del(&x->bydst);
8f126e37 547 hlist_del(&x->bysrc);
a47f0ce0 548 if (x->id.spi)
8f126e37 549 hlist_del(&x->byspi);
98806f75 550 net->xfrm.state_num--;
1da177e4 551 spin_unlock(&xfrm_state_lock);
1da177e4 552
1da177e4
LT		 553 /* All xfrm_state objects are created by xfrm_state_alloc.
554 * The xfrm_state_alloc call gives a reference, and that
555 * is what we are dropping here.
556 */
5dba4797 557 xfrm_state_put(x);
26b15dad 558 err = 0;
1da177e4 559 }
26b15dad
JHS		 560
561 return err;
1da177e4 562}
53bc6b4d 563EXPORT_SYMBOL(__xfrm_state_delete);
1da177e4 564
26b15dad 565int xfrm_state_delete(struct xfrm_state *x)
1da177e4 566{
26b15dad
JHS		 567 int err;
568
1da177e4 569 spin_lock_bh(&x->lock);
26b15dad 570 err = __xfrm_state_delete(x);
1da177e4 571 spin_unlock_bh(&x->lock);
26b15dad
JHS		 572
573 return err;
1da177e4
LT		 574}
575EXPORT_SYMBOL(xfrm_state_delete);
576
4aa2e62c
JL		 577#ifdef CONFIG_SECURITY_NETWORK_XFRM
578static inline int
0e602451 579xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info)
1da177e4 580{
4aa2e62c
JL		 581 int i, err = 0;
582
0e602451 583 for (i = 0; i <= net->xfrm.state_hmask; i++) {
4aa2e62c
JL		 584 struct hlist_node *entry;
585 struct xfrm_state *x;
586
0e602451 587 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) {
4aa2e62c
JL		 588 if (xfrm_id_proto_match(x->id.proto, proto) &&
589 (err = security_xfrm_state_delete(x)) != 0) {
ab5f5e8b
JL		 590 xfrm_audit_state_delete(x, 0,
591 audit_info->loginuid,
2532386f 592 audit_info->sessionid,
ab5f5e8b 593 audit_info->secid);
4aa2e62c
JL		 594 return err;
595 }
596 }
597 }
598
599 return err;
600}
601#else
602static inline int
0e602451 603xfrm_state_flush_secctx_check(struct net *net, u8 proto, struct xfrm_audit *audit_info)
4aa2e62c
JL		 604{
605 return 0;
606}
607#endif
608
0e602451 609int xfrm_state_flush(struct net *net, u8 proto, struct xfrm_audit *audit_info)
4aa2e62c
JL		 610{
611 int i, err = 0;
1da177e4
LT		 612
613 spin_lock_bh(&xfrm_state_lock);
0e602451 614 err = xfrm_state_flush_secctx_check(net, proto, audit_info);
4aa2e62c
JL		 615 if (err)
616 goto out;
617
0e602451 618 for (i = 0; i <= net->xfrm.state_hmask; i++) {
8f126e37
DM		 619 struct hlist_node *entry;
620 struct xfrm_state *x;
1da177e4 621restart:
0e602451 622 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) {
1da177e4 623 if (!xfrm_state_kern(x) &&
5794708f 624 xfrm_id_proto_match(x->id.proto, proto)) {
1da177e4
LT		 625 xfrm_state_hold(x);
626 spin_unlock_bh(&xfrm_state_lock);
627
161a09e7 628 err = xfrm_state_delete(x);
ab5f5e8b
JL		 629 xfrm_audit_state_delete(x, err ? 0 : 1,
630 audit_info->loginuid,
2532386f 631 audit_info->sessionid,
ab5f5e8b 632 audit_info->secid);
1da177e4
LT		 633 xfrm_state_put(x);
634
635 spin_lock_bh(&xfrm_state_lock);
636 goto restart;
637 }
638 }
639 }
4aa2e62c
JL		 640 err = 0;
641
642out:
1da177e4 643 spin_unlock_bh(&xfrm_state_lock);
0e602451 644 wake_up(&net->xfrm.km_waitq);
4aa2e62c 645 return err;
1da177e4
LT		 646}
647EXPORT_SYMBOL(xfrm_state_flush);
648
af11e316 649void xfrm_sad_getinfo(struct xfrmk_sadinfo *si)
28d8909b
JHS		 650{
651 spin_lock_bh(&xfrm_state_lock);
0bf7c5b0 652 si->sadcnt = init_net.xfrm.state_num;
529983ec 653 si->sadhcnt = init_net.xfrm.state_hmask;
28d8909b
JHS		 654 si->sadhmcnt = xfrm_state_hashmax;
655 spin_unlock_bh(&xfrm_state_lock);
656}
657EXPORT_SYMBOL(xfrm_sad_getinfo);
658
1da177e4
LT		 659static int
660xfrm_init_tempsel(struct xfrm_state *x, struct flowi *fl,
661 struct xfrm_tmpl *tmpl,
662 xfrm_address_t *daddr, xfrm_address_t *saddr,
663 unsigned short family)
664{
665 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
666 if (!afinfo)
667 return -1;
668 afinfo->init_tempsel(x, fl, tmpl, daddr, saddr);
669 xfrm_state_put_afinfo(afinfo);
670 return 0;
671}
672
221df1ed 673static struct xfrm_state *__xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto, unsigned short family)
edcd5821 674{
221df1ed 675 unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
edcd5821 676 struct xfrm_state *x;
8f126e37 677 struct hlist_node *entry;
edcd5821 678
221df1ed 679 hlist_for_each_entry(x, entry, net->xfrm.state_byspi+h, byspi) {
edcd5821
DM		 680 if (x->props.family != family ||
681 x->id.spi != spi ||
682 x->id.proto != proto)
683 continue;
684
685 switch (family) {
686 case AF_INET:
687 if (x->id.daddr.a4 != daddr->a4)
688 continue;
689 break;
690 case AF_INET6:
691 if (!ipv6_addr_equal((struct in6_addr *)daddr,
692 (struct in6_addr *)
693 x->id.daddr.a6))
694 continue;
695 break;
3ff50b79 696 }
edcd5821
DM		 697
698 xfrm_state_hold(x);
699 return x;
700 }
701
702 return NULL;
703}
704
221df1ed 705static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, xfrm_address_t *daddr, xfrm_address_t *saddr, u8 proto, unsigned short family)
edcd5821 706{
221df1ed 707 unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
edcd5821 708 struct xfrm_state *x;
8f126e37 709 struct hlist_node *entry;
edcd5821 710
221df1ed 711 hlist_for_each_entry(x, entry, net->xfrm.state_bysrc+h, bysrc) {
edcd5821
DM		 712 if (x->props.family != family ||
713 x->id.proto != proto)
714 continue;
715
716 switch (family) {
717 case AF_INET:
718 if (x->id.daddr.a4 != daddr->a4 ||
719 x->props.saddr.a4 != saddr->a4)
720 continue;
721 break;
722 case AF_INET6:
723 if (!ipv6_addr_equal((struct in6_addr *)daddr,
724 (struct in6_addr *)
725 x->id.daddr.a6) ||
726 !ipv6_addr_equal((struct in6_addr *)saddr,
727 (struct in6_addr *)
728 x->props.saddr.a6))
729 continue;
730 break;
3ff50b79 731 }
edcd5821
DM		 732
733 xfrm_state_hold(x);
734 return x;
735 }
736
737 return NULL;
738}
739
740static inline struct xfrm_state *
741__xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
742{
221df1ed
AD		 743 struct net *net = xs_net(x);
744
edcd5821 745 if (use_spi)
221df1ed 746 return __xfrm_state_lookup(net, &x->id.daddr, x->id.spi,
edcd5821
DM		 747 x->id.proto, family);
748 else
221df1ed 749 return __xfrm_state_lookup_byaddr(net, &x->id.daddr,
edcd5821
DM		 750 &x->props.saddr,
751 x->id.proto, family);
752}
753
98806f75 754static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
2fab22f2
PM		 755{
756 if (have_hash_collision &&
98806f75
AD		 757 (net->xfrm.state_hmask + 1) < xfrm_state_hashmax &&
758 net->xfrm.state_num > net->xfrm.state_hmask)
759 schedule_work(&net->xfrm.state_hash_work);
2fab22f2
PM		 760}
761
1da177e4 762struct xfrm_state *
a716c119 763xfrm_state_find(xfrm_address_t *daddr, xfrm_address_t *saddr,
1da177e4
LT		 764 struct flowi *fl, struct xfrm_tmpl *tmpl,
765 struct xfrm_policy *pol, int *err,
766 unsigned short family)
767{
5447c5e4 768 struct net *net = xp_net(pol);
4bda4f25 769 unsigned int h;
8f126e37 770 struct hlist_node *entry;
37b08e34 771 struct xfrm_state *x, *x0, *to_put;
1da177e4
LT		 772 int acquire_in_progress = 0;
773 int error = 0;
774 struct xfrm_state *best = NULL;
a716c119 775
37b08e34
DM		 776 to_put = NULL;
777
1da177e4 778 spin_lock_bh(&xfrm_state_lock);
5447c5e4
AD		 779 h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, family);
780 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) {
1da177e4
LT		 781 if (x->props.family == family &&
782 x->props.reqid == tmpl->reqid &&
fbd9a5b4 783 !(x->props.flags & XFRM_STATE_WILDRECV) &&
1da177e4
LT		 784 xfrm_state_addr_check(x, daddr, saddr, family) &&
785 tmpl->mode == x->props.mode &&
786 tmpl->id.proto == x->id.proto &&
787 (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) {
788 /* Resolution logic:
789 1. There is a valid state with matching selector.
790 Done.
791 2. Valid state with inappropriate selector. Skip.
792
793 Entering area of "sysdeps".
794
795 3. If state is not valid, selector is temporary,
796 it selects only session which triggered
797 previous resolution. Key manager will do
798 something to install a state with proper
799 selector.
800 */
801 if (x->km.state == XFRM_STATE_VALID) {
df9dcb45 802 if ((x->sel.family && !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
e0d1caa7 803 !security_xfrm_state_pol_flow_match(x, pol, fl))
1da177e4
LT		 804 continue;
805 if (!best ||
806 best->km.dying > x->km.dying ||
807 (best->km.dying == x->km.dying &&
808 best->curlft.add_time < x->curlft.add_time))
809 best = x;
810 } else if (x->km.state == XFRM_STATE_ACQ) {
811 acquire_in_progress = 1;
812 } else if (x->km.state == XFRM_STATE_ERROR ||
813 x->km.state == XFRM_STATE_EXPIRED) {
48b8d783 814 if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
e0d1caa7 815 security_xfrm_state_pol_flow_match(x, pol, fl))
1da177e4
LT		 816 error = -ESRCH;
817 }
818 }
819 }
820
821 x = best;
822 if (!x && !error && !acquire_in_progress) {
5c5d281a 823 if (tmpl->id.spi &&
5447c5e4 824 (x0 = __xfrm_state_lookup(net, daddr, tmpl->id.spi,
edcd5821 825 tmpl->id.proto, family)) != NULL) {
37b08e34 826 to_put = x0;
1da177e4
LT		 827 error = -EEXIST;
828 goto out;
829 }
5447c5e4 830 x = xfrm_state_alloc(net);
1da177e4
LT		 831 if (x == NULL) {
832 error = -ENOMEM;
833 goto out;
834 }
835 /* Initialize temporary selector matching only
836 * to current session. */
837 xfrm_init_tempsel(x, fl, tmpl, daddr, saddr, family);
838
e0d1caa7
VY		 839 error = security_xfrm_state_alloc_acquire(x, pol->security, fl->secid);
840 if (error) {
841 x->km.state = XFRM_STATE_DEAD;
37b08e34 842 to_put = x;
e0d1caa7
VY		 843 x = NULL;
844 goto out;
845 }
846
1da177e4
LT		 847 if (km_query(x, tmpl, pol) == 0) {
848 x->km.state = XFRM_STATE_ACQ;
5447c5e4
AD		 849 list_add(&x->km.all, &net->xfrm.state_all);
850 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
851 h = xfrm_src_hash(net, daddr, saddr, family);
852 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h);
1da177e4 853 if (x->id.spi) {
5447c5e4
AD		 854 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, family);
855 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
1da177e4 856 }
01e67d08
DM		 857 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
858 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
1da177e4 859 add_timer(&x->timer);
5447c5e4
AD		 860 net->xfrm.state_num++;
861 xfrm_hash_grow_check(net, x->bydst.next != NULL);
1da177e4
LT		 862 } else {
863 x->km.state = XFRM_STATE_DEAD;
37b08e34 864 to_put = x;
1da177e4
LT		 865 x = NULL;
866 error = -ESRCH;
867 }
868 }
869out:
870 if (x)
871 xfrm_state_hold(x);
872 else
873 *err = acquire_in_progress ? -EAGAIN : error;
874 spin_unlock_bh(&xfrm_state_lock);
37b08e34
DM		 875 if (to_put)
876 xfrm_state_put(to_put);
1da177e4
LT		 877 return x;
878}
879
628529b6 880struct xfrm_state *
5447c5e4
AD		 881xfrm_stateonly_find(struct net *net,
882 xfrm_address_t *daddr, xfrm_address_t *saddr,
628529b6
JHS		 883 unsigned short family, u8 mode, u8 proto, u32 reqid)
884{
4bda4f25 885 unsigned int h;
628529b6
JHS		 886 struct xfrm_state *rx = NULL, *x = NULL;
887 struct hlist_node *entry;
888
889 spin_lock(&xfrm_state_lock);
5447c5e4
AD		 890 h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
891 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) {
628529b6
JHS		 892 if (x->props.family == family &&
893 x->props.reqid == reqid &&
894 !(x->props.flags & XFRM_STATE_WILDRECV) &&
895 xfrm_state_addr_check(x, daddr, saddr, family) &&
896 mode == x->props.mode &&
897 proto == x->id.proto &&
898 x->km.state == XFRM_STATE_VALID) {
899 rx = x;
900 break;
901 }
902 }
903
904 if (rx)
905 xfrm_state_hold(rx);
906 spin_unlock(&xfrm_state_lock);
907
908
909 return rx;
910}
911EXPORT_SYMBOL(xfrm_stateonly_find);
912
1da177e4
LT		 913static void __xfrm_state_insert(struct xfrm_state *x)
914{
98806f75 915 struct net *net = xs_net(x);
a624c108 916 unsigned int h;
1da177e4 917
9d4a706d
DM		 918 x->genid = ++xfrm_state_genid;
919
98806f75 920 list_add(&x->km.all, &net->xfrm.state_all);
4c563f76 921
98806f75 922 h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr,
c1969f29 923 x->props.reqid, x->props.family);
98806f75 924 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
1da177e4 925
98806f75
AD		 926 h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family);
927 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h);
1da177e4 928
7b4dc360 929 if (x->id.spi) {
98806f75 930 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto,
6c44e6b7
MN		 931 x->props.family);
932
98806f75 933 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
6c44e6b7
MN		 934 }
935
a47f0ce0
DM		 936 mod_timer(&x->timer, jiffies + HZ);
937 if (x->replay_maxage)
938 mod_timer(&x->rtimer, jiffies + x->replay_maxage);
f8cd5488 939
98806f75 940 wake_up(&net->xfrm.km_waitq);
f034b5d4 941
98806f75 942 net->xfrm.state_num++;
f034b5d4 943
98806f75 944 xfrm_hash_grow_check(net, x->bydst.next != NULL);
1da177e4
LT		 945}
946
c7f5ea3a
DM		 947/* xfrm_state_lock is held */
948static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
949{
98806f75 950 struct net *net = xs_net(xnew);
c7f5ea3a
DM		 951 unsigned short family = xnew->props.family;
952 u32 reqid = xnew->props.reqid;
953 struct xfrm_state *x;
954 struct hlist_node *entry;
955 unsigned int h;
956
98806f75
AD		 957 h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family);
958 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) {
c7f5ea3a
DM		 959 if (x->props.family == family &&
960 x->props.reqid == reqid &&
c1969f29
DM		 961 !xfrm_addr_cmp(&x->id.daddr, &xnew->id.daddr, family) &&
962 !xfrm_addr_cmp(&x->props.saddr, &xnew->props.saddr, family))
c7f5ea3a
DM		 963 x->genid = xfrm_state_genid;
964 }
965}
966
1da177e4
LT		 967void xfrm_state_insert(struct xfrm_state *x)
968{
969 spin_lock_bh(&xfrm_state_lock);
c7f5ea3a 970 __xfrm_state_bump_genids(x);
1da177e4
LT		 971 __xfrm_state_insert(x);
972 spin_unlock_bh(&xfrm_state_lock);
973}
974EXPORT_SYMBOL(xfrm_state_insert);
975
2770834c 976/* xfrm_state_lock is held */
5447c5e4 977static struct xfrm_state *__find_acq_core(struct net *net, unsigned short family, u8 mode, u32 reqid, u8 proto, xfrm_address_t *daddr, xfrm_address_t *saddr, int create)
2770834c 978{
5447c5e4 979 unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
8f126e37 980 struct hlist_node *entry;
2770834c
DM		 981 struct xfrm_state *x;
982
5447c5e4 983 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+h, bydst) {
2770834c
DM		 984 if (x->props.reqid != reqid ||
985 x->props.mode != mode ||
986 x->props.family != family ||
987 x->km.state != XFRM_STATE_ACQ ||
75e252d9
JL		 988 x->id.spi != 0 ||
989 x->id.proto != proto)
2770834c
DM		 990 continue;
991
992 switch (family) {
993 case AF_INET:
994 if (x->id.daddr.a4 != daddr->a4 ||
995 x->props.saddr.a4 != saddr->a4)
996 continue;
997 break;
998 case AF_INET6:
999 if (!ipv6_addr_equal((struct in6_addr *)x->id.daddr.a6,
1000 (struct in6_addr *)daddr) ||
1001 !ipv6_addr_equal((struct in6_addr *)
1002 x->props.saddr.a6,
1003 (struct in6_addr *)saddr))
1004 continue;
1005 break;
3ff50b79 1006 }
2770834c
DM		 1007
1008 xfrm_state_hold(x);
1009 return x;
1010 }
1011
1012 if (!create)
1013 return NULL;
1014
5447c5e4 1015 x = xfrm_state_alloc(net);
2770834c
DM		 1016 if (likely(x)) {
1017 switch (family) {
1018 case AF_INET:
1019 x->sel.daddr.a4 = daddr->a4;
1020 x->sel.saddr.a4 = saddr->a4;
1021 x->sel.prefixlen_d = 32;
1022 x->sel.prefixlen_s = 32;
1023 x->props.saddr.a4 = saddr->a4;
1024 x->id.daddr.a4 = daddr->a4;
1025 break;
1026
1027 case AF_INET6:
1028 ipv6_addr_copy((struct in6_addr *)x->sel.daddr.a6,
1029 (struct in6_addr *)daddr);
1030 ipv6_addr_copy((struct in6_addr *)x->sel.saddr.a6,
1031 (struct in6_addr *)saddr);
1032 x->sel.prefixlen_d = 128;
1033 x->sel.prefixlen_s = 128;
1034 ipv6_addr_copy((struct in6_addr *)x->props.saddr.a6,
1035 (struct in6_addr *)saddr);
1036 ipv6_addr_copy((struct in6_addr *)x->id.daddr.a6,
1037 (struct in6_addr *)daddr);
1038 break;
3ff50b79 1039 }
2770834c
DM		 1040
1041 x->km.state = XFRM_STATE_ACQ;
1042 x->id.proto = proto;
1043 x->props.family = family;
1044 x->props.mode = mode;
1045 x->props.reqid = reqid;
01e67d08 1046 x->lft.hard_add_expires_seconds = sysctl_xfrm_acq_expires;
2770834c 1047 xfrm_state_hold(x);
01e67d08 1048 x->timer.expires = jiffies + sysctl_xfrm_acq_expires*HZ;
2770834c 1049 add_timer(&x->timer);
5447c5e4
AD		 1050 list_add(&x->km.all, &net->xfrm.state_all);
1051 hlist_add_head(&x->bydst, net->xfrm.state_bydst+h);
1052 h = xfrm_src_hash(net, daddr, saddr, family);
1053 hlist_add_head(&x->bysrc, net->xfrm.state_bysrc+h);
918049f0 1054
5447c5e4 1055 net->xfrm.state_num++;
918049f0 1056
5447c5e4 1057 xfrm_hash_grow_check(net, x->bydst.next != NULL);
2770834c
DM		 1058 }
1059
1060 return x;
1061}
1062
5447c5e4 1063static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 seq);
1da177e4
LT		 1064
1065int xfrm_state_add(struct xfrm_state *x)
1066{
5447c5e4 1067 struct net *net = xs_net(x);
37b08e34 1068 struct xfrm_state *x1, *to_put;
1da177e4
LT		 1069 int family;
1070 int err;
eb2971b6 1071 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1da177e4
LT		 1072
1073 family = x->props.family;
1da177e4 1074
37b08e34
DM		 1075 to_put = NULL;
1076
1da177e4
LT		 1077 spin_lock_bh(&xfrm_state_lock);
1078
edcd5821 1079 x1 = __xfrm_state_locate(x, use_spi, family);
1da177e4 1080 if (x1) {
37b08e34 1081 to_put = x1;
1da177e4
LT		 1082 x1 = NULL;
1083 err = -EEXIST;
1084 goto out;
1085 }
1086
eb2971b6 1087 if (use_spi && x->km.seq) {
5447c5e4 1088 x1 = __xfrm_find_acq_byseq(net, x->km.seq);
75e252d9
JL		 1089 if (x1 && ((x1->id.proto != x->id.proto) ||
1090 xfrm_addr_cmp(&x1->id.daddr, &x->id.daddr, family))) {
37b08e34 1091 to_put = x1;
1da177e4
LT		 1092 x1 = NULL;
1093 }
1094 }
1095
eb2971b6 1096 if (use_spi && !x1)
5447c5e4 1097 x1 = __find_acq_core(net, family, x->props.mode, x->props.reqid,
2770834c
DM		 1098 x->id.proto,
1099 &x->id.daddr, &x->props.saddr, 0);
1da177e4 1100
c7f5ea3a 1101 __xfrm_state_bump_genids(x);
1da177e4
LT		 1102 __xfrm_state_insert(x);
1103 err = 0;
1104
1105out:
1106 spin_unlock_bh(&xfrm_state_lock);
1da177e4
LT		 1107
1108 if (x1) {
1109 xfrm_state_delete(x1);
1110 xfrm_state_put(x1);
1111 }
1112
37b08e34
DM		 1113 if (to_put)
1114 xfrm_state_put(to_put);
1115
1da177e4
LT		 1116 return err;
1117}
1118EXPORT_SYMBOL(xfrm_state_add);
1119
80c9abaa 1120#ifdef CONFIG_XFRM_MIGRATE
6666351d 1121static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig, int *errp)
80c9abaa 1122{
98806f75 1123 struct net *net = xs_net(orig);
80c9abaa 1124 int err = -ENOMEM;
98806f75 1125 struct xfrm_state *x = xfrm_state_alloc(net);
80c9abaa
SS		 1126 if (!x)
1127 goto error;
1128
1129 memcpy(&x->id, &orig->id, sizeof(x->id));
1130 memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1131 memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1132 x->props.mode = orig->props.mode;
1133 x->props.replay_window = orig->props.replay_window;
1134 x->props.reqid = orig->props.reqid;
1135 x->props.family = orig->props.family;
1136 x->props.saddr = orig->props.saddr;
1137
1138 if (orig->aalg) {
1139 x->aalg = xfrm_algo_clone(orig->aalg);
1140 if (!x->aalg)
1141 goto error;
1142 }
1143 x->props.aalgo = orig->props.aalgo;
1144
1145 if (orig->ealg) {
1146 x->ealg = xfrm_algo_clone(orig->ealg);
1147 if (!x->ealg)
1148 goto error;
1149 }
1150 x->props.ealgo = orig->props.ealgo;
1151
1152 if (orig->calg) {
1153 x->calg = xfrm_algo_clone(orig->calg);
1154 if (!x->calg)
1155 goto error;
1156 }
1157 x->props.calgo = orig->props.calgo;
1158
a716c119 1159 if (orig->encap) {
80c9abaa
SS		 1160 x->encap = kmemdup(orig->encap, sizeof(*x->encap), GFP_KERNEL);
1161 if (!x->encap)
1162 goto error;
1163 }
1164
1165 if (orig->coaddr) {
1166 x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1167 GFP_KERNEL);
1168 if (!x->coaddr)
1169 goto error;
1170 }
1171
1172 err = xfrm_init_state(x);
1173 if (err)
1174 goto error;
1175
1176 x->props.flags = orig->props.flags;
1177
1178 x->curlft.add_time = orig->curlft.add_time;
1179 x->km.state = orig->km.state;
1180 x->km.seq = orig->km.seq;
1181
1182 return x;
1183
1184 error:
1185 if (errp)
1186 *errp = err;
1187 if (x) {
1188 kfree(x->aalg);
1189 kfree(x->ealg);
1190 kfree(x->calg);
1191 kfree(x->encap);
1192 kfree(x->coaddr);
1193 }
1194 kfree(x);
1195 return NULL;
1196}
80c9abaa
SS		 1197
1198/* xfrm_state_lock is held */
1199struct xfrm_state * xfrm_migrate_state_find(struct xfrm_migrate *m)
1200{
1201 unsigned int h;
1202 struct xfrm_state *x;
1203 struct hlist_node *entry;
1204
1205 if (m->reqid) {
64d0cd00 1206 h = xfrm_dst_hash(&init_net, &m->old_daddr, &m->old_saddr,
80c9abaa 1207 m->reqid, m->old_family);
73d189dc 1208 hlist_for_each_entry(x, entry, init_net.xfrm.state_bydst+h, bydst) {
80c9abaa
SS		 1209 if (x->props.mode != m->mode ||
1210 x->id.proto != m->proto)
1211 continue;
1212 if (m->reqid && x->props.reqid != m->reqid)
1213 continue;
1214 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1215 m->old_family) ||
1216 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1217 m->old_family))
1218 continue;
1219 xfrm_state_hold(x);
1220 return x;
1221 }
1222 } else {
64d0cd00 1223 h = xfrm_src_hash(&init_net, &m->old_daddr, &m->old_saddr,
80c9abaa 1224 m->old_family);
d320bbb3 1225 hlist_for_each_entry(x, entry, init_net.xfrm.state_bysrc+h, bysrc) {
80c9abaa
SS		 1226 if (x->props.mode != m->mode ||
1227 x->id.proto != m->proto)
1228 continue;
1229 if (xfrm_addr_cmp(&x->id.daddr, &m->old_daddr,
1230 m->old_family) ||
1231 xfrm_addr_cmp(&x->props.saddr, &m->old_saddr,
1232 m->old_family))
1233 continue;
1234 xfrm_state_hold(x);
1235 return x;
1236 }
1237 }
1238
a716c119 1239 return NULL;
80c9abaa
SS		 1240}
1241EXPORT_SYMBOL(xfrm_migrate_state_find);
1242
1243struct xfrm_state * xfrm_state_migrate(struct xfrm_state *x,
1244 struct xfrm_migrate *m)
1245{
1246 struct xfrm_state *xc;
1247 int err;
1248
1249 xc = xfrm_state_clone(x, &err);
1250 if (!xc)
1251 return NULL;
1252
1253 memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
1254 memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
1255
1256 /* add state */
1257 if (!xfrm_addr_cmp(&x->id.daddr, &m->new_daddr, m->new_family)) {
1258 /* a care is needed when the destination address of the
1259 state is to be updated as it is a part of triplet */
1260 xfrm_state_insert(xc);
1261 } else {
1262 if ((err = xfrm_state_add(xc)) < 0)
1263 goto error;
1264 }
1265
1266 return xc;
1267error:
1268 kfree(xc);
1269 return NULL;
1270}
1271EXPORT_SYMBOL(xfrm_state_migrate);
1272#endif
1273
1da177e4
LT		 1274int xfrm_state_update(struct xfrm_state *x)
1275{
37b08e34 1276 struct xfrm_state *x1, *to_put;
1da177e4 1277 int err;
eb2971b6 1278 int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1da177e4 1279
37b08e34
DM		 1280 to_put = NULL;
1281
1da177e4 1282 spin_lock_bh(&xfrm_state_lock);
edcd5821 1283 x1 = __xfrm_state_locate(x, use_spi, x->props.family);
1da177e4
LT		 1284
1285 err = -ESRCH;
1286 if (!x1)
1287 goto out;
1288
1289 if (xfrm_state_kern(x1)) {
37b08e34 1290 to_put = x1;
1da177e4
LT		 1291 err = -EEXIST;
1292 goto out;
1293 }
1294
1295 if (x1->km.state == XFRM_STATE_ACQ) {
1296 __xfrm_state_insert(x);
1297 x = NULL;
1298 }
1299 err = 0;
1300
1301out:
1302 spin_unlock_bh(&xfrm_state_lock);
1da177e4 1303
37b08e34
DM		 1304 if (to_put)
1305 xfrm_state_put(to_put);
1306
1da177e4
LT		 1307 if (err)
1308 return err;
1309
1310 if (!x) {
1311 xfrm_state_delete(x1);
1312 xfrm_state_put(x1);
1313 return 0;
1314 }
1315
1316 err = -EINVAL;
1317 spin_lock_bh(&x1->lock);
1318 if (likely(x1->km.state == XFRM_STATE_VALID)) {
1319 if (x->encap && x1->encap)
1320 memcpy(x1->encap, x->encap, sizeof(*x1->encap));
060f02a3
NT		 1321 if (x->coaddr && x1->coaddr) {
1322 memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
1323 }
1324 if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
1325 memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
1da177e4
LT		 1326 memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
1327 x1->km.dying = 0;
1328
a47f0ce0 1329 mod_timer(&x1->timer, jiffies + HZ);
1da177e4
LT		 1330 if (x1->curlft.use_time)
1331 xfrm_state_check_expire(x1);
1332
1333 err = 0;
1334 }
1335 spin_unlock_bh(&x1->lock);
1336
1337 xfrm_state_put(x1);
1338
1339 return err;
1340}
1341EXPORT_SYMBOL(xfrm_state_update);
1342
1343int xfrm_state_check_expire(struct xfrm_state *x)
1344{
1345 if (!x->curlft.use_time)
9d729f72 1346 x->curlft.use_time = get_seconds();
1da177e4
LT		 1347
1348 if (x->km.state != XFRM_STATE_VALID)
1349 return -EINVAL;
1350
1351 if (x->curlft.bytes >= x->lft.hard_byte_limit ||
1352 x->curlft.packets >= x->lft.hard_packet_limit) {
4666faab 1353 x->km.state = XFRM_STATE_EXPIRED;
a47f0ce0 1354 mod_timer(&x->timer, jiffies);
1da177e4
LT		 1355 return -EINVAL;
1356 }
1357
1358 if (!x->km.dying &&
1359 (x->curlft.bytes >= x->lft.soft_byte_limit ||
4666faab
HX		 1360 x->curlft.packets >= x->lft.soft_packet_limit)) {
1361 x->km.dying = 1;
53bc6b4d 1362 km_state_expired(x, 0, 0);
4666faab 1363 }
1da177e4
LT		 1364 return 0;
1365}
1366EXPORT_SYMBOL(xfrm_state_check_expire);
1367
1da177e4 1368struct xfrm_state *
221df1ed 1369xfrm_state_lookup(struct net *net, xfrm_address_t *daddr, __be32 spi, u8 proto,
1da177e4
LT		 1370 unsigned short family)
1371{
1372 struct xfrm_state *x;
1da177e4
LT		 1373
1374 spin_lock_bh(&xfrm_state_lock);
221df1ed 1375 x = __xfrm_state_lookup(net, daddr, spi, proto, family);
1da177e4 1376 spin_unlock_bh(&xfrm_state_lock);
1da177e4
LT		 1377 return x;
1378}
1379EXPORT_SYMBOL(xfrm_state_lookup);
1380
1381struct xfrm_state *
221df1ed
AD		 1382xfrm_state_lookup_byaddr(struct net *net,
1383 xfrm_address_t *daddr, xfrm_address_t *saddr,
eb2971b6
MN		 1384 u8 proto, unsigned short family)
1385{
1386 struct xfrm_state *x;
eb2971b6
MN		 1387
1388 spin_lock_bh(&xfrm_state_lock);
221df1ed 1389 x = __xfrm_state_lookup_byaddr(net, daddr, saddr, proto, family);
eb2971b6 1390 spin_unlock_bh(&xfrm_state_lock);
eb2971b6
MN		 1391 return x;
1392}
1393EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
1394
1395struct xfrm_state *
5447c5e4 1396xfrm_find_acq(struct net *net, u8 mode, u32 reqid, u8 proto,
a716c119 1397 xfrm_address_t *daddr, xfrm_address_t *saddr,
1da177e4
LT		 1398 int create, unsigned short family)
1399{
1400 struct xfrm_state *x;
1da177e4
LT		 1401
1402 spin_lock_bh(&xfrm_state_lock);
5447c5e4 1403 x = __find_acq_core(net, family, mode, reqid, proto, daddr, saddr, create);
1da177e4 1404 spin_unlock_bh(&xfrm_state_lock);
2770834c 1405
1da177e4
LT		 1406 return x;
1407}
1408EXPORT_SYMBOL(xfrm_find_acq);
1409
41a49cc3
MN		 1410#ifdef CONFIG_XFRM_SUB_POLICY
1411int
1412xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
1413 unsigned short family)
1414{
1415 int err = 0;
1416 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1417 if (!afinfo)
1418 return -EAFNOSUPPORT;
1419
1420 spin_lock_bh(&xfrm_state_lock);
1421 if (afinfo->tmpl_sort)
1422 err = afinfo->tmpl_sort(dst, src, n);
1423 spin_unlock_bh(&xfrm_state_lock);
1424 xfrm_state_put_afinfo(afinfo);
1425 return err;
1426}
1427EXPORT_SYMBOL(xfrm_tmpl_sort);
1428
1429int
1430xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
1431 unsigned short family)
1432{
1433 int err = 0;
1434 struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
1435 if (!afinfo)
1436 return -EAFNOSUPPORT;
1437
1438 spin_lock_bh(&xfrm_state_lock);
1439 if (afinfo->state_sort)
1440 err = afinfo->state_sort(dst, src, n);
1441 spin_unlock_bh(&xfrm_state_lock);
1442 xfrm_state_put_afinfo(afinfo);
1443 return err;
1444}
1445EXPORT_SYMBOL(xfrm_state_sort);
1446#endif
1447
1da177e4
LT		 1448/* Silly enough, but I'm lazy to build resolution list */
1449
5447c5e4 1450static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 seq)
1da177e4
LT		 1451{
1452 int i;
1da177e4 1453
5447c5e4 1454 for (i = 0; i <= net->xfrm.state_hmask; i++) {
8f126e37
DM		 1455 struct hlist_node *entry;
1456 struct xfrm_state *x;
1457
5447c5e4 1458 hlist_for_each_entry(x, entry, net->xfrm.state_bydst+i, bydst) {
8f126e37
DM		 1459 if (x->km.seq == seq &&
1460 x->km.state == XFRM_STATE_ACQ) {
1da177e4
LT		 1461 xfrm_state_hold(x);
1462 return x;
1463 }
1464 }
1465 }
1466 return NULL;
1467}
1468
5447c5e4 1469struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 seq)
1da177e4
LT		 1470{
1471 struct xfrm_state *x;
1472
1473 spin_lock_bh(&xfrm_state_lock);
5447c5e4 1474 x = __xfrm_find_acq_byseq(net, seq);
1da177e4
LT		 1475 spin_unlock_bh(&xfrm_state_lock);
1476 return x;
1477}
1478EXPORT_SYMBOL(xfrm_find_acq_byseq);
1479
1480u32 xfrm_get_acqseq(void)
1481{
1482 u32 res;
1483 static u32 acqseq;
1484 static DEFINE_SPINLOCK(acqseq_lock);
1485
1486 spin_lock_bh(&acqseq_lock);
1487 res = (++acqseq ? : ++acqseq);
1488 spin_unlock_bh(&acqseq_lock);
1489 return res;
1490}
1491EXPORT_SYMBOL(xfrm_get_acqseq);
1492
658b219e 1493int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
1da177e4 1494{
221df1ed 1495 struct net *net = xs_net(x);
f034b5d4 1496 unsigned int h;
1da177e4 1497 struct xfrm_state *x0;
658b219e
HX		 1498 int err = -ENOENT;
1499 __be32 minspi = htonl(low);
1500 __be32 maxspi = htonl(high);
1da177e4 1501
658b219e
HX		 1502 spin_lock_bh(&x->lock);
1503 if (x->km.state == XFRM_STATE_DEAD)
1504 goto unlock;
1505
1506 err = 0;
1da177e4 1507 if (x->id.spi)
658b219e
HX		 1508 goto unlock;
1509
1510 err = -ENOENT;
1da177e4
LT		 1511
1512 if (minspi == maxspi) {
221df1ed 1513 x0 = xfrm_state_lookup(net, &x->id.daddr, minspi, x->id.proto, x->props.family);
1da177e4
LT		 1514 if (x0) {
1515 xfrm_state_put(x0);
658b219e 1516 goto unlock;
1da177e4
LT		 1517 }
1518 x->id.spi = minspi;
1519 } else {
1520 u32 spi = 0;
26977b4e
AV		 1521 for (h=0; h<high-low+1; h++) {
1522 spi = low + net_random()%(high-low+1);
221df1ed 1523 x0 = xfrm_state_lookup(net, &x->id.daddr, htonl(spi), x->id.proto, x->props.family);
1da177e4
LT		 1524 if (x0 == NULL) {
1525 x->id.spi = htonl(spi);
1526 break;
1527 }
1528 xfrm_state_put(x0);
1529 }
1530 }
1531 if (x->id.spi) {
1532 spin_lock_bh(&xfrm_state_lock);
12604d8a
AD		 1533 h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
1534 hlist_add_head(&x->byspi, net->xfrm.state_byspi+h);
1da177e4 1535 spin_unlock_bh(&xfrm_state_lock);
658b219e
HX		 1536
1537 err = 0;
1da177e4 1538 }
658b219e
HX		 1539
1540unlock:
1541 spin_unlock_bh(&x->lock);
1542
1543 return err;
1da177e4
LT		 1544}
1545EXPORT_SYMBOL(xfrm_alloc_spi);
1546
284fa7da 1547int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
4c563f76 1548 int (*func)(struct xfrm_state *, int, void*),
1da177e4
LT		 1549 void *data)
1550{
12a169e7
HX		 1551 struct xfrm_state *state;
1552 struct xfrm_state_walk *x;
1da177e4
LT		 1553 int err = 0;
1554
12a169e7 1555 if (walk->seq != 0 && list_empty(&walk->all))
4c563f76
TT		 1556 return 0;
1557
1da177e4 1558 spin_lock_bh(&xfrm_state_lock);
12a169e7 1559 if (list_empty(&walk->all))
284fa7da 1560 x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all);
12a169e7
HX		 1561 else
1562 x = list_entry(&walk->all, struct xfrm_state_walk, all);
284fa7da 1563 list_for_each_entry_from(x, &net->xfrm.state_all, all) {
12a169e7 1564 if (x->state == XFRM_STATE_DEAD)
4c563f76 1565 continue;
12a169e7
HX		 1566 state = container_of(x, struct xfrm_state, km);
1567 if (!xfrm_id_proto_match(state->id.proto, walk->proto))
4c563f76 1568 continue;
12a169e7
HX		 1569 err = func(state, walk->seq, data);
1570 if (err) {
1571 list_move_tail(&walk->all, &x->all);
1572 goto out;
1da177e4 1573 }
12a169e7 1574 walk->seq++;
1da177e4 1575 }
12a169e7 1576 if (walk->seq == 0) {
1da177e4
LT		 1577 err = -ENOENT;
1578 goto out;
1579 }
12a169e7 1580 list_del_init(&walk->all);
1da177e4
LT		 1581out:
1582 spin_unlock_bh(&xfrm_state_lock);
1583 return err;
1584}
1585EXPORT_SYMBOL(xfrm_state_walk);
1586
5c182458
HX		 1587void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto)
1588{
12a169e7 1589 INIT_LIST_HEAD(&walk->all);
5c182458 1590 walk->proto = proto;
12a169e7
HX		 1591 walk->state = XFRM_STATE_DEAD;
1592 walk->seq = 0;
5c182458
HX		 1593}
1594EXPORT_SYMBOL(xfrm_state_walk_init);
1595
abb81c4f
HX		 1596void xfrm_state_walk_done(struct xfrm_state_walk *walk)
1597{
12a169e7 1598 if (list_empty(&walk->all))
5c182458 1599 return;
5c182458 1600
12a169e7
HX		 1601 spin_lock_bh(&xfrm_state_lock);
1602 list_del(&walk->all);
1603 spin_lock_bh(&xfrm_state_lock);
abb81c4f
HX		 1604}
1605EXPORT_SYMBOL(xfrm_state_walk_done);
1606
f8cd5488
JHS		 1607
1608void xfrm_replay_notify(struct xfrm_state *x, int event)
1609{
1610 struct km_event c;
1611 /* we send notify messages in case
1612 * 1. we updated on of the sequence numbers, and the seqno difference
1613 * is at least x->replay_maxdiff, in this case we also update the
1614 * timeout of our timer function
1615 * 2. if x->replay_maxage has elapsed since last update,
1616 * and there were changes
1617 *
1618 * The state structure must be locked!
1619 */
1620
1621 switch (event) {
1622 case XFRM_REPLAY_UPDATE:
1623 if (x->replay_maxdiff &&
1624 (x->replay.seq - x->preplay.seq < x->replay_maxdiff) &&
2717096a
JHS		 1625 (x->replay.oseq - x->preplay.oseq < x->replay_maxdiff)) {
1626 if (x->xflags & XFRM_TIME_DEFER)
1627 event = XFRM_REPLAY_TIMEOUT;
1628 else
1629 return;
1630 }
f8cd5488
JHS		 1631
1632 break;
1633
1634 case XFRM_REPLAY_TIMEOUT:
1635 if ((x->replay.seq == x->preplay.seq) &&
1636 (x->replay.bitmap == x->preplay.bitmap) &&
2717096a
JHS		 1637 (x->replay.oseq == x->preplay.oseq)) {
1638 x->xflags |= XFRM_TIME_DEFER;
f8cd5488 1639 return;
2717096a 1640 }
f8cd5488
JHS		 1641
1642 break;
1643 }
1644
1645 memcpy(&x->preplay, &x->replay, sizeof(struct xfrm_replay_state));
1646 c.event = XFRM_MSG_NEWAE;
1647 c.data.aevent = event;
1648 km_state_notify(x, &c);
1649
f8cd5488 1650 if (x->replay_maxage &&
a47f0ce0 1651 !mod_timer(&x->rtimer, jiffies + x->replay_maxage))
2717096a 1652 x->xflags &= ~XFRM_TIME_DEFER;
f8cd5488
JHS		 1653}
1654
1655static void xfrm_replay_timer_handler(unsigned long data)
1656{
1657 struct xfrm_state *x = (struct xfrm_state*)data;
1658
1659 spin_lock(&x->lock);
1660
2717096a
JHS		 1661 if (x->km.state == XFRM_STATE_VALID) {
1662 if (xfrm_aevent_is_on())
1663 xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
1664 else
1665 x->xflags |= XFRM_TIME_DEFER;
1666 }
f8cd5488
JHS		 1667
1668 spin_unlock(&x->lock);
1669}
1670
afeb14b4
PM		 1671int xfrm_replay_check(struct xfrm_state *x,
1672 struct sk_buff *skb, __be32 net_seq)
1da177e4
LT		 1673{
1674 u32 diff;
a252cc23 1675 u32 seq = ntohl(net_seq);
1da177e4
LT		 1676
1677 if (unlikely(seq == 0))
afeb14b4 1678 goto err;
1da177e4
LT		 1679
1680 if (likely(seq > x->replay.seq))
1681 return 0;
1682
1683 diff = x->replay.seq - seq;
4c4d51a7
HX		 1684 if (diff >= min_t(unsigned int, x->props.replay_window,
1685 sizeof(x->replay.bitmap) * 8)) {
1da177e4 1686 x->stats.replay_window++;
afeb14b4 1687 goto err;
1da177e4
LT		 1688 }
1689
1690 if (x->replay.bitmap & (1U << diff)) {
1691 x->stats.replay++;
afeb14b4 1692 goto err;
1da177e4
LT		 1693 }
1694 return 0;
afeb14b4
PM		 1695
1696err:
1697 xfrm_audit_state_replay(x, skb, net_seq);
1698 return -EINVAL;
1da177e4 1699}
1da177e4 1700
61f4627b 1701void xfrm_replay_advance(struct xfrm_state *x, __be32 net_seq)
1da177e4
LT		 1702{
1703 u32 diff;
61f4627b 1704 u32 seq = ntohl(net_seq);
1da177e4
LT		 1705
1706 if (seq > x->replay.seq) {
1707 diff = seq - x->replay.seq;
1708 if (diff < x->props.replay_window)
1709 x->replay.bitmap = ((x->replay.bitmap) << diff) | 1;
1710 else
1711 x->replay.bitmap = 1;
1712 x->replay.seq = seq;
1713 } else {
1714 diff = x->replay.seq - seq;
1715 x->replay.bitmap |= (1U << diff);
1716 }
f8cd5488
JHS		 1717
1718 if (xfrm_aevent_is_on())
1719 xfrm_replay_notify(x, XFRM_REPLAY_UPDATE);
1da177e4 1720}
1da177e4 1721
df01812e 1722static LIST_HEAD(xfrm_km_list);
1da177e4
LT		 1723static DEFINE_RWLOCK(xfrm_km_lock);
1724
26b15dad 1725void km_policy_notify(struct xfrm_policy *xp, int dir, struct km_event *c)
1da177e4
LT		 1726{
1727 struct xfrm_mgr *km;
1728
26b15dad
JHS		 1729 read_lock(&xfrm_km_lock);
1730 list_for_each_entry(km, &xfrm_km_list, list)
1731 if (km->notify_policy)
1732 km->notify_policy(xp, dir, c);
1733 read_unlock(&xfrm_km_lock);
1734}
1da177e4 1735
26b15dad
JHS		 1736void km_state_notify(struct xfrm_state *x, struct km_event *c)
1737{
1738 struct xfrm_mgr *km;
1da177e4
LT		 1739 read_lock(&xfrm_km_lock);
1740 list_for_each_entry(km, &xfrm_km_list, list)
26b15dad
JHS		 1741 if (km->notify)
1742 km->notify(x, c);
1da177e4 1743 read_unlock(&xfrm_km_lock);
26b15dad
JHS		 1744}
1745
1746EXPORT_SYMBOL(km_policy_notify);
1747EXPORT_SYMBOL(km_state_notify);
1748
53bc6b4d 1749void km_state_expired(struct xfrm_state *x, int hard, u32 pid)
26b15dad 1750{
98806f75 1751 struct net *net = xs_net(x);
26b15dad
JHS		 1752 struct km_event c;
1753
bf08867f 1754 c.data.hard = hard;
53bc6b4d 1755 c.pid = pid;
f60f6b8f 1756 c.event = XFRM_MSG_EXPIRE;
26b15dad 1757 km_state_notify(x, &c);
1da177e4
LT		 1758
1759 if (hard)
98806f75 1760 wake_up(&net->xfrm.km_waitq);
1da177e4
LT		 1761}
1762
53bc6b4d 1763EXPORT_SYMBOL(km_state_expired);
26b15dad
JHS		 1764/*
1765 * We send to all registered managers regardless of failure
1766 * We are happy with one success
1767*/
980ebd25 1768int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
1da177e4 1769{
26b15dad 1770 int err = -EINVAL, acqret;
1da177e4
LT		 1771 struct xfrm_mgr *km;
1772
1773 read_lock(&xfrm_km_lock);
1774 list_for_each_entry(km, &xfrm_km_list, list) {
26b15dad
JHS		 1775 acqret = km->acquire(x, t, pol, XFRM_POLICY_OUT);
1776 if (!acqret)
1777 err = acqret;
1da177e4
LT		 1778 }
1779 read_unlock(&xfrm_km_lock);
1780 return err;
1781}
980ebd25 1782EXPORT_SYMBOL(km_query);
1da177e4 1783
5d36b180 1784int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
1da177e4
LT		 1785{
1786 int err = -EINVAL;
1787 struct xfrm_mgr *km;
1788
1789 read_lock(&xfrm_km_lock);
1790 list_for_each_entry(km, &xfrm_km_list, list) {
1791 if (km->new_mapping)
1792 err = km->new_mapping(x, ipaddr, sport);
1793 if (!err)
1794 break;
1795 }
1796 read_unlock(&xfrm_km_lock);
1797 return err;
1798}
1799EXPORT_SYMBOL(km_new_mapping);
1800
6c5c8ca7 1801void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 pid)
1da177e4 1802{
98806f75 1803 struct net *net = xp_net(pol);
26b15dad 1804 struct km_event c;
1da177e4 1805
bf08867f 1806 c.data.hard = hard;
6c5c8ca7 1807 c.pid = pid;
f60f6b8f 1808 c.event = XFRM_MSG_POLEXPIRE;
26b15dad 1809 km_policy_notify(pol, dir, &c);
1da177e4
LT		 1810
1811 if (hard)
98806f75 1812 wake_up(&net->xfrm.km_waitq);
1da177e4 1813}
a70fcb0b 1814EXPORT_SYMBOL(km_policy_expired);
1da177e4 1815
2d60abc2 1816#ifdef CONFIG_XFRM_MIGRATE
80c9abaa 1817int km_migrate(struct xfrm_selector *sel, u8 dir, u8 type,
13c1d189
AE		 1818 struct xfrm_migrate *m, int num_migrate,
1819 struct xfrm_kmaddress *k)
80c9abaa
SS		 1820{
1821 int err = -EINVAL;
1822 int ret;
1823 struct xfrm_mgr *km;
1824
1825 read_lock(&xfrm_km_lock);
1826 list_for_each_entry(km, &xfrm_km_list, list) {
1827 if (km->migrate) {
13c1d189 1828 ret = km->migrate(sel, dir, type, m, num_migrate, k);
80c9abaa
SS		 1829 if (!ret)
1830 err = ret;
1831 }
1832 }
1833 read_unlock(&xfrm_km_lock);
1834 return err;
1835}
1836EXPORT_SYMBOL(km_migrate);
2d60abc2 1837#endif
80c9abaa 1838
97a64b45
MN		 1839int km_report(u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
1840{
1841 int err = -EINVAL;
1842 int ret;
1843 struct xfrm_mgr *km;
1844
1845 read_lock(&xfrm_km_lock);
1846 list_for_each_entry(km, &xfrm_km_list, list) {
1847 if (km->report) {
1848 ret = km->report(proto, sel, addr);
1849 if (!ret)
1850 err = ret;
1851 }
1852 }
1853 read_unlock(&xfrm_km_lock);
1854 return err;
1855}
1856EXPORT_SYMBOL(km_report);
1857
1da177e4
LT		 1858int xfrm_user_policy(struct sock *sk, int optname, u8 __user *optval, int optlen)
1859{
1860 int err;
1861 u8 *data;
1862 struct xfrm_mgr *km;
1863 struct xfrm_policy *pol = NULL;
1864
1865 if (optlen <= 0 || optlen > PAGE_SIZE)
1866 return -EMSGSIZE;
1867
1868 data = kmalloc(optlen, GFP_KERNEL);
1869 if (!data)
1870 return -ENOMEM;
1871
1872 err = -EFAULT;
1873 if (copy_from_user(data, optval, optlen))
1874 goto out;
1875
1876 err = -EINVAL;
1877 read_lock(&xfrm_km_lock);
1878 list_for_each_entry(km, &xfrm_km_list, list) {
cb969f07 1879 pol = km->compile_policy(sk, optname, data,
1da177e4
LT		 1880 optlen, &err);
1881 if (err >= 0)
1882 break;
1883 }
1884 read_unlock(&xfrm_km_lock);
1885
1886 if (err >= 0) {
1887 xfrm_sk_policy_insert(sk, err, pol);
1888 xfrm_pol_put(pol);
1889 err = 0;
1890 }
1891
1892out:
1893 kfree(data);
1894 return err;
1895}
1896EXPORT_SYMBOL(xfrm_user_policy);
1897
1898int xfrm_register_km(struct xfrm_mgr *km)
1899{
1900 write_lock_bh(&xfrm_km_lock);
1901 list_add_tail(&km->list, &xfrm_km_list);
1902 write_unlock_bh(&xfrm_km_lock);
1903 return 0;
1904}
1905EXPORT_SYMBOL(xfrm_register_km);
1906
1907int xfrm_unregister_km(struct xfrm_mgr *km)
1908{
1909 write_lock_bh(&xfrm_km_lock);
1910 list_del(&km->list);
1911 write_unlock_bh(&xfrm_km_lock);
1912 return 0;
1913}
1914EXPORT_SYMBOL(xfrm_unregister_km);
1915
1916int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
1917{
1918 int err = 0;
1919 if (unlikely(afinfo == NULL))
1920 return -EINVAL;
1921 if (unlikely(afinfo->family >= NPROTO))
1922 return -EAFNOSUPPORT;
f3111502 1923 write_lock_bh(&xfrm_state_afinfo_lock);
1da177e4
LT		 1924 if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
1925 err = -ENOBUFS;
edcd5821 1926 else
1da177e4 1927 xfrm_state_afinfo[afinfo->family] = afinfo;
f3111502 1928 write_unlock_bh(&xfrm_state_afinfo_lock);
1da177e4
LT		 1929 return err;
1930}
1931EXPORT_SYMBOL(xfrm_state_register_afinfo);
1932
1933int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
1934{
1935 int err = 0;
1936 if (unlikely(afinfo == NULL))
1937 return -EINVAL;
1938 if (unlikely(afinfo->family >= NPROTO))
1939 return -EAFNOSUPPORT;
f3111502 1940 write_lock_bh(&xfrm_state_afinfo_lock);
1da177e4
LT		 1941 if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
1942 if (unlikely(xfrm_state_afinfo[afinfo->family] != afinfo))
1943 err = -EINVAL;
edcd5821 1944 else
1da177e4 1945 xfrm_state_afinfo[afinfo->family] = NULL;
1da177e4 1946 }
f3111502 1947 write_unlock_bh(&xfrm_state_afinfo_lock);
1da177e4
LT		 1948 return err;
1949}
1950EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
1951
17c2a42a 1952static struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
1da177e4
LT		 1953{
1954 struct xfrm_state_afinfo *afinfo;
1955 if (unlikely(family >= NPROTO))
1956 return NULL;
1957 read_lock(&xfrm_state_afinfo_lock);
1958 afinfo = xfrm_state_afinfo[family];
546be240
HX		 1959 if (unlikely(!afinfo))
1960 read_unlock(&xfrm_state_afinfo_lock);
1da177e4
LT		 1961 return afinfo;
1962}
1963
17c2a42a 1964static void xfrm_state_put_afinfo(struct xfrm_state_afinfo *afinfo)
9a429c49 1965 __releases(xfrm_state_afinfo_lock)
1da177e4 1966{
546be240 1967 read_unlock(&xfrm_state_afinfo_lock);
1da177e4
LT		 1968}
1969
1970/* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
1971void xfrm_state_delete_tunnel(struct xfrm_state *x)
1972{
1973 if (x->tunnel) {
1974 struct xfrm_state *t = x->tunnel;
1975
1976 if (atomic_read(&t->tunnel_users) == 2)
1977 xfrm_state_delete(t);
1978 atomic_dec(&t->tunnel_users);
1979 xfrm_state_put(t);
1980 x->tunnel = NULL;
1981 }
1982}
1983EXPORT_SYMBOL(xfrm_state_delete_tunnel);
1984
1985int xfrm_state_mtu(struct xfrm_state *x, int mtu)
1986{
c5c25238 1987 int res;
1da177e4 1988
c5c25238
PM		 1989 spin_lock_bh(&x->lock);
1990 if (x->km.state == XFRM_STATE_VALID &&
1991 x->type && x->type->get_mtu)
1992 res = x->type->get_mtu(x, mtu);
1993 else
28121617 1994 res = mtu - x->props.header_len;
c5c25238 1995 spin_unlock_bh(&x->lock);
1da177e4
LT		 1996 return res;
1997}
1998
72cb6962
HX		 1999int xfrm_init_state(struct xfrm_state *x)
2000{
d094cd83 2001 struct xfrm_state_afinfo *afinfo;
df9dcb45 2002 struct xfrm_mode *inner_mode;
d094cd83 2003 int family = x->props.family;
72cb6962
HX		 2004 int err;
2005
d094cd83
HX		 2006 err = -EAFNOSUPPORT;
2007 afinfo = xfrm_state_get_afinfo(family);
2008 if (!afinfo)
2009 goto error;
2010
2011 err = 0;
2012 if (afinfo->init_flags)
2013 err = afinfo->init_flags(x);
2014
2015 xfrm_state_put_afinfo(afinfo);
2016
2017 if (err)
2018 goto error;
2019
2020 err = -EPROTONOSUPPORT;
13996378 2021
df9dcb45
KM		 2022 if (x->sel.family != AF_UNSPEC) {
2023 inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
2024 if (inner_mode == NULL)
2025 goto error;
2026
2027 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
2028 family != x->sel.family) {
2029 xfrm_put_mode(inner_mode);
2030 goto error;
2031 }
2032
2033 x->inner_mode = inner_mode;
2034 } else {
2035 struct xfrm_mode *inner_mode_iaf;
2036
2037 inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
2038 if (inner_mode == NULL)
2039 goto error;
2040
2041 if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
2042 xfrm_put_mode(inner_mode);
2043 goto error;
2044 }
2045
2046 inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
2047 if (inner_mode_iaf == NULL)
2048 goto error;
2049
2050 if (!(inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)) {
2051 xfrm_put_mode(inner_mode_iaf);
2052 goto error;
2053 }
2054
2055 if (x->props.family == AF_INET) {
2056 x->inner_mode = inner_mode;
2057 x->inner_mode_iaf = inner_mode_iaf;
2058 } else {
2059 x->inner_mode = inner_mode_iaf;
2060 x->inner_mode_iaf = inner_mode;
2061 }
2062 }
13996378 2063
d094cd83 2064 x->type = xfrm_get_type(x->id.proto, family);
72cb6962
HX		 2065 if (x->type == NULL)
2066 goto error;
2067
2068 err = x->type->init_state(x);
2069 if (err)
2070 goto error;
2071
13996378
HX		 2072 x->outer_mode = xfrm_get_mode(x->props.mode, family);
2073 if (x->outer_mode == NULL)
b59f45d0
HX		 2074 goto error;
2075
72cb6962
HX		 2076 x->km.state = XFRM_STATE_VALID;
2077
2078error:
2079 return err;
2080}
2081
2082EXPORT_SYMBOL(xfrm_init_state);
a716c119 2083
d62ddc21 2084int __net_init xfrm_state_init(struct net *net)
1da177e4 2085{
f034b5d4
DM		 2086 unsigned int sz;
2087
9d4139c7
AD		 2088 INIT_LIST_HEAD(&net->xfrm.state_all);
2089
f034b5d4
DM		 2090 sz = sizeof(struct hlist_head) * 8;
2091
73d189dc
AD		 2092 net->xfrm.state_bydst = xfrm_hash_alloc(sz);
2093 if (!net->xfrm.state_bydst)
2094 goto out_bydst;
d320bbb3
AD		 2095 net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
2096 if (!net->xfrm.state_bysrc)
2097 goto out_bysrc;
b754a4fd
AD		 2098 net->xfrm.state_byspi = xfrm_hash_alloc(sz);
2099 if (!net->xfrm.state_byspi)
2100 goto out_byspi;
529983ec 2101 net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
1da177e4 2102
0bf7c5b0 2103 net->xfrm.state_num = 0;
63082733 2104 INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
b8a0ae20 2105 INIT_HLIST_HEAD(&net->xfrm.state_gc_list);
c7837144 2106 INIT_WORK(&net->xfrm.state_gc_work, xfrm_state_gc_task);
50a30657 2107 init_waitqueue_head(&net->xfrm.km_waitq);
d62ddc21 2108 return 0;
73d189dc 2109
b754a4fd
AD		 2110out_byspi:
2111 xfrm_hash_free(net->xfrm.state_bysrc, sz);
d320bbb3
AD		 2112out_bysrc:
2113 xfrm_hash_free(net->xfrm.state_bydst, sz);
73d189dc
AD		 2114out_bydst:
2115 return -ENOMEM;
d62ddc21
AD		 2116}
2117
2118void xfrm_state_fini(struct net *net)
2119{
73d189dc
AD		 2120 unsigned int sz;
2121
9d4139c7 2122 WARN_ON(!list_empty(&net->xfrm.state_all));
73d189dc 2123
529983ec 2124 sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
b754a4fd
AD		 2125 WARN_ON(!hlist_empty(net->xfrm.state_byspi));
2126 xfrm_hash_free(net->xfrm.state_byspi, sz);
d320bbb3
AD		 2127 WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
2128 xfrm_hash_free(net->xfrm.state_bysrc, sz);
73d189dc
AD		 2129 WARN_ON(!hlist_empty(net->xfrm.state_bydst));
2130 xfrm_hash_free(net->xfrm.state_bydst, sz);
1da177e4
LT		 2131}
2132
ab5f5e8b 2133#ifdef CONFIG_AUDITSYSCALL
cf35f43e
IJ		 2134static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
2135 struct audit_buffer *audit_buf)
ab5f5e8b 2136{
68277acc
PM		 2137 struct xfrm_sec_ctx *ctx = x->security;
2138 u32 spi = ntohl(x->id.spi);
2139
2140 if (ctx)
ab5f5e8b 2141 audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
68277acc 2142 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
ab5f5e8b
JL		 2143
2144 switch(x->props.family) {
2145 case AF_INET:
21454aaa
HH		 2146 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2147 &x->props.saddr.a4, &x->id.daddr.a4);
ab5f5e8b
JL		 2148 break;
2149 case AF_INET6:
5b095d98 2150 audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
fdb46ee7 2151 x->props.saddr.a6, x->id.daddr.a6);
ab5f5e8b
JL		 2152 break;
2153 }
68277acc
PM		 2154
2155 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
ab5f5e8b
JL		 2156}
2157
cf35f43e
IJ		 2158static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
2159 struct audit_buffer *audit_buf)
afeb14b4
PM		 2160{
2161 struct iphdr *iph4;
2162 struct ipv6hdr *iph6;
2163
2164 switch (family) {
2165 case AF_INET:
2166 iph4 = ip_hdr(skb);
21454aaa
HH		 2167 audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
2168 &iph4->saddr, &iph4->daddr);
afeb14b4
PM		 2169 break;
2170 case AF_INET6:
2171 iph6 = ipv6_hdr(skb);
2172 audit_log_format(audit_buf,
5b095d98 2173 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
fdb46ee7 2174 &iph6->saddr,&iph6->daddr,
afeb14b4
PM		 2175 iph6->flow_lbl[0] & 0x0f,
2176 iph6->flow_lbl[1],
2177 iph6->flow_lbl[2]);
2178 break;
2179 }
2180}
2181
68277acc 2182void xfrm_audit_state_add(struct xfrm_state *x, int result,
2532386f 2183 uid_t auid, u32 sessionid, u32 secid)
ab5f5e8b
JL		 2184{
2185 struct audit_buffer *audit_buf;
ab5f5e8b 2186
afeb14b4 2187 audit_buf = xfrm_audit_start("SAD-add");
ab5f5e8b
JL		 2188 if (audit_buf == NULL)
2189 return;
2532386f 2190 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
afeb14b4
PM		 2191 xfrm_audit_helper_sainfo(x, audit_buf);
2192 audit_log_format(audit_buf, " res=%u", result);
ab5f5e8b
JL		 2193 audit_log_end(audit_buf);
2194}
2195EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
2196
68277acc 2197void xfrm_audit_state_delete(struct xfrm_state *x, int result,
2532386f 2198 uid_t auid, u32 sessionid, u32 secid)
ab5f5e8b
JL		 2199{
2200 struct audit_buffer *audit_buf;
ab5f5e8b 2201
afeb14b4 2202 audit_buf = xfrm_audit_start("SAD-delete");
ab5f5e8b
JL		 2203 if (audit_buf == NULL)
2204 return;
2532386f 2205 xfrm_audit_helper_usrinfo(auid, sessionid, secid, audit_buf);
afeb14b4
PM		 2206 xfrm_audit_helper_sainfo(x, audit_buf);
2207 audit_log_format(audit_buf, " res=%u", result);
ab5f5e8b
JL		 2208 audit_log_end(audit_buf);
2209}
2210EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
afeb14b4
PM		 2211
2212void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
2213 struct sk_buff *skb)
2214{
2215 struct audit_buffer *audit_buf;
2216 u32 spi;
2217
2218 audit_buf = xfrm_audit_start("SA-replay-overflow");
2219 if (audit_buf == NULL)
2220 return;
2221 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2222 /* don't record the sequence number because it's inherent in this kind
2223 * of audit message */
2224 spi = ntohl(x->id.spi);
2225 audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
2226 audit_log_end(audit_buf);
2227}
2228EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
2229
2230static void xfrm_audit_state_replay(struct xfrm_state *x,
2231 struct sk_buff *skb, __be32 net_seq)
2232{
2233 struct audit_buffer *audit_buf;
2234 u32 spi;
2235
2236 audit_buf = xfrm_audit_start("SA-replayed-pkt");
2237 if (audit_buf == NULL)
2238 return;
2239 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2240 spi = ntohl(x->id.spi);
2241 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2242 spi, spi, ntohl(net_seq));
2243 audit_log_end(audit_buf);
2244}
2245
2246void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
2247{
2248 struct audit_buffer *audit_buf;
2249
2250 audit_buf = xfrm_audit_start("SA-notfound");
2251 if (audit_buf == NULL)
2252 return;
2253 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2254 audit_log_end(audit_buf);
2255}
2256EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
2257
2258void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
2259 __be32 net_spi, __be32 net_seq)
2260{
2261 struct audit_buffer *audit_buf;
2262 u32 spi;
2263
2264 audit_buf = xfrm_audit_start("SA-notfound");
2265 if (audit_buf == NULL)
2266 return;
2267 xfrm_audit_helper_pktinfo(skb, family, audit_buf);
2268 spi = ntohl(net_spi);
2269 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2270 spi, spi, ntohl(net_seq));
2271 audit_log_end(audit_buf);
2272}
2273EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
2274
2275void xfrm_audit_state_icvfail(struct xfrm_state *x,
2276 struct sk_buff *skb, u8 proto)
2277{
2278 struct audit_buffer *audit_buf;
2279 __be32 net_spi;
2280 __be32 net_seq;
2281
2282 audit_buf = xfrm_audit_start("SA-icv-failure");
2283 if (audit_buf == NULL)
2284 return;
2285 xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
2286 if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
2287 u32 spi = ntohl(net_spi);
2288 audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
2289 spi, spi, ntohl(net_seq));
2290 }
2291 audit_log_end(audit_buf);
2292}
2293EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
ab5f5e8b 2294#endif /* CONFIG_AUDITSYSCALL */
Ubuntu Artful kernel mirror