* [PATCH ipsec-next 0/7] xfrm: add extack support to some more message types
@ 2022-11-24 14:43 Sabrina Dubroca
2022-11-24 14:43 ` [PATCH ipsec-next 1/7] xfrm: a few coding style clean ups Sabrina Dubroca
` (7 more replies)
0 siblings, 8 replies; 9+ messages in thread
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
This is the last part of my extack work for xfrm, adding extack
messages to the last remaining operations: NEWSPDINFO, ALLOCSPI,
MIGRATE, NEWAE, DELSA, EXPIRE.
The first patch does a few clean ups on code that will be changed
later on in the series.
Sabrina Dubroca (7):
xfrm: a few coding style clean ups
xfrm: add extack to xfrm_add_sa_expire
xfrm: add extack to xfrm_del_sa
xfrm: add extack to xfrm_new_ae and xfrm_replay_verify_len
xfrm: add extack to xfrm_do_migrate
xfrm: add extack to xfrm_alloc_userspi
xfrm: add extack to xfrm_set_spdinfo
include/net/xfrm.h | 8 ++--
net/key/af_key.c | 6 +--
net/xfrm/xfrm_policy.c | 33 ++++++++++++-----
net/xfrm/xfrm_state.c | 21 ++++++++---
net/xfrm/xfrm_user.c | 84 ++++++++++++++++++++++++++++++------------
5 files changed, 109 insertions(+), 43 deletions(-)
--
2.38.0
* [PATCH ipsec-next 1/7] xfrm: a few coding style clean ups
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_policy.c | 9 ++++++---
net/xfrm/xfrm_user.c | 6 +++---
2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d80519c4e389..a049f91d4446 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4414,7 +4414,8 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
struct xfrm_migrate *mp;
/* Stage 0 - sanity checks */
- if ((err = xfrm_migrate_check(m, num_migrate)) < 0)
+ err = xfrm_migrate_check(m, num_migrate);
+ if (err < 0)
goto out;
if (dir >= XFRM_POLICY_MAX) {
@@ -4423,7 +4424,8 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
}
/* Stage 1 - find policy */
- if ((pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id)) == NULL) {
+ pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id);
+ if (!pol) {
err = -ENOENT;
goto out;
}
@@ -4445,7 +4447,8 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
}
/* Stage 3 - update policy */
- if ((err = xfrm_policy_migrate(pol, m, num_migrate)) < 0)
+ err = xfrm_policy_migrate(pol, m, num_migrate);
+ if (err < 0)
goto restore_state;
/* Stage 4 - delete old state(s) */
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index e73f9efc54c1..25de6e8faf8d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1538,7 +1538,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
&p->info.saddr, 1,
family);
err = -ENOENT;
- if (x == NULL)
+ if (!x)
goto out_noput;
err = xfrm_alloc_spi(x, p->min, p->max);
@@ -2718,7 +2718,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_encap_tmpl *encap = NULL;
u32 if_id = 0;
- if (attrs[XFRMA_MIGRATE] == NULL)
+ if (!attrs[XFRMA_MIGRATE])
return -EINVAL;
kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL;
@@ -2727,7 +2727,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err)
return err;
- err = copy_from_user_migrate((struct xfrm_migrate *)m, kmp, attrs, &n);
+ err = copy_from_user_migrate(m, kmp, attrs, &n);
if (err)
return err;
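Review bot: Dropping the (struct xfrm_migrate *) cast in the copy_from_user_migrate() call is not a pure style change like the rest of this patch: it only builds without warnings if m is already declared as a struct xfrm_migrate array, and that declaration is outside the visible context. The patch has no changelog body, so a sentence stating that the cast was redundant would let this be reviewed without opening the file.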
--
2.38.0
* [PATCH ipsec-next 2/7] xfrm: add extack to xfrm_add_sa_expire
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 25de6e8faf8d..1664baefae80 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2584,8 +2584,11 @@ static int xfrm_add_sa_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
spin_lock_bh(&x->lock);
err = -EINVAL;
- if (x->km.state != XFRM_STATE_VALID)
+ if (x->km.state != XFRM_STATE_VALID) {
+ NL_SET_ERR_MSG(extack, "SA must be in VALID state");
goto out;
+ }
+
km_state_expired(x, ue->hard, nlh->nlmsg_pid);
if (ue->hard) {
--
2.38.0
* [PATCH ipsec-next 3/7] xfrm: add extack to xfrm_del_sa
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 1664baefae80..06a379d35ebb 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -862,12 +862,12 @@ static int xfrm_del_sa(struct sk_buff *skb, struct nlmsghdr *nlh,
goto out;
if (xfrm_state_kern(x)) {
+ NL_SET_ERR_MSG(extack, "SA is in use by tunnels");
err = -EPERM;
goto out;
}
err = xfrm_state_delete(x);
-
if (err < 0)
goto out;
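Review bot: The blank-line removal after xfrm_state_delete(x) is a style fix unrelated to extack and would fit better in patch 1/7. In the same hunk, the err < 0 path after xfrm_state_delete() still exits without an extack message while the -EPERM path now sets one; either add a message there or say in the changelog why it is left bare.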
--
2.38.0
* [PATCH ipsec-next 4/7] xfrm: add extack to xfrm_new_ae and xfrm_replay_verify_len
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 37 ++++++++++++++++++++++++++++---------
1 file changed, 28 insertions(+), 9 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 06a379d35ebb..13607df4f30d 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -515,7 +515,8 @@ static int attach_aead(struct xfrm_state *x, struct nlattr *rta,
}
static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_esn,
- struct nlattr *rp)
+ struct nlattr *rp,
+ struct netlink_ext_ack *extack)
{
struct xfrm_replay_state_esn *up;
unsigned int ulen;
@@ -528,13 +529,25 @@ static inline int xfrm_replay_verify_len(struct xfrm_replay_state_esn *replay_es
/* Check the overall length and the internal bitmap length to avoid
* potential overflow. */
- if (nla_len(rp) < (int)ulen ||
- xfrm_replay_state_esn_len(replay_esn) != ulen ||
- replay_esn->bmp_len != up->bmp_len)
+ if (nla_len(rp) < (int)ulen) {
+ NL_SET_ERR_MSG(extack, "ESN attribute is too short");
return -EINVAL;
+ }
- if (up->replay_window > up->bmp_len * sizeof(__u32) * 8)
+ if (xfrm_replay_state_esn_len(replay_esn) != ulen) {
+ NL_SET_ERR_MSG(extack, "New ESN size doesn't match the existing SA's ESN size");
return -EINVAL;
+ }
+
+ if (replay_esn->bmp_len != up->bmp_len) {
+ NL_SET_ERR_MSG(extack, "New ESN bitmap size doesn't match the existing SA's ESN bitmap");
+ return -EINVAL;
+ }
+
+ if (up->replay_window > up->bmp_len * sizeof(__u32) * 8) {
+ NL_SET_ERR_MSG(extack, "ESN replay window is longer than the bitmap");
+ return -EINVAL;
+ }
return 0;
}
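Review bot: The comment "Check the overall length and the internal bitmap length to avoid potential overflow" now sits above the nla_len() check only, while the bmp_len comparison it also describes has moved two blocks further down. Since the comment is the only statement of why these checks exist, consider splitting it so that the length check and the bitmap-length check each keep their rationale next to them.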
@@ -2433,12 +2446,16 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
struct nlattr *et = attrs[XFRMA_ETIMER_THRESH];
struct nlattr *rt = attrs[XFRMA_REPLAY_THRESH];
- if (!lt && !rp && !re && !et && !rt)
+ if (!lt && !rp && !re && !et && !rt) {
+ NL_SET_ERR_MSG(extack, "Missing required attribute for AE");
return err;
+ }
/* pedantic mode - thou shalt sayeth replaceth */
- if (!(nlh->nlmsg_flags&NLM_F_REPLACE))
+ if (!(nlh->nlmsg_flags & NLM_F_REPLACE)) {
+ NL_SET_ERR_MSG(extack, "NLM_F_REPLACE flag is required");
return err;
+ }
mark = xfrm_mark_get(attrs, &m);
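Review bot: "Missing required attribute for AE" reads as if one specific attribute were mandatory, but the condition !lt && !rp && !re && !et && !rt only fails when all five are absent. Wording that says at least one of the AE attributes must be present (ideally naming them) would tell the user what to add.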
@@ -2446,10 +2463,12 @@ static int xfrm_new_ae(struct sk_buff *skb, struct nlmsghdr *nlh,
if (x == NULL)
return -ESRCH;
- if (x->km.state != XFRM_STATE_VALID)
+ if (x->km.state != XFRM_STATE_VALID) {
+ NL_SET_ERR_MSG(extack, "SA must be in VALID state");
goto out;
+ }
- err = xfrm_replay_verify_len(x->replay_esn, re);
+ err = xfrm_replay_verify_len(x->replay_esn, re, extack);
if (err)
goto out;
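Review bot: The x == NULL path at the top of this hunk still returns -ESRCH with no extack message, while the state check and the xfrm_replay_verify_len() call right after it now report one. An NL_SET_ERR_MSG() saying the SA was not found would complete the coverage, and the test could become if (!x) to match the style applied in patch 1/7.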
--
2.38.0
* [PATCH ipsec-next 5/7] xfrm: add extack to xfrm_do_migrate
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
include/net/xfrm.h | 3 ++-
net/key/af_key.c | 2 +-
net/xfrm/xfrm_policy.c | 28 ++++++++++++++++++++--------
net/xfrm/xfrm_user.c | 16 +++++++++++-----
4 files changed, 34 insertions(+), 15 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index dbc81f5eb553..576566bd0be9 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1703,7 +1703,8 @@ struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
struct xfrm_migrate *m, int num_bundles,
struct xfrm_kmaddress *k, struct net *net,
- struct xfrm_encap_tmpl *encap, u32 if_id);
+ struct xfrm_encap_tmpl *encap, u32 if_id,
+ struct netlink_ext_ack *extack);
#endif
int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport);
diff --git a/net/key/af_key.c b/net/key/af_key.c
index c85df5b958d2..7f4ff5fe2257 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2626,7 +2626,7 @@ static int pfkey_migrate(struct sock *sk, struct sk_buff *skb,
}
return xfrm_migrate(&sel, dir, XFRM_POLICY_TYPE_MAIN, m, i,
- kma ? &k : NULL, net, NULL, 0);
+ kma ? &k : NULL, net, NULL, 0, NULL);
out:
return err;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a049f91d4446..9b9e2765363d 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -4333,7 +4333,8 @@ static int migrate_tmpl_match(const struct xfrm_migrate *m, const struct xfrm_tm
/* update endpoint address(es) of template(s) */
static int xfrm_policy_migrate(struct xfrm_policy *pol,
- struct xfrm_migrate *m, int num_migrate)
+ struct xfrm_migrate *m, int num_migrate,
+ struct netlink_ext_ack *extack)
{
struct xfrm_migrate *mp;
int i, j, n = 0;
@@ -4341,6 +4342,7 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
write_lock_bh(&pol->lock);
if (unlikely(pol->walk.dead)) {
/* target policy has been deleted */
+ NL_SET_ERR_MSG(extack, "Target policy not found");
write_unlock_bh(&pol->lock);
return -ENOENT;
}
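Review bot: "Target policy not found" in the pol->walk.dead branch is the same string that xfrm_migrate() sets later in this patch when xfrm_migrate_policy_find() returns NULL, so userspace cannot tell a failed lookup from a policy that was found and has since been deleted. The existing comment already says "target policy has been deleted"; using that wording for the message would keep the two cases apart.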
@@ -4372,17 +4374,22 @@ static int xfrm_policy_migrate(struct xfrm_policy *pol,
return 0;
}
-static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
+static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate,
+ struct netlink_ext_ack *extack)
{
int i, j;
- if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH)
+ if (num_migrate < 1 || num_migrate > XFRM_MAX_DEPTH) {
+ NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)");
return -EINVAL;
+ }
for (i = 0; i < num_migrate; i++) {
if (xfrm_addr_any(&m[i].new_daddr, m[i].new_family) ||
- xfrm_addr_any(&m[i].new_saddr, m[i].new_family))
+ xfrm_addr_any(&m[i].new_saddr, m[i].new_family)) {
+ NL_SET_ERR_MSG(extack, "Addresses in the MIGRATE attribute's list cannot be null");
return -EINVAL;
+ }
/* check if there is any duplicated entry */
for (j = i + 1; j < num_migrate; j++) {
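Review bot: The num_migrate message hard-codes "(6)" next to XFRM_MAX_DEPTH, and the identical string is repeated in copy_from_user_migrate() in net/xfrm/xfrm_user.c further down this patch. If XFRM_MAX_DEPTH ever changes, both strings go stale silently; consider dropping the literal number or deriving it from the macro, and keeping the text in one place.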
@@ -4393,8 +4400,10 @@ static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
m[i].proto == m[j].proto &&
m[i].mode == m[j].mode &&
m[i].reqid == m[j].reqid &&
- m[i].old_family == m[j].old_family)
+ m[i].old_family == m[j].old_family) {
+ NL_SET_ERR_MSG(extack, "Entries in the MIGRATE attribute's list must be unique");
return -EINVAL;
+ }
}
}
@@ -4404,7 +4413,8 @@ static int xfrm_migrate_check(const struct xfrm_migrate *m, int num_migrate)
int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
struct xfrm_migrate *m, int num_migrate,
struct xfrm_kmaddress *k, struct net *net,
- struct xfrm_encap_tmpl *encap, u32 if_id)
+ struct xfrm_encap_tmpl *encap, u32 if_id,
+ struct netlink_ext_ack *extack)
{
int i, err, nx_cur = 0, nx_new = 0;
struct xfrm_policy *pol = NULL;
@@ -4414,11 +4424,12 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
struct xfrm_migrate *mp;
/* Stage 0 - sanity checks */
- err = xfrm_migrate_check(m, num_migrate);
+ err = xfrm_migrate_check(m, num_migrate, extack);
if (err < 0)
goto out;
if (dir >= XFRM_POLICY_MAX) {
+ NL_SET_ERR_MSG(extack, "Invalid policy direction");
err = -EINVAL;
goto out;
}
@@ -4426,6 +4437,7 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
/* Stage 1 - find policy */
pol = xfrm_migrate_policy_find(sel, dir, type, net, if_id);
if (!pol) {
+ NL_SET_ERR_MSG(extack, "Target policy not found");
err = -ENOENT;
goto out;
}
@@ -4447,7 +4459,7 @@ int xfrm_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
}
/* Stage 3 - update policy */
- err = xfrm_policy_migrate(pol, m, num_migrate);
+ err = xfrm_policy_migrate(pol, m, num_migrate, extack);
if (err < 0)
goto restore_state;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 13607df4f30d..c5d6a92d73cb 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2687,7 +2687,8 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
#ifdef CONFIG_XFRM_MIGRATE
static int copy_from_user_migrate(struct xfrm_migrate *ma,
struct xfrm_kmaddress *k,
- struct nlattr **attrs, int *num)
+ struct nlattr **attrs, int *num,
+ struct netlink_ext_ack *extack)
{
struct nlattr *rt = attrs[XFRMA_MIGRATE];
struct xfrm_user_migrate *um;
@@ -2706,8 +2707,10 @@ static int copy_from_user_migrate(struct xfrm_migrate *ma,
um = nla_data(rt);
num_migrate = nla_len(rt) / sizeof(*um);
- if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH)
+ if (num_migrate <= 0 || num_migrate > XFRM_MAX_DEPTH) {
+ NL_SET_ERR_MSG(extack, "Invalid number of SAs to migrate, must be 0 < num <= XFRM_MAX_DEPTH (6)");
return -EINVAL;
+ }
for (i = 0; i < num_migrate; i++, um++, ma++) {
memcpy(&ma->old_daddr, &um->old_daddr, sizeof(ma->old_daddr));
@@ -2740,8 +2743,10 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
struct xfrm_encap_tmpl *encap = NULL;
u32 if_id = 0;
- if (!attrs[XFRMA_MIGRATE])
+ if (!attrs[XFRMA_MIGRATE]) {
+ NL_SET_ERR_MSG(extack, "Missing required MIGRATE attribute");
return -EINVAL;
+ }
kmp = attrs[XFRMA_KMADDRESS] ? &km : NULL;
@@ -2749,7 +2754,7 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
if (err)
return err;
- err = copy_from_user_migrate(m, kmp, attrs, &n);
+ err = copy_from_user_migrate(m, kmp, attrs, &n, extack);
if (err)
return err;
@@ -2766,7 +2771,8 @@ static int xfrm_do_migrate(struct sk_buff *skb, struct nlmsghdr *nlh,
if (attrs[XFRMA_IF_ID])
if_id = nla_get_u32(attrs[XFRMA_IF_ID]);
- err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap, if_id);
+ err = xfrm_migrate(&pi->sel, pi->dir, type, m, n, kmp, net, encap,
+ if_id, extack);
kfree(encap);
--
2.38.0
* [PATCH ipsec-next 6/7] xfrm: add extack to xfrm_alloc_userspi
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
include/net/xfrm.h | 5 +++--
net/key/af_key.c | 4 ++--
net/xfrm/xfrm_state.c | 21 ++++++++++++++++-----
net/xfrm/xfrm_user.c | 8 +++++---
4 files changed, 26 insertions(+), 12 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 576566bd0be9..e0cc6791c001 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1681,8 +1681,9 @@ struct xfrm_policy *xfrm_policy_byid(struct net *net,
int xfrm_policy_flush(struct net *net, u8 type, bool task_valid);
void xfrm_policy_hash_rebuild(struct net *net);
u32 xfrm_get_acqseq(void);
-int verify_spi_info(u8 proto, u32 min, u32 max);
-int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi);
+int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack);
+int xfrm_alloc_spi(struct xfrm_state *x, u32 minspi, u32 maxspi,
+ struct netlink_ext_ack *extack);
struct xfrm_state *xfrm_find_acq(struct net *net, const struct xfrm_mark *mark,
u8 mode, u32 reqid, u32 if_id, u8 proto,
const xfrm_address_t *daddr,
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 7f4ff5fe2257..e1d2155605aa 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1377,13 +1377,13 @@ static int pfkey_getspi(struct sock *sk, struct sk_buff *skb, const struct sadb_
max_spi = range->sadb_spirange_max;
}
- err = verify_spi_info(x->id.proto, min_spi, max_spi);
+ err = verify_spi_info(x->id.proto, min_spi, max_spi, NULL);
if (err) {
xfrm_state_put(x);
return err;
}
- err = xfrm_alloc_spi(x, min_spi, max_spi);
+ err = xfrm_alloc_spi(x, min_spi, max_spi, NULL);
resp_skb = err ? ERR_PTR(err) : pfkey_xfrm_state2msg(x);
if (IS_ERR(resp_skb)) {
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 81df34b3da6e..d0ae17e3bb38 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2017,7 +2017,7 @@ u32 xfrm_get_acqseq(void)
}
EXPORT_SYMBOL(xfrm_get_acqseq);
-int verify_spi_info(u8 proto, u32 min, u32 max)
+int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack)
{
switch (proto) {
case IPPROTO_AH:
@@ -2026,22 +2026,28 @@ int verify_spi_info(u8 proto, u32 min, u32 max)
case IPPROTO_COMP:
/* IPCOMP spi is 16-bits. */
- if (max >= 0x10000)
+ if (max >= 0x10000) {
+ NL_SET_ERR_MSG(extack, "IPCOMP SPI must be <= 65535");
return -EINVAL;
+ }
break;
default:
+ NL_SET_ERR_MSG(extack, "Invalid protocol, must be one of AH, ESP, IPCOMP");
return -EINVAL;
}
- if (min > max)
+ if (min > max) {
+ NL_SET_ERR_MSG(extack, "Invalid SPI range: min > max");
return -EINVAL;
+ }
return 0;
}
EXPORT_SYMBOL(verify_spi_info);
-int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
+int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,
+ struct netlink_ext_ack *extack)
{
struct net *net = xs_net(x);
unsigned int h;
@@ -2053,8 +2059,10 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
u32 mark = x->mark.v & x->mark.m;
spin_lock_bh(&x->lock);
- if (x->km.state == XFRM_STATE_DEAD)
+ if (x->km.state == XFRM_STATE_DEAD) {
+ NL_SET_ERR_MSG(extack, "Target ACQUIRE is in DEAD state");
goto unlock;
+ }
err = 0;
if (x->id.spi)
@@ -2065,6 +2073,7 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
if (minspi == maxspi) {
x0 = xfrm_state_lookup(net, mark, &x->id.daddr, minspi, x->id.proto, x->props.family);
if (x0) {
+ NL_SET_ERR_MSG(extack, "Requested SPI is already in use");
xfrm_state_put(x0);
goto unlock;
}
@@ -2089,6 +2098,8 @@ int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high)
spin_unlock_bh(&net->xfrm.xfrm_state_lock);
err = 0;
+ } else {
+ NL_SET_ERR_MSG(extack, "No SPI available in the requested range");
}
unlock:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index c5d6a92d73cb..5c280e04e02c 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1523,7 +1523,7 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
u32 if_id = 0;
p = nlmsg_data(nlh);
- err = verify_spi_info(p->info.id.proto, p->min, p->max);
+ err = verify_spi_info(p->info.id.proto, p->min, p->max, extack);
if (err)
goto out_noput;
@@ -1551,10 +1551,12 @@ static int xfrm_alloc_userspi(struct sk_buff *skb, struct nlmsghdr *nlh,
&p->info.saddr, 1,
family);
err = -ENOENT;
- if (!x)
+ if (!x) {
+ NL_SET_ERR_MSG(extack, "Target ACQUIRE not found");
goto out_noput;
+ }
- err = xfrm_alloc_spi(x, p->min, p->max);
+ err = xfrm_alloc_spi(x, p->min, p->max, extack);
if (err)
goto out;
--
2.38.0
* [PATCH ipsec-next 7/7] xfrm: add extack to xfrm_set_spdinfo
From: Sabrina Dubroca @ 2022-11-24 14:43 UTC (permalink / raw)
To: netdev; +Cc: steffen.klassert, Sabrina Dubroca
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
---
net/xfrm/xfrm_user.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5c280e04e02c..0eb4696661c8 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1367,20 +1367,28 @@ static int xfrm_set_spdinfo(struct sk_buff *skb, struct nlmsghdr *nlh,
if (attrs[XFRMA_SPD_IPV4_HTHRESH]) {
struct nlattr *rta = attrs[XFRMA_SPD_IPV4_HTHRESH];
- if (nla_len(rta) < sizeof(*thresh4))
+ if (nla_len(rta) < sizeof(*thresh4)) {
+ NL_SET_ERR_MSG(extack, "Invalid SPD_IPV4_HTHRESH attribute length");
return -EINVAL;
+ }
thresh4 = nla_data(rta);
- if (thresh4->lbits > 32 || thresh4->rbits > 32)
+ if (thresh4->lbits > 32 || thresh4->rbits > 32) {
+ NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 32 for IPv4)");
return -EINVAL;
+ }
}
if (attrs[XFRMA_SPD_IPV6_HTHRESH]) {
struct nlattr *rta = attrs[XFRMA_SPD_IPV6_HTHRESH];
- if (nla_len(rta) < sizeof(*thresh6))
+ if (nla_len(rta) < sizeof(*thresh6)) {
+ NL_SET_ERR_MSG(extack, "Invalid SPD_IPV6_HTHRESH attribute length");
return -EINVAL;
+ }
thresh6 = nla_data(rta);
- if (thresh6->lbits > 128 || thresh6->rbits > 128)
+ if (thresh6->lbits > 128 || thresh6->rbits > 128) {
+ NL_SET_ERR_MSG(extack, "Invalid hash threshold (must be <= 128 for IPv6)");
return -EINVAL;
+ }
}
if (thresh4 || thresh6) {
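Review bot: "Invalid SPD_IPV4_HTHRESH attribute length" and its IPv6 twin are set when nla_len(rta) is smaller than sizeof(*thresh4) or sizeof(*thresh6), that is, only when the attribute is too short; patch 4/7 words the same kind of check as "ESN attribute is too short". Using the "too short" form here as well would be consistent and more precise. The two threshold messages could also say that the limit applies to both lbits and rbits.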
--
2.38.0
* Re: [PATCH ipsec-next 0/7] xfrm: add extack support to some more message types
From: Steffen Klassert @ 2022-11-26 10:35 UTC (permalink / raw)
To: Sabrina Dubroca; +Cc: netdev
On Thu, Nov 24, 2022 at 03:43:37PM +0100, Sabrina Dubroca wrote:
> This is the last part of my extack work for xfrm, adding extack
> messages to the last remaining operations: NEWSPDINFO, ALLOCSPI,
> MIGRATE, NEWAE, DELSA, EXPIRE.
>
> The first patch does a few clean ups on code that will be changed
> later on in the series.
>
> Sabrina Dubroca (7):
> xfrm: a few coding style clean ups
> xfrm: add extack to xfrm_add_sa_expire
> xfrm: add extack to xfrm_del_sa
> xfrm: add extack to xfrm_new_ae and xfrm_replay_verify_len
> xfrm: add extack to xfrm_do_migrate
> xfrm: add extack to xfrm_alloc_userspi
> xfrm: add extack to xfrm_set_spdinfo
Series applied, thanks Sabrina!