From: Greg Kroah-Hartman <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
torvalds@osdl.org, akpm@osdl.org, alan@lxorguk.ukuu.org.uk,
davem@davemloft.net
Subject: [patch 14/19] [IPSEC]: Perform SA switchover immediately.
Date: Fri, 23 Dec 2005 14:48:37 -0800 [thread overview]
Message-ID: <20051223224837.GN19057@kroah.com> (raw)
In-Reply-To: <20051223224712.GA18975@kroah.com>
[-- Attachment #1: ipsec-perform-SA-switchover-immediately.patch --]
[-- Type: text/plain, Size: 2456 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: "David S. Miller" <davem@davemloft.net>
When we insert a new xfrm_state which potentially
subsumes an existing one, make sure all cached
bundles are flushed so that the new SA is used
immediately.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/net/xfrm.h | 1 +
net/xfrm/xfrm_policy.c | 19 ++++++++++++++-----
net/xfrm/xfrm_state.c | 5 +++++
3 files changed, 20 insertions(+), 5 deletions(-)
--- linux-2.6.14.4.orig/include/net/xfrm.h
+++ linux-2.6.14.4/include/net/xfrm.h
@@ -890,6 +890,7 @@ struct xfrm_state * xfrm_find_acq(u8 mod
extern void xfrm_policy_flush(void);
extern int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol);
extern int xfrm_flush_bundles(void);
+extern void xfrm_flush_all_bundles(void);
extern int xfrm_bundle_ok(struct xfrm_dst *xdst, struct flowi *fl, int family);
extern void xfrm_init_pmtu(struct dst_entry *dst);
--- linux-2.6.14.4.orig/net/xfrm/xfrm_policy.c
+++ linux-2.6.14.4/net/xfrm/xfrm_policy.c
@@ -1014,13 +1014,12 @@ int __xfrm_route_forward(struct sk_buff
}
EXPORT_SYMBOL(__xfrm_route_forward);
-/* Optimize later using cookies and generation ids. */
-
static struct dst_entry *xfrm_dst_check(struct dst_entry *dst, u32 cookie)
{
- if (!stale_bundle(dst))
- return dst;
-
+ /* If it is marked obsolete, which is how we even get here,
+ * then we have purged it from the policy bundle list and we
+ * did that for a good reason.
+ */
return NULL;
}
@@ -1104,6 +1103,16 @@ int xfrm_flush_bundles(void)
return 0;
}
+static int always_true(struct dst_entry *dst)
+{
+ return 1;
+}
+
+void xfrm_flush_all_bundles(void)
+{
+ xfrm_prune_bundles(always_true);
+}
+
void xfrm_init_pmtu(struct dst_entry *dst)
{
do {
--- linux-2.6.14.4.orig/net/xfrm/xfrm_state.c
+++ linux-2.6.14.4/net/xfrm/xfrm_state.c
@@ -435,6 +435,8 @@ void xfrm_state_insert(struct xfrm_state
spin_lock_bh(&xfrm_state_lock);
__xfrm_state_insert(x);
spin_unlock_bh(&xfrm_state_lock);
+
+ xfrm_flush_all_bundles();
}
EXPORT_SYMBOL(xfrm_state_insert);
@@ -482,6 +484,9 @@ out:
spin_unlock_bh(&xfrm_state_lock);
xfrm_state_put_afinfo(afinfo);
+ if (!err)
+ xfrm_flush_all_bundles();
+
if (x1) {
xfrm_state_delete(x1);
xfrm_state_put(x1);
--
next prev parent reply other threads:[~2005-12-23 22:52 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20051223221200.342826000@press.kroah.org>
2005-12-23 22:47 ` [patch 00/19] -stable review for 2.6.14.5 Greg Kroah-Hartman
2005-12-23 22:47 ` [patch 01/19] ACPI: Add support for FADT P_LVL2_UP flag Greg Kroah-Hartman
2005-12-24 15:38 ` Pavel Machek
2005-12-24 16:14 ` Daniel Drake
2005-12-26 23:54 ` Greg KH
2005-12-23 22:47 ` [patch 02/19] ACPI: Prefer _CST over FADT for C-state capabilities Greg Kroah-Hartman
2005-12-23 22:47 ` [patch 03/19] [NETFILTER]: Fix CTA_PROTO_NUM attribute size in ctnetlink Greg Kroah-Hartman
2005-12-23 22:47 ` [patch 04/19] [NETFILTER]: Fix unbalanced read_unlock_bh " Greg Kroah-Hartman
2005-12-23 22:47 ` [patch 05/19] apci: fix NULL deref in video/lcd/brightness Greg Kroah-Hartman
2005-12-23 22:47 ` [patch 06/19] [PATCH] dpt_i2o fix for deadlock condition Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 07/19] [GRE]: Fix hardware checksum modification Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 08/19] [VLAN]: Fix hardware rx csum errors Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 09/19] [NETFILTER]: Fix NAT init order Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 10/19] [NETFILTER]: Fix incorrect dependency for IP6_NF_TARGET_NFQUEUE Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 11/19] [RTNETLINK]: Fix RTNLGRP definitions in rtnetlink.h Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 12/19] [BRIDGE-NF]: Fix bridge-nf ipv6 length check Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 13/19] [IPV6]: Fix route lifetime Greg Kroah-Hartman
2005-12-23 22:48 ` Greg Kroah-Hartman [this message]
2005-12-23 22:48 ` [patch 15/19] [PATCH] Input: fix an OOPS in HID driver Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 16/19] kernel/params.c: fix sysfs access with CONFIG_MODULES=n Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 17/19] SCSI: fix transfer direction in sd (kernel panic when ejecting iPod) Greg Kroah-Hartman
2005-12-23 22:48 ` [patch 18/19] SCSI: fix transfer direction in scsi_lib and st Greg Kroah-Hartman
2005-12-23 23:05 ` James Bottomley
2005-12-23 23:22 ` [stable] " Chris Wright
2005-12-23 22:48 ` [patch 19/19] setting ACLs on readonly mounted NFS filesystems (CVE-2005-3623) Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20051223224837.GN19057@kroah.com \
--to=gregkh@suse.de \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rdunlap@xenotime.net \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox