net: use skb_sec_path helper in more places
skb_sec_path gains a 'const' qualifier to avoid this warning:

xt_policy.c: 'skb_sec_path' discards 'const' qualifier from pointer target type

Same reasoning as previous conversions: we won't need to touch these spots anymore when skb->sp is removed.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent
7af8f4ca31
commit
2294be0f11
|
@ -4124,7 +4124,7 @@ static inline bool skb_get_dst_pending_confirm(const struct sk_buff *skb)
|
||||||
return skb->dst_pending_confirm != 0;
|
return skb->dst_pending_confirm != 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
|
static inline struct sec_path *skb_sec_path(const struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
#ifdef CONFIG_XFRM
|
#ifdef CONFIG_XFRM
|
||||||
return skb->sp;
|
return skb->sp;
|
||||||
|
|
|
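Review bot: `skb_sec_path()` now accepts `const struct sk_buff *skb` but still returns a writable `struct sec_path *`, so code that was handed a read-only skb can modify its secpath through the result without any cast. The const-holding callers in this commit (`match_policy_in`, `nft_xfrm_get_eval_in`) store the result in a `const struct sec_path *`, but nothing enforces that. A one-line comment above the helper, for example `/* returns a mutable sec_path even for a const skb; read-only callers should keep the result const */`, would record the intent. The function body continues past the end of the hunk.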
@ -1896,14 +1896,16 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
|
||||||
#ifdef CONFIG_XFRM
|
#ifdef CONFIG_XFRM
|
||||||
static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
|
static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
return skb->sp->xvec[skb->sp->len - 1];
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
|
|
||||||
|
return sp->xvec[sp->len - 1];
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
|
static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
|
||||||
{
|
{
|
||||||
#ifdef CONFIG_XFRM
|
#ifdef CONFIG_XFRM
|
||||||
struct sec_path *sp = skb->sp;
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
|
|
||||||
if (!sp || !sp->olen || sp->len != sp->olen)
|
if (!sp || !sp->olen || sp->len != sp->olen)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
|
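Review bot: `xfrm_input_state()` dereferences the result of `skb_sec_path(skb)` and indexes `sp->xvec[sp->len - 1]` without checking that `sp` is non-NULL or that `sp->len` is at least 1, whereas `xfrm_offload()` just below tests `!sp` first. The old `skb->sp->xvec[...]` form had the same requirement, so this is not a regression, but the precondition is easier to miss now that the access goes through a helper that may be read as NULL-safe. I would document it on the function, e.g. `/* caller must ensure skb carries a non-empty secpath */`. `xfrm_offload()` continues past the end of the hunk.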
@ -125,10 +125,13 @@ static void esp_output_done(struct crypto_async_request *base, int err)
|
||||||
void *tmp;
|
void *tmp;
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
|
|
||||||
if (xo && (xo->flags & XFRM_DEV_RESUME))
|
if (xo && (xo->flags & XFRM_DEV_RESUME)) {
|
||||||
x = skb->sp->xvec[skb->sp->len - 1];
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
else
|
|
||||||
|
x = sp->xvec[sp->len - 1];
|
||||||
|
} else {
|
||||||
x = skb_dst(skb)->xfrm;
|
x = skb_dst(skb)->xfrm;
|
||||||
|
}
|
||||||
|
|
||||||
tmp = ESP_SKB_CB(skb)->tmp;
|
tmp = ESP_SKB_CB(skb)->tmp;
|
||||||
esp_ssg_unref(x, tmp);
|
esp_ssg_unref(x, tmp);
|
||||||
|
|
|
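Review bot: The added `struct sec_path *sp = skb_sec_path(skb);` followed by `x = sp->xvec[sp->len - 1];` in `esp_output_done()` open-codes what `xfrm_input_state(skb)` does after this same commit. The pattern repeats in `esp4_gso_segment()`, the two matching esp6 functions and `validate_xmit_xfrm()`. Assuming the header that defines the helper is included in these files, `x = xfrm_input_state(skb);` would keep the last-state lookup in one place, so a later NULL or bounds check only has to be added once. In the `XFRM_DEV_RESUME` branch it would also make the new braces and local unnecessary. `esp_output_done()` starts and ends outside the hunk.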
@ -115,6 +115,7 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
|
||||||
struct crypto_aead *aead;
|
struct crypto_aead *aead;
|
||||||
netdev_features_t esp_features = features;
|
netdev_features_t esp_features = features;
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
struct sec_path *sp;
|
||||||
|
|
||||||
if (!xo)
|
if (!xo)
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
|
@ -122,7 +123,8 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
|
||||||
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
|
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
|
|
||||||
x = skb->sp->xvec[skb->sp->len - 1];
|
sp = skb_sec_path(skb);
|
||||||
|
x = sp->xvec[sp->len - 1];
|
||||||
aead = x->data;
|
aead = x->data;
|
||||||
esph = ip_esp_hdr(skb);
|
esph = ip_esp_hdr(skb);
|
||||||
|
|
||||||
|
|
|
@ -145,10 +145,13 @@ static void esp_output_done(struct crypto_async_request *base, int err)
|
||||||
void *tmp;
|
void *tmp;
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
|
|
||||||
if (xo && (xo->flags & XFRM_DEV_RESUME))
|
if (xo && (xo->flags & XFRM_DEV_RESUME)) {
|
||||||
x = skb->sp->xvec[skb->sp->len - 1];
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
else
|
|
||||||
|
x = sp->xvec[sp->len - 1];
|
||||||
|
} else {
|
||||||
x = skb_dst(skb)->xfrm;
|
x = skb_dst(skb)->xfrm;
|
||||||
|
}
|
||||||
|
|
||||||
tmp = ESP_SKB_CB(skb)->tmp;
|
tmp = ESP_SKB_CB(skb)->tmp;
|
||||||
esp_ssg_unref(x, tmp);
|
esp_ssg_unref(x, tmp);
|
||||||
|
|
|
@ -142,6 +142,7 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
|
||||||
struct crypto_aead *aead;
|
struct crypto_aead *aead;
|
||||||
netdev_features_t esp_features = features;
|
netdev_features_t esp_features = features;
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
struct sec_path *sp;
|
||||||
|
|
||||||
if (!xo)
|
if (!xo)
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
|
@ -149,7 +150,8 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
|
||||||
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
|
if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
|
||||||
return ERR_PTR(-EINVAL);
|
return ERR_PTR(-EINVAL);
|
||||||
|
|
||||||
x = skb->sp->xvec[skb->sp->len - 1];
|
sp = skb_sec_path(skb);
|
||||||
|
x = sp->xvec[sp->len - 1];
|
||||||
aead = x->data;
|
aead = x->data;
|
||||||
esph = ip_esp_hdr(skb);
|
esph = ip_esp_hdr(skb);
|
||||||
|
|
||||||
|
|
|
@ -147,7 +147,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
|
||||||
goto drop;
|
goto drop;
|
||||||
}
|
}
|
||||||
|
|
||||||
skb->sp->xvec[skb->sp->len++] = x;
|
sp->xvec[sp->len++] = x;
|
||||||
|
|
||||||
spin_lock(&x->lock);
|
spin_lock(&x->lock);
|
||||||
|
|
||||||
|
|
|
@ -161,7 +161,7 @@ static void nft_xfrm_get_eval_in(const struct nft_xfrm *priv,
|
||||||
struct nft_regs *regs,
|
struct nft_regs *regs,
|
||||||
const struct nft_pktinfo *pkt)
|
const struct nft_pktinfo *pkt)
|
||||||
{
|
{
|
||||||
const struct sec_path *sp = pkt->skb->sp;
|
const struct sec_path *sp = skb_sec_path(pkt->skb);
|
||||||
const struct xfrm_state *state;
|
const struct xfrm_state *state;
|
||||||
|
|
||||||
if (sp == NULL || sp->len <= priv->spnum) {
|
if (sp == NULL || sp->len <= priv->spnum) {
|
||||||
|
|
|
@ -56,7 +56,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
|
||||||
unsigned short family)
|
unsigned short family)
|
||||||
{
|
{
|
||||||
const struct xt_policy_elem *e;
|
const struct xt_policy_elem *e;
|
||||||
const struct sec_path *sp = skb->sp;
|
const struct sec_path *sp = skb_sec_path(skb);
|
||||||
int strict = info->flags & XT_POLICY_MATCH_STRICT;
|
int strict = info->flags & XT_POLICY_MATCH_STRICT;
|
||||||
int i, pos;
|
int i, pos;
|
||||||
|
|
||||||
|
|
|
@ -32,6 +32,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
|
||||||
struct softnet_data *sd;
|
struct softnet_data *sd;
|
||||||
netdev_features_t esp_features = features;
|
netdev_features_t esp_features = features;
|
||||||
struct xfrm_offload *xo = xfrm_offload(skb);
|
struct xfrm_offload *xo = xfrm_offload(skb);
|
||||||
|
struct sec_path *sp;
|
||||||
|
|
||||||
if (!xo)
|
if (!xo)
|
||||||
return skb;
|
return skb;
|
||||||
|
@ -39,7 +40,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
|
||||||
if (!(features & NETIF_F_HW_ESP))
|
if (!(features & NETIF_F_HW_ESP))
|
||||||
esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
|
esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
|
||||||
|
|
||||||
x = skb->sp->xvec[skb->sp->len - 1];
|
sp = skb_sec_path(skb);
|
||||||
|
x = sp->xvec[sp->len - 1];
|
||||||
if (xo->flags & XFRM_GRO || x->xso.flags & XFRM_OFFLOAD_INBOUND)
|
if (xo->flags & XFRM_GRO || x->xso.flags & XFRM_OFFLOAD_INBOUND)
|
||||||
return skb;
|
return skb;
|
||||||
|
|
||||||
|
|
|
@ -330,7 +330,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
|
||||||
daddr = (xfrm_address_t *)(skb_network_header(skb) +
|
daddr = (xfrm_address_t *)(skb_network_header(skb) +
|
||||||
XFRM_SPI_SKB_CB(skb)->daddroff);
|
XFRM_SPI_SKB_CB(skb)->daddroff);
|
||||||
do {
|
do {
|
||||||
if (skb->sp->len == XFRM_MAX_DEPTH) {
|
sp = skb_sec_path(skb);
|
||||||
|
|
||||||
|
if (sp->len == XFRM_MAX_DEPTH) {
|
||||||
secpath_reset(skb);
|
secpath_reset(skb);
|
||||||
XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
|
||||||
goto drop;
|
goto drop;
|
||||||
|
@ -346,7 +348,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
|
||||||
|
|
||||||
skb->mark = xfrm_smark_get(skb->mark, x);
|
skb->mark = xfrm_smark_get(skb->mark, x);
|
||||||
|
|
||||||
skb->sp->xvec[skb->sp->len++] = x;
|
sp->xvec[sp->len++] = x;
|
||||||
|
|
||||||
lock:
|
lock:
|
||||||
spin_lock(&x->lock);
|
spin_lock(&x->lock);
|
||||||
|
@ -470,8 +472,9 @@ resume:
|
||||||
nf_reset(skb);
|
nf_reset(skb);
|
||||||
|
|
||||||
if (decaps) {
|
if (decaps) {
|
||||||
if (skb->sp)
|
sp = skb_sec_path(skb);
|
||||||
skb->sp->olen = 0;
|
if (sp)
|
||||||
|
sp->olen = 0;
|
||||||
skb_dst_drop(skb);
|
skb_dst_drop(skb);
|
||||||
gro_cells_receive(&gro_cells, skb);
|
gro_cells_receive(&gro_cells, skb);
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -482,8 +485,9 @@ resume:
|
||||||
|
|
||||||
err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
|
err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
|
||||||
if (xfrm_gro) {
|
if (xfrm_gro) {
|
||||||
if (skb->sp)
|
sp = skb_sec_path(skb);
|
||||||
skb->sp->olen = 0;
|
if (sp)
|
||||||
|
sp->olen = 0;
|
||||||
skb_dst_drop(skb);
|
skb_dst_drop(skb);
|
||||||
gro_cells_receive(&gro_cells, skb);
|
gro_cells_receive(&gro_cells, skb);
|
||||||
return err;
|
return err;
|
||||||
|
|
|
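Review bot: `sp` is loaded once at the top of the `do` loop in `xfrm_input()` and reused in a later hunk for the write `sp->xvec[sp->len++] = x;`, with the code between the two not shown here. The `sp->len == XFRM_MAX_DEPTH` test only bounds that write if nothing in between replaces or releases the skb's secpath; previously each access re-read `skb->sp`. If that invariant holds, a short comment at the assignment such as `/* secpath is not replaced before the append below */` would make it reviewable; otherwise `sp` should be re-fetched before the append. The two branches after `resume:` do re-read it before use, which is the safer pattern. `xfrm_input()` starts and ends outside these hunks.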
@ -3200,11 +3200,12 @@ EXPORT_SYMBOL(xfrm_lookup_route);
|
||||||
static inline int
|
static inline int
|
||||||
xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
|
xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
|
||||||
{
|
{
|
||||||
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
struct xfrm_state *x;
|
struct xfrm_state *x;
|
||||||
|
|
||||||
if (!skb->sp || idx < 0 || idx >= skb->sp->len)
|
if (!sp || idx < 0 || idx >= sp->len)
|
||||||
return 0;
|
return 0;
|
||||||
x = skb->sp->xvec[idx];
|
x = sp->xvec[idx];
|
||||||
if (!x->type->reject)
|
if (!x->type->reject)
|
||||||
return 0;
|
return 0;
|
||||||
return x->type->reject(x, skb, fl);
|
return x->type->reject(x, skb, fl);
|
||||||
|
@ -3304,6 +3305,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
struct flowi fl;
|
struct flowi fl;
|
||||||
int xerr_idx = -1;
|
int xerr_idx = -1;
|
||||||
const struct xfrm_if_cb *ifcb;
|
const struct xfrm_if_cb *ifcb;
|
||||||
|
struct sec_path *sp;
|
||||||
struct xfrm_if *xi;
|
struct xfrm_if *xi;
|
||||||
u32 if_id = 0;
|
u32 if_id = 0;
|
||||||
|
|
||||||
|
@ -3328,11 +3330,12 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
nf_nat_decode_session(skb, &fl, family);
|
nf_nat_decode_session(skb, &fl, family);
|
||||||
|
|
||||||
/* First, check used SA against their selectors. */
|
/* First, check used SA against their selectors. */
|
||||||
if (skb->sp) {
|
sp = skb_sec_path(skb);
|
||||||
|
if (sp) {
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
for (i = skb->sp->len-1; i >= 0; i--) {
|
for (i = sp->len - 1; i >= 0; i--) {
|
||||||
struct xfrm_state *x = skb->sp->xvec[i];
|
struct xfrm_state *x = sp->xvec[i];
|
||||||
if (!xfrm_selector_match(&x->sel, &fl, family)) {
|
if (!xfrm_selector_match(&x->sel, &fl, family)) {
|
||||||
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -3359,7 +3362,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!pol) {
|
if (!pol) {
|
||||||
if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
|
if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
|
||||||
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
xfrm_secpath_reject(xerr_idx, skb, &fl);
|
||||||
XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
|
XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -3388,7 +3391,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (pol->action == XFRM_POLICY_ALLOW) {
|
if (pol->action == XFRM_POLICY_ALLOW) {
|
||||||
struct sec_path *sp;
|
|
||||||
static struct sec_path dummy;
|
static struct sec_path dummy;
|
||||||
struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
|
struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
|
||||||
struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
|
struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
|
||||||
|
@ -3396,7 +3398,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
|
||||||
int ti = 0;
|
int ti = 0;
|
||||||
int i, k;
|
int i, k;
|
||||||
|
|
||||||
if ((sp = skb->sp) == NULL)
|
sp = skb_sec_path(skb);
|
||||||
|
if (!sp)
|
||||||
sp = &dummy;
|
sp = &dummy;
|
||||||
|
|
||||||
for (pi = 0; pi < npols; pi++) {
|
for (pi = 0; pi < npols; pi++) {
|
||||||
|
|
|
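Review bot: In `__xfrm_policy_check()` the now function-scoped `sp` is assigned from `skb_sec_path(skb)` before the selector check and again inside the `XFRM_POLICY_ALLOW` branch, where it may then be pointed at the static `dummy`. If nothing between the two assignments can change the skb's secpath (that code is outside the hunks), the second call is redundant and `if (!sp) sp = &dummy;` alone would do. If something can change it, the `if (sp && secpath_has_nontransport(sp, 0, &xerr_idx))` test in between may be using a stale value. A comment at the second assignment stating which case applies would settle it. The function starts and ends outside the hunks.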
@ -230,7 +230,7 @@ static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
|
||||||
u32 *sid, int ckall)
|
u32 *sid, int ckall)
|
||||||
{
|
{
|
||||||
u32 sid_session = SECSID_NULL;
|
u32 sid_session = SECSID_NULL;
|
||||||
struct sec_path *sp = skb->sp;
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
|
|
||||||
if (sp) {
|
if (sp) {
|
||||||
int i;
|
int i;
|
||||||
|
@ -408,7 +408,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
|
||||||
struct common_audit_data *ad)
|
struct common_audit_data *ad)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
struct sec_path *sp = skb->sp;
|
struct sec_path *sp = skb_sec_path(skb);
|
||||||
u32 peer_sid = SECINITSID_UNLABELED;
|
u32 peer_sid = SECINITSID_UNLABELED;
|
||||||
|
|
||||||
if (sp) {
|
if (sp) {
|
||||||
|
|