xref: /linux/net/xfrm/xfrm_state.c (revision 0ad9617c78acbc71373fb341a6f75d4012b01d69) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * xfrm_state.c
4  *
5  * Changes:
6  *	Mitsuru KANDA @USAGI
7  * 	Kazunori MIYAZAWA @USAGI
8  * 	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
9  * 		IPv6 support
10  * 	YOSHIFUJI Hideaki @USAGI
11  * 		Split up af-specific functions
12  *	Derek Atkins <derek@ihtfp.com>
13  *		Add UDP Encapsulation
14  *
15  */
16 
17 #include <linux/compat.h>
18 #include <linux/workqueue.h>
19 #include <net/xfrm.h>
20 #include <linux/pfkeyv2.h>
21 #include <linux/ipsec.h>
22 #include <linux/module.h>
23 #include <linux/cache.h>
24 #include <linux/audit.h>
25 #include <linux/uaccess.h>
26 #include <linux/ktime.h>
27 #include <linux/slab.h>
28 #include <linux/interrupt.h>
29 #include <linux/kernel.h>
30 
31 #include <crypto/aead.h>
32 
33 #include "xfrm_hash.h"
34 
35 #define xfrm_state_deref_prot(table, net) \
36 	rcu_dereference_protected((table), lockdep_is_held(&(net)->xfrm.xfrm_state_lock))
37 
38 static void xfrm_state_gc_task(struct work_struct *work);
39 
40 /* Each xfrm_state may be linked to two tables:
41 
42    1. Hash table by (spi,daddr,ah/esp) to find SA by SPI. (input,ctl)
43    2. Hash table by (daddr,family,reqid) to find what SAs exist for given
44       destination/tunnel endpoint. (output)
45  */
46 
47 static unsigned int xfrm_state_hashmax __read_mostly = 1 * 1024 * 1024;
48 static struct kmem_cache *xfrm_state_cache __ro_after_init;
49 
50 static DECLARE_WORK(xfrm_state_gc_work, xfrm_state_gc_task);
51 static HLIST_HEAD(xfrm_state_gc_list);
52 static HLIST_HEAD(xfrm_state_dev_gc_list);
53 
54 static inline bool xfrm_state_hold_rcu(struct xfrm_state __rcu *x)
55 {
56 	return refcount_inc_not_zero(&x->refcnt);
57 }
58 
59 static inline unsigned int xfrm_dst_hash(struct net *net,
60 					 const xfrm_address_t *daddr,
61 					 const xfrm_address_t *saddr,
62 					 u32 reqid,
63 					 unsigned short family)
64 {
65 	return __xfrm_dst_hash(daddr, saddr, reqid, family, net->xfrm.state_hmask);
66 }
67 
68 static inline unsigned int xfrm_src_hash(struct net *net,
69 					 const xfrm_address_t *daddr,
70 					 const xfrm_address_t *saddr,
71 					 unsigned short family)
72 {
73 	return __xfrm_src_hash(daddr, saddr, family, net->xfrm.state_hmask);
74 }
75 
76 static inline unsigned int
77 xfrm_spi_hash(struct net *net, const xfrm_address_t *daddr,
78 	      __be32 spi, u8 proto, unsigned short family)
79 {
80 	return __xfrm_spi_hash(daddr, spi, proto, family, net->xfrm.state_hmask);
81 }
82 
83 static unsigned int xfrm_seq_hash(struct net *net, u32 seq)
84 {
85 	return __xfrm_seq_hash(seq, net->xfrm.state_hmask);
86 }
87 
88 #define XFRM_STATE_INSERT(by, _n, _h, _type)                               \
89 	{                                                                  \
90 		struct xfrm_state *_x = NULL;                              \
91 									   \
92 		if (_type != XFRM_DEV_OFFLOAD_PACKET) {                    \
93 			hlist_for_each_entry_rcu(_x, _h, by) {             \
94 				if (_x->xso.type == XFRM_DEV_OFFLOAD_PACKET) \
95 					continue;                          \
96 				break;                                     \
97 			}                                                  \
98 		}                                                          \
99 									   \
100 		if (!_x || _x->xso.type == XFRM_DEV_OFFLOAD_PACKET)        \
101 			/* SAD is empty or consist from HW SAs only */     \
102 			hlist_add_head_rcu(_n, _h);                        \
103 		else                                                       \
104 			hlist_add_before_rcu(_n, &_x->by);                 \
105 	}
106 
107 static void xfrm_hash_transfer(struct hlist_head *list,
108 			       struct hlist_head *ndsttable,
109 			       struct hlist_head *nsrctable,
110 			       struct hlist_head *nspitable,
111 			       struct hlist_head *nseqtable,
112 			       unsigned int nhashmask)
113 {
114 	struct hlist_node *tmp;
115 	struct xfrm_state *x;
116 
117 	hlist_for_each_entry_safe(x, tmp, list, bydst) {
118 		unsigned int h;
119 
120 		h = __xfrm_dst_hash(&x->id.daddr, &x->props.saddr,
121 				    x->props.reqid, x->props.family,
122 				    nhashmask);
123 		XFRM_STATE_INSERT(bydst, &x->bydst, ndsttable + h, x->xso.type);
124 
125 		h = __xfrm_src_hash(&x->id.daddr, &x->props.saddr,
126 				    x->props.family,
127 				    nhashmask);
128 		XFRM_STATE_INSERT(bysrc, &x->bysrc, nsrctable + h, x->xso.type);
129 
130 		if (x->id.spi) {
131 			h = __xfrm_spi_hash(&x->id.daddr, x->id.spi,
132 					    x->id.proto, x->props.family,
133 					    nhashmask);
134 			XFRM_STATE_INSERT(byspi, &x->byspi, nspitable + h,
135 					  x->xso.type);
136 		}
137 
138 		if (x->km.seq) {
139 			h = __xfrm_seq_hash(x->km.seq, nhashmask);
140 			XFRM_STATE_INSERT(byseq, &x->byseq, nseqtable + h,
141 					  x->xso.type);
142 		}
143 	}
144 }
145 
146 static unsigned long xfrm_hash_new_size(unsigned int state_hmask)
147 {
148 	return ((state_hmask + 1) << 1) * sizeof(struct hlist_head);
149 }
150 
151 static void xfrm_hash_resize(struct work_struct *work)
152 {
153 	struct net *net = container_of(work, struct net, xfrm.state_hash_work);
154 	struct hlist_head *ndst, *nsrc, *nspi, *nseq, *odst, *osrc, *ospi, *oseq;
155 	unsigned long nsize, osize;
156 	unsigned int nhashmask, ohashmask;
157 	int i;
158 
159 	nsize = xfrm_hash_new_size(net->xfrm.state_hmask);
160 	ndst = xfrm_hash_alloc(nsize);
161 	if (!ndst)
162 		return;
163 	nsrc = xfrm_hash_alloc(nsize);
164 	if (!nsrc) {
165 		xfrm_hash_free(ndst, nsize);
166 		return;
167 	}
168 	nspi = xfrm_hash_alloc(nsize);
169 	if (!nspi) {
170 		xfrm_hash_free(ndst, nsize);
171 		xfrm_hash_free(nsrc, nsize);
172 		return;
173 	}
174 	nseq = xfrm_hash_alloc(nsize);
175 	if (!nseq) {
176 		xfrm_hash_free(ndst, nsize);
177 		xfrm_hash_free(nsrc, nsize);
178 		xfrm_hash_free(nspi, nsize);
179 		return;
180 	}
181 
182 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
183 	write_seqcount_begin(&net->xfrm.xfrm_state_hash_generation);
184 
185 	nhashmask = (nsize / sizeof(struct hlist_head)) - 1U;
186 	odst = xfrm_state_deref_prot(net->xfrm.state_bydst, net);
187 	for (i = net->xfrm.state_hmask; i >= 0; i--)
188 		xfrm_hash_transfer(odst + i, ndst, nsrc, nspi, nseq, nhashmask);
189 
190 	osrc = xfrm_state_deref_prot(net->xfrm.state_bysrc, net);
191 	ospi = xfrm_state_deref_prot(net->xfrm.state_byspi, net);
192 	oseq = xfrm_state_deref_prot(net->xfrm.state_byseq, net);
193 	ohashmask = net->xfrm.state_hmask;
194 
195 	rcu_assign_pointer(net->xfrm.state_bydst, ndst);
196 	rcu_assign_pointer(net->xfrm.state_bysrc, nsrc);
197 	rcu_assign_pointer(net->xfrm.state_byspi, nspi);
198 	rcu_assign_pointer(net->xfrm.state_byseq, nseq);
199 	net->xfrm.state_hmask = nhashmask;
200 
201 	write_seqcount_end(&net->xfrm.xfrm_state_hash_generation);
202 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
203 
204 	osize = (ohashmask + 1) * sizeof(struct hlist_head);
205 
206 	synchronize_rcu();
207 
208 	xfrm_hash_free(odst, osize);
209 	xfrm_hash_free(osrc, osize);
210 	xfrm_hash_free(ospi, osize);
211 	xfrm_hash_free(oseq, osize);
212 }
213 
214 static DEFINE_SPINLOCK(xfrm_state_afinfo_lock);
215 static struct xfrm_state_afinfo __rcu *xfrm_state_afinfo[NPROTO];
216 
217 static DEFINE_SPINLOCK(xfrm_state_gc_lock);
218 static DEFINE_SPINLOCK(xfrm_state_dev_gc_lock);
219 
220 int __xfrm_state_delete(struct xfrm_state *x);
221 
222 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol);
223 static bool km_is_alive(const struct km_event *c);
224 void km_state_expired(struct xfrm_state *x, int hard, u32 portid);
225 
226 int xfrm_register_type(const struct xfrm_type *type, unsigned short family)
227 {
228 	struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
229 	int err = 0;
230 
231 	if (!afinfo)
232 		return -EAFNOSUPPORT;
233 
234 #define X(afi, T, name) do {			\
235 		WARN_ON((afi)->type_ ## name);	\
236 		(afi)->type_ ## name = (T);	\
237 	} while (0)
238 
239 	switch (type->proto) {
240 	case IPPROTO_COMP:
241 		X(afinfo, type, comp);
242 		break;
243 	case IPPROTO_AH:
244 		X(afinfo, type, ah);
245 		break;
246 	case IPPROTO_ESP:
247 		X(afinfo, type, esp);
248 		break;
249 	case IPPROTO_IPIP:
250 		X(afinfo, type, ipip);
251 		break;
252 	case IPPROTO_DSTOPTS:
253 		X(afinfo, type, dstopts);
254 		break;
255 	case IPPROTO_ROUTING:
256 		X(afinfo, type, routing);
257 		break;
258 	case IPPROTO_IPV6:
259 		X(afinfo, type, ipip6);
260 		break;
261 	default:
262 		WARN_ON(1);
263 		err = -EPROTONOSUPPORT;
264 		break;
265 	}
266 #undef X
267 	rcu_read_unlock();
268 	return err;
269 }
270 EXPORT_SYMBOL(xfrm_register_type);
271 
272 void xfrm_unregister_type(const struct xfrm_type *type, unsigned short family)
273 {
274 	struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
275 
276 	if (unlikely(afinfo == NULL))
277 		return;
278 
279 #define X(afi, T, name) do {				\
280 		WARN_ON((afi)->type_ ## name != (T));	\
281 		(afi)->type_ ## name = NULL;		\
282 	} while (0)
283 
284 	switch (type->proto) {
285 	case IPPROTO_COMP:
286 		X(afinfo, type, comp);
287 		break;
288 	case IPPROTO_AH:
289 		X(afinfo, type, ah);
290 		break;
291 	case IPPROTO_ESP:
292 		X(afinfo, type, esp);
293 		break;
294 	case IPPROTO_IPIP:
295 		X(afinfo, type, ipip);
296 		break;
297 	case IPPROTO_DSTOPTS:
298 		X(afinfo, type, dstopts);
299 		break;
300 	case IPPROTO_ROUTING:
301 		X(afinfo, type, routing);
302 		break;
303 	case IPPROTO_IPV6:
304 		X(afinfo, type, ipip6);
305 		break;
306 	default:
307 		WARN_ON(1);
308 		break;
309 	}
310 #undef X
311 	rcu_read_unlock();
312 }
313 EXPORT_SYMBOL(xfrm_unregister_type);
314 
315 static const struct xfrm_type *xfrm_get_type(u8 proto, unsigned short family)
316 {
317 	const struct xfrm_type *type = NULL;
318 	struct xfrm_state_afinfo *afinfo;
319 	int modload_attempted = 0;
320 
321 retry:
322 	afinfo = xfrm_state_get_afinfo(family);
323 	if (unlikely(afinfo == NULL))
324 		return NULL;
325 
326 	switch (proto) {
327 	case IPPROTO_COMP:
328 		type = afinfo->type_comp;
329 		break;
330 	case IPPROTO_AH:
331 		type = afinfo->type_ah;
332 		break;
333 	case IPPROTO_ESP:
334 		type = afinfo->type_esp;
335 		break;
336 	case IPPROTO_IPIP:
337 		type = afinfo->type_ipip;
338 		break;
339 	case IPPROTO_DSTOPTS:
340 		type = afinfo->type_dstopts;
341 		break;
342 	case IPPROTO_ROUTING:
343 		type = afinfo->type_routing;
344 		break;
345 	case IPPROTO_IPV6:
346 		type = afinfo->type_ipip6;
347 		break;
348 	default:
349 		break;
350 	}
351 
352 	if (unlikely(type && !try_module_get(type->owner)))
353 		type = NULL;
354 
355 	rcu_read_unlock();
356 
357 	if (!type && !modload_attempted) {
358 		request_module("xfrm-type-%d-%d", family, proto);
359 		modload_attempted = 1;
360 		goto retry;
361 	}
362 
363 	return type;
364 }
365 
366 static void xfrm_put_type(const struct xfrm_type *type)
367 {
368 	module_put(type->owner);
369 }
370 
371 int xfrm_register_type_offload(const struct xfrm_type_offload *type,
372 			       unsigned short family)
373 {
374 	struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
375 	int err = 0;
376 
377 	if (unlikely(afinfo == NULL))
378 		return -EAFNOSUPPORT;
379 
380 	switch (type->proto) {
381 	case IPPROTO_ESP:
382 		WARN_ON(afinfo->type_offload_esp);
383 		afinfo->type_offload_esp = type;
384 		break;
385 	default:
386 		WARN_ON(1);
387 		err = -EPROTONOSUPPORT;
388 		break;
389 	}
390 
391 	rcu_read_unlock();
392 	return err;
393 }
394 EXPORT_SYMBOL(xfrm_register_type_offload);
395 
396 void xfrm_unregister_type_offload(const struct xfrm_type_offload *type,
397 				  unsigned short family)
398 {
399 	struct xfrm_state_afinfo *afinfo = xfrm_state_get_afinfo(family);
400 
401 	if (unlikely(afinfo == NULL))
402 		return;
403 
404 	switch (type->proto) {
405 	case IPPROTO_ESP:
406 		WARN_ON(afinfo->type_offload_esp != type);
407 		afinfo->type_offload_esp = NULL;
408 		break;
409 	default:
410 		WARN_ON(1);
411 		break;
412 	}
413 	rcu_read_unlock();
414 }
415 EXPORT_SYMBOL(xfrm_unregister_type_offload);
416 
417 static const struct xfrm_type_offload *
418 xfrm_get_type_offload(u8 proto, unsigned short family, bool try_load)
419 {
420 	const struct xfrm_type_offload *type = NULL;
421 	struct xfrm_state_afinfo *afinfo;
422 
423 retry:
424 	afinfo = xfrm_state_get_afinfo(family);
425 	if (unlikely(afinfo == NULL))
426 		return NULL;
427 
428 	switch (proto) {
429 	case IPPROTO_ESP:
430 		type = afinfo->type_offload_esp;
431 		break;
432 	default:
433 		break;
434 	}
435 
436 	if ((type && !try_module_get(type->owner)))
437 		type = NULL;
438 
439 	rcu_read_unlock();
440 
441 	if (!type && try_load) {
442 		request_module("xfrm-offload-%d-%d", family, proto);
443 		try_load = false;
444 		goto retry;
445 	}
446 
447 	return type;
448 }
449 
450 static void xfrm_put_type_offload(const struct xfrm_type_offload *type)
451 {
452 	module_put(type->owner);
453 }
454 
455 static const struct xfrm_mode xfrm4_mode_map[XFRM_MODE_MAX] = {
456 	[XFRM_MODE_BEET] = {
457 		.encap = XFRM_MODE_BEET,
458 		.flags = XFRM_MODE_FLAG_TUNNEL,
459 		.family = AF_INET,
460 	},
461 	[XFRM_MODE_TRANSPORT] = {
462 		.encap = XFRM_MODE_TRANSPORT,
463 		.family = AF_INET,
464 	},
465 	[XFRM_MODE_TUNNEL] = {
466 		.encap = XFRM_MODE_TUNNEL,
467 		.flags = XFRM_MODE_FLAG_TUNNEL,
468 		.family = AF_INET,
469 	},
470 	[XFRM_MODE_IPTFS] = {
471 		.encap = XFRM_MODE_IPTFS,
472 		.flags = XFRM_MODE_FLAG_TUNNEL,
473 		.family = AF_INET,
474 	},
475 };
476 
477 static const struct xfrm_mode xfrm6_mode_map[XFRM_MODE_MAX] = {
478 	[XFRM_MODE_BEET] = {
479 		.encap = XFRM_MODE_BEET,
480 		.flags = XFRM_MODE_FLAG_TUNNEL,
481 		.family = AF_INET6,
482 	},
483 	[XFRM_MODE_ROUTEOPTIMIZATION] = {
484 		.encap = XFRM_MODE_ROUTEOPTIMIZATION,
485 		.family = AF_INET6,
486 	},
487 	[XFRM_MODE_TRANSPORT] = {
488 		.encap = XFRM_MODE_TRANSPORT,
489 		.family = AF_INET6,
490 	},
491 	[XFRM_MODE_TUNNEL] = {
492 		.encap = XFRM_MODE_TUNNEL,
493 		.flags = XFRM_MODE_FLAG_TUNNEL,
494 		.family = AF_INET6,
495 	},
496 	[XFRM_MODE_IPTFS] = {
497 		.encap = XFRM_MODE_IPTFS,
498 		.flags = XFRM_MODE_FLAG_TUNNEL,
499 		.family = AF_INET6,
500 	},
501 };
502 
503 static const struct xfrm_mode *xfrm_get_mode(unsigned int encap, int family)
504 {
505 	const struct xfrm_mode *mode;
506 
507 	if (unlikely(encap >= XFRM_MODE_MAX))
508 		return NULL;
509 
510 	switch (family) {
511 	case AF_INET:
512 		mode = &xfrm4_mode_map[encap];
513 		if (mode->family == family)
514 			return mode;
515 		break;
516 	case AF_INET6:
517 		mode = &xfrm6_mode_map[encap];
518 		if (mode->family == family)
519 			return mode;
520 		break;
521 	default:
522 		break;
523 	}
524 
525 	return NULL;
526 }
527 
528 static const struct xfrm_mode_cbs  __rcu *xfrm_mode_cbs_map[XFRM_MODE_MAX];
529 static DEFINE_SPINLOCK(xfrm_mode_cbs_map_lock);
530 
531 int xfrm_register_mode_cbs(u8 mode, const struct xfrm_mode_cbs *mode_cbs)
532 {
533 	if (mode >= XFRM_MODE_MAX)
534 		return -EINVAL;
535 
536 	spin_lock_bh(&xfrm_mode_cbs_map_lock);
537 	rcu_assign_pointer(xfrm_mode_cbs_map[mode], mode_cbs);
538 	spin_unlock_bh(&xfrm_mode_cbs_map_lock);
539 
540 	return 0;
541 }
542 EXPORT_SYMBOL(xfrm_register_mode_cbs);
543 
544 void xfrm_unregister_mode_cbs(u8 mode)
545 {
546 	if (mode >= XFRM_MODE_MAX)
547 		return;
548 
549 	spin_lock_bh(&xfrm_mode_cbs_map_lock);
550 	RCU_INIT_POINTER(xfrm_mode_cbs_map[mode], NULL);
551 	spin_unlock_bh(&xfrm_mode_cbs_map_lock);
552 	synchronize_rcu();
553 }
554 EXPORT_SYMBOL(xfrm_unregister_mode_cbs);
555 
556 static const struct xfrm_mode_cbs *xfrm_get_mode_cbs(u8 mode)
557 {
558 	const struct xfrm_mode_cbs *cbs;
559 	bool try_load = true;
560 
561 	if (mode >= XFRM_MODE_MAX)
562 		return NULL;
563 
564 retry:
565 	rcu_read_lock();
566 
567 	cbs = rcu_dereference(xfrm_mode_cbs_map[mode]);
568 	if (cbs && !try_module_get(cbs->owner))
569 		cbs = NULL;
570 
571 	rcu_read_unlock();
572 
573 	if (mode == XFRM_MODE_IPTFS && !cbs && try_load) {
574 		request_module("xfrm-iptfs");
575 		try_load = false;
576 		goto retry;
577 	}
578 
579 	return cbs;
580 }
581 
582 void xfrm_state_free(struct xfrm_state *x)
583 {
584 	kmem_cache_free(xfrm_state_cache, x);
585 }
586 EXPORT_SYMBOL(xfrm_state_free);
587 
588 static void ___xfrm_state_destroy(struct xfrm_state *x)
589 {
590 	if (x->mode_cbs && x->mode_cbs->destroy_state)
591 		x->mode_cbs->destroy_state(x);
592 	hrtimer_cancel(&x->mtimer);
593 	del_timer_sync(&x->rtimer);
594 	kfree(x->aead);
595 	kfree(x->aalg);
596 	kfree(x->ealg);
597 	kfree(x->calg);
598 	kfree(x->encap);
599 	kfree(x->coaddr);
600 	kfree(x->replay_esn);
601 	kfree(x->preplay_esn);
602 	if (x->type_offload)
603 		xfrm_put_type_offload(x->type_offload);
604 	if (x->type) {
605 		x->type->destructor(x);
606 		xfrm_put_type(x->type);
607 	}
608 	if (x->xfrag.page)
609 		put_page(x->xfrag.page);
610 	xfrm_dev_state_free(x);
611 	security_xfrm_state_free(x);
612 	xfrm_state_free(x);
613 }
614 
615 static void xfrm_state_gc_task(struct work_struct *work)
616 {
617 	struct xfrm_state *x;
618 	struct hlist_node *tmp;
619 	struct hlist_head gc_list;
620 
621 	spin_lock_bh(&xfrm_state_gc_lock);
622 	hlist_move_list(&xfrm_state_gc_list, &gc_list);
623 	spin_unlock_bh(&xfrm_state_gc_lock);
624 
625 	synchronize_rcu();
626 
627 	hlist_for_each_entry_safe(x, tmp, &gc_list, gclist)
628 		___xfrm_state_destroy(x);
629 }
630 
631 static enum hrtimer_restart xfrm_timer_handler(struct hrtimer *me)
632 {
633 	struct xfrm_state *x = container_of(me, struct xfrm_state, mtimer);
634 	enum hrtimer_restart ret = HRTIMER_NORESTART;
635 	time64_t now = ktime_get_real_seconds();
636 	time64_t next = TIME64_MAX;
637 	int warn = 0;
638 	int err = 0;
639 
640 	spin_lock(&x->lock);
641 	xfrm_dev_state_update_stats(x);
642 
643 	if (x->km.state == XFRM_STATE_DEAD)
644 		goto out;
645 	if (x->km.state == XFRM_STATE_EXPIRED)
646 		goto expired;
647 	if (x->lft.hard_add_expires_seconds) {
648 		time64_t tmo = x->lft.hard_add_expires_seconds +
649 			x->curlft.add_time - now;
650 		if (tmo <= 0) {
651 			if (x->xflags & XFRM_SOFT_EXPIRE) {
652 				/* enter hard expire without soft expire first?!
653 				 * setting a new date could trigger this.
654 				 * workaround: fix x->curflt.add_time by below:
655 				 */
656 				x->curlft.add_time = now - x->saved_tmo - 1;
657 				tmo = x->lft.hard_add_expires_seconds - x->saved_tmo;
658 			} else
659 				goto expired;
660 		}
661 		if (tmo < next)
662 			next = tmo;
663 	}
664 	if (x->lft.hard_use_expires_seconds) {
665 		time64_t tmo = x->lft.hard_use_expires_seconds +
666 			(READ_ONCE(x->curlft.use_time) ? : now) - now;
667 		if (tmo <= 0)
668 			goto expired;
669 		if (tmo < next)
670 			next = tmo;
671 	}
672 	if (x->km.dying)
673 		goto resched;
674 	if (x->lft.soft_add_expires_seconds) {
675 		time64_t tmo = x->lft.soft_add_expires_seconds +
676 			x->curlft.add_time - now;
677 		if (tmo <= 0) {
678 			warn = 1;
679 			x->xflags &= ~XFRM_SOFT_EXPIRE;
680 		} else if (tmo < next) {
681 			next = tmo;
682 			x->xflags |= XFRM_SOFT_EXPIRE;
683 			x->saved_tmo = tmo;
684 		}
685 	}
686 	if (x->lft.soft_use_expires_seconds) {
687 		time64_t tmo = x->lft.soft_use_expires_seconds +
688 			(READ_ONCE(x->curlft.use_time) ? : now) - now;
689 		if (tmo <= 0)
690 			warn = 1;
691 		else if (tmo < next)
692 			next = tmo;
693 	}
694 
695 	x->km.dying = warn;
696 	if (warn)
697 		km_state_expired(x, 0, 0);
698 resched:
699 	if (next != TIME64_MAX) {
700 		hrtimer_forward_now(&x->mtimer, ktime_set(next, 0));
701 		ret = HRTIMER_RESTART;
702 	}
703 
704 	goto out;
705 
706 expired:
707 	if (x->km.state == XFRM_STATE_ACQ && x->id.spi == 0)
708 		x->km.state = XFRM_STATE_EXPIRED;
709 
710 	err = __xfrm_state_delete(x);
711 	if (!err)
712 		km_state_expired(x, 1, 0);
713 
714 	xfrm_audit_state_delete(x, err ? 0 : 1, true);
715 
716 out:
717 	spin_unlock(&x->lock);
718 	return ret;
719 }
720 
721 static void xfrm_replay_timer_handler(struct timer_list *t);
722 
723 struct xfrm_state *xfrm_state_alloc(struct net *net)
724 {
725 	struct xfrm_state *x;
726 
727 	x = kmem_cache_zalloc(xfrm_state_cache, GFP_ATOMIC);
728 
729 	if (x) {
730 		write_pnet(&x->xs_net, net);
731 		refcount_set(&x->refcnt, 1);
732 		atomic_set(&x->tunnel_users, 0);
733 		INIT_LIST_HEAD(&x->km.all);
734 		INIT_HLIST_NODE(&x->state_cache);
735 		INIT_HLIST_NODE(&x->bydst);
736 		INIT_HLIST_NODE(&x->bysrc);
737 		INIT_HLIST_NODE(&x->byspi);
738 		INIT_HLIST_NODE(&x->byseq);
739 		hrtimer_init(&x->mtimer, CLOCK_BOOTTIME, HRTIMER_MODE_ABS_SOFT);
740 		x->mtimer.function = xfrm_timer_handler;
741 		timer_setup(&x->rtimer, xfrm_replay_timer_handler, 0);
742 		x->curlft.add_time = ktime_get_real_seconds();
743 		x->lft.soft_byte_limit = XFRM_INF;
744 		x->lft.soft_packet_limit = XFRM_INF;
745 		x->lft.hard_byte_limit = XFRM_INF;
746 		x->lft.hard_packet_limit = XFRM_INF;
747 		x->replay_maxage = 0;
748 		x->replay_maxdiff = 0;
749 		x->pcpu_num = UINT_MAX;
750 		spin_lock_init(&x->lock);
751 		x->mode_data = NULL;
752 	}
753 	return x;
754 }
755 EXPORT_SYMBOL(xfrm_state_alloc);
756 
757 #ifdef CONFIG_XFRM_OFFLOAD
758 void xfrm_dev_state_delete(struct xfrm_state *x)
759 {
760 	struct xfrm_dev_offload *xso = &x->xso;
761 	struct net_device *dev = READ_ONCE(xso->dev);
762 
763 	if (dev) {
764 		dev->xfrmdev_ops->xdo_dev_state_delete(x);
765 		spin_lock_bh(&xfrm_state_dev_gc_lock);
766 		hlist_add_head(&x->dev_gclist, &xfrm_state_dev_gc_list);
767 		spin_unlock_bh(&xfrm_state_dev_gc_lock);
768 	}
769 }
770 EXPORT_SYMBOL_GPL(xfrm_dev_state_delete);
771 
772 void xfrm_dev_state_free(struct xfrm_state *x)
773 {
774 	struct xfrm_dev_offload *xso = &x->xso;
775 	struct net_device *dev = READ_ONCE(xso->dev);
776 
777 	if (dev && dev->xfrmdev_ops) {
778 		spin_lock_bh(&xfrm_state_dev_gc_lock);
779 		if (!hlist_unhashed(&x->dev_gclist))
780 			hlist_del(&x->dev_gclist);
781 		spin_unlock_bh(&xfrm_state_dev_gc_lock);
782 
783 		if (dev->xfrmdev_ops->xdo_dev_state_free)
784 			dev->xfrmdev_ops->xdo_dev_state_free(x);
785 		WRITE_ONCE(xso->dev, NULL);
786 		xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
787 		netdev_put(dev, &xso->dev_tracker);
788 	}
789 }
790 #endif
791 
792 void __xfrm_state_destroy(struct xfrm_state *x, bool sync)
793 {
794 	WARN_ON(x->km.state != XFRM_STATE_DEAD);
795 
796 	if (sync) {
797 		synchronize_rcu();
798 		___xfrm_state_destroy(x);
799 	} else {
800 		spin_lock_bh(&xfrm_state_gc_lock);
801 		hlist_add_head(&x->gclist, &xfrm_state_gc_list);
802 		spin_unlock_bh(&xfrm_state_gc_lock);
803 		schedule_work(&xfrm_state_gc_work);
804 	}
805 }
806 EXPORT_SYMBOL(__xfrm_state_destroy);
807 
808 int __xfrm_state_delete(struct xfrm_state *x)
809 {
810 	struct net *net = xs_net(x);
811 	int err = -ESRCH;
812 
813 	if (x->km.state != XFRM_STATE_DEAD) {
814 		x->km.state = XFRM_STATE_DEAD;
815 
816 		spin_lock(&net->xfrm.xfrm_state_lock);
817 		list_del(&x->km.all);
818 		hlist_del_rcu(&x->bydst);
819 		hlist_del_rcu(&x->bysrc);
820 		if (x->km.seq)
821 			hlist_del_rcu(&x->byseq);
822 		if (!hlist_unhashed(&x->state_cache))
823 			hlist_del_rcu(&x->state_cache);
824 		if (!hlist_unhashed(&x->state_cache_input))
825 			hlist_del_rcu(&x->state_cache_input);
826 
827 		if (x->id.spi)
828 			hlist_del_rcu(&x->byspi);
829 		net->xfrm.state_num--;
830 		xfrm_nat_keepalive_state_updated(x);
831 		spin_unlock(&net->xfrm.xfrm_state_lock);
832 
833 		if (x->encap_sk)
834 			sock_put(rcu_dereference_raw(x->encap_sk));
835 
836 		xfrm_dev_state_delete(x);
837 
838 		/* All xfrm_state objects are created by xfrm_state_alloc.
839 		 * The xfrm_state_alloc call gives a reference, and that
840 		 * is what we are dropping here.
841 		 */
842 		xfrm_state_put(x);
843 		err = 0;
844 	}
845 
846 	return err;
847 }
848 EXPORT_SYMBOL(__xfrm_state_delete);
849 
850 int xfrm_state_delete(struct xfrm_state *x)
851 {
852 	int err;
853 
854 	spin_lock_bh(&x->lock);
855 	err = __xfrm_state_delete(x);
856 	spin_unlock_bh(&x->lock);
857 
858 	return err;
859 }
860 EXPORT_SYMBOL(xfrm_state_delete);
861 
862 #ifdef CONFIG_SECURITY_NETWORK_XFRM
863 static inline int
864 xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid)
865 {
866 	int i, err = 0;
867 
868 	for (i = 0; i <= net->xfrm.state_hmask; i++) {
869 		struct xfrm_state *x;
870 
871 		hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
872 			if (xfrm_id_proto_match(x->id.proto, proto) &&
873 			   (err = security_xfrm_state_delete(x)) != 0) {
874 				xfrm_audit_state_delete(x, 0, task_valid);
875 				return err;
876 			}
877 		}
878 	}
879 
880 	return err;
881 }
882 
883 static inline int
884 xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool task_valid)
885 {
886 	int i, err = 0;
887 
888 	for (i = 0; i <= net->xfrm.state_hmask; i++) {
889 		struct xfrm_state *x;
890 		struct xfrm_dev_offload *xso;
891 
892 		hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
893 			xso = &x->xso;
894 
895 			if (xso->dev == dev &&
896 			   (err = security_xfrm_state_delete(x)) != 0) {
897 				xfrm_audit_state_delete(x, 0, task_valid);
898 				return err;
899 			}
900 		}
901 	}
902 
903 	return err;
904 }
905 #else
906 static inline int
907 xfrm_state_flush_secctx_check(struct net *net, u8 proto, bool task_valid)
908 {
909 	return 0;
910 }
911 
912 static inline int
913 xfrm_dev_state_flush_secctx_check(struct net *net, struct net_device *dev, bool task_valid)
914 {
915 	return 0;
916 }
917 #endif
918 
919 int xfrm_state_flush(struct net *net, u8 proto, bool task_valid, bool sync)
920 {
921 	int i, err = 0, cnt = 0;
922 
923 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
924 	err = xfrm_state_flush_secctx_check(net, proto, task_valid);
925 	if (err)
926 		goto out;
927 
928 	err = -ESRCH;
929 	for (i = 0; i <= net->xfrm.state_hmask; i++) {
930 		struct xfrm_state *x;
931 restart:
932 		hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
933 			if (!xfrm_state_kern(x) &&
934 			    xfrm_id_proto_match(x->id.proto, proto)) {
935 				xfrm_state_hold(x);
936 				spin_unlock_bh(&net->xfrm.xfrm_state_lock);
937 
938 				err = xfrm_state_delete(x);
939 				xfrm_audit_state_delete(x, err ? 0 : 1,
940 							task_valid);
941 				if (sync)
942 					xfrm_state_put_sync(x);
943 				else
944 					xfrm_state_put(x);
945 				if (!err)
946 					cnt++;
947 
948 				spin_lock_bh(&net->xfrm.xfrm_state_lock);
949 				goto restart;
950 			}
951 		}
952 	}
953 out:
954 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
955 	if (cnt)
956 		err = 0;
957 
958 	return err;
959 }
960 EXPORT_SYMBOL(xfrm_state_flush);
961 
962 int xfrm_dev_state_flush(struct net *net, struct net_device *dev, bool task_valid)
963 {
964 	struct xfrm_state *x;
965 	struct hlist_node *tmp;
966 	struct xfrm_dev_offload *xso;
967 	int i, err = 0, cnt = 0;
968 
969 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
970 	err = xfrm_dev_state_flush_secctx_check(net, dev, task_valid);
971 	if (err)
972 		goto out;
973 
974 	err = -ESRCH;
975 	for (i = 0; i <= net->xfrm.state_hmask; i++) {
976 restart:
977 		hlist_for_each_entry(x, net->xfrm.state_bydst+i, bydst) {
978 			xso = &x->xso;
979 
980 			if (!xfrm_state_kern(x) && xso->dev == dev) {
981 				xfrm_state_hold(x);
982 				spin_unlock_bh(&net->xfrm.xfrm_state_lock);
983 
984 				err = xfrm_state_delete(x);
985 				xfrm_dev_state_free(x);
986 
987 				xfrm_audit_state_delete(x, err ? 0 : 1,
988 							task_valid);
989 				xfrm_state_put(x);
990 				if (!err)
991 					cnt++;
992 
993 				spin_lock_bh(&net->xfrm.xfrm_state_lock);
994 				goto restart;
995 			}
996 		}
997 	}
998 	if (cnt)
999 		err = 0;
1000 
1001 out:
1002 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1003 
1004 	spin_lock_bh(&xfrm_state_dev_gc_lock);
1005 restart_gc:
1006 	hlist_for_each_entry_safe(x, tmp, &xfrm_state_dev_gc_list, dev_gclist) {
1007 		xso = &x->xso;
1008 
1009 		if (xso->dev == dev) {
1010 			spin_unlock_bh(&xfrm_state_dev_gc_lock);
1011 			xfrm_dev_state_free(x);
1012 			spin_lock_bh(&xfrm_state_dev_gc_lock);
1013 			goto restart_gc;
1014 		}
1015 
1016 	}
1017 	spin_unlock_bh(&xfrm_state_dev_gc_lock);
1018 
1019 	xfrm_flush_gc();
1020 
1021 	return err;
1022 }
1023 EXPORT_SYMBOL(xfrm_dev_state_flush);
1024 
1025 void xfrm_sad_getinfo(struct net *net, struct xfrmk_sadinfo *si)
1026 {
1027 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
1028 	si->sadcnt = net->xfrm.state_num;
1029 	si->sadhcnt = net->xfrm.state_hmask + 1;
1030 	si->sadhmcnt = xfrm_state_hashmax;
1031 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1032 }
1033 EXPORT_SYMBOL(xfrm_sad_getinfo);
1034 
1035 static void
1036 __xfrm4_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
1037 {
1038 	const struct flowi4 *fl4 = &fl->u.ip4;
1039 
1040 	sel->daddr.a4 = fl4->daddr;
1041 	sel->saddr.a4 = fl4->saddr;
1042 	sel->dport = xfrm_flowi_dport(fl, &fl4->uli);
1043 	sel->dport_mask = htons(0xffff);
1044 	sel->sport = xfrm_flowi_sport(fl, &fl4->uli);
1045 	sel->sport_mask = htons(0xffff);
1046 	sel->family = AF_INET;
1047 	sel->prefixlen_d = 32;
1048 	sel->prefixlen_s = 32;
1049 	sel->proto = fl4->flowi4_proto;
1050 	sel->ifindex = fl4->flowi4_oif;
1051 }
1052 
1053 static void
1054 __xfrm6_init_tempsel(struct xfrm_selector *sel, const struct flowi *fl)
1055 {
1056 	const struct flowi6 *fl6 = &fl->u.ip6;
1057 
1058 	/* Initialize temporary selector matching only to current session. */
1059 	*(struct in6_addr *)&sel->daddr = fl6->daddr;
1060 	*(struct in6_addr *)&sel->saddr = fl6->saddr;
1061 	sel->dport = xfrm_flowi_dport(fl, &fl6->uli);
1062 	sel->dport_mask = htons(0xffff);
1063 	sel->sport = xfrm_flowi_sport(fl, &fl6->uli);
1064 	sel->sport_mask = htons(0xffff);
1065 	sel->family = AF_INET6;
1066 	sel->prefixlen_d = 128;
1067 	sel->prefixlen_s = 128;
1068 	sel->proto = fl6->flowi6_proto;
1069 	sel->ifindex = fl6->flowi6_oif;
1070 }
1071 
1072 static void
1073 xfrm_init_tempstate(struct xfrm_state *x, const struct flowi *fl,
1074 		    const struct xfrm_tmpl *tmpl,
1075 		    const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1076 		    unsigned short family)
1077 {
1078 	switch (family) {
1079 	case AF_INET:
1080 		__xfrm4_init_tempsel(&x->sel, fl);
1081 		break;
1082 	case AF_INET6:
1083 		__xfrm6_init_tempsel(&x->sel, fl);
1084 		break;
1085 	}
1086 
1087 	x->id = tmpl->id;
1088 
1089 	switch (tmpl->encap_family) {
1090 	case AF_INET:
1091 		if (x->id.daddr.a4 == 0)
1092 			x->id.daddr.a4 = daddr->a4;
1093 		x->props.saddr = tmpl->saddr;
1094 		if (x->props.saddr.a4 == 0)
1095 			x->props.saddr.a4 = saddr->a4;
1096 		break;
1097 	case AF_INET6:
1098 		if (ipv6_addr_any((struct in6_addr *)&x->id.daddr))
1099 			memcpy(&x->id.daddr, daddr, sizeof(x->sel.daddr));
1100 		memcpy(&x->props.saddr, &tmpl->saddr, sizeof(x->props.saddr));
1101 		if (ipv6_addr_any((struct in6_addr *)&x->props.saddr))
1102 			memcpy(&x->props.saddr, saddr, sizeof(x->props.saddr));
1103 		break;
1104 	}
1105 
1106 	x->props.mode = tmpl->mode;
1107 	x->props.reqid = tmpl->reqid;
1108 	x->props.family = tmpl->encap_family;
1109 }
1110 
1111 static struct xfrm_state *__xfrm_state_lookup_all(struct net *net, u32 mark,
1112 						  const xfrm_address_t *daddr,
1113 						  __be32 spi, u8 proto,
1114 						  unsigned short family,
1115 						  struct xfrm_dev_offload *xdo)
1116 {
1117 	unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
1118 	struct xfrm_state *x;
1119 
1120 	hlist_for_each_entry_rcu(x, net->xfrm.state_byspi + h, byspi) {
1121 #ifdef CONFIG_XFRM_OFFLOAD
1122 		if (xdo->type == XFRM_DEV_OFFLOAD_PACKET) {
1123 			if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
1124 				/* HW states are in the head of list, there is
1125 				 * no need to iterate further.
1126 				 */
1127 				break;
1128 
1129 			/* Packet offload: both policy and SA should
1130 			 * have same device.
1131 			 */
1132 			if (xdo->dev != x->xso.dev)
1133 				continue;
1134 		} else if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1135 			/* Skip HW policy for SW lookups */
1136 			continue;
1137 #endif
1138 		if (x->props.family != family ||
1139 		    x->id.spi       != spi ||
1140 		    x->id.proto     != proto ||
1141 		    !xfrm_addr_equal(&x->id.daddr, daddr, family))
1142 			continue;
1143 
1144 		if ((mark & x->mark.m) != x->mark.v)
1145 			continue;
1146 		if (!xfrm_state_hold_rcu(x))
1147 			continue;
1148 		return x;
1149 	}
1150 
1151 	return NULL;
1152 }
1153 
1154 static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
1155 					      const xfrm_address_t *daddr,
1156 					      __be32 spi, u8 proto,
1157 					      unsigned short family)
1158 {
1159 	unsigned int h = xfrm_spi_hash(net, daddr, spi, proto, family);
1160 	struct xfrm_state *x;
1161 
1162 	hlist_for_each_entry_rcu(x, net->xfrm.state_byspi + h, byspi) {
1163 		if (x->props.family != family ||
1164 		    x->id.spi       != spi ||
1165 		    x->id.proto     != proto ||
1166 		    !xfrm_addr_equal(&x->id.daddr, daddr, family))
1167 			continue;
1168 
1169 		if ((mark & x->mark.m) != x->mark.v)
1170 			continue;
1171 		if (!xfrm_state_hold_rcu(x))
1172 			continue;
1173 		return x;
1174 	}
1175 
1176 	return NULL;
1177 }
1178 
1179 struct xfrm_state *xfrm_input_state_lookup(struct net *net, u32 mark,
1180 					   const xfrm_address_t *daddr,
1181 					   __be32 spi, u8 proto,
1182 					   unsigned short family)
1183 {
1184 	struct hlist_head *state_cache_input;
1185 	struct xfrm_state *x = NULL;
1186 	int cpu = get_cpu();
1187 
1188 	state_cache_input =  per_cpu_ptr(net->xfrm.state_cache_input, cpu);
1189 
1190 	rcu_read_lock();
1191 	hlist_for_each_entry_rcu(x, state_cache_input, state_cache_input) {
1192 		if (x->props.family != family ||
1193 		    x->id.spi       != spi ||
1194 		    x->id.proto     != proto ||
1195 		    !xfrm_addr_equal(&x->id.daddr, daddr, family))
1196 			continue;
1197 
1198 		if ((mark & x->mark.m) != x->mark.v)
1199 			continue;
1200 		if (!xfrm_state_hold_rcu(x))
1201 			continue;
1202 		goto out;
1203 	}
1204 
1205 	x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family);
1206 
1207 	if (x && x->km.state == XFRM_STATE_VALID) {
1208 		spin_lock_bh(&net->xfrm.xfrm_state_lock);
1209 		if (hlist_unhashed(&x->state_cache_input)) {
1210 			hlist_add_head_rcu(&x->state_cache_input, state_cache_input);
1211 		} else {
1212 			hlist_del_rcu(&x->state_cache_input);
1213 			hlist_add_head_rcu(&x->state_cache_input, state_cache_input);
1214 		}
1215 		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1216 	}
1217 
1218 out:
1219 	rcu_read_unlock();
1220 	put_cpu();
1221 	return x;
1222 }
1223 EXPORT_SYMBOL(xfrm_input_state_lookup);
1224 
1225 static struct xfrm_state *__xfrm_state_lookup_byaddr(struct net *net, u32 mark,
1226 						     const xfrm_address_t *daddr,
1227 						     const xfrm_address_t *saddr,
1228 						     u8 proto, unsigned short family)
1229 {
1230 	unsigned int h = xfrm_src_hash(net, daddr, saddr, family);
1231 	struct xfrm_state *x;
1232 
1233 	hlist_for_each_entry_rcu(x, net->xfrm.state_bysrc + h, bysrc) {
1234 		if (x->props.family != family ||
1235 		    x->id.proto     != proto ||
1236 		    !xfrm_addr_equal(&x->id.daddr, daddr, family) ||
1237 		    !xfrm_addr_equal(&x->props.saddr, saddr, family))
1238 			continue;
1239 
1240 		if ((mark & x->mark.m) != x->mark.v)
1241 			continue;
1242 		if (!xfrm_state_hold_rcu(x))
1243 			continue;
1244 		return x;
1245 	}
1246 
1247 	return NULL;
1248 }
1249 
1250 static inline struct xfrm_state *
1251 __xfrm_state_locate(struct xfrm_state *x, int use_spi, int family)
1252 {
1253 	struct net *net = xs_net(x);
1254 	u32 mark = x->mark.v & x->mark.m;
1255 
1256 	if (use_spi)
1257 		return __xfrm_state_lookup(net, mark, &x->id.daddr,
1258 					   x->id.spi, x->id.proto, family);
1259 	else
1260 		return __xfrm_state_lookup_byaddr(net, mark,
1261 						  &x->id.daddr,
1262 						  &x->props.saddr,
1263 						  x->id.proto, family);
1264 }
1265 
1266 static void xfrm_hash_grow_check(struct net *net, int have_hash_collision)
1267 {
1268 	if (have_hash_collision &&
1269 	    (net->xfrm.state_hmask + 1) < xfrm_state_hashmax &&
1270 	    net->xfrm.state_num > net->xfrm.state_hmask)
1271 		schedule_work(&net->xfrm.state_hash_work);
1272 }
1273 
1274 static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
1275 			       const struct flowi *fl, unsigned short family,
1276 			       struct xfrm_state **best, int *acq_in_progress,
1277 			       int *error)
1278 {
1279 	/* We need the cpu id just as a lookup key,
1280 	 * we don't require it to be stable.
1281 	 */
1282 	unsigned int pcpu_id = get_cpu();
1283 	put_cpu();
1284 
1285 	/* Resolution logic:
1286 	 * 1. There is a valid state with matching selector. Done.
1287 	 * 2. Valid state with inappropriate selector. Skip.
1288 	 *
1289 	 * Entering area of "sysdeps".
1290 	 *
1291 	 * 3. If state is not valid, selector is temporary, it selects
1292 	 *    only session which triggered previous resolution. Key
1293 	 *    manager will do something to install a state with proper
1294 	 *    selector.
1295 	 */
1296 	if (x->km.state == XFRM_STATE_VALID) {
1297 		if ((x->sel.family &&
1298 		     (x->sel.family != family ||
1299 		      !xfrm_selector_match(&x->sel, fl, family))) ||
1300 		    !security_xfrm_state_pol_flow_match(x, pol,
1301 							&fl->u.__fl_common))
1302 			return;
1303 
1304 		if (x->pcpu_num != UINT_MAX && x->pcpu_num != pcpu_id)
1305 			return;
1306 
1307 		if (!*best ||
1308 		    ((*best)->pcpu_num == UINT_MAX && x->pcpu_num == pcpu_id) ||
1309 		    (*best)->km.dying > x->km.dying ||
1310 		    ((*best)->km.dying == x->km.dying &&
1311 		     (*best)->curlft.add_time < x->curlft.add_time))
1312 			*best = x;
1313 	} else if (x->km.state == XFRM_STATE_ACQ) {
1314 		if (!*best || x->pcpu_num == pcpu_id)
1315 			*acq_in_progress = 1;
1316 	} else if (x->km.state == XFRM_STATE_ERROR ||
1317 		   x->km.state == XFRM_STATE_EXPIRED) {
1318 		if ((!x->sel.family ||
1319 		     (x->sel.family == family &&
1320 		      xfrm_selector_match(&x->sel, fl, family))) &&
1321 		    security_xfrm_state_pol_flow_match(x, pol,
1322 						       &fl->u.__fl_common))
1323 			*error = -ESRCH;
1324 	}
1325 }
1326 
1327 struct xfrm_state *
1328 xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
1329 		const struct flowi *fl, struct xfrm_tmpl *tmpl,
1330 		struct xfrm_policy *pol, int *err,
1331 		unsigned short family, u32 if_id)
1332 {
1333 	static xfrm_address_t saddr_wildcard = { };
1334 	struct net *net = xp_net(pol);
1335 	unsigned int h, h_wildcard;
1336 	struct xfrm_state *x, *x0, *to_put;
1337 	int acquire_in_progress = 0;
1338 	int error = 0;
1339 	struct xfrm_state *best = NULL;
1340 	u32 mark = pol->mark.v & pol->mark.m;
1341 	unsigned short encap_family = tmpl->encap_family;
1342 	unsigned int sequence;
1343 	struct km_event c;
1344 	unsigned int pcpu_id;
1345 	bool cached = false;
1346 
1347 	/* We need the cpu id just as a lookup key,
1348 	 * we don't require it to be stable.
1349 	 */
1350 	pcpu_id = get_cpu();
1351 	put_cpu();
1352 
1353 	to_put = NULL;
1354 
1355 	sequence = read_seqcount_begin(&net->xfrm.xfrm_state_hash_generation);
1356 
1357 	rcu_read_lock();
1358 	hlist_for_each_entry_rcu(x, &pol->state_cache_list, state_cache) {
1359 		if (x->props.family == encap_family &&
1360 		    x->props.reqid == tmpl->reqid &&
1361 		    (mark & x->mark.m) == x->mark.v &&
1362 		    x->if_id == if_id &&
1363 		    !(x->props.flags & XFRM_STATE_WILDRECV) &&
1364 		    xfrm_state_addr_check(x, daddr, saddr, encap_family) &&
1365 		    tmpl->mode == x->props.mode &&
1366 		    tmpl->id.proto == x->id.proto &&
1367 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
1368 			xfrm_state_look_at(pol, x, fl, encap_family,
1369 					   &best, &acquire_in_progress, &error);
1370 	}
1371 
1372 	if (best)
1373 		goto cached;
1374 
1375 	hlist_for_each_entry_rcu(x, &pol->state_cache_list, state_cache) {
1376 		if (x->props.family == encap_family &&
1377 		    x->props.reqid == tmpl->reqid &&
1378 		    (mark & x->mark.m) == x->mark.v &&
1379 		    x->if_id == if_id &&
1380 		    !(x->props.flags & XFRM_STATE_WILDRECV) &&
1381 		    xfrm_addr_equal(&x->id.daddr, daddr, encap_family) &&
1382 		    tmpl->mode == x->props.mode &&
1383 		    tmpl->id.proto == x->id.proto &&
1384 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
1385 			xfrm_state_look_at(pol, x, fl, family,
1386 					   &best, &acquire_in_progress, &error);
1387 	}
1388 
1389 cached:
1390 	cached = true;
1391 	if (best)
1392 		goto found;
1393 	else if (error)
1394 		best = NULL;
1395 	else if (acquire_in_progress) /* XXX: acquire_in_progress should not happen */
1396 		WARN_ON(1);
1397 
1398 	h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);
1399 	hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h, bydst) {
1400 #ifdef CONFIG_XFRM_OFFLOAD
1401 		if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
1402 			if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
1403 				/* HW states are in the head of list, there is
1404 				 * no need to iterate further.
1405 				 */
1406 				break;
1407 
1408 			/* Packet offload: both policy and SA should
1409 			 * have same device.
1410 			 */
1411 			if (pol->xdo.dev != x->xso.dev)
1412 				continue;
1413 		} else if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1414 			/* Skip HW policy for SW lookups */
1415 			continue;
1416 #endif
1417 		if (x->props.family == encap_family &&
1418 		    x->props.reqid == tmpl->reqid &&
1419 		    (mark & x->mark.m) == x->mark.v &&
1420 		    x->if_id == if_id &&
1421 		    !(x->props.flags & XFRM_STATE_WILDRECV) &&
1422 		    xfrm_state_addr_check(x, daddr, saddr, encap_family) &&
1423 		    tmpl->mode == x->props.mode &&
1424 		    tmpl->id.proto == x->id.proto &&
1425 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
1426 			xfrm_state_look_at(pol, x, fl, family,
1427 					   &best, &acquire_in_progress, &error);
1428 	}
1429 	if (best || acquire_in_progress)
1430 		goto found;
1431 
1432 	h_wildcard = xfrm_dst_hash(net, daddr, &saddr_wildcard, tmpl->reqid, encap_family);
1433 	hlist_for_each_entry_rcu(x, net->xfrm.state_bydst + h_wildcard, bydst) {
1434 #ifdef CONFIG_XFRM_OFFLOAD
1435 		if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
1436 			if (x->xso.type != XFRM_DEV_OFFLOAD_PACKET)
1437 				/* HW states are in the head of list, there is
1438 				 * no need to iterate further.
1439 				 */
1440 				break;
1441 
1442 			/* Packet offload: both policy and SA should
1443 			 * have same device.
1444 			 */
1445 			if (pol->xdo.dev != x->xso.dev)
1446 				continue;
1447 		} else if (x->xso.type == XFRM_DEV_OFFLOAD_PACKET)
1448 			/* Skip HW policy for SW lookups */
1449 			continue;
1450 #endif
1451 		if (x->props.family == encap_family &&
1452 		    x->props.reqid == tmpl->reqid &&
1453 		    (mark & x->mark.m) == x->mark.v &&
1454 		    x->if_id == if_id &&
1455 		    !(x->props.flags & XFRM_STATE_WILDRECV) &&
1456 		    xfrm_addr_equal(&x->id.daddr, daddr, encap_family) &&
1457 		    tmpl->mode == x->props.mode &&
1458 		    tmpl->id.proto == x->id.proto &&
1459 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
1460 			xfrm_state_look_at(pol, x, fl, family,
1461 					   &best, &acquire_in_progress, &error);
1462 	}
1463 
1464 found:
1465 	if (!(pol->flags & XFRM_POLICY_CPU_ACQUIRE) ||
1466 	    (best && (best->pcpu_num == pcpu_id)))
1467 		x = best;
1468 
1469 	if (!x && !error && !acquire_in_progress) {
1470 		if (tmpl->id.spi &&
1471 		    (x0 = __xfrm_state_lookup_all(net, mark, daddr,
1472 						  tmpl->id.spi, tmpl->id.proto,
1473 						  encap_family,
1474 						  &pol->xdo)) != NULL) {
1475 			to_put = x0;
1476 			error = -EEXIST;
1477 			goto out;
1478 		}
1479 
1480 		c.net = net;
1481 		/* If the KMs have no listeners (yet...), avoid allocating an SA
1482 		 * for each and every packet - garbage collection might not
1483 		 * handle the flood.
1484 		 */
1485 		if (!km_is_alive(&c)) {
1486 			error = -ESRCH;
1487 			goto out;
1488 		}
1489 
1490 		x = xfrm_state_alloc(net);
1491 		if (x == NULL) {
1492 			error = -ENOMEM;
1493 			goto out;
1494 		}
1495 		/* Initialize temporary state matching only
1496 		 * to current session. */
1497 		xfrm_init_tempstate(x, fl, tmpl, daddr, saddr, family);
1498 		memcpy(&x->mark, &pol->mark, sizeof(x->mark));
1499 		x->if_id = if_id;
1500 		if ((pol->flags & XFRM_POLICY_CPU_ACQUIRE) && best)
1501 			x->pcpu_num = pcpu_id;
1502 
1503 		error = security_xfrm_state_alloc_acquire(x, pol->security, fl->flowi_secid);
1504 		if (error) {
1505 			x->km.state = XFRM_STATE_DEAD;
1506 			to_put = x;
1507 			x = NULL;
1508 			goto out;
1509 		}
1510 #ifdef CONFIG_XFRM_OFFLOAD
1511 		if (pol->xdo.type == XFRM_DEV_OFFLOAD_PACKET) {
1512 			struct xfrm_dev_offload *xdo = &pol->xdo;
1513 			struct xfrm_dev_offload *xso = &x->xso;
1514 
1515 			xso->type = XFRM_DEV_OFFLOAD_PACKET;
1516 			xso->dir = xdo->dir;
1517 			xso->dev = xdo->dev;
1518 			xso->real_dev = xdo->real_dev;
1519 			xso->flags = XFRM_DEV_OFFLOAD_FLAG_ACQ;
1520 			netdev_hold(xso->dev, &xso->dev_tracker, GFP_ATOMIC);
1521 			error = xso->dev->xfrmdev_ops->xdo_dev_state_add(x, NULL);
1522 			if (error) {
1523 				xso->dir = 0;
1524 				netdev_put(xso->dev, &xso->dev_tracker);
1525 				xso->dev = NULL;
1526 				xso->real_dev = NULL;
1527 				xso->type = XFRM_DEV_OFFLOAD_UNSPECIFIED;
1528 				x->km.state = XFRM_STATE_DEAD;
1529 				to_put = x;
1530 				x = NULL;
1531 				goto out;
1532 			}
1533 		}
1534 #endif
1535 		if (km_query(x, tmpl, pol) == 0) {
1536 			spin_lock_bh(&net->xfrm.xfrm_state_lock);
1537 			x->km.state = XFRM_STATE_ACQ;
1538 			x->dir = XFRM_SA_DIR_OUT;
1539 			list_add(&x->km.all, &net->xfrm.state_all);
1540 			h = xfrm_dst_hash(net, daddr, saddr, tmpl->reqid, encap_family);
1541 			XFRM_STATE_INSERT(bydst, &x->bydst,
1542 					  net->xfrm.state_bydst + h,
1543 					  x->xso.type);
1544 			h = xfrm_src_hash(net, daddr, saddr, encap_family);
1545 			XFRM_STATE_INSERT(bysrc, &x->bysrc,
1546 					  net->xfrm.state_bysrc + h,
1547 					  x->xso.type);
1548 			INIT_HLIST_NODE(&x->state_cache);
1549 			if (x->id.spi) {
1550 				h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, encap_family);
1551 				XFRM_STATE_INSERT(byspi, &x->byspi,
1552 						  net->xfrm.state_byspi + h,
1553 						  x->xso.type);
1554 			}
1555 			if (x->km.seq) {
1556 				h = xfrm_seq_hash(net, x->km.seq);
1557 				XFRM_STATE_INSERT(byseq, &x->byseq,
1558 						  net->xfrm.state_byseq + h,
1559 						  x->xso.type);
1560 			}
1561 			x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
1562 			hrtimer_start(&x->mtimer,
1563 				      ktime_set(net->xfrm.sysctl_acq_expires, 0),
1564 				      HRTIMER_MODE_REL_SOFT);
1565 			net->xfrm.state_num++;
1566 			xfrm_hash_grow_check(net, x->bydst.next != NULL);
1567 			spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1568 		} else {
1569 #ifdef CONFIG_XFRM_OFFLOAD
1570 			struct xfrm_dev_offload *xso = &x->xso;
1571 
1572 			if (xso->type == XFRM_DEV_OFFLOAD_PACKET) {
1573 				xfrm_dev_state_delete(x);
1574 				xfrm_dev_state_free(x);
1575 			}
1576 #endif
1577 			x->km.state = XFRM_STATE_DEAD;
1578 			to_put = x;
1579 			x = NULL;
1580 			error = -ESRCH;
1581 		}
1582 
1583 		/* Use the already installed 'fallback' while the CPU-specific
1584 		 * SA acquire is handled*/
1585 		if (best)
1586 			x = best;
1587 	}
1588 out:
1589 	if (x) {
1590 		if (!xfrm_state_hold_rcu(x)) {
1591 			*err = -EAGAIN;
1592 			x = NULL;
1593 		}
1594 	} else {
1595 		*err = acquire_in_progress ? -EAGAIN : error;
1596 	}
1597 
1598 	if (x && x->km.state == XFRM_STATE_VALID && !cached &&
1599 	    (!(pol->flags & XFRM_POLICY_CPU_ACQUIRE) || x->pcpu_num == pcpu_id)) {
1600 		spin_lock_bh(&net->xfrm.xfrm_state_lock);
1601 		if (hlist_unhashed(&x->state_cache))
1602 			hlist_add_head_rcu(&x->state_cache, &pol->state_cache_list);
1603 		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1604 	}
1605 
1606 	rcu_read_unlock();
1607 	if (to_put)
1608 		xfrm_state_put(to_put);
1609 
1610 	if (read_seqcount_retry(&net->xfrm.xfrm_state_hash_generation, sequence)) {
1611 		*err = -EAGAIN;
1612 		if (x) {
1613 			xfrm_state_put(x);
1614 			x = NULL;
1615 		}
1616 	}
1617 
1618 	return x;
1619 }
1620 
1621 struct xfrm_state *
1622 xfrm_stateonly_find(struct net *net, u32 mark, u32 if_id,
1623 		    xfrm_address_t *daddr, xfrm_address_t *saddr,
1624 		    unsigned short family, u8 mode, u8 proto, u32 reqid)
1625 {
1626 	unsigned int h;
1627 	struct xfrm_state *rx = NULL, *x = NULL;
1628 
1629 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
1630 	h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
1631 	hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
1632 		if (x->props.family == family &&
1633 		    x->props.reqid == reqid &&
1634 		    (mark & x->mark.m) == x->mark.v &&
1635 		    x->if_id == if_id &&
1636 		    !(x->props.flags & XFRM_STATE_WILDRECV) &&
1637 		    xfrm_state_addr_check(x, daddr, saddr, family) &&
1638 		    mode == x->props.mode &&
1639 		    proto == x->id.proto &&
1640 		    x->km.state == XFRM_STATE_VALID) {
1641 			rx = x;
1642 			break;
1643 		}
1644 	}
1645 
1646 	if (rx)
1647 		xfrm_state_hold(rx);
1648 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1649 
1650 
1651 	return rx;
1652 }
1653 EXPORT_SYMBOL(xfrm_stateonly_find);
1654 
1655 struct xfrm_state *xfrm_state_lookup_byspi(struct net *net, __be32 spi,
1656 					      unsigned short family)
1657 {
1658 	struct xfrm_state *x;
1659 	struct xfrm_state_walk *w;
1660 
1661 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
1662 	list_for_each_entry(w, &net->xfrm.state_all, all) {
1663 		x = container_of(w, struct xfrm_state, km);
1664 		if (x->props.family != family ||
1665 			x->id.spi != spi)
1666 			continue;
1667 
1668 		xfrm_state_hold(x);
1669 		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1670 		return x;
1671 	}
1672 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1673 	return NULL;
1674 }
1675 EXPORT_SYMBOL(xfrm_state_lookup_byspi);
1676 
1677 static void __xfrm_state_insert(struct xfrm_state *x)
1678 {
1679 	struct net *net = xs_net(x);
1680 	unsigned int h;
1681 
1682 	list_add(&x->km.all, &net->xfrm.state_all);
1683 
1684 	h = xfrm_dst_hash(net, &x->id.daddr, &x->props.saddr,
1685 			  x->props.reqid, x->props.family);
1686 	XFRM_STATE_INSERT(bydst, &x->bydst, net->xfrm.state_bydst + h,
1687 			  x->xso.type);
1688 
1689 	h = xfrm_src_hash(net, &x->id.daddr, &x->props.saddr, x->props.family);
1690 	XFRM_STATE_INSERT(bysrc, &x->bysrc, net->xfrm.state_bysrc + h,
1691 			  x->xso.type);
1692 
1693 	if (x->id.spi) {
1694 		h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto,
1695 				  x->props.family);
1696 
1697 		XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h,
1698 				  x->xso.type);
1699 	}
1700 
1701 	if (x->km.seq) {
1702 		h = xfrm_seq_hash(net, x->km.seq);
1703 
1704 		XFRM_STATE_INSERT(byseq, &x->byseq, net->xfrm.state_byseq + h,
1705 				  x->xso.type);
1706 	}
1707 
1708 	hrtimer_start(&x->mtimer, ktime_set(1, 0), HRTIMER_MODE_REL_SOFT);
1709 	if (x->replay_maxage)
1710 		mod_timer(&x->rtimer, jiffies + x->replay_maxage);
1711 
1712 	net->xfrm.state_num++;
1713 
1714 	xfrm_hash_grow_check(net, x->bydst.next != NULL);
1715 	xfrm_nat_keepalive_state_updated(x);
1716 }
1717 
1718 /* net->xfrm.xfrm_state_lock is held */
1719 static void __xfrm_state_bump_genids(struct xfrm_state *xnew)
1720 {
1721 	struct net *net = xs_net(xnew);
1722 	unsigned short family = xnew->props.family;
1723 	u32 reqid = xnew->props.reqid;
1724 	struct xfrm_state *x;
1725 	unsigned int h;
1726 	u32 mark = xnew->mark.v & xnew->mark.m;
1727 	u32 if_id = xnew->if_id;
1728 	u32 cpu_id = xnew->pcpu_num;
1729 
1730 	h = xfrm_dst_hash(net, &xnew->id.daddr, &xnew->props.saddr, reqid, family);
1731 	hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
1732 		if (x->props.family	== family &&
1733 		    x->props.reqid	== reqid &&
1734 		    x->if_id		== if_id &&
1735 		    x->pcpu_num		== cpu_id &&
1736 		    (mark & x->mark.m) == x->mark.v &&
1737 		    xfrm_addr_equal(&x->id.daddr, &xnew->id.daddr, family) &&
1738 		    xfrm_addr_equal(&x->props.saddr, &xnew->props.saddr, family))
1739 			x->genid++;
1740 	}
1741 }
1742 
1743 void xfrm_state_insert(struct xfrm_state *x)
1744 {
1745 	struct net *net = xs_net(x);
1746 
1747 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
1748 	__xfrm_state_bump_genids(x);
1749 	__xfrm_state_insert(x);
1750 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1751 }
1752 EXPORT_SYMBOL(xfrm_state_insert);
1753 
1754 /* net->xfrm.xfrm_state_lock is held */
1755 static struct xfrm_state *__find_acq_core(struct net *net,
1756 					  const struct xfrm_mark *m,
1757 					  unsigned short family, u8 mode,
1758 					  u32 reqid, u32 if_id, u32 pcpu_num, u8 proto,
1759 					  const xfrm_address_t *daddr,
1760 					  const xfrm_address_t *saddr,
1761 					  int create)
1762 {
1763 	unsigned int h = xfrm_dst_hash(net, daddr, saddr, reqid, family);
1764 	struct xfrm_state *x;
1765 	u32 mark = m->v & m->m;
1766 
1767 	hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
1768 		if (x->props.reqid  != reqid ||
1769 		    x->props.mode   != mode ||
1770 		    x->props.family != family ||
1771 		    x->km.state     != XFRM_STATE_ACQ ||
1772 		    x->id.spi       != 0 ||
1773 		    x->id.proto	    != proto ||
1774 		    (mark & x->mark.m) != x->mark.v ||
1775 		    x->pcpu_num != pcpu_num ||
1776 		    !xfrm_addr_equal(&x->id.daddr, daddr, family) ||
1777 		    !xfrm_addr_equal(&x->props.saddr, saddr, family))
1778 			continue;
1779 
1780 		xfrm_state_hold(x);
1781 		return x;
1782 	}
1783 
1784 	if (!create)
1785 		return NULL;
1786 
1787 	x = xfrm_state_alloc(net);
1788 	if (likely(x)) {
1789 		switch (family) {
1790 		case AF_INET:
1791 			x->sel.daddr.a4 = daddr->a4;
1792 			x->sel.saddr.a4 = saddr->a4;
1793 			x->sel.prefixlen_d = 32;
1794 			x->sel.prefixlen_s = 32;
1795 			x->props.saddr.a4 = saddr->a4;
1796 			x->id.daddr.a4 = daddr->a4;
1797 			break;
1798 
1799 		case AF_INET6:
1800 			x->sel.daddr.in6 = daddr->in6;
1801 			x->sel.saddr.in6 = saddr->in6;
1802 			x->sel.prefixlen_d = 128;
1803 			x->sel.prefixlen_s = 128;
1804 			x->props.saddr.in6 = saddr->in6;
1805 			x->id.daddr.in6 = daddr->in6;
1806 			break;
1807 		}
1808 
1809 		x->pcpu_num = pcpu_num;
1810 		x->km.state = XFRM_STATE_ACQ;
1811 		x->id.proto = proto;
1812 		x->props.family = family;
1813 		x->props.mode = mode;
1814 		x->props.reqid = reqid;
1815 		x->if_id = if_id;
1816 		x->mark.v = m->v;
1817 		x->mark.m = m->m;
1818 		x->lft.hard_add_expires_seconds = net->xfrm.sysctl_acq_expires;
1819 		xfrm_state_hold(x);
1820 		hrtimer_start(&x->mtimer,
1821 			      ktime_set(net->xfrm.sysctl_acq_expires, 0),
1822 			      HRTIMER_MODE_REL_SOFT);
1823 		list_add(&x->km.all, &net->xfrm.state_all);
1824 		XFRM_STATE_INSERT(bydst, &x->bydst, net->xfrm.state_bydst + h,
1825 				  x->xso.type);
1826 		h = xfrm_src_hash(net, daddr, saddr, family);
1827 		XFRM_STATE_INSERT(bysrc, &x->bysrc, net->xfrm.state_bysrc + h,
1828 				  x->xso.type);
1829 
1830 		net->xfrm.state_num++;
1831 
1832 		xfrm_hash_grow_check(net, x->bydst.next != NULL);
1833 	}
1834 
1835 	return x;
1836 }
1837 
1838 static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num);
1839 
1840 int xfrm_state_add(struct xfrm_state *x)
1841 {
1842 	struct net *net = xs_net(x);
1843 	struct xfrm_state *x1, *to_put;
1844 	int family;
1845 	int err;
1846 	u32 mark = x->mark.v & x->mark.m;
1847 	int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
1848 
1849 	family = x->props.family;
1850 
1851 	to_put = NULL;
1852 
1853 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
1854 
1855 	x1 = __xfrm_state_locate(x, use_spi, family);
1856 	if (x1) {
1857 		to_put = x1;
1858 		x1 = NULL;
1859 		err = -EEXIST;
1860 		goto out;
1861 	}
1862 
1863 	if (use_spi && x->km.seq) {
1864 		x1 = __xfrm_find_acq_byseq(net, mark, x->km.seq, x->pcpu_num);
1865 		if (x1 && ((x1->id.proto != x->id.proto) ||
1866 		    !xfrm_addr_equal(&x1->id.daddr, &x->id.daddr, family))) {
1867 			to_put = x1;
1868 			x1 = NULL;
1869 		}
1870 	}
1871 
1872 	if (use_spi && !x1)
1873 		x1 = __find_acq_core(net, &x->mark, family, x->props.mode,
1874 				     x->props.reqid, x->if_id, x->pcpu_num, x->id.proto,
1875 				     &x->id.daddr, &x->props.saddr, 0);
1876 
1877 	__xfrm_state_bump_genids(x);
1878 	__xfrm_state_insert(x);
1879 	err = 0;
1880 
1881 out:
1882 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
1883 
1884 	if (x1) {
1885 		xfrm_state_delete(x1);
1886 		xfrm_state_put(x1);
1887 	}
1888 
1889 	if (to_put)
1890 		xfrm_state_put(to_put);
1891 
1892 	return err;
1893 }
1894 EXPORT_SYMBOL(xfrm_state_add);
1895 
1896 #ifdef CONFIG_XFRM_MIGRATE
1897 static inline int clone_security(struct xfrm_state *x, struct xfrm_sec_ctx *security)
1898 {
1899 	struct xfrm_user_sec_ctx *uctx;
1900 	int size = sizeof(*uctx) + security->ctx_len;
1901 	int err;
1902 
1903 	uctx = kmalloc(size, GFP_KERNEL);
1904 	if (!uctx)
1905 		return -ENOMEM;
1906 
1907 	uctx->exttype = XFRMA_SEC_CTX;
1908 	uctx->len = size;
1909 	uctx->ctx_doi = security->ctx_doi;
1910 	uctx->ctx_alg = security->ctx_alg;
1911 	uctx->ctx_len = security->ctx_len;
1912 	memcpy(uctx + 1, security->ctx_str, security->ctx_len);
1913 	err = security_xfrm_state_alloc(x, uctx);
1914 	kfree(uctx);
1915 	if (err)
1916 		return err;
1917 
1918 	return 0;
1919 }
1920 
1921 static struct xfrm_state *xfrm_state_clone(struct xfrm_state *orig,
1922 					   struct xfrm_encap_tmpl *encap)
1923 {
1924 	struct net *net = xs_net(orig);
1925 	struct xfrm_state *x = xfrm_state_alloc(net);
1926 	if (!x)
1927 		goto out;
1928 
1929 	memcpy(&x->id, &orig->id, sizeof(x->id));
1930 	memcpy(&x->sel, &orig->sel, sizeof(x->sel));
1931 	memcpy(&x->lft, &orig->lft, sizeof(x->lft));
1932 	x->props.mode = orig->props.mode;
1933 	x->props.replay_window = orig->props.replay_window;
1934 	x->props.reqid = orig->props.reqid;
1935 	x->props.family = orig->props.family;
1936 	x->props.saddr = orig->props.saddr;
1937 
1938 	if (orig->aalg) {
1939 		x->aalg = xfrm_algo_auth_clone(orig->aalg);
1940 		if (!x->aalg)
1941 			goto error;
1942 	}
1943 	x->props.aalgo = orig->props.aalgo;
1944 
1945 	if (orig->aead) {
1946 		x->aead = xfrm_algo_aead_clone(orig->aead);
1947 		x->geniv = orig->geniv;
1948 		if (!x->aead)
1949 			goto error;
1950 	}
1951 	if (orig->ealg) {
1952 		x->ealg = xfrm_algo_clone(orig->ealg);
1953 		if (!x->ealg)
1954 			goto error;
1955 	}
1956 	x->props.ealgo = orig->props.ealgo;
1957 
1958 	if (orig->calg) {
1959 		x->calg = xfrm_algo_clone(orig->calg);
1960 		if (!x->calg)
1961 			goto error;
1962 	}
1963 	x->props.calgo = orig->props.calgo;
1964 
1965 	if (encap || orig->encap) {
1966 		if (encap)
1967 			x->encap = kmemdup(encap, sizeof(*x->encap),
1968 					GFP_KERNEL);
1969 		else
1970 			x->encap = kmemdup(orig->encap, sizeof(*x->encap),
1971 					GFP_KERNEL);
1972 
1973 		if (!x->encap)
1974 			goto error;
1975 	}
1976 
1977 	if (orig->security)
1978 		if (clone_security(x, orig->security))
1979 			goto error;
1980 
1981 	if (orig->coaddr) {
1982 		x->coaddr = kmemdup(orig->coaddr, sizeof(*x->coaddr),
1983 				    GFP_KERNEL);
1984 		if (!x->coaddr)
1985 			goto error;
1986 	}
1987 
1988 	if (orig->replay_esn) {
1989 		if (xfrm_replay_clone(x, orig))
1990 			goto error;
1991 	}
1992 
1993 	memcpy(&x->mark, &orig->mark, sizeof(x->mark));
1994 	memcpy(&x->props.smark, &orig->props.smark, sizeof(x->props.smark));
1995 
1996 	x->props.flags = orig->props.flags;
1997 	x->props.extra_flags = orig->props.extra_flags;
1998 
1999 	x->pcpu_num = orig->pcpu_num;
2000 	x->if_id = orig->if_id;
2001 	x->tfcpad = orig->tfcpad;
2002 	x->replay_maxdiff = orig->replay_maxdiff;
2003 	x->replay_maxage = orig->replay_maxage;
2004 	memcpy(&x->curlft, &orig->curlft, sizeof(x->curlft));
2005 	x->km.state = orig->km.state;
2006 	x->km.seq = orig->km.seq;
2007 	x->replay = orig->replay;
2008 	x->preplay = orig->preplay;
2009 	x->mapping_maxage = orig->mapping_maxage;
2010 	x->lastused = orig->lastused;
2011 	x->new_mapping = 0;
2012 	x->new_mapping_sport = 0;
2013 	x->dir = orig->dir;
2014 
2015 	x->mode_cbs = orig->mode_cbs;
2016 	if (x->mode_cbs && x->mode_cbs->clone_state) {
2017 		if (x->mode_cbs->clone_state(x, orig))
2018 			goto error;
2019 	}
2020 
2021 	return x;
2022 
2023  error:
2024 	xfrm_state_put(x);
2025 out:
2026 	return NULL;
2027 }
2028 
2029 struct xfrm_state *xfrm_migrate_state_find(struct xfrm_migrate *m, struct net *net,
2030 						u32 if_id)
2031 {
2032 	unsigned int h;
2033 	struct xfrm_state *x = NULL;
2034 
2035 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2036 
2037 	if (m->reqid) {
2038 		h = xfrm_dst_hash(net, &m->old_daddr, &m->old_saddr,
2039 				  m->reqid, m->old_family);
2040 		hlist_for_each_entry(x, net->xfrm.state_bydst+h, bydst) {
2041 			if (x->props.mode != m->mode ||
2042 			    x->id.proto != m->proto)
2043 				continue;
2044 			if (m->reqid && x->props.reqid != m->reqid)
2045 				continue;
2046 			if (if_id != 0 && x->if_id != if_id)
2047 				continue;
2048 			if (!xfrm_addr_equal(&x->id.daddr, &m->old_daddr,
2049 					     m->old_family) ||
2050 			    !xfrm_addr_equal(&x->props.saddr, &m->old_saddr,
2051 					     m->old_family))
2052 				continue;
2053 			xfrm_state_hold(x);
2054 			break;
2055 		}
2056 	} else {
2057 		h = xfrm_src_hash(net, &m->old_daddr, &m->old_saddr,
2058 				  m->old_family);
2059 		hlist_for_each_entry(x, net->xfrm.state_bysrc+h, bysrc) {
2060 			if (x->props.mode != m->mode ||
2061 			    x->id.proto != m->proto)
2062 				continue;
2063 			if (if_id != 0 && x->if_id != if_id)
2064 				continue;
2065 			if (!xfrm_addr_equal(&x->id.daddr, &m->old_daddr,
2066 					     m->old_family) ||
2067 			    !xfrm_addr_equal(&x->props.saddr, &m->old_saddr,
2068 					     m->old_family))
2069 				continue;
2070 			xfrm_state_hold(x);
2071 			break;
2072 		}
2073 	}
2074 
2075 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2076 
2077 	return x;
2078 }
2079 EXPORT_SYMBOL(xfrm_migrate_state_find);
2080 
2081 struct xfrm_state *xfrm_state_migrate(struct xfrm_state *x,
2082 				      struct xfrm_migrate *m,
2083 				      struct xfrm_encap_tmpl *encap)
2084 {
2085 	struct xfrm_state *xc;
2086 
2087 	xc = xfrm_state_clone(x, encap);
2088 	if (!xc)
2089 		return NULL;
2090 
2091 	xc->props.family = m->new_family;
2092 
2093 	if (xfrm_init_state(xc) < 0)
2094 		goto error;
2095 
2096 	memcpy(&xc->id.daddr, &m->new_daddr, sizeof(xc->id.daddr));
2097 	memcpy(&xc->props.saddr, &m->new_saddr, sizeof(xc->props.saddr));
2098 
2099 	/* add state */
2100 	if (xfrm_addr_equal(&x->id.daddr, &m->new_daddr, m->new_family)) {
2101 		/* a care is needed when the destination address of the
2102 		   state is to be updated as it is a part of triplet */
2103 		xfrm_state_insert(xc);
2104 	} else {
2105 		if (xfrm_state_add(xc) < 0)
2106 			goto error;
2107 	}
2108 
2109 	return xc;
2110 error:
2111 	xfrm_state_put(xc);
2112 	return NULL;
2113 }
2114 EXPORT_SYMBOL(xfrm_state_migrate);
2115 #endif
2116 
2117 int xfrm_state_update(struct xfrm_state *x)
2118 {
2119 	struct xfrm_state *x1, *to_put;
2120 	int err;
2121 	int use_spi = xfrm_id_proto_match(x->id.proto, IPSEC_PROTO_ANY);
2122 	struct net *net = xs_net(x);
2123 
2124 	to_put = NULL;
2125 
2126 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2127 	x1 = __xfrm_state_locate(x, use_spi, x->props.family);
2128 
2129 	err = -ESRCH;
2130 	if (!x1)
2131 		goto out;
2132 
2133 	if (xfrm_state_kern(x1)) {
2134 		to_put = x1;
2135 		err = -EEXIST;
2136 		goto out;
2137 	}
2138 
2139 	if (x1->km.state == XFRM_STATE_ACQ) {
2140 		if (x->dir && x1->dir != x->dir)
2141 			goto out;
2142 
2143 		__xfrm_state_insert(x);
2144 		x = NULL;
2145 	} else {
2146 		if (x1->dir != x->dir)
2147 			goto out;
2148 	}
2149 	err = 0;
2150 
2151 out:
2152 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2153 
2154 	if (to_put)
2155 		xfrm_state_put(to_put);
2156 
2157 	if (err)
2158 		return err;
2159 
2160 	if (!x) {
2161 		xfrm_state_delete(x1);
2162 		xfrm_state_put(x1);
2163 		return 0;
2164 	}
2165 
2166 	err = -EINVAL;
2167 	spin_lock_bh(&x1->lock);
2168 	if (likely(x1->km.state == XFRM_STATE_VALID)) {
2169 		if (x->encap && x1->encap &&
2170 		    x->encap->encap_type == x1->encap->encap_type)
2171 			memcpy(x1->encap, x->encap, sizeof(*x1->encap));
2172 		else if (x->encap || x1->encap)
2173 			goto fail;
2174 
2175 		if (x->coaddr && x1->coaddr) {
2176 			memcpy(x1->coaddr, x->coaddr, sizeof(*x1->coaddr));
2177 		}
2178 		if (!use_spi && memcmp(&x1->sel, &x->sel, sizeof(x1->sel)))
2179 			memcpy(&x1->sel, &x->sel, sizeof(x1->sel));
2180 		memcpy(&x1->lft, &x->lft, sizeof(x1->lft));
2181 		x1->km.dying = 0;
2182 
2183 		hrtimer_start(&x1->mtimer, ktime_set(1, 0),
2184 			      HRTIMER_MODE_REL_SOFT);
2185 		if (READ_ONCE(x1->curlft.use_time))
2186 			xfrm_state_check_expire(x1);
2187 
2188 		if (x->props.smark.m || x->props.smark.v || x->if_id) {
2189 			spin_lock_bh(&net->xfrm.xfrm_state_lock);
2190 
2191 			if (x->props.smark.m || x->props.smark.v)
2192 				x1->props.smark = x->props.smark;
2193 
2194 			if (x->if_id)
2195 				x1->if_id = x->if_id;
2196 
2197 			__xfrm_state_bump_genids(x1);
2198 			spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2199 		}
2200 
2201 		err = 0;
2202 		x->km.state = XFRM_STATE_DEAD;
2203 		__xfrm_state_put(x);
2204 	}
2205 
2206 fail:
2207 	spin_unlock_bh(&x1->lock);
2208 
2209 	xfrm_state_put(x1);
2210 
2211 	return err;
2212 }
2213 EXPORT_SYMBOL(xfrm_state_update);
2214 
2215 int xfrm_state_check_expire(struct xfrm_state *x)
2216 {
2217 	xfrm_dev_state_update_stats(x);
2218 
2219 	if (!READ_ONCE(x->curlft.use_time))
2220 		WRITE_ONCE(x->curlft.use_time, ktime_get_real_seconds());
2221 
2222 	if (x->curlft.bytes >= x->lft.hard_byte_limit ||
2223 	    x->curlft.packets >= x->lft.hard_packet_limit) {
2224 		x->km.state = XFRM_STATE_EXPIRED;
2225 		hrtimer_start(&x->mtimer, 0, HRTIMER_MODE_REL_SOFT);
2226 		return -EINVAL;
2227 	}
2228 
2229 	if (!x->km.dying &&
2230 	    (x->curlft.bytes >= x->lft.soft_byte_limit ||
2231 	     x->curlft.packets >= x->lft.soft_packet_limit)) {
2232 		x->km.dying = 1;
2233 		km_state_expired(x, 0, 0);
2234 	}
2235 	return 0;
2236 }
2237 EXPORT_SYMBOL(xfrm_state_check_expire);
2238 
2239 void xfrm_state_update_stats(struct net *net)
2240 {
2241 	struct xfrm_state *x;
2242 	int i;
2243 
2244 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2245 	for (i = 0; i <= net->xfrm.state_hmask; i++) {
2246 		hlist_for_each_entry(x, net->xfrm.state_bydst + i, bydst)
2247 			xfrm_dev_state_update_stats(x);
2248 	}
2249 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2250 }
2251 
2252 struct xfrm_state *
2253 xfrm_state_lookup(struct net *net, u32 mark, const xfrm_address_t *daddr, __be32 spi,
2254 		  u8 proto, unsigned short family)
2255 {
2256 	struct xfrm_state *x;
2257 
2258 	rcu_read_lock();
2259 	x = __xfrm_state_lookup(net, mark, daddr, spi, proto, family);
2260 	rcu_read_unlock();
2261 	return x;
2262 }
2263 EXPORT_SYMBOL(xfrm_state_lookup);
2264 
2265 struct xfrm_state *
2266 xfrm_state_lookup_byaddr(struct net *net, u32 mark,
2267 			 const xfrm_address_t *daddr, const xfrm_address_t *saddr,
2268 			 u8 proto, unsigned short family)
2269 {
2270 	struct xfrm_state *x;
2271 
2272 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2273 	x = __xfrm_state_lookup_byaddr(net, mark, daddr, saddr, proto, family);
2274 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2275 	return x;
2276 }
2277 EXPORT_SYMBOL(xfrm_state_lookup_byaddr);
2278 
2279 struct xfrm_state *
2280 xfrm_find_acq(struct net *net, const struct xfrm_mark *mark, u8 mode, u32 reqid,
2281 	      u32 if_id, u32 pcpu_num, u8 proto, const xfrm_address_t *daddr,
2282 	      const xfrm_address_t *saddr, int create, unsigned short family)
2283 {
2284 	struct xfrm_state *x;
2285 
2286 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2287 	x = __find_acq_core(net, mark, family, mode, reqid, if_id, pcpu_num,
2288 			    proto, daddr, saddr, create);
2289 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2290 
2291 	return x;
2292 }
2293 EXPORT_SYMBOL(xfrm_find_acq);
2294 
2295 #ifdef CONFIG_XFRM_SUB_POLICY
2296 #if IS_ENABLED(CONFIG_IPV6)
2297 /* distribution counting sort function for xfrm_state and xfrm_tmpl */
2298 static void
2299 __xfrm6_sort(void **dst, void **src, int n,
2300 	     int (*cmp)(const void *p), int maxclass)
2301 {
2302 	int count[XFRM_MAX_DEPTH] = { };
2303 	int class[XFRM_MAX_DEPTH];
2304 	int i;
2305 
2306 	for (i = 0; i < n; i++) {
2307 		int c = cmp(src[i]);
2308 
2309 		class[i] = c;
2310 		count[c]++;
2311 	}
2312 
2313 	for (i = 2; i < maxclass; i++)
2314 		count[i] += count[i - 1];
2315 
2316 	for (i = 0; i < n; i++) {
2317 		dst[count[class[i] - 1]++] = src[i];
2318 		src[i] = NULL;
2319 	}
2320 }
2321 
2322 /* Rule for xfrm_state:
2323  *
2324  * rule 1: select IPsec transport except AH
2325  * rule 2: select MIPv6 RO or inbound trigger
2326  * rule 3: select IPsec transport AH
2327  * rule 4: select IPsec tunnel
2328  * rule 5: others
2329  */
2330 static int __xfrm6_state_sort_cmp(const void *p)
2331 {
2332 	const struct xfrm_state *v = p;
2333 
2334 	switch (v->props.mode) {
2335 	case XFRM_MODE_TRANSPORT:
2336 		if (v->id.proto != IPPROTO_AH)
2337 			return 1;
2338 		else
2339 			return 3;
2340 #if IS_ENABLED(CONFIG_IPV6_MIP6)
2341 	case XFRM_MODE_ROUTEOPTIMIZATION:
2342 	case XFRM_MODE_IN_TRIGGER:
2343 		return 2;
2344 #endif
2345 	case XFRM_MODE_TUNNEL:
2346 	case XFRM_MODE_BEET:
2347 	case XFRM_MODE_IPTFS:
2348 		return 4;
2349 	}
2350 	return 5;
2351 }
2352 
2353 /* Rule for xfrm_tmpl:
2354  *
2355  * rule 1: select IPsec transport
2356  * rule 2: select MIPv6 RO or inbound trigger
2357  * rule 3: select IPsec tunnel
2358  * rule 4: others
2359  */
2360 static int __xfrm6_tmpl_sort_cmp(const void *p)
2361 {
2362 	const struct xfrm_tmpl *v = p;
2363 
2364 	switch (v->mode) {
2365 	case XFRM_MODE_TRANSPORT:
2366 		return 1;
2367 #if IS_ENABLED(CONFIG_IPV6_MIP6)
2368 	case XFRM_MODE_ROUTEOPTIMIZATION:
2369 	case XFRM_MODE_IN_TRIGGER:
2370 		return 2;
2371 #endif
2372 	case XFRM_MODE_TUNNEL:
2373 	case XFRM_MODE_BEET:
2374 	case XFRM_MODE_IPTFS:
2375 		return 3;
2376 	}
2377 	return 4;
2378 }
2379 #else
2380 static inline int __xfrm6_state_sort_cmp(const void *p) { return 5; }
2381 static inline int __xfrm6_tmpl_sort_cmp(const void *p) { return 4; }
2382 
2383 static inline void
2384 __xfrm6_sort(void **dst, void **src, int n,
2385 	     int (*cmp)(const void *p), int maxclass)
2386 {
2387 	int i;
2388 
2389 	for (i = 0; i < n; i++)
2390 		dst[i] = src[i];
2391 }
2392 #endif /* CONFIG_IPV6 */
2393 
2394 void
2395 xfrm_tmpl_sort(struct xfrm_tmpl **dst, struct xfrm_tmpl **src, int n,
2396 	       unsigned short family)
2397 {
2398 	int i;
2399 
2400 	if (family == AF_INET6)
2401 		__xfrm6_sort((void **)dst, (void **)src, n,
2402 			     __xfrm6_tmpl_sort_cmp, 5);
2403 	else
2404 		for (i = 0; i < n; i++)
2405 			dst[i] = src[i];
2406 }
2407 
2408 void
2409 xfrm_state_sort(struct xfrm_state **dst, struct xfrm_state **src, int n,
2410 		unsigned short family)
2411 {
2412 	int i;
2413 
2414 	if (family == AF_INET6)
2415 		__xfrm6_sort((void **)dst, (void **)src, n,
2416 			     __xfrm6_state_sort_cmp, 6);
2417 	else
2418 		for (i = 0; i < n; i++)
2419 			dst[i] = src[i];
2420 }
2421 #endif
2422 
2423 /* Silly enough, but I'm lazy to build resolution list */
2424 
2425 static struct xfrm_state *__xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num)
2426 {
2427 	unsigned int h = xfrm_seq_hash(net, seq);
2428 	struct xfrm_state *x;
2429 
2430 	hlist_for_each_entry_rcu(x, net->xfrm.state_byseq + h, byseq) {
2431 		if (x->km.seq == seq &&
2432 		    (mark & x->mark.m) == x->mark.v &&
2433 		    x->pcpu_num == pcpu_num &&
2434 		    x->km.state == XFRM_STATE_ACQ) {
2435 			xfrm_state_hold(x);
2436 			return x;
2437 		}
2438 	}
2439 
2440 	return NULL;
2441 }
2442 
2443 struct xfrm_state *xfrm_find_acq_byseq(struct net *net, u32 mark, u32 seq, u32 pcpu_num)
2444 {
2445 	struct xfrm_state *x;
2446 
2447 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2448 	x = __xfrm_find_acq_byseq(net, mark, seq, pcpu_num);
2449 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2450 	return x;
2451 }
2452 EXPORT_SYMBOL(xfrm_find_acq_byseq);
2453 
2454 u32 xfrm_get_acqseq(void)
2455 {
2456 	u32 res;
2457 	static atomic_t acqseq;
2458 
2459 	do {
2460 		res = atomic_inc_return(&acqseq);
2461 	} while (!res);
2462 
2463 	return res;
2464 }
2465 EXPORT_SYMBOL(xfrm_get_acqseq);
2466 
2467 int verify_spi_info(u8 proto, u32 min, u32 max, struct netlink_ext_ack *extack)
2468 {
2469 	switch (proto) {
2470 	case IPPROTO_AH:
2471 	case IPPROTO_ESP:
2472 		break;
2473 
2474 	case IPPROTO_COMP:
2475 		/* IPCOMP spi is 16-bits. */
2476 		if (max >= 0x10000) {
2477 			NL_SET_ERR_MSG(extack, "IPCOMP SPI must be <= 65535");
2478 			return -EINVAL;
2479 		}
2480 		break;
2481 
2482 	default:
2483 		NL_SET_ERR_MSG(extack, "Invalid protocol, must be one of AH, ESP, IPCOMP");
2484 		return -EINVAL;
2485 	}
2486 
2487 	if (min > max) {
2488 		NL_SET_ERR_MSG(extack, "Invalid SPI range: min > max");
2489 		return -EINVAL;
2490 	}
2491 
2492 	return 0;
2493 }
2494 EXPORT_SYMBOL(verify_spi_info);
2495 
2496 int xfrm_alloc_spi(struct xfrm_state *x, u32 low, u32 high,
2497 		   struct netlink_ext_ack *extack)
2498 {
2499 	struct net *net = xs_net(x);
2500 	unsigned int h;
2501 	struct xfrm_state *x0;
2502 	int err = -ENOENT;
2503 	__be32 minspi = htonl(low);
2504 	__be32 maxspi = htonl(high);
2505 	__be32 newspi = 0;
2506 	u32 mark = x->mark.v & x->mark.m;
2507 
2508 	spin_lock_bh(&x->lock);
2509 	if (x->km.state == XFRM_STATE_DEAD) {
2510 		NL_SET_ERR_MSG(extack, "Target ACQUIRE is in DEAD state");
2511 		goto unlock;
2512 	}
2513 
2514 	err = 0;
2515 	if (x->id.spi)
2516 		goto unlock;
2517 
2518 	err = -ENOENT;
2519 
2520 	if (minspi == maxspi) {
2521 		x0 = xfrm_state_lookup(net, mark, &x->id.daddr, minspi, x->id.proto, x->props.family);
2522 		if (x0) {
2523 			NL_SET_ERR_MSG(extack, "Requested SPI is already in use");
2524 			xfrm_state_put(x0);
2525 			goto unlock;
2526 		}
2527 		newspi = minspi;
2528 	} else {
2529 		u32 spi = 0;
2530 		for (h = 0; h < high-low+1; h++) {
2531 			spi = get_random_u32_inclusive(low, high);
2532 			x0 = xfrm_state_lookup(net, mark, &x->id.daddr, htonl(spi), x->id.proto, x->props.family);
2533 			if (x0 == NULL) {
2534 				newspi = htonl(spi);
2535 				break;
2536 			}
2537 			xfrm_state_put(x0);
2538 		}
2539 	}
2540 	if (newspi) {
2541 		spin_lock_bh(&net->xfrm.xfrm_state_lock);
2542 		x->id.spi = newspi;
2543 		h = xfrm_spi_hash(net, &x->id.daddr, x->id.spi, x->id.proto, x->props.family);
2544 		XFRM_STATE_INSERT(byspi, &x->byspi, net->xfrm.state_byspi + h,
2545 				  x->xso.type);
2546 		spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2547 
2548 		err = 0;
2549 	} else {
2550 		NL_SET_ERR_MSG(extack, "No SPI available in the requested range");
2551 	}
2552 
2553 unlock:
2554 	spin_unlock_bh(&x->lock);
2555 
2556 	return err;
2557 }
2558 EXPORT_SYMBOL(xfrm_alloc_spi);
2559 
2560 static bool __xfrm_state_filter_match(struct xfrm_state *x,
2561 				      struct xfrm_address_filter *filter)
2562 {
2563 	if (filter) {
2564 		if ((filter->family == AF_INET ||
2565 		     filter->family == AF_INET6) &&
2566 		    x->props.family != filter->family)
2567 			return false;
2568 
2569 		return addr_match(&x->props.saddr, &filter->saddr,
2570 				  filter->splen) &&
2571 		       addr_match(&x->id.daddr, &filter->daddr,
2572 				  filter->dplen);
2573 	}
2574 	return true;
2575 }
2576 
2577 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
2578 		    int (*func)(struct xfrm_state *, int, void*),
2579 		    void *data)
2580 {
2581 	struct xfrm_state *state;
2582 	struct xfrm_state_walk *x;
2583 	int err = 0;
2584 
2585 	if (walk->seq != 0 && list_empty(&walk->all))
2586 		return 0;
2587 
2588 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2589 	if (list_empty(&walk->all))
2590 		x = list_first_entry(&net->xfrm.state_all, struct xfrm_state_walk, all);
2591 	else
2592 		x = list_first_entry(&walk->all, struct xfrm_state_walk, all);
2593 	list_for_each_entry_from(x, &net->xfrm.state_all, all) {
2594 		if (x->state == XFRM_STATE_DEAD)
2595 			continue;
2596 		state = container_of(x, struct xfrm_state, km);
2597 		if (!xfrm_id_proto_match(state->id.proto, walk->proto))
2598 			continue;
2599 		if (!__xfrm_state_filter_match(state, walk->filter))
2600 			continue;
2601 		err = func(state, walk->seq, data);
2602 		if (err) {
2603 			list_move_tail(&walk->all, &x->all);
2604 			goto out;
2605 		}
2606 		walk->seq++;
2607 	}
2608 	if (walk->seq == 0) {
2609 		err = -ENOENT;
2610 		goto out;
2611 	}
2612 	list_del_init(&walk->all);
2613 out:
2614 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2615 	return err;
2616 }
2617 EXPORT_SYMBOL(xfrm_state_walk);
2618 
2619 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
2620 			  struct xfrm_address_filter *filter)
2621 {
2622 	INIT_LIST_HEAD(&walk->all);
2623 	walk->proto = proto;
2624 	walk->state = XFRM_STATE_DEAD;
2625 	walk->seq = 0;
2626 	walk->filter = filter;
2627 }
2628 EXPORT_SYMBOL(xfrm_state_walk_init);
2629 
2630 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net)
2631 {
2632 	kfree(walk->filter);
2633 
2634 	if (list_empty(&walk->all))
2635 		return;
2636 
2637 	spin_lock_bh(&net->xfrm.xfrm_state_lock);
2638 	list_del(&walk->all);
2639 	spin_unlock_bh(&net->xfrm.xfrm_state_lock);
2640 }
2641 EXPORT_SYMBOL(xfrm_state_walk_done);
2642 
2643 static void xfrm_replay_timer_handler(struct timer_list *t)
2644 {
2645 	struct xfrm_state *x = from_timer(x, t, rtimer);
2646 
2647 	spin_lock(&x->lock);
2648 
2649 	if (x->km.state == XFRM_STATE_VALID) {
2650 		if (xfrm_aevent_is_on(xs_net(x)))
2651 			xfrm_replay_notify(x, XFRM_REPLAY_TIMEOUT);
2652 		else
2653 			x->xflags |= XFRM_TIME_DEFER;
2654 	}
2655 
2656 	spin_unlock(&x->lock);
2657 }
2658 
2659 static LIST_HEAD(xfrm_km_list);
2660 
2661 void km_policy_notify(struct xfrm_policy *xp, int dir, const struct km_event *c)
2662 {
2663 	struct xfrm_mgr *km;
2664 
2665 	rcu_read_lock();
2666 	list_for_each_entry_rcu(km, &xfrm_km_list, list)
2667 		if (km->notify_policy)
2668 			km->notify_policy(xp, dir, c);
2669 	rcu_read_unlock();
2670 }
2671 
2672 void km_state_notify(struct xfrm_state *x, const struct km_event *c)
2673 {
2674 	struct xfrm_mgr *km;
2675 	rcu_read_lock();
2676 	list_for_each_entry_rcu(km, &xfrm_km_list, list)
2677 		if (km->notify)
2678 			km->notify(x, c);
2679 	rcu_read_unlock();
2680 }
2681 
2682 EXPORT_SYMBOL(km_policy_notify);
2683 EXPORT_SYMBOL(km_state_notify);
2684 
2685 void km_state_expired(struct xfrm_state *x, int hard, u32 portid)
2686 {
2687 	struct km_event c;
2688 
2689 	c.data.hard = hard;
2690 	c.portid = portid;
2691 	c.event = XFRM_MSG_EXPIRE;
2692 	km_state_notify(x, &c);
2693 }
2694 
2695 EXPORT_SYMBOL(km_state_expired);
2696 /*
2697  * We send to all registered managers regardless of failure
2698  * We are happy with one success
2699 */
2700 int km_query(struct xfrm_state *x, struct xfrm_tmpl *t, struct xfrm_policy *pol)
2701 {
2702 	int err = -EINVAL, acqret;
2703 	struct xfrm_mgr *km;
2704 
2705 	rcu_read_lock();
2706 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2707 		acqret = km->acquire(x, t, pol);
2708 		if (!acqret)
2709 			err = acqret;
2710 	}
2711 	rcu_read_unlock();
2712 	return err;
2713 }
2714 EXPORT_SYMBOL(km_query);
2715 
2716 static int __km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
2717 {
2718 	int err = -EINVAL;
2719 	struct xfrm_mgr *km;
2720 
2721 	rcu_read_lock();
2722 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2723 		if (km->new_mapping)
2724 			err = km->new_mapping(x, ipaddr, sport);
2725 		if (!err)
2726 			break;
2727 	}
2728 	rcu_read_unlock();
2729 	return err;
2730 }
2731 
2732 int km_new_mapping(struct xfrm_state *x, xfrm_address_t *ipaddr, __be16 sport)
2733 {
2734 	int ret = 0;
2735 
2736 	if (x->mapping_maxage) {
2737 		if ((jiffies / HZ - x->new_mapping) > x->mapping_maxage ||
2738 		    x->new_mapping_sport != sport) {
2739 			x->new_mapping_sport = sport;
2740 			x->new_mapping = jiffies / HZ;
2741 			ret = __km_new_mapping(x, ipaddr, sport);
2742 		}
2743 	} else {
2744 		ret = __km_new_mapping(x, ipaddr, sport);
2745 	}
2746 
2747 	return ret;
2748 }
2749 EXPORT_SYMBOL(km_new_mapping);
2750 
2751 void km_policy_expired(struct xfrm_policy *pol, int dir, int hard, u32 portid)
2752 {
2753 	struct km_event c;
2754 
2755 	c.data.hard = hard;
2756 	c.portid = portid;
2757 	c.event = XFRM_MSG_POLEXPIRE;
2758 	km_policy_notify(pol, dir, &c);
2759 }
2760 EXPORT_SYMBOL(km_policy_expired);
2761 
2762 #ifdef CONFIG_XFRM_MIGRATE
2763 int km_migrate(const struct xfrm_selector *sel, u8 dir, u8 type,
2764 	       const struct xfrm_migrate *m, int num_migrate,
2765 	       const struct xfrm_kmaddress *k,
2766 	       const struct xfrm_encap_tmpl *encap)
2767 {
2768 	int err = -EINVAL;
2769 	int ret;
2770 	struct xfrm_mgr *km;
2771 
2772 	rcu_read_lock();
2773 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2774 		if (km->migrate) {
2775 			ret = km->migrate(sel, dir, type, m, num_migrate, k,
2776 					  encap);
2777 			if (!ret)
2778 				err = ret;
2779 		}
2780 	}
2781 	rcu_read_unlock();
2782 	return err;
2783 }
2784 EXPORT_SYMBOL(km_migrate);
2785 #endif
2786 
2787 int km_report(struct net *net, u8 proto, struct xfrm_selector *sel, xfrm_address_t *addr)
2788 {
2789 	int err = -EINVAL;
2790 	int ret;
2791 	struct xfrm_mgr *km;
2792 
2793 	rcu_read_lock();
2794 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2795 		if (km->report) {
2796 			ret = km->report(net, proto, sel, addr);
2797 			if (!ret)
2798 				err = ret;
2799 		}
2800 	}
2801 	rcu_read_unlock();
2802 	return err;
2803 }
2804 EXPORT_SYMBOL(km_report);
2805 
2806 static bool km_is_alive(const struct km_event *c)
2807 {
2808 	struct xfrm_mgr *km;
2809 	bool is_alive = false;
2810 
2811 	rcu_read_lock();
2812 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2813 		if (km->is_alive && km->is_alive(c)) {
2814 			is_alive = true;
2815 			break;
2816 		}
2817 	}
2818 	rcu_read_unlock();
2819 
2820 	return is_alive;
2821 }
2822 
2823 #if IS_ENABLED(CONFIG_XFRM_USER_COMPAT)
2824 static DEFINE_SPINLOCK(xfrm_translator_lock);
2825 static struct xfrm_translator __rcu *xfrm_translator;
2826 
2827 struct xfrm_translator *xfrm_get_translator(void)
2828 {
2829 	struct xfrm_translator *xtr;
2830 
2831 	rcu_read_lock();
2832 	xtr = rcu_dereference(xfrm_translator);
2833 	if (unlikely(!xtr))
2834 		goto out;
2835 	if (!try_module_get(xtr->owner))
2836 		xtr = NULL;
2837 out:
2838 	rcu_read_unlock();
2839 	return xtr;
2840 }
2841 EXPORT_SYMBOL_GPL(xfrm_get_translator);
2842 
2843 void xfrm_put_translator(struct xfrm_translator *xtr)
2844 {
2845 	module_put(xtr->owner);
2846 }
2847 EXPORT_SYMBOL_GPL(xfrm_put_translator);
2848 
2849 int xfrm_register_translator(struct xfrm_translator *xtr)
2850 {
2851 	int err = 0;
2852 
2853 	spin_lock_bh(&xfrm_translator_lock);
2854 	if (unlikely(xfrm_translator != NULL))
2855 		err = -EEXIST;
2856 	else
2857 		rcu_assign_pointer(xfrm_translator, xtr);
2858 	spin_unlock_bh(&xfrm_translator_lock);
2859 
2860 	return err;
2861 }
2862 EXPORT_SYMBOL_GPL(xfrm_register_translator);
2863 
2864 int xfrm_unregister_translator(struct xfrm_translator *xtr)
2865 {
2866 	int err = 0;
2867 
2868 	spin_lock_bh(&xfrm_translator_lock);
2869 	if (likely(xfrm_translator != NULL)) {
2870 		if (rcu_access_pointer(xfrm_translator) != xtr)
2871 			err = -EINVAL;
2872 		else
2873 			RCU_INIT_POINTER(xfrm_translator, NULL);
2874 	}
2875 	spin_unlock_bh(&xfrm_translator_lock);
2876 	synchronize_rcu();
2877 
2878 	return err;
2879 }
2880 EXPORT_SYMBOL_GPL(xfrm_unregister_translator);
2881 #endif
2882 
2883 int xfrm_user_policy(struct sock *sk, int optname, sockptr_t optval, int optlen)
2884 {
2885 	int err;
2886 	u8 *data;
2887 	struct xfrm_mgr *km;
2888 	struct xfrm_policy *pol = NULL;
2889 
2890 	if (sockptr_is_null(optval) && !optlen) {
2891 		xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL);
2892 		xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL);
2893 		__sk_dst_reset(sk);
2894 		return 0;
2895 	}
2896 
2897 	if (optlen <= 0 || optlen > PAGE_SIZE)
2898 		return -EMSGSIZE;
2899 
2900 	data = memdup_sockptr(optval, optlen);
2901 	if (IS_ERR(data))
2902 		return PTR_ERR(data);
2903 
2904 	if (in_compat_syscall()) {
2905 		struct xfrm_translator *xtr = xfrm_get_translator();
2906 
2907 		if (!xtr) {
2908 			kfree(data);
2909 			return -EOPNOTSUPP;
2910 		}
2911 
2912 		err = xtr->xlate_user_policy_sockptr(&data, optlen);
2913 		xfrm_put_translator(xtr);
2914 		if (err) {
2915 			kfree(data);
2916 			return err;
2917 		}
2918 	}
2919 
2920 	err = -EINVAL;
2921 	rcu_read_lock();
2922 	list_for_each_entry_rcu(km, &xfrm_km_list, list) {
2923 		pol = km->compile_policy(sk, optname, data,
2924 					 optlen, &err);
2925 		if (err >= 0)
2926 			break;
2927 	}
2928 	rcu_read_unlock();
2929 
2930 	if (err >= 0) {
2931 		xfrm_sk_policy_insert(sk, err, pol);
2932 		xfrm_pol_put(pol);
2933 		__sk_dst_reset(sk);
2934 		err = 0;
2935 	}
2936 
2937 	kfree(data);
2938 	return err;
2939 }
2940 EXPORT_SYMBOL(xfrm_user_policy);
2941 
2942 static DEFINE_SPINLOCK(xfrm_km_lock);
2943 
2944 void xfrm_register_km(struct xfrm_mgr *km)
2945 {
2946 	spin_lock_bh(&xfrm_km_lock);
2947 	list_add_tail_rcu(&km->list, &xfrm_km_list);
2948 	spin_unlock_bh(&xfrm_km_lock);
2949 }
2950 EXPORT_SYMBOL(xfrm_register_km);
2951 
2952 void xfrm_unregister_km(struct xfrm_mgr *km)
2953 {
2954 	spin_lock_bh(&xfrm_km_lock);
2955 	list_del_rcu(&km->list);
2956 	spin_unlock_bh(&xfrm_km_lock);
2957 	synchronize_rcu();
2958 }
2959 EXPORT_SYMBOL(xfrm_unregister_km);
2960 
2961 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo)
2962 {
2963 	int err = 0;
2964 
2965 	if (WARN_ON(afinfo->family >= NPROTO))
2966 		return -EAFNOSUPPORT;
2967 
2968 	spin_lock_bh(&xfrm_state_afinfo_lock);
2969 	if (unlikely(xfrm_state_afinfo[afinfo->family] != NULL))
2970 		err = -EEXIST;
2971 	else
2972 		rcu_assign_pointer(xfrm_state_afinfo[afinfo->family], afinfo);
2973 	spin_unlock_bh(&xfrm_state_afinfo_lock);
2974 	return err;
2975 }
2976 EXPORT_SYMBOL(xfrm_state_register_afinfo);
2977 
2978 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo)
2979 {
2980 	int err = 0, family = afinfo->family;
2981 
2982 	if (WARN_ON(family >= NPROTO))
2983 		return -EAFNOSUPPORT;
2984 
2985 	spin_lock_bh(&xfrm_state_afinfo_lock);
2986 	if (likely(xfrm_state_afinfo[afinfo->family] != NULL)) {
2987 		if (rcu_access_pointer(xfrm_state_afinfo[family]) != afinfo)
2988 			err = -EINVAL;
2989 		else
2990 			RCU_INIT_POINTER(xfrm_state_afinfo[afinfo->family], NULL);
2991 	}
2992 	spin_unlock_bh(&xfrm_state_afinfo_lock);
2993 	synchronize_rcu();
2994 	return err;
2995 }
2996 EXPORT_SYMBOL(xfrm_state_unregister_afinfo);
2997 
2998 struct xfrm_state_afinfo *xfrm_state_afinfo_get_rcu(unsigned int family)
2999 {
3000 	if (unlikely(family >= NPROTO))
3001 		return NULL;
3002 
3003 	return rcu_dereference(xfrm_state_afinfo[family]);
3004 }
3005 EXPORT_SYMBOL_GPL(xfrm_state_afinfo_get_rcu);
3006 
3007 struct xfrm_state_afinfo *xfrm_state_get_afinfo(unsigned int family)
3008 {
3009 	struct xfrm_state_afinfo *afinfo;
3010 	if (unlikely(family >= NPROTO))
3011 		return NULL;
3012 	rcu_read_lock();
3013 	afinfo = rcu_dereference(xfrm_state_afinfo[family]);
3014 	if (unlikely(!afinfo))
3015 		rcu_read_unlock();
3016 	return afinfo;
3017 }
3018 
3019 void xfrm_flush_gc(void)
3020 {
3021 	flush_work(&xfrm_state_gc_work);
3022 }
3023 EXPORT_SYMBOL(xfrm_flush_gc);
3024 
3025 /* Temporarily located here until net/xfrm/xfrm_tunnel.c is created */
3026 void xfrm_state_delete_tunnel(struct xfrm_state *x)
3027 {
3028 	if (x->tunnel) {
3029 		struct xfrm_state *t = x->tunnel;
3030 
3031 		if (atomic_read(&t->tunnel_users) == 2)
3032 			xfrm_state_delete(t);
3033 		atomic_dec(&t->tunnel_users);
3034 		xfrm_state_put_sync(t);
3035 		x->tunnel = NULL;
3036 	}
3037 }
3038 EXPORT_SYMBOL(xfrm_state_delete_tunnel);
3039 
3040 u32 xfrm_state_mtu(struct xfrm_state *x, int mtu)
3041 {
3042 	const struct xfrm_type *type = READ_ONCE(x->type);
3043 	struct crypto_aead *aead;
3044 	u32 blksize, net_adj = 0;
3045 
3046 	if (x->km.state != XFRM_STATE_VALID ||
3047 	    !type || type->proto != IPPROTO_ESP)
3048 		return mtu - x->props.header_len;
3049 
3050 	aead = x->data;
3051 	blksize = ALIGN(crypto_aead_blocksize(aead), 4);
3052 
3053 	switch (x->props.mode) {
3054 	case XFRM_MODE_TRANSPORT:
3055 	case XFRM_MODE_BEET:
3056 		if (x->props.family == AF_INET)
3057 			net_adj = sizeof(struct iphdr);
3058 		else if (x->props.family == AF_INET6)
3059 			net_adj = sizeof(struct ipv6hdr);
3060 		break;
3061 	case XFRM_MODE_TUNNEL:
3062 		break;
3063 	default:
3064 		if (x->mode_cbs && x->mode_cbs->get_inner_mtu)
3065 			return x->mode_cbs->get_inner_mtu(x, mtu);
3066 
3067 		WARN_ON_ONCE(1);
3068 		break;
3069 	}
3070 
3071 	return ((mtu - x->props.header_len - crypto_aead_authsize(aead) -
3072 		 net_adj) & ~(blksize - 1)) + net_adj - 2;
3073 }
3074 EXPORT_SYMBOL_GPL(xfrm_state_mtu);
3075 
3076 int __xfrm_init_state(struct xfrm_state *x, bool init_replay, bool offload,
3077 		      struct netlink_ext_ack *extack)
3078 {
3079 	const struct xfrm_mode *inner_mode;
3080 	const struct xfrm_mode *outer_mode;
3081 	int family = x->props.family;
3082 	int err;
3083 
3084 	if (family == AF_INET &&
3085 	    READ_ONCE(xs_net(x)->ipv4.sysctl_ip_no_pmtu_disc))
3086 		x->props.flags |= XFRM_STATE_NOPMTUDISC;
3087 
3088 	err = -EPROTONOSUPPORT;
3089 
3090 	if (x->sel.family != AF_UNSPEC) {
3091 		inner_mode = xfrm_get_mode(x->props.mode, x->sel.family);
3092 		if (inner_mode == NULL) {
3093 			NL_SET_ERR_MSG(extack, "Requested mode not found");
3094 			goto error;
3095 		}
3096 
3097 		if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL) &&
3098 		    family != x->sel.family) {
3099 			NL_SET_ERR_MSG(extack, "Only tunnel modes can accommodate a change of family");
3100 			goto error;
3101 		}
3102 
3103 		x->inner_mode = *inner_mode;
3104 	} else {
3105 		const struct xfrm_mode *inner_mode_iaf;
3106 		int iafamily = AF_INET;
3107 
3108 		inner_mode = xfrm_get_mode(x->props.mode, x->props.family);
3109 		if (inner_mode == NULL) {
3110 			NL_SET_ERR_MSG(extack, "Requested mode not found");
3111 			goto error;
3112 		}
3113 
3114 		x->inner_mode = *inner_mode;
3115 
3116 		if (x->props.family == AF_INET)
3117 			iafamily = AF_INET6;
3118 
3119 		inner_mode_iaf = xfrm_get_mode(x->props.mode, iafamily);
3120 		if (inner_mode_iaf) {
3121 			if (inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)
3122 				x->inner_mode_iaf = *inner_mode_iaf;
3123 		}
3124 	}
3125 
3126 	x->type = xfrm_get_type(x->id.proto, family);
3127 	if (x->type == NULL) {
3128 		NL_SET_ERR_MSG(extack, "Requested type not found");
3129 		goto error;
3130 	}
3131 
3132 	x->type_offload = xfrm_get_type_offload(x->id.proto, family, offload);
3133 
3134 	err = x->type->init_state(x, extack);
3135 	if (err)
3136 		goto error;
3137 
3138 	outer_mode = xfrm_get_mode(x->props.mode, family);
3139 	if (!outer_mode) {
3140 		NL_SET_ERR_MSG(extack, "Requested mode not found");
3141 		err = -EPROTONOSUPPORT;
3142 		goto error;
3143 	}
3144 
3145 	x->outer_mode = *outer_mode;
3146 	if (init_replay) {
3147 		err = xfrm_init_replay(x, extack);
3148 		if (err)
3149 			goto error;
3150 	}
3151 
3152 	if (x->nat_keepalive_interval) {
3153 		if (x->dir != XFRM_SA_DIR_OUT) {
3154 			NL_SET_ERR_MSG(extack, "NAT keepalive is only supported for outbound SAs");
3155 			err = -EINVAL;
3156 			goto error;
3157 		}
3158 
3159 		if (!x->encap || x->encap->encap_type != UDP_ENCAP_ESPINUDP) {
3160 			NL_SET_ERR_MSG(extack,
3161 				       "NAT keepalive is only supported for UDP encapsulation");
3162 			err = -EINVAL;
3163 			goto error;
3164 		}
3165 	}
3166 
3167 	x->mode_cbs = xfrm_get_mode_cbs(x->props.mode);
3168 	if (x->mode_cbs) {
3169 		if (x->mode_cbs->init_state)
3170 			err = x->mode_cbs->init_state(x);
3171 		module_put(x->mode_cbs->owner);
3172 	}
3173 error:
3174 	return err;
3175 }
3176 
3177 EXPORT_SYMBOL(__xfrm_init_state);
3178 
3179 int xfrm_init_state(struct xfrm_state *x)
3180 {
3181 	int err;
3182 
3183 	err = __xfrm_init_state(x, true, false, NULL);
3184 	if (!err)
3185 		x->km.state = XFRM_STATE_VALID;
3186 
3187 	return err;
3188 }
3189 
3190 EXPORT_SYMBOL(xfrm_init_state);
3191 
3192 int __net_init xfrm_state_init(struct net *net)
3193 {
3194 	unsigned int sz;
3195 
3196 	if (net_eq(net, &init_net))
3197 		xfrm_state_cache = KMEM_CACHE(xfrm_state,
3198 					      SLAB_HWCACHE_ALIGN | SLAB_PANIC);
3199 
3200 	INIT_LIST_HEAD(&net->xfrm.state_all);
3201 
3202 	sz = sizeof(struct hlist_head) * 8;
3203 
3204 	net->xfrm.state_bydst = xfrm_hash_alloc(sz);
3205 	if (!net->xfrm.state_bydst)
3206 		goto out_bydst;
3207 	net->xfrm.state_bysrc = xfrm_hash_alloc(sz);
3208 	if (!net->xfrm.state_bysrc)
3209 		goto out_bysrc;
3210 	net->xfrm.state_byspi = xfrm_hash_alloc(sz);
3211 	if (!net->xfrm.state_byspi)
3212 		goto out_byspi;
3213 	net->xfrm.state_byseq = xfrm_hash_alloc(sz);
3214 	if (!net->xfrm.state_byseq)
3215 		goto out_byseq;
3216 
3217 	net->xfrm.state_cache_input = alloc_percpu(struct hlist_head);
3218 	if (!net->xfrm.state_cache_input)
3219 		goto out_state_cache_input;
3220 
3221 	net->xfrm.state_hmask = ((sz / sizeof(struct hlist_head)) - 1);
3222 
3223 	net->xfrm.state_num = 0;
3224 	INIT_WORK(&net->xfrm.state_hash_work, xfrm_hash_resize);
3225 	spin_lock_init(&net->xfrm.xfrm_state_lock);
3226 	seqcount_spinlock_init(&net->xfrm.xfrm_state_hash_generation,
3227 			       &net->xfrm.xfrm_state_lock);
3228 	return 0;
3229 
3230 out_state_cache_input:
3231 	xfrm_hash_free(net->xfrm.state_byseq, sz);
3232 out_byseq:
3233 	xfrm_hash_free(net->xfrm.state_byspi, sz);
3234 out_byspi:
3235 	xfrm_hash_free(net->xfrm.state_bysrc, sz);
3236 out_bysrc:
3237 	xfrm_hash_free(net->xfrm.state_bydst, sz);
3238 out_bydst:
3239 	return -ENOMEM;
3240 }
3241 
3242 void xfrm_state_fini(struct net *net)
3243 {
3244 	unsigned int sz;
3245 
3246 	flush_work(&net->xfrm.state_hash_work);
3247 	flush_work(&xfrm_state_gc_work);
3248 	xfrm_state_flush(net, 0, false, true);
3249 
3250 	WARN_ON(!list_empty(&net->xfrm.state_all));
3251 
3252 	sz = (net->xfrm.state_hmask + 1) * sizeof(struct hlist_head);
3253 	WARN_ON(!hlist_empty(net->xfrm.state_byseq));
3254 	xfrm_hash_free(net->xfrm.state_byseq, sz);
3255 	WARN_ON(!hlist_empty(net->xfrm.state_byspi));
3256 	xfrm_hash_free(net->xfrm.state_byspi, sz);
3257 	WARN_ON(!hlist_empty(net->xfrm.state_bysrc));
3258 	xfrm_hash_free(net->xfrm.state_bysrc, sz);
3259 	WARN_ON(!hlist_empty(net->xfrm.state_bydst));
3260 	xfrm_hash_free(net->xfrm.state_bydst, sz);
3261 	free_percpu(net->xfrm.state_cache_input);
3262 }
3263 
3264 #ifdef CONFIG_AUDITSYSCALL
3265 static void xfrm_audit_helper_sainfo(struct xfrm_state *x,
3266 				     struct audit_buffer *audit_buf)
3267 {
3268 	struct xfrm_sec_ctx *ctx = x->security;
3269 	u32 spi = ntohl(x->id.spi);
3270 
3271 	if (ctx)
3272 		audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
3273 				 ctx->ctx_alg, ctx->ctx_doi, ctx->ctx_str);
3274 
3275 	switch (x->props.family) {
3276 	case AF_INET:
3277 		audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
3278 				 &x->props.saddr.a4, &x->id.daddr.a4);
3279 		break;
3280 	case AF_INET6:
3281 		audit_log_format(audit_buf, " src=%pI6 dst=%pI6",
3282 				 x->props.saddr.a6, x->id.daddr.a6);
3283 		break;
3284 	}
3285 
3286 	audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
3287 }
3288 
3289 static void xfrm_audit_helper_pktinfo(struct sk_buff *skb, u16 family,
3290 				      struct audit_buffer *audit_buf)
3291 {
3292 	const struct iphdr *iph4;
3293 	const struct ipv6hdr *iph6;
3294 
3295 	switch (family) {
3296 	case AF_INET:
3297 		iph4 = ip_hdr(skb);
3298 		audit_log_format(audit_buf, " src=%pI4 dst=%pI4",
3299 				 &iph4->saddr, &iph4->daddr);
3300 		break;
3301 	case AF_INET6:
3302 		iph6 = ipv6_hdr(skb);
3303 		audit_log_format(audit_buf,
3304 				 " src=%pI6 dst=%pI6 flowlbl=0x%x%02x%02x",
3305 				 &iph6->saddr, &iph6->daddr,
3306 				 iph6->flow_lbl[0] & 0x0f,
3307 				 iph6->flow_lbl[1],
3308 				 iph6->flow_lbl[2]);
3309 		break;
3310 	}
3311 }
3312 
3313 void xfrm_audit_state_add(struct xfrm_state *x, int result, bool task_valid)
3314 {
3315 	struct audit_buffer *audit_buf;
3316 
3317 	audit_buf = xfrm_audit_start("SAD-add");
3318 	if (audit_buf == NULL)
3319 		return;
3320 	xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3321 	xfrm_audit_helper_sainfo(x, audit_buf);
3322 	audit_log_format(audit_buf, " res=%u", result);
3323 	audit_log_end(audit_buf);
3324 }
3325 EXPORT_SYMBOL_GPL(xfrm_audit_state_add);
3326 
3327 void xfrm_audit_state_delete(struct xfrm_state *x, int result, bool task_valid)
3328 {
3329 	struct audit_buffer *audit_buf;
3330 
3331 	audit_buf = xfrm_audit_start("SAD-delete");
3332 	if (audit_buf == NULL)
3333 		return;
3334 	xfrm_audit_helper_usrinfo(task_valid, audit_buf);
3335 	xfrm_audit_helper_sainfo(x, audit_buf);
3336 	audit_log_format(audit_buf, " res=%u", result);
3337 	audit_log_end(audit_buf);
3338 }
3339 EXPORT_SYMBOL_GPL(xfrm_audit_state_delete);
3340 
3341 void xfrm_audit_state_replay_overflow(struct xfrm_state *x,
3342 				      struct sk_buff *skb)
3343 {
3344 	struct audit_buffer *audit_buf;
3345 	u32 spi;
3346 
3347 	audit_buf = xfrm_audit_start("SA-replay-overflow");
3348 	if (audit_buf == NULL)
3349 		return;
3350 	xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
3351 	/* don't record the sequence number because it's inherent in this kind
3352 	 * of audit message */
3353 	spi = ntohl(x->id.spi);
3354 	audit_log_format(audit_buf, " spi=%u(0x%x)", spi, spi);
3355 	audit_log_end(audit_buf);
3356 }
3357 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay_overflow);
3358 
3359 void xfrm_audit_state_replay(struct xfrm_state *x,
3360 			     struct sk_buff *skb, __be32 net_seq)
3361 {
3362 	struct audit_buffer *audit_buf;
3363 	u32 spi;
3364 
3365 	audit_buf = xfrm_audit_start("SA-replayed-pkt");
3366 	if (audit_buf == NULL)
3367 		return;
3368 	xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
3369 	spi = ntohl(x->id.spi);
3370 	audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
3371 			 spi, spi, ntohl(net_seq));
3372 	audit_log_end(audit_buf);
3373 }
3374 EXPORT_SYMBOL_GPL(xfrm_audit_state_replay);
3375 
3376 void xfrm_audit_state_notfound_simple(struct sk_buff *skb, u16 family)
3377 {
3378 	struct audit_buffer *audit_buf;
3379 
3380 	audit_buf = xfrm_audit_start("SA-notfound");
3381 	if (audit_buf == NULL)
3382 		return;
3383 	xfrm_audit_helper_pktinfo(skb, family, audit_buf);
3384 	audit_log_end(audit_buf);
3385 }
3386 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound_simple);
3387 
3388 void xfrm_audit_state_notfound(struct sk_buff *skb, u16 family,
3389 			       __be32 net_spi, __be32 net_seq)
3390 {
3391 	struct audit_buffer *audit_buf;
3392 	u32 spi;
3393 
3394 	audit_buf = xfrm_audit_start("SA-notfound");
3395 	if (audit_buf == NULL)
3396 		return;
3397 	xfrm_audit_helper_pktinfo(skb, family, audit_buf);
3398 	spi = ntohl(net_spi);
3399 	audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
3400 			 spi, spi, ntohl(net_seq));
3401 	audit_log_end(audit_buf);
3402 }
3403 EXPORT_SYMBOL_GPL(xfrm_audit_state_notfound);
3404 
3405 void xfrm_audit_state_icvfail(struct xfrm_state *x,
3406 			      struct sk_buff *skb, u8 proto)
3407 {
3408 	struct audit_buffer *audit_buf;
3409 	__be32 net_spi;
3410 	__be32 net_seq;
3411 
3412 	audit_buf = xfrm_audit_start("SA-icv-failure");
3413 	if (audit_buf == NULL)
3414 		return;
3415 	xfrm_audit_helper_pktinfo(skb, x->props.family, audit_buf);
3416 	if (xfrm_parse_spi(skb, proto, &net_spi, &net_seq) == 0) {
3417 		u32 spi = ntohl(net_spi);
3418 		audit_log_format(audit_buf, " spi=%u(0x%x) seqno=%u",
3419 				 spi, spi, ntohl(net_seq));
3420 	}
3421 	audit_log_end(audit_buf);
3422 }
3423 EXPORT_SYMBOL_GPL(xfrm_audit_state_icvfail);
3424 #endif /* CONFIG_AUDITSYSCALL */
3425