| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20181210145006.19098-14-fw@strlen.de>
Date: Mon, 10 Dec 2018 15:50:06 +0100
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Florian Westphal <fw@...len.de>
Subject: [PATCH net-next 13/13] net: switch secpath to use skb extension infrastructure
Remove skb->sp and allocate secpath storage via extension
infrastructure. This also reduces sk_buff bu 8 bytes on x86_64.
Signed-off-by: Florian Westphal <fw@...len.de>
---
Documentation/networking/xfrm_device.txt | 7 +--
include/linux/skbuff.h | 10 ++---
include/net/xfrm.h | 22 +---------
net/core/skbuff.c | 54 +++++++++++++++++++----
net/xfrm/xfrm_input.c | 56 ++++--------------------
5 files changed, 64 insertions(+), 85 deletions(-)
diff --git a/Documentation/networking/xfrm_device.txt b/Documentation/networking/xfrm_device.txt
index 267f55b5f54a..a1c904dc70dc 100644
--- a/Documentation/networking/xfrm_device.txt
+++ b/Documentation/networking/xfrm_device.txt
@@ -111,9 +111,10 @@ the stack in xfrm_input().
xfrm_state_hold(xs);
store the state information into the skb
- skb->sp = secpath_dup(skb->sp);
- skb->sp->xvec[skb->sp->len++] = xs;
- skb->sp->olen++;
+ sp = secpath_set(skb);
+ if (!sp) return;
+ sp->xvec[sp->len++] = xs;
+ sp->olen++;
indicate the success and/or error status of the offload
xo = xfrm_offload(skb);
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 3ad9fbeb4ac4..7e8962810066 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -714,9 +714,6 @@ struct sk_buff {
struct list_head tcp_tsorted_anchor;
};
-#ifdef CONFIG_XFRM
- struct sec_path *sp;
-#endif
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
unsigned long _nfct;
#endif
@@ -3905,6 +3902,9 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct)
#ifdef CONFIG_SKB_EXTENSIONS
enum skb_ext_id {
+#ifdef CONFIG_XFRM
+ SKB_EXT_SEC_PATH,
+#endif
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
SKB_EXT_BRIDGE_NF,
#endif
@@ -4077,7 +4077,7 @@ static inline void skb_init_secmark(struct sk_buff *skb)
static inline int secpath_exists(const struct sk_buff *skb)
{
#ifdef CONFIG_XFRM
- return skb->sp != NULL;
+ return skb_ext_exist(skb, SKB_EXT_SEC_PATH);
#else
return 0;
#endif
@@ -4135,7 +4135,7 @@ static inline bool skb_get_dst_pending_confirm(const struct sk_buff *skb)
static inline struct sec_path *skb_sec_path(const struct sk_buff *skb)
{
#ifdef CONFIG_XFRM
- return skb->sp;
+ return skb_ext_find(skb, SKB_EXT_SEC_PATH);
#else
return NULL;
#endif
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index da781735c21c..72cdbe8e9939 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1093,7 +1093,6 @@ struct xfrm_offload {
};
struct sec_path {
- refcount_t refcnt;
int len;
int olen;
@@ -1101,32 +1100,13 @@ struct sec_path {
struct xfrm_offload ovec[XFRM_MAX_OFFLOAD_DEPTH];
};
-static inline struct sec_path *
-secpath_get(struct sec_path *sp)
-{
- if (sp)
- refcount_inc(&sp->refcnt);
- return sp;
-}
-
-void __secpath_destroy(struct sec_path *sp);
-
-static inline void
-secpath_put(struct sec_path *sp)
-{
- if (sp && refcount_dec_and_test(&sp->refcnt))
- __secpath_destroy(sp);
-}
-
-struct sec_path *secpath_dup(struct sec_path *src);
struct sec_path *secpath_set(struct sk_buff *skb);
static inline void
secpath_reset(struct sk_buff *skb)
{
#ifdef CONFIG_XFRM
- secpath_put(skb->sp);
- skb->sp = NULL;
+ skb_ext_del(skb, SKB_EXT_SEC_PATH);
#endif
}
diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 960406724970..a1181d6eab3b 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -606,7 +606,6 @@ static void kfree_skbmem(struct sk_buff *skb)
void skb_release_head_state(struct sk_buff *skb)
{
skb_dst_drop(skb);
- secpath_reset(skb);
if (skb->destructor) {
WARN_ON(in_irq());
skb->destructor(skb);
@@ -795,9 +794,6 @@ static void __copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
memcpy(new->cb, old->cb, sizeof(old->cb));
skb_dst_copy(new, old);
__skb_ext_copy(new, old);
-#ifdef CONFIG_XFRM
- new->sp = secpath_get(old->sp);
-#endif
__nf_copy(new, old, false);
/* Note : this field could be in headers_start/headers_end section
@@ -5562,6 +5558,9 @@ static const u8 skb_ext_type_len[] = {
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
[SKB_EXT_BRIDGE_NF] = SKB_EXT_CHUNKSIZEOF(struct nf_bridge_info),
#endif
+#ifdef CONFIG_XFRM
+ [SKB_EXT_SEC_PATH] = SKB_EXT_CHUNKSIZEOF(struct sec_path),
+#endif
};
static void *skb_ext_get_ptr(struct skb_ext *ext, enum skb_ext_id id)
@@ -5570,7 +5569,9 @@ static void *skb_ext_get_ptr(struct skb_ext *ext, enum skb_ext_id id)
}
static struct skb_ext *skb_ext_cow(unsigned int len,
- struct skb_ext *old)
+ struct skb_ext *old,
+ unsigned int old_active)
+
{
struct skb_ext *new = kmalloc(len, GFP_ATOMIC);
@@ -5585,6 +5586,15 @@ static struct skb_ext *skb_ext_cow(unsigned int len,
memcpy(new, old, old->chunks * SKB_EXT_ALIGN_VALUE);
refcount_set(&new->refcnt, 1);
+
+ if (old_active & (1 << SKB_EXT_SEC_PATH)) {
+ struct sec_path *sp = skb_ext_get_ptr(old, SKB_EXT_SEC_PATH);
+ unsigned int i;
+
+ for (i = 0; i < sp->len; i++)
+ xfrm_state_hold(sp->xvec[i]);
+ }
+
__skb_ext_put(old);
return new;
}
@@ -5594,6 +5604,9 @@ static __always_inline unsigned int skb_ext_total_length(void)
return 0 +
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
skb_ext_type_len[SKB_EXT_BRIDGE_NF] +
+#endif
+#ifdef CONFIG_XFRM
+ skb_ext_type_len[SKB_EXT_SEC_PATH] +
#endif
0;
}
@@ -5635,7 +5648,8 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id)
/* extension was allocated previously and it
* might be used by a cloned skb. COW needed.
*/
- new = skb_ext_cow(old->chunks * SKB_EXT_ALIGN_VALUE, old);
+ new = skb_ext_cow(old->chunks * SKB_EXT_ALIGN_VALUE, old,
+ skb->active_extensions);
if (!new)
return NULL;
@@ -5650,7 +5664,8 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id)
newlen = newoff + skb_ext_type_len[id];
if (cow_needed)
- new = skb_ext_cow(newlen * SKB_EXT_ALIGN_VALUE, old);
+ new = skb_ext_cow(newlen * SKB_EXT_ALIGN_VALUE, old,
+ skb->active_extensions);
else
new = krealloc(old, newlen * SKB_EXT_ALIGN_VALUE, GFP_ATOMIC);
if (!new)
@@ -5665,21 +5680,44 @@ void *skb_ext_add(struct sk_buff *skb, enum skb_ext_id id)
}
EXPORT_SYMBOL(skb_ext_add);
+#ifdef CONFIG_XFRM
+static void skb_ext_put_sp(struct sec_path *sp)
+{
+ unsigned int i;
+
+ for (i = 0; i < sp->len; i++)
+ xfrm_state_put(sp->xvec[i]);
+}
+#endif
+
void __skb_ext_del(struct sk_buff *skb, enum skb_ext_id id)
{
struct skb_ext *ext;
skb->active_extensions &= ~(1 << id);
+ ext = skb->extensions;
if (skb->active_extensions == 0) {
- ext = skb->extensions;
skb->extensions = NULL;
__skb_ext_put(ext);
+#ifdef CONFIG_XFRM
+ } else if (id == SKB_EXT_SEC_PATH &&
+ refcount_read(&ext->refcnt) == 1) {
+ struct sec_path *sp = skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH);
+
+ skb_ext_put_sp(sp);
+ sp->len = 0;
+#endif
}
}
EXPORT_SYMBOL(__skb_ext_del);
void __skb_ext_free(struct skb_ext *ext)
{
+#ifdef CONFIG_XFRM
+ if (__skb_ext_exist(ext, SKB_EXT_SEC_PATH))
+ skb_ext_put_sp(skb_ext_get_ptr(ext, SKB_EXT_SEC_PATH));
+#endif
+
kfree(ext);
}
EXPORT_SYMBOL(__skb_ext_free);
diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index b4db25b244fa..6bc817359b58 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -38,8 +38,6 @@ struct xfrm_trans_cb {
#define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
-static struct kmem_cache *secpath_cachep __ro_after_init;
-
static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
static struct xfrm_input_afinfo const __rcu *xfrm_input_afinfo[AF_INET6 + 1];
@@ -111,54 +109,21 @@ static int xfrm_rcv_cb(struct sk_buff *skb, unsigned int family, u8 protocol,
return ret;
}
-void __secpath_destroy(struct sec_path *sp)
-{
- int i;
- for (i = 0; i < sp->len; i++)
- xfrm_state_put(sp->xvec[i]);
- kmem_cache_free(secpath_cachep, sp);
-}
-EXPORT_SYMBOL(__secpath_destroy);
-
-struct sec_path *secpath_dup(struct sec_path *src)
+struct sec_path *secpath_set(struct sk_buff *skb)
{
- struct sec_path *sp;
+ struct sec_path *sp, *tmp = skb_ext_find(skb, SKB_EXT_SEC_PATH);
- sp = kmem_cache_alloc(secpath_cachep, GFP_ATOMIC);
+ sp = skb_ext_add(skb, SKB_EXT_SEC_PATH);
if (!sp)
return NULL;
- sp->len = 0;
- sp->olen = 0;
+ if (tmp) /* reused existing one (was COW'd if needed) */
+ return sp;
+ /* allocated new secpath */
memset(sp->ovec, 0, sizeof(sp->ovec));
-
- if (src) {
- int i;
-
- memcpy(sp, src, sizeof(*sp));
- for (i = 0; i < sp->len; i++)
- xfrm_state_hold(sp->xvec[i]);
- }
- refcount_set(&sp->refcnt, 1);
- return sp;
-}
-EXPORT_SYMBOL(secpath_dup);
-
-struct sec_path *secpath_set(struct sk_buff *skb)
-{
- struct sec_path *sp = skb->sp;
-
- /* Allocate new secpath or COW existing one. */
- if (!sp || refcount_read(&sp->refcnt) != 1) {
- sp = secpath_dup(skb->sp);
- if (!sp)
- return NULL;
-
- if (skb->sp)
- secpath_put(skb->sp);
- skb->sp = sp;
- }
+ sp->olen = 0;
+ sp->len = 0;
return sp;
}
@@ -552,11 +517,6 @@ void __init xfrm_input_init(void)
if (err)
gro_cells.cells = NULL;
- secpath_cachep = kmem_cache_create("secpath_cache",
- sizeof(struct sec_path),
- 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC,
- NULL);
-
for_each_possible_cpu(i) {
struct xfrm_trans_tasklet *trans;
--
2.19.2
Powered by blists - more mailing lists