1// SPDX-License-Identifier: GPL-2.0
2/*
3 * xfrm_input.c
4 *
5 * Changes:
6 * YOSHIFUJI Hideaki @USAGI
7 * Split up af-specific portion
8 *
9 */
10
11#include <linux/bottom_half.h>
12#include <linux/cache.h>
13#include <linux/interrupt.h>
14#include <linux/slab.h>
15#include <linux/module.h>
16#include <linux/netdevice.h>
17#include <linux/percpu.h>
18#include <net/dst.h>
19#include <net/ip.h>
20#include <net/xfrm.h>
21#include <net/ip_tunnels.h>
22#include <net/ip6_tunnel.h>
23#include <net/dst_metadata.h>
24#include <net/hotdata.h>
25
26#include "xfrm_inout.h"
27
28struct xfrm_trans_tasklet {
29 struct work_struct work;
30 spinlock_t queue_lock;
31 struct sk_buff_head queue;
32};
33
34struct xfrm_trans_cb {
35 union {
36 struct inet_skb_parm h4;
37#if IS_ENABLED(CONFIG_IPV6)
38 struct inet6_skb_parm h6;
39#endif
40 } header;
41 int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb);
42 struct net *net;
43};
44
45#define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
46
47static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
48static struct xfrm_input_afinfo const __rcu *xfrm_input_afinfo[2][AF_INET6 + 1];
49
50static struct gro_cells gro_cells;
51static struct net_device *xfrm_napi_dev;
52
53static DEFINE_PER_CPU(struct xfrm_trans_tasklet, xfrm_trans_tasklet);
54
55int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo)
56{
57 int err = 0;
58
59 if (WARN_ON(afinfo->family > AF_INET6))
60 return -EAFNOSUPPORT;
61
62 spin_lock_bh(lock: &xfrm_input_afinfo_lock);
63 if (unlikely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family]))
64 err = -EEXIST;
65 else
66 rcu_assign_pointer(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family], afinfo);
67 spin_unlock_bh(lock: &xfrm_input_afinfo_lock);
68 return err;
69}
70EXPORT_SYMBOL(xfrm_input_register_afinfo);
71
72int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo)
73{
74 int err = 0;
75
76 spin_lock_bh(lock: &xfrm_input_afinfo_lock);
77 if (likely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family])) {
78 if (unlikely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family] != afinfo))
79 err = -EINVAL;
80 else
81 RCU_INIT_POINTER(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family], NULL);
82 }
83 spin_unlock_bh(lock: &xfrm_input_afinfo_lock);
84 synchronize_rcu();
85 return err;
86}
87EXPORT_SYMBOL(xfrm_input_unregister_afinfo);
88
89static const struct xfrm_input_afinfo *xfrm_input_get_afinfo(u8 family, bool is_ipip)
90{
91 const struct xfrm_input_afinfo *afinfo;
92
93 if (WARN_ON_ONCE(family > AF_INET6))
94 return NULL;
95
96 rcu_read_lock();
97 afinfo = rcu_dereference(xfrm_input_afinfo[is_ipip][family]);
98 if (unlikely(!afinfo))
99 rcu_read_unlock();
100 return afinfo;
101}
102
103static int xfrm_rcv_cb(struct sk_buff *skb, unsigned int family, u8 protocol,
104 int err)
105{
106 bool is_ipip = (protocol == IPPROTO_IPIP || protocol == IPPROTO_IPV6);
107 const struct xfrm_input_afinfo *afinfo;
108 int ret;
109
110 afinfo = xfrm_input_get_afinfo(family, is_ipip);
111 if (!afinfo)
112 return -EAFNOSUPPORT;
113
114 ret = afinfo->callback(skb, protocol, err);
115 rcu_read_unlock();
116
117 return ret;
118}
119
120struct sec_path *secpath_set(struct sk_buff *skb)
121{
122 struct sec_path *sp, *tmp = skb_ext_find(skb, id: SKB_EXT_SEC_PATH);
123
124 sp = skb_ext_add(skb, id: SKB_EXT_SEC_PATH);
125 if (!sp)
126 return NULL;
127
128 if (tmp) /* reused existing one (was COW'd if needed) */
129 return sp;
130
131 /* allocated new secpath */
132 memset(sp->ovec, 0, sizeof(sp->ovec));
133 sp->olen = 0;
134 sp->len = 0;
135 sp->verified_cnt = 0;
136
137 return sp;
138}
139EXPORT_SYMBOL(secpath_set);
140
141/* Fetch spi and seq from ipsec header */
142
143int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
144{
145 int offset, offset_seq;
146 int hlen;
147
148 switch (nexthdr) {
149 case IPPROTO_AH:
150 hlen = sizeof(struct ip_auth_hdr);
151 offset = offsetof(struct ip_auth_hdr, spi);
152 offset_seq = offsetof(struct ip_auth_hdr, seq_no);
153 break;
154 case IPPROTO_ESP:
155 hlen = sizeof(struct ip_esp_hdr);
156 offset = offsetof(struct ip_esp_hdr, spi);
157 offset_seq = offsetof(struct ip_esp_hdr, seq_no);
158 break;
159 case IPPROTO_COMP:
160 if (!pskb_may_pull(skb, len: sizeof(struct ip_comp_hdr)))
161 return -EINVAL;
162 *spi = htonl(ntohs(*(__be16 *)(skb_transport_header(skb) + 2)));
163 *seq = 0;
164 return 0;
165 default:
166 return 1;
167 }
168
169 if (!pskb_may_pull(skb, len: hlen))
170 return -EINVAL;
171
172 *spi = *(__be32 *)(skb_transport_header(skb) + offset);
173 *seq = *(__be32 *)(skb_transport_header(skb) + offset_seq);
174 return 0;
175}
176EXPORT_SYMBOL(xfrm_parse_spi);
177
178static int xfrm4_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb)
179{
180 struct iphdr *iph;
181 int optlen = 0;
182 int err = -EINVAL;
183
184 skb->protocol = htons(ETH_P_IP);
185
186 if (unlikely(XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_BEETPH)) {
187 struct ip_beet_phdr *ph;
188 int phlen;
189
190 if (!pskb_may_pull(skb, len: sizeof(*ph)))
191 goto out;
192
193 ph = (struct ip_beet_phdr *)skb->data;
194
195 phlen = sizeof(*ph) + ph->padlen;
196 optlen = ph->hdrlen * 8 + (IPV4_BEET_PHMAXLEN - phlen);
197 if (optlen < 0 || optlen & 3 || optlen > 250)
198 goto out;
199
200 XFRM_MODE_SKB_CB(skb)->protocol = ph->nexthdr;
201
202 if (!pskb_may_pull(skb, len: phlen))
203 goto out;
204 __skb_pull(skb, len: phlen);
205 }
206
207 skb_push(skb, len: sizeof(*iph));
208 skb_reset_network_header(skb);
209 skb_mac_header_rebuild(skb);
210
211 xfrm4_beet_make_header(skb);
212
213 iph = ip_hdr(skb);
214
215 iph->ihl += optlen / 4;
216 iph->tot_len = htons(skb->len);
217 iph->daddr = x->sel.daddr.a4;
218 iph->saddr = x->sel.saddr.a4;
219 iph->check = 0;
220 iph->check = ip_fast_csum(iph: skb_network_header(skb), ihl: iph->ihl);
221 err = 0;
222out:
223 return err;
224}
225
226static void ipip_ecn_decapsulate(struct sk_buff *skb)
227{
228 struct iphdr *inner_iph = ipip_hdr(skb);
229
230 if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
231 IP_ECN_set_ce(iph: inner_iph);
232}
233
234static int xfrm4_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb)
235{
236 int err = -EINVAL;
237
238 skb->protocol = htons(ETH_P_IP);
239
240 if (!pskb_may_pull(skb, len: sizeof(struct iphdr)))
241 goto out;
242
243 err = skb_unclone(skb, GFP_ATOMIC);
244 if (err)
245 goto out;
246
247 if (x->props.flags & XFRM_STATE_DECAP_DSCP)
248 ipv4_copy_dscp(XFRM_MODE_SKB_CB(skb)->tos, inner: ipip_hdr(skb));
249 if (!(x->props.flags & XFRM_STATE_NOECN))
250 ipip_ecn_decapsulate(skb);
251
252 skb_reset_network_header(skb);
253 skb_mac_header_rebuild(skb);
254 if (skb->mac_len)
255 eth_hdr(skb)->h_proto = skb->protocol;
256
257 err = 0;
258
259out:
260 return err;
261}
262
263static void ipip6_ecn_decapsulate(struct sk_buff *skb)
264{
265 struct ipv6hdr *inner_iph = ipipv6_hdr(skb);
266
267 if (INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
268 IP6_ECN_set_ce(skb, iph: inner_iph);
269}
270
271static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb)
272{
273 int err = -EINVAL;
274
275 skb->protocol = htons(ETH_P_IPV6);
276
277 if (!pskb_may_pull(skb, len: sizeof(struct ipv6hdr)))
278 goto out;
279
280 err = skb_unclone(skb, GFP_ATOMIC);
281 if (err)
282 goto out;
283
284 if (x->props.flags & XFRM_STATE_DECAP_DSCP)
285 ipv6_copy_dscp(XFRM_MODE_SKB_CB(skb)->tos, inner: ipipv6_hdr(skb));
286 if (!(x->props.flags & XFRM_STATE_NOECN))
287 ipip6_ecn_decapsulate(skb);
288
289 skb_reset_network_header(skb);
290 skb_mac_header_rebuild(skb);
291 if (skb->mac_len)
292 eth_hdr(skb)->h_proto = skb->protocol;
293
294 err = 0;
295
296out:
297 return err;
298}
299
300static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb)
301{
302 struct ipv6hdr *ip6h;
303 int size = sizeof(struct ipv6hdr);
304 int err;
305
306 skb->protocol = htons(ETH_P_IPV6);
307
308 err = skb_cow_head(skb, headroom: size + skb->mac_len);
309 if (err)
310 goto out;
311
312 __skb_push(skb, len: size);
313 skb_reset_network_header(skb);
314 skb_mac_header_rebuild(skb);
315
316 xfrm6_beet_make_header(skb);
317
318 ip6h = ipv6_hdr(skb);
319 ip6h->payload_len = htons(skb->len - size);
320 ip6h->daddr = x->sel.daddr.in6;
321 ip6h->saddr = x->sel.saddr.in6;
322 err = 0;
323out:
324 return err;
325}
326
327/* Remove encapsulation header.
328 *
329 * The IP header will be moved over the top of the encapsulation
330 * header.
331 *
332 * On entry, the transport header shall point to where the IP header
333 * should be and the network header shall be set to where the IP
334 * header currently is. skb->data shall point to the start of the
335 * payload.
336 */
337static int
338xfrm_inner_mode_encap_remove(struct xfrm_state *x,
339 struct sk_buff *skb)
340{
341 switch (x->props.mode) {
342 case XFRM_MODE_BEET:
343 switch (x->sel.family) {
344 case AF_INET:
345 return xfrm4_remove_beet_encap(x, skb);
346 case AF_INET6:
347 return xfrm6_remove_beet_encap(x, skb);
348 }
349 break;
350 case XFRM_MODE_TUNNEL:
351 switch (XFRM_MODE_SKB_CB(skb)->protocol) {
352 case IPPROTO_IPIP:
353 return xfrm4_remove_tunnel_encap(x, skb);
354 case IPPROTO_IPV6:
355 return xfrm6_remove_tunnel_encap(x, skb);
356 break;
357 }
358 return -EINVAL;
359 }
360
361 WARN_ON_ONCE(1);
362 return -EOPNOTSUPP;
363}
364
365static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
366{
367 switch (x->props.family) {
368 case AF_INET:
369 xfrm4_extract_header(skb);
370 break;
371 case AF_INET6:
372 xfrm6_extract_header(skb);
373 break;
374 default:
375 WARN_ON_ONCE(1);
376 return -EAFNOSUPPORT;
377 }
378
379 return xfrm_inner_mode_encap_remove(x, skb);
380}
381
382/* Remove encapsulation header.
383 *
384 * The IP header will be moved over the top of the encapsulation header.
385 *
386 * On entry, skb_transport_header() shall point to where the IP header
387 * should be and skb_network_header() shall be set to where the IP header
388 * currently is. skb->data shall point to the start of the payload.
389 */
390static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
391{
392 struct xfrm_offload *xo = xfrm_offload(skb);
393 int ihl = skb->data - skb_transport_header(skb);
394
395 if (skb->transport_header != skb->network_header) {
396 memmove(skb_transport_header(skb),
397 skb_network_header(skb), ihl);
398 if (xo)
399 xo->orig_mac_len =
400 skb_mac_header_was_set(skb) ? skb_mac_header_len(skb) : 0;
401 skb->network_header = skb->transport_header;
402 }
403 ip_hdr(skb)->tot_len = htons(skb->len + ihl);
404 skb_reset_transport_header(skb);
405 return 0;
406}
407
408static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
409{
410#if IS_ENABLED(CONFIG_IPV6)
411 struct xfrm_offload *xo = xfrm_offload(skb);
412 int ihl = skb->data - skb_transport_header(skb);
413
414 if (skb->transport_header != skb->network_header) {
415 memmove(skb_transport_header(skb),
416 skb_network_header(skb), ihl);
417 if (xo)
418 xo->orig_mac_len =
419 skb_mac_header_was_set(skb) ? skb_mac_header_len(skb) : 0;
420 skb->network_header = skb->transport_header;
421 }
422 ipv6_hdr(skb)->payload_len = htons(skb->len + ihl -
423 sizeof(struct ipv6hdr));
424 skb_reset_transport_header(skb);
425 return 0;
426#else
427 WARN_ON_ONCE(1);
428 return -EAFNOSUPPORT;
429#endif
430}
431
432static int xfrm_inner_mode_input(struct xfrm_state *x,
433 struct sk_buff *skb)
434{
435 switch (x->props.mode) {
436 case XFRM_MODE_BEET:
437 case XFRM_MODE_TUNNEL:
438 return xfrm_prepare_input(x, skb);
439 case XFRM_MODE_TRANSPORT:
440 if (x->props.family == AF_INET)
441 return xfrm4_transport_input(x, skb);
442 if (x->props.family == AF_INET6)
443 return xfrm6_transport_input(x, skb);
444 break;
445 case XFRM_MODE_ROUTEOPTIMIZATION:
446 WARN_ON_ONCE(1);
447 break;
448 default:
449 if (x->mode_cbs && x->mode_cbs->input)
450 return x->mode_cbs->input(x, skb);
451
452 WARN_ON_ONCE(1);
453 break;
454 }
455
456 return -EOPNOTSUPP;
457}
458
459/* NOTE: encap_type - In addition to the normal (non-negative) values for
460 * encap_type, a negative value of -1 or -2 can be used to resume/restart this
461 * function after a previous invocation early terminated for async operation.
462 */
463int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
464{
465 const struct xfrm_state_afinfo *afinfo;
466 struct net *net = dev_net(dev: skb->dev);
467 int err;
468 __be32 seq;
469 __be32 seq_hi;
470 struct xfrm_state *x = NULL;
471 xfrm_address_t *daddr;
472 u32 mark = skb->mark;
473 unsigned int family = AF_UNSPEC;
474 int decaps = 0;
475 int async = 0;
476 bool xfrm_gro = false;
477 bool crypto_done = false;
478 struct xfrm_offload *xo = xfrm_offload(skb);
479 struct sec_path *sp;
480
481 if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 ||
482 encap_type == UDP_ENCAP_ESPINUDP))) {
483 x = xfrm_input_state(skb);
484
485 if (unlikely(x->km.state != XFRM_STATE_VALID)) {
486 if (x->km.state == XFRM_STATE_ACQ)
487 XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
488 else
489 XFRM_INC_STATS(net,
490 LINUX_MIB_XFRMINSTATEINVALID);
491
492 if (encap_type == -1)
493 dev_put(dev: skb->dev);
494 goto drop;
495 }
496
497 family = x->props.family;
498
499 /* An encap_type of -2 indicates reconstructed inner packet */
500 if (encap_type == -2)
501 goto resume_decapped;
502
503 /* An encap_type of -1 indicates async resumption. */
504 if (encap_type == -1) {
505 async = 1;
506 dev_put(dev: skb->dev);
507 seq = XFRM_SKB_CB(skb)->seq.input.low;
508 spin_lock(lock: &x->lock);
509 goto resume;
510 }
511 /* GRO call */
512 seq = XFRM_SPI_SKB_CB(skb)->seq;
513
514 if (xo && (xo->flags & CRYPTO_DONE)) {
515 crypto_done = true;
516 family = XFRM_SPI_SKB_CB(skb)->family;
517
518 if (!(xo->status & CRYPTO_SUCCESS)) {
519 if (xo->status &
520 (CRYPTO_TRANSPORT_AH_AUTH_FAILED |
521 CRYPTO_TRANSPORT_ESP_AUTH_FAILED |
522 CRYPTO_TUNNEL_AH_AUTH_FAILED |
523 CRYPTO_TUNNEL_ESP_AUTH_FAILED)) {
524
525 xfrm_audit_state_icvfail(x, skb,
526 proto: x->type->proto);
527 x->stats.integrity_failed++;
528 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
529 goto drop;
530 }
531
532 if (xo->status & CRYPTO_INVALID_PROTOCOL) {
533 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
534 goto drop;
535 }
536
537 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
538 goto drop;
539 }
540
541 if (xfrm_parse_spi(skb, nexthdr, &spi, &seq)) {
542 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
543 goto drop;
544 }
545
546 nexthdr = x->type_offload->input_tail(x, skb);
547 }
548
549 goto process;
550 }
551
552 family = XFRM_SPI_SKB_CB(skb)->family;
553
554 /* if tunnel is present override skb->mark value with tunnel i_key */
555 switch (family) {
556 case AF_INET:
557 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
558 mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
559 break;
560 case AF_INET6:
561 if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
562 mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
563 break;
564 }
565
566 sp = secpath_set(skb);
567 if (!sp) {
568 XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
569 goto drop;
570 }
571
572 seq = 0;
573 if (!spi && xfrm_parse_spi(skb, nexthdr, &spi, &seq)) {
574 secpath_reset(skb);
575 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
576 goto drop;
577 }
578
579 daddr = (xfrm_address_t *)(skb_network_header(skb) +
580 XFRM_SPI_SKB_CB(skb)->daddroff);
581 do {
582 sp = skb_sec_path(skb);
583
584 if (sp->len == XFRM_MAX_DEPTH) {
585 secpath_reset(skb);
586 XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
587 goto drop;
588 }
589
590 x = xfrm_input_state_lookup(net, mark, daddr, spi, proto: nexthdr, family);
591 if (x == NULL) {
592 secpath_reset(skb);
593 XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
594 xfrm_audit_state_notfound(skb, family, net_spi: spi, net_seq: seq);
595 goto drop;
596 }
597
598 if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
599 secpath_reset(skb);
600 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEDIRERROR);
601 xfrm_audit_state_notfound(skb, family, net_spi: spi, net_seq: seq);
602 xfrm_state_put(x);
603 x = NULL;
604 goto drop;
605 }
606
607 skb->mark = xfrm_smark_get(mark: skb->mark, x);
608
609 sp->xvec[sp->len++] = x;
610
611 skb_dst_force(skb);
612 if (!skb_dst(skb)) {
613 XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
614 goto drop;
615 }
616
617process:
618 seq_hi = htonl(xfrm_replay_seqhi(x, seq));
619
620 XFRM_SKB_CB(skb)->seq.input.low = seq;
621 XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;
622
623 spin_lock(lock: &x->lock);
624
625 if (unlikely(x->km.state != XFRM_STATE_VALID)) {
626 if (x->km.state == XFRM_STATE_ACQ)
627 XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
628 else
629 XFRM_INC_STATS(net,
630 LINUX_MIB_XFRMINSTATEINVALID);
631 goto drop_unlock;
632 }
633
634 if ((x->encap ? x->encap->encap_type : 0) != encap_type) {
635 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
636 goto drop_unlock;
637 }
638
639 if (xfrm_replay_check(x, skb, net_seq: seq)) {
640 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
641 goto drop_unlock;
642 }
643
644 if (xfrm_state_check_expire(x)) {
645 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEEXPIRED);
646 goto drop_unlock;
647 }
648
649 if (xfrm_tunnel_check(skb, x, family)) {
650 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
651 goto drop_unlock;
652 }
653
654 if (!crypto_done) {
655 spin_unlock(lock: &x->lock);
656 dev_hold(dev: skb->dev);
657
658 nexthdr = x->type->input(x, skb);
659 if (nexthdr == -EINPROGRESS)
660 return 0;
661
662 dev_put(dev: skb->dev);
663 spin_lock(lock: &x->lock);
664 }
665resume:
666 if (nexthdr < 0) {
667 if (nexthdr == -EBADMSG) {
668 xfrm_audit_state_icvfail(x, skb,
669 proto: x->type->proto);
670 x->stats.integrity_failed++;
671 }
672 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
673 goto drop_unlock;
674 }
675
676 /* only the first xfrm gets the encap type */
677 encap_type = 0;
678
679 if (!crypto_done && xfrm_replay_recheck(x, skb, net_seq: seq)) {
680 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
681 goto drop_unlock;
682 }
683
684 xfrm_replay_advance(x, net_seq: seq);
685
686 x->curlft.bytes += skb->len;
687 x->curlft.packets++;
688 x->lastused = ktime_get_real_seconds();
689
690 spin_unlock(lock: &x->lock);
691
692 XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;
693
694 err = xfrm_inner_mode_input(x, skb);
695 if (err == -EINPROGRESS)
696 return 0;
697 else if (err) {
698 XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
699 goto drop;
700 }
701resume_decapped:
702 if (x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL) {
703 decaps = 1;
704 break;
705 }
706
707 /*
708 * We need the inner address. However, we only get here for
709 * transport mode so the outer address is identical.
710 */
711 daddr = &x->id.daddr;
712 family = x->props.family;
713
714 err = xfrm_parse_spi(skb, nexthdr, &spi, &seq);
715 if (err < 0) {
716 XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
717 goto drop;
718 }
719 crypto_done = false;
720 } while (!err);
721
722 err = xfrm_rcv_cb(skb, family, protocol: x->type->proto, err: 0);
723 if (err)
724 goto drop;
725
726 nf_reset_ct(skb);
727
728 if (decaps) {
729 sp = skb_sec_path(skb);
730 if (sp)
731 sp->olen = 0;
732 if (skb_valid_dst(skb))
733 skb_dst_drop(skb);
734 gro_cells_receive(gcells: &gro_cells, skb);
735 return 0;
736 } else {
737 xo = xfrm_offload(skb);
738 if (xo)
739 xfrm_gro = xo->flags & XFRM_GRO;
740
741 err = -EAFNOSUPPORT;
742 rcu_read_lock();
743 afinfo = xfrm_state_afinfo_get_rcu(family: x->props.family);
744 if (likely(afinfo))
745 err = afinfo->transport_finish(skb, xfrm_gro || async);
746 rcu_read_unlock();
747 if (xfrm_gro) {
748 sp = skb_sec_path(skb);
749 if (sp)
750 sp->olen = 0;
751 if (skb_valid_dst(skb))
752 skb_dst_drop(skb);
753 gro_cells_receive(gcells: &gro_cells, skb);
754 return err;
755 }
756
757 return err;
758 }
759
760drop_unlock:
761 spin_unlock(lock: &x->lock);
762drop:
763 xfrm_rcv_cb(skb, family, protocol: x && x->type ? x->type->proto : nexthdr, err: -1);
764 kfree_skb(skb);
765 return 0;
766}
767EXPORT_SYMBOL(xfrm_input);
768
769int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
770{
771 return xfrm_input(skb, nexthdr, 0, -1);
772}
773EXPORT_SYMBOL(xfrm_input_resume);
774
775static void xfrm_trans_reinject(struct work_struct *work)
776{
777 struct xfrm_trans_tasklet *trans = container_of(work, struct xfrm_trans_tasklet, work);
778 struct sk_buff_head queue;
779 struct sk_buff *skb;
780
781 __skb_queue_head_init(list: &queue);
782 spin_lock_bh(lock: &trans->queue_lock);
783 skb_queue_splice_init(list: &trans->queue, head: &queue);
784 spin_unlock_bh(lock: &trans->queue_lock);
785
786 local_bh_disable();
787 while ((skb = __skb_dequeue(list: &queue)))
788 XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
789 NULL, skb);
790 local_bh_enable();
791}
792
793int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
794 int (*finish)(struct net *, struct sock *,
795 struct sk_buff *))
796{
797 struct xfrm_trans_tasklet *trans;
798
799 trans = this_cpu_ptr(&xfrm_trans_tasklet);
800
801 if (skb_queue_len(list_: &trans->queue) >= READ_ONCE(net_hotdata.max_backlog))
802 return -ENOBUFS;
803
804 BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));
805
806 XFRM_TRANS_SKB_CB(skb)->finish = finish;
807 XFRM_TRANS_SKB_CB(skb)->net = net;
808 spin_lock_bh(lock: &trans->queue_lock);
809 __skb_queue_tail(list: &trans->queue, newsk: skb);
810 spin_unlock_bh(lock: &trans->queue_lock);
811 schedule_work(work: &trans->work);
812 return 0;
813}
814EXPORT_SYMBOL(xfrm_trans_queue_net);
815
816int xfrm_trans_queue(struct sk_buff *skb,
817 int (*finish)(struct net *, struct sock *,
818 struct sk_buff *))
819{
820 return xfrm_trans_queue_net(dev_net(dev: skb->dev), skb, finish);
821}
822EXPORT_SYMBOL(xfrm_trans_queue);
823
824void __init xfrm_input_init(void)
825{
826 int err;
827 int i;
828
829 xfrm_napi_dev = alloc_netdev_dummy(sizeof_priv: 0);
830 if (!xfrm_napi_dev)
831 panic(fmt: "Failed to allocate XFRM dummy netdev\n");
832
833 err = gro_cells_init(gcells: &gro_cells, dev: xfrm_napi_dev);
834 if (err)
835 gro_cells.cells = NULL;
836
837 for_each_possible_cpu(i) {
838 struct xfrm_trans_tasklet *trans;
839
840 trans = &per_cpu(xfrm_trans_tasklet, i);
841 spin_lock_init(&trans->queue_lock);
842 __skb_queue_head_init(list: &trans->queue);
843 INIT_WORK(&trans->work, xfrm_trans_reinject);
844 }
845}
846

source code of linux/net/xfrm/xfrm_input.c