From patchwork Fri Feb 19 12:00:40 2010
X-Patchwork-Submitter: jamal
X-Patchwork-Id: 45849
X-Patchwork-Delegate: davem@davemloft.net
From: jamal
To: davem@davemloft.net, adobriyan@gmail.com
Cc: netdev@vger.kernel.org, Jamal Hadi Salim
Subject: [PATCH 1/3] pfkey: fix SA and SP flush sequence
Date: Fri, 19 Feb 2010 07:00:40 -0500
Message-Id: <1266580842-10608-2-git-send-email-hadi@cyberus.ca>
In-Reply-To: <1266580842-10608-1-git-send-email-hadi@cyberus.ca>
References: <1266580842-10608-1-git-send-email-hadi@cyberus.ca>
X-Mailing-List: netdev@vger.kernel.org

From: Jamal Hadi Salim

RFC 2367 says flushing behavior should be:
1) user space -> kernel: flush
2) kernel: flush
3) kernel -> user space: flush event to ALL listeners

This is not realistic today in the presence of selinux policies
which may reject the flush etc.

So we make the sequence become:
1) user space -> kernel: flush
2) kernel: flush
3) kernel -> user space: flush response to originator from #1
4) if there were no errors then:
   kernel -> user space: flush event to ALL listeners

Signed-off-by: Jamal Hadi Salim
---
 net/key/af_key.c |   33 +++++++++++++++++++++++++++------
 1 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 79d2c0f..b3faede 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1712,6 +1712,23 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, struct sadb_msg return 0; } +static int unicast_flush_resp(struct sock *sk, struct sadb_msg *ihdr) +{ + struct sk_buff *skb; + struct sadb_msg *hdr; + + skb = alloc_skb(sizeof(struct sadb_msg) + 16, GFP_ATOMIC); + if (!skb) + return -ENOBUFS; + + hdr = (struct sadb_msg *) skb_put(skb, sizeof(struct sadb_msg)); + memcpy(hdr, ihdr, sizeof(struct sadb_msg)); + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); + + return pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ONE, sk, sock_net(sk)); +} + static int key_notify_sa_flush(struct km_event *c) { struct sk_buff *skb; @@ -1740,7 +1757,7 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd unsigned proto; struct km_event c; struct xfrm_audit audit_info; - int err; + int err, err2; proto = pfkey_satype2proto(hdr->sadb_msg_satype); if (proto == 0) @@ -1750,8 +1767,10 @@ static int pfkey_flush(struct sock *sk, struct sk_buff *skb, struct sadb_msg *hd audit_info.sessionid = audit_get_sessionid(current); audit_info.secid = 0; err = xfrm_state_flush(net, proto, &audit_info); - if (err) - return err; + err2 = unicast_flush_resp(sk, hdr); + if (err || err2) + return err ? err : err2; + c.data.proto = proto; c.seq = hdr->sadb_msg_seq; c.pid = hdr->sadb_msg_pid; @@ -2706,14 +2725,16 @@ static int pfkey_spdflush(struct sock *sk, struct sk_buff *skb, struct sadb_msg struct net *net = sock_net(sk); struct km_event c; struct xfrm_audit audit_info; - int err; + int err, err2; audit_info.loginuid = audit_get_loginuid(current); audit_info.sessionid = audit_get_sessionid(current); audit_info.secid = 0; err = xfrm_policy_flush(net, XFRM_POLICY_TYPE_MAIN, &audit_info); - if (err) - return err; + err2 = unicast_flush_resp(sk, hdr); + if (err || err2) + return err ? err : err2; + c.data.type = XFRM_POLICY_TYPE_MAIN; c.event = XFRM_MSG_FLUSHPOLICY; c.pid = hdr->sadb_msg_pid;
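Review bot: in the unicast_flush_resp() hunk, `hdr->sadb_msg_errno = (uint8_t) 0;` hard-codes a success reply, yet both callers in the later hunks invoke the function unconditionally, after xfrm_state_flush()/xfrm_policy_flush() have already returned, so a flush that the LSM rejected is still answered with errno 0 to the originator. Either pass the flush result in and store it (`hdr->sadb_msg_errno = -err;` fits the uint8_t field for ordinary errno values) or keep `if (err) return err;` ahead of the unicast call. Two smaller points in the same hunk: the `(uint8_t) 0` cast is noise, and the `+ 16` slack on alloc_skb() is never consumed by the single skb_put() that follows, so a comment saying why it is there would help the next reader.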
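Review bot: in the pfkey_flush() hunk, `if (err || err2) return err ? err : err2;` lets a failed unicast reply (err2 == -ENOBUFS) suppress the SADB_FLUSH broadcast even though xfrm_state_flush() has already emptied the SAD, so every other listener is left with a stale view of a table that no longer exists. The reply to the originator should not gate the event: return err when the flush itself failed, otherwise fall through to filling in `c` and broadcasting regardless of err2, and report err2 only after the event has gone out. It is also worth checking what xfrm_state_flush() returns for an already-empty table, because with this ordering any non-zero value there both skips the event and reaches the originator as an error for a flush that did nothing wrong.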
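Review bot: the pfkey_spdflush() hunk repeats the exact `err2 = unicast_flush_resp(sk, hdr); if (err || err2) return err ? err : err2;` sequence from pfkey_flush(), so whatever ordering is settled on for the SA path (reply only when the flush succeeded, and do not let a failed reply cancel the event) has to be mirrored here for the SPD; folding the pair into one helper that takes err and sends the reply, returning what the caller should propagate, would keep the two paths from drifting apart in later fixes.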
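To watch the sequence the commit message describes from user space, here is an added example; it is not part of this patch, of net/key/af_key.c, or of any libipsec API. It opens two PF_KEY v2 sockets, sends SADB_FLUSH on one and only listens on the other, then classifies every message that comes back. The helper names (build_flush_request, classify_flush_reply, drain) are this example's own. It assumes a Linux kernel with CONFIG_NET_KEY and needs CAP_NET_ADMIN; flushing the SAD destroys every IPsec SA on the host, so run it only on a throwaway test VM.

```c
/*
 * Added example, not code from the patch or from af_key.c: a PF_KEY v2
 * client that issues SADB_FLUSH and reports what the kernel sends back
 * to the originator and to a passive listener. Helper names are ours.
 * WARNING: this flushes the whole SAD. Test VM only, as root.
 */
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/pfkeyv2.h>

enum flush_reply {
	REPLY_MALFORMED,	/* short, wrong version, or sadb_msg_len disagrees with the read length */
	REPLY_UNRELATED,	/* some other PF_KEY message type */
	REPLY_ERROR,		/* SADB_FLUSH with sadb_msg_errno set: the flush was rejected */
	REPLY_OWN,		/* SADB_FLUSH carrying our pid: response to, or event for, our own flush */
	REPLY_OTHER		/* SADB_FLUSH event caused by another process */
};

/* Fill in a bare SADB_FLUSH request (no extensions). Returns the byte length to send. */
size_t build_flush_request(struct sadb_msg *m, uint8_t satype, uint32_t seq, uint32_t pid)
{
	memset(m, 0, sizeof(*m));
	m->sadb_msg_version = PF_KEY_V2;
	m->sadb_msg_type = SADB_FLUSH;
	m->sadb_msg_satype = satype;		/* SADB_SATYPE_UNSPEC flushes every SA type */
	m->sadb_msg_len = sizeof(*m) / sizeof(uint64_t);	/* PF_KEY lengths count 64-bit words */
	m->sadb_msg_seq = seq;
	m->sadb_msg_pid = pid;
	return sizeof(*m);
}

/* Classify one message read from a PF_KEY socket, relative to our own pid. */
enum flush_reply classify_flush_reply(const void *buf, size_t len, uint32_t our_pid)
{
	const struct sadb_msg *m = buf;

	if (len < sizeof(*m) || m->sadb_msg_version != PF_KEY_V2 ||
	    (size_t)m->sadb_msg_len * sizeof(uint64_t) != len)
		return REPLY_MALFORMED;
	if (m->sadb_msg_type != SADB_FLUSH)
		return REPLY_UNRELATED;
	if (m->sadb_msg_errno != 0)	/* the kernel reports a failure as a positive errno here */
		return REPLY_ERROR;
	return m->sadb_msg_pid == our_pid ? REPLY_OWN : REPLY_OTHER;
}

/* Read whatever arrives on fd within timeout_ms, print it, and return the message count. */
static int drain(const char *who, int fd, uint32_t our_pid, int timeout_ms)
{
	static const char *names[] = { "malformed", "unrelated", "error", "own-flush", "other-flush" };
	unsigned char buf[4096];
	struct pollfd pfd = { .fd = fd, .events = POLLIN };
	int seen = 0;

	while (poll(&pfd, 1, timeout_ms) > 0) {
		ssize_t n = read(fd, buf, sizeof(buf));
		if (n <= 0)
			break;
		enum flush_reply r = classify_flush_reply(buf, (size_t)n, our_pid);
		if (r == REPLY_MALFORMED) {
			printf("%s: malformed message of %zd bytes\n", who, n);
		} else {
			const struct sadb_msg *m = (const struct sadb_msg *)buf;
			printf("%s: %s (type=%u errno=%u seq=%u pid=%u)\n", who, names[r],
			       (unsigned)m->sadb_msg_type, (unsigned)m->sadb_msg_errno,
			       (unsigned)m->sadb_msg_seq, (unsigned)m->sadb_msg_pid);
		}
		seen++;
	}
	return seen;
}

int main(void)
{
	int orig = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
	int listener = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
	struct sadb_msg req;
	uint32_t pid = (uint32_t)getpid();

	if (orig < 0 || listener < 0) {
		perror("socket(PF_KEY): needs CAP_NET_ADMIN and CONFIG_NET_KEY");
		return 1;
	}
	size_t n = build_flush_request(&req, SADB_SATYPE_UNSPEC, 1, pid);
	if (write(orig, &req, n) != (ssize_t)n) {
		/* A rejected flush may surface here or as a reply with sadb_msg_errno set. */
		perror("write(SADB_FLUSH)");
		return 1;
	}
	printf("originator saw %d message(s)\n", drain("originator", orig, pid, 500));
	printf("listener saw %d message(s)\n", drain("listener", listener, pid, 500));
	return 0;
}
```

Build with `gcc -Wall -o pfkey_flush pfkey_flush.c` and run as root. On a kernel without this patch the originator should see a single SADB_FLUSH message (the broadcast event); with the patch applied it should see the unicast response first and then the broadcast event, both carrying its own seq and pid, while the listener sees only the event. A rejected flush shows up as a single "error" line on the originator and nothing on the listener, which is exactly the case the commit message is about.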