X-Patchwork-Id: 126166
From: Github ODP bot
To: lng-odp@lists.linaro.org
Date: Mon, 29 Jan 2018 18:00:10 +0300
Message-Id: <1517238014-22220-2-git-send-email-odpbot@yandex.ru>
In-Reply-To: <1517238014-22220-1-git-send-email-odpbot@yandex.ru>
Github-pr-num: 427
Subject: [lng-odp] [PATCH v2 1/5] linux-gen: ipsec: disallow using SAs while they are being created

From: Dmitry Eremin-Solenikov

Current code has a race condition between inbound traffic and creation of new SA. It is possible for inbound traffic to trigger partially created SA using SA_LOOKUP option (or INLINE mode). Add separate (RESERVED) stage for SA which is in process of being created.

Fixes: https://bugs.linaro.org/show_bug.cgi?id=3594
Signed-off-by: Dmitry Eremin-Solenikov
---
/** Email created from pull request 427 (lumag:ipsec-fix-sad)
 ** https://github.com/Linaro/odp/pull/427
 ** Patch: https://github.com/Linaro/odp/pull/427.patch
 ** Base sha: 27480d82bd93a881ae683a3c314c11042a68ce29
 ** Merge commit sha: 67c9dbf28c41ea7a53782ba841276b03f154c4ef
 **/
platform/linux-generic/odp_ipsec_sad.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/platform/linux-generic/odp_ipsec_sad.c b/platform/linux-generic/odp_ipsec_sad.c index 845a73dea..bb984db38 100644 --- a/platform/linux-generic/odp_ipsec_sad.c +++ b/platform/linux-generic/odp_ipsec_sad.c
@@ -17,7 +17,8 @@ #include #define IPSEC_SA_STATE_DISABLE 0x40000000 -#define IPSEC_SA_STATE_FREE 0xc0000000 /* This includes disable !!! */ +#define IPSEC_SA_STATE_FREE 0xc0000000 +#define IPSEC_SA_STATE_RESERVED 0x80000000 typedef struct ipsec_sa_table_t { ipsec_sa_t ipsec_sa[ODP_CONFIG_IPSEC_SAS]; @@ -108,7 +109,8 @@ static ipsec_sa_t *ipsec_sa_reserve(void) ipsec_sa = ipsec_sa_entry(i); - if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, 0)) + if (odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, + IPSEC_SA_STATE_RESERVED)) return ipsec_sa; } @@ -120,6 +122,12 @@ static void ipsec_sa_release(ipsec_sa_t *ipsec_sa) odp_atomic_store_rel_u32(&ipsec_sa->state, IPSEC_SA_STATE_FREE); } +/* Mark reserved SA as available now */ +static void ipsec_sa_publish(ipsec_sa_t *ipsec_sa) +{ + odp_atomic_store_rel_u32(&ipsec_sa->state, 0); +} + static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) { int cas = 0; @@ -128,9 +136,11 @@ static int ipsec_sa_lock(ipsec_sa_t *ipsec_sa) while (0 == cas) { /* * This can be called from lookup path, so we really need this - * check + * check. Thanks to the way flags are defined we actually test + * that the SA is not DISABLED, FREE or RESERVED using just one + * condition. */ - if (state & IPSEC_SA_STATE_DISABLE) + if (state & IPSEC_SA_STATE_FREE) return -1; cas = odp_atomic_cas_acq_u32(&ipsec_sa->state, &state, @@ -438,6 +448,8 @@ odp_ipsec_sa_t odp_ipsec_sa_create(const odp_ipsec_sa_param_t *param) &ses_create_rc)) goto error; + ipsec_sa_publish(ipsec_sa); + return ipsec_sa->ipsec_sa_hdl; error:
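Review bot: In the first hunk (the state defines), IPSEC_SA_STATE_FREE loses its comment "This includes disable !!!" in the same patch that makes the code depend on that bit layout more heavily. 0xc0000000 is exactly IPSEC_SA_STATE_DISABLE (0x40000000) | IPSEC_SA_STATE_RESERVED (0x80000000), and ipsec_sa_lock() now uses it as a mask. Consider defining it as (IPSEC_SA_STATE_DISABLE | IPSEC_SA_STATE_RESERVED), or keeping a comment at the definition, so that a later change to one of the three values cannot silently break the single-condition test.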
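Review bot: In the hunk that adds ipsec_sa_publish(), the comment "Mark reserved SA as available now" does not state the precondition the function relies on. The store writes 0 unconditionally, so it is only correct when the caller owns an SA in RESERVED state and has finished every write to it. Please say so in the comment, and note that the release store is what orders those writes before the CAS-acquire in ipsec_sa_lock(). A debug assertion that the previous state is IPSEC_SA_STATE_RESERVED would catch misuse.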
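Review bot: In the last hunk (odp_ipsec_sa_create()), ipsec_sa_publish() covers only the success return; the body of the error: label is outside the visible context, and every goto error now arrives there with the SA in RESERVED rather than 0. Please confirm that path returns the slot with ipsec_sa_release() (an unconditional store of IPSEC_SA_STATE_FREE) and not through anything that calls ipsec_sa_lock(), which now returns -1 for a RESERVED SA and would leave the entry stuck.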