net: use skb_sec_path helper in more places

skb_sec_path gains 'const' qualifier to avoid
xt_policy.c: 'skb_sec_path' discards 'const' qualifier from pointer target type

same reasoning as previous conversions: Won't need to touch these
spots anymore when skb->sp is removed.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 70ac58240ec0eaeffa37f5b1d3e31e2c04ed0f2a..d0f254a016bf09ea6d06285b93d50e82e9f219f0 100644 (file)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -4124,7 +4124,7 @@ static inline bool skb_get_dst_pending_confirm(const struct sk_buff *skb)
        return skb->dst_pending_confirm != 0;
 }
 
-static inline struct sec_path *skb_sec_path(struct sk_buff *skb)
+static inline struct sec_path *skb_sec_path(const struct sk_buff *skb)
 {
 #ifdef CONFIG_XFRM
        return skb->sp;

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 9cb506d09b983bb14acbb881be1d32c03170e4d3..af723448c972b97d343f270db578a8a24bfcd1a4 100644 (file)
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1896,14 +1896,16 @@ static inline void xfrm_states_delete(struct xfrm_state **states, int n)
 #ifdef CONFIG_XFRM
 static inline struct xfrm_state *xfrm_input_state(struct sk_buff *skb)
 {
-       return skb->sp->xvec[skb->sp->len - 1];
+       struct sec_path *sp = skb_sec_path(skb);
+
+       return sp->xvec[sp->len - 1];
 }
 #endif
 
 static inline struct xfrm_offload *xfrm_offload(struct sk_buff *skb)
 {
 #ifdef CONFIG_XFRM
-       struct sec_path *sp = skb->sp;
+       struct sec_path *sp = skb_sec_path(skb);
 
        if (!sp || !sp->olen || sp->len != sp->olen)
                return NULL;

diff --git a/net/ipv4/esp4.c b/net/ipv4/esp4.c
index 9e1c840596c5ccd504598260dda853d77784860d..5459f41fc26fa75beeb2800bf55a19a3feda507d 100644 (file)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -125,10 +125,13 @@ static void esp_output_done(struct crypto_async_request *base, int err)
        void *tmp;
        struct xfrm_state *x;
 
-       if (xo && (xo->flags & XFRM_DEV_RESUME))
-               x = skb->sp->xvec[skb->sp->len - 1];
-       else
+       if (xo && (xo->flags & XFRM_DEV_RESUME)) {
+               struct sec_path *sp = skb_sec_path(skb);
+
+               x = sp->xvec[sp->len - 1];
+       } else {
                x = skb_dst(skb)->xfrm;
+       }
 
        tmp = ESP_SKB_CB(skb)->tmp;
        esp_ssg_unref(x, tmp);

diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c
index 19bd22aa05f9006960de55500daa85942e4f7d58..8756e0e790d2a94a5b4a587c3bc3de0673baf2c4 100644 (file)
--- a/net/ipv4/esp4_offload.c
+++ b/net/ipv4/esp4_offload.c
@@ -115,6 +115,7 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
        struct crypto_aead *aead;
        netdev_features_t esp_features = features;
        struct xfrm_offload *xo = xfrm_offload(skb);
+       struct sec_path *sp;
 
        if (!xo)
                return ERR_PTR(-EINVAL);
@@ -122,7 +123,8 @@ static struct sk_buff *esp4_gso_segment(struct sk_buff *skb,
        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
                return ERR_PTR(-EINVAL);
 
-       x = skb->sp->xvec[skb->sp->len - 1];
+       sp = skb_sec_path(skb);
+       x = sp->xvec[sp->len - 1];
        aead = x->data;
        esph = ip_esp_hdr(skb);
 

diff --git a/net/ipv6/esp6.c b/net/ipv6/esp6.c
index 63b2b66f9dfae8f50bfe3ca6230b81585b673bf4..5afe9f83374de5239ced868cd7a5821e1de391c9 100644 (file)
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -145,10 +145,13 @@ static void esp_output_done(struct crypto_async_request *base, int err)
        void *tmp;
        struct xfrm_state *x;
 
-       if (xo && (xo->flags & XFRM_DEV_RESUME))
-               x = skb->sp->xvec[skb->sp->len - 1];
-       else
+       if (xo && (xo->flags & XFRM_DEV_RESUME)) {
+               struct sec_path *sp = skb_sec_path(skb);
+
+               x = sp->xvec[sp->len - 1];
+       } else {
                x = skb_dst(skb)->xfrm;
+       }
 
        tmp = ESP_SKB_CB(skb)->tmp;
        esp_ssg_unref(x, tmp);

diff --git a/net/ipv6/esp6_offload.c b/net/ipv6/esp6_offload.c
index 01a97f5dfa4e285cd46cd7ee3f9279fb6cbf4cb6..d46b4eb645c2e81993119b9a37405aa4b5eb82b3 100644 (file)
--- a/net/ipv6/esp6_offload.c
+++ b/net/ipv6/esp6_offload.c
@@ -142,6 +142,7 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
        struct crypto_aead *aead;
        netdev_features_t esp_features = features;
        struct xfrm_offload *xo = xfrm_offload(skb);
+       struct sec_path *sp;
 
        if (!xo)
                return ERR_PTR(-EINVAL);
@@ -149,7 +150,8 @@ static struct sk_buff *esp6_gso_segment(struct sk_buff *skb,
        if (!(skb_shinfo(skb)->gso_type & SKB_GSO_ESP))
                return ERR_PTR(-EINVAL);
 
-       x = skb->sp->xvec[skb->sp->len - 1];
+       sp = skb_sec_path(skb);
+       x = sp->xvec[sp->len - 1];
        aead = x->data;
        esph = ip_esp_hdr(skb);
 

diff --git a/net/ipv6/xfrm6_input.c b/net/ipv6/xfrm6_input.c
index 97c69df1b3298003bd4ae4a3a51532b3a88bab59..a52cb3fc6df5a9f6186ecc264a3aa07b6c2781b8 100644 (file)
--- a/net/ipv6/xfrm6_input.c
+++ b/net/ipv6/xfrm6_input.c
@@ -147,7 +147,7 @@ int xfrm6_input_addr(struct sk_buff *skb, xfrm_address_t *daddr,
                goto drop;
        }
 
-       skb->sp->xvec[skb->sp->len++] = x;
+       sp->xvec[sp->len++] = x;
 
        spin_lock(&x->lock);
 

diff --git a/net/netfilter/nft_xfrm.c b/net/netfilter/nft_xfrm.c
index 5322609f7662a4161e746e693b0e7f7712800056..b08865ec5ed36ea9278a63157e0e384b5ffd1daf 100644 (file)
--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -161,7 +161,7 @@ static void nft_xfrm_get_eval_in(const struct nft_xfrm *priv,
                                    struct nft_regs *regs,
                                    const struct nft_pktinfo *pkt)
 {
-       const struct sec_path *sp = pkt->skb->sp;
+       const struct sec_path *sp = skb_sec_path(pkt->skb);
        const struct xfrm_state *state;
 
        if (sp == NULL || sp->len <= priv->spnum) {

diff --git a/net/netfilter/xt_policy.c b/net/netfilter/xt_policy.c
index 13f8ccf946d622a21a057381839e65beb5e97c20..aa84e8121c93ee47cdb8fad16b866b7ca145944c 100644 (file)
--- a/net/netfilter/xt_policy.c
+++ b/net/netfilter/xt_policy.c
@@ -56,7 +56,7 @@ match_policy_in(const struct sk_buff *skb, const struct xt_policy_info *info,
                unsigned short family)
 {
        const struct xt_policy_elem *e;
-       const struct sec_path *sp = skb->sp;
+       const struct sec_path *sp = skb_sec_path(skb);
        int strict = info->flags & XT_POLICY_MATCH_STRICT;
        int i, pos;
 

diff --git a/net/xfrm/xfrm_device.c b/net/xfrm/xfrm_device.c
index 144c137886b1627299d304f7c11803b876c3c061..b8736f56e7f7b6c14e35e3bb9ada09ded462e61c 100644 (file)
--- a/net/xfrm/xfrm_device.c
+++ b/net/xfrm/xfrm_device.c
@@ -32,6 +32,7 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
        struct softnet_data *sd;
        netdev_features_t esp_features = features;
        struct xfrm_offload *xo = xfrm_offload(skb);
+       struct sec_path *sp;
 
        if (!xo)
                return skb;
@@ -39,7 +40,8 @@ struct sk_buff *validate_xmit_xfrm(struct sk_buff *skb, netdev_features_t featur
        if (!(features & NETIF_F_HW_ESP))
                esp_features = features & ~(NETIF_F_SG | NETIF_F_CSUM_MASK);
 
-       x = skb->sp->xvec[skb->sp->len - 1];
+       sp = skb_sec_path(skb);
+       x = sp->xvec[sp->len - 1];
        if (xo->flags & XFRM_GRO || x->xso.flags & XFRM_OFFLOAD_INBOUND)
                return skb;
 

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index bda929b9ff35f782b6b2f18cb3454b0e494d3ffa..b4db25b244fa511406aebe416006f53c23231b80 100644 (file)
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -330,7 +330,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
        daddr = (xfrm_address_t *)(skb_network_header(skb) +
                                   XFRM_SPI_SKB_CB(skb)->daddroff);
        do {
-               if (skb->sp->len == XFRM_MAX_DEPTH) {
+               sp = skb_sec_path(skb);
+
+               if (sp->len == XFRM_MAX_DEPTH) {
                        secpath_reset(skb);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
                        goto drop;
@@ -346,7 +348,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 
                skb->mark = xfrm_smark_get(skb->mark, x);
 
-               skb->sp->xvec[skb->sp->len++] = x;
+               sp->xvec[sp->len++] = x;
 
 lock:
                spin_lock(&x->lock);
@@ -470,8 +472,9 @@ resume:
        nf_reset(skb);
 
        if (decaps) {
-               if (skb->sp)
-                       skb->sp->olen = 0;
+               sp = skb_sec_path(skb);
+               if (sp)
+                       sp->olen = 0;
                skb_dst_drop(skb);
                gro_cells_receive(&gro_cells, skb);
                return 0;
@@ -482,8 +485,9 @@ resume:
 
                err = x->inner_mode->afinfo->transport_finish(skb, xfrm_gro || async);
                if (xfrm_gro) {
-                       if (skb->sp)
-                               skb->sp->olen = 0;
+                       sp = skb_sec_path(skb);
+                       if (sp)
+                               sp->olen = 0;
                        skb_dst_drop(skb);
                        gro_cells_receive(&gro_cells, skb);
                        return err;

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index be04091eb7db4a0f028e7828a1c36667a96fc6b0..d6acba07bdc961edd6cee9f70bde3e8f9552fd87 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3200,11 +3200,12 @@ EXPORT_SYMBOL(xfrm_lookup_route);
 static inline int
 xfrm_secpath_reject(int idx, struct sk_buff *skb, const struct flowi *fl)
 {
+       struct sec_path *sp = skb_sec_path(skb);
        struct xfrm_state *x;
 
-       if (!skb->sp || idx < 0 || idx >= skb->sp->len)
+       if (!sp || idx < 0 || idx >= sp->len)
                return 0;
-       x = skb->sp->xvec[idx];
+       x = sp->xvec[idx];
        if (!x->type->reject)
                return 0;
        return x->type->reject(x, skb, fl);
@@ -3304,6 +3305,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        struct flowi fl;
        int xerr_idx = -1;
        const struct xfrm_if_cb *ifcb;
+       struct sec_path *sp;
        struct xfrm_if *xi;
        u32 if_id = 0;
 
@@ -3328,11 +3330,12 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        nf_nat_decode_session(skb, &fl, family);
 
        /* First, check used SA against their selectors. */
-       if (skb->sp) {
+       sp = skb_sec_path(skb);
+       if (sp) {
                int i;
 
-               for (i = skb->sp->len-1; i >= 0; i--) {
-                       struct xfrm_state *x = skb->sp->xvec[i];
+               for (i = sp->len - 1; i >= 0; i--) {
+                       struct xfrm_state *x = sp->xvec[i];
                        if (!xfrm_selector_match(&x->sel, &fl, family)) {
                                XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
                                return 0;
@@ -3359,7 +3362,7 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
        }
 
        if (!pol) {
-               if (skb->sp && secpath_has_nontransport(skb->sp, 0, &xerr_idx)) {
+               if (sp && secpath_has_nontransport(sp, 0, &xerr_idx)) {
                        xfrm_secpath_reject(xerr_idx, skb, &fl);
                        XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOPOLS);
                        return 0;
@@ -3388,7 +3391,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 #endif
 
        if (pol->action == XFRM_POLICY_ALLOW) {
-               struct sec_path *sp;
                static struct sec_path dummy;
                struct xfrm_tmpl *tp[XFRM_MAX_DEPTH];
                struct xfrm_tmpl *stp[XFRM_MAX_DEPTH];
@@ -3396,7 +3398,8 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
                int ti = 0;
                int i, k;
 
-               if ((sp = skb->sp) == NULL)
+               sp = skb_sec_path(skb);
+               if (!sp)
                        sp = &dummy;
 
                for (pi = 0; pi < npols; pi++) {

diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 91dc3783ed944470fecd8f626b2077113d82b2f0..bd7d18bdb147a8cad2003a41db60a94a19444fb4 100644 (file)
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -230,7 +230,7 @@ static int selinux_xfrm_skb_sid_ingress(struct sk_buff *skb,
                                        u32 *sid, int ckall)
 {
        u32 sid_session = SECSID_NULL;
-       struct sec_path *sp = skb->sp;
+       struct sec_path *sp = skb_sec_path(skb);
 
        if (sp) {
                int i;
@@ -408,7 +408,7 @@ int selinux_xfrm_sock_rcv_skb(u32 sk_sid, struct sk_buff *skb,
                              struct common_audit_data *ad)
 {
        int i;
-       struct sec_path *sp = skb->sp;
+       struct sec_path *sp = skb_sec_path(skb);
        u32 peer_sid = SECINITSID_UNLABELED;
 
        if (sp) {