xfrm: force a garbage collection after deleting a policy

In some cases after deleting a policy from the SPD the policy would remain in the dst/flow/route cache for an extended period of time which caused problems for SELinux as its dynamic network access controls key off of the number of XFRM policy and state entries. This patch corrects this problem by forcing a XFRM garbage collection whenever a policy is sucessfully removed. Reported-by: Ondrej Moris <omoris@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>

xfrm: force a garbage collection after deleting a policy
In some cases after deleting a policy from the SPD the policy would remain in the dst/flow/route cache for an extended period of time which caused problems for SELinux as its dynamic network access controls key off of the number of XFRM policy and state entries. This patch corrects this problem by forcing a XFRM garbage collection whenever a policy is sucessfully removed. Reported-by: Ondrej Moris <omoris@redhat.com> Signed-off-by: Paul Moore <pmoore@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Moore · David S. Miller
1 parent 1e2bd517c1
Showing 4 changed files with 13 additions and 1 deletions Side-by-side Diff
include/net/xfrm.h
net/key/af_key.c
net/xfrm/xfrm_policy.c
net/xfrm/xfrm_user.c
@@ -1160,6 +1160,8 @@
 	}
 }
  
+extern void xfrm_garbage_collect(struct net *net);
+
 #else
  
 static inline void xfrm_sk_free_policy(struct sock *sk) {}
@@ -1193,6 +1195,9 @@
 					     struct sk_buff *skb)
 {
 	return 1;
+}
+static inline void xfrm_garbage_collect(struct net *net)
+{
 }
 #endif
  
@@ -2366,6 +2366,8 @@
  
 out:
 	xfrm_pol_put(xp);
+	if (err == 0)
+		xfrm_garbage_collect(net);
 	return err;
 }
  
@@ -2615,6 +2617,8 @@
  
 out:
 	xfrm_pol_put(xp);
+	if (delete && err == 0)
+		xfrm_garbage_collect(net);
 	return err;
 }
  
@@ -2557,11 +2557,12 @@
 	}
 }
  
-static void xfrm_garbage_collect(struct net *net)
+void xfrm_garbage_collect(struct net *net)
 {
 	flow_cache_flush();
 	__xfrm_garbage_collect(net);
 }
+EXPORT_SYMBOL(xfrm_garbage_collect);
  
 static void xfrm_garbage_collect_deferred(struct net *net)
 {
@@ -1681,6 +1681,8 @@
  
 out:
 	xfrm_pol_put(xp);
+	if (delete && err == 0)
+		xfrm_garbage_collect(net);
 	return err;
 }
...	...	@@ -1160,6 +1160,8 @@
1160	1160	}
1161	1161	}
1162	1162
	1163	+extern void xfrm_garbage_collect(struct net *net);
	1164	+
1163	1165	#else
1164	1166
1165	1167	static inline void xfrm_sk_free_policy(struct sock *sk) {}
...	...	@@ -1193,6 +1195,9 @@
1193	1195	struct sk_buff *skb)
1194	1196	{
1195	1197	return 1;
	1198	+}
	1199	+static inline void xfrm_garbage_collect(struct net *net)
	1200	+{
1196	1201	}
1197	1202	#endif
1198	1203
...	...	@@ -2366,6 +2366,8 @@
2366	2366
2367	2367	out:
2368	2368	xfrm_pol_put(xp);
	2369	+ if (err == 0)
	2370	+ xfrm_garbage_collect(net);
2369	2371	return err;
2370	2372	}
2371	2373
...	...	@@ -2615,6 +2617,8 @@
2615	2617
2616	2618	out:
2617	2619	xfrm_pol_put(xp);
	2620	+ if (delete && err == 0)
	2621	+ xfrm_garbage_collect(net);
2618	2622	return err;
2619	2623	}
2620	2624
...	...	@@ -2557,11 +2557,12 @@
2557	2557	}
2558	2558	}
2559	2559
2560		-static void xfrm_garbage_collect(struct net *net)
	2560	+void xfrm_garbage_collect(struct net *net)
2561	2561	{
2562	2562	flow_cache_flush();
2563	2563	__xfrm_garbage_collect(net);
2564	2564	}
	2565	+EXPORT_SYMBOL(xfrm_garbage_collect);
2565	2566
2566	2567	static void xfrm_garbage_collect_deferred(struct net *net)
2567	2568	{
...	...	@@ -1681,6 +1681,8 @@
1681	1681
1682	1682	out:
1683	1683	xfrm_pol_put(xp);
	1684	+ if (delete && err == 0)
	1685	+ xfrm_garbage_collect(net);
1684	1686	return err;
1685	1687	}
1686	1688