// SPDX-License-Identifier: GPL-2.0-only

  /*

   * xfrm_policy.c
   *
   * Changes:
   *	Mitsuru KANDA @USAGI
   * 	Kazunori MIYAZAWA @USAGI
   * 	Kunihiro Ishiguro <kunihiro@ipinfusion.com>
   * 		IPv6 support
   * 	Kazunori MIYAZAWA @USAGI
   * 	YOSHIFUJI Hideaki
   * 		Split up af-specific portion
   *	Derek Atkins <derek@ihtfp.com>		Add the post_input processor

   *

   */

  #include <linux/err.h>

  #include <linux/slab.h>
  #include <linux/kmod.h>
  #include <linux/list.h>
  #include <linux/spinlock.h>
  #include <linux/workqueue.h>
  #include <linux/notifier.h>
  #include <linux/netdevice.h>

  #include <linux/netfilter.h>

  #include <linux/module.h>

  #include <linux/cache.h>

  #include <linux/cpu.h>

  #include <linux/audit.h>

  #include <linux/rhashtable.h>

  #include <linux/if_tunnel.h>

  #include <net/dst.h>

  #include <net/flow.h>

  #include <net/xfrm.h>
  #include <net/ip.h>

  #if IS_ENABLED(CONFIG_IPV6_MIP6)
  #include <net/mip6.h>
  #endif

  #ifdef CONFIG_XFRM_STATISTICS
  #include <net/snmp.h>
  #endif

  #ifdef CONFIG_XFRM_ESPINTCP

  #include <net/espintcp.h>
  #endif

  #include "xfrm_hash.h"

  #define XFRM_QUEUE_TMO_MIN ((unsigned)(HZ/10))
  #define XFRM_QUEUE_TMO_MAX ((unsigned)(60*HZ))
  #define XFRM_MAX_QUEUE_LEN	100

  struct xfrm_flo {
  	struct dst_entry *dst_orig;
  	u8 flags;
  };

  /* prefixes smaller than this are stored in lists, not trees. */
  #define INEXACT_PREFIXLEN_IPV4	16
  #define INEXACT_PREFIXLEN_IPV6	48

  
  struct xfrm_pol_inexact_node {
  	struct rb_node node;
  	union {
  		xfrm_address_t addr;
  		struct rcu_head rcu;
  	};
  	u8 prefixlen;

  	struct rb_root root;

  	/* the policies matching this node, can be empty list */
  	struct hlist_head hhead;
  };
  
  /* xfrm inexact policy search tree:
   * xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
   *  |
   * +---- root_d: sorted by daddr:prefix
   * |                 |
   * |        xfrm_pol_inexact_node
   * |                 |

   * |                 +- root: sorted by saddr/prefix
   * |                 |              |
   * |                 |         xfrm_pol_inexact_node
   * |                 |              |
   * |                 |              + root: unused
   * |                 |              |
   * |                 |              + hhead: saddr:daddr policies
   * |                 |

   * |                 +- coarse policies and all any:daddr policies
   * |

   * +---- root_s: sorted by saddr:prefix
   * |                 |
   * |        xfrm_pol_inexact_node
   * |                 |
   * |                 + root: unused
   * |                 |
   * |                 + hhead: saddr:any policies
   * |

   * +---- coarse policies and all any:any policies
   *

   * Lookups return four candidate lists:

   * 1. any:any list from top-level xfrm_pol_inexact_bin
   * 2. any:daddr list from daddr tree

   * 3. saddr:daddr list from 2nd level daddr tree
   * 4. saddr:any list from saddr tree

   *
   * This result set then needs to be searched for the policy with
   * the lowest priority.  If two results have same prio, youngest one wins.
   */

  struct xfrm_pol_inexact_key {
  	possible_net_t net;

  	u32 if_id;

  	u16 family;
  	u8 dir, type;
  };
  
  struct xfrm_pol_inexact_bin {
  	struct xfrm_pol_inexact_key k;
  	struct rhash_head head;

  	/* list containing '*:*' policies */

  	struct hlist_head hhead;

  	seqcount_spinlock_t count;

  	/* tree sorted by daddr/prefix */
  	struct rb_root root_d;

  	/* tree sorted by saddr/prefix */
  	struct rb_root root_s;

  	/* slow path below */
  	struct list_head inexact_bins;
  	struct rcu_head rcu;
  };

  enum xfrm_pol_inexact_candidate_type {

  	XFRM_POL_CAND_BOTH,

  	XFRM_POL_CAND_SADDR,

  	XFRM_POL_CAND_DADDR,

  	XFRM_POL_CAND_ANY,
  
  	XFRM_POL_CAND_MAX,
  };
  
  struct xfrm_pol_inexact_candidates {
  	struct hlist_head *res[XFRM_POL_CAND_MAX];
  };

  static DEFINE_SPINLOCK(xfrm_if_cb_lock);
  static struct xfrm_if_cb const __rcu *xfrm_if_cb __read_mostly;

  static DEFINE_SPINLOCK(xfrm_policy_afinfo_lock);

  static struct xfrm_policy_afinfo const __rcu *xfrm_policy_afinfo[AF_INET6 + 1]

  						__read_mostly;

  static struct kmem_cache *xfrm_dst_cache __ro_after_init;

  static __read_mostly seqcount_mutex_t xfrm_policy_hash_generation;

  static struct rhashtable xfrm_policy_inexact_table;
  static const struct rhashtable_params xfrm_pol_inexact_params;

  static void xfrm_init_pmtu(struct xfrm_dst **bundle, int nr);

  static int stale_bundle(struct dst_entry *dst);

  static int xfrm_bundle_ok(struct xfrm_dst *xdst);

  static void xfrm_policy_queue_process(struct timer_list *t);

  static void __xfrm_policy_link(struct xfrm_policy *pol, int dir);

  static struct xfrm_policy *__xfrm_policy_unlink(struct xfrm_policy *pol,
  						int dir);

  static struct xfrm_pol_inexact_bin *

  xfrm_policy_inexact_lookup(struct net *net, u8 type, u16 family, u8 dir,
  			   u32 if_id);

  
  static struct xfrm_pol_inexact_bin *
  xfrm_policy_inexact_lookup_rcu(struct net *net,

  			       u8 type, u16 family, u8 dir, u32 if_id);

  static struct xfrm_policy *
  xfrm_policy_insert_list(struct hlist_head *chain, struct xfrm_policy *policy,
  			bool excl);
  static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
  					    struct xfrm_policy *policy);

  static bool
  xfrm_policy_find_inexact_candidates(struct xfrm_pol_inexact_candidates *cand,
  				    struct xfrm_pol_inexact_bin *b,
  				    const xfrm_address_t *saddr,
  				    const xfrm_address_t *daddr);

  static inline bool xfrm_pol_hold_rcu(struct xfrm_policy *policy)
  {

  	return refcount_inc_not_zero(&policy->refcnt);

  }

  static inline bool

  __xfrm4_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)

  {

  	const struct flowi4 *fl4 = &fl->u.ip4;

  	return  addr4_match(fl4->daddr, sel->daddr.a4, sel->prefixlen_d) &&
  		addr4_match(fl4->saddr, sel->saddr.a4, sel->prefixlen_s) &&

  		!((xfrm_flowi_dport(fl, &fl4->uli) ^ sel->dport) & sel->dport_mask) &&
  		!((xfrm_flowi_sport(fl, &fl4->uli) ^ sel->sport) & sel->sport_mask) &&
  		(fl4->flowi4_proto == sel->proto || !sel->proto) &&
  		(fl4->flowi4_oif == sel->ifindex || !sel->ifindex);

  }

  static inline bool

  __xfrm6_selector_match(const struct xfrm_selector *sel, const struct flowi *fl)

  {

  	const struct flowi6 *fl6 = &fl->u.ip6;
  
  	return  addr_match(&fl6->daddr, &sel->daddr, sel->prefixlen_d) &&
  		addr_match(&fl6->saddr, &sel->saddr, sel->prefixlen_s) &&
  		!((xfrm_flowi_dport(fl, &fl6->uli) ^ sel->dport) & sel->dport_mask) &&
  		!((xfrm_flowi_sport(fl, &fl6->uli) ^ sel->sport) & sel->sport_mask) &&
  		(fl6->flowi6_proto == sel->proto || !sel->proto) &&
  		(fl6->flowi6_oif == sel->ifindex || !sel->ifindex);

  }

  bool xfrm_selector_match(const struct xfrm_selector *sel, const struct flowi *fl,
  			 unsigned short family)

  {
  	switch (family) {
  	case AF_INET:
  		return __xfrm4_selector_match(sel, fl);
  	case AF_INET6:
  		return __xfrm6_selector_match(sel, fl);
  	}

  	return false;

  }

  static const struct xfrm_policy_afinfo *xfrm_policy_get_afinfo(unsigned short family)

  {

  	const struct xfrm_policy_afinfo *afinfo;

  	if (unlikely(family >= ARRAY_SIZE(xfrm_policy_afinfo)))

  		return NULL;
  	rcu_read_lock();
  	afinfo = rcu_dereference(xfrm_policy_afinfo[family]);
  	if (unlikely(!afinfo))
  		rcu_read_unlock();
  	return afinfo;
  }

  /* Called with rcu_read_lock(). */
  static const struct xfrm_if_cb *xfrm_if_get_cb(void)
  {
  	return rcu_dereference(xfrm_if_cb);
  }

  struct dst_entry *__xfrm_dst_lookup(struct net *net, int tos, int oif,
  				    const xfrm_address_t *saddr,
  				    const xfrm_address_t *daddr,

  				    int family, u32 mark)

  {

  	const struct xfrm_policy_afinfo *afinfo;

  	struct dst_entry *dst;
  
  	afinfo = xfrm_policy_get_afinfo(family);
  	if (unlikely(afinfo == NULL))
  		return ERR_PTR(-EAFNOSUPPORT);

  	dst = afinfo->dst_lookup(net, tos, oif, saddr, daddr, mark);

  	rcu_read_unlock();

  
  	return dst;
  }

  EXPORT_SYMBOL(__xfrm_dst_lookup);

  static inline struct dst_entry *xfrm_dst_lookup(struct xfrm_state *x,
  						int tos, int oif,

  						xfrm_address_t *prev_saddr,
  						xfrm_address_t *prev_daddr,

  						int family, u32 mark)

  {

  	struct net *net = xs_net(x);

  	xfrm_address_t *saddr = &x->props.saddr;
  	xfrm_address_t *daddr = &x->id.daddr;

  	struct dst_entry *dst;

  	if (x->type->flags & XFRM_TYPE_LOCAL_COADDR) {

  		saddr = x->coaddr;

  		daddr = prev_daddr;
  	}
  	if (x->type->flags & XFRM_TYPE_REMOTE_COADDR) {
  		saddr = prev_saddr;

  		daddr = x->coaddr;

  	}

  	dst = __xfrm_dst_lookup(net, tos, oif, saddr, daddr, family, mark);

  
  	if (!IS_ERR(dst)) {
  		if (prev_saddr != saddr)
  			memcpy(prev_saddr, saddr,  sizeof(*prev_saddr));
  		if (prev_daddr != daddr)
  			memcpy(prev_daddr, daddr,  sizeof(*prev_daddr));
  	}

  	return dst;

  }

  static inline unsigned long make_jiffies(long secs)
  {
  	if (secs >= (MAX_SCHEDULE_TIMEOUT-1)/HZ)
  		return MAX_SCHEDULE_TIMEOUT-1;
  	else

  		return secs*HZ;

  }

  static void xfrm_policy_timer(struct timer_list *t)

  {

  	struct xfrm_policy *xp = from_timer(xp, t, timer);

  	time64_t now = ktime_get_real_seconds();
  	time64_t next = TIME64_MAX;

  	int warn = 0;
  	int dir;
  
  	read_lock(&xp->lock);

  	if (unlikely(xp->walk.dead))

  		goto out;

  	dir = xfrm_policy_id2dir(xp->index);

  
  	if (xp->lft.hard_add_expires_seconds) {

  		time64_t tmo = xp->lft.hard_add_expires_seconds +

  			xp->curlft.add_time - now;
  		if (tmo <= 0)
  			goto expired;
  		if (tmo < next)
  			next = tmo;
  	}
  	if (xp->lft.hard_use_expires_seconds) {

  		time64_t tmo = xp->lft.hard_use_expires_seconds +

  			(xp->curlft.use_time ? : xp->curlft.add_time) - now;
  		if (tmo <= 0)
  			goto expired;
  		if (tmo < next)
  			next = tmo;
  	}
  	if (xp->lft.soft_add_expires_seconds) {

  		time64_t tmo = xp->lft.soft_add_expires_seconds +

  			xp->curlft.add_time - now;
  		if (tmo <= 0) {
  			warn = 1;
  			tmo = XFRM_KM_TIMEOUT;
  		}
  		if (tmo < next)
  			next = tmo;
  	}
  	if (xp->lft.soft_use_expires_seconds) {

  		time64_t tmo = xp->lft.soft_use_expires_seconds +

  			(xp->curlft.use_time ? : xp->curlft.add_time) - now;
  		if (tmo <= 0) {
  			warn = 1;
  			tmo = XFRM_KM_TIMEOUT;
  		}
  		if (tmo < next)
  			next = tmo;
  	}
  
  	if (warn)

  		km_policy_expired(xp, dir, 0, 0);

  	if (next != TIME64_MAX &&

  	    !mod_timer(&xp->timer, jiffies + make_jiffies(next)))
  		xfrm_pol_hold(xp);
  
  out:
  	read_unlock(&xp->lock);
  	xfrm_pol_put(xp);
  	return;
  
  expired:
  	read_unlock(&xp->lock);

  	if (!xfrm_policy_delete(xp, dir))

  		km_policy_expired(xp, dir, 1, 0);

  	xfrm_pol_put(xp);
  }

  /* Allocate xfrm_policy. Not used here, it is supposed to be used by pfkeyv2
   * SPD calls.
   */

  struct xfrm_policy *xfrm_policy_alloc(struct net *net, gfp_t gfp)

  {
  	struct xfrm_policy *policy;

  	policy = kzalloc(sizeof(struct xfrm_policy), gfp);

  
  	if (policy) {

  		write_pnet(&policy->xp_net, net);

  		INIT_LIST_HEAD(&policy->walk.all);

  		INIT_HLIST_NODE(&policy->bydst_inexact_list);

  		INIT_HLIST_NODE(&policy->bydst);
  		INIT_HLIST_NODE(&policy->byidx);

  		rwlock_init(&policy->lock);

  		refcount_set(&policy->refcnt, 1);

  		skb_queue_head_init(&policy->polq.hold_queue);

  		timer_setup(&policy->timer, xfrm_policy_timer, 0);
  		timer_setup(&policy->polq.hold_timer,
  			    xfrm_policy_queue_process, 0);

  	}
  	return policy;
  }
  EXPORT_SYMBOL(xfrm_policy_alloc);

  static void xfrm_policy_destroy_rcu(struct rcu_head *head)
  {
  	struct xfrm_policy *policy = container_of(head, struct xfrm_policy, rcu);
  
  	security_xfrm_policy_free(policy->security);
  	kfree(policy);
  }

  /* Destroy xfrm_policy: descendant resources must be released to this moment. */

  void xfrm_policy_destroy(struct xfrm_policy *policy)

  {

  	BUG_ON(!policy->walk.dead);

  	if (del_timer(&policy->timer) || del_timer(&policy->polq.hold_timer))

  		BUG();

  	call_rcu(&policy->rcu, xfrm_policy_destroy_rcu);

  }

  EXPORT_SYMBOL(xfrm_policy_destroy);

  /* Rule must be locked. Release descendant resources, announce

   * entry dead. The rule must be unlinked from lists to the moment.
   */
  
  static void xfrm_policy_kill(struct xfrm_policy *policy)
  {

  	write_lock_bh(&policy->lock);

  	policy->walk.dead = 1;

  	write_unlock_bh(&policy->lock);

  	atomic_inc(&policy->genid);

  	if (del_timer(&policy->polq.hold_timer))
  		xfrm_pol_put(policy);

  	skb_queue_purge(&policy->polq.hold_queue);

  	if (del_timer(&policy->timer))
  		xfrm_pol_put(policy);
  
  	xfrm_pol_put(policy);

  }

  static unsigned int xfrm_policy_hashmax __read_mostly = 1 * 1024 * 1024;

  static inline unsigned int idx_hash(struct net *net, u32 index)

  {

  	return __idx_hash(index, net->xfrm.policy_idx_hmask);

  }

  /* calculate policy hash thresholds */
  static void __get_hash_thresh(struct net *net,
  			      unsigned short family, int dir,
  			      u8 *dbits, u8 *sbits)
  {
  	switch (family) {
  	case AF_INET:
  		*dbits = net->xfrm.policy_bydst[dir].dbits4;
  		*sbits = net->xfrm.policy_bydst[dir].sbits4;
  		break;
  
  	case AF_INET6:
  		*dbits = net->xfrm.policy_bydst[dir].dbits6;
  		*sbits = net->xfrm.policy_bydst[dir].sbits6;
  		break;
  
  	default:
  		*dbits = 0;
  		*sbits = 0;
  	}
  }

  static struct hlist_head *policy_hash_bysel(struct net *net,
  					    const struct xfrm_selector *sel,
  					    unsigned short family, int dir)

  {

  	unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;

  	unsigned int hash;
  	u8 dbits;
  	u8 sbits;
  
  	__get_hash_thresh(net, family, dir, &dbits, &sbits);
  	hash = __sel_hash(sel, family, hmask, dbits, sbits);

  	if (hash == hmask + 1)

  		return NULL;

  
  	return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
  		     lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;

  }

  static struct hlist_head *policy_hash_direct(struct net *net,
  					     const xfrm_address_t *daddr,
  					     const xfrm_address_t *saddr,
  					     unsigned short family, int dir)

  {

  	unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;

  	unsigned int hash;
  	u8 dbits;
  	u8 sbits;
  
  	__get_hash_thresh(net, family, dir, &dbits, &sbits);
  	hash = __addr_hash(daddr, saddr, family, hmask, dbits, sbits);

  	return rcu_dereference_check(net->xfrm.policy_bydst[dir].table,
  		     lockdep_is_held(&net->xfrm.xfrm_policy_lock)) + hash;

  }

  static void xfrm_dst_hash_transfer(struct net *net,
  				   struct hlist_head *list,

  				   struct hlist_head *ndsttable,

  				   unsigned int nhashmask,
  				   int dir)

  {

  	struct hlist_node *tmp, *entry0 = NULL;

  	struct xfrm_policy *pol;

  	unsigned int h0 = 0;

  	u8 dbits;
  	u8 sbits;

  redo:

  	hlist_for_each_entry_safe(pol, tmp, list, bydst) {

  		unsigned int h;

  		__get_hash_thresh(net, pol->family, dir, &dbits, &sbits);

  		h = __addr_hash(&pol->selector.daddr, &pol->selector.saddr,

  				pol->family, nhashmask, dbits, sbits);

  		if (!entry0) {

  			hlist_del_rcu(&pol->bydst);
  			hlist_add_head_rcu(&pol->bydst, ndsttable + h);

  			h0 = h;
  		} else {
  			if (h != h0)
  				continue;

  			hlist_del_rcu(&pol->bydst);
  			hlist_add_behind_rcu(&pol->bydst, entry0);

  		}

  		entry0 = &pol->bydst;

  	}
  	if (!hlist_empty(list)) {
  		entry0 = NULL;
  		goto redo;

  	}
  }
  
  static void xfrm_idx_hash_transfer(struct hlist_head *list,
  				   struct hlist_head *nidxtable,
  				   unsigned int nhashmask)
  {

  	struct hlist_node *tmp;

  	struct xfrm_policy *pol;

  	hlist_for_each_entry_safe(pol, tmp, list, byidx) {

  		unsigned int h;
  
  		h = __idx_hash(pol->index, nhashmask);
  		hlist_add_head(&pol->byidx, nidxtable+h);
  	}
  }
  
  static unsigned long xfrm_new_hash_mask(unsigned int old_hmask)
  {
  	return ((old_hmask + 1) << 1) - 1;
  }

  static void xfrm_bydst_resize(struct net *net, int dir)

  {

  	unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;

  	unsigned int nhashmask = xfrm_new_hash_mask(hmask);
  	unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);

  	struct hlist_head *ndst = xfrm_hash_alloc(nsize);

  	struct hlist_head *odst;

  	int i;
  
  	if (!ndst)
  		return;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	write_seqcount_begin(&xfrm_policy_hash_generation);
  
  	odst = rcu_dereference_protected(net->xfrm.policy_bydst[dir].table,
  				lockdep_is_held(&net->xfrm.xfrm_policy_lock));

  
  	for (i = hmask; i >= 0; i--)

  		xfrm_dst_hash_transfer(net, odst + i, ndst, nhashmask, dir);

  	rcu_assign_pointer(net->xfrm.policy_bydst[dir].table, ndst);

  	net->xfrm.policy_bydst[dir].hmask = nhashmask;

  	write_seqcount_end(&xfrm_policy_hash_generation);

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	synchronize_rcu();

  	xfrm_hash_free(odst, (hmask + 1) * sizeof(struct hlist_head));

  }

  static void xfrm_byidx_resize(struct net *net, int total)

  {

  	unsigned int hmask = net->xfrm.policy_idx_hmask;

  	unsigned int nhashmask = xfrm_new_hash_mask(hmask);
  	unsigned int nsize = (nhashmask + 1) * sizeof(struct hlist_head);

  	struct hlist_head *oidx = net->xfrm.policy_byidx;

  	struct hlist_head *nidx = xfrm_hash_alloc(nsize);

  	int i;
  
  	if (!nidx)
  		return;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  
  	for (i = hmask; i >= 0; i--)
  		xfrm_idx_hash_transfer(oidx + i, nidx, nhashmask);

  	net->xfrm.policy_byidx = nidx;
  	net->xfrm.policy_idx_hmask = nhashmask;

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	xfrm_hash_free(oidx, (hmask + 1) * sizeof(struct hlist_head));

  }

  static inline int xfrm_bydst_should_resize(struct net *net, int dir, int *total)

  {

  	unsigned int cnt = net->xfrm.policy_count[dir];
  	unsigned int hmask = net->xfrm.policy_bydst[dir].hmask;

  
  	if (total)
  		*total += cnt;
  
  	if ((hmask + 1) < xfrm_policy_hashmax &&
  	    cnt > hmask)
  		return 1;
  
  	return 0;
  }

  static inline int xfrm_byidx_should_resize(struct net *net, int total)

  {

  	unsigned int hmask = net->xfrm.policy_idx_hmask;

  
  	if ((hmask + 1) < xfrm_policy_hashmax &&
  	    total > hmask)
  		return 1;
  
  	return 0;
  }

  void xfrm_spd_getinfo(struct net *net, struct xfrmk_spdinfo *si)

  {

  	si->incnt = net->xfrm.policy_count[XFRM_POLICY_IN];
  	si->outcnt = net->xfrm.policy_count[XFRM_POLICY_OUT];
  	si->fwdcnt = net->xfrm.policy_count[XFRM_POLICY_FWD];
  	si->inscnt = net->xfrm.policy_count[XFRM_POLICY_IN+XFRM_POLICY_MAX];
  	si->outscnt = net->xfrm.policy_count[XFRM_POLICY_OUT+XFRM_POLICY_MAX];
  	si->fwdscnt = net->xfrm.policy_count[XFRM_POLICY_FWD+XFRM_POLICY_MAX];
  	si->spdhcnt = net->xfrm.policy_idx_hmask;

  	si->spdhmcnt = xfrm_policy_hashmax;

  }
  EXPORT_SYMBOL(xfrm_spd_getinfo);

  static DEFINE_MUTEX(hash_resize_mutex);

  static void xfrm_hash_resize(struct work_struct *work)

  {

  	struct net *net = container_of(work, struct net, xfrm.policy_hash_work);

  	int dir, total;
  
  	mutex_lock(&hash_resize_mutex);
  
  	total = 0;

  	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {

  		if (xfrm_bydst_should_resize(net, dir, &total))
  			xfrm_bydst_resize(net, dir);

  	}

  	if (xfrm_byidx_should_resize(net, total))
  		xfrm_byidx_resize(net, total);

  
  	mutex_unlock(&hash_resize_mutex);
  }

  /* Make sure *pol can be inserted into fastbin.
   * Useful to check that later insert requests will be sucessful
   * (provided xfrm_policy_lock is held throughout).
   */
  static struct xfrm_pol_inexact_bin *
  xfrm_policy_inexact_alloc_bin(const struct xfrm_policy *pol, u8 dir)
  {
  	struct xfrm_pol_inexact_bin *bin, *prev;
  	struct xfrm_pol_inexact_key k = {
  		.family = pol->family,
  		.type = pol->type,
  		.dir = dir,

  		.if_id = pol->if_id,

  	};
  	struct net *net = xp_net(pol);
  
  	lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
  
  	write_pnet(&k.net, net);
  	bin = rhashtable_lookup_fast(&xfrm_policy_inexact_table, &k,
  				     xfrm_pol_inexact_params);
  	if (bin)
  		return bin;
  
  	bin = kzalloc(sizeof(*bin), GFP_ATOMIC);
  	if (!bin)
  		return NULL;
  
  	bin->k = k;
  	INIT_HLIST_HEAD(&bin->hhead);

  	bin->root_d = RB_ROOT;

  	bin->root_s = RB_ROOT;

  	seqcount_spinlock_init(&bin->count, &net->xfrm.xfrm_policy_lock);

  
  	prev = rhashtable_lookup_get_insert_key(&xfrm_policy_inexact_table,
  						&bin->k, &bin->head,
  						xfrm_pol_inexact_params);
  	if (!prev) {
  		list_add(&bin->inexact_bins, &net->xfrm.inexact_bins);
  		return bin;
  	}
  
  	kfree(bin);
  
  	return IS_ERR(prev) ? NULL : prev;
  }

  static bool xfrm_pol_inexact_addr_use_any_list(const xfrm_address_t *addr,
  					       int family, u8 prefixlen)

  {

  	if (xfrm_addr_any(addr, family))
  		return true;
  
  	if (family == AF_INET6 && prefixlen < INEXACT_PREFIXLEN_IPV6)
  		return true;
  
  	if (family == AF_INET && prefixlen < INEXACT_PREFIXLEN_IPV4)
  		return true;
  
  	return false;
  }
  
  static bool
  xfrm_policy_inexact_insert_use_any_list(const struct xfrm_policy *policy)
  {
  	const xfrm_address_t *addr;
  	bool saddr_any, daddr_any;
  	u8 prefixlen;
  
  	addr = &policy->selector.saddr;
  	prefixlen = policy->selector.prefixlen_s;

  	saddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
  						       policy->family,
  						       prefixlen);
  	addr = &policy->selector.daddr;
  	prefixlen = policy->selector.prefixlen_d;
  	daddr_any = xfrm_pol_inexact_addr_use_any_list(addr,
  						       policy->family,
  						       prefixlen);
  	return saddr_any && daddr_any;
  }

  static void xfrm_pol_inexact_node_init(struct xfrm_pol_inexact_node *node,
  				       const xfrm_address_t *addr, u8 prefixlen)
  {
  	node->addr = *addr;
  	node->prefixlen = prefixlen;
  }
  
  static struct xfrm_pol_inexact_node *
  xfrm_pol_inexact_node_alloc(const xfrm_address_t *addr, u8 prefixlen)
  {
  	struct xfrm_pol_inexact_node *node;
  
  	node = kzalloc(sizeof(*node), GFP_ATOMIC);
  	if (node)
  		xfrm_pol_inexact_node_init(node, addr, prefixlen);
  
  	return node;
  }
  
  static int xfrm_policy_addr_delta(const xfrm_address_t *a,
  				  const xfrm_address_t *b,
  				  u8 prefixlen, u16 family)
  {
  	unsigned int pdw, pbi;
  	int delta = 0;
  
  	switch (family) {
  	case AF_INET:
  		if (sizeof(long) == 4 && prefixlen == 0)
  			return ntohl(a->a4) - ntohl(b->a4);
  		return (ntohl(a->a4) & ((~0UL << (32 - prefixlen)))) -
  		       (ntohl(b->a4) & ((~0UL << (32 - prefixlen))));
  	case AF_INET6:
  		pdw = prefixlen >> 5;
  		pbi = prefixlen & 0x1f;
  
  		if (pdw) {
  			delta = memcmp(a->a6, b->a6, pdw << 2);
  			if (delta)
  				return delta;
  		}
  		if (pbi) {
  			u32 mask = ~0u << (32 - pbi);
  
  			delta = (ntohl(a->a6[pdw]) & mask) -
  				(ntohl(b->a6[pdw]) & mask);
  		}
  		break;
  	default:
  		break;
  	}
  
  	return delta;
  }
  
  static void xfrm_policy_inexact_list_reinsert(struct net *net,
  					      struct xfrm_pol_inexact_node *n,
  					      u16 family)
  {

  	unsigned int matched_s, matched_d;

  	struct xfrm_policy *policy, *p;

  	matched_s = 0;
  	matched_d = 0;

  	list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {

  		struct hlist_node *newpos = NULL;

  		bool matches_s, matches_d;

  		if (!policy->bydst_reinsert)
  			continue;
  
  		WARN_ON_ONCE(policy->family != family);
  
  		policy->bydst_reinsert = false;
  		hlist_for_each_entry(p, &n->hhead, bydst) {

  			if (policy->priority > p->priority)
  				newpos = &p->bydst;
  			else if (policy->priority == p->priority &&
  				 policy->pos > p->pos)

  				newpos = &p->bydst;
  			else
  				break;
  		}
  
  		if (newpos)

  			hlist_add_behind_rcu(&policy->bydst, newpos);

  		else

  			hlist_add_head_rcu(&policy->bydst, &n->hhead);

  
  		/* paranoia checks follow.
  		 * Check that the reinserted policy matches at least
  		 * saddr or daddr for current node prefix.
  		 *
  		 * Matching both is fine, matching saddr in one policy
  		 * (but not daddr) and then matching only daddr in another
  		 * is a bug.
  		 */
  		matches_s = xfrm_policy_addr_delta(&policy->selector.saddr,
  						   &n->addr,
  						   n->prefixlen,
  						   family) == 0;
  		matches_d = xfrm_policy_addr_delta(&policy->selector.daddr,
  						   &n->addr,
  						   n->prefixlen,
  						   family) == 0;
  		if (matches_s && matches_d)
  			continue;
  
  		WARN_ON_ONCE(!matches_s && !matches_d);
  		if (matches_s)
  			matched_s++;
  		if (matches_d)
  			matched_d++;
  		WARN_ON_ONCE(matched_s && matched_d);

  	}
  }

  static void xfrm_policy_inexact_node_reinsert(struct net *net,
  					      struct xfrm_pol_inexact_node *n,
  					      struct rb_root *new,
  					      u16 family)
  {

  	struct xfrm_pol_inexact_node *node;

  	struct rb_node **p, *parent;

  
  	/* we should not have another subtree here */
  	WARN_ON_ONCE(!RB_EMPTY_ROOT(&n->root));

  restart:
  	parent = NULL;

  	p = &new->rb_node;
  	while (*p) {
  		u8 prefixlen;
  		int delta;
  
  		parent = *p;
  		node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
  
  		prefixlen = min(node->prefixlen, n->prefixlen);
  
  		delta = xfrm_policy_addr_delta(&n->addr, &node->addr,
  					       prefixlen, family);
  		if (delta < 0) {
  			p = &parent->rb_left;
  		} else if (delta > 0) {
  			p = &parent->rb_right;
  		} else {

  			bool same_prefixlen = node->prefixlen == n->prefixlen;

  			struct xfrm_policy *tmp;

  			hlist_for_each_entry(tmp, &n->hhead, bydst) {

  				tmp->bydst_reinsert = true;

  				hlist_del_rcu(&tmp->bydst);
  			}

  			node->prefixlen = prefixlen;

  			xfrm_policy_inexact_list_reinsert(net, node, family);

  			if (same_prefixlen) {

  				kfree_rcu(n, rcu);
  				return;
  			}
  
  			rb_erase(*p, new);
  			kfree_rcu(n, rcu);
  			n = node;

  			goto restart;

  		}
  	}
  
  	rb_link_node_rcu(&n->node, parent, p);
  	rb_insert_color(&n->node, new);
  }

  /* merge nodes v and n */
  static void xfrm_policy_inexact_node_merge(struct net *net,
  					   struct xfrm_pol_inexact_node *v,
  					   struct xfrm_pol_inexact_node *n,
  					   u16 family)
  {

  	struct xfrm_pol_inexact_node *node;

  	struct xfrm_policy *tmp;

  	struct rb_node *rnode;
  
  	/* To-be-merged node v has a subtree.
  	 *
  	 * Dismantle it and insert its nodes to n->root.
  	 */
  	while ((rnode = rb_first(&v->root)) != NULL) {
  		node = rb_entry(rnode, struct xfrm_pol_inexact_node, node);
  		rb_erase(&node->node, &v->root);
  		xfrm_policy_inexact_node_reinsert(net, node, &n->root,
  						  family);
  	}

  	hlist_for_each_entry(tmp, &v->hhead, bydst) {

  		tmp->bydst_reinsert = true;

  		hlist_del_rcu(&tmp->bydst);
  	}

  	xfrm_policy_inexact_list_reinsert(net, n, family);
  }
  
  static struct xfrm_pol_inexact_node *
  xfrm_policy_inexact_insert_node(struct net *net,
  				struct rb_root *root,
  				xfrm_address_t *addr,
  				u16 family, u8 prefixlen, u8 dir)
  {
  	struct xfrm_pol_inexact_node *cached = NULL;
  	struct rb_node **p, *parent = NULL;
  	struct xfrm_pol_inexact_node *node;
  
  	p = &root->rb_node;
  	while (*p) {
  		int delta;
  
  		parent = *p;
  		node = rb_entry(*p, struct xfrm_pol_inexact_node, node);
  
  		delta = xfrm_policy_addr_delta(addr, &node->addr,
  					       node->prefixlen,
  					       family);
  		if (delta == 0 && prefixlen >= node->prefixlen) {
  			WARN_ON_ONCE(cached); /* ipsec policies got lost */
  			return node;
  		}
  
  		if (delta < 0)
  			p = &parent->rb_left;
  		else
  			p = &parent->rb_right;
  
  		if (prefixlen < node->prefixlen) {
  			delta = xfrm_policy_addr_delta(addr, &node->addr,
  						       prefixlen,
  						       family);
  			if (delta)
  				continue;
  
  			/* This node is a subnet of the new prefix. It needs
  			 * to be removed and re-inserted with the smaller
  			 * prefix and all nodes that are now also covered
  			 * by the reduced prefixlen.
  			 */
  			rb_erase(&node->node, root);
  
  			if (!cached) {
  				xfrm_pol_inexact_node_init(node, addr,
  							   prefixlen);
  				cached = node;
  			} else {
  				/* This node also falls within the new
  				 * prefixlen. Merge the to-be-reinserted
  				 * node and this one.
  				 */
  				xfrm_policy_inexact_node_merge(net, node,
  							       cached, family);
  				kfree_rcu(node, rcu);
  			}
  
  			/* restart */
  			p = &root->rb_node;
  			parent = NULL;
  		}
  	}
  
  	node = cached;
  	if (!node) {
  		node = xfrm_pol_inexact_node_alloc(addr, prefixlen);
  		if (!node)
  			return NULL;
  	}
  
  	rb_link_node_rcu(&node->node, parent, p);
  	rb_insert_color(&node->node, root);
  
  	return node;
  }
  
  static void xfrm_policy_inexact_gc_tree(struct rb_root *r, bool rm)
  {
  	struct xfrm_pol_inexact_node *node;
  	struct rb_node *rn = rb_first(r);
  
  	while (rn) {
  		node = rb_entry(rn, struct xfrm_pol_inexact_node, node);

  		xfrm_policy_inexact_gc_tree(&node->root, rm);

  		rn = rb_next(rn);

  		if (!hlist_empty(&node->hhead) || !RB_EMPTY_ROOT(&node->root)) {

  			WARN_ON_ONCE(rm);
  			continue;
  		}
  
  		rb_erase(&node->node, r);
  		kfree_rcu(node, rcu);
  	}
  }

  static void __xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b, bool net_exit)
  {

  	write_seqcount_begin(&b->count);
  	xfrm_policy_inexact_gc_tree(&b->root_d, net_exit);

  	xfrm_policy_inexact_gc_tree(&b->root_s, net_exit);

  	write_seqcount_end(&b->count);

  	if (!RB_EMPTY_ROOT(&b->root_d) || !RB_EMPTY_ROOT(&b->root_s) ||

  	    !hlist_empty(&b->hhead)) {

  		WARN_ON_ONCE(net_exit);

  		return;

  	}

  
  	if (rhashtable_remove_fast(&xfrm_policy_inexact_table, &b->head,
  				   xfrm_pol_inexact_params) == 0) {
  		list_del(&b->inexact_bins);
  		kfree_rcu(b, rcu);
  	}
  }

  static void xfrm_policy_inexact_prune_bin(struct xfrm_pol_inexact_bin *b)
  {
  	struct net *net = read_pnet(&b->k.net);
  
  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
  	__xfrm_policy_inexact_prune_bin(b, false);
  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  }

  static void __xfrm_policy_inexact_flush(struct net *net)
  {

  	struct xfrm_pol_inexact_bin *bin, *t;

  
  	lockdep_assert_held(&net->xfrm.xfrm_policy_lock);

  	list_for_each_entry_safe(bin, t, &net->xfrm.inexact_bins, inexact_bins)
  		__xfrm_policy_inexact_prune_bin(bin, false);

  }

  static struct hlist_head *
  xfrm_policy_inexact_alloc_chain(struct xfrm_pol_inexact_bin *bin,
  				struct xfrm_policy *policy, u8 dir)
  {
  	struct xfrm_pol_inexact_node *n;
  	struct net *net;
  
  	net = xp_net(policy);
  	lockdep_assert_held(&net->xfrm.xfrm_policy_lock);
  
  	if (xfrm_policy_inexact_insert_use_any_list(policy))
  		return &bin->hhead;

  	if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.daddr,
  					       policy->family,
  					       policy->selector.prefixlen_d)) {
  		write_seqcount_begin(&bin->count);
  		n = xfrm_policy_inexact_insert_node(net,
  						    &bin->root_s,
  						    &policy->selector.saddr,
  						    policy->family,
  						    policy->selector.prefixlen_s,
  						    dir);
  		write_seqcount_end(&bin->count);
  		if (!n)
  			return NULL;
  
  		return &n->hhead;
  	}

  	/* daddr is fixed */
  	write_seqcount_begin(&bin->count);
  	n = xfrm_policy_inexact_insert_node(net,
  					    &bin->root_d,
  					    &policy->selector.daddr,
  					    policy->family,
  					    policy->selector.prefixlen_d, dir);
  	write_seqcount_end(&bin->count);
  	if (!n)
  		return NULL;

  
  	/* saddr is wildcard */
  	if (xfrm_pol_inexact_addr_use_any_list(&policy->selector.saddr,
  					       policy->family,
  					       policy->selector.prefixlen_s))
  		return &n->hhead;
  
  	write_seqcount_begin(&bin->count);
  	n = xfrm_policy_inexact_insert_node(net,
  					    &n->root,
  					    &policy->selector.saddr,
  					    policy->family,
  					    policy->selector.prefixlen_s, dir);
  	write_seqcount_end(&bin->count);
  	if (!n)
  		return NULL;

  	return &n->hhead;
  }

  static struct xfrm_policy *
  xfrm_policy_inexact_insert(struct xfrm_policy *policy, u8 dir, int excl)
  {
  	struct xfrm_pol_inexact_bin *bin;
  	struct xfrm_policy *delpol;
  	struct hlist_head *chain;
  	struct net *net;
  
  	bin = xfrm_policy_inexact_alloc_bin(policy, dir);
  	if (!bin)
  		return ERR_PTR(-ENOMEM);

  	net = xp_net(policy);
  	lockdep_assert_held(&net->xfrm.xfrm_policy_lock);

  	chain = xfrm_policy_inexact_alloc_chain(bin, policy, dir);
  	if (!chain) {
  		__xfrm_policy_inexact_prune_bin(bin, false);
  		return ERR_PTR(-ENOMEM);

  	}

  	delpol = xfrm_policy_insert_list(chain, policy, excl);
  	if (delpol && excl) {
  		__xfrm_policy_inexact_prune_bin(bin, false);

  		return ERR_PTR(-EEXIST);

  	}

  	chain = &net->xfrm.policy_inexact[dir];
  	xfrm_policy_insert_inexact_list(chain, policy);

  	if (delpol)
  		__xfrm_policy_inexact_prune_bin(bin, false);

  	return delpol;
  }

  static void xfrm_hash_rebuild(struct work_struct *work)
  {
  	struct net *net = container_of(work, struct net,
  				       xfrm.policy_hthresh.work);
  	unsigned int hmask;
  	struct xfrm_policy *pol;
  	struct xfrm_policy *policy;
  	struct hlist_head *chain;
  	struct hlist_head *odst;
  	struct hlist_node *newpos;
  	int i;
  	int dir;
  	unsigned seq;
  	u8 lbits4, rbits4, lbits6, rbits6;
  
  	mutex_lock(&hash_resize_mutex);
  
  	/* read selector prefixlen thresholds */
  	do {
  		seq = read_seqbegin(&net->xfrm.policy_hthresh.lock);
  
  		lbits4 = net->xfrm.policy_hthresh.lbits4;
  		rbits4 = net->xfrm.policy_hthresh.rbits4;
  		lbits6 = net->xfrm.policy_hthresh.lbits6;
  		rbits6 = net->xfrm.policy_hthresh.rbits6;
  	} while (read_seqretry(&net->xfrm.policy_hthresh.lock, seq));

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	write_seqcount_begin(&xfrm_policy_hash_generation);

  	/* make sure that we can insert the indirect policies again before
  	 * we start with destructive action.
  	 */
  	list_for_each_entry(policy, &net->xfrm.policy_all, walk.all) {

  		struct xfrm_pol_inexact_bin *bin;

  		u8 dbits, sbits;
  
  		dir = xfrm_policy_id2dir(policy->index);
  		if (policy->walk.dead || dir >= XFRM_POLICY_MAX)
  			continue;
  
  		if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
  			if (policy->family == AF_INET) {
  				dbits = rbits4;
  				sbits = lbits4;
  			} else {
  				dbits = rbits6;
  				sbits = lbits6;
  			}
  		} else {
  			if (policy->family == AF_INET) {
  				dbits = lbits4;
  				sbits = rbits4;
  			} else {
  				dbits = lbits6;
  				sbits = rbits6;
  			}
  		}
  
  		if (policy->selector.prefixlen_d < dbits ||
  		    policy->selector.prefixlen_s < sbits)
  			continue;

  		bin = xfrm_policy_inexact_alloc_bin(policy, dir);
  		if (!bin)

  			goto out_unlock;

  
  		if (!xfrm_policy_inexact_alloc_chain(bin, policy, dir))
  			goto out_unlock;

  	}

  	/* reset the bydst and inexact table in all directions */

  	for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {

  		struct hlist_node *n;
  
  		hlist_for_each_entry_safe(policy, n,
  					  &net->xfrm.policy_inexact[dir],

  					  bydst_inexact_list) {
  			hlist_del_rcu(&policy->bydst);

  			hlist_del_init(&policy->bydst_inexact_list);

  		}

  		hmask = net->xfrm.policy_bydst[dir].hmask;
  		odst = net->xfrm.policy_bydst[dir].table;

  		for (i = hmask; i >= 0; i--) {
  			hlist_for_each_entry_safe(policy, n, odst + i, bydst)
  				hlist_del_rcu(&policy->bydst);
  		}

  		if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
  			/* dir out => dst = remote, src = local */
  			net->xfrm.policy_bydst[dir].dbits4 = rbits4;
  			net->xfrm.policy_bydst[dir].sbits4 = lbits4;
  			net->xfrm.policy_bydst[dir].dbits6 = rbits6;
  			net->xfrm.policy_bydst[dir].sbits6 = lbits6;
  		} else {
  			/* dir in/fwd => dst = local, src = remote */
  			net->xfrm.policy_bydst[dir].dbits4 = lbits4;
  			net->xfrm.policy_bydst[dir].sbits4 = rbits4;
  			net->xfrm.policy_bydst[dir].dbits6 = lbits6;
  			net->xfrm.policy_bydst[dir].sbits6 = rbits6;
  		}
  	}
  
  	/* re-insert all policies by order of creation */
  	list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {

  		if (policy->walk.dead)
  			continue;
  		dir = xfrm_policy_id2dir(policy->index);
  		if (dir >= XFRM_POLICY_MAX) {

  			/* skip socket policies */
  			continue;
  		}

  		newpos = NULL;
  		chain = policy_hash_bysel(net, &policy->selector,

  					  policy->family, dir);

  		if (!chain) {
  			void *p = xfrm_policy_inexact_insert(policy, dir, 0);
  
  			WARN_ONCE(IS_ERR(p), "reinsert: %ld
  ", PTR_ERR(p));
  			continue;
  		}

  		hlist_for_each_entry(pol, chain, bydst) {
  			if (policy->priority >= pol->priority)
  				newpos = &pol->bydst;
  			else
  				break;
  		}
  		if (newpos)

  			hlist_add_behind_rcu(&policy->bydst, newpos);

  		else

  			hlist_add_head_rcu(&policy->bydst, chain);

  	}

  out_unlock:

  	__xfrm_policy_inexact_flush(net);

  	write_seqcount_end(&xfrm_policy_hash_generation);

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  
  	mutex_unlock(&hash_resize_mutex);
  }
  
  void xfrm_policy_hash_rebuild(struct net *net)
  {
  	schedule_work(&net->xfrm.policy_hthresh.work);
  }
  EXPORT_SYMBOL(xfrm_policy_hash_rebuild);

  /* Generate new index... KAME seems to generate them ordered by cost
   * of an absolute inpredictability of ordering of rules. This will not pass. */

  static u32 xfrm_gen_index(struct net *net, int dir, u32 index)

  {

  	static u32 idx_generator;
  
  	for (;;) {

  		struct hlist_head *list;
  		struct xfrm_policy *p;
  		u32 idx;
  		int found;

  		if (!index) {
  			idx = (idx_generator | dir);
  			idx_generator += 8;
  		} else {
  			idx = index;
  			index = 0;
  		}

  		if (idx == 0)
  			idx = 8;

  		list = net->xfrm.policy_byidx + idx_hash(net, idx);

  		found = 0;

  		hlist_for_each_entry(p, list, byidx) {

  			if (p->index == idx) {
  				found = 1;

  				break;

  			}

  		}

  		if (!found)

  			return idx;
  	}
  }

  static inline int selector_cmp(struct xfrm_selector *s1, struct xfrm_selector *s2)
  {
  	u32 *p1 = (u32 *) s1;
  	u32 *p2 = (u32 *) s2;
  	int len = sizeof(struct xfrm_selector) / sizeof(u32);
  	int i;
  
  	for (i = 0; i < len; i++) {
  		if (p1[i] != p2[i])
  			return 1;
  	}
  
  	return 0;
  }

  static void xfrm_policy_requeue(struct xfrm_policy *old,
  				struct xfrm_policy *new)
  {
  	struct xfrm_policy_queue *pq = &old->polq;
  	struct sk_buff_head list;

  	if (skb_queue_empty(&pq->hold_queue))
  		return;

  	__skb_queue_head_init(&list);
  
  	spin_lock_bh(&pq->hold_queue.lock);
  	skb_queue_splice_init(&pq->hold_queue, &list);

  	if (del_timer(&pq->hold_timer))
  		xfrm_pol_put(old);

  	spin_unlock_bh(&pq->hold_queue.lock);

  	pq = &new->polq;
  
  	spin_lock_bh(&pq->hold_queue.lock);
  	skb_queue_splice(&list, &pq->hold_queue);
  	pq->timeout = XFRM_QUEUE_TMO_MIN;

  	if (!mod_timer(&pq->hold_timer, jiffies))
  		xfrm_pol_hold(new);

  	spin_unlock_bh(&pq->hold_queue.lock);
  }

  static inline bool xfrm_policy_mark_match(const struct xfrm_mark *mark,
  					  struct xfrm_policy *pol)

  {

  	return mark->v == pol->mark.v && mark->m == pol->mark.m;

  }

  static u32 xfrm_pol_bin_key(const void *data, u32 len, u32 seed)
  {
  	const struct xfrm_pol_inexact_key *k = data;
  	u32 a = k->type << 24 | k->dir << 16 | k->family;

  	return jhash_3words(a, k->if_id, net_hash_mix(read_pnet(&k->net)),
  			    seed);

  }
  
  static u32 xfrm_pol_bin_obj(const void *data, u32 len, u32 seed)
  {
  	const struct xfrm_pol_inexact_bin *b = data;
  
  	return xfrm_pol_bin_key(&b->k, 0, seed);
  }
  
  static int xfrm_pol_bin_cmp(struct rhashtable_compare_arg *arg,
  			    const void *ptr)
  {
  	const struct xfrm_pol_inexact_key *key = arg->key;
  	const struct xfrm_pol_inexact_bin *b = ptr;
  	int ret;
  
  	if (!net_eq(read_pnet(&b->k.net), read_pnet(&key->net)))
  		return -1;
  
  	ret = b->k.dir ^ key->dir;
  	if (ret)
  		return ret;
  
  	ret = b->k.type ^ key->type;
  	if (ret)
  		return ret;
  
  	ret = b->k.family ^ key->family;
  	if (ret)
  		return ret;

  	return b->k.if_id ^ key->if_id;

  }
  
  static const struct rhashtable_params xfrm_pol_inexact_params = {
  	.head_offset		= offsetof(struct xfrm_pol_inexact_bin, head),
  	.hashfn			= xfrm_pol_bin_key,
  	.obj_hashfn		= xfrm_pol_bin_obj,
  	.obj_cmpfn		= xfrm_pol_bin_cmp,
  	.automatic_shrinking	= true,
  };
  
  static void xfrm_policy_insert_inexact_list(struct hlist_head *chain,
  					    struct xfrm_policy *policy)
  {
  	struct xfrm_policy *pol, *delpol = NULL;
  	struct hlist_node *newpos = NULL;

  	int i = 0;

  
  	hlist_for_each_entry(pol, chain, bydst_inexact_list) {
  		if (pol->type == policy->type &&
  		    pol->if_id == policy->if_id &&
  		    !selector_cmp(&pol->selector, &policy->selector) &&

  		    xfrm_policy_mark_match(&policy->mark, pol) &&

  		    xfrm_sec_ctx_match(pol->security, policy->security) &&
  		    !WARN_ON(delpol)) {
  			delpol = pol;
  			if (policy->priority > pol->priority)
  				continue;
  		} else if (policy->priority >= pol->priority) {
  			newpos = &pol->bydst_inexact_list;
  			continue;
  		}
  		if (delpol)
  			break;
  	}
  
  	if (newpos)
  		hlist_add_behind_rcu(&policy->bydst_inexact_list, newpos);
  	else
  		hlist_add_head_rcu(&policy->bydst_inexact_list, chain);

  
  	hlist_for_each_entry(pol, chain, bydst_inexact_list) {
  		pol->pos = i;
  		i++;
  	}

  }

  static struct xfrm_policy *xfrm_policy_insert_list(struct hlist_head *chain,
  						   struct xfrm_policy *policy,
  						   bool excl)

  {

  	struct xfrm_policy *pol, *newpos = NULL, *delpol = NULL;

  	hlist_for_each_entry(pol, chain, bydst) {

  		if (pol->type == policy->type &&

  		    pol->if_id == policy->if_id &&

  		    !selector_cmp(&pol->selector, &policy->selector) &&

  		    xfrm_policy_mark_match(&policy->mark, pol) &&

  		    xfrm_sec_ctx_match(pol->security, policy->security) &&
  		    !WARN_ON(delpol)) {

  			if (excl)
  				return ERR_PTR(-EEXIST);

  			delpol = pol;
  			if (policy->priority > pol->priority)
  				continue;
  		} else if (policy->priority >= pol->priority) {

  			newpos = pol;

  			continue;
  		}

  		if (delpol)
  			break;

  	}

  	if (newpos)

  		hlist_add_behind_rcu(&policy->bydst, &newpos->bydst);

  	else

  		hlist_add_head_rcu(&policy->bydst, chain);

  
  	return delpol;
  }
  
  int xfrm_policy_insert(int dir, struct xfrm_policy *policy, int excl)
  {
  	struct net *net = xp_net(policy);
  	struct xfrm_policy *delpol;
  	struct hlist_head *chain;
  
  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);
  	chain = policy_hash_bysel(net, &policy->selector, policy->family, dir);

  	if (chain)

  		delpol = xfrm_policy_insert_list(chain, policy, excl);

  	else
  		delpol = xfrm_policy_inexact_insert(policy, dir, excl);

  
  	if (IS_ERR(delpol)) {
  		spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  		return PTR_ERR(delpol);
  	}

  	__xfrm_policy_link(policy, dir);

  
  	/* After previous checking, family can either be AF_INET or AF_INET6 */
  	if (policy->family == AF_INET)
  		rt_genid_bump_ipv4(net);
  	else
  		rt_genid_bump_ipv6(net);

  	if (delpol) {
  		xfrm_policy_requeue(delpol, policy);

  		__xfrm_policy_unlink(delpol, dir);

  	}

  	policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir, policy->index);

  	hlist_add_head(&policy->byidx, net->xfrm.policy_byidx+idx_hash(net, policy->index));

  	policy->curlft.add_time = ktime_get_real_seconds();

  	policy->curlft.use_time = 0;
  	if (!mod_timer(&policy->timer, jiffies + HZ))
  		xfrm_pol_hold(policy);

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	if (delpol)

  		xfrm_policy_kill(delpol);

  	else if (xfrm_bydst_should_resize(net, dir, NULL))
  		schedule_work(&net->xfrm.policy_hash_work);

  	return 0;
  }
  EXPORT_SYMBOL(xfrm_policy_insert);

  static struct xfrm_policy *

  __xfrm_policy_bysel_ctx(struct hlist_head *chain, const struct xfrm_mark *mark,
  			u32 if_id, u8 type, int dir, struct xfrm_selector *sel,

  			struct xfrm_sec_ctx *ctx)
  {
  	struct xfrm_policy *pol;
  
  	if (!chain)
  		return NULL;
  
  	hlist_for_each_entry(pol, chain, bydst) {
  		if (pol->type == type &&
  		    pol->if_id == if_id &&

  		    xfrm_policy_mark_match(mark, pol) &&

  		    !selector_cmp(sel, &pol->selector) &&
  		    xfrm_sec_ctx_match(ctx, pol->security))
  			return pol;
  	}
  
  	return NULL;
  }

  struct xfrm_policy *
  xfrm_policy_bysel_ctx(struct net *net, const struct xfrm_mark *mark, u32 if_id,
  		      u8 type, int dir, struct xfrm_selector *sel,
  		      struct xfrm_sec_ctx *ctx, int delete, int *err)

  {

  	struct xfrm_pol_inexact_bin *bin = NULL;
  	struct xfrm_policy *pol, *ret = NULL;

  	struct hlist_head *chain;

  	*err = 0;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	chain = policy_hash_bysel(net, sel, sel->family, dir);

  	if (!chain) {

  		struct xfrm_pol_inexact_candidates cand;
  		int i;

  		bin = xfrm_policy_inexact_lookup(net, type,

  						 sel->family, dir, if_id);

  		if (!bin) {
  			spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  			return NULL;
  		}

  		if (!xfrm_policy_find_inexact_candidates(&cand, bin,
  							 &sel->saddr,
  							 &sel->daddr)) {
  			spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  			return NULL;
  		}
  
  		pol = NULL;
  		for (i = 0; i < ARRAY_SIZE(cand.res); i++) {
  			struct xfrm_policy *tmp;
  
  			tmp = __xfrm_policy_bysel_ctx(cand.res[i], mark,
  						      if_id, type, dir,
  						      sel, ctx);

  			if (!tmp)
  				continue;
  
  			if (!pol || tmp->pos < pol->pos)

  				pol = tmp;
  		}
  	} else {
  		pol = __xfrm_policy_bysel_ctx(chain, mark, if_id, type, dir,
  					      sel, ctx);

  	}

  	if (pol) {
  		xfrm_pol_hold(pol);
  		if (delete) {
  			*err = security_xfrm_policy_delete(pol->security);
  			if (*err) {
  				spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  				return pol;

  			}

  			__xfrm_policy_unlink(pol, dir);

  		}

  		ret = pol;

  	}

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	if (ret && delete)

  		xfrm_policy_kill(ret);

  	if (bin && delete)
  		xfrm_policy_inexact_prune_bin(bin);

  	return ret;

  }

  EXPORT_SYMBOL(xfrm_policy_bysel_ctx);

  struct xfrm_policy *
  xfrm_policy_byid(struct net *net, const struct xfrm_mark *mark, u32 if_id,
  		 u8 type, int dir, u32 id, int delete, int *err)

  {

  	struct xfrm_policy *pol, *ret;
  	struct hlist_head *chain;

  	*err = -ENOENT;
  	if (xfrm_policy_id2dir(id) != dir)
  		return NULL;

  	*err = 0;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	chain = net->xfrm.policy_byidx + idx_hash(net, id);

  	ret = NULL;

  	hlist_for_each_entry(pol, chain, byidx) {

  		if (pol->type == type && pol->index == id &&

  		    pol->if_id == if_id && xfrm_policy_mark_match(mark, pol)) {

  			xfrm_pol_hold(pol);

  			if (delete) {

  				*err = security_xfrm_policy_delete(
  								pol->security);

  				if (*err) {

  					spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  					return pol;
  				}

  				__xfrm_policy_unlink(pol, dir);

  			}
  			ret = pol;

  			break;
  		}
  	}

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	if (ret && delete)

  		xfrm_policy_kill(ret);

  	return ret;

  }
  EXPORT_SYMBOL(xfrm_policy_byid);

  #ifdef CONFIG_SECURITY_NETWORK_XFRM
  static inline int

  xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)

  {

  	struct xfrm_policy *pol;
  	int err = 0;

  	list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
  		if (pol->walk.dead ||
  		    xfrm_policy_id2dir(pol->index) >= XFRM_POLICY_MAX ||
  		    pol->type != type)
  			continue;

  		err = security_xfrm_policy_delete(pol->security);
  		if (err) {
  			xfrm_audit_policy_delete(pol, 0, task_valid);
  			return err;

  		}
  	}
  	return err;
  }
  #else
  static inline int

  xfrm_policy_flush_secctx_check(struct net *net, u8 type, bool task_valid)

  {
  	return 0;
  }
  #endif

  int xfrm_policy_flush(struct net *net, u8 type, bool task_valid)

  {

  	int dir, err = 0, cnt = 0;

  	struct xfrm_policy *pol;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	err = xfrm_policy_flush_secctx_check(net, type, task_valid);

  	if (err)
  		goto out;

  again:
  	list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
  		dir = xfrm_policy_id2dir(pol->index);
  		if (pol->walk.dead ||
  		    dir >= XFRM_POLICY_MAX ||
  		    pol->type != type)
  			continue;

  		__xfrm_policy_unlink(pol, dir);
  		spin_unlock_bh(&net->xfrm.xfrm_policy_lock);
  		cnt++;
  		xfrm_audit_policy_delete(pol, 1, task_valid);
  		xfrm_policy_kill(pol);
  		spin_lock_bh(&net->xfrm.xfrm_policy_lock);
  		goto again;

  	}

  	if (cnt)
  		__xfrm_policy_inexact_flush(net);
  	else

  		err = -ESRCH;

  out:

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	return err;

  }
  EXPORT_SYMBOL(xfrm_policy_flush);

  int xfrm_policy_walk(struct net *net, struct xfrm_policy_walk *walk,

  		     int (*func)(struct xfrm_policy *, int, int, void*),

  		     void *data)
  {

  	struct xfrm_policy *pol;
  	struct xfrm_policy_walk_entry *x;

  	int error = 0;
  
  	if (walk->type >= XFRM_POLICY_TYPE_MAX &&
  	    walk->type != XFRM_POLICY_TYPE_ANY)
  		return -EINVAL;

  	if (list_empty(&walk->walk.all) && walk->seq != 0)

  		return 0;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock);

  	if (list_empty(&walk->walk.all))

  		x = list_first_entry(&net->xfrm.policy_all, struct xfrm_policy_walk_entry, all);

  	else

  		x = list_first_entry(&walk->walk.all,
  				     struct xfrm_policy_walk_entry, all);

  	list_for_each_entry_from(x, &net->xfrm.policy_all, all) {

  		if (x->dead)

  			continue;

  		pol = container_of(x, struct xfrm_policy, walk);
  		if (walk->type != XFRM_POLICY_TYPE_ANY &&
  		    walk->type != pol->type)
  			continue;
  		error = func(pol, xfrm_policy_id2dir(pol->index),
  			     walk->seq, data);
  		if (error) {
  			list_move_tail(&walk->walk.all, &x->all);
  			goto out;

  		}

  		walk->seq++;

  	}

  	if (walk->seq == 0) {

  		error = -ENOENT;
  		goto out;
  	}

  	list_del_init(&walk->walk.all);

  out:

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  	return error;
  }
  EXPORT_SYMBOL(xfrm_policy_walk);

  void xfrm_policy_walk_init(struct xfrm_policy_walk *walk, u8 type)
  {
  	INIT_LIST_HEAD(&walk->walk.all);
  	walk->walk.dead = 1;
  	walk->type = type;
  	walk->seq = 0;
  }
  EXPORT_SYMBOL(xfrm_policy_walk_init);

  void xfrm_policy_walk_done(struct xfrm_policy_walk *walk, struct net *net)

  {
  	if (list_empty(&walk->walk.all))
  		return;

  	spin_lock_bh(&net->xfrm.xfrm_policy_lock); /*FIXME where is net? */

  	list_del(&walk->walk.all);

  	spin_unlock_bh(&net->xfrm.xfrm_policy_lock);

  }
  EXPORT_SYMBOL(xfrm_policy_walk_done);

  /*
   * Find policy to apply to this flow.
   *
   * Returns 0 if policy found, else an -errno.
   */

  static int xfrm_policy_match(const struct xfrm_policy *pol,
  			     const struct flowi *fl,

  			     u8 type, u16 family, int dir, u32 if_id)

  {

  	const struct xfrm_selector *sel = &pol->selector;

  	int ret = -ESRCH;
  	bool match;

  	if (pol->family != family ||

  	    pol->if_id != if_id ||

  	    (fl->flowi_mark & pol->mark.m) != pol->mark.v ||

  	    pol->type != type)

  		return ret;

  	match = xfrm_selector_match(sel, fl, family);

  	if (match)

  		ret = security_xfrm_policy_lookup(pol->security, fl->flowi_secid,

  						  dir);

  	return ret;

  }

  static struct xfrm_pol_inexact_node *
  xfrm_policy_lookup_inexact_addr(const struct rb_root *r,

  				seqcount_spinlock_t *count,

  				const xfrm_address_t *addr, u16 family)
  {
  	const struct rb_node *parent;
  	int seq;
  
  again:
  	seq = read_seqcount_begin(count);
  
  	parent = rcu_dereference_raw(r->rb_node);
  	while (parent) {
  		struct xfrm_pol_inexact_node *node;
  		int delta;
  
  		node = rb_entry(parent, struct xfrm_pol_inexact_node, node);
  
  		delta = xfrm_policy_addr_delta(addr, &node->addr,
  					       node->prefixlen, family);
  		if (delta < 0) {
  			parent = rcu_dereference_raw(parent->rb_left);
  			continue;
  		} else if (delta > 0) {
  			parent = rcu_dereference_raw(parent->rb_right);
  			continue;
  		}
  
  		return node;
  	}
  
  	if (read_seqcount_retry(count, seq))
  		goto again;
  
  	return NULL;
  }