From ff404935e298035e368a30eaca5828f456172f23 Mon Sep 17 00:00:00 2001
From: rwatson
Date: Tue, 4 May 2004 02:11:47 +0000
Subject: [PATCH] Switch to using the inpcb MAC label instead of socket MAC label when labeling new mbufs created from sockets/inpcbs in IPv4. This helps avoid the need for socket layer locking in the lower level network paths where inpcb locks are already frequently held where needed. In particular:
- Use the inpcb for label instead of socket in raw_append().
- Use the inpcb for label instead of socket in tcp_output().
- Use the inpcb for label instead of socket in tcp_respond().
- Use the inpcb for label instead of socket in tcp_twrespond().
- Use the inpcb for label instead of socket in syncache_respond().
While here, modify tcp_respond() to avoid assigning NULL to a stack variable and centralize assertions about the inpcb when inp is assigned.
Obtained from: TrustedBSD Project
Sponsored by: DARPA, McAfee Research
---
 sys/netinet/raw_ip.c | 4 +++-
 sys/netinet/tcp_output.c | 2 +-
 sys/netinet/tcp_subr.c | 9 +++++++--
 sys/netinet/tcp_syncache.c | 2 +-
 sys/netinet/tcp_timewait.c | 9 +++++++--
 sys/netinet/udp_usrreq.c | 2 +-
 6 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 1953fd86ca05..12ab675a97c1 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -248,7 +248,9 @@ rip_output(struct mbuf *m, struct socket *so, u_long dst)
 int flags = (so->so_options & SO_DONTROUTE) | IP_ALLOWBROADCAST;
 #ifdef MAC
- mac_create_mbuf_from_socket(so, m);
+ INP_LOCK(inp);
+ mac_create_mbuf_from_inpcb(inp, m);
+ INP_UNLOCK(inp);
 #endif
 /*
diff --git a/sys/netinet/tcp_output.c b/sys/netinet/tcp_output.c
index 098322ead9c4..46d9337caf03 100644
--- a/sys/netinet/tcp_output.c
+++ b/sys/netinet/tcp_output.c
@@ -692,7 +692,7 @@ send:
 }
 m->m_pkthdr.rcvif = (struct ifnet *)0;
 #ifdef MAC
- mac_create_mbuf_from_socket(so, m);
+ mac_create_mbuf_from_inpcb(tp->t_inpcb, m);
 #endif
 #ifdef INET6
 if (isipv6) {
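Review bot: `inp` is used by the three added lines in rip_output() but is neither declared nor assigned inside this hunk, so the change relies on the function having derived it from `so` above line 248; the function starts and ends outside the hunk, so that is worth confirming in the full file. This is also the only call site in the patch that takes the inpcb lock itself instead of asserting it, and a one-line comment would make the intent clear, for example `/* Hold the inpcb lock while the MAC label is copied to the mbuf. */`. If any caller can reach rip_output() with the inpcb already locked, `INP_LOCK(inp)` would acquire it a second time, so the locking expectation belongs in the function's header comment as well.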
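Review bot: The new call in tcp_output() reads the label of `tp->t_inpcb` with no lock assertion near it, while the tcp_respond() and udp_output() hunks in this patch have `INP_LOCK_ASSERT(inp)` directly above the same call. Unless tcp_output() already asserts the inpcb lock before the `send:` label (not visible here), adding `INP_LOCK_ASSERT(tp->t_inpcb);` above the call would catch any path that reaches the label read unlocked. The enclosing function starts and ends outside the hunk.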
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 23f08bafc9c3..5fca04c85115 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 int isipv6;
 #endif /* INET6 */
 int ipflags = 0;
- struct inpcb *inp = NULL;
+ struct inpcb *inp;
 KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
@@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
 INP_INFO_WLOCK_ASSERT(&tcbinfo);
 INP_LOCK_ASSERT(inp);
+ } else
+ inp = NULL;
+
+ if (tp != NULL) {
 if (!(flags & TH_RST)) {
 win = sbspace(&inp->inp_socket->so_rcv);
 if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 * Packet is associated with a socket, so allow the
 * label of the response to reflect the socket label.
 */
- mac_create_mbuf_from_socket(inp->inp_socket, m);
+ INP_LOCK_ASSERT(inp);
+ mac_create_mbuf_from_inpcb(inp, m);
 } else {
 /*
 * Packet is not associated with a socket, so possibly
diff --git a/sys/netinet/tcp_syncache.c b/sys/netinet/tcp_syncache.c
index 51575a3779ae..1fb7e99e1b6f 100644
--- a/sys/netinet/tcp_syncache.c
+++ b/sys/netinet/tcp_syncache.c
@@ -1131,7 +1131,7 @@ syncache_respond(sc, m)
 inp = sc->sc_tp->t_inpcb;
 INP_LOCK(inp);
 #ifdef MAC
- mac_create_mbuf_from_socket(inp->inp_socket, m);
+ mac_create_mbuf_from_inpcb(inp, m);
 #endif
 #ifdef INET6
diff --git a/sys/netinet/tcp_timewait.c b/sys/netinet/tcp_timewait.c
index 23f08bafc9c3..5fca04c85115 100644
--- a/sys/netinet/tcp_timewait.c
+++ b/sys/netinet/tcp_timewait.c
@@ -412,7 +412,7 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 int isipv6;
 #endif /* INET6 */
 int ipflags = 0;
- struct inpcb *inp = NULL;
+ struct inpcb *inp;
 KASSERT(tp != NULL || m != NULL, ("tcp_respond: tp and m both NULL"));
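Review bot: The comment kept as context above the changed call at -509 in tcp_respond() still says the response should "reflect the socket label", but the label is now taken from the inpcb. Its second line should read `* label of the response to reflect the inpcb label.` so the comment names the object the MAC policy actually consults. The same stale comment appears in the identical hunk at -509 of tcp_timewait.c. The condition that selects this branch is above the hunk; presumably it tests `inp != NULL`, which the added `INP_LOCK_ASSERT(inp)` depends on.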
@@ -427,6 +427,10 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 KASSERT(inp != NULL, ("tcp control block w/o inpcb"));
 INP_INFO_WLOCK_ASSERT(&tcbinfo);
 INP_LOCK_ASSERT(inp);
+ } else
+ inp = NULL;
+
+ if (tp != NULL) {
 if (!(flags & TH_RST)) {
 win = sbspace(&inp->inp_socket->so_rcv);
 if (win > (long)TCP_MAXWIN << tp->rcv_scale)
@@ -509,7 +513,8 @@ tcp_respond(tp, ipgen, th, m, ack, seq, flags)
 * Packet is associated with a socket, so allow the
 * label of the response to reflect the socket label.
 */
- mac_create_mbuf_from_socket(inp->inp_socket, m);
+ INP_LOCK_ASSERT(inp);
+ mac_create_mbuf_from_inpcb(inp, m);
 } else {
 /*
 * Packet is not associated with a socket, so possibly
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 868049134d48..9c541dba8524 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -728,7 +728,7 @@ udp_output(inp, m, addr, control, td)
 INP_LOCK_ASSERT(inp);
 #ifdef MAC
- mac_create_mbuf_from_socket(inp->inp_socket, m);
+ mac_create_mbuf_from_inpcb(inp, m);
 #endif
 if (len + sizeof(struct udpiphdr) > IP_MAXPACKET) {
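Review bot: tcp_twrespond() is listed in the commit message, yet none of the hunks shown for tcp_timewait.c or tcp_subr.c touches it; all three hunks in the tcp_timewait.c section are in tcp_respond() and repeat the tcp_subr.c section, index hashes included. If tcp_twrespond() still calls `mac_create_mbuf_from_socket()`, that path keeps reading the socket label without the socket-layer locking this change is meant to make unnecessary. It is worth checking the full tree under sys/netinet for remaining `mac_create_mbuf_from_socket(` callers before relying on the inpcb label on every output path.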