[Openswan dev] RFC KLIPS patch for increased throughput on multicore systems

David McCullough david_mccullough at mcafee.com
Tue Apr 17 06:32:51 EDT 2012


Jivin Jagdish Motwani lays it down ...
> Ref mail: KLIPS tdb_lock as rwlock instead of spinlock?
> 
> Please find attached klips patch for increased throughput of single 
> tunnel on multicore systems.
> 
> This patch is just a RFC and may have side effects. Please report them 
> by testing or code review.
> 
> In order to get increased throughput:
>          1) Apply the patch
>          2) Use Receive Packet Steering to send packets of different
> flows to different CPUs (/sys/class/net/eth0/queues/rx-0/rps_cpus)

The patch is clean and simple,  but I am not sure if there is anything we
are missing here.

I'll try and get this loaded on a few different systems here and try it out.
Especially on an SMP OCF system just to check that angle as well.

At the end of the day we just need to be sure the SA table doesn't get
modified in any way while the state machine is using it.

My only suggestion would be to set a really short rekey time and run with
that while you are benchmarking.  Maybe have 3 or 4 tunnels rekeying while
you are benchmarking if possible.

Given the performance improvements you have shown I think we need to look at
something like this no matter what,  hopefully this patch is it :-)

Thanks,
Davidm



> diff --git a/linux/include/openswan/ipsec_proto.h b/linux/include/openswan/ipsec_proto.h
> index f40336c..db21b92 100644
> --- a/linux/include/openswan/ipsec_proto.h
> +++ b/linux/include/openswan/ipsec_proto.h
> @@ -41,7 +41,7 @@ extern struct prng ipsec_prng;
>  
>  /* ipsec_sa.c */
>  extern struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
> -extern spinlock_t       tdb_lock;
> +extern rwlock_t tdb_lock;
>  extern int ipsec_sadb_init(void);
>  extern int ipsec_sadb_cleanup(__u8);
>  
> diff --git a/linux/net/ipsec/ipsec_proc.c b/linux/net/ipsec/ipsec_proc.c
> index ec25a1b..9c3a331 100644
> --- a/linux/net/ipsec/ipsec_proc.c
> +++ b/linux/net/ipsec/ipsec_proc.c
> @@ -464,7 +464,7 @@ ipsec_spi_get_info(char *buffer,
>  		    (int)offset,
>  		    length);
>  	
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	for (i = 0; i < SADB_HASHMOD; i++) {
>  		for (sa_p = ipsec_sadb_hash[i];
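Review bot: `ipsec_spi_get_info` takes the writer side of `tdb_lock` for what, judging by the visible loop header, is a walk over `ipsec_sadb_hash` that only formats entries. If nothing in the loop body (outside this hunk) modifies the table, `read_lock_bh(&tdb_lock);` and `read_unlock_bh(&tdb_lock);` would be enough. As written, every read of this /proc file excludes all `ipsec_rsm`/`ipsec_xsm` readers for the length of the dump, which gives back part of the throughput the patch is after. The same applies to the `ipsec_spigrp_get_info` and `ipsec_saraw_get_info` hunks below; if the writer lock is intentional, a short comment at the lock saying why would help.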
> @@ -492,7 +492,7 @@ ipsec_spi_get_info(char *buffer,
>          }
>  
>  done_spi_i:	
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	*start = buffer + (offset - begin);	/* Start of wanted data */
>  	return len - (offset - begin);
> @@ -523,7 +523,7 @@ ipsec_spigrp_get_info(char *buffer,
>  		    (int)offset,
>  		    length);
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  	
>  	for (i = 0; i < SADB_HASHMOD; i++) {
>  		for (sa_p = ipsec_sadb_hash[i];
> @@ -563,7 +563,7 @@ ipsec_spigrp_get_info(char *buffer,
>  	}
>  
>  done_spigrp_i:	
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	*start = buffer + (offset - begin);	/* Start of wanted data */
>  	return len - (offset - begin);
> @@ -592,7 +592,7 @@ ipsec_saraw_get_info(char *buffer,
>  		    (int)offset,
>  		    length);
>  	
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	for (sa_p = ipsec_sa_raw; sa_p; sa_p = sa_p->ips_raw) {
>  	       
> @@ -616,7 +616,7 @@ ipsec_saraw_get_info(char *buffer,
>  	}
>  
>  done_spi_i:	
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	*start = buffer + (offset - begin);	/* Start of wanted data */
>  	return len - (offset - begin);
> diff --git a/linux/net/ipsec/ipsec_rcv.c b/linux/net/ipsec/ipsec_rcv.c
> index 8800a5d..9b6d468 100644
> --- a/linux/net/ipsec/ipsec_rcv.c
> +++ b/linux/net/ipsec/ipsec_rcv.c
> @@ -1980,7 +1980,7 @@ ipsec_rsm(struct ipsec_rcv_state *irs)
>  	/*
>  	 * make sure nothing is removed from underneath us
>  	 */
> -	spin_lock_bh(&tdb_lock);
> +	read_lock_bh(&tdb_lock);
>  
>  	/*
>  	 * if we have a valid said,  then we must check it here to ensure it
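Review bot: With `read_lock_bh(&tdb_lock)` here, several CPUs can run `ipsec_rsm` on the same SA at once, so `tdb_lock` no longer serializes whatever per-SA fields the state handlers write. The handlers are outside this hunk, but anti-replay window state and lifetime counters are the usual candidates in a receive path, and a racing replay-window update can accept a duplicate or reject a valid packet. Those updates need a per-SA lock or atomic operations before the table lock is relaxed. The same question applies to `ipsec_xsm` in ipsec_xmit.c, where outbound sequence numbers are the thing to check. A comment at the lock, e.g. `/* read lock protects SA table membership only; per-SA state is guarded by <per-SA lock> */`, would make the new contract explicit.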
> @@ -2021,7 +2021,7 @@ ipsec_rsm(struct ipsec_rcv_state *irs)
>  			 * things are on hold until we return here in the next/new state
>  			 * we check our SA is valid when we return
>  			 */
> -			spin_unlock_bh(&tdb_lock);
> +			read_unlock_bh(&tdb_lock);
>  			return;
>  		} else {
>  			/* bad result, force state change to done */
> @@ -2036,7 +2036,7 @@ ipsec_rsm(struct ipsec_rcv_state *irs)
>  	/*
>  	 * all done with anything needing locks
>  	 */
> -	spin_unlock_bh(&tdb_lock);
> +	read_unlock_bh(&tdb_lock);
>  
>  	if (irs->lastipsp) {
>  		ipsec_sa_put(irs->lastipsp, IPSEC_REFRX);
> diff --git a/linux/net/ipsec/ipsec_sa.c b/linux/net/ipsec/ipsec_sa.c
> index 7e77f73..ccd2b96 100644
> --- a/linux/net/ipsec/ipsec_sa.c
> +++ b/linux/net/ipsec/ipsec_sa.c
> @@ -83,8 +83,7 @@
>  #define SENDERR(_x) do { error = -(_x); goto errlab; } while (0)
>  
>  struct ipsec_sa *ipsec_sadb_hash[SADB_HASHMOD];
> -DEFINE_SPINLOCK(tdb_lock);
> -
> +DEFINE_RWLOCK(tdb_lock);
>  #ifdef IPSEC_SA_RECOUNT_DEBUG
>  struct ipsec_sa *ipsec_sa_raw = NULL;
>  #endif
> @@ -714,12 +713,12 @@ ipsec_sa_add(struct ipsec_sa *ips)
>  	hashval = IPS_HASH(&ips->ips_said);
>  
>  	ipsec_sa_get(ips, IPSEC_REFSAADD);
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  	
>  	ips->ips_hnext = ipsec_sadb_hash[hashval];
>  	ipsec_sadb_hash[hashval] = ips;
>  	
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	return error;
>  }
> @@ -882,7 +881,7 @@ ipsec_sadb_cleanup(__u8 proto)
>  		    "cleaning up proto=%d.\n",
>  		    proto);
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	for (i = 0; i < SADB_HASHMOD; i++) {
>  		ips = ipsec_sadb_hash[i];
> @@ -898,7 +897,7 @@ ipsec_sadb_cleanup(__u8 proto)
>  
>  /* errlab: */
>  
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  
>  #if IPSEC_SA_REF_CODE
> diff --git a/linux/net/ipsec/ipsec_tunnel.c b/linux/net/ipsec/ipsec_tunnel.c
> index a375b79..59cd74d 100644
> --- a/linux/net/ipsec/ipsec_tunnel.c
> +++ b/linux/net/ipsec/ipsec_tunnel.c
> @@ -2145,7 +2145,8 @@ ipsec_tunnel_init(struct net_device *dev)
>  	dev->mtu		= 0;
>  	dev->addr_len		= 0;
>  	dev->type		= ARPHRD_VOID; /* ARPHRD_TUNNEL; */ /* ARPHRD_ETHER; */
> -	dev->tx_queue_len	= 10;		/* Small queue */
> +	dev->tx_queue_len	=  0;        /* No qdisc */
> +	dev->features |= NETIF_F_LLTX; /* No tx lock */
>  #ifdef IFF_XMIT_DST_RELEASE
>  	dev->priv_flags	       &= ~IFF_XMIT_DST_RELEASE;
>  #endif
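Review bot: Setting `NETIF_F_LLTX` means the core no longer takes the tx lock around this device's transmit handler, so that handler can run concurrently on several CPUs for the same `dev`. The transmit function is not in this hunk; any state it updates without its own locking (device statistics, private per-device fields) needs to become per-CPU or atomic as part of this change. `tx_queue_len = 0` also removes the queue that absorbed bursts, so a transmit path that reports busy will likely see packets dropped rather than retried. Both consequences are worth recording in the comment, e.g. `/* no qdisc, no tx lock: xmit path must be re-entrant and must not return busy */`.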
> diff --git a/linux/net/ipsec/ipsec_xmit.c b/linux/net/ipsec/ipsec_xmit.c
> index b9e6a36..46f5126 100644
> --- a/linux/net/ipsec/ipsec_xmit.c
> +++ b/linux/net/ipsec/ipsec_xmit.c
> @@ -2820,7 +2820,7 @@ ipsec_xsm(struct ipsec_xmit_state *ixs)
>  	/*
>  	 * make sure nothing is removed from underneath us
>  	 */
> -	spin_lock_bh(&tdb_lock);
> +	read_lock_bh(&tdb_lock);
>  
>  	/*
>  	 * if we have a valid said,  then we must check it here to ensure it
> @@ -2865,7 +2865,7 @@ ipsec_xsm(struct ipsec_xmit_state *ixs)
>  			 * things are on hold until we return here in the next/new state
>  			 * we check our SA is valid when we return
>  			 */
> -			spin_unlock_bh(&tdb_lock);
> +			read_unlock_bh(&tdb_lock);
>  			return;
>  		} else {
>  			/* bad result, force state change to done */
> @@ -2880,7 +2880,7 @@ ipsec_xsm(struct ipsec_xmit_state *ixs)
>  	/*
>  	 * all done with anything needing locks
>  	 */
> -	spin_unlock_bh(&tdb_lock);
> +	read_unlock_bh(&tdb_lock);
>  
>  	/*
>  	 * let the caller continue with their processing
> diff --git a/linux/net/ipsec/pfkey_v2_parser.c b/linux/net/ipsec/pfkey_v2_parser.c
> index 6f787e0..5a4364d 100644
> --- a/linux/net/ipsec/pfkey_v2_parser.c
> +++ b/linux/net/ipsec/pfkey_v2_parser.c
> @@ -249,12 +249,12 @@ pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  
>  	if(maxspi == minspi) {
>  		extr->ips->ips_said.spi = maxspi;
> -		spin_lock_bh(&tdb_lock);
> +		write_lock_bh(&tdb_lock);
>  		ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  		if(ipsq != NULL) {
>  			sa_len = KLIPS_SATOT(debug_pfkey, &extr->ips->ips_said, 0, sa, sizeof(sa));
>  			ipsec_sa_put(ipsq, IPSEC_REFSA);
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_PRINT(debug_pfkey,
>  				    "klips_debug:pfkey_getspi_parse: "
>  				    "EMT_GETSPI found an old ipsec_sa for SA: %s, delete it first.\n",
> @@ -263,7 +263,7 @@ pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  		} else {
>  			found_avail = 1;
>  		}
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  	} else {
>  		int i = 0;
>  		__u32 rand_val;
> @@ -278,14 +278,14 @@ pfkey_getspi_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  					      (rand_val %
>  					      (spi_diff + 1)));
>  			i++;
> -			spin_lock_bh(&tdb_lock);
> +			write_lock_bh(&tdb_lock);
>  			ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  			if(ipsq == NULL) {
>  				found_avail = 1;
>  			} else {
>  				ipsec_sa_put(ipsq, IPSEC_REFSA);
>  			}
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  		}
>  	}
>  
> @@ -443,11 +443,11 @@ pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  
>  	sa_len = KLIPS_SATOT(debug_pfkey, &extr->ips->ips_said, 0, sa, sizeof(sa));
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  	if (ipsq == NULL) {
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_PRINT(debug_pfkey,
>  			    "klips_debug:pfkey_update_parse: "
>  			    "reserved ipsec_sa for SA: %s not found.  Call K_SADB_GETSPI first or call K_SADB_ADD instead.\n",
> @@ -503,7 +503,7 @@ pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  		extr->ips->ips_rcvif = NULL;
>  		if ((error = pfkey_ipsec_sa_init(extr->ips))) {
>  			ipsec_sa_put(ipsq, IPSEC_REFSA);
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_PRINT(debug_pfkey,
>  				    "klips_debug:pfkey_update_parse: "
>  				    "not successful for SA: %s, deleting.\n",
> @@ -517,7 +517,7 @@ pfkey_update_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  		ipsec_sa_put(ipsq, IPSEC_REFSA);
>  	}
>  
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  	
>  	if(!(pfkey_safe_build(error = pfkey_msg_hdr_build(&extensions_reply[0],
>  							  K_SADB_UPDATE,
> @@ -719,18 +719,18 @@ pfkey_add_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extr
>  
>  	sa_len = KLIPS_SATOT(debug_pfkey, &extr->ips->ips_said, 0, sa, sizeof(sa));
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  	ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  	if(ipsq != NULL) {
>  		ipsec_sa_put(ipsq, IPSEC_REFSA);
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_PRINT(debug_pfkey,
>  			    "klips_debug:pfkey_add_parse: "
>  			    "found an old ipsec_sa for SA%s, delete it first.\n",
>  			    sa_len ? sa : " (error)");
>  		SENDERR(EEXIST);
>  	}
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  #ifdef CONFIG_KLIPS_IPV6
>  	if (ip_address_family(&extr->ips->ips_said.dst) == AF_INET6 &&
> @@ -770,16 +770,16 @@ pfkey_add_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extr
>  	}
>  
>  	/* attach it to the SAref table */
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  	if((error = ipsec_sa_intern(extr->ips)) != 0) {
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_ERROR(debug_pfkey,
>  			    "pfkey_add_parse: "
>  			    "failed to intern SA as SAref#%lu\n"
>  			    , (unsigned long)extr->ips->ips_ref);
>  		SENDERR(-error);
>  	}
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	extr->ips->ips_life.ipl_addtime.ipl_count = jiffies / HZ;
>  	if(!extr->ips->ips_life.ipl_allocations.ipl_count) {
> @@ -953,11 +953,11 @@ pfkey_delete_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  
>  	sa_len = KLIPS_SATOT(debug_pfkey, &extr->ips->ips_said, 0, sa, sizeof(sa));
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  	if (ipsp == NULL) {
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_PRINT(debug_pfkey,
>  			    "klips_debug:pfkey_delete_parse: "
>  			    "ipsec_sa not found for SA:%s, could not delete.\n",
> @@ -997,7 +997,7 @@ pfkey_delete_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_e
>  	/* this should cause ipsec_sa_wipe to get called on the SA/group */
>  	ipsec_sa_put(ipsq, IPSEC_REFALLOC);
>  
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	memset(&sab, 0, sizeof(sab));
>  	sab.sa_base.sadb_sa_exttype = K_SADB_EXT_SA;
> @@ -1092,11 +1092,11 @@ pfkey_get_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extr
>  
>  	sa_len = KLIPS_SATOT(debug_pfkey, &extr->ips->ips_said, 0, sa, sizeof(sa));
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	ipsp = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  	if (ipsp == NULL) {
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
>  			    "ipsec_sa not found for SA=%s, could not get.\n",
>  			    sa_len ? sa : " (error)");
> @@ -1230,14 +1230,14 @@ pfkey_get_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_extr
>  #endif
>  		     )) {
>  		ipsec_sa_put(ipsp, IPSEC_REFSA);
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
>  			    "failed to build the get reply message extensions\n");
>  		SENDERR(-error);
>  	}
>  		
>  	ipsec_sa_put(ipsp, IPSEC_REFSA);
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  	
>  	if((error = pfkey_msg_build(&pfkey_reply, extensions_reply, EXT_BITS_OUT))) {
>  		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_get_parse: "
> @@ -1697,11 +1697,11 @@ pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_
>  		sa_len2 = KLIPS_SATOT(debug_pfkey, &extr->ips2->ips_said, 0, sa2, sizeof(sa2));
>  	}
>  
> -	spin_lock_bh(&tdb_lock);
> +	write_lock_bh(&tdb_lock);
>  
>  	ips1p = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  	if(ips1p == NULL) {
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		KLIPS_ERROR(debug_pfkey,
>  			    "klips_debug:pfkey_x_grpsa_parse: "
>  			    "reserved ipsec_sa for SA1: %s not found.  Call K_SADB_ADD/UPDATE first.\n",
> @@ -1716,7 +1716,7 @@ pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_
>  		ips2p = ipsec_sa_getbyid(&(extr->ips2->ips_said), IPSEC_REFSA);
>  		if(ips2p == NULL) {
>  			ipsec_sa_put(ips1p, IPSEC_REFSA);
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_PRINT(debug_pfkey,
>  				    "klips_debug:pfkey_x_grpsa_parse: "
>  				    "reserved ipsec_sa for SA2: %s not found.  Call K_SADB_ADD/UPDATE first.\n",
> @@ -1738,7 +1738,7 @@ pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_
>  		if(ips1p->ips_next) {
>  			ipsec_sa_put(ips1p, IPSEC_REFSA);
>  			ipsec_sa_put(ips2p, IPSEC_REFSA);
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_ERROR(debug_pfkey,
>  				    "klips_debug:pfkey_x_grpsa_parse: "
>  				    "ipsec_sa for SA: %s is already linked.\n",
> @@ -1752,7 +1752,7 @@ pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_
>  			if(ipsp == ips1p) {
>  				ipsec_sa_put(ips1p, IPSEC_REFSA);
>  				ipsec_sa_put(ips2p, IPSEC_REFSA);
> -				spin_unlock_bh(&tdb_lock);
> +				write_unlock_bh(&tdb_lock);
>  				KLIPS_ERROR(debug_pfkey,
>  					    "klips_debug:pfkey_x_grpsa_parse: "
>  					    "ipsec_sa for SA: %s is already linked to %s.\n",
> @@ -1799,7 +1799,7 @@ pfkey_x_grpsa_parse(struct sock *sk, struct sadb_ext **extensions, struct pfkey_
>  			    sa_len1 ? sa1 : " (error)");
>  	}
>  
> -	spin_unlock_bh(&tdb_lock);
> +	write_unlock_bh(&tdb_lock);
>  
>  	/* MCR: not only is this ugly to read, and impossible
>  	 *   to debug through, but it's also really inefficient.
> @@ -1964,11 +1964,11 @@ pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfke
>  		char sa[SATOT_BUF];
>  		size_t sa_len;
>  
> -		spin_lock_bh(&tdb_lock);
> +		write_lock_bh(&tdb_lock);
>  
>  		ipsq = ipsec_sa_getbyid(&(extr->ips->ips_said), IPSEC_REFSA);
>  		if(ipsq == NULL) {
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_PRINT(debug_pfkey,
>  				    "klips_debug:pfkey_x_addflow_parse: "
>  				    "ipsec_sa not found, cannot set incoming policy.\n");
> @@ -1982,7 +1982,7 @@ pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfke
>  
>  		if(ipsp == NULL) {
>  			ipsec_sa_put(ipsq, IPSEC_REFSA);
> -			spin_unlock_bh(&tdb_lock);
> +			write_unlock_bh(&tdb_lock);
>  			KLIPS_PRINT(debug_pfkey,
>  				    "klips_debug:pfkey_x_addflow_parse: "
>  				    "SA chain does not have an IPIP SA, cannot set incoming policy.\n");
> @@ -2000,7 +2000,7 @@ pfkey_x_addflow_parse(struct sock *sk, struct sadb_ext **extensions, struct pfke
>  
>  		ipsec_sa_put(ipsq, IPSEC_REFSA);
>  
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  
>  		KLIPS_PRINT(debug_pfkey,
>  			    "klips_debug:pfkey_x_addflow_parse: "
> @@ -2470,7 +2470,7 @@ pfkey_expire(struct ipsec_sa *ipsp, int hard)
>  				  extensions))) {
>  		KLIPS_PRINT(debug_pfkey, "klips_debug:pfkey_expire: "
>  			    "failed to build the expire message extensions\n");
> -		spin_unlock_bh(&tdb_lock);
> +		write_unlock_bh(&tdb_lock);
>  		goto errlab;
>  	}
>  	
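Review bot: This error path in `pfkey_expire` releases `tdb_lock` with `write_unlock_bh`, but no acquire is visible in the hunk, so the mode has to match whatever the caller holds. If `pfkey_expire` is reached from lifetime checks inside `ipsec_rsm`/`ipsec_xsm`, the lock is now held in read mode and a write-unlock here would corrupt the rwlock state. If the caller holds nothing, this is an unbalanced unlock that the conversion carries over. Either way it should be checked against every caller, and preferably removed so the function returns with the lock in the state it was entered with.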
> diff --git a/linux/net/ipsec/prng.c b/linux/net/ipsec/prng.c
> index 05a16d0..8c8d7e6 100644
> --- a/linux/net/ipsec/prng.c
> +++ b/linux/net/ipsec/prng.c
> @@ -22,23 +22,21 @@
>  #include <linux/interrupt.h>
>  
>  /*
> - * A horrible locking hack,  we ride on tdb_lock for now since it
> - * is basically what we want.  Since all calls into prng_bytes pass in
> - * a pointer to ipsec_prng,  there is contention on the data in ipsec_prng
> - * as it is not always locked.  TO make sure we never messup the PRNG, just
> - * locked it if we don't already have the tdb_lock
> + * TO make sure we never messup the PRNG, just
> + * locked with a new lock prng_lock -- please verify this
>   */
> +DEFINE_SPINLOCK(prng_lock);
>  
>  #define LOCK_PRNG() \
>  	int ul = 0; \
> -	if (spin_trylock_bh(&tdb_lock)) { \
> +	if (spin_trylock_bh(&prng_lock)) { \
>  		ul = 1; \
>  	} else
>  
>  #define UNLOCK_PRNG() \
>  	if (ul) { \
>  		ul = 0; \
> -		spin_unlock_bh(&tdb_lock); \
> +		spin_unlock_bh(&prng_lock); \
>  	} else
>  
>  #else
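Review bot: `LOCK_PRNG()` still uses `spin_trylock_bh`, and on failure leaves `ul` at 0 and falls through to the PRNG code without holding anything. With `tdb_lock` that failure meant the caller already held the lock; with a dedicated `prng_lock` it means another CPU is inside the PRNG, so two CPUs can update `ipsec_prng` at once and may corrupt its state or emit the same bytes twice (the random SPI selection in `pfkey_getspi_parse` would be affected if it draws from this PRNG). Take the lock unconditionally, `spin_lock_bh(&prng_lock);` in `LOCK_PRNG()` and `spin_unlock_bh(&prng_lock);` in `UNLOCK_PRNG()`, and drop the `ul` flag. As far as the hunk shows, `prng_lock` is used only in this file, so `static DEFINE_SPINLOCK(prng_lock);` keeps it out of the global namespace. The macro use sites are outside the hunk, so confirm that none of them is entered with `prng_lock` already held.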



-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org

