1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* connection-level event handling
3 *
4 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
5 * Written by David Howells (dhowells@redhat.com)
6 */
7
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
10 #include <linux/module.h>
11 #include <linux/net.h>
12 #include <linux/skbuff.h>
13 #include <linux/errqueue.h>
14 #include <net/sock.h>
15 #include <net/af_rxrpc.h>
16 #include <net/ip.h>
17 #include "ar-internal.h"
18
19 /*
20 * Set the completion state on an aborted connection.
21 */
rxrpc_set_conn_aborted(struct rxrpc_connection * conn,s32 abort_code,int err,enum rxrpc_call_completion compl)22 static bool rxrpc_set_conn_aborted(struct rxrpc_connection *conn,
23 s32 abort_code, int err,
24 enum rxrpc_call_completion compl)
25 {
26 bool aborted = false;
27
28 if (conn->state != RXRPC_CONN_ABORTED) {
29 spin_lock_irq(&conn->state_lock);
30 if (conn->state != RXRPC_CONN_ABORTED) {
31 conn->abort_code = abort_code;
32 conn->error = err;
33 conn->completion = compl;
34 /* Order the abort info before the state change. */
35 smp_store_release(&conn->state, RXRPC_CONN_ABORTED);
36 set_bit(RXRPC_CONN_DONT_REUSE, &conn->flags);
37 set_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events);
38 aborted = true;
39 }
40 spin_unlock_irq(&conn->state_lock);
41 }
42
43 return aborted;
44 }
45
46 /*
47 * Mark a socket buffer to indicate that the connection it's on should be aborted.
48 */
rxrpc_abort_conn(struct rxrpc_connection * conn,struct sk_buff * skb,s32 abort_code,int err,enum rxrpc_abort_reason why)49 int rxrpc_abort_conn(struct rxrpc_connection *conn, struct sk_buff *skb,
50 s32 abort_code, int err, enum rxrpc_abort_reason why)
51 {
52
53 u32 cid = conn->proto.cid, call = 0, seq = 0;
54
55 if (skb) {
56 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
57
58 cid = sp->hdr.cid;
59 call = sp->hdr.callNumber;
60 seq = sp->hdr.seq;
61 }
62
63 if (rxrpc_set_conn_aborted(conn, abort_code, err,
64 RXRPC_CALL_LOCALLY_ABORTED)) {
65 trace_rxrpc_abort(0, why, cid, call, seq, abort_code, err);
66 rxrpc_poke_conn(conn, rxrpc_conn_get_poke_abort);
67 }
68 return -EPROTO;
69 }
70
71 /*
72 * Mark a connection as being remotely aborted.
73 */
rxrpc_input_conn_abort(struct rxrpc_connection * conn,struct sk_buff * skb)74 static void rxrpc_input_conn_abort(struct rxrpc_connection *conn,
75 struct sk_buff *skb)
76 {
77 trace_rxrpc_rx_conn_abort(conn, skb);
78 rxrpc_set_conn_aborted(conn, skb->priority, -ECONNABORTED,
79 RXRPC_CALL_REMOTELY_ABORTED);
80 }
81
82 /*
83 * Retransmit terminal ACK or ABORT of the previous call.
84 */
rxrpc_conn_retransmit_call(struct rxrpc_connection * conn,struct sk_buff * skb,unsigned int channel)85 void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
86 struct sk_buff *skb,
87 unsigned int channel)
88 {
89 struct rxrpc_skb_priv *sp = skb ? rxrpc_skb(skb) : NULL;
90 struct rxrpc_channel *chan;
91 struct msghdr msg;
92 struct kvec iov[3];
93 struct {
94 struct rxrpc_wire_header whdr;
95 union {
96 __be32 abort_code;
97 struct rxrpc_ackpacket ack;
98 };
99 } __attribute__((packed)) pkt;
100 struct rxrpc_acktrailer trailer;
101 size_t len;
102 int ret, ioc;
103 u32 serial, max_mtu, if_mtu, call_id, padding;
104
105 _enter("%d", conn->debug_id);
106
107 if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) {
108 if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
109 &pkt.ack, sizeof(pkt.ack)) < 0)
110 return;
111 if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE)
112 return;
113 }
114
115 chan = &conn->channels[channel];
116
117 /* If the last call got moved on whilst we were waiting to run, just
118 * ignore this packet.
119 */
120 call_id = chan->last_call;
121 if (skb && call_id != sp->hdr.callNumber)
122 return;
123
124 msg.msg_name = &conn->peer->srx.transport;
125 msg.msg_namelen = conn->peer->srx.transport_len;
126 msg.msg_control = NULL;
127 msg.msg_controllen = 0;
128 msg.msg_flags = 0;
129
130 iov[0].iov_base = &pkt;
131 iov[0].iov_len = sizeof(pkt.whdr);
132 iov[1].iov_base = &padding;
133 iov[1].iov_len = 3;
134 iov[2].iov_base = &trailer;
135 iov[2].iov_len = sizeof(trailer);
136
137 serial = rxrpc_get_next_serial(conn);
138
139 pkt.whdr.epoch = htonl(conn->proto.epoch);
140 pkt.whdr.cid = htonl(conn->proto.cid | channel);
141 pkt.whdr.callNumber = htonl(call_id);
142 pkt.whdr.serial = htonl(serial);
143 pkt.whdr.seq = 0;
144 pkt.whdr.type = chan->last_type;
145 pkt.whdr.flags = conn->out_clientflag;
146 pkt.whdr.userStatus = 0;
147 pkt.whdr.securityIndex = conn->security_ix;
148 pkt.whdr._rsvd = 0;
149 pkt.whdr.serviceId = htons(conn->service_id);
150
151 len = sizeof(pkt.whdr);
152 switch (chan->last_type) {
153 case RXRPC_PACKET_TYPE_ABORT:
154 pkt.abort_code = htonl(chan->last_abort);
155 iov[0].iov_len += sizeof(pkt.abort_code);
156 len += sizeof(pkt.abort_code);
157 ioc = 1;
158 break;
159
160 case RXRPC_PACKET_TYPE_ACK:
161 if_mtu = conn->peer->if_mtu - conn->peer->hdrsize;
162 if (conn->peer->ackr_adv_pmtud) {
163 max_mtu = umax(conn->peer->max_data, rxrpc_rx_mtu);
164 } else {
165 if_mtu = umin(1444, if_mtu);
166 max_mtu = if_mtu;
167 }
168 pkt.ack.bufferSpace = 0;
169 pkt.ack.maxSkew = htons(skb ? skb->priority : 0);
170 pkt.ack.firstPacket = htonl(chan->last_seq + 1);
171 pkt.ack.previousPacket = htonl(chan->last_seq);
172 pkt.ack.serial = htonl(skb ? sp->hdr.serial : 0);
173 pkt.ack.reason = skb ? RXRPC_ACK_DUPLICATE : RXRPC_ACK_IDLE;
174 pkt.ack.nAcks = 0;
175 trailer.maxMTU = htonl(max_mtu);
176 trailer.ifMTU = htonl(if_mtu);
177 trailer.rwind = htonl(rxrpc_rx_window_size);
178 trailer.jumbo_max = 0;
179 pkt.whdr.flags |= RXRPC_SLOW_START_OK;
180 padding = 0;
181 iov[0].iov_len += sizeof(pkt.ack);
182 len += sizeof(pkt.ack) + 3 + sizeof(trailer);
183 ioc = 3;
184
185 trace_rxrpc_tx_ack(chan->call_debug_id, serial,
186 ntohl(pkt.ack.firstPacket),
187 ntohl(pkt.ack.serial),
188 pkt.ack.reason, 0, rxrpc_rx_window_size,
189 rxrpc_propose_ack_retransmit);
190 break;
191
192 default:
193 return;
194 }
195
196 ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len);
197 rxrpc_peer_mark_tx(conn->peer);
198 if (ret < 0)
199 trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret,
200 rxrpc_tx_point_call_final_resend);
201 else
202 trace_rxrpc_tx_packet(chan->call_debug_id, &pkt.whdr,
203 rxrpc_tx_point_call_final_resend);
204
205 _leave("");
206 }
207
208 /*
209 * pass a connection-level abort onto all calls on that connection
210 */
rxrpc_abort_calls(struct rxrpc_connection * conn)211 static void rxrpc_abort_calls(struct rxrpc_connection *conn)
212 {
213 struct rxrpc_call *call;
214 int i;
215
216 _enter("{%d},%x", conn->debug_id, conn->abort_code);
217
218 for (i = 0; i < RXRPC_MAXCALLS; i++) {
219 call = conn->channels[i].call;
220 if (call) {
221 rxrpc_see_call(call, rxrpc_call_see_conn_abort);
222 rxrpc_set_call_completion(call,
223 conn->completion,
224 conn->abort_code,
225 conn->error);
226 rxrpc_poke_call(call, rxrpc_call_poke_conn_abort);
227 }
228 }
229
230 _leave("");
231 }
232
233 /*
234 * mark a call as being on a now-secured channel
235 * - must be called with BH's disabled.
236 */
rxrpc_call_is_secure(struct rxrpc_call * call)237 static void rxrpc_call_is_secure(struct rxrpc_call *call)
238 {
239 if (call && __test_and_clear_bit(RXRPC_CALL_CONN_CHALLENGING, &call->flags))
240 rxrpc_notify_socket(call);
241 }
242
rxrpc_verify_response(struct rxrpc_connection * conn,struct sk_buff * skb)243 static int rxrpc_verify_response(struct rxrpc_connection *conn,
244 struct sk_buff *skb)
245 {
246 int ret;
247
248 if (skb_cloned(skb) || skb_has_frag_list(skb) ||
249 skb_has_shared_frag(skb)) {
250 /* Copy the packet if shared so that we can do in-place
251 * decryption.
252 */
253 struct sk_buff *nskb = skb_copy(skb, GFP_NOFS);
254
255 if (nskb) {
256 rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
257 ret = conn->security->verify_response(conn, nskb);
258 rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
259 } else {
260 /* OOM - Drop the packet. */
261 rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
262 ret = -ENOMEM;
263 }
264 } else {
265 ret = conn->security->verify_response(conn, skb);
266 }
267
268 return ret;
269 }
270
271 /*
272 * connection-level Rx packet processor
273 */
rxrpc_process_event(struct rxrpc_connection * conn,struct sk_buff * skb)274 static int rxrpc_process_event(struct rxrpc_connection *conn,
275 struct sk_buff *skb)
276 {
277 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
278 bool secured = false;
279 int ret;
280
281 if (conn->state == RXRPC_CONN_ABORTED)
282 return -ECONNABORTED;
283
284 _enter("{%d},{%u,%%%u},", conn->debug_id, sp->hdr.type, sp->hdr.serial);
285
286 switch (sp->hdr.type) {
287 case RXRPC_PACKET_TYPE_CHALLENGE:
288 ret = conn->security->respond_to_challenge(conn, skb);
289 sp->chall.conn = NULL;
290 rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
291 return ret;
292
293 case RXRPC_PACKET_TYPE_RESPONSE:
294 spin_lock_irq(&conn->state_lock);
295 if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
296 spin_unlock_irq(&conn->state_lock);
297 return 0;
298 }
299 spin_unlock_irq(&conn->state_lock);
300
301 ret = rxrpc_verify_response(conn, skb);
302 if (ret < 0)
303 return ret;
304
305 ret = conn->security->init_connection_security(
306 conn, conn->key->payload.data[0]);
307 if (ret < 0)
308 return ret;
309
310 spin_lock_irq(&conn->state_lock);
311 if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
312 conn->state = RXRPC_CONN_SERVICE;
313 secured = true;
314 }
315 spin_unlock_irq(&conn->state_lock);
316
317 if (secured) {
318 /* Offload call state flipping to the I/O thread. As
319 * we've already received the packet, put it on the
320 * front of the queue.
321 */
322 sp->poke_conn = rxrpc_get_connection(
323 conn, rxrpc_conn_get_poke_secured);
324 skb->mark = RXRPC_SKB_MARK_SERVICE_CONN_SECURED;
325 rxrpc_get_skb(skb, rxrpc_skb_get_conn_secured);
326 skb_queue_head(&conn->local->rx_queue, skb);
327 rxrpc_wake_up_io_thread(conn->local);
328 }
329 return 0;
330
331 default:
332 WARN_ON_ONCE(1);
333 return -EPROTO;
334 }
335 }
336
337 /*
338 * set up security and issue a challenge
339 */
rxrpc_secure_connection(struct rxrpc_connection * conn)340 static void rxrpc_secure_connection(struct rxrpc_connection *conn)
341 {
342 if (conn->security->issue_challenge(conn) < 0)
343 rxrpc_abort_conn(conn, NULL, RX_CALL_DEAD, -ENOMEM,
344 rxrpc_abort_nomem);
345 }
346
347 /*
348 * Process delayed final ACKs that we haven't subsumed into a subsequent call.
349 */
rxrpc_process_delayed_final_acks(struct rxrpc_connection * conn,bool force)350 void rxrpc_process_delayed_final_acks(struct rxrpc_connection *conn, bool force)
351 {
352 unsigned long j = jiffies, next_j;
353 unsigned int channel;
354 bool set;
355
356 again:
357 next_j = j + LONG_MAX;
358 set = false;
359 for (channel = 0; channel < RXRPC_MAXCALLS; channel++) {
360 struct rxrpc_channel *chan = &conn->channels[channel];
361 unsigned long ack_at;
362
363 if (!test_bit(RXRPC_CONN_FINAL_ACK_0 + channel, &conn->flags))
364 continue;
365
366 ack_at = chan->final_ack_at;
367 if (time_before(j, ack_at) && !force) {
368 if (time_before(ack_at, next_j)) {
369 next_j = ack_at;
370 set = true;
371 }
372 continue;
373 }
374
375 if (test_and_clear_bit(RXRPC_CONN_FINAL_ACK_0 + channel,
376 &conn->flags))
377 rxrpc_conn_retransmit_call(conn, NULL, channel);
378 }
379
380 j = jiffies;
381 if (time_before_eq(next_j, j))
382 goto again;
383 if (set)
384 rxrpc_reduce_conn_timer(conn, next_j);
385 }
386
387 /*
388 * connection-level event processor
389 */
rxrpc_do_process_connection(struct rxrpc_connection * conn)390 static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
391 {
392 struct sk_buff *skb;
393
394 if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
395 rxrpc_secure_connection(conn);
396
397 /* go through the conn-level event packets, releasing the ref on this
398 * connection that each one has when we've finished with it */
399 while ((skb = skb_dequeue(&conn->rx_queue))) {
400 rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
401 rxrpc_process_event(conn, skb);
402 rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
403 }
404 }
405
rxrpc_process_connection(struct work_struct * work)406 void rxrpc_process_connection(struct work_struct *work)
407 {
408 struct rxrpc_connection *conn =
409 container_of(work, struct rxrpc_connection, processor);
410
411 rxrpc_see_connection(conn, rxrpc_conn_see_work);
412
413 if (__rxrpc_use_local(conn->local, rxrpc_local_use_conn_work)) {
414 rxrpc_do_process_connection(conn);
415 rxrpc_unuse_local(conn->local, rxrpc_local_unuse_conn_work);
416 }
417 }
418
419 /*
420 * post connection-level events to the connection
421 * - this includes challenges, responses, some aborts and call terminal packet
422 * retransmission.
423 */
rxrpc_post_packet_to_conn(struct rxrpc_connection * conn,struct sk_buff * skb)424 static void rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
425 struct sk_buff *skb)
426 {
427 _enter("%p,%p", conn, skb);
428
429 rxrpc_get_skb(skb, rxrpc_skb_get_conn_work);
430 skb_queue_tail(&conn->rx_queue, skb);
431 rxrpc_queue_conn(conn, rxrpc_conn_queue_rx_work);
432 }
433
434 /*
435 * Post a CHALLENGE packet to the socket of one of a connection's calls so that
436 * it can get application data to include in the packet, possibly querying
437 * userspace.
438 */
rxrpc_post_challenge(struct rxrpc_connection * conn,struct sk_buff * skb)439 static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
440 struct sk_buff *skb)
441 {
442 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
443 struct rxrpc_call *call = NULL;
444 struct rxrpc_sock *rx;
445 bool respond = false;
446
447 sp->chall.conn =
448 rxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);
449
450 if (!conn->security->challenge_to_recvmsg) {
451 rxrpc_post_packet_to_conn(conn, skb);
452 return true;
453 }
454
455 rcu_read_lock();
456
457 for (int i = 0; i < ARRAY_SIZE(conn->channels); i++) {
458 if (conn->channels[i].call) {
459 call = conn->channels[i].call;
460 rx = rcu_dereference(call->socket);
461 if (!rx) {
462 call = NULL;
463 continue;
464 }
465
466 respond = true;
467 if (test_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags))
468 break;
469 call = NULL;
470 }
471 }
472
473 if (!respond) {
474 rcu_read_unlock();
475 rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
476 sp->chall.conn = NULL;
477 return false;
478 }
479
480 if (call)
481 rxrpc_notify_socket_oob(call, skb);
482 rcu_read_unlock();
483
484 if (!call)
485 rxrpc_post_packet_to_conn(conn, skb);
486 return true;
487 }
488
489 /*
490 * Input a connection-level packet.
491 */
rxrpc_input_conn_packet(struct rxrpc_connection * conn,struct sk_buff * skb)492 bool rxrpc_input_conn_packet(struct rxrpc_connection *conn, struct sk_buff *skb)
493 {
494 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
495
496 switch (sp->hdr.type) {
497 case RXRPC_PACKET_TYPE_BUSY:
498 /* Just ignore BUSY packets for now. */
499 return true;
500
501 case RXRPC_PACKET_TYPE_ABORT:
502 if (rxrpc_is_conn_aborted(conn))
503 return true;
504 rxrpc_input_conn_abort(conn, skb);
505 rxrpc_abort_calls(conn);
506 return true;
507
508 case RXRPC_PACKET_TYPE_CHALLENGE:
509 rxrpc_see_skb(skb, rxrpc_skb_see_oob_challenge);
510 if (rxrpc_is_conn_aborted(conn)) {
511 if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
512 rxrpc_send_conn_abort(conn);
513 return true;
514 }
515 if (!conn->security->validate_challenge(conn, skb))
516 return false;
517 return rxrpc_post_challenge(conn, skb);
518
519 case RXRPC_PACKET_TYPE_RESPONSE:
520 if (rxrpc_is_conn_aborted(conn)) {
521 if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
522 rxrpc_send_conn_abort(conn);
523 return true;
524 }
525 rxrpc_post_packet_to_conn(conn, skb);
526 return true;
527
528 default:
529 WARN_ON_ONCE(1);
530 return true;
531 }
532 }
533
534 /*
535 * Input a connection event.
536 */
rxrpc_input_conn_event(struct rxrpc_connection * conn,struct sk_buff * skb)537 void rxrpc_input_conn_event(struct rxrpc_connection *conn, struct sk_buff *skb)
538 {
539 unsigned int loop;
540
541 if (test_and_clear_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events))
542 rxrpc_abort_calls(conn);
543
544 if (conn->tx_response) {
545 struct sk_buff *skb;
546
547 spin_lock_irq(&conn->local->lock);
548 skb = conn->tx_response;
549 conn->tx_response = NULL;
550 spin_unlock_irq(&conn->local->lock);
551
552 if (conn->state != RXRPC_CONN_ABORTED)
553 rxrpc_send_response(conn, skb);
554 rxrpc_free_skb(skb, rxrpc_skb_put_response);
555 }
556
557 if (skb) {
558 switch (skb->mark) {
559 case RXRPC_SKB_MARK_SERVICE_CONN_SECURED:
560 if (conn->state != RXRPC_CONN_SERVICE)
561 break;
562
563 for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
564 rxrpc_call_is_secure(conn->channels[loop].call);
565 break;
566 }
567 }
568
569 /* Process delayed ACKs whose time has come. */
570 if (conn->flags & RXRPC_CONN_FINAL_ACK_MASK)
571 rxrpc_process_delayed_final_acks(conn, false);
572 }
573
574 /*
575 * Post a RESPONSE message to the I/O thread for transmission.
576 */
rxrpc_post_response(struct rxrpc_connection * conn,struct sk_buff * skb)577 void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
578 {
579 struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
580 struct rxrpc_local *local = conn->local;
581 struct sk_buff *old;
582
583 _enter("%x", sp->resp.challenge_serial);
584
585 spin_lock_irq(&local->lock);
586 old = conn->tx_response;
587 if (old) {
588 struct rxrpc_skb_priv *osp = rxrpc_skb(old);
589
590 /* Always go with the response to the most recent challenge. */
591 if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
592 conn->tx_response = skb;
593 else
594 old = skb;
595 } else {
596 conn->tx_response = skb;
597 }
598 spin_unlock_irq(&local->lock);
599 rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response);
600 rxrpc_free_skb(old, rxrpc_skb_put_old_response);
601 }
602