1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright (C) B.A.T.M.A.N. contributors: 3 * 4 * Martin Hundebøll <martin@hundeboll.net> 5 */ 6 7 #include "fragmentation.h" 8 #include "main.h" 9 10 #include <linux/atomic.h> 11 #include <linux/bug.h> 12 #include <linux/byteorder/generic.h> 13 #include <linux/errno.h> 14 #include <linux/etherdevice.h> 15 #include <linux/gfp.h> 16 #include <linux/if_ether.h> 17 #include <linux/jiffies.h> 18 #include <linux/lockdep.h> 19 #include <linux/minmax.h> 20 #include <linux/netdevice.h> 21 #include <linux/overflow.h> 22 #include <linux/skbuff.h> 23 #include <linux/slab.h> 24 #include <linux/spinlock.h> 25 #include <linux/string.h> 26 #include <uapi/linux/batadv_packet.h> 27 28 #include "hard-interface.h" 29 #include "originator.h" 30 #include "send.h" 31 32 /** 33 * batadv_frag_clear_chain() - delete entries in the fragment buffer chain 34 * @head: head of chain with entries. 35 * @dropped: whether the chain is cleared because all fragments are dropped 36 * 37 * Free fragments in the passed hlist. Should be called with appropriate lock. 38 */ 39 static void batadv_frag_clear_chain(struct hlist_head *head, bool dropped) 40 { 41 struct batadv_frag_list_entry *entry; 42 struct hlist_node *node; 43 44 hlist_for_each_entry_safe(entry, node, head, list) { 45 hlist_del(&entry->list); 46 47 if (dropped) 48 kfree_skb(entry->skb); 49 else 50 consume_skb(entry->skb); 51 52 kfree(entry); 53 } 54 } 55 56 /** 57 * batadv_frag_purge_orig() - free fragments associated to an orig 58 * @orig_node: originator to free fragments from 59 * @check_cb: optional function to tell if an entry should be purged 60 */ 61 void batadv_frag_purge_orig(struct batadv_orig_node *orig_node, 62 bool (*check_cb)(struct batadv_frag_table_entry *)) 63 { 64 struct batadv_frag_table_entry *chain; 65 u8 i; 66 67 for (i = 0; i < BATADV_FRAG_BUFFER_COUNT; i++) { 68 chain = &orig_node->fragments[i]; 69 spin_lock_bh(&chain->lock); 70 71 if (!check_cb || check_cb(chain)) { 72 batadv_frag_clear_chain(&chain->fragment_list, true); 73 chain->size = 0; 74 } 75 76 spin_unlock_bh(&chain->lock); 77 } 78 } 79 80 /** 81 * batadv_frag_size_limit() - maximum possible size of packet to be fragmented 82 * 83 * Return: the maximum size of payload that can be fragmented. 84 */ 85 static size_t batadv_frag_size_limit(void) 86 { 87 size_t limit = BATADV_FRAG_MAX_FRAG_SIZE; 88 89 limit -= sizeof(struct batadv_frag_packet); 90 limit *= BATADV_FRAG_MAX_FRAGMENTS; 91 92 return limit; 93 } 94 95 /** 96 * batadv_frag_init_chain() - check and prepare fragment chain for new fragment 97 * @chain: chain in fragments table to init 98 * @seqno: sequence number of the received fragment 99 * 100 * Make chain ready for a fragment with sequence number "seqno". Delete existing 101 * entries if they have an "old" sequence number. 102 * 103 * Caller must hold chain->lock. 104 * 105 * Return: true if chain is empty and the caller can just insert the new 106 * fragment without searching for the right position. 107 */ 108 static bool batadv_frag_init_chain(struct batadv_frag_table_entry *chain, 109 u16 seqno) 110 { 111 lockdep_assert_held(&chain->lock); 112 113 if (chain->seqno == seqno) 114 return false; 115 116 if (!hlist_empty(&chain->fragment_list)) 117 batadv_frag_clear_chain(&chain->fragment_list, true); 118 119 chain->size = 0; 120 chain->seqno = seqno; 121 122 return true; 123 } 124 125 /** 126 * batadv_frag_insert_packet() - insert a fragment into a fragment chain 127 * @orig_node: originator that the fragment was received from 128 * @skb: skb to insert 129 * @chain_out: list head to attach complete chains of fragments to 130 * 131 * Insert a new fragment into the reverse ordered chain in the right table 132 * entry. The hash table entry is cleared if "old" fragments exist in it. 133 * 134 * Return: true if skb is buffered, false on error. If the chain has all the 135 * fragments needed to merge the packet, the chain is moved to the passed head 136 * to avoid locking the chain in the table. 137 */ 138 static bool batadv_frag_insert_packet(struct batadv_orig_node *orig_node, 139 struct sk_buff *skb, 140 struct hlist_head *chain_out) 141 { 142 struct batadv_frag_table_entry *chain; 143 struct batadv_frag_list_entry *frag_entry_new = NULL, *frag_entry_curr; 144 struct batadv_frag_list_entry *frag_entry_last = NULL; 145 struct batadv_frag_packet *frag_packet; 146 u8 bucket; 147 u16 seqno, hdr_size = sizeof(struct batadv_frag_packet); 148 bool overflow = false; 149 bool ret = false; 150 size_t data_len; 151 152 /* Linearize packet to avoid linearizing 16 packets in a row when doing 153 * the later merge. Non-linear merge should be added to remove this 154 * linearization. 155 */ 156 if (skb_linearize(skb) < 0) 157 goto err; 158 159 frag_packet = (struct batadv_frag_packet *)skb->data; 160 data_len = skb->len - hdr_size; 161 seqno = ntohs(frag_packet->seqno); 162 bucket = seqno % BATADV_FRAG_BUFFER_COUNT; 163 164 frag_entry_new = kmalloc_obj(*frag_entry_new, GFP_ATOMIC); 165 if (!frag_entry_new) 166 goto err; 167 168 frag_entry_new->skb = skb; 169 frag_entry_new->no = frag_packet->no; 170 171 /* Select entry in the "chain table" and delete any prior fragments 172 * with another sequence number. batadv_frag_init_chain() returns true, 173 * if the list is empty at return. 174 */ 175 chain = &orig_node->fragments[bucket]; 176 spin_lock_bh(&chain->lock); 177 if (batadv_frag_init_chain(chain, seqno)) { 178 hlist_add_head(&frag_entry_new->list, &chain->fragment_list); 179 chain->size = data_len; 180 chain->timestamp = jiffies; 181 chain->total_size = ntohs(frag_packet->total_size); 182 ret = true; 183 goto out; 184 } 185 186 /* Find the position for the new fragment. */ 187 hlist_for_each_entry(frag_entry_curr, &chain->fragment_list, list) { 188 /* Drop packet if fragment already exists. */ 189 if (frag_entry_curr->no == frag_entry_new->no) 190 goto err_unlock; 191 192 /* Order fragments from highest to lowest. */ 193 if (frag_entry_curr->no < frag_entry_new->no) { 194 hlist_add_before(&frag_entry_new->list, 195 &frag_entry_curr->list); 196 197 if (check_add_overflow(chain->size, data_len, 198 &chain->size)) 199 overflow = true; 200 201 chain->timestamp = jiffies; 202 ret = true; 203 goto out; 204 } 205 206 /* store current entry because it could be the last in list */ 207 frag_entry_last = frag_entry_curr; 208 } 209 210 /* Reached the end of the list, so insert after 'frag_entry_last'. */ 211 if (likely(frag_entry_last)) { 212 hlist_add_behind(&frag_entry_new->list, &frag_entry_last->list); 213 214 if (check_add_overflow(chain->size, data_len, &chain->size)) 215 overflow = true; 216 217 chain->timestamp = jiffies; 218 ret = true; 219 } 220 221 out: 222 if (overflow || chain->size > batadv_frag_size_limit() || 223 chain->total_size != ntohs(frag_packet->total_size) || 224 chain->total_size > batadv_frag_size_limit()) { 225 /* Clear chain if total size of either the list or the packet 226 * exceeds the maximum size of one merged packet. Don't allow 227 * packets to have different total_size. 228 */ 229 batadv_frag_clear_chain(&chain->fragment_list, true); 230 chain->size = 0; 231 } else if (ntohs(frag_packet->total_size) == chain->size) { 232 /* All fragments received. Hand over chain to caller. */ 233 hlist_move_list(&chain->fragment_list, chain_out); 234 chain->size = 0; 235 } 236 237 err_unlock: 238 spin_unlock_bh(&chain->lock); 239 240 err: 241 if (!ret) { 242 kfree(frag_entry_new); 243 kfree_skb(skb); 244 } 245 246 return ret; 247 } 248 249 /** 250 * batadv_frag_merge_packets() - merge a chain of fragments 251 * @chain: head of chain with fragments 252 * 253 * Expand the first skb in the chain and copy the content of the remaining 254 * skb's into the expanded one. After doing so, clear the chain. 255 * 256 * Return: the merged skb or NULL on error. 257 */ 258 static struct sk_buff * 259 batadv_frag_merge_packets(struct hlist_head *chain) 260 { 261 struct batadv_frag_packet *packet; 262 struct batadv_frag_list_entry *entry; 263 struct sk_buff *skb_out; 264 int size, hdr_size = sizeof(struct batadv_frag_packet); 265 bool dropped = false; 266 267 /* Remove first entry, as this is the destination for the rest of the 268 * fragments. 269 */ 270 entry = hlist_entry(chain->first, struct batadv_frag_list_entry, list); 271 hlist_del(&entry->list); 272 skb_out = entry->skb; 273 kfree(entry); 274 275 packet = (struct batadv_frag_packet *)skb_out->data; 276 size = ntohs(packet->total_size) + hdr_size; 277 278 /* Make room for the rest of the fragments. */ 279 if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { 280 kfree_skb(skb_out); 281 skb_out = NULL; 282 dropped = true; 283 goto free; 284 } 285 286 /* Move the existing MAC header to just before the payload. (Override 287 * the fragment header.) 288 */ 289 skb_pull(skb_out, hdr_size); 290 skb_out->ip_summed = CHECKSUM_NONE; 291 memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN); 292 skb_set_mac_header(skb_out, -ETH_HLEN); 293 skb_reset_network_header(skb_out); 294 skb_reset_transport_header(skb_out); 295 296 /* Copy the payload of the each fragment into the last skb */ 297 hlist_for_each_entry(entry, chain, list) { 298 size = entry->skb->len - hdr_size; 299 skb_put_data(skb_out, entry->skb->data + hdr_size, size); 300 } 301 302 free: 303 /* Locking is not needed, because 'chain' is not part of any orig. */ 304 batadv_frag_clear_chain(chain, dropped); 305 return skb_out; 306 } 307 308 /** 309 * batadv_skb_is_frag() - check if newly merged skb contains unicast fragment 310 * @skb: newly merged skb 311 * 312 * Return: true if the newly merged skb is of type BATADV_UNICAST_FRAG, false 313 * otherwise 314 */ 315 static bool batadv_skb_is_frag(struct sk_buff *skb) 316 { 317 struct batadv_ogm_packet *batadv_ogm_packet; 318 319 /* packet should hold at least type and version */ 320 if (unlikely(!pskb_may_pull(skb, 2))) 321 return false; 322 323 batadv_ogm_packet = (struct batadv_ogm_packet *)skb->data; 324 325 if (batadv_ogm_packet->version != BATADV_COMPAT_VERSION) 326 return false; 327 328 if (batadv_ogm_packet->packet_type != BATADV_UNICAST_FRAG) 329 return false; 330 331 return true; 332 } 333 334 /** 335 * batadv_frag_skb_buffer() - buffer fragment for later merge 336 * @skb: skb to buffer 337 * @orig_node_src: originator that the skb is received from 338 * 339 * Add fragment to buffer and merge fragments if possible. 340 * 341 * There are three possible outcomes: 1) Packet is merged: Return true and 342 * set *skb to merged packet; 2) Packet is buffered: Return true and set *skb 343 * to NULL; 3) Error: Return false and free skb. 344 * 345 * Return: true when the packet is merged or buffered, false when skb is not 346 * used. 347 */ 348 bool batadv_frag_skb_buffer(struct sk_buff **skb, 349 struct batadv_orig_node *orig_node_src) 350 { 351 struct sk_buff *skb_out = NULL; 352 struct hlist_head head = HLIST_HEAD_INIT; 353 bool ret = false; 354 355 /* Add packet to buffer and table entry if merge is possible. */ 356 if (!batadv_frag_insert_packet(orig_node_src, *skb, &head)) 357 goto out_err; 358 359 /* Leave if more fragments are needed to merge. */ 360 if (hlist_empty(&head)) 361 goto out; 362 363 skb_out = batadv_frag_merge_packets(&head); 364 if (!skb_out) 365 goto out_err; 366 367 /* fragment in fragment is not allowed. otherwise it is possible 368 * to exhaust the stack when receiving a matryoshka-style 369 * "fragments in a fragment packet" 370 */ 371 if (batadv_skb_is_frag(skb_out)) { 372 kfree_skb(skb_out); 373 skb_out = NULL; 374 goto out_err; 375 } 376 377 out: 378 ret = true; 379 out_err: 380 *skb = skb_out; 381 return ret; 382 } 383 384 /** 385 * batadv_frag_skb_fwd() - forward fragments that would exceed MTU when merged 386 * @skb: skb to forward 387 * @recv_if: interface that the skb is received on 388 * @orig_node_src: originator that the skb is received from 389 * 390 * Look up the next-hop of the fragments payload and check if the merged packet 391 * will exceed the MTU towards the next-hop. If so, the fragment is forwarded 392 * without merging it. 393 * 394 * Return: true if the fragment is consumed/forwarded, false otherwise. 395 */ 396 bool batadv_frag_skb_fwd(struct sk_buff *skb, 397 struct batadv_hard_iface *recv_if, 398 struct batadv_orig_node *orig_node_src) 399 { 400 struct batadv_priv *bat_priv = netdev_priv(recv_if->mesh_iface); 401 struct batadv_neigh_node *neigh_node = NULL; 402 struct batadv_frag_packet *packet; 403 u16 total_size; 404 bool ret = false; 405 406 packet = (struct batadv_frag_packet *)skb->data; 407 408 neigh_node = batadv_orig_to_router(bat_priv, packet->dest, recv_if); 409 if (!neigh_node) 410 goto out; 411 412 /* Forward the fragment, if the merged packet would be too big to 413 * be assembled. 414 */ 415 total_size = ntohs(packet->total_size); 416 if (total_size > neigh_node->if_incoming->net_dev->mtu) { 417 batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_FWD); 418 batadv_add_counter(bat_priv, BATADV_CNT_FRAG_FWD_BYTES, 419 skb->len + ETH_HLEN); 420 421 packet->ttl--; 422 batadv_send_unicast_skb(skb, neigh_node); 423 ret = true; 424 } 425 426 out: 427 batadv_neigh_node_put(neigh_node); 428 return ret; 429 } 430 431 /** 432 * batadv_frag_create() - create a fragment from skb 433 * @net_dev: outgoing device for fragment 434 * @skb: skb to create fragment from 435 * @frag_head: header to use in new fragment 436 * @fragment_size: size of new fragment 437 * 438 * Split the passed skb into two fragments: A new one with size matching the 439 * passed mtu and the old one with the rest. The new skb contains data from the 440 * tail of the old skb. 441 * 442 * Return: the new fragment, NULL on error. 443 */ 444 static struct sk_buff *batadv_frag_create(struct net_device *net_dev, 445 struct sk_buff *skb, 446 struct batadv_frag_packet *frag_head, 447 unsigned int fragment_size) 448 { 449 unsigned int ll_reserved = LL_RESERVED_SPACE(net_dev); 450 unsigned int tailroom = net_dev->needed_tailroom; 451 struct sk_buff *skb_fragment; 452 unsigned int header_size = sizeof(*frag_head); 453 unsigned int mtu = fragment_size + header_size; 454 455 skb_fragment = dev_alloc_skb(ll_reserved + mtu + tailroom); 456 if (!skb_fragment) 457 goto err; 458 459 skb_fragment->priority = skb->priority; 460 461 /* Eat the last mtu-bytes of the skb */ 462 skb_reserve(skb_fragment, ll_reserved + header_size); 463 skb_split(skb, skb_fragment, skb->len - fragment_size); 464 465 /* Add the header */ 466 skb_push(skb_fragment, header_size); 467 memcpy(skb_fragment->data, frag_head, header_size); 468 469 err: 470 return skb_fragment; 471 } 472 473 /** 474 * batadv_frag_send_packet() - create up to 16 fragments from the passed skb 475 * @skb: skb to create fragments from 476 * @orig_node: final destination of the created fragments 477 * @neigh_node: next-hop of the created fragments 478 * 479 * Return: the netdev tx status or a negative errno code on a failure 480 */ 481 int batadv_frag_send_packet(struct sk_buff *skb, 482 struct batadv_orig_node *orig_node, 483 struct batadv_neigh_node *neigh_node) 484 { 485 struct net_device *net_dev = neigh_node->if_incoming->net_dev; 486 struct batadv_priv *bat_priv; 487 struct batadv_hard_iface *primary_if = NULL; 488 struct batadv_frag_packet frag_header; 489 struct sk_buff *skb_fragment; 490 unsigned int mtu = net_dev->mtu; 491 unsigned int header_size = sizeof(frag_header); 492 unsigned int max_fragment_size, num_fragments; 493 int ret; 494 495 /* To avoid merge and refragmentation at next-hops we never send 496 * fragments larger than BATADV_FRAG_MAX_FRAG_SIZE 497 */ 498 mtu = min_t(unsigned int, mtu, BATADV_FRAG_MAX_FRAG_SIZE); 499 max_fragment_size = mtu - header_size; 500 501 if (skb->len == 0 || max_fragment_size == 0) 502 return -EINVAL; 503 504 num_fragments = (skb->len - 1) / max_fragment_size + 1; 505 max_fragment_size = (skb->len - 1) / num_fragments + 1; 506 507 /* Don't even try to fragment, if we need more than 16 fragments */ 508 if (num_fragments > BATADV_FRAG_MAX_FRAGMENTS) { 509 ret = -EAGAIN; 510 goto free_skb; 511 } 512 513 bat_priv = orig_node->bat_priv; 514 primary_if = batadv_primary_if_get_selected(bat_priv); 515 if (!primary_if) { 516 ret = -EINVAL; 517 goto free_skb; 518 } 519 520 /* GRO might have added fragments to the fragment list instead of 521 * frags[]. But this is not handled by skb_split and must be 522 * linearized to avoid incorrect length information after all 523 * batman-adv fragments were created and submitted to the 524 * hard-interface 525 */ 526 if (skb_has_frag_list(skb) && __skb_linearize(skb)) { 527 ret = -ENOMEM; 528 goto free_skb; 529 } 530 531 /* Create one header to be copied to all fragments */ 532 frag_header.packet_type = BATADV_UNICAST_FRAG; 533 frag_header.version = BATADV_COMPAT_VERSION; 534 frag_header.ttl = BATADV_TTL; 535 frag_header.seqno = htons(atomic_inc_return(&bat_priv->frag_seqno)); 536 frag_header.reserved = 0; 537 frag_header.no = 0; 538 frag_header.total_size = htons(skb->len); 539 540 /* skb->priority values from 256->263 are magic values to 541 * directly indicate a specific 802.1d priority. This is used 542 * to allow 802.1d priority to be passed directly in from VLAN 543 * tags, etc. 544 */ 545 if (skb->priority >= 256 && skb->priority <= 263) 546 frag_header.priority = skb->priority - 256; 547 else 548 frag_header.priority = 0; 549 550 ether_addr_copy(frag_header.orig, primary_if->net_dev->dev_addr); 551 ether_addr_copy(frag_header.dest, orig_node->orig); 552 553 /* Eat and send fragments from the tail of skb */ 554 while (skb->len > max_fragment_size) { 555 /* The initial check in this function should cover this case */ 556 if (unlikely(frag_header.no == BATADV_FRAG_MAX_FRAGMENTS - 1)) { 557 ret = -EINVAL; 558 goto put_primary_if; 559 } 560 561 skb_fragment = batadv_frag_create(net_dev, skb, &frag_header, 562 max_fragment_size); 563 if (!skb_fragment) { 564 ret = -ENOMEM; 565 goto put_primary_if; 566 } 567 568 batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_TX); 569 batadv_add_counter(bat_priv, BATADV_CNT_FRAG_TX_BYTES, 570 skb_fragment->len + ETH_HLEN); 571 ret = batadv_send_unicast_skb(skb_fragment, neigh_node); 572 if (ret != NET_XMIT_SUCCESS) { 573 ret = NET_XMIT_DROP; 574 goto put_primary_if; 575 } 576 577 frag_header.no++; 578 } 579 580 /* make sure that there is at least enough head for the fragmentation 581 * and ethernet headers 582 */ 583 ret = skb_cow_head(skb, ETH_HLEN + header_size); 584 if (ret < 0) 585 goto put_primary_if; 586 587 skb_push(skb, header_size); 588 memcpy(skb->data, &frag_header, header_size); 589 590 /* Send the last fragment */ 591 batadv_inc_counter(bat_priv, BATADV_CNT_FRAG_TX); 592 batadv_add_counter(bat_priv, BATADV_CNT_FRAG_TX_BYTES, 593 skb->len + ETH_HLEN); 594 ret = batadv_send_unicast_skb(skb, neigh_node); 595 /* skb was consumed */ 596 skb = NULL; 597 598 put_primary_if: 599 batadv_hardif_put(primary_if); 600 free_skb: 601 kfree_skb(skb); 602 603 return ret; 604 } 605