// SPDX-License-Identifier: GPL-2.0-or-later
/* connection-level event handling
 *
 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/errqueue.h>
#include <net/sock.h>
#include <net/af_rxrpc.h>
#include <net/ip.h>
#include "ar-internal.h"

/*
 * Set the completion state on an aborted connection.
 *
 * Stores @abort_code, @err and @compl in @conn and switches it to
 * RXRPC_CONN_ABORTED, then flags the connection as not reusable and raises
 * the ABORT_CALLS event.  Nothing is changed if the connection is already
 * aborted, so the details recorded by the first abort are the ones kept.
 *
 * Returns true if this call made the transition, false if the connection was
 * already aborted.
 */
static bool rxrpc_set_conn_aborted(struct rxrpc_connection *conn,
				   s32 abort_code, int err,
				   enum rxrpc_call_completion compl)
{
	bool did_abort = false;

	/* Unlocked peek: skip the lock entirely if already aborted. */
	if (conn->state == RXRPC_CONN_ABORTED)
		return false;

	spin_lock_irq(&conn->state_lock);
	/* Recheck under the lock so that only one caller records the abort. */
	if (conn->state != RXRPC_CONN_ABORTED) {
		conn->abort_code = abort_code;
		conn->error = err;
		conn->completion = compl;
		/* Order the abort info before the state change. */
		smp_store_release(&conn->state, RXRPC_CONN_ABORTED);
		set_bit(RXRPC_CONN_DONT_REUSE, &conn->flags);
		set_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events);
		did_abort = true;
	}
	spin_unlock_irq(&conn->state_lock);

	return did_abort;
}

/*
 * Locally abort a connection, optionally on behalf of a received packet.
 *
 * @skb may be NULL.  When it is supplied, the cid, call number and sequence
 * number reported by the abort tracepoint come from the header held in its
 * rxrpc_skb_priv; otherwise the connection's own cid is reported with a zero
 * call number and sequence.  The tracepoint and the connection poke happen
 * only if this call is the one that moved the connection to the aborted
 * state.
 *
 * Always returns -EPROTO, whether or not this call performed the abort.
 */
int rxrpc_abort_conn(struct rxrpc_connection *conn, struct sk_buff *skb,
		     s32 abort_code, int err, enum rxrpc_abort_reason why)
{
	u32 cid = conn->proto.cid;
	u32 call_nr = 0;
	u32 seq_nr = 0;

	if (skb) {
		const struct rxrpc_skb_priv *sp = rxrpc_skb(skb);

		cid = sp->hdr.cid;
		call_nr = sp->hdr.callNumber;
		seq_nr = sp->hdr.seq;
	}

	/* Someone else already aborted the connection: nothing to report. */
	if (!rxrpc_set_conn_aborted(conn, abort_code, err,
				    RXRPC_CALL_LOCALLY_ABORTED))
		return -EPROTO;

	trace_rxrpc_abort(0, why, cid, call_nr, seq_nr, abort_code, err);
	rxrpc_poke_conn(conn, rxrpc_conn_get_poke_abort);
	return -EPROTO;
}

/*
 * Mark a connection as being remotely aborted.
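*/
/*
 * Record an abort received from the peer.
 *
 * The abort code is read from skb->priority (presumably stashed there by the
 * packet input path - confirm against the caller) and the error is fixed at
 * -ECONNABORTED.  If the connection was already aborted, the earlier abort's
 * details are left in place.
 */
static void rxrpc_input_conn_abort(struct rxrpc_connection *conn,
				   struct sk_buff *skb)
{
	trace_rxrpc_rx_conn_abort(conn, skb);
	rxrpc_set_conn_aborted(conn, skb->priority, -ECONNABORTED,
			       RXRPC_CALL_REMOTELY_ABORTED);
}

/*
 * Retransmit terminal ACK or ABORT of the previous call.
 *
 * @skb is the packet that provoked the retransmission, or NULL when there is
 * none (as when flushing a delayed final ACK).  @channel selects the slot in
 * conn->channels[] whose last_call, last_type, last_seq and last_abort
 * describe what to resend.
 *
 * Nothing is sent if @channel is outside conn->channels[], if @skb is an ACK
 * whose body cannot be copied out or whose reason is PING_RESPONSE, if the
 * channel's last call is not the one @skb names, or if the recorded last
 * packet type is neither ABORT nor ACK.
 */
void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
				struct sk_buff *skb,
				unsigned int channel)
{
	struct rxrpc_skb_priv *sp = skb ? rxrpc_skb(skb) : NULL;
	struct rxrpc_channel *chan;
	/* Zero-fill the whole msghdr so that members not assigned below never
	 * carry stale stack contents into the socket layer.
	 */
	struct msghdr msg = { .msg_flags = 0 };
	struct kvec iov[3];
	struct {
		struct rxrpc_wire_header whdr;
		union {
			__be32 abort_code;
			struct rxrpc_ackpacket ack;
		};
	} __attribute__((packed)) pkt;
	struct rxrpc_acktrailer trailer;
	size_t len;
	int ret, ioc;
	u32 serial, max_mtu, if_mtu, call_id, padding;

	_enter("%d", conn->debug_id);

	/* @channel indexes conn->channels[] directly.  Whether every caller
	 * has already reduced it to a valid slot is not visible from here, so
	 * refuse anything outside the array.
	 */
	if (channel >= ARRAY_SIZE(conn->channels))
		return;

	if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) {
		/* Copy out the ACK body that follows the wire header; a short
		 * packet makes the copy fail and is dropped.
		 */
		if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
				  &pkt.ack, sizeof(pkt.ack)) < 0)
			return;
		if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE)
			return;
	}

	chan = &conn->channels[channel];

	/* If the last call got moved on whilst we were waiting to run, just
	 * ignore this packet.
	 */
	call_id = chan->last_call;
	if (skb && call_id != sp->hdr.callNumber)
		return;

	msg.msg_name	= &conn->peer->srx.transport;
	msg.msg_namelen	= conn->peer->srx.transport_len;

	/* iov[0] is the header plus the ABORT/ACK body; iov[1] and iov[2] are
	 * only transmitted for an ACK (ioc == 3) and carry three bytes taken
	 * from @padding followed by the ACK trailer.
	 */
	iov[0].iov_base	= &pkt;
	iov[0].iov_len	= sizeof(pkt.whdr);
	iov[1].iov_base	= &padding;
	iov[1].iov_len	= 3;
	iov[2].iov_base	= &trailer;
	iov[2].iov_len	= sizeof(trailer);

	serial = rxrpc_get_next_serial(conn);

	pkt.whdr.epoch		= htonl(conn->proto.epoch);
	pkt.whdr.cid		= htonl(conn->proto.cid | channel);
	pkt.whdr.callNumber	= htonl(call_id);
	pkt.whdr.serial		= htonl(serial);
	pkt.whdr.seq		= 0;
	pkt.whdr.type		= chan->last_type;
	pkt.whdr.flags		= conn->out_clientflag;
	pkt.whdr.userStatus	= 0;
	pkt.whdr.securityIndex	= conn->security_ix;
	pkt.whdr._rsvd		= 0;
	pkt.whdr.serviceId	= htons(conn->service_id);

	len = sizeof(pkt.whdr);
	switch (chan->last_type) {
	case RXRPC_PACKET_TYPE_ABORT:
		pkt.abort_code	= htonl(chan->last_abort);
		iov[0].iov_len += sizeof(pkt.abort_code);
		len += sizeof(pkt.abort_code);
		ioc = 1;
		break;

	case RXRPC_PACKET_TYPE_ACK:
		if_mtu = conn->peer->if_mtu - conn->peer->hdrsize;
		if (conn->peer->ackr_adv_pmtud) {
			max_mtu = umax(conn->peer->max_data, rxrpc_rx_mtu);
		} else {
			/* NOTE(review): 1444 is an unexplained literal here;
			 * presumably a legacy packet-size ceiling - confirm.
			 */
			if_mtu = umin(1444, if_mtu);
			max_mtu = if_mtu;
		}
		/* Every ACK and trailer field is assigned so that no stack
		 * bytes from pkt or trailer reach the wire.
		 */
		pkt.ack.bufferSpace	= 0;
		pkt.ack.maxSkew		= htons(skb ? skb->priority : 0);
		pkt.ack.firstPacket	= htonl(chan->last_seq + 1);
		pkt.ack.previousPacket	= htonl(chan->last_seq);
		pkt.ack.serial		= htonl(skb ? sp->hdr.serial : 0);
		pkt.ack.reason		= skb ? RXRPC_ACK_DUPLICATE : RXRPC_ACK_IDLE;
		pkt.ack.nAcks		= 0;
		trailer.maxMTU		= htonl(max_mtu);
		trailer.ifMTU		= htonl(if_mtu);
		trailer.rwind		= htonl(rxrpc_rx_window_size);
		trailer.jumbo_max	= 0;
		pkt.whdr.flags		|= RXRPC_SLOW_START_OK;
		padding			= 0;
		iov[0].iov_len += sizeof(pkt.ack);
		len += sizeof(pkt.ack) + 3 + sizeof(trailer);
		ioc = 3;

		trace_rxrpc_tx_ack(chan->call_debug_id, serial,
				   ntohl(pkt.ack.firstPacket),
				   ntohl(pkt.ack.serial),
				   pkt.ack.reason, 0, rxrpc_rx_window_size,
				   rxrpc_propose_ack_retransmit);
		break;

	default:
		/* Nothing recorded that we know how to resend. */
		return;
	}

	ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len);
	/* The peer is marked as transmitted-to whether or not the send worked. */
	rxrpc_peer_mark_tx(conn->peer);
	if (ret < 0)
		trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret,
				    rxrpc_tx_point_call_final_resend);
	else
		trace_rxrpc_tx_packet(chan->call_debug_id, &pkt.whdr,
				      rxrpc_tx_point_call_final_resend);

	_leave("");
}

/*
 * pass a connection-level abort onto all calls on that connection
 *
 * Every call currently attached to one of the connection's channels is
 * completed with the completion state, abort code and error recorded on the
 * connection and is then poked.
 */
static void rxrpc_abort_calls(struct rxrpc_connection *conn)
{
	struct rxrpc_call *call;
	int i;

	_enter("{%d},%x", conn->debug_id, conn->abort_code);

	for (i = 0; i < RXRPC_MAXCALLS; i++) {
		call = conn->channels[i].call;
		if (!call)
			continue;

		rxrpc_see_call(call, rxrpc_call_see_conn_abort);
		rxrpc_set_call_completion(call,
					  conn->completion,
					  conn->abort_code,
					  conn->error);
		rxrpc_poke_call(call, rxrpc_call_poke_conn_abort);
	}

	_leave("");
}

/*
 * mark a call as being on a now-secured channel
 * - must be called with BH's disabled.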
*/
static void rxrpc_call_is_secure(struct rxrpc_call *call)
{
	/* Channels with no call attached are passed in as NULL. */
	if (!call)
		return;

	/* Only notify the socket if the call was actually waiting on the
	 * challenge; the flag is cleared with the non-atomic bit op.
	 */
	if (__test_and_clear_bit(RXRPC_CALL_CONN_CHALLENGING, &call->flags))
		rxrpc_notify_socket(call);
}

/*
 * Hand a RESPONSE packet to the security class for verification.
 *
 * If the buffer is cloned, has a frag list or has a shared frag, the check is
 * run on a private copy so that in-place decryption cannot alter data that
 * something else may still be looking at.  The copy is freed afterwards, so
 * the caller's @skb is left unmodified in that case.
 *
 * Returns the security class's verify_response() result, or -ENOMEM if the
 * private copy could not be allocated.
 */
static int rxrpc_verify_response(struct rxrpc_connection *conn,
				 struct sk_buff *skb)
{
	struct sk_buff *nskb;
	int ret;

	/* Exclusive, linear-enough buffer: verify it where it is. */
	if (!skb_cloned(skb) && !skb_has_frag_list(skb) &&
	    !skb_has_shared_frag(skb))
		return conn->security->verify_response(conn, skb);

	/* Copy the packet if shared so that we can do in-place
	 * decryption.
	 */
	nskb = skb_copy(skb, GFP_NOFS);
	if (!nskb) {
		/* OOM - Drop the packet. */
		rxrpc_see_skb(skb, rxrpc_skb_see_unshare_nomem);
		return -ENOMEM;
	}

	rxrpc_new_skb(nskb, rxrpc_skb_new_unshared);
	ret = conn->security->verify_response(conn, nskb);
	rxrpc_free_skb(nskb, rxrpc_skb_put_response_copy);
	return ret;
}

/*
 * connection-level Rx packet processor
 *
 * Handles a CHALLENGE or RESPONSE packet queued on the connection.  Returns 0
 * or a negative error; -ECONNABORTED if the connection is already aborted and
 * -EPROTO (after a one-off warning) for any other packet type.
 */
static int rxrpc_process_event(struct rxrpc_connection *conn,
			       struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	bool challenging;
	bool now_secured = false;
	int ret;

	if (conn->state == RXRPC_CONN_ABORTED)
		return -ECONNABORTED;

	_enter("{%d},{%u,%%%u},", conn->debug_id, sp->hdr.type, sp->hdr.serial);

	switch (sp->hdr.type) {
	case RXRPC_PACKET_TYPE_CHALLENGE:
		ret = conn->security->respond_to_challenge(conn, skb);
		/* Release the connection ref that rxrpc_post_challenge()
		 * parked in the skb.
		 */
		sp->chall.conn = NULL;
		rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
		return ret;

	case RXRPC_PACKET_TYPE_RESPONSE:
		/* A RESPONSE is only meaningful while we are waiting for one;
		 * in any other state it is ignored without being verified.
		 */
		spin_lock_irq(&conn->state_lock);
		challenging = (conn->state == RXRPC_CONN_SERVICE_CHALLENGING);
		spin_unlock_irq(&conn->state_lock);
		if (!challenging)
			return 0;

		ret = rxrpc_verify_response(conn, skb);
		if (ret < 0)
			return ret;

		ret = conn->security->init_connection_security(
			conn, conn->key->payload.data[0]);
		if (ret < 0)
			return ret;

		/* The lock was dropped during verification, so recheck the
		 * state before committing: the connection only becomes a
		 * secured service connection if it is still challenging.
		 */
		spin_lock_irq(&conn->state_lock);
		if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
			conn->state = RXRPC_CONN_SERVICE;
			now_secured = true;
		}
		spin_unlock_irq(&conn->state_lock);

		if (!now_secured)
			return 0;

		/* Offload call state flipping to the I/O thread.  As
		 * we've already received the packet, put it on the
		 * front of the queue.
		 */
		sp->poke_conn = rxrpc_get_connection(
			conn, rxrpc_conn_get_poke_secured);
		skb->mark = RXRPC_SKB_MARK_SERVICE_CONN_SECURED;
		rxrpc_get_skb(skb, rxrpc_skb_get_conn_secured);
		skb_queue_head(&conn->local->rx_queue, skb);
		rxrpc_wake_up_io_thread(conn->local);
		return 0;

	default:
		WARN_ON_ONCE(1);
		return -EPROTO;
	}
}

/*
 * set up security and issue a challenge
 *
 * If the security class fails to issue the challenge, the connection is
 * aborted locally with RX_CALL_DEAD.  The failure is always recorded as
 * -ENOMEM, whatever error issue_challenge() actually returned.
 */
static void rxrpc_secure_connection(struct rxrpc_connection *conn)
{
	int ret = conn->security->issue_challenge(conn);

	if (ret < 0)
		rxrpc_abort_conn(conn, NULL, RX_CALL_DEAD, -ENOMEM,
				 rxrpc_abort_nomem);
}

/*
 * Process delayed final ACKs that we haven't subsumed into a subsequent call.
*/
/*
 * For each channel with its FINAL_ACK flag set, retransmit the terminal
 * packet if the channel's final_ack_at time has been reached, or
 * unconditionally when @force is true.  Channels that are not yet due are
 * left flagged and the connection timer is reduced to the earliest of their
 * deadlines.  The scan is repeated if that earliest deadline has already
 * passed by the time the scan finishes.
 */
void rxrpc_process_delayed_final_acks(struct rxrpc_connection *conn, bool force)
{
	unsigned long now = jiffies, next_at;
	unsigned int channel;
	bool have_next;

	do {
		/* Start from the furthest-away time and pull it in as
		 * not-yet-due channels are found.
		 */
		next_at = now + LONG_MAX;
		have_next = false;

		for (channel = 0; channel < RXRPC_MAXCALLS; channel++) {
			struct rxrpc_channel *chan = &conn->channels[channel];
			unsigned long ack_at;

			if (!test_bit(RXRPC_CONN_FINAL_ACK_0 + channel,
				      &conn->flags))
				continue;

			ack_at = chan->final_ack_at;
			if (time_before(now, ack_at) && !force) {
				/* Not due yet: remember the earliest deadline. */
				if (time_before(ack_at, next_at)) {
					next_at = ack_at;
					have_next = true;
				}
				continue;
			}

			/* Clear atomically so the resend happens only if the
			 * flag was still set at this point.
			 */
			if (test_and_clear_bit(RXRPC_CONN_FINAL_ACK_0 + channel,
					       &conn->flags))
				rxrpc_conn_retransmit_call(conn, NULL, channel);
		}

		now = jiffies;
	} while (time_before_eq(next_at, now));

	if (have_next)
		rxrpc_reduce_conn_timer(conn, next_at);
}

/*
 * connection-level event processor
 *
 * Issues a challenge if one has been requested and then drains the
 * connection's Rx queue.  The result of rxrpc_process_event() is not
 * examined here.
 */
static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
{
	struct sk_buff *skb;

	if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
		rxrpc_secure_connection(conn);

	/* go through the conn-level event packets, releasing the ref on this
	 * connection that each one has when we've finished with it */
	for (;;) {
		skb = skb_dequeue(&conn->rx_queue);
		if (!skb)
			break;

		rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
		rxrpc_process_event(conn, skb);
		rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
	}
}

/*
 * Work item entry point for connection processing.  The connection is only
 * processed if a use on its local endpoint can be obtained; that use is
 * dropped again once processing is complete.
 */
void rxrpc_process_connection(struct work_struct *work)
{
	struct rxrpc_connection *conn =
		container_of(work, struct rxrpc_connection, processor);

	rxrpc_see_connection(conn, rxrpc_conn_see_work);

	if (!__rxrpc_use_local(conn->local, rxrpc_local_use_conn_work))
		return;

	rxrpc_do_process_connection(conn);
	rxrpc_unuse_local(conn->local, rxrpc_local_unuse_conn_work);
}

/*
 * post connection-level events to the connection
 * - this includes challenges, responses, some aborts and call terminal packet
 *   retransmission.
 *
 * An extra ref is taken on @skb for the queue before the connection's work is
 * queued.
 */
static void rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
				      struct sk_buff *skb)
{
	_enter("%p,%p", conn, skb);

	rxrpc_get_skb(skb, rxrpc_skb_get_conn_work);
	skb_queue_tail(&conn->rx_queue, skb);
	rxrpc_queue_conn(conn, rxrpc_conn_queue_rx_work);
}

/*
 * Post a CHALLENGE packet to the socket of one of a connection's calls so that
 * it can get application data to include in the packet, possibly querying
 * userspace.
 *
 * A ref on @conn is stored in the skb's private data for whoever ends up
 * handling the challenge.  If the security class has no challenge_to_recvmsg
 * op, or no call's socket has RXRPC_SOCK_MANAGE_RESPONSE set, the packet is
 * queued on the connection instead of being sent to a socket.
 *
 * Returns true if the packet was passed on, false if no channel has a call
 * with a socket attached, in which case the stored connection ref is dropped
 * again.
 */
static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
				 struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	struct rxrpc_call *call = NULL;
	bool respond = false;

	sp->chall.conn =
		rxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);

	if (!conn->security->challenge_to_recvmsg) {
		rxrpc_post_packet_to_conn(conn, skb);
		return true;
	}

	rcu_read_lock();

	for (int i = 0; i < ARRAY_SIZE(conn->channels); i++) {
		struct rxrpc_call *candidate = conn->channels[i].call;
		struct rxrpc_sock *rx;

		if (!candidate)
			continue;

		rx = rcu_dereference(candidate->socket);
		if (!rx)
			continue;

		/* Any call with a socket means a response can be produced;
		 * only a socket that manages responses gets the packet.
		 */
		respond = true;
		if (test_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags)) {
			call = candidate;
			break;
		}
	}

	if (!respond) {
		rcu_read_unlock();
		rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
		sp->chall.conn = NULL;
		return false;
	}

	/* The notification is made inside the RCU read section that
	 * dereferenced the call's socket.
	 */
	if (call)
		rxrpc_notify_socket_oob(call, skb);
	rcu_read_unlock();

	if (!call)
		rxrpc_post_packet_to_conn(conn, skb);
	return true;
}

/*
 * Input a connection-level packet.
*/
/*
 * Dispatch on the packet type in the skb's header:
 *  - BUSY is ignored;
 *  - ABORT aborts the connection and its calls unless it is already aborted;
 *  - CHALLENGE is validated by the security class and then posted;
 *  - RESPONSE is queued on the connection for processing.
 * A CHALLENGE or RESPONSE arriving on an aborted connection is not processed;
 * if the abort was a local one, the connection abort is sent again instead.
 *
 * Returns false only if a CHALLENGE fails validation or cannot be posted;
 * what the caller does with the result is not visible from here.
 */
bool rxrpc_input_conn_packet(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);

	switch (sp->hdr.type) {
	case RXRPC_PACKET_TYPE_BUSY:
		/* Just ignore BUSY packets for now. */
		return true;

	case RXRPC_PACKET_TYPE_ABORT:
		if (!rxrpc_is_conn_aborted(conn)) {
			rxrpc_input_conn_abort(conn, skb);
			rxrpc_abort_calls(conn);
		}
		return true;

	case RXRPC_PACKET_TYPE_CHALLENGE:
		rxrpc_see_skb(skb, rxrpc_skb_see_oob_challenge);
		if (rxrpc_is_conn_aborted(conn)) {
			if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
				rxrpc_send_conn_abort(conn);
			return true;
		}
		/* The challenge must pass validation before it is posted. */
		if (conn->security->validate_challenge(conn, skb))
			return rxrpc_post_challenge(conn, skb);
		return false;

	case RXRPC_PACKET_TYPE_RESPONSE:
		if (rxrpc_is_conn_aborted(conn)) {
			if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
				rxrpc_send_conn_abort(conn);
			return true;
		}
		rxrpc_post_packet_to_conn(conn, skb);
		return true;

	default:
		WARN_ON_ONCE(1);
		return true;
	}
}

/*
 * Input a connection event.
*/
/*
 * @skb may be NULL.  In order, this: passes a pending connection abort on to
 * the calls; transmits (or discards, if the connection is aborted) a queued
 * RESPONSE; flips the calls to secure if @skb is the "service connection
 * secured" marker and the connection is in the SERVICE state; and processes
 * any delayed final ACKs.
 */
void rxrpc_input_conn_event(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	unsigned int loop;

	if (test_and_clear_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events))
		rxrpc_abort_calls(conn);

	/* tx_response is tested without the lock and then claimed under
	 * conn->local->lock.
	 * NOTE(review): if anything else could clear tx_response between the
	 * test and the locked read, resp would be NULL when handed to
	 * rxrpc_send_response() - presumably this is the only consumer;
	 * confirm.
	 */
	if (conn->tx_response) {
		struct sk_buff *resp;

		spin_lock_irq(&conn->local->lock);
		resp = conn->tx_response;
		conn->tx_response = NULL;
		spin_unlock_irq(&conn->local->lock);

		/* A response is never sent on an aborted connection. */
		if (conn->state != RXRPC_CONN_ABORTED)
			rxrpc_send_response(conn, resp);
		rxrpc_free_skb(resp, rxrpc_skb_put_response);
	}

	if (skb &&
	    skb->mark == RXRPC_SKB_MARK_SERVICE_CONN_SECURED &&
	    conn->state == RXRPC_CONN_SERVICE) {
		for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
			rxrpc_call_is_secure(conn->channels[loop].call);
	}

	/* Process delayed ACKs whose time has come. */
	if (conn->flags & RXRPC_CONN_FINAL_ACK_MASK)
		rxrpc_process_delayed_final_acks(conn, false);
}

/*
 * Post a RESPONSE message to the I/O thread for transmission.
 *
 * Only one response is held per connection.  If one is already waiting, the
 * one answering the later challenge serial is kept and the other is freed.
 * The connection is poked in either case.
 */
void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	struct rxrpc_local *local = conn->local;
	struct sk_buff *old, *discard;

	_enter("%x", sp->resp.challenge_serial);

	spin_lock_irq(&local->lock);
	old = conn->tx_response;
	/* Always go with the response to the most recent challenge. */
	if (!old ||
	    after(sp->resp.challenge_serial,
		  rxrpc_skb(old)->resp.challenge_serial)) {
		conn->tx_response = skb;
		discard = old;
	} else {
		discard = skb;
	}
	spin_unlock_irq(&local->lock);

	rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response);
	/* discard is NULL when there was no earlier response to replace. */
	rxrpc_free_skb(discard, rxrpc_skb_put_old_response);
}