// SPDX-License-Identifier: GPL-2.0-or-later
/* connection-level event handling
 *
 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
 * Written by David Howells (dhowells@redhat.com)
 */

#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt

#include <linux/module.h>
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/errqueue.h>
#include <net/sock.h>
#include <net/af_rxrpc.h>
#include <net/ip.h>
#include "ar-internal.h"

/*
 * Set the completion state on an aborted connection.
 *
 * Moves @conn into RXRPC_CONN_ABORTED at most once and records why.  The
 * state is tested without the lock first and then again under
 * conn->state_lock, so only the first caller fills in the abort details;
 * later callers cannot overwrite the recorded abort code, error or
 * completion.
 *
 * Returns true if this call performed the transition, false if the
 * connection was already aborted (nothing is modified in that case).
 */
static bool rxrpc_set_conn_aborted(struct rxrpc_connection *conn,
				   s32 abort_code, int err,
				   enum rxrpc_call_completion compl)
{
	bool aborted = false;

	/* Unlocked test: skip the lock if the connection is already aborted. */
	if (conn->state != RXRPC_CONN_ABORTED) {
		spin_lock_irq(&conn->state_lock);
		/* Test again under the lock; a concurrent abort may have won. */
		if (conn->state != RXRPC_CONN_ABORTED) {
			conn->abort_code = abort_code;
			conn->error = err;
			conn->completion = compl;
			/* Order the abort info before the state change. */
			smp_store_release(&conn->state, RXRPC_CONN_ABORTED);
			set_bit(RXRPC_CONN_DONT_REUSE, &conn->flags);
			/* Ask for the abort to be passed on to the calls; this
			 * event bit is consumed in rxrpc_input_conn_event().
			 */
			set_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events);
			aborted = true;
		}
		spin_unlock_irq(&conn->state_lock);
	}

	return aborted;
}

/*
 * Locally abort a connection.
 *
 * If @skb is given, the connection ID, call number and sequence number used in
 * the trace record are taken from its parsed header; otherwise the
 * connection's own cid is used with call and seq set to 0.  The trace record
 * and the poke are only issued by the caller that actually moved the
 * connection into the aborted state.
 *
 * Always returns -EPROTO, whether or not this call performed the abort.
 */
int rxrpc_abort_conn(struct rxrpc_connection *conn, struct sk_buff *skb,
		     s32 abort_code, int err, enum rxrpc_abort_reason why)
{
	u32 cid = conn->proto.cid, call = 0, seq = 0;

	if (skb) {
		struct rxrpc_skb_priv *sp = rxrpc_skb(skb);

		cid = sp->hdr.cid;
		call = sp->hdr.callNumber;
		seq = sp->hdr.seq;
	}

	if (rxrpc_set_conn_aborted(conn, abort_code, err,
				   RXRPC_CALL_LOCALLY_ABORTED)) {
		trace_rxrpc_abort(0, why, cid, call, seq, abort_code, err);
		rxrpc_poke_conn(conn, rxrpc_conn_get_poke_abort);
	}
	return -EPROTO;
}

/*
 * Mark a connection as being remotely aborted.
 */
static void rxrpc_input_conn_abort(struct rxrpc_connection *conn,
				   struct sk_buff *skb)
{
	trace_rxrpc_rx_conn_abort(conn, skb);
	/* NOTE(review): skb->priority is used as the abort code; presumably
	 * the input path stored the peer's abort code there - confirm.  The
	 * recorded error is always -ECONNABORTED.
	 */
	rxrpc_set_conn_aborted(conn, skb->priority, -ECONNABORTED,
			       RXRPC_CALL_REMOTELY_ABORTED);
}

/*
 * Retransmit terminal ACK or ABORT of the previous call.
 *
 * Rebuilds the final packet for @channel from the state saved in
 * conn->channels[channel] (last_call, last_type, last_abort, last_seq) and
 * sends it on the local endpoint's socket.  @skb is the packet that provoked
 * the retransmission, or NULL when there is none (as when called from
 * rxrpc_process_delayed_final_acks()).
 *
 * Nothing is sent if:
 *  - @skb is an ACK whose body cannot be copied out, or is a ping response;
 *  - @skb's call number does not match the channel's last call; or
 *  - the channel's last packet type is neither ABORT nor ACK.
 *
 * NOTE(review): @channel indexes conn->channels[] without a range check in
 * this function; callers presumably pass a value below RXRPC_MAXCALLS -
 * confirm.
 */
void rxrpc_conn_retransmit_call(struct rxrpc_connection *conn,
				struct sk_buff *skb,
				unsigned int channel)
{
	struct rxrpc_skb_priv *sp = skb ? rxrpc_skb(skb) : NULL;
	struct rxrpc_channel *chan;
	/* NOTE(review): only the five msghdr fields assigned below are
	 * initialised; any other members keep whatever was on the stack.
	 * Confirm that kernel_sendmsg() does not read them.
	 */
	struct msghdr msg;
	struct kvec iov[3];
	/* On-stack image of the packet: wire header followed by either an
	 * abort code or an ACK body.  Only the bytes covered by the iov
	 * lengths set below are transmitted.
	 */
	struct {
		struct rxrpc_wire_header whdr;
		union {
			__be32 abort_code;
			struct rxrpc_ackpacket ack;
		};
	} __attribute__((packed)) pkt;
	struct rxrpc_acktrailer trailer;
	size_t len;
	int ret, ioc;
	u32 serial, max_mtu, if_mtu, call_id, padding;

	_enter("%d", conn->debug_id);

	/* pkt.ack is borrowed here as scratch space to inspect the incoming
	 * ACK's reason; don't answer a ping response with another packet.
	 */
	if (sp && sp->hdr.type == RXRPC_PACKET_TYPE_ACK) {
		if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header),
				  &pkt.ack, sizeof(pkt.ack)) < 0)
			return;
		if (pkt.ack.reason == RXRPC_ACK_PING_RESPONSE)
			return;
	}

	chan = &conn->channels[channel];

	/* If the last call got moved on whilst we were waiting to run, just
	 * ignore this packet.
	 */
	call_id = chan->last_call;
	if (skb && call_id != sp->hdr.callNumber)
		return;

	msg.msg_name = &conn->peer->srx.transport;
	msg.msg_namelen = conn->peer->srx.transport_len;
	msg.msg_control = NULL;
	msg.msg_controllen = 0;
	msg.msg_flags = 0;

	/* iov[0] starts as just the wire header and is extended per packet
	 * type below; iov[1] and iov[2] are only used for an ACK (ioc = 3).
	 */
	iov[0].iov_base = &pkt;
	iov[0].iov_len = sizeof(pkt.whdr);
	iov[1].iov_base = &padding;
	iov[1].iov_len = 3;
	iov[2].iov_base = &trailer;
	iov[2].iov_len = sizeof(trailer);

	serial = rxrpc_get_next_serial(conn);

	pkt.whdr.epoch = htonl(conn->proto.epoch);
	pkt.whdr.cid = htonl(conn->proto.cid | channel);
	pkt.whdr.callNumber = htonl(call_id);
	pkt.whdr.serial = htonl(serial);
	pkt.whdr.seq = 0;
	pkt.whdr.type = chan->last_type;
	pkt.whdr.flags = conn->out_clientflag;
	pkt.whdr.userStatus = 0;
	pkt.whdr.securityIndex = conn->security_ix;
	pkt.whdr._rsvd = 0;
	pkt.whdr.serviceId = htons(conn->service_id);

	len = sizeof(pkt.whdr);
	switch (chan->last_type) {
	case RXRPC_PACKET_TYPE_ABORT:
		/* Header plus the saved abort code, in a single iovec. */
		pkt.abort_code = htonl(chan->last_abort);
		iov[0].iov_len += sizeof(pkt.abort_code);
		len += sizeof(pkt.abort_code);
		ioc = 1;
		break;

	case RXRPC_PACKET_TYPE_ACK:
		if_mtu = conn->peer->if_mtu - conn->peer->hdrsize;
		if (conn->peer->ackr_adv_pmtud) {
			max_mtu = umax(conn->peer->max_data, rxrpc_rx_mtu);
		} else {
			/* Otherwise clamp if_mtu to at most 1444 and
			 * advertise the same value as the maximum.
			 */
			if_mtu = umin(1444, if_mtu);
			max_mtu = if_mtu;
		}
		/* Every ACK field named here is overwritten, replacing any
		 * bytes copied in from the incoming packet above.
		 * NOTE(review): assumes these are all the members of struct
		 * rxrpc_ackpacket - confirm against its definition.
		 */
		pkt.ack.bufferSpace = 0;
		pkt.ack.maxSkew = htons(skb ? skb->priority : 0);
		pkt.ack.firstPacket = htonl(chan->last_seq + 1);
		pkt.ack.previousPacket = htonl(chan->last_seq);
		pkt.ack.serial = htonl(skb ? sp->hdr.serial : 0);
		pkt.ack.reason = skb ? RXRPC_ACK_DUPLICATE : RXRPC_ACK_IDLE;
		pkt.ack.nAcks = 0;
		trailer.maxMTU = htonl(max_mtu);
		trailer.ifMTU = htonl(if_mtu);
		trailer.rwind = htonl(rxrpc_rx_window_size);
		trailer.jumbo_max = 0;
		pkt.whdr.flags |= RXRPC_SLOW_START_OK;
		/* Zero the padding word; three of its bytes go on the wire. */
		padding = 0;
		iov[0].iov_len += sizeof(pkt.ack);
		len += sizeof(pkt.ack) + 3 + sizeof(trailer);
		ioc = 3;

		trace_rxrpc_tx_ack(chan->call_debug_id, serial,
				   ntohl(pkt.ack.firstPacket),
				   ntohl(pkt.ack.serial),
				   pkt.ack.reason, 0, rxrpc_rx_window_size,
				   rxrpc_propose_ack_retransmit);
		break;

	default:
		return;
	}

	ret = kernel_sendmsg(conn->local->socket, &msg, iov, ioc, len);
	/* The peer is marked as transmitted-to whether or not the send
	 * succeeded; a failure is only traced.
	 */
	rxrpc_peer_mark_tx(conn->peer);
	if (ret < 0)
		trace_rxrpc_tx_fail(chan->call_debug_id, serial, ret,
				    rxrpc_tx_point_call_final_resend);
	else
		trace_rxrpc_tx_packet(chan->call_debug_id, &pkt.whdr,
				      rxrpc_tx_point_call_final_resend);

	_leave("");
}

/*
 * pass a connection-level abort onto all calls on that connection
 *
 * Every channel that currently has a call attached gets the connection's
 * recorded completion, abort code and error, and the call is then poked.
 */
static void rxrpc_abort_calls(struct rxrpc_connection *conn)
{
	struct rxrpc_call *call;
	int i;

	_enter("{%d},%x", conn->debug_id, conn->abort_code);

	for (i = 0; i < RXRPC_MAXCALLS; i++) {
		call = conn->channels[i].call;
		if (call) {
			rxrpc_see_call(call, rxrpc_call_see_conn_abort);
			rxrpc_set_call_completion(call,
						  conn->completion,
						  conn->abort_code,
						  conn->error);
			rxrpc_poke_call(call, rxrpc_call_poke_conn_abort);
		}
	}

	_leave("");
}

/*
 * mark a call as being on a now-secured channel
 * - must be called with BH's disabled.
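 */
static void rxrpc_call_is_secure(struct rxrpc_call *call)
{
	/* A NULL call (empty channel slot) is tolerated.  The socket is only
	 * notified if the call was flagged as waiting on the challenge.
	 */
	if (call && __test_and_clear_bit(RXRPC_CALL_CONN_CHALLENGING, &call->flags))
		rxrpc_notify_socket(call);
}

/*
 * Copy the body of a RESPONSE packet into a linear buffer and hand it to the
 * connection's security class for verification.
 *
 * Returns the security class's result, -EPROTO if the packet is shorter than
 * a wire header, -ENOMEM if the buffer cannot be allocated, or the error from
 * skb_copy_bits().  The buffer is freed on every path.
 */
static int rxrpc_verify_response(struct rxrpc_connection *conn,
				 struct sk_buff *skb)
{
	unsigned int len;
	void *buffer;
	int ret;

	/* The subtraction below is unsigned, so a packet shorter than the
	 * wire header would wrap round to a huge length.  The input path
	 * presumably never queues such a packet, but refuse it here rather
	 * than rely on that.
	 */
	if (skb->len < sizeof(struct rxrpc_wire_header))
		return -EPROTO;
	len = skb->len - sizeof(struct rxrpc_wire_header);

	buffer = kmalloc(len, GFP_NOFS);
	if (!buffer)
		return -ENOMEM;

	ret = skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), buffer, len);
	if (ret < 0)
		goto out;

	ret = conn->security->verify_response(conn, skb, buffer, len);

out:
	kfree(buffer);
	return ret;
}

/*
 * connection-level Rx packet processor
 *
 * Handles a CHALLENGE or RESPONSE packet that was queued on the connection.
 * Returns -ECONNABORTED if the connection is already aborted, the security
 * class's result for a CHALLENGE, 0 or a negative error for a RESPONSE, and
 * -EPROTO (with a one-off warning) for any other packet type.
 */
static int rxrpc_process_event(struct rxrpc_connection *conn,
			       struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	bool secured = false;
	int ret;

	if (conn->state == RXRPC_CONN_ABORTED)
		return -ECONNABORTED;

	_enter("{%d},{%u,%%%u},", conn->debug_id, sp->hdr.type, sp->hdr.serial);

	switch (sp->hdr.type) {
	case RXRPC_PACKET_TYPE_CHALLENGE:
		ret = conn->security->respond_to_challenge(conn, skb);
		/* Drop the connection ref that rxrpc_post_challenge() stored
		 * in the packet.
		 */
		sp->chall.conn = NULL;
		rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
		return ret;

	case RXRPC_PACKET_TYPE_RESPONSE:
		/* A RESPONSE is only meaningful while we are waiting for one;
		 * in any other state it is quietly discarded.
		 */
		spin_lock_irq(&conn->state_lock);
		if (conn->state != RXRPC_CONN_SERVICE_CHALLENGING) {
			spin_unlock_irq(&conn->state_lock);
			return 0;
		}
		spin_unlock_irq(&conn->state_lock);

		/* Verification and key setup run without the state lock. */
		ret = rxrpc_verify_response(conn, skb);
		if (ret < 0)
			return ret;

		/* NOTE(review): conn->key is dereferenced unconditionally;
		 * presumably a successful verify_response() has set it -
		 * confirm.
		 */
		ret = conn->security->init_connection_security(
			conn, conn->key->payload.data[0]);
		if (ret < 0)
			return ret;

		/* The state may have changed while the lock was dropped (an
		 * abort, for instance), so only promote the connection if it
		 * is still challenging.
		 */
		spin_lock_irq(&conn->state_lock);
		if (conn->state == RXRPC_CONN_SERVICE_CHALLENGING) {
			conn->state = RXRPC_CONN_SERVICE;
			secured = true;
		}
		spin_unlock_irq(&conn->state_lock);

		if (secured) {
			/* Offload call state flipping to the I/O thread.  As
			 * we've already received the packet, put it on the
			 * front of the queue.
			 */
			sp->poke_conn = rxrpc_get_connection(
				conn, rxrpc_conn_get_poke_secured);
			skb->mark = RXRPC_SKB_MARK_SERVICE_CONN_SECURED;
			rxrpc_get_skb(skb, rxrpc_skb_get_conn_secured);
			skb_queue_head(&conn->local->rx_queue, skb);
			rxrpc_wake_up_io_thread(conn->local);
		}
		return 0;

	default:
		WARN_ON_ONCE(1);
		return -EPROTO;
	}
}

/*
 * set up security and issue a challenge
 *
 * Any failure to issue the challenge aborts the connection locally with
 * RX_CALL_DEAD and -ENOMEM, whatever error the security class returned.
 */
static void rxrpc_secure_connection(struct rxrpc_connection *conn)
{
	if (conn->security->issue_challenge(conn) < 0)
		rxrpc_abort_conn(conn, NULL, RX_CALL_DEAD, -ENOMEM,
				 rxrpc_abort_nomem);
}

/*
 * Process delayed final ACKs that we haven't subsumed into a subsequent call.
 *
 * Walks every channel with a pending final-ACK flag.  A channel whose
 * final_ack_at time has passed (or any flagged channel if @force is set) has
 * its flag cleared and its final packet retransmitted; for the others the
 * earliest pending time is tracked and the connection timer is brought
 * forward to it.
 */
void rxrpc_process_delayed_final_acks(struct rxrpc_connection *conn, bool force)
{
	unsigned long j = jiffies, next_j;
	unsigned int channel;
	bool set;

again:
	/* Start from a time far in the future; any pending ACK beats it. */
	next_j = j + LONG_MAX;
	set = false;
	for (channel = 0; channel < RXRPC_MAXCALLS; channel++) {
		struct rxrpc_channel *chan = &conn->channels[channel];
		unsigned long ack_at;

		if (!test_bit(RXRPC_CONN_FINAL_ACK_0 + channel, &conn->flags))
			continue;

		ack_at = chan->final_ack_at;
		if (time_before(j, ack_at) && !force) {
			/* Not due yet: remember the earliest deadline. */
			if (time_before(ack_at, next_j)) {
				next_j = ack_at;
				set = true;
			}
			continue;
		}

		/* Only the context that clears the flag does the resend. */
		if (test_and_clear_bit(RXRPC_CONN_FINAL_ACK_0 + channel,
				       &conn->flags))
			rxrpc_conn_retransmit_call(conn, NULL, channel);
	}

	/* If the earliest deadline passed while we were working, go round
	 * again rather than arming a timer that has already expired.
	 */
	j = jiffies;
	if (time_before_eq(next_j, j))
		goto again;
	if (set)
		rxrpc_reduce_conn_timer(conn, next_j);
}

/*
 * connection-level event processor
 */
static void rxrpc_do_process_connection(struct rxrpc_connection *conn)
{
	struct sk_buff *skb;

	if (test_and_clear_bit(RXRPC_CONN_EV_CHALLENGE, &conn->events))
		rxrpc_secure_connection(conn);

	/* go through the conn-level event packets, releasing the ref on this
	 * connection that each one has when we've finished with it */
	while ((skb = skb_dequeue(&conn->rx_queue))) {
		rxrpc_see_skb(skb, rxrpc_skb_see_conn_work);
		/* NOTE(review): the result is discarded, so a failed
		 * verification is not acted on here; presumably the security
		 * class has already aborted the connection itself - confirm.
		 */
		rxrpc_process_event(conn, skb);
		rxrpc_free_skb(skb, rxrpc_skb_put_conn_work);
	}
}

/*
 * Work item entry point for connection-level processing.
 *
 * Recovers the connection from its embedded work_struct and processes its
 * events only if __rxrpc_use_local() grants use of the local endpoint, which
 * is released again afterwards.
 */
void rxrpc_process_connection(struct work_struct *work)
{
	struct rxrpc_connection *conn =
		container_of(work, struct rxrpc_connection, processor);

	rxrpc_see_connection(conn, rxrpc_conn_see_work);

	if (__rxrpc_use_local(conn->local, rxrpc_local_use_conn_work)) {
		rxrpc_do_process_connection(conn);
		rxrpc_unuse_local(conn->local, rxrpc_local_unuse_conn_work);
	}
}

/*
 * post connection-level events to the connection
 * - this includes challenges, responses, some aborts and call terminal packet
 *   retransmission.
 *
 * Takes an extra ref on the packet before queueing it; that ref is dropped
 * by rxrpc_do_process_connection() once the packet has been handled.
 */
static void rxrpc_post_packet_to_conn(struct rxrpc_connection *conn,
				      struct sk_buff *skb)
{
	_enter("%p,%p", conn, skb);

	rxrpc_get_skb(skb, rxrpc_skb_get_conn_work);
	skb_queue_tail(&conn->rx_queue, skb);
	rxrpc_queue_conn(conn, rxrpc_conn_queue_rx_work);
}

/*
 * Post a CHALLENGE packet to the socket of one of a connection's calls so that
 * it can get application data to include in the packet, possibly querying
 * userspace.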
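 *
 * A ref on the connection is stored in the packet (sp->chall.conn) for
 * whoever ends up answering the challenge.  If the security class has no
 * challenge_to_recvmsg operation the packet goes straight to the connection's
 * work queue.  Otherwise the channels are scanned for a call whose socket has
 * RXRPC_SOCK_MANAGE_RESPONSE set; if one is found the challenge is delivered
 * to that socket out of band, and if not it falls back to the connection's
 * work queue.
 *
 * Returns false, having dropped the stored ref again, if no channel has a
 * call that is still attached to a socket; true otherwise.
 */
static bool rxrpc_post_challenge(struct rxrpc_connection *conn,
				 struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	struct rxrpc_call *call = NULL;
	struct rxrpc_sock *rx;
	bool respond = false;

	sp->chall.conn =
		rxrpc_get_connection(conn, rxrpc_conn_get_challenge_input);

	if (!conn->security->challenge_to_recvmsg) {
		rxrpc_post_packet_to_conn(conn, skb);
		return true;
	}

	/* call->socket is read under RCU and is only used inside this
	 * read-side section.
	 */
	rcu_read_lock();

	for (int i = 0; i < ARRAY_SIZE(conn->channels); i++) {
		if (conn->channels[i].call) {
			call = conn->channels[i].call;
			rx = rcu_dereference(call->socket);
			if (!rx) {
				call = NULL;
				continue;
			}

			/* At least one call still has a socket, so the
			 * challenge will be answered one way or the other.
			 */
			respond = true;
			if (test_bit(RXRPC_SOCK_MANAGE_RESPONSE, &rx->flags))
				break;
			call = NULL;
		}
	}

	if (!respond) {
		rcu_read_unlock();
		rxrpc_put_connection(conn, rxrpc_conn_put_challenge_input);
		sp->chall.conn = NULL;
		return false;
	}

	/* call is only non-NULL here if the loop broke out on a socket that
	 * manages its own responses.
	 */
	if (call)
		rxrpc_notify_socket_oob(call, skb);
	rcu_read_unlock();

	if (!call)
		rxrpc_post_packet_to_conn(conn, skb);
	return true;
}

/*
 * Input a connection-level packet.
 *
 * Dispatches on the packet type from the parsed header.  On an
 * already-aborted connection, CHALLENGE and RESPONSE packets are not processed
 * any further; if the abort was a local one the connection abort is sent
 * again instead.  A CHALLENGE is passed to the security class's
 * validate_challenge operation before it is queued or delivered anywhere.
 *
 * Returns false only if the challenge fails validation or cannot be posted;
 * true in every other case, including an unexpected packet type (which raises
 * a one-off warning).  What the caller does with false is not visible in this
 * file.
 */
bool rxrpc_input_conn_packet(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);

	switch (sp->hdr.type) {
	case RXRPC_PACKET_TYPE_BUSY:
		/* Just ignore BUSY packets for now. */
		return true;

	case RXRPC_PACKET_TYPE_ABORT:
		if (rxrpc_is_conn_aborted(conn))
			return true;
		rxrpc_input_conn_abort(conn, skb);
		rxrpc_abort_calls(conn);
		return true;

	case RXRPC_PACKET_TYPE_CHALLENGE:
		rxrpc_see_skb(skb, rxrpc_skb_see_oob_challenge);
		if (rxrpc_is_conn_aborted(conn)) {
			if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
				rxrpc_send_conn_abort(conn);
			return true;
		}
		if (!conn->security->validate_challenge(conn, skb))
			return false;
		return rxrpc_post_challenge(conn, skb);

	case RXRPC_PACKET_TYPE_RESPONSE:
		if (rxrpc_is_conn_aborted(conn)) {
			if (conn->completion == RXRPC_CALL_LOCALLY_ABORTED)
				rxrpc_send_conn_abort(conn);
			return true;
		}
		rxrpc_post_packet_to_conn(conn, skb);
		return true;

	default:
		WARN_ON_ONCE(1);
		return true;
	}
}

/*
 * Input a connection event.
 *
 * Runs the pending connection-level work: passes a recorded abort on to the
 * calls, transmits a queued RESPONSE, flips calls to secure when @skb carries
 * the "service connection secured" mark, and processes any delayed final ACKs
 * that are flagged.  @skb may be NULL.
 */
void rxrpc_input_conn_event(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	unsigned int loop;

	if (test_and_clear_bit(RXRPC_CONN_EV_ABORT_CALLS, &conn->events))
		rxrpc_abort_calls(conn);

	if (conn->tx_response) {
		/* Named resp so that it does not shadow the skb parameter,
		 * which is examined further down.
		 */
		struct sk_buff *resp;

		/* Detach the queued response under the lock that
		 * rxrpc_post_response() uses to install it.
		 */
		spin_lock_irq(&conn->local->lock);
		resp = conn->tx_response;
		conn->tx_response = NULL;
		spin_unlock_irq(&conn->local->lock);

		/* An aborted connection sends no response, but the packet is
		 * still released.
		 */
		if (conn->state != RXRPC_CONN_ABORTED)
			rxrpc_send_response(conn, resp);
		rxrpc_free_skb(resp, rxrpc_skb_put_response);
	}

	if (skb) {
		switch (skb->mark) {
		case RXRPC_SKB_MARK_SERVICE_CONN_SECURED:
			/* Ignore the mark if the connection has since left
			 * the SERVICE state.
			 */
			if (conn->state != RXRPC_CONN_SERVICE)
				break;

			for (loop = 0; loop < RXRPC_MAXCALLS; loop++)
				rxrpc_call_is_secure(conn->channels[loop].call);
			break;
		}
	}

	/* Process delayed ACKs whose time has come. */
	if (conn->flags & RXRPC_CONN_FINAL_ACK_MASK)
		rxrpc_process_delayed_final_acks(conn, false);
}

/*
 * Post a RESPONSE message to the I/O thread for transmission.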
 *
 * At most one response is held per connection, in conn->tx_response.  The
 * packet passed in is consumed: it is either installed there or released.  If
 * a response is already queued, the one answering the later challenge serial
 * is kept and the other is released.
 */
void rxrpc_post_response(struct rxrpc_connection *conn, struct sk_buff *skb)
{
	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
	struct rxrpc_local *local = conn->local;
	struct sk_buff *old;

	_enter("%x", sp->resp.challenge_serial);

	spin_lock_irq(&local->lock);
	old = conn->tx_response;
	if (old) {
		struct rxrpc_skb_priv *osp = rxrpc_skb(old);

		/* Always go with the response to the most recent challenge. */
		/* NOTE(review): after() is not defined in this file;
		 * presumably a wrap-safe serial comparison - confirm.
		 */
		if (after(sp->resp.challenge_serial, osp->resp.challenge_serial))
			conn->tx_response = skb;
		else
			old = skb;	/* the new packet is the one to drop */
	} else {
		conn->tx_response = skb;
	}
	spin_unlock_irq(&local->lock);
	rxrpc_poke_conn(conn, rxrpc_conn_get_poke_response);
	/* old is NULL when nothing was queued before; rxrpc_free_skb() is
	 * relied on to accept that.
	 */
	rxrpc_free_skb(old, rxrpc_skb_put_old_response);
}