mctp: prevent double key removal and unref
[platform/kernel/linux-rpi.git] / net / mctp / route.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Management Component Transport Protocol (MCTP) - routing
4  * implementation.
5  *
6  * This is currently based on a simple routing table, with no dst cache. The
7  * number of routes should stay fairly small, so the lookup cost is small.
8  *
9  * Copyright (c) 2021 Code Construct
10  * Copyright (c) 2021 Google
11  */
12
13 #include <linux/idr.h>
14 #include <linux/kconfig.h>
15 #include <linux/mctp.h>
16 #include <linux/netdevice.h>
17 #include <linux/rtnetlink.h>
18 #include <linux/skbuff.h>
19
20 #include <uapi/linux/if_arp.h>
21
22 #include <net/mctp.h>
23 #include <net/mctpdevice.h>
24 #include <net/netlink.h>
25 #include <net/sock.h>
26
27 #include <trace/events/mctp.h>
28
29 static const unsigned int mctp_message_maxlen = 64 * 1024;
30 static const unsigned long mctp_key_lifetime = 6 * CONFIG_HZ;
31
32 static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev);
33
34 /* route output callbacks */
35 static int mctp_route_discard(struct mctp_route *route, struct sk_buff *skb)
36 {
37         kfree_skb(skb);
38         return 0;
39 }
40
41 static struct mctp_sock *mctp_lookup_bind(struct net *net, struct sk_buff *skb)
42 {
43         struct mctp_skb_cb *cb = mctp_cb(skb);
44         struct mctp_hdr *mh;
45         struct sock *sk;
46         u8 type;
47
48         WARN_ON(!rcu_read_lock_held());
49
50         /* TODO: look up in skb->cb? */
51         mh = mctp_hdr(skb);
52
53         if (!skb_headlen(skb))
54                 return NULL;
55
56         type = (*(u8 *)skb->data) & 0x7f;
57
58         sk_for_each_rcu(sk, &net->mctp.binds) {
59                 struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk);
60
61                 if (msk->bind_net != MCTP_NET_ANY && msk->bind_net != cb->net)
62                         continue;
63
64                 if (msk->bind_type != type)
65                         continue;
66
67                 if (!mctp_address_matches(msk->bind_addr, mh->dest))
68                         continue;
69
70                 return msk;
71         }
72
73         return NULL;
74 }
75
76 static bool mctp_key_match(struct mctp_sk_key *key, mctp_eid_t local,
77                            mctp_eid_t peer, u8 tag)
78 {
79         if (!mctp_address_matches(key->local_addr, local))
80                 return false;
81
82         if (key->peer_addr != peer)
83                 return false;
84
85         if (key->tag != tag)
86                 return false;
87
88         return true;
89 }
90
91 /* returns a key (with key->lock held, and refcounted), or NULL if no such
92  * key exists.
93  */
94 static struct mctp_sk_key *mctp_lookup_key(struct net *net, struct sk_buff *skb,
95                                            mctp_eid_t peer,
96                                            unsigned long *irqflags)
97         __acquires(&key->lock)
98 {
99         struct mctp_sk_key *key, *ret;
100         unsigned long flags;
101         struct mctp_hdr *mh;
102         u8 tag;
103
104         mh = mctp_hdr(skb);
105         tag = mh->flags_seq_tag & (MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
106
107         ret = NULL;
108         spin_lock_irqsave(&net->mctp.keys_lock, flags);
109
110         hlist_for_each_entry(key, &net->mctp.keys, hlist) {
111                 if (!mctp_key_match(key, mh->dest, peer, tag))
112                         continue;
113
114                 spin_lock(&key->lock);
115                 if (key->valid) {
116                         refcount_inc(&key->refs);
117                         ret = key;
118                         break;
119                 }
120                 spin_unlock(&key->lock);
121         }
122
123         if (ret) {
124                 spin_unlock(&net->mctp.keys_lock);
125                 *irqflags = flags;
126         } else {
127                 spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
128         }
129
130         return ret;
131 }
132
133 static struct mctp_sk_key *mctp_key_alloc(struct mctp_sock *msk,
134                                           mctp_eid_t local, mctp_eid_t peer,
135                                           u8 tag, gfp_t gfp)
136 {
137         struct mctp_sk_key *key;
138
139         key = kzalloc(sizeof(*key), gfp);
140         if (!key)
141                 return NULL;
142
143         key->peer_addr = peer;
144         key->local_addr = local;
145         key->tag = tag;
146         key->sk = &msk->sk;
147         key->valid = true;
148         spin_lock_init(&key->lock);
149         refcount_set(&key->refs, 1);
150
151         return key;
152 }
153
154 void mctp_key_unref(struct mctp_sk_key *key)
155 {
156         unsigned long flags;
157
158         if (!refcount_dec_and_test(&key->refs))
159                 return;
160
161         /* even though no refs exist here, the lock allows us to stay
162          * consistent with the locking requirement of mctp_dev_release_key
163          */
164         spin_lock_irqsave(&key->lock, flags);
165         mctp_dev_release_key(key->dev, key);
166         spin_unlock_irqrestore(&key->lock, flags);
167
168         kfree(key);
169 }
170
171 static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk)
172 {
173         struct net *net = sock_net(&msk->sk);
174         struct mctp_sk_key *tmp;
175         unsigned long flags;
176         int rc = 0;
177
178         spin_lock_irqsave(&net->mctp.keys_lock, flags);
179
180         hlist_for_each_entry(tmp, &net->mctp.keys, hlist) {
181                 if (mctp_key_match(tmp, key->local_addr, key->peer_addr,
182                                    key->tag)) {
183                         spin_lock(&tmp->lock);
184                         if (tmp->valid)
185                                 rc = -EEXIST;
186                         spin_unlock(&tmp->lock);
187                         if (rc)
188                                 break;
189                 }
190         }
191
192         if (!rc) {
193                 refcount_inc(&key->refs);
194                 key->expiry = jiffies + mctp_key_lifetime;
195                 timer_reduce(&msk->key_expiry, key->expiry);
196
197                 hlist_add_head(&key->hlist, &net->mctp.keys);
198                 hlist_add_head(&key->sklist, &msk->keys);
199         }
200
201         spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
202
203         return rc;
204 }
205
206 /* Helper for mctp_route_input().
207  * We're done with the key; unlock and unref the key.
208  * For the usual case of automatic expiry we remove the key from lists.
209  * In the case that manual allocation is set on a key we release the lock
210  * and local ref, reset reassembly, but don't remove from lists.
211  */
212 static void __mctp_key_done_in(struct mctp_sk_key *key, struct net *net,
213                                unsigned long flags, unsigned long reason)
214 __releases(&key->lock)
215 {
216         struct sk_buff *skb;
217
218         trace_mctp_key_release(key, reason);
219         skb = key->reasm_head;
220         key->reasm_head = NULL;
221
222         if (!key->manual_alloc) {
223                 key->reasm_dead = true;
224                 key->valid = false;
225                 mctp_dev_release_key(key->dev, key);
226         }
227         spin_unlock_irqrestore(&key->lock, flags);
228
229         if (!key->manual_alloc) {
230                 spin_lock_irqsave(&net->mctp.keys_lock, flags);
231                 if (!hlist_unhashed(&key->hlist)) {
232                         hlist_del_init(&key->hlist);
233                         hlist_del_init(&key->sklist);
234                         mctp_key_unref(key);
235                 }
236                 spin_unlock_irqrestore(&net->mctp.keys_lock, flags);
237         }
238
239         /* and one for the local reference */
240         mctp_key_unref(key);
241
242         kfree_skb(skb);
243 }
244
245 #ifdef CONFIG_MCTP_FLOWS
246 static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key)
247 {
248         struct mctp_flow *flow;
249
250         flow = skb_ext_add(skb, SKB_EXT_MCTP);
251         if (!flow)
252                 return;
253
254         refcount_inc(&key->refs);
255         flow->key = key;
256 }
257
258 static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
259 {
260         struct mctp_sk_key *key;
261         struct mctp_flow *flow;
262
263         flow = skb_ext_find(skb, SKB_EXT_MCTP);
264         if (!flow)
265                 return;
266
267         key = flow->key;
268
269         if (WARN_ON(key->dev && key->dev != dev))
270                 return;
271
272         mctp_dev_set_key(dev, key);
273 }
274 #else
275 static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
276 static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {}
277 #endif
278
279 static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
280 {
281         struct mctp_hdr *hdr = mctp_hdr(skb);
282         u8 exp_seq, this_seq;
283
284         this_seq = (hdr->flags_seq_tag >> MCTP_HDR_SEQ_SHIFT)
285                 & MCTP_HDR_SEQ_MASK;
286
287         if (!key->reasm_head) {
288                 key->reasm_head = skb;
289                 key->reasm_tailp = &(skb_shinfo(skb)->frag_list);
290                 key->last_seq = this_seq;
291                 return 0;
292         }
293
294         exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK;
295
296         if (this_seq != exp_seq)
297                 return -EINVAL;
298
299         if (key->reasm_head->len + skb->len > mctp_message_maxlen)
300                 return -EINVAL;
301
302         skb->next = NULL;
303         skb->sk = NULL;
304         *key->reasm_tailp = skb;
305         key->reasm_tailp = &skb->next;
306
307         key->last_seq = this_seq;
308
309         key->reasm_head->data_len += skb->len;
310         key->reasm_head->len += skb->len;
311         key->reasm_head->truesize += skb->truesize;
312
313         return 0;
314 }
315
316 static int mctp_route_input(struct mctp_route *route, struct sk_buff *skb)
317 {
318         struct net *net = dev_net(skb->dev);
319         struct mctp_sk_key *key;
320         struct mctp_sock *msk;
321         struct mctp_hdr *mh;
322         unsigned long f;
323         u8 tag, flags;
324         int rc;
325
326         msk = NULL;
327         rc = -EINVAL;
328
329         /* we may be receiving a locally-routed packet; drop source sk
330          * accounting
331          */
332         skb_orphan(skb);
333
334         /* ensure we have enough data for a header and a type */
335         if (skb->len < sizeof(struct mctp_hdr) + 1)
336                 goto out;
337
338         /* grab header, advance data ptr */
339         mh = mctp_hdr(skb);
340         skb_pull(skb, sizeof(struct mctp_hdr));
341
342         if (mh->ver != 1)
343                 goto out;
344
345         flags = mh->flags_seq_tag & (MCTP_HDR_FLAG_SOM | MCTP_HDR_FLAG_EOM);
346         tag = mh->flags_seq_tag & (MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
347
348         rcu_read_lock();
349
350         /* lookup socket / reasm context, exactly matching (src,dest,tag).
351          * we hold a ref on the key, and key->lock held.
352          */
353         key = mctp_lookup_key(net, skb, mh->src, &f);
354
355         if (flags & MCTP_HDR_FLAG_SOM) {
356                 if (key) {
357                         msk = container_of(key->sk, struct mctp_sock, sk);
358                 } else {
359                         /* first response to a broadcast? do a more general
360                          * key lookup to find the socket, but don't use this
361                          * key for reassembly - we'll create a more specific
362                          * one for future packets if required (ie, !EOM).
363                          */
364                         key = mctp_lookup_key(net, skb, MCTP_ADDR_ANY, &f);
365                         if (key) {
366                                 msk = container_of(key->sk,
367                                                    struct mctp_sock, sk);
368                                 spin_unlock_irqrestore(&key->lock, f);
369                                 mctp_key_unref(key);
370                                 key = NULL;
371                         }
372                 }
373
374                 if (!key && !msk && (tag & MCTP_HDR_FLAG_TO))
375                         msk = mctp_lookup_bind(net, skb);
376
377                 if (!msk) {
378                         rc = -ENOENT;
379                         goto out_unlock;
380                 }
381
382                 /* single-packet message? deliver to socket, clean up any
383                  * pending key.
384                  */
385                 if (flags & MCTP_HDR_FLAG_EOM) {
386                         sock_queue_rcv_skb(&msk->sk, skb);
387                         if (key) {
388                                 /* we've hit a pending reassembly; not much we
389                                  * can do but drop it
390                                  */
391                                 __mctp_key_done_in(key, net, f,
392                                                    MCTP_TRACE_KEY_REPLIED);
393                                 key = NULL;
394                         }
395                         rc = 0;
396                         goto out_unlock;
397                 }
398
399                 /* broadcast response or a bind() - create a key for further
400                  * packets for this message
401                  */
402                 if (!key) {
403                         key = mctp_key_alloc(msk, mh->dest, mh->src,
404                                              tag, GFP_ATOMIC);
405                         if (!key) {
406                                 rc = -ENOMEM;
407                                 goto out_unlock;
408                         }
409
410                         /* we can queue without the key lock here, as the
411                          * key isn't observable yet
412                          */
413                         mctp_frag_queue(key, skb);
414
415                         /* if the key_add fails, we've raced with another
416                          * SOM packet with the same src, dest and tag. There's
417                          * no way to distinguish future packets, so all we
418                          * can do is drop; we'll free the skb on exit from
419                          * this function.
420                          */
421                         rc = mctp_key_add(key, msk);
422                         if (rc) {
423                                 kfree(key);
424                         } else {
425                                 trace_mctp_key_acquire(key);
426
427                                 /* we don't need to release key->lock on exit */
428                                 mctp_key_unref(key);
429                         }
430                         key = NULL;
431
432                 } else {
433                         if (key->reasm_head || key->reasm_dead) {
434                                 /* duplicate start? drop everything */
435                                 __mctp_key_done_in(key, net, f,
436                                                    MCTP_TRACE_KEY_INVALIDATED);
437                                 rc = -EEXIST;
438                                 key = NULL;
439                         } else {
440                                 rc = mctp_frag_queue(key, skb);
441                         }
442                 }
443
444         } else if (key) {
445                 /* this packet continues a previous message; reassemble
446                  * using the message-specific key
447                  */
448
449                 /* we need to be continuing an existing reassembly... */
450                 if (!key->reasm_head)
451                         rc = -EINVAL;
452                 else
453                         rc = mctp_frag_queue(key, skb);
454
455                 /* end of message? deliver to socket, and we're done with
456                  * the reassembly/response key
457                  */
458                 if (!rc && flags & MCTP_HDR_FLAG_EOM) {
459                         sock_queue_rcv_skb(key->sk, key->reasm_head);
460                         key->reasm_head = NULL;
461                         __mctp_key_done_in(key, net, f, MCTP_TRACE_KEY_REPLIED);
462                         key = NULL;
463                 }
464
465         } else {
466                 /* not a start, no matching key */
467                 rc = -ENOENT;
468         }
469
470 out_unlock:
471         rcu_read_unlock();
472         if (key) {
473                 spin_unlock_irqrestore(&key->lock, f);
474                 mctp_key_unref(key);
475         }
476 out:
477         if (rc)
478                 kfree_skb(skb);
479         return rc;
480 }
481
482 static unsigned int mctp_route_mtu(struct mctp_route *rt)
483 {
484         return rt->mtu ?: READ_ONCE(rt->dev->dev->mtu);
485 }
486
487 static int mctp_route_output(struct mctp_route *route, struct sk_buff *skb)
488 {
489         struct mctp_skb_cb *cb = mctp_cb(skb);
490         struct mctp_hdr *hdr = mctp_hdr(skb);
491         char daddr_buf[MAX_ADDR_LEN];
492         char *daddr = NULL;
493         unsigned int mtu;
494         int rc;
495
496         skb->protocol = htons(ETH_P_MCTP);
497
498         mtu = READ_ONCE(skb->dev->mtu);
499         if (skb->len > mtu) {
500                 kfree_skb(skb);
501                 return -EMSGSIZE;
502         }
503
504         if (cb->ifindex) {
505                 /* direct route; use the hwaddr we stashed in sendmsg */
506                 if (cb->halen != skb->dev->addr_len) {
507                         /* sanity check, sendmsg should have already caught this */
508                         kfree_skb(skb);
509                         return -EMSGSIZE;
510                 }
511                 daddr = cb->haddr;
512         } else {
513                 /* If lookup fails let the device handle daddr==NULL */
514                 if (mctp_neigh_lookup(route->dev, hdr->dest, daddr_buf) == 0)
515                         daddr = daddr_buf;
516         }
517
518         rc = dev_hard_header(skb, skb->dev, ntohs(skb->protocol),
519                              daddr, skb->dev->dev_addr, skb->len);
520         if (rc < 0) {
521                 kfree_skb(skb);
522                 return -EHOSTUNREACH;
523         }
524
525         mctp_flow_prepare_output(skb, route->dev);
526
527         rc = dev_queue_xmit(skb);
528         if (rc)
529                 rc = net_xmit_errno(rc);
530
531         return rc;
532 }
533
534 /* route alloc/release */
535 static void mctp_route_release(struct mctp_route *rt)
536 {
537         if (refcount_dec_and_test(&rt->refs)) {
538                 mctp_dev_put(rt->dev);
539                 kfree_rcu(rt, rcu);
540         }
541 }
542
543 /* returns a route with the refcount at 1 */
544 static struct mctp_route *mctp_route_alloc(void)
545 {
546         struct mctp_route *rt;
547
548         rt = kzalloc(sizeof(*rt), GFP_KERNEL);
549         if (!rt)
550                 return NULL;
551
552         INIT_LIST_HEAD(&rt->list);
553         refcount_set(&rt->refs, 1);
554         rt->output = mctp_route_discard;
555
556         return rt;
557 }
558
559 unsigned int mctp_default_net(struct net *net)
560 {
561         return READ_ONCE(net->mctp.default_net);
562 }
563
564 int mctp_default_net_set(struct net *net, unsigned int index)
565 {
566         if (index == 0)
567                 return -EINVAL;
568         WRITE_ONCE(net->mctp.default_net, index);
569         return 0;
570 }
571
572 /* tag management */
573 static void mctp_reserve_tag(struct net *net, struct mctp_sk_key *key,
574                              struct mctp_sock *msk)
575 {
576         struct netns_mctp *mns = &net->mctp;
577
578         lockdep_assert_held(&mns->keys_lock);
579
580         key->expiry = jiffies + mctp_key_lifetime;
581         timer_reduce(&msk->key_expiry, key->expiry);
582
583         /* we hold the net->key_lock here, allowing updates to both
584          * then net and sk
585          */
586         hlist_add_head_rcu(&key->hlist, &mns->keys);
587         hlist_add_head_rcu(&key->sklist, &msk->keys);
588         refcount_inc(&key->refs);
589 }
590
591 /* Allocate a locally-owned tag value for (saddr, daddr), and reserve
592  * it for the socket msk
593  */
594 struct mctp_sk_key *mctp_alloc_local_tag(struct mctp_sock *msk,
595                                          mctp_eid_t daddr, mctp_eid_t saddr,
596                                          bool manual, u8 *tagp)
597 {
598         struct net *net = sock_net(&msk->sk);
599         struct netns_mctp *mns = &net->mctp;
600         struct mctp_sk_key *key, *tmp;
601         unsigned long flags;
602         u8 tagbits;
603
604         /* for NULL destination EIDs, we may get a response from any peer */
605         if (daddr == MCTP_ADDR_NULL)
606                 daddr = MCTP_ADDR_ANY;
607
608         /* be optimistic, alloc now */
609         key = mctp_key_alloc(msk, saddr, daddr, 0, GFP_KERNEL);
610         if (!key)
611                 return ERR_PTR(-ENOMEM);
612
613         /* 8 possible tag values */
614         tagbits = 0xff;
615
616         spin_lock_irqsave(&mns->keys_lock, flags);
617
618         /* Walk through the existing keys, looking for potential conflicting
619          * tags. If we find a conflict, clear that bit from tagbits
620          */
621         hlist_for_each_entry(tmp, &mns->keys, hlist) {
622                 /* We can check the lookup fields (*_addr, tag) without the
623                  * lock held, they don't change over the lifetime of the key.
624                  */
625
626                 /* if we don't own the tag, it can't conflict */
627                 if (tmp->tag & MCTP_HDR_FLAG_TO)
628                         continue;
629
630                 if (!(mctp_address_matches(tmp->peer_addr, daddr) &&
631                       mctp_address_matches(tmp->local_addr, saddr)))
632                         continue;
633
634                 spin_lock(&tmp->lock);
635                 /* key must still be valid. If we find a match, clear the
636                  * potential tag value
637                  */
638                 if (tmp->valid)
639                         tagbits &= ~(1 << tmp->tag);
640                 spin_unlock(&tmp->lock);
641
642                 if (!tagbits)
643                         break;
644         }
645
646         if (tagbits) {
647                 key->tag = __ffs(tagbits);
648                 mctp_reserve_tag(net, key, msk);
649                 trace_mctp_key_acquire(key);
650
651                 key->manual_alloc = manual;
652                 *tagp = key->tag;
653         }
654
655         spin_unlock_irqrestore(&mns->keys_lock, flags);
656
657         if (!tagbits) {
658                 kfree(key);
659                 return ERR_PTR(-EBUSY);
660         }
661
662         return key;
663 }
664
665 static struct mctp_sk_key *mctp_lookup_prealloc_tag(struct mctp_sock *msk,
666                                                     mctp_eid_t daddr,
667                                                     u8 req_tag, u8 *tagp)
668 {
669         struct net *net = sock_net(&msk->sk);
670         struct netns_mctp *mns = &net->mctp;
671         struct mctp_sk_key *key, *tmp;
672         unsigned long flags;
673
674         req_tag &= ~(MCTP_TAG_PREALLOC | MCTP_TAG_OWNER);
675         key = NULL;
676
677         spin_lock_irqsave(&mns->keys_lock, flags);
678
679         hlist_for_each_entry(tmp, &mns->keys, hlist) {
680                 if (tmp->tag != req_tag)
681                         continue;
682
683                 if (!mctp_address_matches(tmp->peer_addr, daddr))
684                         continue;
685
686                 if (!tmp->manual_alloc)
687                         continue;
688
689                 spin_lock(&tmp->lock);
690                 if (tmp->valid) {
691                         key = tmp;
692                         refcount_inc(&key->refs);
693                         spin_unlock(&tmp->lock);
694                         break;
695                 }
696                 spin_unlock(&tmp->lock);
697         }
698         spin_unlock_irqrestore(&mns->keys_lock, flags);
699
700         if (!key)
701                 return ERR_PTR(-ENOENT);
702
703         if (tagp)
704                 *tagp = key->tag;
705
706         return key;
707 }
708
709 /* routing lookups */
710 static bool mctp_rt_match_eid(struct mctp_route *rt,
711                               unsigned int net, mctp_eid_t eid)
712 {
713         return READ_ONCE(rt->dev->net) == net &&
714                 rt->min <= eid && rt->max >= eid;
715 }
716
717 /* compares match, used for duplicate prevention */
718 static bool mctp_rt_compare_exact(struct mctp_route *rt1,
719                                   struct mctp_route *rt2)
720 {
721         ASSERT_RTNL();
722         return rt1->dev->net == rt2->dev->net &&
723                 rt1->min == rt2->min &&
724                 rt1->max == rt2->max;
725 }
726
727 struct mctp_route *mctp_route_lookup(struct net *net, unsigned int dnet,
728                                      mctp_eid_t daddr)
729 {
730         struct mctp_route *tmp, *rt = NULL;
731
732         list_for_each_entry_rcu(tmp, &net->mctp.routes, list) {
733                 /* TODO: add metrics */
734                 if (mctp_rt_match_eid(tmp, dnet, daddr)) {
735                         if (refcount_inc_not_zero(&tmp->refs)) {
736                                 rt = tmp;
737                                 break;
738                         }
739                 }
740         }
741
742         return rt;
743 }
744
745 static struct mctp_route *mctp_route_lookup_null(struct net *net,
746                                                  struct net_device *dev)
747 {
748         struct mctp_route *rt;
749
750         list_for_each_entry_rcu(rt, &net->mctp.routes, list) {
751                 if (rt->dev->dev == dev && rt->type == RTN_LOCAL &&
752                     refcount_inc_not_zero(&rt->refs))
753                         return rt;
754         }
755
756         return NULL;
757 }
758
759 static int mctp_do_fragment_route(struct mctp_route *rt, struct sk_buff *skb,
760                                   unsigned int mtu, u8 tag)
761 {
762         const unsigned int hlen = sizeof(struct mctp_hdr);
763         struct mctp_hdr *hdr, *hdr2;
764         unsigned int pos, size, headroom;
765         struct sk_buff *skb2;
766         int rc;
767         u8 seq;
768
769         hdr = mctp_hdr(skb);
770         seq = 0;
771         rc = 0;
772
773         if (mtu < hlen + 1) {
774                 kfree_skb(skb);
775                 return -EMSGSIZE;
776         }
777
778         /* keep same headroom as the original skb */
779         headroom = skb_headroom(skb);
780
781         /* we've got the header */
782         skb_pull(skb, hlen);
783
784         for (pos = 0; pos < skb->len;) {
785                 /* size of message payload */
786                 size = min(mtu - hlen, skb->len - pos);
787
788                 skb2 = alloc_skb(headroom + hlen + size, GFP_KERNEL);
789                 if (!skb2) {
790                         rc = -ENOMEM;
791                         break;
792                 }
793
794                 /* generic skb copy */
795                 skb2->protocol = skb->protocol;
796                 skb2->priority = skb->priority;
797                 skb2->dev = skb->dev;
798                 memcpy(skb2->cb, skb->cb, sizeof(skb2->cb));
799
800                 if (skb->sk)
801                         skb_set_owner_w(skb2, skb->sk);
802
803                 /* establish packet */
804                 skb_reserve(skb2, headroom);
805                 skb_reset_network_header(skb2);
806                 skb_put(skb2, hlen + size);
807                 skb2->transport_header = skb2->network_header + hlen;
808
809                 /* copy header fields, calculate SOM/EOM flags & seq */
810                 hdr2 = mctp_hdr(skb2);
811                 hdr2->ver = hdr->ver;
812                 hdr2->dest = hdr->dest;
813                 hdr2->src = hdr->src;
814                 hdr2->flags_seq_tag = tag &
815                         (MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
816
817                 if (pos == 0)
818                         hdr2->flags_seq_tag |= MCTP_HDR_FLAG_SOM;
819
820                 if (pos + size == skb->len)
821                         hdr2->flags_seq_tag |= MCTP_HDR_FLAG_EOM;
822
823                 hdr2->flags_seq_tag |= seq << MCTP_HDR_SEQ_SHIFT;
824
825                 /* copy message payload */
826                 skb_copy_bits(skb, pos, skb_transport_header(skb2), size);
827
828                 /* do route */
829                 rc = rt->output(rt, skb2);
830                 if (rc)
831                         break;
832
833                 seq = (seq + 1) & MCTP_HDR_SEQ_MASK;
834                 pos += size;
835         }
836
837         consume_skb(skb);
838         return rc;
839 }
840
841 int mctp_local_output(struct sock *sk, struct mctp_route *rt,
842                       struct sk_buff *skb, mctp_eid_t daddr, u8 req_tag)
843 {
844         struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk);
845         struct mctp_skb_cb *cb = mctp_cb(skb);
846         struct mctp_route tmp_rt = {0};
847         struct mctp_sk_key *key;
848         struct mctp_hdr *hdr;
849         unsigned long flags;
850         unsigned int mtu;
851         mctp_eid_t saddr;
852         bool ext_rt;
853         int rc;
854         u8 tag;
855
856         rc = -ENODEV;
857
858         if (rt) {
859                 ext_rt = false;
860                 if (WARN_ON(!rt->dev))
861                         goto out_release;
862
863         } else if (cb->ifindex) {
864                 struct net_device *dev;
865
866                 ext_rt = true;
867                 rt = &tmp_rt;
868
869                 rcu_read_lock();
870                 dev = dev_get_by_index_rcu(sock_net(sk), cb->ifindex);
871                 if (!dev) {
872                         rcu_read_unlock();
873                         return rc;
874                 }
875                 rt->dev = __mctp_dev_get(dev);
876                 rcu_read_unlock();
877
878                 if (!rt->dev)
879                         goto out_release;
880
881                 /* establish temporary route - we set up enough to keep
882                  * mctp_route_output happy
883                  */
884                 rt->output = mctp_route_output;
885                 rt->mtu = 0;
886
887         } else {
888                 return -EINVAL;
889         }
890
891         spin_lock_irqsave(&rt->dev->addrs_lock, flags);
892         if (rt->dev->num_addrs == 0) {
893                 rc = -EHOSTUNREACH;
894         } else {
895                 /* use the outbound interface's first address as our source */
896                 saddr = rt->dev->addrs[0];
897                 rc = 0;
898         }
899         spin_unlock_irqrestore(&rt->dev->addrs_lock, flags);
900
901         if (rc)
902                 goto out_release;
903
904         if (req_tag & MCTP_TAG_OWNER) {
905                 if (req_tag & MCTP_TAG_PREALLOC)
906                         key = mctp_lookup_prealloc_tag(msk, daddr,
907                                                        req_tag, &tag);
908                 else
909                         key = mctp_alloc_local_tag(msk, daddr, saddr,
910                                                    false, &tag);
911
912                 if (IS_ERR(key)) {
913                         rc = PTR_ERR(key);
914                         goto out_release;
915                 }
916                 mctp_skb_set_flow(skb, key);
917                 /* done with the key in this scope */
918                 mctp_key_unref(key);
919                 tag |= MCTP_HDR_FLAG_TO;
920         } else {
921                 key = NULL;
922                 tag = req_tag & MCTP_TAG_MASK;
923         }
924
925         skb->protocol = htons(ETH_P_MCTP);
926         skb->priority = 0;
927         skb_reset_transport_header(skb);
928         skb_push(skb, sizeof(struct mctp_hdr));
929         skb_reset_network_header(skb);
930         skb->dev = rt->dev->dev;
931
932         /* cb->net will have been set on initial ingress */
933         cb->src = saddr;
934
935         /* set up common header fields */
936         hdr = mctp_hdr(skb);
937         hdr->ver = 1;
938         hdr->dest = daddr;
939         hdr->src = saddr;
940
941         mtu = mctp_route_mtu(rt);
942
943         if (skb->len + sizeof(struct mctp_hdr) <= mtu) {
944                 hdr->flags_seq_tag = MCTP_HDR_FLAG_SOM |
945                         MCTP_HDR_FLAG_EOM | tag;
946                 rc = rt->output(rt, skb);
947         } else {
948                 rc = mctp_do_fragment_route(rt, skb, mtu, tag);
949         }
950
951 out_release:
952         if (!ext_rt)
953                 mctp_route_release(rt);
954
955         mctp_dev_put(tmp_rt.dev);
956
957         return rc;
958 }
959
960 /* route management */
961 static int mctp_route_add(struct mctp_dev *mdev, mctp_eid_t daddr_start,
962                           unsigned int daddr_extent, unsigned int mtu,
963                           unsigned char type)
964 {
965         int (*rtfn)(struct mctp_route *rt, struct sk_buff *skb);
966         struct net *net = dev_net(mdev->dev);
967         struct mctp_route *rt, *ert;
968
969         if (!mctp_address_unicast(daddr_start))
970                 return -EINVAL;
971
972         if (daddr_extent > 0xff || daddr_start + daddr_extent >= 255)
973                 return -EINVAL;
974
975         switch (type) {
976         case RTN_LOCAL:
977                 rtfn = mctp_route_input;
978                 break;
979         case RTN_UNICAST:
980                 rtfn = mctp_route_output;
981                 break;
982         default:
983                 return -EINVAL;
984         }
985
986         rt = mctp_route_alloc();
987         if (!rt)
988                 return -ENOMEM;
989
990         rt->min = daddr_start;
991         rt->max = daddr_start + daddr_extent;
992         rt->mtu = mtu;
993         rt->dev = mdev;
994         mctp_dev_hold(rt->dev);
995         rt->type = type;
996         rt->output = rtfn;
997
998         ASSERT_RTNL();
999         /* Prevent duplicate identical routes. */
1000         list_for_each_entry(ert, &net->mctp.routes, list) {
1001                 if (mctp_rt_compare_exact(rt, ert)) {
1002                         mctp_route_release(rt);
1003                         return -EEXIST;
1004                 }
1005         }
1006
1007         list_add_rcu(&rt->list, &net->mctp.routes);
1008
1009         return 0;
1010 }
1011
1012 static int mctp_route_remove(struct mctp_dev *mdev, mctp_eid_t daddr_start,
1013                              unsigned int daddr_extent, unsigned char type)
1014 {
1015         struct net *net = dev_net(mdev->dev);
1016         struct mctp_route *rt, *tmp;
1017         mctp_eid_t daddr_end;
1018         bool dropped;
1019
1020         if (daddr_extent > 0xff || daddr_start + daddr_extent >= 255)
1021                 return -EINVAL;
1022
1023         daddr_end = daddr_start + daddr_extent;
1024         dropped = false;
1025
1026         ASSERT_RTNL();
1027
1028         list_for_each_entry_safe(rt, tmp, &net->mctp.routes, list) {
1029                 if (rt->dev == mdev &&
1030                     rt->min == daddr_start && rt->max == daddr_end &&
1031                     rt->type == type) {
1032                         list_del_rcu(&rt->list);
1033                         /* TODO: immediate RTM_DELROUTE */
1034                         mctp_route_release(rt);
1035                         dropped = true;
1036                 }
1037         }
1038
1039         return dropped ? 0 : -ENOENT;
1040 }
1041
1042 int mctp_route_add_local(struct mctp_dev *mdev, mctp_eid_t addr)
1043 {
1044         return mctp_route_add(mdev, addr, 0, 0, RTN_LOCAL);
1045 }
1046
1047 int mctp_route_remove_local(struct mctp_dev *mdev, mctp_eid_t addr)
1048 {
1049         return mctp_route_remove(mdev, addr, 0, RTN_LOCAL);
1050 }
1051
1052 /* removes all entries for a given device */
1053 void mctp_route_remove_dev(struct mctp_dev *mdev)
1054 {
1055         struct net *net = dev_net(mdev->dev);
1056         struct mctp_route *rt, *tmp;
1057
1058         ASSERT_RTNL();
1059         list_for_each_entry_safe(rt, tmp, &net->mctp.routes, list) {
1060                 if (rt->dev == mdev) {
1061                         list_del_rcu(&rt->list);
1062                         /* TODO: immediate RTM_DELROUTE */
1063                         mctp_route_release(rt);
1064                 }
1065         }
1066 }
1067
1068 /* Incoming packet-handling */
1069
1070 static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev,
1071                                 struct packet_type *pt,
1072                                 struct net_device *orig_dev)
1073 {
1074         struct net *net = dev_net(dev);
1075         struct mctp_dev *mdev;
1076         struct mctp_skb_cb *cb;
1077         struct mctp_route *rt;
1078         struct mctp_hdr *mh;
1079
1080         rcu_read_lock();
1081         mdev = __mctp_dev_get(dev);
1082         rcu_read_unlock();
1083         if (!mdev) {
1084                 /* basic non-data sanity checks */
1085                 goto err_drop;
1086         }
1087
1088         if (!pskb_may_pull(skb, sizeof(struct mctp_hdr)))
1089                 goto err_drop;
1090
1091         skb_reset_transport_header(skb);
1092         skb_reset_network_header(skb);
1093
1094         /* We have enough for a header; decode and route */
1095         mh = mctp_hdr(skb);
1096         if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
1097                 goto err_drop;
1098
1099         /* source must be valid unicast or null; drop reserved ranges and
1100          * broadcast
1101          */
1102         if (!(mctp_address_unicast(mh->src) || mctp_address_null(mh->src)))
1103                 goto err_drop;
1104
1105         /* dest address: as above, but allow broadcast */
1106         if (!(mctp_address_unicast(mh->dest) || mctp_address_null(mh->dest) ||
1107               mctp_address_broadcast(mh->dest)))
1108                 goto err_drop;
1109
1110         /* MCTP drivers must populate halen/haddr */
1111         if (dev->type == ARPHRD_MCTP) {
1112                 cb = mctp_cb(skb);
1113         } else {
1114                 cb = __mctp_cb(skb);
1115                 cb->halen = 0;
1116         }
1117         cb->net = READ_ONCE(mdev->net);
1118         cb->ifindex = dev->ifindex;
1119
1120         rt = mctp_route_lookup(net, cb->net, mh->dest);
1121
1122         /* NULL EID, but addressed to our physical address */
1123         if (!rt && mh->dest == MCTP_ADDR_NULL && skb->pkt_type == PACKET_HOST)
1124                 rt = mctp_route_lookup_null(net, dev);
1125
1126         if (!rt)
1127                 goto err_drop;
1128
1129         rt->output(rt, skb);
1130         mctp_route_release(rt);
1131         mctp_dev_put(mdev);
1132
1133         return NET_RX_SUCCESS;
1134
1135 err_drop:
1136         kfree_skb(skb);
1137         mctp_dev_put(mdev);
1138         return NET_RX_DROP;
1139 }
1140
1141 static struct packet_type mctp_packet_type = {
1142         .type = cpu_to_be16(ETH_P_MCTP),
1143         .func = mctp_pkttype_receive,
1144 };
1145
1146 /* netlink interface */
1147
1148 static const struct nla_policy rta_mctp_policy[RTA_MAX + 1] = {
1149         [RTA_DST]               = { .type = NLA_U8 },
1150         [RTA_METRICS]           = { .type = NLA_NESTED },
1151         [RTA_OIF]               = { .type = NLA_U32 },
1152 };
1153
1154 /* Common part for RTM_NEWROUTE and RTM_DELROUTE parsing.
1155  * tb must hold RTA_MAX+1 elements.
1156  */
1157 static int mctp_route_nlparse(struct sk_buff *skb, struct nlmsghdr *nlh,
1158                               struct netlink_ext_ack *extack,
1159                               struct nlattr **tb, struct rtmsg **rtm,
1160                               struct mctp_dev **mdev, mctp_eid_t *daddr_start)
1161 {
1162         struct net *net = sock_net(skb->sk);
1163         struct net_device *dev;
1164         unsigned int ifindex;
1165         int rc;
1166
1167         rc = nlmsg_parse(nlh, sizeof(struct rtmsg), tb, RTA_MAX,
1168                          rta_mctp_policy, extack);
1169         if (rc < 0) {
1170                 NL_SET_ERR_MSG(extack, "incorrect format");
1171                 return rc;
1172         }
1173
1174         if (!tb[RTA_DST]) {
1175                 NL_SET_ERR_MSG(extack, "dst EID missing");
1176                 return -EINVAL;
1177         }
1178         *daddr_start = nla_get_u8(tb[RTA_DST]);
1179
1180         if (!tb[RTA_OIF]) {
1181                 NL_SET_ERR_MSG(extack, "ifindex missing");
1182                 return -EINVAL;
1183         }
1184         ifindex = nla_get_u32(tb[RTA_OIF]);
1185
1186         *rtm = nlmsg_data(nlh);
1187         if ((*rtm)->rtm_family != AF_MCTP) {
1188                 NL_SET_ERR_MSG(extack, "route family must be AF_MCTP");
1189                 return -EINVAL;
1190         }
1191
1192         dev = __dev_get_by_index(net, ifindex);
1193         if (!dev) {
1194                 NL_SET_ERR_MSG(extack, "bad ifindex");
1195                 return -ENODEV;
1196         }
1197         *mdev = mctp_dev_get_rtnl(dev);
1198         if (!*mdev)
1199                 return -ENODEV;
1200
1201         if (dev->flags & IFF_LOOPBACK) {
1202                 NL_SET_ERR_MSG(extack, "no routes to loopback");
1203                 return -EINVAL;
1204         }
1205
1206         return 0;
1207 }
1208
1209 static const struct nla_policy rta_metrics_policy[RTAX_MAX + 1] = {
1210         [RTAX_MTU]              = { .type = NLA_U32 },
1211 };
1212
1213 static int mctp_newroute(struct sk_buff *skb, struct nlmsghdr *nlh,
1214                          struct netlink_ext_ack *extack)
1215 {
1216         struct nlattr *tb[RTA_MAX + 1];
1217         struct nlattr *tbx[RTAX_MAX + 1];
1218         mctp_eid_t daddr_start;
1219         struct mctp_dev *mdev;
1220         struct rtmsg *rtm;
1221         unsigned int mtu;
1222         int rc;
1223
1224         rc = mctp_route_nlparse(skb, nlh, extack, tb,
1225                                 &rtm, &mdev, &daddr_start);
1226         if (rc < 0)
1227                 return rc;
1228
1229         if (rtm->rtm_type != RTN_UNICAST) {
1230                 NL_SET_ERR_MSG(extack, "rtm_type must be RTN_UNICAST");
1231                 return -EINVAL;
1232         }
1233
1234         mtu = 0;
1235         if (tb[RTA_METRICS]) {
1236                 rc = nla_parse_nested(tbx, RTAX_MAX, tb[RTA_METRICS],
1237                                       rta_metrics_policy, NULL);
1238                 if (rc < 0)
1239                         return rc;
1240                 if (tbx[RTAX_MTU])
1241                         mtu = nla_get_u32(tbx[RTAX_MTU]);
1242         }
1243
1244         if (rtm->rtm_type != RTN_UNICAST)
1245                 return -EINVAL;
1246
1247         rc = mctp_route_add(mdev, daddr_start, rtm->rtm_dst_len, mtu,
1248                             rtm->rtm_type);
1249         return rc;
1250 }
1251
1252 static int mctp_delroute(struct sk_buff *skb, struct nlmsghdr *nlh,
1253                          struct netlink_ext_ack *extack)
1254 {
1255         struct nlattr *tb[RTA_MAX + 1];
1256         mctp_eid_t daddr_start;
1257         struct mctp_dev *mdev;
1258         struct rtmsg *rtm;
1259         int rc;
1260
1261         rc = mctp_route_nlparse(skb, nlh, extack, tb,
1262                                 &rtm, &mdev, &daddr_start);
1263         if (rc < 0)
1264                 return rc;
1265
1266         /* we only have unicast routes */
1267         if (rtm->rtm_type != RTN_UNICAST)
1268                 return -EINVAL;
1269
1270         rc = mctp_route_remove(mdev, daddr_start, rtm->rtm_dst_len, RTN_UNICAST);
1271         return rc;
1272 }
1273
1274 static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
1275                             u32 portid, u32 seq, int event, unsigned int flags)
1276 {
1277         struct nlmsghdr *nlh;
1278         struct rtmsg *hdr;
1279         void *metrics;
1280
1281         nlh = nlmsg_put(skb, portid, seq, event, sizeof(*hdr), flags);
1282         if (!nlh)
1283                 return -EMSGSIZE;
1284
1285         hdr = nlmsg_data(nlh);
1286         hdr->rtm_family = AF_MCTP;
1287
1288         /* we use the _len fields as a number of EIDs, rather than
1289          * a number of bits in the address
1290          */
1291         hdr->rtm_dst_len = rt->max - rt->min;
1292         hdr->rtm_src_len = 0;
1293         hdr->rtm_tos = 0;
1294         hdr->rtm_table = RT_TABLE_DEFAULT;
1295         hdr->rtm_protocol = RTPROT_STATIC; /* everything is user-defined */
1296         hdr->rtm_scope = RT_SCOPE_LINK; /* TODO: scope in mctp_route? */
1297         hdr->rtm_type = rt->type;
1298
1299         if (nla_put_u8(skb, RTA_DST, rt->min))
1300                 goto cancel;
1301
1302         metrics = nla_nest_start_noflag(skb, RTA_METRICS);
1303         if (!metrics)
1304                 goto cancel;
1305
1306         if (rt->mtu) {
1307                 if (nla_put_u32(skb, RTAX_MTU, rt->mtu))
1308                         goto cancel;
1309         }
1310
1311         nla_nest_end(skb, metrics);
1312
1313         if (rt->dev) {
1314                 if (nla_put_u32(skb, RTA_OIF, rt->dev->dev->ifindex))
1315                         goto cancel;
1316         }
1317
1318         /* TODO: conditional neighbour physaddr? */
1319
1320         nlmsg_end(skb, nlh);
1321
1322         return 0;
1323
1324 cancel:
1325         nlmsg_cancel(skb, nlh);
1326         return -EMSGSIZE;
1327 }
1328
1329 static int mctp_dump_rtinfo(struct sk_buff *skb, struct netlink_callback *cb)
1330 {
1331         struct net *net = sock_net(skb->sk);
1332         struct mctp_route *rt;
1333         int s_idx, idx;
1334
1335         /* TODO: allow filtering on route data, possibly under
1336          * cb->strict_check
1337          */
1338
1339         /* TODO: change to struct overlay */
1340         s_idx = cb->args[0];
1341         idx = 0;
1342
1343         rcu_read_lock();
1344         list_for_each_entry_rcu(rt, &net->mctp.routes, list) {
1345                 if (idx++ < s_idx)
1346                         continue;
1347                 if (mctp_fill_rtinfo(skb, rt,
1348                                      NETLINK_CB(cb->skb).portid,
1349                                      cb->nlh->nlmsg_seq,
1350                                      RTM_NEWROUTE, NLM_F_MULTI) < 0)
1351                         break;
1352         }
1353
1354         rcu_read_unlock();
1355         cb->args[0] = idx;
1356
1357         return skb->len;
1358 }
1359
1360 /* net namespace implementation */
1361 static int __net_init mctp_routes_net_init(struct net *net)
1362 {
1363         struct netns_mctp *ns = &net->mctp;
1364
1365         INIT_LIST_HEAD(&ns->routes);
1366         INIT_HLIST_HEAD(&ns->binds);
1367         mutex_init(&ns->bind_lock);
1368         INIT_HLIST_HEAD(&ns->keys);
1369         spin_lock_init(&ns->keys_lock);
1370         WARN_ON(mctp_default_net_set(net, MCTP_INITIAL_DEFAULT_NET));
1371         return 0;
1372 }
1373
1374 static void __net_exit mctp_routes_net_exit(struct net *net)
1375 {
1376         struct mctp_route *rt;
1377
1378         rcu_read_lock();
1379         list_for_each_entry_rcu(rt, &net->mctp.routes, list)
1380                 mctp_route_release(rt);
1381         rcu_read_unlock();
1382 }
1383
1384 static struct pernet_operations mctp_net_ops = {
1385         .init = mctp_routes_net_init,
1386         .exit = mctp_routes_net_exit,
1387 };
1388
1389 int __init mctp_routes_init(void)
1390 {
1391         dev_add_pack(&mctp_packet_type);
1392
1393         rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_GETROUTE,
1394                              NULL, mctp_dump_rtinfo, 0);
1395         rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_NEWROUTE,
1396                              mctp_newroute, NULL, 0);
1397         rtnl_register_module(THIS_MODULE, PF_MCTP, RTM_DELROUTE,
1398                              mctp_delroute, NULL, 0);
1399
1400         return register_pernet_subsys(&mctp_net_ops);
1401 }
1402
1403 void __exit mctp_routes_exit(void)
1404 {
1405         unregister_pernet_subsys(&mctp_net_ops);
1406         rtnl_unregister(PF_MCTP, RTM_DELROUTE);
1407         rtnl_unregister(PF_MCTP, RTM_NEWROUTE);
1408         rtnl_unregister(PF_MCTP, RTM_GETROUTE);
1409         dev_remove_pack(&mctp_packet_type);
1410 }
1411
1412 #if IS_ENABLED(CONFIG_MCTP_TEST)
1413 #include "test/route-test.c"
1414 #endif