1 // SPDX-License-Identifier: GPL-2.0-only
2 /* Copyright (c) 2016 Tom Herbert <tom@herbertland.com> */
4 #include <linux/skbuff.h>
5 #include <linux/workqueue.h>
6 #include <net/strparser.h>
13 static struct workqueue_struct *tls_strp_wq;
15 static void tls_strp_abort_strp(struct tls_strparser *strp, int err)
22 /* Report an error on the lower socket */
23 strp->sk->sk_err = -err;
24 sk_error_report(strp->sk);
27 static void tls_strp_anchor_free(struct tls_strparser *strp)
29 struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
31 DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);
33 shinfo->frag_list = NULL;
34 consume_skb(strp->anchor);
38 static struct sk_buff *
39 tls_strp_skb_copy(struct tls_strparser *strp, struct sk_buff *in_skb,
45 skb = alloc_skb_with_frags(0, len, TLS_PAGE_ORDER,
46 &err, strp->sk->sk_allocation);
50 for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
51 skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
53 WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
54 skb_frag_address(frag),
55 skb_frag_size(frag)));
56 offset += skb_frag_size(frag);
61 skb_copy_header(skb, in_skb);
65 /* Create a new skb with the contents of input copied to its page frags */
66 static struct sk_buff *tls_strp_msg_make_copy(struct tls_strparser *strp)
71 skb = tls_strp_skb_copy(strp, strp->anchor, strp->stm.offset,
81 /* Steal the input skb, input msg is invalid after calling this function */
82 struct sk_buff *tls_strp_msg_detach(struct tls_sw_context_rx *ctx)
84 struct tls_strparser *strp = &ctx->strp;
86 #ifdef CONFIG_TLS_DEVICE
87 DEBUG_NET_WARN_ON_ONCE(!strp->anchor->decrypted);
89 /* This function turns an input into an output,
90 * that can only happen if we have offload.
95 if (strp->copy_mode) {
98 /* Replace anchor with an empty skb, this is a little
99 * dangerous but __tls_cur_msg() warns on empty skbs
100 * so hopefully we'll catch abuses.
102 skb = alloc_skb(0, strp->sk->sk_allocation);
106 swap(strp->anchor, skb);
110 return tls_strp_msg_make_copy(strp);
113 /* Force the input skb to be in copy mode. The data ownership remains
114 * with the input skb itself (meaning unpause will wipe it) but it can
117 int tls_strp_msg_cow(struct tls_sw_context_rx *ctx)
119 struct tls_strparser *strp = &ctx->strp;
125 skb = tls_strp_msg_make_copy(strp);
129 tls_strp_anchor_free(strp);
132 tcp_read_done(strp->sk, strp->stm.full_len);
138 /* Make a clone (in the skb sense) of the input msg to keep a reference
139 * to the underlying data. The reference-holding skbs get placed on
142 int tls_strp_msg_hold(struct tls_strparser *strp, struct sk_buff_head *dst)
144 struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
146 if (strp->copy_mode) {
149 WARN_ON_ONCE(!shinfo->nr_frags);
151 /* We can't skb_clone() the anchor, it gets wiped by unpause */
152 skb = alloc_skb(0, strp->sk->sk_allocation);
156 __skb_queue_tail(dst, strp->anchor);
159 struct sk_buff *iter, *clone;
160 int chunk, len, offset;
162 offset = strp->stm.offset;
163 len = strp->stm.full_len;
164 iter = shinfo->frag_list;
167 if (iter->len <= offset) {
172 chunk = iter->len - offset;
175 clone = skb_clone(iter, strp->sk->sk_allocation);
178 __skb_queue_tail(dst, clone);
189 static void tls_strp_flush_anchor_copy(struct tls_strparser *strp)
191 struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
194 DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);
196 for (i = 0; i < shinfo->nr_frags; i++)
197 __skb_frag_unref(&shinfo->frags[i], false);
198 shinfo->nr_frags = 0;
199 if (strp->copy_mode) {
200 kfree_skb_list(shinfo->frag_list);
201 shinfo->frag_list = NULL;
204 strp->mixed_decrypted = 0;
207 static int tls_strp_copyin_frag(struct tls_strparser *strp, struct sk_buff *skb,
208 struct sk_buff *in_skb, unsigned int offset,
215 frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE];
218 /* First make sure we got the header */
219 if (!strp->stm.full_len) {
220 /* Assume one page is more than enough for headers */
221 chunk = min_t(size_t, len, PAGE_SIZE - skb_frag_size(frag));
222 WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
223 skb_frag_address(frag) +
228 skb->data_len += chunk;
229 skb_frag_size_add(frag, chunk);
231 sz = tls_rx_msg_size(strp, skb);
235 /* We may have over-read, sz == 0 is guaranteed under-read */
236 if (unlikely(sz && sz < skb->len)) {
237 int over = skb->len - sz;
239 WARN_ON_ONCE(over > chunk);
241 skb->data_len -= over;
242 skb_frag_size_add(frag, -over);
251 strp->stm.full_len = sz;
252 if (!strp->stm.full_len)
256 /* Load up more data */
257 while (len && strp->stm.full_len > skb->len) {
258 chunk = min_t(size_t, len, strp->stm.full_len - skb->len);
259 chunk = min_t(size_t, chunk, PAGE_SIZE - skb_frag_size(frag));
260 WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
261 skb_frag_address(frag) +
266 skb->data_len += chunk;
267 skb_frag_size_add(frag, chunk);
277 static int tls_strp_copyin_skb(struct tls_strparser *strp, struct sk_buff *skb,
278 struct sk_buff *in_skb, unsigned int offset,
281 struct sk_buff *nskb, *first, *last;
282 struct skb_shared_info *shinfo;
286 if (strp->stm.full_len)
287 chunk = strp->stm.full_len - skb->len;
289 chunk = TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;
290 chunk = min(chunk, in_len);
292 nskb = tls_strp_skb_copy(strp, in_skb, offset, chunk);
296 shinfo = skb_shinfo(skb);
297 if (!shinfo->frag_list) {
298 shinfo->frag_list = nskb;
301 first = shinfo->frag_list;
308 skb->data_len += chunk;
310 if (!strp->stm.full_len) {
311 sz = tls_rx_msg_size(strp, skb);
315 /* We may have over-read, sz == 0 is guaranteed under-read */
316 if (unlikely(sz && sz < skb->len)) {
317 int over = skb->len - sz;
319 WARN_ON_ONCE(over > chunk);
321 skb->data_len -= over;
322 __pskb_trim(nskb, nskb->len - over);
327 strp->stm.full_len = sz;
333 static int tls_strp_copyin(read_descriptor_t *desc, struct sk_buff *in_skb,
334 unsigned int offset, size_t in_len)
336 struct tls_strparser *strp = (struct tls_strparser *)desc->arg.data;
345 skb_copy_decrypted(skb, in_skb);
347 strp->mixed_decrypted |= !!skb_cmp_decrypted(skb, in_skb);
349 if (IS_ENABLED(CONFIG_TLS_DEVICE) && strp->mixed_decrypted)
350 ret = tls_strp_copyin_skb(strp, skb, in_skb, offset, in_len);
352 ret = tls_strp_copyin_frag(strp, skb, in_skb, offset, in_len);
358 if (strp->stm.full_len && strp->stm.full_len == skb->len) {
362 tls_rx_msg_ready(strp);
368 static int tls_strp_read_copyin(struct tls_strparser *strp)
370 struct socket *sock = strp->sk->sk_socket;
371 read_descriptor_t desc;
373 desc.arg.data = strp;
375 desc.count = 1; /* give more than one skb per call */
377 /* sk should be locked here, so okay to do read_sock */
378 sock->ops->read_sock(strp->sk, &desc, tls_strp_copyin);
383 static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
385 struct skb_shared_info *shinfo;
389 /* If the rbuf is small or rcv window has collapsed to 0 we need
390 * to read the data out. Otherwise the connection will stall.
391 * Without pressure threshold of INT_MAX will never be ready.
393 if (likely(qshort && !tcp_epollin_ready(strp->sk, INT_MAX)))
396 shinfo = skb_shinfo(strp->anchor);
397 shinfo->frag_list = NULL;
399 /* If we don't know the length go max plus page for cipher overhead */
400 need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;
402 for (len = need_spc; len > 0; len -= PAGE_SIZE) {
403 page = alloc_page(strp->sk->sk_allocation);
405 tls_strp_flush_anchor_copy(strp);
409 skb_fill_page_desc(strp->anchor, shinfo->nr_frags++,
414 strp->stm.offset = 0;
416 strp->anchor->len = 0;
417 strp->anchor->data_len = 0;
418 strp->anchor->truesize = round_up(need_spc, PAGE_SIZE);
420 tls_strp_read_copyin(strp);
425 static bool tls_strp_check_queue_ok(struct tls_strparser *strp)
427 unsigned int len = strp->stm.offset + strp->stm.full_len;
428 struct sk_buff *first, *skb;
431 first = skb_shinfo(strp->anchor)->frag_list;
433 seq = TCP_SKB_CB(first)->seq;
435 /* Make sure there's no duplicate data in the queue,
436 * and the decrypted status matches.
438 while (skb->len < len) {
443 if (TCP_SKB_CB(skb)->seq != seq)
445 if (skb_cmp_decrypted(first, skb))
452 static void tls_strp_load_anchor_with_queue(struct tls_strparser *strp, int len)
454 struct tcp_sock *tp = tcp_sk(strp->sk);
455 struct sk_buff *first;
458 first = tcp_recv_skb(strp->sk, tp->copied_seq, &offset);
459 if (WARN_ON_ONCE(!first))
462 /* Bestow the state onto the anchor */
463 strp->anchor->len = offset + len;
464 strp->anchor->data_len = offset + len;
465 strp->anchor->truesize = offset + len;
467 skb_shinfo(strp->anchor)->frag_list = first;
469 skb_copy_header(strp->anchor, first);
470 strp->anchor->destructor = NULL;
472 strp->stm.offset = offset;
475 void tls_strp_msg_load(struct tls_strparser *strp, bool force_refresh)
477 struct strp_msg *rxm;
480 DEBUG_NET_WARN_ON_ONCE(!strp->msg_ready);
481 DEBUG_NET_WARN_ON_ONCE(!strp->stm.full_len);
483 if (!strp->copy_mode && force_refresh) {
484 if (WARN_ON(tcp_inq(strp->sk) < strp->stm.full_len))
487 tls_strp_load_anchor_with_queue(strp, strp->stm.full_len);
490 rxm = strp_msg(strp->anchor);
491 rxm->full_len = strp->stm.full_len;
492 rxm->offset = strp->stm.offset;
493 tlm = tls_msg(strp->anchor);
494 tlm->control = strp->mark;
497 /* Called with lock held on lower socket */
498 static int tls_strp_read_sock(struct tls_strparser *strp)
502 inq = tcp_inq(strp->sk);
506 if (unlikely(strp->copy_mode))
507 return tls_strp_read_copyin(strp);
509 if (inq < strp->stm.full_len)
510 return tls_strp_read_copy(strp, true);
512 if (!strp->stm.full_len) {
513 tls_strp_load_anchor_with_queue(strp, inq);
515 sz = tls_rx_msg_size(strp, strp->anchor);
517 tls_strp_abort_strp(strp, sz);
521 strp->stm.full_len = sz;
523 if (!strp->stm.full_len || inq < strp->stm.full_len)
524 return tls_strp_read_copy(strp, true);
527 if (!tls_strp_check_queue_ok(strp))
528 return tls_strp_read_copy(strp, false);
531 tls_rx_msg_ready(strp);
536 void tls_strp_check_rcv(struct tls_strparser *strp)
538 if (unlikely(strp->stopped) || strp->msg_ready)
541 if (tls_strp_read_sock(strp) == -ENOMEM)
542 queue_work(tls_strp_wq, &strp->work);
545 /* Lower sock lock held */
546 void tls_strp_data_ready(struct tls_strparser *strp)
548 /* This check is needed to synchronize with do_tls_strp_work.
549 * do_tls_strp_work acquires a process lock (lock_sock) whereas
550 * the lock held here is bh_lock_sock. The two locks can be
551 * held by different threads at the same time, but bh_lock_sock
552 * allows a thread in BH context to safely check if the process
553 * lock is held. In this case, if the lock is held, queue work.
555 if (sock_owned_by_user_nocheck(strp->sk)) {
556 queue_work(tls_strp_wq, &strp->work);
560 tls_strp_check_rcv(strp);
563 static void tls_strp_work(struct work_struct *w)
565 struct tls_strparser *strp =
566 container_of(w, struct tls_strparser, work);
569 tls_strp_check_rcv(strp);
570 release_sock(strp->sk);
573 void tls_strp_msg_done(struct tls_strparser *strp)
575 WARN_ON(!strp->stm.full_len);
577 if (likely(!strp->copy_mode))
578 tcp_read_done(strp->sk, strp->stm.full_len);
580 tls_strp_flush_anchor_copy(strp);
583 memset(&strp->stm, 0, sizeof(strp->stm));
585 tls_strp_check_rcv(strp);
588 void tls_strp_stop(struct tls_strparser *strp)
593 int tls_strp_init(struct tls_strparser *strp, struct sock *sk)
595 memset(strp, 0, sizeof(*strp));
599 strp->anchor = alloc_skb(0, GFP_KERNEL);
603 INIT_WORK(&strp->work, tls_strp_work);
608 /* strp must already be stopped so that tls_strp_recv will no longer be called.
609 * Note that tls_strp_done is not called with the lower socket held.
611 void tls_strp_done(struct tls_strparser *strp)
613 WARN_ON(!strp->stopped);
615 cancel_work_sync(&strp->work);
616 tls_strp_anchor_free(strp);
619 int __init tls_strp_dev_init(void)
621 tls_strp_wq = create_workqueue("tls-strp");
622 if (unlikely(!tls_strp_wq))
628 void tls_strp_dev_exit(void)
630 destroy_workqueue(tls_strp_wq);