psp_sock.c 6.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. #include <linux/file.h>
  3. #include <linux/net.h>
  4. #include <linux/rcupdate.h>
  5. #include <linux/tcp.h>
  6. #include <net/ip.h>
  7. #include <net/psp.h>
  8. #include "psp.h"
  9. struct psp_dev *psp_dev_get_for_sock(struct sock *sk)
  10. {
  11. struct psp_dev *psd = NULL;
  12. struct dst_entry *dst;
  13. rcu_read_lock();
  14. dst = __sk_dst_get(sk);
  15. if (dst) {
  16. psd = rcu_dereference(dst_dev_rcu(dst)->psp_dev);
  17. if (psd && !psp_dev_tryget(psd))
  18. psd = NULL;
  19. }
  20. rcu_read_unlock();
  21. return psd;
  22. }
  23. static struct sk_buff *
  24. psp_validate_xmit(struct sock *sk, struct net_device *dev, struct sk_buff *skb)
  25. {
  26. struct psp_assoc *pas;
  27. bool good;
  28. rcu_read_lock();
  29. pas = psp_skb_get_assoc_rcu(skb);
  30. good = !pas || rcu_access_pointer(dev->psp_dev) == pas->psd;
  31. rcu_read_unlock();
  32. if (!good) {
  33. sk_skb_reason_drop(sk, skb, SKB_DROP_REASON_PSP_OUTPUT);
  34. return NULL;
  35. }
  36. return skb;
  37. }
  38. struct psp_assoc *psp_assoc_create(struct psp_dev *psd)
  39. {
  40. struct psp_assoc *pas;
  41. lockdep_assert_held(&psd->lock);
  42. pas = kzalloc_flex(*pas, drv_data, psd->caps->assoc_drv_spc,
  43. GFP_KERNEL_ACCOUNT);
  44. if (!pas)
  45. return NULL;
  46. pas->psd = psd;
  47. pas->dev_id = psd->id;
  48. pas->generation = psd->generation;
  49. psp_dev_get(psd);
  50. refcount_set(&pas->refcnt, 1);
  51. list_add_tail(&pas->assocs_list, &psd->active_assocs);
  52. return pas;
  53. }
  54. static struct psp_assoc *psp_assoc_dummy(struct psp_assoc *pas)
  55. {
  56. struct psp_dev *psd = pas->psd;
  57. size_t sz;
  58. lockdep_assert_held(&psd->lock);
  59. sz = struct_size(pas, drv_data, psd->caps->assoc_drv_spc);
  60. return kmemdup(pas, sz, GFP_KERNEL);
  61. }
  62. static int psp_dev_tx_key_add(struct psp_dev *psd, struct psp_assoc *pas,
  63. struct netlink_ext_ack *extack)
  64. {
  65. return psd->ops->tx_key_add(psd, pas, extack);
  66. }
  67. void psp_dev_tx_key_del(struct psp_dev *psd, struct psp_assoc *pas)
  68. {
  69. if (pas->tx.spi)
  70. psd->ops->tx_key_del(psd, pas);
  71. list_del(&pas->assocs_list);
  72. }
  73. static void psp_assoc_free(struct work_struct *work)
  74. {
  75. struct psp_assoc *pas = container_of(work, struct psp_assoc, work);
  76. struct psp_dev *psd = pas->psd;
  77. mutex_lock(&psd->lock);
  78. if (psd->ops)
  79. psp_dev_tx_key_del(psd, pas);
  80. mutex_unlock(&psd->lock);
  81. psp_dev_put(psd);
  82. kfree(pas);
  83. }
  84. static void psp_assoc_free_queue(struct rcu_head *head)
  85. {
  86. struct psp_assoc *pas = container_of(head, struct psp_assoc, rcu);
  87. INIT_WORK(&pas->work, psp_assoc_free);
  88. schedule_work(&pas->work);
  89. }
  90. /**
  91. * psp_assoc_put() - release a reference on a PSP association
  92. * @pas: association to release
  93. */
  94. void psp_assoc_put(struct psp_assoc *pas)
  95. {
  96. if (pas && refcount_dec_and_test(&pas->refcnt))
  97. call_rcu(&pas->rcu, psp_assoc_free_queue);
  98. }
  99. void psp_sk_assoc_free(struct sock *sk)
  100. {
  101. struct psp_assoc *pas = rcu_dereference_protected(sk->psp_assoc, 1);
  102. rcu_assign_pointer(sk->psp_assoc, NULL);
  103. psp_assoc_put(pas);
  104. }
  105. int psp_sock_assoc_set_rx(struct sock *sk, struct psp_assoc *pas,
  106. struct psp_key_parsed *key,
  107. struct netlink_ext_ack *extack)
  108. {
  109. int err;
  110. memcpy(&pas->rx, key, sizeof(*key));
  111. lock_sock(sk);
  112. if (psp_sk_assoc(sk)) {
  113. NL_SET_ERR_MSG(extack, "Socket already has PSP state");
  114. err = -EBUSY;
  115. goto exit_unlock;
  116. }
  117. refcount_inc(&pas->refcnt);
  118. rcu_assign_pointer(sk->psp_assoc, pas);
  119. err = 0;
  120. exit_unlock:
  121. release_sock(sk);
  122. return err;
  123. }
  124. static int psp_sock_recv_queue_check(struct sock *sk, struct psp_assoc *pas)
  125. {
  126. struct psp_skb_ext *pse;
  127. struct sk_buff *skb;
  128. skb_rbtree_walk(skb, &tcp_sk(sk)->out_of_order_queue) {
  129. pse = skb_ext_find(skb, SKB_EXT_PSP);
  130. if (!psp_pse_matches_pas(pse, pas))
  131. return -EBUSY;
  132. }
  133. skb_queue_walk(&sk->sk_receive_queue, skb) {
  134. pse = skb_ext_find(skb, SKB_EXT_PSP);
  135. if (!psp_pse_matches_pas(pse, pas))
  136. return -EBUSY;
  137. }
  138. return 0;
  139. }
  140. int psp_sock_assoc_set_tx(struct sock *sk, struct psp_dev *psd,
  141. u32 version, struct psp_key_parsed *key,
  142. struct netlink_ext_ack *extack)
  143. {
  144. struct inet_connection_sock *icsk;
  145. struct psp_assoc *pas, *dummy;
  146. int err;
  147. lock_sock(sk);
  148. pas = psp_sk_assoc(sk);
  149. if (!pas) {
  150. NL_SET_ERR_MSG(extack, "Socket has no Rx key");
  151. err = -EINVAL;
  152. goto exit_unlock;
  153. }
  154. if (pas->psd != psd) {
  155. NL_SET_ERR_MSG(extack, "Rx key from different device");
  156. err = -EINVAL;
  157. goto exit_unlock;
  158. }
  159. if (pas->version != version) {
  160. NL_SET_ERR_MSG(extack,
  161. "PSP version mismatch with existing state");
  162. err = -EINVAL;
  163. goto exit_unlock;
  164. }
  165. if (pas->tx.spi) {
  166. NL_SET_ERR_MSG(extack, "Tx key already set");
  167. err = -EBUSY;
  168. goto exit_unlock;
  169. }
  170. err = psp_sock_recv_queue_check(sk, pas);
  171. if (err) {
  172. NL_SET_ERR_MSG(extack, "Socket has incompatible segments already in the recv queue");
  173. goto exit_unlock;
  174. }
  175. /* Pass a fake association to drivers to make sure they don't
  176. * try to store pointers to it. For re-keying we'll need to
  177. * re-allocate the assoc structures.
  178. */
  179. dummy = psp_assoc_dummy(pas);
  180. if (!dummy) {
  181. err = -ENOMEM;
  182. goto exit_unlock;
  183. }
  184. memcpy(&dummy->tx, key, sizeof(*key));
  185. err = psp_dev_tx_key_add(psd, dummy, extack);
  186. if (err)
  187. goto exit_free_dummy;
  188. memcpy(pas->drv_data, dummy->drv_data, psd->caps->assoc_drv_spc);
  189. memcpy(&pas->tx, key, sizeof(*key));
  190. WRITE_ONCE(sk->sk_validate_xmit_skb, psp_validate_xmit);
  191. tcp_write_collapse_fence(sk);
  192. pas->upgrade_seq = tcp_sk(sk)->rcv_nxt;
  193. icsk = inet_csk(sk);
  194. icsk->icsk_ext_hdr_len += psp_sk_overhead(sk);
  195. icsk->icsk_sync_mss(sk, icsk->icsk_pmtu_cookie);
  196. exit_free_dummy:
  197. kfree(dummy);
  198. exit_unlock:
  199. release_sock(sk);
  200. return err;
  201. }
  202. void psp_assocs_key_rotated(struct psp_dev *psd)
  203. {
  204. struct psp_assoc *pas, *next;
  205. /* Mark the stale associations as invalid, they will no longer
  206. * be able to Rx any traffic.
  207. */
  208. list_for_each_entry_safe(pas, next, &psd->prev_assocs, assocs_list) {
  209. pas->generation |= ~PSP_GEN_VALID_MASK;
  210. psd->stats.stales++;
  211. }
  212. list_splice_init(&psd->prev_assocs, &psd->stale_assocs);
  213. list_splice_init(&psd->active_assocs, &psd->prev_assocs);
  214. /* TODO: we should inform the sockets that got shut down */
  215. }
  216. void psp_twsk_init(struct inet_timewait_sock *tw, const struct sock *sk)
  217. {
  218. struct psp_assoc *pas = psp_sk_assoc(sk);
  219. if (pas)
  220. refcount_inc(&pas->refcnt);
  221. rcu_assign_pointer(tw->psp_assoc, pas);
  222. tw->tw_validate_xmit_skb = psp_validate_xmit;
  223. }
  224. void psp_twsk_assoc_free(struct inet_timewait_sock *tw)
  225. {
  226. struct psp_assoc *pas = rcu_dereference_protected(tw->psp_assoc, 1);
  227. rcu_assign_pointer(tw->psp_assoc, NULL);
  228. psp_assoc_put(pas);
  229. }
  230. void psp_reply_set_decrypted(const struct sock *sk, struct sk_buff *skb)
  231. {
  232. struct psp_assoc *pas;
  233. rcu_read_lock();
  234. pas = psp_sk_get_assoc_rcu(sk);
  235. if (pas && pas->tx.spi)
  236. skb->decrypted = 1;
  237. rcu_read_unlock();
  238. }
  239. EXPORT_IPV6_MOD_GPL(psp_reply_set_decrypted);