  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * xfrm_input.c
  4. *
  5. * Changes:
  6. * YOSHIFUJI Hideaki @USAGI
  7. * Split up af-specific portion
  8. *
  9. */
  10. #include <linux/bottom_half.h>
  11. #include <linux/cache.h>
  12. #include <linux/interrupt.h>
  13. #include <linux/slab.h>
  14. #include <linux/module.h>
  15. #include <linux/netdevice.h>
  16. #include <linux/percpu.h>
  17. #include <net/dst.h>
  18. #include <net/ip.h>
  19. #include <net/xfrm.h>
  20. #include <net/ip_tunnels.h>
  21. #include <net/ip6_tunnel.h>
  22. #include <net/dst_metadata.h>
  23. #include <net/hotdata.h>
  24. #include "xfrm_inout.h"
  /*
   * Deferral queue used by xfrm_trans_queue_net() and drained by
   * xfrm_trans_reinject(). One instance exists per CPU (see the
   * DEFINE_PER_CPU declaration of xfrm_trans_tasklet in this file).
   */
  struct xfrm_trans_tasklet {
      /* Work item; xfrm_input_init() binds it to xfrm_trans_reinject(). */
      struct work_struct work;
      /* Held (with BHs disabled) while the queue is appended to or spliced. */
      spinlock_t queue_lock;
      /* skbs waiting for their stored finish() callback to be run. */
      struct sk_buff_head queue;
  };
  /*
   * Per-packet bookkeeping overlaid on skb->cb through XFRM_TRANS_SKB_CB().
   * xfrm_trans_queue_net() has a BUILD_BUG_ON that keeps this structure from
   * growing past sizeof(skb->cb).
   */
  struct xfrm_trans_cb {
      /*
       * NOTE(review): presumably reserves the leading bytes of skb->cb so the
       * IPv4/IPv6 control block already stored there is not overwritten by
       * the fields below -- confirm against the callers.
       */
      union {
          struct inet_skb_parm h4;
  #if IS_ENABLED(CONFIG_IPV6)
          struct inet6_skb_parm h6;
  #endif
      } header;
      /* Continuation invoked by xfrm_trans_reinject() as finish(net, NULL, skb). */
      int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb);
      /* Namespace handed back to finish(). */
      struct net *net;
  };
  /* View the start of an skb's control block as a struct xfrm_trans_cb. */
  #define XFRM_TRANS_SKB_CB(__skb) ((struct xfrm_trans_cb *)&((__skb)->cb[0]))
  /* Serialises writers of xfrm_input_afinfo[][]; readers use RCU. */
  static DEFINE_SPINLOCK(xfrm_input_afinfo_lock);
  /*
   * Registered input handlers, indexed as [is_ipip][family]. The second
   * dimension has AF_INET6 + 1 slots, so every index must be <= AF_INET6.
   */
  static struct xfrm_input_afinfo const __rcu *xfrm_input_afinfo[2][AF_INET6 + 1];
  /* GRO cells that decapsulated packets are handed to via gro_cells_receive(). */
  static struct gro_cells gro_cells;
  /* Dummy net_device allocated in xfrm_input_init() and passed to gro_cells_init(). */
  static struct net_device *xfrm_napi_dev;
  /* Per-CPU deferral queues, initialised in xfrm_input_init(). */
  static DEFINE_PER_CPU(struct xfrm_trans_tasklet, xfrm_trans_tasklet);
  /**
   * xfrm_input_register_afinfo - publish an input handler for one family
   * @afinfo: handler description; ->family and ->is_ipip select the table slot
   *
   * The slot is claimed under xfrm_input_afinfo_lock and published with
   * rcu_assign_pointer() so that RCU readers see a fully formed entry.
   *
   * Return: 0 on success, -EAFNOSUPPORT if ->family does not fit the table,
   * -EEXIST if the slot is already occupied.
   */
  int xfrm_input_register_afinfo(const struct xfrm_input_afinfo *afinfo)
  {
      int ret;

      /* ->family indexes an array of AF_INET6 + 1 entries: bound it first. */
      if (WARN_ON(afinfo->family > AF_INET6))
          return -EAFNOSUPPORT;

      /* NOTE(review): ->is_ipip indexes a dimension of size 2; assumed 0 or 1. */
      spin_lock_bh(&xfrm_input_afinfo_lock);
      if (likely(!xfrm_input_afinfo[afinfo->is_ipip][afinfo->family])) {
          rcu_assign_pointer(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family], afinfo);
          ret = 0;
      } else {
          ret = -EEXIST;
      }
      spin_unlock_bh(&xfrm_input_afinfo_lock);

      return ret;
  }
  EXPORT_SYMBOL(xfrm_input_register_afinfo);
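  /**
   * xfrm_input_unregister_afinfo - withdraw a previously registered handler
   * @afinfo: the same description that was passed to the register call
   *
   * The slot is cleared only if it currently holds @afinfo. After the lock is
   * dropped, synchronize_rcu() waits for readers that may still be using the
   * old pointer, so the caller can release @afinfo once this returns.
   *
   * Return: 0 if the slot was cleared or was already empty, -EINVAL if the
   * slot holds a different handler, -EAFNOSUPPORT if ->family does not fit
   * the table.
   */
  int xfrm_input_unregister_afinfo(const struct xfrm_input_afinfo *afinfo)
  {
      int err = 0;

      /*
       * Same bound as xfrm_input_register_afinfo(): ->family indexes an array
       * of AF_INET6 + 1 entries, so an unchecked value would read and write
       * past the end of the table. Nothing was published for such a family,
       * so there is no pointer to wait for either.
       */
      if (WARN_ON(afinfo->family > AF_INET6))
          return -EAFNOSUPPORT;

      spin_lock_bh(&xfrm_input_afinfo_lock);
      if (likely(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family])) {
          const struct xfrm_input_afinfo *cur;

          cur = rcu_access_pointer(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family]);
          if (unlikely(cur != afinfo))
              err = -EINVAL;	/* someone else owns this slot */
          else
              RCU_INIT_POINTER(xfrm_input_afinfo[afinfo->is_ipip][afinfo->family], NULL);
      }
      spin_unlock_bh(&xfrm_input_afinfo_lock);

      /* Let in-flight RCU readers finish before the caller frees @afinfo. */
      synchronize_rcu();
      return err;
  }
  EXPORT_SYMBOL(xfrm_input_unregister_afinfo);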
  /*
   * Look up the registered input handler for (is_ipip, family).
   *
   * Locking contract: when a handler is returned, the RCU read lock is still
   * held and the caller must call rcu_read_unlock() once it is done with the
   * pointer. When NULL is returned, no lock is held.
   */
  static const struct xfrm_input_afinfo *xfrm_input_get_afinfo(u8 family, bool is_ipip)
  {
      const struct xfrm_input_afinfo *entry;

      /* family indexes an array of AF_INET6 + 1 entries. */
      if (WARN_ON_ONCE(family > AF_INET6))
          return NULL;

      rcu_read_lock();
      entry = rcu_dereference(xfrm_input_afinfo[is_ipip][family]);
      if (likely(entry))
          return entry;	/* read lock intentionally left held */

      rcu_read_unlock();
      return NULL;
  }
  /*
   * Run the per-family receive callback for @skb.
   *
   * @protocol selects the handler table row: IPPROTO_IPIP and IPPROTO_IPV6
   * use the "ipip" handlers, everything else the regular ones. @err is passed
   * through to the callback unchanged.
   *
   * Returns -EAFNOSUPPORT when no handler is registered, otherwise whatever
   * the callback returns.
   */
  static int xfrm_rcv_cb(struct sk_buff *skb, unsigned int family, u8 protocol,
                         int err)
  {
      const bool ipip = protocol == IPPROTO_IPIP || protocol == IPPROTO_IPV6;
      const struct xfrm_input_afinfo *handler;
      int rc;

      handler = xfrm_input_get_afinfo(family, ipip);
      if (!handler)
          return -EAFNOSUPPORT;

      rc = handler->callback(skb, protocol, err);
      /* Pairs with the read lock xfrm_input_get_afinfo() left held. */
      rcu_read_unlock();

      return rc;
  }
  /**
   * secpath_set - make sure @skb carries a writable security path
   * @skb: packet being processed
   *
   * If the skb already had a SKB_EXT_SEC_PATH extension, the extension returned
   * by skb_ext_add() is handed back with its contents untouched. Otherwise the
   * freshly added extension is reset to an empty path.
   *
   * Return: the security path, or NULL if skb_ext_add() failed.
   */
  struct sec_path *secpath_set(struct sk_buff *skb)
  {
      /* Must be sampled before skb_ext_add() to know whether one pre-existed. */
      struct sec_path *prev = skb_ext_find(skb, SKB_EXT_SEC_PATH);
      struct sec_path *sp = skb_ext_add(skb, SKB_EXT_SEC_PATH);

      if (!sp)
          return NULL;

      if (!prev) {
          /* Newly allocated: start from a clean, empty path. */
          memset(sp->ovec, 0, sizeof(sp->ovec));
          sp->olen = 0;
          sp->len = 0;
          sp->verified_cnt = 0;
      }
      /* else: reused existing one (was COW'd if needed) */

      return sp;
  }
  EXPORT_SYMBOL(secpath_set);
  /**
   * xfrm_parse_spi - fetch SPI and sequence number from an IPsec header
   * @skb: packet whose transport header points at the IPsec header
   * @nexthdr: protocol number of that header
   * @spi: out, SPI in network byte order
   * @seq: out, sequence number in network byte order (0 for IPcomp)
   *
   * The header is made linear with pskb_may_pull() before any field is read,
   * so a truncated packet is rejected instead of being read out of bounds.
   *
   * NOTE(review): pskb_may_pull() is relative to skb->data while the fields
   * are read through skb_transport_header(); this looks like it relies on the
   * caller having both point at the same place -- confirm for new callers.
   *
   * Return: 0 on success, -EINVAL if the packet is too short, 1 if @nexthdr
   * is not AH, ESP or IPcomp (outputs are left untouched in that case).
   */
  int xfrm_parse_spi(struct sk_buff *skb, u8 nexthdr, __be32 *spi, __be32 *seq)
  {
      int spi_off, seq_off;
      int hdr_len;

      if (nexthdr == IPPROTO_COMP) {
          if (!pskb_may_pull(skb, sizeof(struct ip_comp_hdr)))
              return -EINVAL;
          /* IPcomp carries a 16-bit CPI at offset 2; widen it to an SPI. */
          *spi = htonl(ntohs(*(__be16 *)(skb_transport_header(skb) + 2)));
          *seq = 0;
          return 0;
      }

      if (nexthdr == IPPROTO_AH) {
          hdr_len = sizeof(struct ip_auth_hdr);
          spi_off = offsetof(struct ip_auth_hdr, spi);
          seq_off = offsetof(struct ip_auth_hdr, seq_no);
      } else if (nexthdr == IPPROTO_ESP) {
          hdr_len = sizeof(struct ip_esp_hdr);
          spi_off = offsetof(struct ip_esp_hdr, spi);
          seq_off = offsetof(struct ip_esp_hdr, seq_no);
      } else {
          return 1;
      }

      if (!pskb_may_pull(skb, hdr_len))
          return -EINVAL;

      /* The header pointer is re-read after the pull for each access. */
      *spi = *(__be32 *)(skb_transport_header(skb) + spi_off);
      *seq = *(__be32 *)(skb_transport_header(skb) + seq_off);
      return 0;
  }
  EXPORT_SYMBOL(xfrm_parse_spi);
  /*
   * Undo IPv4 BEET encapsulation: strip the optional BEET pseudo header and
   * rebuild an IPv4 header in front of the payload, using the addresses from
   * the state's selector.
   *
   * padlen, hdrlen and nexthdr are taken from the received packet. The derived
   * option length is range-checked (non-negative, multiple of 4, at most 250)
   * before it is used to grow iph->ihl, and each read of the pseudo header is
   * preceded by pskb_may_pull().
   *
   * Returns 0 on success, -EINVAL on a short or malformed pseudo header.
   */
  static int xfrm4_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb)
  {
      struct iphdr *ip4;
      int opt_bytes = 0;

      skb->protocol = htons(ETH_P_IP);

      if (unlikely(XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_BEETPH)) {
          struct ip_beet_phdr *pseudo;
          int pseudo_len;

          if (!pskb_may_pull(skb, sizeof(*pseudo)))
              return -EINVAL;

          pseudo = (struct ip_beet_phdr *)skb->data;

          pseudo_len = sizeof(*pseudo) + pseudo->padlen;
          opt_bytes = pseudo->hdrlen * 8 + (IPV4_BEET_PHMAXLEN - pseudo_len);
          if (opt_bytes < 0 || (opt_bytes & 3) || opt_bytes > 250)
              return -EINVAL;

          /* Read nexthdr now: the pull below may move the header. */
          XFRM_MODE_SKB_CB(skb)->protocol = pseudo->nexthdr;

          if (!pskb_may_pull(skb, pseudo_len))
              return -EINVAL;
          __skb_pull(skb, pseudo_len);
      }

      skb_push(skb, sizeof(*ip4));
      skb_reset_network_header(skb);
      skb_mac_header_rebuild(skb);

      xfrm4_beet_make_header(skb);

      ip4 = ip_hdr(skb);

      ip4->ihl += opt_bytes / 4;
      ip4->tot_len = htons(skb->len);
      ip4->daddr = x->sel.daddr.a4;
      ip4->saddr = x->sel.saddr.a4;
      /* Checksum is computed over the header with the field zeroed. */
      ip4->check = 0;
      ip4->check = ip_fast_csum(skb_network_header(skb), ip4->ihl);

      return 0;
  }
  /*
   * Propagate congestion marking inwards: if the TOS value saved in the skb's
   * mode control block carries CE, set CE on the inner IPv4 header.
   */
  static void ipip_ecn_decapsulate(struct sk_buff *skb)
  {
      struct iphdr *inner = ipip_hdr(skb);

      if (!INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
          return;

      IP_ECN_set_ce(inner);
  }
  /*
   * Undo IPv4 tunnel-mode encapsulation.
   *
   * The inner IPv4 header is checked to be present (pskb_may_pull) and the
   * skb is made private (skb_unclone) before the inner header is modified for
   * DSCP/ECN handling. The network and MAC headers are then rebuilt for the
   * inner packet.
   *
   * Returns 0 on success, -EINVAL if the inner header is missing, or the
   * error from skb_unclone().
   */
  static int xfrm4_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb)
  {
      int rc;

      skb->protocol = htons(ETH_P_IP);

      if (!pskb_may_pull(skb, sizeof(struct iphdr)))
          return -EINVAL;

      rc = skb_unclone(skb, GFP_ATOMIC);
      if (rc)
          return rc;

      /* Optionally copy the saved outer DSCP onto the inner header. */
      if (x->props.flags & XFRM_STATE_DECAP_DSCP)
          ipv4_copy_dscp(XFRM_MODE_SKB_CB(skb)->tos, ipip_hdr(skb));

      /* ECN is propagated unless the state opts out. */
      if (!(x->props.flags & XFRM_STATE_NOECN))
          ipip_ecn_decapsulate(skb);

      skb_reset_network_header(skb);
      skb_mac_header_rebuild(skb);
      if (skb->mac_len)
          eth_hdr(skb)->h_proto = skb->protocol;

      return 0;
  }
  /*
   * IPv6 counterpart of ipip_ecn_decapsulate(): if the saved TOS value carries
   * CE, set CE on the inner IPv6 header.
   */
  static void ipip6_ecn_decapsulate(struct sk_buff *skb)
  {
      struct ipv6hdr *inner = ipipv6_hdr(skb);

      if (!INET_ECN_is_ce(XFRM_MODE_SKB_CB(skb)->tos))
          return;

      IP6_ECN_set_ce(skb, inner);
  }
  /*
   * Undo IPv6 tunnel-mode encapsulation.
   *
   * Mirrors xfrm4_remove_tunnel_encap(): the inner IPv6 header must be
   * present, the skb is unshared before the inner header is touched, and the
   * network/MAC headers are rebuilt for the inner packet.
   *
   * Returns 0 on success, -EINVAL if the inner header is missing, or the
   * error from skb_unclone().
   */
  static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb)
  {
      int rc;

      skb->protocol = htons(ETH_P_IPV6);

      if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
          return -EINVAL;

      rc = skb_unclone(skb, GFP_ATOMIC);
      if (rc)
          return rc;

      /* Optionally copy the saved outer DSCP onto the inner header. */
      if (x->props.flags & XFRM_STATE_DECAP_DSCP)
          ipv6_copy_dscp(XFRM_MODE_SKB_CB(skb)->tos, ipipv6_hdr(skb));

      /* ECN is propagated unless the state opts out. */
      if (!(x->props.flags & XFRM_STATE_NOECN))
          ipip6_ecn_decapsulate(skb);

      skb_reset_network_header(skb);
      skb_mac_header_rebuild(skb);
      if (skb->mac_len)
          eth_hdr(skb)->h_proto = skb->protocol;

      return 0;
  }
  /*
   * Undo IPv6 BEET encapsulation by rebuilding an IPv6 header in front of the
   * payload, with addresses taken from the state's selector.
   *
   * Headroom for the header (plus the MAC header length) is secured with
   * skb_cow_head() before the unchecked __skb_push().
   *
   * Returns 0 on success or the error from skb_cow_head().
   */
  static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb)
  {
      const int hdr_len = sizeof(struct ipv6hdr);
      struct ipv6hdr *hdr;
      int rc;

      skb->protocol = htons(ETH_P_IPV6);

      rc = skb_cow_head(skb, hdr_len + skb->mac_len);
      if (rc)
          return rc;

      __skb_push(skb, hdr_len);
      skb_reset_network_header(skb);
      skb_mac_header_rebuild(skb);

      xfrm6_beet_make_header(skb);

      hdr = ipv6_hdr(skb);
      hdr->payload_len = htons(skb->len - hdr_len);
      hdr->daddr = x->sel.daddr.in6;
      hdr->saddr = x->sel.saddr.in6;

      return 0;
  }
  /*
   * Remove the encapsulation header for BEET and tunnel mode states.
   *
   * The IP header will be moved over the top of the encapsulation header.
   *
   * On entry, the transport header shall point to where the IP header should
   * be and the network header shall be set to where the IP header currently
   * is. skb->data shall point to the start of the payload.
   *
   * Dispatch:
   *   BEET   - by the selector family (AF_INET / AF_INET6)
   *   TUNNEL - by the inner protocol recorded in the skb (IPIP / IPV6);
   *            any other inner protocol is rejected with -EINVAL
   * Anything else is unexpected here: it warns once and returns -EOPNOTSUPP.
   */
  static int
  xfrm_inner_mode_encap_remove(struct xfrm_state *x,
                               struct sk_buff *skb)
  {
      if (x->props.mode == XFRM_MODE_BEET) {
          if (x->sel.family == AF_INET)
              return xfrm4_remove_beet_encap(x, skb);
          if (x->sel.family == AF_INET6)
              return xfrm6_remove_beet_encap(x, skb);
          /* unknown selector family: fall through to the warning */
      } else if (x->props.mode == XFRM_MODE_TUNNEL) {
          if (XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_IPIP)
              return xfrm4_remove_tunnel_encap(x, skb);
          if (XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_IPV6)
              return xfrm6_remove_tunnel_encap(x, skb);
          return -EINVAL;
      }

      WARN_ON_ONCE(1);
      return -EOPNOTSUPP;
  }
  /*
   * Extract the outer header information for the state's family, then remove
   * the encapsulation. An unexpected family warns once and is refused with
   * -EAFNOSUPPORT before the packet is touched any further.
   */
  static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb)
  {
      if (x->props.family == AF_INET) {
          xfrm4_extract_header(skb);
      } else if (x->props.family == AF_INET6) {
          xfrm6_extract_header(skb);
      } else {
          WARN_ON_ONCE(1);
          return -EAFNOSUPPORT;
      }

      return xfrm_inner_mode_encap_remove(x, skb);
  }
  /*
   * Remove the encapsulation header (IPv4 transport mode).
   *
   * The IP header will be moved over the top of the encapsulation header.
   *
   * On entry, skb_transport_header() shall point to where the IP header
   * should be and skb_network_header() shall be set to where the IP header
   * currently is. skb->data shall point to the start of the payload.
   *
   * The number of bytes moved is the distance between the transport header
   * and skb->data. Always returns 0.
   */
  static int xfrm4_transport_input(struct xfrm_state *x, struct sk_buff *skb)
  {
      struct xfrm_offload *offload = xfrm_offload(skb);
      int hdr_len = skb->data - skb_transport_header(skb);

      if (skb->transport_header != skb->network_header) {
          /* Source and destination may overlap, hence memmove(). */
          memmove(skb_transport_header(skb),
                  skb_network_header(skb), hdr_len);
          if (offload) {
              if (skb_mac_header_was_set(skb))
                  offload->orig_mac_len = skb_mac_header_len(skb);
              else
                  offload->orig_mac_len = 0;
          }
          skb->network_header = skb->transport_header;
      }

      ip_hdr(skb)->tot_len = htons(skb->len + hdr_len);
      skb_reset_transport_header(skb);
      return 0;
  }
  /*
   * IPv6 transport-mode counterpart of xfrm4_transport_input(): slide the IPv6
   * header over the encapsulation header and fix up payload_len.
   *
   * Without CONFIG_IPV6 this warns once and returns -EAFNOSUPPORT; otherwise
   * it always returns 0.
   */
  static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb)
  {
  #if IS_ENABLED(CONFIG_IPV6)
      struct xfrm_offload *offload = xfrm_offload(skb);
      int hdr_len = skb->data - skb_transport_header(skb);

      if (skb->transport_header != skb->network_header) {
          /* Source and destination may overlap, hence memmove(). */
          memmove(skb_transport_header(skb),
                  skb_network_header(skb), hdr_len);
          if (offload) {
              if (skb_mac_header_was_set(skb))
                  offload->orig_mac_len = skb_mac_header_len(skb);
              else
                  offload->orig_mac_len = 0;
          }
          skb->network_header = skb->transport_header;
      }

      /* payload_len excludes the fixed IPv6 header itself. */
      ipv6_hdr(skb)->payload_len = htons(skb->len + hdr_len -
                                         sizeof(struct ipv6hdr));
      skb_reset_transport_header(skb);
      return 0;
  #else
      WARN_ON_ONCE(1);
      return -EAFNOSUPPORT;
  #endif
  }
  /*
   * Dispatch inner-mode input processing by the state's mode.
   *
   *   BEET / TUNNEL      - xfrm_prepare_input()
   *   TRANSPORT          - per-family transport handler; an unknown family
   *                        yields -EOPNOTSUPP without a warning
   *   ROUTEOPTIMIZATION  - not expected here: warn once, -EOPNOTSUPP
   *   any other mode     - x->mode_cbs->input() if provided, otherwise warn
   *                        once and return -EOPNOTSUPP
   */
  static int xfrm_inner_mode_input(struct xfrm_state *x,
                                   struct sk_buff *skb)
  {
      switch (x->props.mode) {
      case XFRM_MODE_BEET:
      case XFRM_MODE_TUNNEL:
          return xfrm_prepare_input(x, skb);

      case XFRM_MODE_TRANSPORT:
          switch (x->props.family) {
          case AF_INET:
              return xfrm4_transport_input(x, skb);
          case AF_INET6:
              return xfrm6_transport_input(x, skb);
          }
          return -EOPNOTSUPP;

      case XFRM_MODE_ROUTEOPTIMIZATION:
          WARN_ON_ONCE(1);
          return -EOPNOTSUPP;

      default:
          if (x->mode_cbs && x->mode_cbs->input)
              return x->mode_cbs->input(x, skb);
          WARN_ON_ONCE(1);
          return -EOPNOTSUPP;
      }
  }
  /*
   * xfrm_input - main IPsec receive path.
   *
   * Looks up the state (SA) for each IPsec header found on @skb, validates it,
   * runs the transform and the inner-mode processing, and finally hands the
   * packet on. Every failure path bumps a LINUX_MIB_XFRM* counter, frees the
   * skb and returns 0; the function also returns 0 when processing continues
   * asynchronously.
   *
   * Per-state checks performed under x->lock before the transform runs:
   * state validity, encapsulation type match, replay window, lifetime expiry
   * and xfrm_tunnel_check(). The replay window is re-checked after the
   * transform (the lock is dropped while it runs) and only then advanced.
   *
   * NOTE: encap_type - In addition to the normal (non-negative) values for
   * encap_type, a negative value of -1 or -2 can be used to resume/restart this
   * function after a previous invocation early terminated for async operation.
   */
  int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
  {
      const struct xfrm_state_afinfo *afinfo;
      struct net *net = dev_net(skb->dev);
      int err;
      __be32 seq;
      __be32 seq_hi;
      struct xfrm_state *x = NULL;
      xfrm_address_t *daddr;
      u32 mark = skb->mark;
      unsigned int family = AF_UNSPEC;
      int decaps = 0;
      int async = 0;
      bool xfrm_gro = false;
      bool crypto_done = false;
      struct xfrm_offload *xo = xfrm_offload(skb);
      struct sec_path *sp;

      /*
       * Resume (encap_type < 0) or offload/GRO entry: the state is not looked
       * up again but taken from the skb via xfrm_input_state().
       */
      if (encap_type < 0 || (xo && (xo->flags & XFRM_GRO || encap_type == 0 ||
                                    encap_type == UDP_ENCAP_ESPINUDP))) {
          x = xfrm_input_state(skb);

          /* The state may have been invalidated since it was attached. */
          if (unlikely(x->km.state != XFRM_STATE_VALID)) {
              if (x->km.state == XFRM_STATE_ACQ)
                  XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
              else
                  XFRM_INC_STATS(net,
                                 LINUX_MIB_XFRMINSTATEINVALID);

              /*
               * NOTE(review): presumably drops the reference taken by
               * dev_hold() before the async x->type->input() call below;
               * async is not set yet on this path, so the put at the
               * drop label does not cover it -- confirm.
               */
              if (encap_type == -1)
                  dev_put(skb->dev);
              goto drop;
          }

          family = x->props.family;

          /* An encap_type of -2 indicates reconstructed inner packet */
          if (encap_type == -2)
              goto resume_decapped;

          /* An encap_type of -1 indicates async resumption. */
          if (encap_type == -1) {
              async = 1;
              seq = XFRM_SKB_CB(skb)->seq.input.low;
              /* The resume label expects x->lock to be held. */
              spin_lock(&x->lock);
              goto resume;
          }
          /* GRO call */
          seq = XFRM_SPI_SKB_CB(skb)->seq;

          /* The offload layer reports that it already ran the crypto. */
          if (xo && (xo->flags & CRYPTO_DONE)) {
              crypto_done = true;
              family = XFRM_SPI_SKB_CB(skb)->family;

              if (!(xo->status & CRYPTO_SUCCESS)) {
                  /* Integrity (ICV) failures are audited and counted per state. */
                  if (xo->status &
                      (CRYPTO_TRANSPORT_AH_AUTH_FAILED |
                       CRYPTO_TRANSPORT_ESP_AUTH_FAILED |
                       CRYPTO_TUNNEL_AH_AUTH_FAILED |
                       CRYPTO_TUNNEL_ESP_AUTH_FAILED)) {

                      xfrm_audit_state_icvfail(x, skb,
                                               x->type->proto);
                      x->stats.integrity_failed++;
                      XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
                      goto drop;
                  }

                  if (xo->status & CRYPTO_INVALID_PROTOCOL) {
                      XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
                      goto drop;
                  }

                  /* Any other non-success status. */
                  XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
                  goto drop;
              }

              /* Non-zero covers both "too short" and "not an IPsec header". */
              if (xfrm_parse_spi(skb, nexthdr, &spi, &seq)) {
                  XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
                  goto drop;
              }

              nexthdr = x->type_offload->input_tail(x, skb);
          }

          /* Jumps into the loop body below, past the state lookup. */
          goto process;
      }

      family = XFRM_SPI_SKB_CB(skb)->family;

      /* if tunnel is present override skb->mark value with tunnel i_key */
      switch (family) {
      case AF_INET:
          if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4)
              mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4->parms.i_key);
          break;
      case AF_INET6:
          if (XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6)
              mark = be32_to_cpu(XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6->parms.i_key);
          break;
      }

      sp = secpath_set(skb);
      if (!sp) {
          XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
          goto drop;
      }

      seq = 0;
      /* Parse the header only when the caller did not supply an SPI. */
      if (!spi && xfrm_parse_spi(skb, nexthdr, &spi, &seq)) {
          secpath_reset(skb);
          XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
          goto drop;
      }

      daddr = (xfrm_address_t *)(skb_network_header(skb) +
                                 XFRM_SPI_SKB_CB(skb)->daddroff);
      /* One iteration per IPsec header (state) applied to this packet. */
      do {
          sp = skb_sec_path(skb);

          /*
           * Bound the nesting depth before sp->xvec[] is written below, so
           * a packet cannot push more than XFRM_MAX_DEPTH states.
           */
          if (sp->len == XFRM_MAX_DEPTH) {
              secpath_reset(skb);
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINBUFFERERROR);
              goto drop;
          }

          x = xfrm_input_state_lookup(net, mark, daddr, spi, nexthdr, family);
          if (x == NULL) {
              secpath_reset(skb);
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
              xfrm_audit_state_notfound(skb, family, spi, seq);
              goto drop;
          }

          /* A state with an explicit direction must be an inbound one. */
          if (unlikely(x->dir && x->dir != XFRM_SA_DIR_IN)) {
              secpath_reset(skb);
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEDIRERROR);
              xfrm_audit_state_notfound(skb, family, spi, seq);
              xfrm_state_put(x);
              /* Cleared so the drop path does not touch the released state. */
              x = NULL;
              goto drop;
          }

          skb->mark = xfrm_smark_get(skb->mark, x);

          sp->xvec[sp->len++] = x;

          skb_dst_force(skb);
          if (!skb_dst(skb)) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINERROR);
              goto drop;
          }

  process:
          /* Record the full sequence number in the skb for later stages. */
          seq_hi = htonl(xfrm_replay_seqhi(x, seq));

          XFRM_SKB_CB(skb)->seq.input.low = seq;
          XFRM_SKB_CB(skb)->seq.input.hi = seq_hi;

          /* All checks up to the transform run under the state lock. */
          spin_lock(&x->lock);

          if (unlikely(x->km.state != XFRM_STATE_VALID)) {
              if (x->km.state == XFRM_STATE_ACQ)
                  XFRM_INC_STATS(net, LINUX_MIB_XFRMACQUIREERROR);
              else
                  XFRM_INC_STATS(net,
                                 LINUX_MIB_XFRMINSTATEINVALID);
              goto drop_unlock;
          }

          /* The packet's encapsulation must match what the state expects. */
          if ((x->encap ? x->encap->encap_type : 0) != encap_type) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMISMATCH);
              goto drop_unlock;
          }

          /* Anti-replay: first check, before the transform. */
          if (xfrm_replay_check(x, skb, seq)) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
              goto drop_unlock;
          }

          if (xfrm_state_check_expire(x)) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEEXPIRED);
              goto drop_unlock;
          }

          if (xfrm_tunnel_check(skb, x, family)) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
              goto drop_unlock;
          }

          if (!crypto_done) {
              /* The lock is not held across the transform. */
              spin_unlock(&x->lock);
              /* Hold the device while the transform may complete asynchronously. */
              dev_hold(skb->dev);

              nexthdr = x->type->input(x, skb);
              /* Async transform: processing continues on resumption. */
              if (nexthdr == -EINPROGRESS) {
                  if (async)
                      dev_put(skb->dev);
                  return 0;
              }

              dev_put(skb->dev);
              spin_lock(&x->lock);
          }
  resume:
          /* A negative nexthdr is an error code from the transform. */
          if (nexthdr < 0) {
              /* -EBADMSG is treated as an integrity check failure. */
              if (nexthdr == -EBADMSG) {
                  xfrm_audit_state_icvfail(x, skb,
                                           x->type->proto);
                  x->stats.integrity_failed++;
              }
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEPROTOERROR);
              goto drop_unlock;
          }

          /* only the first xfrm gets the encap type */
          encap_type = 0;

          /*
           * Anti-replay: second check, needed because the lock was dropped
           * while the transform ran. Skipped when the offload did the crypto.
           */
          if (!crypto_done && xfrm_replay_recheck(x, skb, seq)) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATESEQERROR);
              goto drop_unlock;
          }

          /* Only now is the packet accepted: advance window and counters. */
          xfrm_replay_advance(x, seq);

          x->curlft.bytes += skb->len;
          x->curlft.packets++;
          x->lastused = ktime_get_real_seconds();

          spin_unlock(&x->lock);

          XFRM_MODE_SKB_CB(skb)->protocol = nexthdr;

          err = xfrm_inner_mode_input(x, skb);
          if (err == -EINPROGRESS) {
              if (async)
                  dev_put(skb->dev);
              return 0;
          } else if (err) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR);
              goto drop;
          }
  resume_decapped:
          /* Tunnel-type outer mode: the inner packet is complete, stop here. */
          if (x->outer_mode.flags & XFRM_MODE_FLAG_TUNNEL) {
              decaps = 1;
              break;
          }

          /*
           * We need the inner address.  However, we only get here for
           * transport mode so the outer address is identical.
           */
          daddr = &x->id.daddr;
          family = x->props.family;

          /*
           * Look for a further IPsec header: 0 continues the loop, 1 (not
           * an IPsec header) ends it, a negative value drops the packet.
           */
          err = xfrm_parse_spi(skb, nexthdr, &spi, &seq);
          if (err < 0) {
              XFRM_INC_STATS(net, LINUX_MIB_XFRMINHDRERROR);
              goto drop;
          }
          crypto_done = false;
      } while (!err);

      err = xfrm_rcv_cb(skb, family, x->type->proto, 0);
      if (err)
          goto drop;

      nf_reset_ct(skb);

      if (decaps) {
          /* Decapsulated packet: hand it to the GRO cells for reinjection. */
          sp = skb_sec_path(skb);
          if (sp)
              sp->olen = 0;
          if (skb_valid_dst(skb))
              skb_dst_drop(skb);
          if (async)
              dev_put(skb->dev);
          gro_cells_receive(&gro_cells, skb);
          return 0;
      } else {
          xo = xfrm_offload(skb);
          if (xo)
              xfrm_gro = xo->flags & XFRM_GRO;

          /* Stays -EAFNOSUPPORT if no afinfo is registered for the family. */
          err = -EAFNOSUPPORT;
          rcu_read_lock();
          afinfo = xfrm_state_afinfo_get_rcu(x->props.family);
          if (likely(afinfo))
              err = afinfo->transport_finish(skb, xfrm_gro || async);
          rcu_read_unlock();
          if (xfrm_gro) {
              sp = skb_sec_path(skb);
              if (sp)
                  sp->olen = 0;
              if (skb_valid_dst(skb))
                  skb_dst_drop(skb);
              if (async)
                  dev_put(skb->dev);
              gro_cells_receive(&gro_cells, skb);
              return err;
          }

          return err;
      }

  drop_unlock:
      spin_unlock(&x->lock);
  drop:
      if (async)
          dev_put(skb->dev);
      /* Notify the family callback with err = -1; x may be NULL here. */
      xfrm_rcv_cb(skb, family, x && x->type ? x->type->proto : nexthdr, -1);
      kfree_skb(skb);
      return 0;
  }
  EXPORT_SYMBOL(xfrm_input);
  /**
   * xfrm_input_resume - continue xfrm_input() after an async transform
   * @skb: packet whose processing was suspended
   * @nexthdr: result of the transform (next header, or a negative error)
   *
   * Re-enters xfrm_input() with encap_type -1, the value that function treats
   * as "async resumption"; the SPI argument is passed as 0.
   *
   * Return: whatever xfrm_input() returns.
   */
  int xfrm_input_resume(struct sk_buff *skb, int nexthdr)
  {
      const __be32 no_spi = 0;
      const int resume_async = -1;

      return xfrm_input(skb, nexthdr, no_spi, resume_async);
  }
  EXPORT_SYMBOL(xfrm_input_resume);
  /*
   * Work handler: drain this CPU's deferral queue.
   *
   * The pending skbs are moved to a private list under queue_lock so the lock
   * is not held while callbacks run. Each skb's stored finish() callback is
   * then invoked with bottom halves disabled, a NULL socket and the namespace
   * saved at queue time.
   */
  static void xfrm_trans_reinject(struct work_struct *work)
  {
      struct xfrm_trans_tasklet *tq = container_of(work, struct xfrm_trans_tasklet, work);
      struct sk_buff_head pending;
      struct sk_buff *skb;

      __skb_queue_head_init(&pending);

      spin_lock_bh(&tq->queue_lock);
      skb_queue_splice_init(&tq->queue, &pending);
      spin_unlock_bh(&tq->queue_lock);

      local_bh_disable();
      for (;;) {
          skb = __skb_dequeue(&pending);
          if (!skb)
              break;
          XFRM_TRANS_SKB_CB(skb)->finish(XFRM_TRANS_SKB_CB(skb)->net,
                                         NULL, skb);
      }
      local_bh_enable();
  }
  /**
   * xfrm_trans_queue_net - defer a packet's completion to process context
   * @net: namespace to hand to @finish
   * @skb: packet to queue
   * @finish: continuation run later by xfrm_trans_reinject()
   *
   * The continuation and namespace are stashed in skb->cb, the skb is appended
   * to this CPU's queue and the work item is scheduled. The queue length is
   * capped at net_hotdata.max_backlog so that deferred packets cannot pile up
   * without bound.
   *
   * Return: 0 on success, -ENOBUFS if the queue is full (the skb is not
   * consumed in that case).
   */
  int xfrm_trans_queue_net(struct net *net, struct sk_buff *skb,
                           int (*finish)(struct net *, struct sock *,
                                         struct sk_buff *))
  {
      struct xfrm_trans_tasklet *tq = this_cpu_ptr(&xfrm_trans_tasklet);

      /* Length is sampled without queue_lock; the cap is a soft limit. */
      if (skb_queue_len(&tq->queue) >= READ_ONCE(net_hotdata.max_backlog))
          return -ENOBUFS;

      /* Compile-time guarantee that the overlay fits in skb->cb. */
      BUILD_BUG_ON(sizeof(struct xfrm_trans_cb) > sizeof(skb->cb));

      XFRM_TRANS_SKB_CB(skb)->finish = finish;
      XFRM_TRANS_SKB_CB(skb)->net = net;

      spin_lock_bh(&tq->queue_lock);
      __skb_queue_tail(&tq->queue, skb);
      spin_unlock_bh(&tq->queue_lock);

      schedule_work(&tq->work);
      return 0;
  }
  EXPORT_SYMBOL(xfrm_trans_queue_net);
  /**
   * xfrm_trans_queue - xfrm_trans_queue_net() using the skb's device namespace
   * @skb: packet to queue; skb->dev selects the namespace
   * @finish: continuation run later by xfrm_trans_reinject()
   *
   * Return: whatever xfrm_trans_queue_net() returns.
   */
  int xfrm_trans_queue(struct sk_buff *skb,
                       int (*finish)(struct net *, struct sock *,
                                     struct sk_buff *))
  {
      struct net *net = dev_net(skb->dev);

      return xfrm_trans_queue_net(net, skb, finish);
  }
  EXPORT_SYMBOL(xfrm_trans_queue);
  /*
   * Boot-time setup of the input path.
   *
   * Allocates the dummy net_device used for the GRO cells (failure panics),
   * initialises the GRO cells (on failure gro_cells.cells is set to NULL) and
   * prepares the per-CPU deferral queue, lock and work item on every possible
   * CPU.
   */
  void __init xfrm_input_init(void)
  {
      int cpu;

      xfrm_napi_dev = alloc_netdev_dummy(0);
      if (!xfrm_napi_dev)
          panic("Failed to allocate XFRM dummy netdev\n");

      if (gro_cells_init(&gro_cells, xfrm_napi_dev))
          gro_cells.cells = NULL;

      for_each_possible_cpu(cpu) {
          struct xfrm_trans_tasklet *tq = &per_cpu(xfrm_trans_tasklet, cpu);

          spin_lock_init(&tq->queue_lock);
          __skb_queue_head_init(&tq->queue);
          INIT_WORK(&tq->work, xfrm_trans_reinject);
      }
  }