• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /* Service connection management
3  *
4  * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved.
5  * Written by David Howells (dhowells@redhat.com)
6  */
7 
8 #include <linux/slab.h>
9 #include "ar-internal.h"
10 
11 /*
12  * Find a service connection under RCU conditions.
13  *
14  * We could use a hash table, but that is subject to bucket stuffing by an
15  * attacker as the client gets to pick the epoch and cid values and would know
16  * the hash function.  So, instead, we use a hash table for the peer and from
17  * that an rbtree to find the service connection.  Under ordinary circumstances
18  * it might be slower than a large hash table, but it is at least limited in
19  * depth.
20  */
rxrpc_find_service_conn_rcu(struct rxrpc_peer * peer,struct sk_buff * skb)21 struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer,
22 						     struct sk_buff *skb)
23 {
24 	struct rxrpc_connection *conn = NULL;
25 	struct rxrpc_conn_proto k;
26 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
27 	struct rb_node *p;
28 	unsigned int seq = 0;
29 
30 	k.epoch	= sp->hdr.epoch;
31 	k.cid	= sp->hdr.cid & RXRPC_CIDMASK;
32 
33 	do {
34 		/* Unfortunately, rbtree walking doesn't give reliable results
35 		 * under just the RCU read lock, so we have to check for
36 		 * changes.
37 		 */
38 		read_seqbegin_or_lock(&peer->service_conn_lock, &seq);
39 
40 		p = rcu_dereference_raw(peer->service_conns.rb_node);
41 		while (p) {
42 			conn = rb_entry(p, struct rxrpc_connection, service_node);
43 
44 			if (conn->proto.index_key < k.index_key)
45 				p = rcu_dereference_raw(p->rb_left);
46 			else if (conn->proto.index_key > k.index_key)
47 				p = rcu_dereference_raw(p->rb_right);
48 			else
49 				break;
50 			conn = NULL;
51 		}
52 	} while (need_seqretry(&peer->service_conn_lock, seq));
53 
54 	done_seqretry(&peer->service_conn_lock, seq);
55 	_leave(" = %d", conn ? conn->debug_id : -1);
56 	return conn;
57 }
58 
59 /*
60  * Insert a service connection into a peer's tree, thereby making it a target
61  * for incoming packets.
62  */
rxrpc_publish_service_conn(struct rxrpc_peer * peer,struct rxrpc_connection * conn)63 static void rxrpc_publish_service_conn(struct rxrpc_peer *peer,
64 				       struct rxrpc_connection *conn)
65 {
66 	struct rxrpc_connection *cursor = NULL;
67 	struct rxrpc_conn_proto k = conn->proto;
68 	struct rb_node **pp, *parent;
69 
70 	write_seqlock_bh(&peer->service_conn_lock);
71 
72 	pp = &peer->service_conns.rb_node;
73 	parent = NULL;
74 	while (*pp) {
75 		parent = *pp;
76 		cursor = rb_entry(parent,
77 				  struct rxrpc_connection, service_node);
78 
79 		if (cursor->proto.index_key < k.index_key)
80 			pp = &(*pp)->rb_left;
81 		else if (cursor->proto.index_key > k.index_key)
82 			pp = &(*pp)->rb_right;
83 		else
84 			goto found_extant_conn;
85 	}
86 
87 	rb_link_node_rcu(&conn->service_node, parent, pp);
88 	rb_insert_color(&conn->service_node, &peer->service_conns);
89 conn_published:
90 	set_bit(RXRPC_CONN_IN_SERVICE_CONNS, &conn->flags);
91 	write_sequnlock_bh(&peer->service_conn_lock);
92 	_leave(" = %d [new]", conn->debug_id);
93 	return;
94 
95 found_extant_conn:
96 	if (atomic_read(&cursor->usage) == 0)
97 		goto replace_old_connection;
98 	write_sequnlock_bh(&peer->service_conn_lock);
99 	/* We should not be able to get here.  rxrpc_incoming_connection() is
100 	 * called in a non-reentrant context, so there can't be a race to
101 	 * insert a new connection.
102 	 */
103 	BUG();
104 
105 replace_old_connection:
106 	/* The old connection is from an outdated epoch. */
107 	_debug("replace conn");
108 	rb_replace_node_rcu(&cursor->service_node,
109 			    &conn->service_node,
110 			    &peer->service_conns);
111 	clear_bit(RXRPC_CONN_IN_SERVICE_CONNS, &cursor->flags);
112 	goto conn_published;
113 }
114 
115 /*
116  * Preallocate a service connection.  The connection is placed on the proc and
117  * reap lists so that we don't have to get the lock from BH context.
118  */
rxrpc_prealloc_service_connection(struct rxrpc_net * rxnet,gfp_t gfp)119 struct rxrpc_connection *rxrpc_prealloc_service_connection(struct rxrpc_net *rxnet,
120 							   gfp_t gfp)
121 {
122 	struct rxrpc_connection *conn = rxrpc_alloc_connection(gfp);
123 
124 	if (conn) {
125 		/* We maintain an extra ref on the connection whilst it is on
126 		 * the rxrpc_connections list.
127 		 */
128 		conn->state = RXRPC_CONN_SERVICE_PREALLOC;
129 		atomic_set(&conn->usage, 2);
130 
131 		atomic_inc(&rxnet->nr_conns);
132 		write_lock(&rxnet->conn_lock);
133 		list_add_tail(&conn->link, &rxnet->service_conns);
134 		list_add_tail(&conn->proc_link, &rxnet->conn_proc_list);
135 		write_unlock(&rxnet->conn_lock);
136 
137 		trace_rxrpc_conn(conn->debug_id, rxrpc_conn_new_service,
138 				 atomic_read(&conn->usage),
139 				 __builtin_return_address(0));
140 	}
141 
142 	return conn;
143 }
144 
145 /*
146  * Set up an incoming connection.  This is called in BH context with the RCU
147  * read lock held.
148  */
rxrpc_new_incoming_connection(struct rxrpc_sock * rx,struct rxrpc_connection * conn,const struct rxrpc_security * sec,struct key * key,struct sk_buff * skb)149 void rxrpc_new_incoming_connection(struct rxrpc_sock *rx,
150 				   struct rxrpc_connection *conn,
151 				   const struct rxrpc_security *sec,
152 				   struct key *key,
153 				   struct sk_buff *skb)
154 {
155 	struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
156 
157 	_enter("");
158 
159 	conn->proto.epoch	= sp->hdr.epoch;
160 	conn->proto.cid		= sp->hdr.cid & RXRPC_CIDMASK;
161 	conn->params.service_id	= sp->hdr.serviceId;
162 	conn->service_id	= sp->hdr.serviceId;
163 	conn->security_ix	= sp->hdr.securityIndex;
164 	conn->out_clientflag	= 0;
165 	conn->security		= sec;
166 	conn->server_key	= key_get(key);
167 	if (conn->security_ix)
168 		conn->state	= RXRPC_CONN_SERVICE_UNSECURED;
169 	else
170 		conn->state	= RXRPC_CONN_SERVICE;
171 
172 	/* See if we should upgrade the service.  This can only happen on the
173 	 * first packet on a new connection.  Once done, it applies to all
174 	 * subsequent calls on that connection.
175 	 */
176 	if (sp->hdr.userStatus == RXRPC_USERSTATUS_SERVICE_UPGRADE &&
177 	    conn->service_id == rx->service_upgrade.from)
178 		conn->service_id = rx->service_upgrade.to;
179 
180 	/* Make the connection a target for incoming packets. */
181 	rxrpc_publish_service_conn(conn->params.peer, conn);
182 
183 	_net("CONNECTION new %d {%x}", conn->debug_id, conn->proto.cid);
184 }
185 
186 /*
187  * Remove the service connection from the peer's tree, thereby removing it as a
188  * target for incoming packets.
189  */
rxrpc_unpublish_service_conn(struct rxrpc_connection * conn)190 void rxrpc_unpublish_service_conn(struct rxrpc_connection *conn)
191 {
192 	struct rxrpc_peer *peer = conn->params.peer;
193 
194 	write_seqlock_bh(&peer->service_conn_lock);
195 	if (test_and_clear_bit(RXRPC_CONN_IN_SERVICE_CONNS, &conn->flags))
196 		rb_erase(&conn->service_node, &peer->service_conns);
197 	write_sequnlock_bh(&peer->service_conn_lock);
198 }
199