xref: /openbmc/linux/net/core/neighbour.c (revision 5fb859f7)
1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  *	Generic address resolution entity
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *	Alexey Kuznetsov	<kuznet@ms2.inr.ac.ru>
8  *
9  *	Fixes:
10  *	Vitaly E. Lavrov	releasing NULL neighbor in neigh_add.
11  *	Harald Welte		Add neighbour cache statistics like rtstat
12  */
13 
14 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15 
16 #include <linux/slab.h>
17 #include <linux/kmemleak.h>
18 #include <linux/types.h>
19 #include <linux/kernel.h>
20 #include <linux/module.h>
21 #include <linux/socket.h>
22 #include <linux/netdevice.h>
23 #include <linux/proc_fs.h>
24 #ifdef CONFIG_SYSCTL
25 #include <linux/sysctl.h>
26 #endif
27 #include <linux/times.h>
28 #include <net/net_namespace.h>
29 #include <net/neighbour.h>
30 #include <net/arp.h>
31 #include <net/dst.h>
32 #include <net/sock.h>
33 #include <net/netevent.h>
34 #include <net/netlink.h>
35 #include <linux/rtnetlink.h>
36 #include <linux/random.h>
37 #include <linux/string.h>
38 #include <linux/log2.h>
39 #include <linux/inetdevice.h>
40 #include <net/addrconf.h>
41 
42 #include <trace/events/neigh.h>
43 
44 #define NEIGH_DEBUG 1
45 #define neigh_dbg(level, fmt, ...)		\
46 do {						\
47 	if (level <= NEIGH_DEBUG)		\
48 		pr_debug(fmt, ##__VA_ARGS__);	\
49 } while (0)
50 
51 #define PNEIGH_HASHMASK		0xF
52 
53 static void neigh_timer_handler(struct timer_list *t);
54 static void __neigh_notify(struct neighbour *n, int type, int flags,
55 			   u32 pid);
56 static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
57 static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
58 				    struct net_device *dev);
59 
60 #ifdef CONFIG_PROC_FS
61 static const struct seq_operations neigh_stat_seq_ops;
62 #endif
63 
64 /*
65    Neighbour hash table buckets are protected with rwlock tbl->lock.
66 
67    - All the scans/updates to hash buckets MUST be made under this lock.
68    - NOTHING clever should be made under this lock: no callbacks
69      to protocol backends, no attempts to send something to network.
70      It will result in deadlocks, if backend/driver wants to use neighbour
71      cache.
72    - If the entry requires some non-trivial actions, increase
73      its reference count and release table lock.
74 
75    Neighbour entries are protected:
76    - with reference count.
77    - with rwlock neigh->lock
78 
79    Reference count prevents destruction.
80 
81    neigh->lock mainly serializes ll address data and its validity state.
82    However, the same lock is used to protect another entry fields:
83     - timer
84     - resolution queue
85 
86    Again, nothing clever shall be made under neigh->lock,
87    the most complicated procedure, which we allow is dev->hard_header.
88    It is supposed, that dev->hard_header is simplistic and does
89    not make callbacks to neighbour tables.
90  */
91 
92 static int neigh_blackhole(struct neighbour *neigh, struct sk_buff *skb)
93 {
94 	kfree_skb(skb);
95 	return -ENETDOWN;
96 }
97 
98 static void neigh_cleanup_and_release(struct neighbour *neigh)
99 {
100 	trace_neigh_cleanup_and_release(neigh, 0);
101 	__neigh_notify(neigh, RTM_DELNEIGH, 0, 0);
102 	call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
103 	neigh_release(neigh);
104 }
105 
106 /*
107  * It is random distribution in the interval (1/2)*base...(3/2)*base.
108  * It corresponds to default IPv6 settings and is not overridable,
109  * because it is really reasonable choice.
110  */
111 
112 unsigned long neigh_rand_reach_time(unsigned long base)
113 {
114 	return base ? (prandom_u32() % base) + (base >> 1) : 0;
115 }
116 EXPORT_SYMBOL(neigh_rand_reach_time);
117 
118 static void neigh_mark_dead(struct neighbour *n)
119 {
120 	n->dead = 1;
121 	if (!list_empty(&n->gc_list)) {
122 		list_del_init(&n->gc_list);
123 		atomic_dec(&n->tbl->gc_entries);
124 	}
125 	if (!list_empty(&n->managed_list))
126 		list_del_init(&n->managed_list);
127 }
128 
129 static void neigh_update_gc_list(struct neighbour *n)
130 {
131 	bool on_gc_list, exempt_from_gc;
132 
133 	write_lock_bh(&n->tbl->lock);
134 	write_lock(&n->lock);
135 	if (n->dead)
136 		goto out;
137 
138 	/* remove from the gc list if new state is permanent or if neighbor
139 	 * is externally learned; otherwise entry should be on the gc list
140 	 */
141 	exempt_from_gc = n->nud_state & NUD_PERMANENT ||
142 			 n->flags & NTF_EXT_LEARNED;
143 	on_gc_list = !list_empty(&n->gc_list);
144 
145 	if (exempt_from_gc && on_gc_list) {
146 		list_del_init(&n->gc_list);
147 		atomic_dec(&n->tbl->gc_entries);
148 	} else if (!exempt_from_gc && !on_gc_list) {
149 		/* add entries to the tail; cleaning removes from the front */
150 		list_add_tail(&n->gc_list, &n->tbl->gc_list);
151 		atomic_inc(&n->tbl->gc_entries);
152 	}
153 out:
154 	write_unlock(&n->lock);
155 	write_unlock_bh(&n->tbl->lock);
156 }
157 
158 static void neigh_update_managed_list(struct neighbour *n)
159 {
160 	bool on_managed_list, add_to_managed;
161 
162 	write_lock_bh(&n->tbl->lock);
163 	write_lock(&n->lock);
164 	if (n->dead)
165 		goto out;
166 
167 	add_to_managed = n->flags & NTF_MANAGED;
168 	on_managed_list = !list_empty(&n->managed_list);
169 
170 	if (!add_to_managed && on_managed_list)
171 		list_del_init(&n->managed_list);
172 	else if (add_to_managed && !on_managed_list)
173 		list_add_tail(&n->managed_list, &n->tbl->managed_list);
174 out:
175 	write_unlock(&n->lock);
176 	write_unlock_bh(&n->tbl->lock);
177 }
178 
179 static void neigh_update_flags(struct neighbour *neigh, u32 flags, int *notify,
180 			       bool *gc_update, bool *managed_update)
181 {
182 	u32 ndm_flags, old_flags = neigh->flags;
183 
184 	if (!(flags & NEIGH_UPDATE_F_ADMIN))
185 		return;
186 
187 	ndm_flags  = (flags & NEIGH_UPDATE_F_EXT_LEARNED) ? NTF_EXT_LEARNED : 0;
188 	ndm_flags |= (flags & NEIGH_UPDATE_F_MANAGED) ? NTF_MANAGED : 0;
189 
190 	if ((old_flags ^ ndm_flags) & NTF_EXT_LEARNED) {
191 		if (ndm_flags & NTF_EXT_LEARNED)
192 			neigh->flags |= NTF_EXT_LEARNED;
193 		else
194 			neigh->flags &= ~NTF_EXT_LEARNED;
195 		*notify = 1;
196 		*gc_update = true;
197 	}
198 	if ((old_flags ^ ndm_flags) & NTF_MANAGED) {
199 		if (ndm_flags & NTF_MANAGED)
200 			neigh->flags |= NTF_MANAGED;
201 		else
202 			neigh->flags &= ~NTF_MANAGED;
203 		*notify = 1;
204 		*managed_update = true;
205 	}
206 }
207 
208 static bool neigh_del(struct neighbour *n, struct neighbour __rcu **np,
209 		      struct neigh_table *tbl)
210 {
211 	bool retval = false;
212 
213 	write_lock(&n->lock);
214 	if (refcount_read(&n->refcnt) == 1) {
215 		struct neighbour *neigh;
216 
217 		neigh = rcu_dereference_protected(n->next,
218 						  lockdep_is_held(&tbl->lock));
219 		rcu_assign_pointer(*np, neigh);
220 		neigh_mark_dead(n);
221 		retval = true;
222 	}
223 	write_unlock(&n->lock);
224 	if (retval)
225 		neigh_cleanup_and_release(n);
226 	return retval;
227 }
228 
229 bool neigh_remove_one(struct neighbour *ndel, struct neigh_table *tbl)
230 {
231 	struct neigh_hash_table *nht;
232 	void *pkey = ndel->primary_key;
233 	u32 hash_val;
234 	struct neighbour *n;
235 	struct neighbour __rcu **np;
236 
237 	nht = rcu_dereference_protected(tbl->nht,
238 					lockdep_is_held(&tbl->lock));
239 	hash_val = tbl->hash(pkey, ndel->dev, nht->hash_rnd);
240 	hash_val = hash_val >> (32 - nht->hash_shift);
241 
242 	np = &nht->hash_buckets[hash_val];
243 	while ((n = rcu_dereference_protected(*np,
244 					      lockdep_is_held(&tbl->lock)))) {
245 		if (n == ndel)
246 			return neigh_del(n, np, tbl);
247 		np = &n->next;
248 	}
249 	return false;
250 }
251 
252 static int neigh_forced_gc(struct neigh_table *tbl)
253 {
254 	int max_clean = atomic_read(&tbl->gc_entries) - tbl->gc_thresh2;
255 	unsigned long tref = jiffies - 5 * HZ;
256 	struct neighbour *n, *tmp;
257 	int shrunk = 0;
258 
259 	NEIGH_CACHE_STAT_INC(tbl, forced_gc_runs);
260 
261 	write_lock_bh(&tbl->lock);
262 
263 	list_for_each_entry_safe(n, tmp, &tbl->gc_list, gc_list) {
264 		if (refcount_read(&n->refcnt) == 1) {
265 			bool remove = false;
266 
267 			write_lock(&n->lock);
268 			if ((n->nud_state == NUD_FAILED) ||
269 			    (n->nud_state == NUD_NOARP) ||
270 			    (tbl->is_multicast &&
271 			     tbl->is_multicast(n->primary_key)) ||
272 			    time_after(tref, n->updated))
273 				remove = true;
274 			write_unlock(&n->lock);
275 
276 			if (remove && neigh_remove_one(n, tbl))
277 				shrunk++;
278 			if (shrunk >= max_clean)
279 				break;
280 		}
281 	}
282 
283 	tbl->last_flush = jiffies;
284 
285 	write_unlock_bh(&tbl->lock);
286 
287 	return shrunk;
288 }
289 
290 static void neigh_add_timer(struct neighbour *n, unsigned long when)
291 {
292 	neigh_hold(n);
293 	if (unlikely(mod_timer(&n->timer, when))) {
294 		printk("NEIGH: BUG, double timer add, state is %x\n",
295 		       n->nud_state);
296 		dump_stack();
297 	}
298 }
299 
300 static int neigh_del_timer(struct neighbour *n)
301 {
302 	if ((n->nud_state & NUD_IN_TIMER) &&
303 	    del_timer(&n->timer)) {
304 		neigh_release(n);
305 		return 1;
306 	}
307 	return 0;
308 }
309 
310 static void pneigh_queue_purge(struct sk_buff_head *list)
311 {
312 	struct sk_buff *skb;
313 
314 	while ((skb = skb_dequeue(list)) != NULL) {
315 		dev_put(skb->dev);
316 		kfree_skb(skb);
317 	}
318 }
319 
320 static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
321 			    bool skip_perm)
322 {
323 	int i;
324 	struct neigh_hash_table *nht;
325 
326 	nht = rcu_dereference_protected(tbl->nht,
327 					lockdep_is_held(&tbl->lock));
328 
329 	for (i = 0; i < (1 << nht->hash_shift); i++) {
330 		struct neighbour *n;
331 		struct neighbour __rcu **np = &nht->hash_buckets[i];
332 
333 		while ((n = rcu_dereference_protected(*np,
334 					lockdep_is_held(&tbl->lock))) != NULL) {
335 			if (dev && n->dev != dev) {
336 				np = &n->next;
337 				continue;
338 			}
339 			if (skip_perm && n->nud_state & NUD_PERMANENT) {
340 				np = &n->next;
341 				continue;
342 			}
343 			rcu_assign_pointer(*np,
344 				   rcu_dereference_protected(n->next,
345 						lockdep_is_held(&tbl->lock)));
346 			write_lock(&n->lock);
347 			neigh_del_timer(n);
348 			neigh_mark_dead(n);
349 			if (refcount_read(&n->refcnt) != 1) {
350 				/* The most unpleasant situation.
351 				   We must destroy neighbour entry,
352 				   but someone still uses it.
353 
354 				   The destroy will be delayed until
355 				   the last user releases us, but
356 				   we must kill timers etc. and move
357 				   it to safe state.
358 				 */
359 				__skb_queue_purge(&n->arp_queue);
360 				n->arp_queue_len_bytes = 0;
361 				n->output = neigh_blackhole;
362 				if (n->nud_state & NUD_VALID)
363 					n->nud_state = NUD_NOARP;
364 				else
365 					n->nud_state = NUD_NONE;
366 				neigh_dbg(2, "neigh %p is stray\n", n);
367 			}
368 			write_unlock(&n->lock);
369 			neigh_cleanup_and_release(n);
370 		}
371 	}
372 }
373 
374 void neigh_changeaddr(struct neigh_table *tbl, struct net_device *dev)
375 {
376 	write_lock_bh(&tbl->lock);
377 	neigh_flush_dev(tbl, dev, false);
378 	write_unlock_bh(&tbl->lock);
379 }
380 EXPORT_SYMBOL(neigh_changeaddr);
381 
382 static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
383 			  bool skip_perm)
384 {
385 	write_lock_bh(&tbl->lock);
386 	neigh_flush_dev(tbl, dev, skip_perm);
387 	pneigh_ifdown_and_unlock(tbl, dev);
388 
389 	del_timer_sync(&tbl->proxy_timer);
390 	pneigh_queue_purge(&tbl->proxy_queue);
391 	return 0;
392 }
393 
394 int neigh_carrier_down(struct neigh_table *tbl, struct net_device *dev)
395 {
396 	__neigh_ifdown(tbl, dev, true);
397 	return 0;
398 }
399 EXPORT_SYMBOL(neigh_carrier_down);
400 
401 int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
402 {
403 	__neigh_ifdown(tbl, dev, false);
404 	return 0;
405 }
406 EXPORT_SYMBOL(neigh_ifdown);
407 
408 static struct neighbour *neigh_alloc(struct neigh_table *tbl,
409 				     struct net_device *dev,
410 				     u32 flags, bool exempt_from_gc)
411 {
412 	struct neighbour *n = NULL;
413 	unsigned long now = jiffies;
414 	int entries;
415 
416 	if (exempt_from_gc)
417 		goto do_alloc;
418 
419 	entries = atomic_inc_return(&tbl->gc_entries) - 1;
420 	if (entries >= tbl->gc_thresh3 ||
421 	    (entries >= tbl->gc_thresh2 &&
422 	     time_after(now, tbl->last_flush + 5 * HZ))) {
423 		if (!neigh_forced_gc(tbl) &&
424 		    entries >= tbl->gc_thresh3) {
425 			net_info_ratelimited("%s: neighbor table overflow!\n",
426 					     tbl->id);
427 			NEIGH_CACHE_STAT_INC(tbl, table_fulls);
428 			goto out_entries;
429 		}
430 	}
431 
432 do_alloc:
433 	n = kzalloc(tbl->entry_size + dev->neigh_priv_len, GFP_ATOMIC);
434 	if (!n)
435 		goto out_entries;
436 
437 	__skb_queue_head_init(&n->arp_queue);
438 	rwlock_init(&n->lock);
439 	seqlock_init(&n->ha_lock);
440 	n->updated	  = n->used = now;
441 	n->nud_state	  = NUD_NONE;
442 	n->output	  = neigh_blackhole;
443 	n->flags	  = flags;
444 	seqlock_init(&n->hh.hh_lock);
445 	n->parms	  = neigh_parms_clone(&tbl->parms);
446 	timer_setup(&n->timer, neigh_timer_handler, 0);
447 
448 	NEIGH_CACHE_STAT_INC(tbl, allocs);
449 	n->tbl		  = tbl;
450 	refcount_set(&n->refcnt, 1);
451 	n->dead		  = 1;
452 	INIT_LIST_HEAD(&n->gc_list);
453 	INIT_LIST_HEAD(&n->managed_list);
454 
455 	atomic_inc(&tbl->entries);
456 out:
457 	return n;
458 
459 out_entries:
460 	if (!exempt_from_gc)
461 		atomic_dec(&tbl->gc_entries);
462 	goto out;
463 }
464 
465 static void neigh_get_hash_rnd(u32 *x)
466 {
467 	*x = get_random_u32() | 1;
468 }
469 
470 static struct neigh_hash_table *neigh_hash_alloc(unsigned int shift)
471 {
472 	size_t size = (1 << shift) * sizeof(struct neighbour *);
473 	struct neigh_hash_table *ret;
474 	struct neighbour __rcu **buckets;
475 	int i;
476 
477 	ret = kmalloc(sizeof(*ret), GFP_ATOMIC);
478 	if (!ret)
479 		return NULL;
480 	if (size <= PAGE_SIZE) {
481 		buckets = kzalloc(size, GFP_ATOMIC);
482 	} else {
483 		buckets = (struct neighbour __rcu **)
484 			  __get_free_pages(GFP_ATOMIC | __GFP_ZERO,
485 					   get_order(size));
486 		kmemleak_alloc(buckets, size, 1, GFP_ATOMIC);
487 	}
488 	if (!buckets) {
489 		kfree(ret);
490 		return NULL;
491 	}
492 	ret->hash_buckets = buckets;
493 	ret->hash_shift = shift;
494 	for (i = 0; i < NEIGH_NUM_HASH_RND; i++)
495 		neigh_get_hash_rnd(&ret->hash_rnd[i]);
496 	return ret;
497 }
498 
499 static void neigh_hash_free_rcu(struct rcu_head *head)
500 {
501 	struct neigh_hash_table *nht = container_of(head,
502 						    struct neigh_hash_table,
503 						    rcu);
504 	size_t size = (1 << nht->hash_shift) * sizeof(struct neighbour *);
505 	struct neighbour __rcu **buckets = nht->hash_buckets;
506 
507 	if (size <= PAGE_SIZE) {
508 		kfree(buckets);
509 	} else {
510 		kmemleak_free(buckets);
511 		free_pages((unsigned long)buckets, get_order(size));
512 	}
513 	kfree(nht);
514 }
515 
516 static struct neigh_hash_table *neigh_hash_grow(struct neigh_table *tbl,
517 						unsigned long new_shift)
518 {
519 	unsigned int i, hash;
520 	struct neigh_hash_table *new_nht, *old_nht;
521 
522 	NEIGH_CACHE_STAT_INC(tbl, hash_grows);
523 
524 	old_nht = rcu_dereference_protected(tbl->nht,
525 					    lockdep_is_held(&tbl->lock));
526 	new_nht = neigh_hash_alloc(new_shift);
527 	if (!new_nht)
528 		return old_nht;
529 
530 	for (i = 0; i < (1 << old_nht->hash_shift); i++) {
531 		struct neighbour *n, *next;
532 
533 		for (n = rcu_dereference_protected(old_nht->hash_buckets[i],
534 						   lockdep_is_held(&tbl->lock));
535 		     n != NULL;
536 		     n = next) {
537 			hash = tbl->hash(n->primary_key, n->dev,
538 					 new_nht->hash_rnd);
539 
540 			hash >>= (32 - new_nht->hash_shift);
541 			next = rcu_dereference_protected(n->next,
542 						lockdep_is_held(&tbl->lock));
543 
544 			rcu_assign_pointer(n->next,
545 					   rcu_dereference_protected(
546 						new_nht->hash_buckets[hash],
547 						lockdep_is_held(&tbl->lock)));
548 			rcu_assign_pointer(new_nht->hash_buckets[hash], n);
549 		}
550 	}
551 
552 	rcu_assign_pointer(tbl->nht, new_nht);
553 	call_rcu(&old_nht->rcu, neigh_hash_free_rcu);
554 	return new_nht;
555 }
556 
557 struct neighbour *neigh_lookup(struct neigh_table *tbl, const void *pkey,
558 			       struct net_device *dev)
559 {
560 	struct neighbour *n;
561 
562 	NEIGH_CACHE_STAT_INC(tbl, lookups);
563 
564 	rcu_read_lock_bh();
565 	n = __neigh_lookup_noref(tbl, pkey, dev);
566 	if (n) {
567 		if (!refcount_inc_not_zero(&n->refcnt))
568 			n = NULL;
569 		NEIGH_CACHE_STAT_INC(tbl, hits);
570 	}
571 
572 	rcu_read_unlock_bh();
573 	return n;
574 }
575 EXPORT_SYMBOL(neigh_lookup);
576 
577 struct neighbour *neigh_lookup_nodev(struct neigh_table *tbl, struct net *net,
578 				     const void *pkey)
579 {
580 	struct neighbour *n;
581 	unsigned int key_len = tbl->key_len;
582 	u32 hash_val;
583 	struct neigh_hash_table *nht;
584 
585 	NEIGH_CACHE_STAT_INC(tbl, lookups);
586 
587 	rcu_read_lock_bh();
588 	nht = rcu_dereference_bh(tbl->nht);
589 	hash_val = tbl->hash(pkey, NULL, nht->hash_rnd) >> (32 - nht->hash_shift);
590 
591 	for (n = rcu_dereference_bh(nht->hash_buckets[hash_val]);
592 	     n != NULL;
593 	     n = rcu_dereference_bh(n->next)) {
594 		if (!memcmp(n->primary_key, pkey, key_len) &&
595 		    net_eq(dev_net(n->dev), net)) {
596 			if (!refcount_inc_not_zero(&n->refcnt))
597 				n = NULL;
598 			NEIGH_CACHE_STAT_INC(tbl, hits);
599 			break;
600 		}
601 	}
602 
603 	rcu_read_unlock_bh();
604 	return n;
605 }
606 EXPORT_SYMBOL(neigh_lookup_nodev);
607 
608 static struct neighbour *
609 ___neigh_create(struct neigh_table *tbl, const void *pkey,
610 		struct net_device *dev, u32 flags,
611 		bool exempt_from_gc, bool want_ref)
612 {
613 	u32 hash_val, key_len = tbl->key_len;
614 	struct neighbour *n1, *rc, *n;
615 	struct neigh_hash_table *nht;
616 	int error;
617 
618 	n = neigh_alloc(tbl, dev, flags, exempt_from_gc);
619 	trace_neigh_create(tbl, dev, pkey, n, exempt_from_gc);
620 	if (!n) {
621 		rc = ERR_PTR(-ENOBUFS);
622 		goto out;
623 	}
624 
625 	memcpy(n->primary_key, pkey, key_len);
626 	n->dev = dev;
627 	netdev_hold(dev, &n->dev_tracker, GFP_ATOMIC);
628 
629 	/* Protocol specific setup. */
630 	if (tbl->constructor &&	(error = tbl->constructor(n)) < 0) {
631 		rc = ERR_PTR(error);
632 		goto out_neigh_release;
633 	}
634 
635 	if (dev->netdev_ops->ndo_neigh_construct) {
636 		error = dev->netdev_ops->ndo_neigh_construct(dev, n);
637 		if (error < 0) {
638 			rc = ERR_PTR(error);
639 			goto out_neigh_release;
640 		}
641 	}
642 
643 	/* Device specific setup. */
644 	if (n->parms->neigh_setup &&
645 	    (error = n->parms->neigh_setup(n)) < 0) {
646 		rc = ERR_PTR(error);
647 		goto out_neigh_release;
648 	}
649 
650 	n->confirmed = jiffies - (NEIGH_VAR(n->parms, BASE_REACHABLE_TIME) << 1);
651 
652 	write_lock_bh(&tbl->lock);
653 	nht = rcu_dereference_protected(tbl->nht,
654 					lockdep_is_held(&tbl->lock));
655 
656 	if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
657 		nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
658 
659 	hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
660 
661 	if (n->parms->dead) {
662 		rc = ERR_PTR(-EINVAL);
663 		goto out_tbl_unlock;
664 	}
665 
666 	for (n1 = rcu_dereference_protected(nht->hash_buckets[hash_val],
667 					    lockdep_is_held(&tbl->lock));
668 	     n1 != NULL;
669 	     n1 = rcu_dereference_protected(n1->next,
670 			lockdep_is_held(&tbl->lock))) {
671 		if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
672 			if (want_ref)
673 				neigh_hold(n1);
674 			rc = n1;
675 			goto out_tbl_unlock;
676 		}
677 	}
678 
679 	n->dead = 0;
680 	if (!exempt_from_gc)
681 		list_add_tail(&n->gc_list, &n->tbl->gc_list);
682 	if (n->flags & NTF_MANAGED)
683 		list_add_tail(&n->managed_list, &n->tbl->managed_list);
684 	if (want_ref)
685 		neigh_hold(n);
686 	rcu_assign_pointer(n->next,
687 			   rcu_dereference_protected(nht->hash_buckets[hash_val],
688 						     lockdep_is_held(&tbl->lock)));
689 	rcu_assign_pointer(nht->hash_buckets[hash_val], n);
690 	write_unlock_bh(&tbl->lock);
691 	neigh_dbg(2, "neigh %p is created\n", n);
692 	rc = n;
693 out:
694 	return rc;
695 out_tbl_unlock:
696 	write_unlock_bh(&tbl->lock);
697 out_neigh_release:
698 	if (!exempt_from_gc)
699 		atomic_dec(&tbl->gc_entries);
700 	neigh_release(n);
701 	goto out;
702 }
703 
704 struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
705 				 struct net_device *dev, bool want_ref)
706 {
707 	return ___neigh_create(tbl, pkey, dev, 0, false, want_ref);
708 }
709 EXPORT_SYMBOL(__neigh_create);
710 
711 static u32 pneigh_hash(const void *pkey, unsigned int key_len)
712 {
713 	u32 hash_val = *(u32 *)(pkey + key_len - 4);
714 	hash_val ^= (hash_val >> 16);
715 	hash_val ^= hash_val >> 8;
716 	hash_val ^= hash_val >> 4;
717 	hash_val &= PNEIGH_HASHMASK;
718 	return hash_val;
719 }
720 
721 static struct pneigh_entry *__pneigh_lookup_1(struct pneigh_entry *n,
722 					      struct net *net,
723 					      const void *pkey,
724 					      unsigned int key_len,
725 					      struct net_device *dev)
726 {
727 	while (n) {
728 		if (!memcmp(n->key, pkey, key_len) &&
729 		    net_eq(pneigh_net(n), net) &&
730 		    (n->dev == dev || !n->dev))
731 			return n;
732 		n = n->next;
733 	}
734 	return NULL;
735 }
736 
737 struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl,
738 		struct net *net, const void *pkey, struct net_device *dev)
739 {
740 	unsigned int key_len = tbl->key_len;
741 	u32 hash_val = pneigh_hash(pkey, key_len);
742 
743 	return __pneigh_lookup_1(tbl->phash_buckets[hash_val],
744 				 net, pkey, key_len, dev);
745 }
746 EXPORT_SYMBOL_GPL(__pneigh_lookup);
747 
748 struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl,
749 				    struct net *net, const void *pkey,
750 				    struct net_device *dev, int creat)
751 {
752 	struct pneigh_entry *n;
753 	unsigned int key_len = tbl->key_len;
754 	u32 hash_val = pneigh_hash(pkey, key_len);
755 
756 	read_lock_bh(&tbl->lock);
757 	n = __pneigh_lookup_1(tbl->phash_buckets[hash_val],
758 			      net, pkey, key_len, dev);
759 	read_unlock_bh(&tbl->lock);
760 
761 	if (n || !creat)
762 		goto out;
763 
764 	ASSERT_RTNL();
765 
766 	n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL);
767 	if (!n)
768 		goto out;
769 
770 	write_pnet(&n->net, net);
771 	memcpy(n->key, pkey, key_len);
772 	n->dev = dev;
773 	netdev_hold(dev, &n->dev_tracker, GFP_KERNEL);
774 
775 	if (tbl->pconstructor && tbl->pconstructor(n)) {
776 		netdev_put(dev, &n->dev_tracker);
777 		kfree(n);
778 		n = NULL;
779 		goto out;
780 	}
781 
782 	write_lock_bh(&tbl->lock);
783 	n->next = tbl->phash_buckets[hash_val];
784 	tbl->phash_buckets[hash_val] = n;
785 	write_unlock_bh(&tbl->lock);
786 out:
787 	return n;
788 }
789 EXPORT_SYMBOL(pneigh_lookup);
790 
791 
792 int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
793 		  struct net_device *dev)
794 {
795 	struct pneigh_entry *n, **np;
796 	unsigned int key_len = tbl->key_len;
797 	u32 hash_val = pneigh_hash(pkey, key_len);
798 
799 	write_lock_bh(&tbl->lock);
800 	for (np = &tbl->phash_buckets[hash_val]; (n = *np) != NULL;
801 	     np = &n->next) {
802 		if (!memcmp(n->key, pkey, key_len) && n->dev == dev &&
803 		    net_eq(pneigh_net(n), net)) {
804 			*np = n->next;
805 			write_unlock_bh(&tbl->lock);
806 			if (tbl->pdestructor)
807 				tbl->pdestructor(n);
808 			netdev_put(n->dev, &n->dev_tracker);
809 			kfree(n);
810 			return 0;
811 		}
812 	}
813 	write_unlock_bh(&tbl->lock);
814 	return -ENOENT;
815 }
816 
817 static int pneigh_ifdown_and_unlock(struct neigh_table *tbl,
818 				    struct net_device *dev)
819 {
820 	struct pneigh_entry *n, **np, *freelist = NULL;
821 	u32 h;
822 
823 	for (h = 0; h <= PNEIGH_HASHMASK; h++) {
824 		np = &tbl->phash_buckets[h];
825 		while ((n = *np) != NULL) {
826 			if (!dev || n->dev == dev) {
827 				*np = n->next;
828 				n->next = freelist;
829 				freelist = n;
830 				continue;
831 			}
832 			np = &n->next;
833 		}
834 	}
835 	write_unlock_bh(&tbl->lock);
836 	while ((n = freelist)) {
837 		freelist = n->next;
838 		n->next = NULL;
839 		if (tbl->pdestructor)
840 			tbl->pdestructor(n);
841 		netdev_put(n->dev, &n->dev_tracker);
842 		kfree(n);
843 	}
844 	return -ENOENT;
845 }
846 
847 static void neigh_parms_destroy(struct neigh_parms *parms);
848 
849 static inline void neigh_parms_put(struct neigh_parms *parms)
850 {
851 	if (refcount_dec_and_test(&parms->refcnt))
852 		neigh_parms_destroy(parms);
853 }
854 
855 /*
856  *	neighbour must already be out of the table;
857  *
858  */
859 void neigh_destroy(struct neighbour *neigh)
860 {
861 	struct net_device *dev = neigh->dev;
862 
863 	NEIGH_CACHE_STAT_INC(neigh->tbl, destroys);
864 
865 	if (!neigh->dead) {
866 		pr_warn("Destroying alive neighbour %p\n", neigh);
867 		dump_stack();
868 		return;
869 	}
870 
871 	if (neigh_del_timer(neigh))
872 		pr_warn("Impossible event\n");
873 
874 	write_lock_bh(&neigh->lock);
875 	__skb_queue_purge(&neigh->arp_queue);
876 	write_unlock_bh(&neigh->lock);
877 	neigh->arp_queue_len_bytes = 0;
878 
879 	if (dev->netdev_ops->ndo_neigh_destroy)
880 		dev->netdev_ops->ndo_neigh_destroy(dev, neigh);
881 
882 	netdev_put(dev, &neigh->dev_tracker);
883 	neigh_parms_put(neigh->parms);
884 
885 	neigh_dbg(2, "neigh %p is destroyed\n", neigh);
886 
887 	atomic_dec(&neigh->tbl->entries);
888 	kfree_rcu(neigh, rcu);
889 }
890 EXPORT_SYMBOL(neigh_destroy);
891 
892 /* Neighbour state is suspicious;
893    disable fast path.
894 
895    Called with write_locked neigh.
896  */
897 static void neigh_suspect(struct neighbour *neigh)
898 {
899 	neigh_dbg(2, "neigh %p is suspected\n", neigh);
900 
901 	neigh->output = neigh->ops->output;
902 }
903 
904 /* Neighbour state is OK;
905    enable fast path.
906 
907    Called with write_locked neigh.
908  */
909 static void neigh_connect(struct neighbour *neigh)
910 {
911 	neigh_dbg(2, "neigh %p is connected\n", neigh);
912 
913 	neigh->output = neigh->ops->connected_output;
914 }
915 
916 static void neigh_periodic_work(struct work_struct *work)
917 {
918 	struct neigh_table *tbl = container_of(work, struct neigh_table, gc_work.work);
919 	struct neighbour *n;
920 	struct neighbour __rcu **np;
921 	unsigned int i;
922 	struct neigh_hash_table *nht;
923 
924 	NEIGH_CACHE_STAT_INC(tbl, periodic_gc_runs);
925 
926 	write_lock_bh(&tbl->lock);
927 	nht = rcu_dereference_protected(tbl->nht,
928 					lockdep_is_held(&tbl->lock));
929 
930 	/*
931 	 *	periodically recompute ReachableTime from random function
932 	 */
933 
934 	if (time_after(jiffies, tbl->last_rand + 300 * HZ)) {
935 		struct neigh_parms *p;
936 		tbl->last_rand = jiffies;
937 		list_for_each_entry(p, &tbl->parms_list, list)
938 			p->reachable_time =
939 				neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
940 	}
941 
942 	if (atomic_read(&tbl->entries) < tbl->gc_thresh1)
943 		goto out;
944 
945 	for (i = 0 ; i < (1 << nht->hash_shift); i++) {
946 		np = &nht->hash_buckets[i];
947 
948 		while ((n = rcu_dereference_protected(*np,
949 				lockdep_is_held(&tbl->lock))) != NULL) {
950 			unsigned int state;
951 
952 			write_lock(&n->lock);
953 
954 			state = n->nud_state;
955 			if ((state & (NUD_PERMANENT | NUD_IN_TIMER)) ||
956 			    (n->flags & NTF_EXT_LEARNED)) {
957 				write_unlock(&n->lock);
958 				goto next_elt;
959 			}
960 
961 			if (time_before(n->used, n->confirmed))
962 				n->used = n->confirmed;
963 
964 			if (refcount_read(&n->refcnt) == 1 &&
965 			    (state == NUD_FAILED ||
966 			     time_after(jiffies, n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
967 				*np = n->next;
968 				neigh_mark_dead(n);
969 				write_unlock(&n->lock);
970 				neigh_cleanup_and_release(n);
971 				continue;
972 			}
973 			write_unlock(&n->lock);
974 
975 next_elt:
976 			np = &n->next;
977 		}
978 		/*
979 		 * It's fine to release lock here, even if hash table
980 		 * grows while we are preempted.
981 		 */
982 		write_unlock_bh(&tbl->lock);
983 		cond_resched();
984 		write_lock_bh(&tbl->lock);
985 		nht = rcu_dereference_protected(tbl->nht,
986 						lockdep_is_held(&tbl->lock));
987 	}
988 out:
989 	/* Cycle through all hash buckets every BASE_REACHABLE_TIME/2 ticks.
990 	 * ARP entry timeouts range from 1/2 BASE_REACHABLE_TIME to 3/2
991 	 * BASE_REACHABLE_TIME.
992 	 */
993 	queue_delayed_work(system_power_efficient_wq, &tbl->gc_work,
994 			      NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME) >> 1);
995 	write_unlock_bh(&tbl->lock);
996 }
997 
998 static __inline__ int neigh_max_probes(struct neighbour *n)
999 {
1000 	struct neigh_parms *p = n->parms;
1001 	return NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) +
1002 	       (n->nud_state & NUD_PROBE ? NEIGH_VAR(p, MCAST_REPROBES) :
1003 	        NEIGH_VAR(p, MCAST_PROBES));
1004 }
1005 
1006 static void neigh_invalidate(struct neighbour *neigh)
1007 	__releases(neigh->lock)
1008 	__acquires(neigh->lock)
1009 {
1010 	struct sk_buff *skb;
1011 
1012 	NEIGH_CACHE_STAT_INC(neigh->tbl, res_failed);
1013 	neigh_dbg(2, "neigh %p is failed\n", neigh);
1014 	neigh->updated = jiffies;
1015 
1016 	/* It is very thin place. report_unreachable is very complicated
1017 	   routine. Particularly, it can hit the same neighbour entry!
1018 
1019 	   So that, we try to be accurate and avoid dead loop. --ANK
1020 	 */
1021 	while (neigh->nud_state == NUD_FAILED &&
1022 	       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
1023 		write_unlock(&neigh->lock);
1024 		neigh->ops->error_report(neigh, skb);
1025 		write_lock(&neigh->lock);
1026 	}
1027 	__skb_queue_purge(&neigh->arp_queue);
1028 	neigh->arp_queue_len_bytes = 0;
1029 }
1030 
1031 static void neigh_probe(struct neighbour *neigh)
1032 	__releases(neigh->lock)
1033 {
1034 	struct sk_buff *skb = skb_peek_tail(&neigh->arp_queue);
1035 	/* keep skb alive even if arp_queue overflows */
1036 	if (skb)
1037 		skb = skb_clone(skb, GFP_ATOMIC);
1038 	write_unlock(&neigh->lock);
1039 	if (neigh->ops->solicit)
1040 		neigh->ops->solicit(neigh, skb);
1041 	atomic_inc(&neigh->probes);
1042 	consume_skb(skb);
1043 }
1044 
1045 /* Called when a timer expires for a neighbour entry. */
1046 
1047 static void neigh_timer_handler(struct timer_list *t)
1048 {
1049 	unsigned long now, next;
1050 	struct neighbour *neigh = from_timer(neigh, t, timer);
1051 	unsigned int state;
1052 	int notify = 0;
1053 
1054 	write_lock(&neigh->lock);
1055 
1056 	state = neigh->nud_state;
1057 	now = jiffies;
1058 	next = now + HZ;
1059 
1060 	if (!(state & NUD_IN_TIMER))
1061 		goto out;
1062 
1063 	if (state & NUD_REACHABLE) {
1064 		if (time_before_eq(now,
1065 				   neigh->confirmed + neigh->parms->reachable_time)) {
1066 			neigh_dbg(2, "neigh %p is still alive\n", neigh);
1067 			next = neigh->confirmed + neigh->parms->reachable_time;
1068 		} else if (time_before_eq(now,
1069 					  neigh->used +
1070 					  NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME))) {
1071 			neigh_dbg(2, "neigh %p is delayed\n", neigh);
1072 			neigh->nud_state = NUD_DELAY;
1073 			neigh->updated = jiffies;
1074 			neigh_suspect(neigh);
1075 			next = now + NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME);
1076 		} else {
1077 			neigh_dbg(2, "neigh %p is suspected\n", neigh);
1078 			neigh->nud_state = NUD_STALE;
1079 			neigh->updated = jiffies;
1080 			neigh_suspect(neigh);
1081 			notify = 1;
1082 		}
1083 	} else if (state & NUD_DELAY) {
1084 		if (time_before_eq(now,
1085 				   neigh->confirmed +
1086 				   NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME))) {
1087 			neigh_dbg(2, "neigh %p is now reachable\n", neigh);
1088 			neigh->nud_state = NUD_REACHABLE;
1089 			neigh->updated = jiffies;
1090 			neigh_connect(neigh);
1091 			notify = 1;
1092 			next = neigh->confirmed + neigh->parms->reachable_time;
1093 		} else {
1094 			neigh_dbg(2, "neigh %p is probed\n", neigh);
1095 			neigh->nud_state = NUD_PROBE;
1096 			neigh->updated = jiffies;
1097 			atomic_set(&neigh->probes, 0);
1098 			notify = 1;
1099 			next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
1100 					 HZ/100);
1101 		}
1102 	} else {
1103 		/* NUD_PROBE|NUD_INCOMPLETE */
1104 		next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), HZ/100);
1105 	}
1106 
1107 	if ((neigh->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) &&
1108 	    atomic_read(&neigh->probes) >= neigh_max_probes(neigh)) {
1109 		neigh->nud_state = NUD_FAILED;
1110 		notify = 1;
1111 		neigh_invalidate(neigh);
1112 		goto out;
1113 	}
1114 
1115 	if (neigh->nud_state & NUD_IN_TIMER) {
1116 		if (time_before(next, jiffies + HZ/100))
1117 			next = jiffies + HZ/100;
1118 		if (!mod_timer(&neigh->timer, next))
1119 			neigh_hold(neigh);
1120 	}
1121 	if (neigh->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) {
1122 		neigh_probe(neigh);
1123 	} else {
1124 out:
1125 		write_unlock(&neigh->lock);
1126 	}
1127 
1128 	if (notify)
1129 		neigh_update_notify(neigh, 0);
1130 
1131 	trace_neigh_timer_handler(neigh, 0);
1132 
1133 	neigh_release(neigh);
1134 }
1135 
1136 int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb,
1137 		       const bool immediate_ok)
1138 {
1139 	int rc;
1140 	bool immediate_probe = false;
1141 
1142 	write_lock_bh(&neigh->lock);
1143 
1144 	rc = 0;
1145 	if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
1146 		goto out_unlock_bh;
1147 	if (neigh->dead)
1148 		goto out_dead;
1149 
1150 	if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
1151 		if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
1152 		    NEIGH_VAR(neigh->parms, APP_PROBES)) {
1153 			unsigned long next, now = jiffies;
1154 
1155 			atomic_set(&neigh->probes,
1156 				   NEIGH_VAR(neigh->parms, UCAST_PROBES));
1157 			neigh_del_timer(neigh);
1158 			neigh->nud_state = NUD_INCOMPLETE;
1159 			neigh->updated = now;
1160 			if (!immediate_ok) {
1161 				next = now + 1;
1162 			} else {
1163 				immediate_probe = true;
1164 				next = now + max(NEIGH_VAR(neigh->parms,
1165 							   RETRANS_TIME),
1166 						 HZ / 100);
1167 			}
1168 			neigh_add_timer(neigh, next);
1169 		} else {
1170 			neigh->nud_state = NUD_FAILED;
1171 			neigh->updated = jiffies;
1172 			write_unlock_bh(&neigh->lock);
1173 
1174 			kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_FAILED);
1175 			return 1;
1176 		}
1177 	} else if (neigh->nud_state & NUD_STALE) {
1178 		neigh_dbg(2, "neigh %p is delayed\n", neigh);
1179 		neigh_del_timer(neigh);
1180 		neigh->nud_state = NUD_DELAY;
1181 		neigh->updated = jiffies;
1182 		neigh_add_timer(neigh, jiffies +
1183 				NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME));
1184 	}
1185 
1186 	if (neigh->nud_state == NUD_INCOMPLETE) {
1187 		if (skb) {
1188 			while (neigh->arp_queue_len_bytes + skb->truesize >
1189 			       NEIGH_VAR(neigh->parms, QUEUE_LEN_BYTES)) {
1190 				struct sk_buff *buff;
1191 
1192 				buff = __skb_dequeue(&neigh->arp_queue);
1193 				if (!buff)
1194 					break;
1195 				neigh->arp_queue_len_bytes -= buff->truesize;
1196 				kfree_skb_reason(buff, SKB_DROP_REASON_NEIGH_QUEUEFULL);
1197 				NEIGH_CACHE_STAT_INC(neigh->tbl, unres_discards);
1198 			}
1199 			skb_dst_force(skb);
1200 			__skb_queue_tail(&neigh->arp_queue, skb);
1201 			neigh->arp_queue_len_bytes += skb->truesize;
1202 		}
1203 		rc = 1;
1204 	}
1205 out_unlock_bh:
1206 	if (immediate_probe)
1207 		neigh_probe(neigh);
1208 	else
1209 		write_unlock(&neigh->lock);
1210 	local_bh_enable();
1211 	trace_neigh_event_send_done(neigh, rc);
1212 	return rc;
1213 
1214 out_dead:
1215 	if (neigh->nud_state & NUD_STALE)
1216 		goto out_unlock_bh;
1217 	write_unlock_bh(&neigh->lock);
1218 	kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_DEAD);
1219 	trace_neigh_event_send_dead(neigh, 1);
1220 	return 1;
1221 }
1222 EXPORT_SYMBOL(__neigh_event_send);
1223 
1224 static void neigh_update_hhs(struct neighbour *neigh)
1225 {
1226 	struct hh_cache *hh;
1227 	void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
1228 		= NULL;
1229 
1230 	if (neigh->dev->header_ops)
1231 		update = neigh->dev->header_ops->cache_update;
1232 
1233 	if (update) {
1234 		hh = &neigh->hh;
1235 		if (READ_ONCE(hh->hh_len)) {
1236 			write_seqlock_bh(&hh->hh_lock);
1237 			update(hh, neigh->dev, neigh->ha);
1238 			write_sequnlock_bh(&hh->hh_lock);
1239 		}
1240 	}
1241 }
1242 
1243 /* Generic update routine.
1244    -- lladdr is new lladdr or NULL, if it is not supplied.
1245    -- new    is new state.
1246    -- flags
1247 	NEIGH_UPDATE_F_OVERRIDE allows to override existing lladdr,
1248 				if it is different.
1249 	NEIGH_UPDATE_F_WEAK_OVERRIDE will suspect existing "connected"
1250 				lladdr instead of overriding it
1251 				if it is different.
1252 	NEIGH_UPDATE_F_ADMIN	means that the change is administrative.
1253 	NEIGH_UPDATE_F_USE	means that the entry is user triggered.
1254 	NEIGH_UPDATE_F_MANAGED	means that the entry will be auto-refreshed.
1255 	NEIGH_UPDATE_F_OVERRIDE_ISROUTER allows to override existing
1256 				NTF_ROUTER flag.
1257 	NEIGH_UPDATE_F_ISROUTER	indicates if the neighbour is known as
1258 				a router.
1259 
1260    Caller MUST hold reference count on the entry.
1261  */
1262 static int __neigh_update(struct neighbour *neigh, const u8 *lladdr,
1263 			  u8 new, u32 flags, u32 nlmsg_pid,
1264 			  struct netlink_ext_ack *extack)
1265 {
1266 	bool gc_update = false, managed_update = false;
1267 	int update_isrouter = 0;
1268 	struct net_device *dev;
1269 	int err, notify = 0;
1270 	u8 old;
1271 
1272 	trace_neigh_update(neigh, lladdr, new, flags, nlmsg_pid);
1273 
1274 	write_lock_bh(&neigh->lock);
1275 
1276 	dev    = neigh->dev;
1277 	old    = neigh->nud_state;
1278 	err    = -EPERM;
1279 
1280 	if (neigh->dead) {
1281 		NL_SET_ERR_MSG(extack, "Neighbor entry is now dead");
1282 		new = old;
1283 		goto out;
1284 	}
1285 	if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
1286 	    (old & (NUD_NOARP | NUD_PERMANENT)))
1287 		goto out;
1288 
1289 	neigh_update_flags(neigh, flags, &notify, &gc_update, &managed_update);
1290 	if (flags & (NEIGH_UPDATE_F_USE | NEIGH_UPDATE_F_MANAGED)) {
1291 		new = old & ~NUD_PERMANENT;
1292 		neigh->nud_state = new;
1293 		err = 0;
1294 		goto out;
1295 	}
1296 
1297 	if (!(new & NUD_VALID)) {
1298 		neigh_del_timer(neigh);
1299 		if (old & NUD_CONNECTED)
1300 			neigh_suspect(neigh);
1301 		neigh->nud_state = new;
1302 		err = 0;
1303 		notify = old & NUD_VALID;
1304 		if ((old & (NUD_INCOMPLETE | NUD_PROBE)) &&
1305 		    (new & NUD_FAILED)) {
1306 			neigh_invalidate(neigh);
1307 			notify = 1;
1308 		}
1309 		goto out;
1310 	}
1311 
1312 	/* Compare new lladdr with cached one */
1313 	if (!dev->addr_len) {
1314 		/* First case: device needs no address. */
1315 		lladdr = neigh->ha;
1316 	} else if (lladdr) {
1317 		/* The second case: if something is already cached
1318 		   and a new address is proposed:
1319 		   - compare new & old
1320 		   - if they are different, check override flag
1321 		 */
1322 		if ((old & NUD_VALID) &&
1323 		    !memcmp(lladdr, neigh->ha, dev->addr_len))
1324 			lladdr = neigh->ha;
1325 	} else {
1326 		/* No address is supplied; if we know something,
1327 		   use it, otherwise discard the request.
1328 		 */
1329 		err = -EINVAL;
1330 		if (!(old & NUD_VALID)) {
1331 			NL_SET_ERR_MSG(extack, "No link layer address given");
1332 			goto out;
1333 		}
1334 		lladdr = neigh->ha;
1335 	}
1336 
1337 	/* Update confirmed timestamp for neighbour entry after we
1338 	 * received ARP packet even if it doesn't change IP to MAC binding.
1339 	 */
1340 	if (new & NUD_CONNECTED)
1341 		neigh->confirmed = jiffies;
1342 
1343 	/* If entry was valid and address is not changed,
1344 	   do not change entry state, if new one is STALE.
1345 	 */
1346 	err = 0;
1347 	update_isrouter = flags & NEIGH_UPDATE_F_OVERRIDE_ISROUTER;
1348 	if (old & NUD_VALID) {
1349 		if (lladdr != neigh->ha && !(flags & NEIGH_UPDATE_F_OVERRIDE)) {
1350 			update_isrouter = 0;
1351 			if ((flags & NEIGH_UPDATE_F_WEAK_OVERRIDE) &&
1352 			    (old & NUD_CONNECTED)) {
1353 				lladdr = neigh->ha;
1354 				new = NUD_STALE;
1355 			} else
1356 				goto out;
1357 		} else {
1358 			if (lladdr == neigh->ha && new == NUD_STALE &&
1359 			    !(flags & NEIGH_UPDATE_F_ADMIN))
1360 				new = old;
1361 		}
1362 	}
1363 
1364 	/* Update timestamp only once we know we will make a change to the
1365 	 * neighbour entry. Otherwise we risk to move the locktime window with
1366 	 * noop updates and ignore relevant ARP updates.
1367 	 */
1368 	if (new != old || lladdr != neigh->ha)
1369 		neigh->updated = jiffies;
1370 
1371 	if (new != old) {
1372 		neigh_del_timer(neigh);
1373 		if (new & NUD_PROBE)
1374 			atomic_set(&neigh->probes, 0);
1375 		if (new & NUD_IN_TIMER)
1376 			neigh_add_timer(neigh, (jiffies +
1377 						((new & NUD_REACHABLE) ?
1378 						 neigh->parms->reachable_time :
1379 						 0)));
1380 		neigh->nud_state = new;
1381 		notify = 1;
1382 	}
1383 
1384 	if (lladdr != neigh->ha) {
1385 		write_seqlock(&neigh->ha_lock);
1386 		memcpy(&neigh->ha, lladdr, dev->addr_len);
1387 		write_sequnlock(&neigh->ha_lock);
1388 		neigh_update_hhs(neigh);
1389 		if (!(new & NUD_CONNECTED))
1390 			neigh->confirmed = jiffies -
1391 				      (NEIGH_VAR(neigh->parms, BASE_REACHABLE_TIME) << 1);
1392 		notify = 1;
1393 	}
1394 	if (new == old)
1395 		goto out;
1396 	if (new & NUD_CONNECTED)
1397 		neigh_connect(neigh);
1398 	else
1399 		neigh_suspect(neigh);
1400 	if (!(old & NUD_VALID)) {
1401 		struct sk_buff *skb;
1402 
1403 		/* Again: avoid dead loop if something went wrong */
1404 
1405 		while (neigh->nud_state & NUD_VALID &&
1406 		       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
1407 			struct dst_entry *dst = skb_dst(skb);
1408 			struct neighbour *n2, *n1 = neigh;
1409 			write_unlock_bh(&neigh->lock);
1410 
1411 			rcu_read_lock();
1412 
1413 			/* Why not just use 'neigh' as-is?  The problem is that
1414 			 * things such as shaper, eql, and sch_teql can end up
1415 			 * using alternative, different, neigh objects to output
1416 			 * the packet in the output path.  So what we need to do
1417 			 * here is re-lookup the top-level neigh in the path so
1418 			 * we can reinject the packet there.
1419 			 */
1420 			n2 = NULL;
1421 			if (dst && dst->obsolete != DST_OBSOLETE_DEAD) {
1422 				n2 = dst_neigh_lookup_skb(dst, skb);
1423 				if (n2)
1424 					n1 = n2;
1425 			}
1426 			n1->output(n1, skb);
1427 			if (n2)
1428 				neigh_release(n2);
1429 			rcu_read_unlock();
1430 
1431 			write_lock_bh(&neigh->lock);
1432 		}
1433 		__skb_queue_purge(&neigh->arp_queue);
1434 		neigh->arp_queue_len_bytes = 0;
1435 	}
1436 out:
1437 	if (update_isrouter)
1438 		neigh_update_is_router(neigh, flags, &notify);
1439 	write_unlock_bh(&neigh->lock);
1440 	if (((new ^ old) & NUD_PERMANENT) || gc_update)
1441 		neigh_update_gc_list(neigh);
1442 	if (managed_update)
1443 		neigh_update_managed_list(neigh);
1444 	if (notify)
1445 		neigh_update_notify(neigh, nlmsg_pid);
1446 	trace_neigh_update_done(neigh, err);
1447 	return err;
1448 }
1449 
1450 int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
1451 		 u32 flags, u32 nlmsg_pid)
1452 {
1453 	return __neigh_update(neigh, lladdr, new, flags, nlmsg_pid, NULL);
1454 }
1455 EXPORT_SYMBOL(neigh_update);
1456 
1457 /* Update the neigh to listen temporarily for probe responses, even if it is
1458  * in a NUD_FAILED state. The caller has to hold neigh->lock for writing.
1459  */
1460 void __neigh_set_probe_once(struct neighbour *neigh)
1461 {
1462 	if (neigh->dead)
1463 		return;
1464 	neigh->updated = jiffies;
1465 	if (!(neigh->nud_state & NUD_FAILED))
1466 		return;
1467 	neigh->nud_state = NUD_INCOMPLETE;
1468 	atomic_set(&neigh->probes, neigh_max_probes(neigh));
1469 	neigh_add_timer(neigh,
1470 			jiffies + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
1471 				      HZ/100));
1472 }
1473 EXPORT_SYMBOL(__neigh_set_probe_once);
1474 
1475 struct neighbour *neigh_event_ns(struct neigh_table *tbl,
1476 				 u8 *lladdr, void *saddr,
1477 				 struct net_device *dev)
1478 {
1479 	struct neighbour *neigh = __neigh_lookup(tbl, saddr, dev,
1480 						 lladdr || !dev->addr_len);
1481 	if (neigh)
1482 		neigh_update(neigh, lladdr, NUD_STALE,
1483 			     NEIGH_UPDATE_F_OVERRIDE, 0);
1484 	return neigh;
1485 }
1486 EXPORT_SYMBOL(neigh_event_ns);
1487 
1488 /* called with read_lock_bh(&n->lock); */
1489 static void neigh_hh_init(struct neighbour *n)
1490 {
1491 	struct net_device *dev = n->dev;
1492 	__be16 prot = n->tbl->protocol;
1493 	struct hh_cache	*hh = &n->hh;
1494 
1495 	write_lock_bh(&n->lock);
1496 
1497 	/* Only one thread can come in here and initialize the
1498 	 * hh_cache entry.
1499 	 */
1500 	if (!hh->hh_len)
1501 		dev->header_ops->cache(n, hh, prot);
1502 
1503 	write_unlock_bh(&n->lock);
1504 }
1505 
1506 /* Slow and careful. */
1507 
1508 int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb)
1509 {
1510 	int rc = 0;
1511 
1512 	if (!neigh_event_send(neigh, skb)) {
1513 		int err;
1514 		struct net_device *dev = neigh->dev;
1515 		unsigned int seq;
1516 
1517 		if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len))
1518 			neigh_hh_init(neigh);
1519 
1520 		do {
1521 			__skb_pull(skb, skb_network_offset(skb));
1522 			seq = read_seqbegin(&neigh->ha_lock);
1523 			err = dev_hard_header(skb, dev, ntohs(skb->protocol),
1524 					      neigh->ha, NULL, skb->len);
1525 		} while (read_seqretry(&neigh->ha_lock, seq));
1526 
1527 		if (err >= 0)
1528 			rc = dev_queue_xmit(skb);
1529 		else
1530 			goto out_kfree_skb;
1531 	}
1532 out:
1533 	return rc;
1534 out_kfree_skb:
1535 	rc = -EINVAL;
1536 	kfree_skb(skb);
1537 	goto out;
1538 }
1539 EXPORT_SYMBOL(neigh_resolve_output);
1540 
1541 /* As fast as possible without hh cache */
1542 
1543 int neigh_connected_output(struct neighbour *neigh, struct sk_buff *skb)
1544 {
1545 	struct net_device *dev = neigh->dev;
1546 	unsigned int seq;
1547 	int err;
1548 
1549 	do {
1550 		__skb_pull(skb, skb_network_offset(skb));
1551 		seq = read_seqbegin(&neigh->ha_lock);
1552 		err = dev_hard_header(skb, dev, ntohs(skb->protocol),
1553 				      neigh->ha, NULL, skb->len);
1554 	} while (read_seqretry(&neigh->ha_lock, seq));
1555 
1556 	if (err >= 0)
1557 		err = dev_queue_xmit(skb);
1558 	else {
1559 		err = -EINVAL;
1560 		kfree_skb(skb);
1561 	}
1562 	return err;
1563 }
1564 EXPORT_SYMBOL(neigh_connected_output);
1565 
1566 int neigh_direct_output(struct neighbour *neigh, struct sk_buff *skb)
1567 {
1568 	return dev_queue_xmit(skb);
1569 }
1570 EXPORT_SYMBOL(neigh_direct_output);
1571 
1572 static void neigh_managed_work(struct work_struct *work)
1573 {
1574 	struct neigh_table *tbl = container_of(work, struct neigh_table,
1575 					       managed_work.work);
1576 	struct neighbour *neigh;
1577 
1578 	write_lock_bh(&tbl->lock);
1579 	list_for_each_entry(neigh, &tbl->managed_list, managed_list)
1580 		neigh_event_send_probe(neigh, NULL, false);
1581 	queue_delayed_work(system_power_efficient_wq, &tbl->managed_work,
1582 			   NEIGH_VAR(&tbl->parms, INTERVAL_PROBE_TIME_MS));
1583 	write_unlock_bh(&tbl->lock);
1584 }
1585 
1586 static void neigh_proxy_process(struct timer_list *t)
1587 {
1588 	struct neigh_table *tbl = from_timer(tbl, t, proxy_timer);
1589 	long sched_next = 0;
1590 	unsigned long now = jiffies;
1591 	struct sk_buff *skb, *n;
1592 
1593 	spin_lock(&tbl->proxy_queue.lock);
1594 
1595 	skb_queue_walk_safe(&tbl->proxy_queue, skb, n) {
1596 		long tdif = NEIGH_CB(skb)->sched_next - now;
1597 
1598 		if (tdif <= 0) {
1599 			struct net_device *dev = skb->dev;
1600 
1601 			__skb_unlink(skb, &tbl->proxy_queue);
1602 			if (tbl->proxy_redo && netif_running(dev)) {
1603 				rcu_read_lock();
1604 				tbl->proxy_redo(skb);
1605 				rcu_read_unlock();
1606 			} else {
1607 				kfree_skb(skb);
1608 			}
1609 
1610 			dev_put(dev);
1611 		} else if (!sched_next || tdif < sched_next)
1612 			sched_next = tdif;
1613 	}
1614 	del_timer(&tbl->proxy_timer);
1615 	if (sched_next)
1616 		mod_timer(&tbl->proxy_timer, jiffies + sched_next);
1617 	spin_unlock(&tbl->proxy_queue.lock);
1618 }
1619 
1620 void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
1621 		    struct sk_buff *skb)
1622 {
1623 	unsigned long sched_next = jiffies +
1624 			prandom_u32_max(NEIGH_VAR(p, PROXY_DELAY));
1625 
1626 	if (tbl->proxy_queue.qlen > NEIGH_VAR(p, PROXY_QLEN)) {
1627 		kfree_skb(skb);
1628 		return;
1629 	}
1630 
1631 	NEIGH_CB(skb)->sched_next = sched_next;
1632 	NEIGH_CB(skb)->flags |= LOCALLY_ENQUEUED;
1633 
1634 	spin_lock(&tbl->proxy_queue.lock);
1635 	if (del_timer(&tbl->proxy_timer)) {
1636 		if (time_before(tbl->proxy_timer.expires, sched_next))
1637 			sched_next = tbl->proxy_timer.expires;
1638 	}
1639 	skb_dst_drop(skb);
1640 	dev_hold(skb->dev);
1641 	__skb_queue_tail(&tbl->proxy_queue, skb);
1642 	mod_timer(&tbl->proxy_timer, sched_next);
1643 	spin_unlock(&tbl->proxy_queue.lock);
1644 }
1645 EXPORT_SYMBOL(pneigh_enqueue);
1646 
1647 static inline struct neigh_parms *lookup_neigh_parms(struct neigh_table *tbl,
1648 						      struct net *net, int ifindex)
1649 {
1650 	struct neigh_parms *p;
1651 
1652 	list_for_each_entry(p, &tbl->parms_list, list) {
1653 		if ((p->dev && p->dev->ifindex == ifindex && net_eq(neigh_parms_net(p), net)) ||
1654 		    (!p->dev && !ifindex && net_eq(net, &init_net)))
1655 			return p;
1656 	}
1657 
1658 	return NULL;
1659 }
1660 
1661 struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
1662 				      struct neigh_table *tbl)
1663 {
1664 	struct neigh_parms *p;
1665 	struct net *net = dev_net(dev);
1666 	const struct net_device_ops *ops = dev->netdev_ops;
1667 
1668 	p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL);
1669 	if (p) {
1670 		p->tbl		  = tbl;
1671 		refcount_set(&p->refcnt, 1);
1672 		p->reachable_time =
1673 				neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
1674 		netdev_hold(dev, &p->dev_tracker, GFP_KERNEL);
1675 		p->dev = dev;
1676 		write_pnet(&p->net, net);
1677 		p->sysctl_table = NULL;
1678 
1679 		if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) {
1680 			netdev_put(dev, &p->dev_tracker);
1681 			kfree(p);
1682 			return NULL;
1683 		}
1684 
1685 		write_lock_bh(&tbl->lock);
1686 		list_add(&p->list, &tbl->parms.list);
1687 		write_unlock_bh(&tbl->lock);
1688 
1689 		neigh_parms_data_state_cleanall(p);
1690 	}
1691 	return p;
1692 }
1693 EXPORT_SYMBOL(neigh_parms_alloc);
1694 
1695 static void neigh_rcu_free_parms(struct rcu_head *head)
1696 {
1697 	struct neigh_parms *parms =
1698 		container_of(head, struct neigh_parms, rcu_head);
1699 
1700 	neigh_parms_put(parms);
1701 }
1702 
1703 void neigh_parms_release(struct neigh_table *tbl, struct neigh_parms *parms)
1704 {
1705 	if (!parms || parms == &tbl->parms)
1706 		return;
1707 	write_lock_bh(&tbl->lock);
1708 	list_del(&parms->list);
1709 	parms->dead = 1;
1710 	write_unlock_bh(&tbl->lock);
1711 	netdev_put(parms->dev, &parms->dev_tracker);
1712 	call_rcu(&parms->rcu_head, neigh_rcu_free_parms);
1713 }
1714 EXPORT_SYMBOL(neigh_parms_release);
1715 
1716 static void neigh_parms_destroy(struct neigh_parms *parms)
1717 {
1718 	kfree(parms);
1719 }
1720 
1721 static struct lock_class_key neigh_table_proxy_queue_class;
1722 
1723 static struct neigh_table *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
1724 
1725 void neigh_table_init(int index, struct neigh_table *tbl)
1726 {
1727 	unsigned long now = jiffies;
1728 	unsigned long phsize;
1729 
1730 	INIT_LIST_HEAD(&tbl->parms_list);
1731 	INIT_LIST_HEAD(&tbl->gc_list);
1732 	INIT_LIST_HEAD(&tbl->managed_list);
1733 
1734 	list_add(&tbl->parms.list, &tbl->parms_list);
1735 	write_pnet(&tbl->parms.net, &init_net);
1736 	refcount_set(&tbl->parms.refcnt, 1);
1737 	tbl->parms.reachable_time =
1738 			  neigh_rand_reach_time(NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME));
1739 
1740 	tbl->stats = alloc_percpu(struct neigh_statistics);
1741 	if (!tbl->stats)
1742 		panic("cannot create neighbour cache statistics");
1743 
1744 #ifdef CONFIG_PROC_FS
1745 	if (!proc_create_seq_data(tbl->id, 0, init_net.proc_net_stat,
1746 			      &neigh_stat_seq_ops, tbl))
1747 		panic("cannot create neighbour proc dir entry");
1748 #endif
1749 
1750 	RCU_INIT_POINTER(tbl->nht, neigh_hash_alloc(3));
1751 
1752 	phsize = (PNEIGH_HASHMASK + 1) * sizeof(struct pneigh_entry *);
1753 	tbl->phash_buckets = kzalloc(phsize, GFP_KERNEL);
1754 
1755 	if (!tbl->nht || !tbl->phash_buckets)
1756 		panic("cannot allocate neighbour cache hashes");
1757 
1758 	if (!tbl->entry_size)
1759 		tbl->entry_size = ALIGN(offsetof(struct neighbour, primary_key) +
1760 					tbl->key_len, NEIGH_PRIV_ALIGN);
1761 	else
1762 		WARN_ON(tbl->entry_size % NEIGH_PRIV_ALIGN);
1763 
1764 	rwlock_init(&tbl->lock);
1765 
1766 	INIT_DEFERRABLE_WORK(&tbl->gc_work, neigh_periodic_work);
1767 	queue_delayed_work(system_power_efficient_wq, &tbl->gc_work,
1768 			tbl->parms.reachable_time);
1769 	INIT_DEFERRABLE_WORK(&tbl->managed_work, neigh_managed_work);
1770 	queue_delayed_work(system_power_efficient_wq, &tbl->managed_work, 0);
1771 
1772 	timer_setup(&tbl->proxy_timer, neigh_proxy_process, 0);
1773 	skb_queue_head_init_class(&tbl->proxy_queue,
1774 			&neigh_table_proxy_queue_class);
1775 
1776 	tbl->last_flush = now;
1777 	tbl->last_rand	= now + tbl->parms.reachable_time * 20;
1778 
1779 	neigh_tables[index] = tbl;
1780 }
1781 EXPORT_SYMBOL(neigh_table_init);
1782 
1783 int neigh_table_clear(int index, struct neigh_table *tbl)
1784 {
1785 	neigh_tables[index] = NULL;
1786 	/* It is not clean... Fix it to unload IPv6 module safely */
1787 	cancel_delayed_work_sync(&tbl->managed_work);
1788 	cancel_delayed_work_sync(&tbl->gc_work);
1789 	del_timer_sync(&tbl->proxy_timer);
1790 	pneigh_queue_purge(&tbl->proxy_queue);
1791 	neigh_ifdown(tbl, NULL);
1792 	if (atomic_read(&tbl->entries))
1793 		pr_crit("neighbour leakage\n");
1794 
1795 	call_rcu(&rcu_dereference_protected(tbl->nht, 1)->rcu,
1796 		 neigh_hash_free_rcu);
1797 	tbl->nht = NULL;
1798 
1799 	kfree(tbl->phash_buckets);
1800 	tbl->phash_buckets = NULL;
1801 
1802 	remove_proc_entry(tbl->id, init_net.proc_net_stat);
1803 
1804 	free_percpu(tbl->stats);
1805 	tbl->stats = NULL;
1806 
1807 	return 0;
1808 }
1809 EXPORT_SYMBOL(neigh_table_clear);
1810 
1811 static struct neigh_table *neigh_find_table(int family)
1812 {
1813 	struct neigh_table *tbl = NULL;
1814 
1815 	switch (family) {
1816 	case AF_INET:
1817 		tbl = neigh_tables[NEIGH_ARP_TABLE];
1818 		break;
1819 	case AF_INET6:
1820 		tbl = neigh_tables[NEIGH_ND_TABLE];
1821 		break;
1822 	case AF_DECnet:
1823 		tbl = neigh_tables[NEIGH_DN_TABLE];
1824 		break;
1825 	}
1826 
1827 	return tbl;
1828 }
1829 
1830 const struct nla_policy nda_policy[NDA_MAX+1] = {
1831 	[NDA_UNSPEC]		= { .strict_start_type = NDA_NH_ID },
1832 	[NDA_DST]		= { .type = NLA_BINARY, .len = MAX_ADDR_LEN },
1833 	[NDA_LLADDR]		= { .type = NLA_BINARY, .len = MAX_ADDR_LEN },
1834 	[NDA_CACHEINFO]		= { .len = sizeof(struct nda_cacheinfo) },
1835 	[NDA_PROBES]		= { .type = NLA_U32 },
1836 	[NDA_VLAN]		= { .type = NLA_U16 },
1837 	[NDA_PORT]		= { .type = NLA_U16 },
1838 	[NDA_VNI]		= { .type = NLA_U32 },
1839 	[NDA_IFINDEX]		= { .type = NLA_U32 },
1840 	[NDA_MASTER]		= { .type = NLA_U32 },
1841 	[NDA_PROTOCOL]		= { .type = NLA_U8 },
1842 	[NDA_NH_ID]		= { .type = NLA_U32 },
1843 	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
1844 	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
1845 };
1846 
1847 static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh,
1848 			struct netlink_ext_ack *extack)
1849 {
1850 	struct net *net = sock_net(skb->sk);
1851 	struct ndmsg *ndm;
1852 	struct nlattr *dst_attr;
1853 	struct neigh_table *tbl;
1854 	struct neighbour *neigh;
1855 	struct net_device *dev = NULL;
1856 	int err = -EINVAL;
1857 
1858 	ASSERT_RTNL();
1859 	if (nlmsg_len(nlh) < sizeof(*ndm))
1860 		goto out;
1861 
1862 	dst_attr = nlmsg_find_attr(nlh, sizeof(*ndm), NDA_DST);
1863 	if (!dst_attr) {
1864 		NL_SET_ERR_MSG(extack, "Network address not specified");
1865 		goto out;
1866 	}
1867 
1868 	ndm = nlmsg_data(nlh);
1869 	if (ndm->ndm_ifindex) {
1870 		dev = __dev_get_by_index(net, ndm->ndm_ifindex);
1871 		if (dev == NULL) {
1872 			err = -ENODEV;
1873 			goto out;
1874 		}
1875 	}
1876 
1877 	tbl = neigh_find_table(ndm->ndm_family);
1878 	if (tbl == NULL)
1879 		return -EAFNOSUPPORT;
1880 
1881 	if (nla_len(dst_attr) < (int)tbl->key_len) {
1882 		NL_SET_ERR_MSG(extack, "Invalid network address");
1883 		goto out;
1884 	}
1885 
1886 	if (ndm->ndm_flags & NTF_PROXY) {
1887 		err = pneigh_delete(tbl, net, nla_data(dst_attr), dev);
1888 		goto out;
1889 	}
1890 
1891 	if (dev == NULL)
1892 		goto out;
1893 
1894 	neigh = neigh_lookup(tbl, nla_data(dst_attr), dev);
1895 	if (neigh == NULL) {
1896 		err = -ENOENT;
1897 		goto out;
1898 	}
1899 
1900 	err = __neigh_update(neigh, NULL, NUD_FAILED,
1901 			     NEIGH_UPDATE_F_OVERRIDE | NEIGH_UPDATE_F_ADMIN,
1902 			     NETLINK_CB(skb).portid, extack);
1903 	write_lock_bh(&tbl->lock);
1904 	neigh_release(neigh);
1905 	neigh_remove_one(neigh, tbl);
1906 	write_unlock_bh(&tbl->lock);
1907 
1908 out:
1909 	return err;
1910 }
1911 
1912 static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
1913 		     struct netlink_ext_ack *extack)
1914 {
1915 	int flags = NEIGH_UPDATE_F_ADMIN | NEIGH_UPDATE_F_OVERRIDE |
1916 		    NEIGH_UPDATE_F_OVERRIDE_ISROUTER;
1917 	struct net *net = sock_net(skb->sk);
1918 	struct ndmsg *ndm;
1919 	struct nlattr *tb[NDA_MAX+1];
1920 	struct neigh_table *tbl;
1921 	struct net_device *dev = NULL;
1922 	struct neighbour *neigh;
1923 	void *dst, *lladdr;
1924 	u8 protocol = 0;
1925 	u32 ndm_flags;
1926 	int err;
1927 
1928 	ASSERT_RTNL();
1929 	err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX,
1930 				     nda_policy, extack);
1931 	if (err < 0)
1932 		goto out;
1933 
1934 	err = -EINVAL;
1935 	if (!tb[NDA_DST]) {
1936 		NL_SET_ERR_MSG(extack, "Network address not specified");
1937 		goto out;
1938 	}
1939 
1940 	ndm = nlmsg_data(nlh);
1941 	ndm_flags = ndm->ndm_flags;
1942 	if (tb[NDA_FLAGS_EXT]) {
1943 		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
1944 
1945 		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
1946 			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
1947 			      hweight32(NTF_EXT_MASK)));
1948 		ndm_flags |= (ext << NTF_EXT_SHIFT);
1949 	}
1950 	if (ndm->ndm_ifindex) {
1951 		dev = __dev_get_by_index(net, ndm->ndm_ifindex);
1952 		if (dev == NULL) {
1953 			err = -ENODEV;
1954 			goto out;
1955 		}
1956 
1957 		if (tb[NDA_LLADDR] && nla_len(tb[NDA_LLADDR]) < dev->addr_len) {
1958 			NL_SET_ERR_MSG(extack, "Invalid link address");
1959 			goto out;
1960 		}
1961 	}
1962 
1963 	tbl = neigh_find_table(ndm->ndm_family);
1964 	if (tbl == NULL)
1965 		return -EAFNOSUPPORT;
1966 
1967 	if (nla_len(tb[NDA_DST]) < (int)tbl->key_len) {
1968 		NL_SET_ERR_MSG(extack, "Invalid network address");
1969 		goto out;
1970 	}
1971 
1972 	dst = nla_data(tb[NDA_DST]);
1973 	lladdr = tb[NDA_LLADDR] ? nla_data(tb[NDA_LLADDR]) : NULL;
1974 
1975 	if (tb[NDA_PROTOCOL])
1976 		protocol = nla_get_u8(tb[NDA_PROTOCOL]);
1977 	if (ndm_flags & NTF_PROXY) {
1978 		struct pneigh_entry *pn;
1979 
1980 		if (ndm_flags & NTF_MANAGED) {
1981 			NL_SET_ERR_MSG(extack, "Invalid NTF_* flag combination");
1982 			goto out;
1983 		}
1984 
1985 		err = -ENOBUFS;
1986 		pn = pneigh_lookup(tbl, net, dst, dev, 1);
1987 		if (pn) {
1988 			pn->flags = ndm_flags;
1989 			if (protocol)
1990 				pn->protocol = protocol;
1991 			err = 0;
1992 		}
1993 		goto out;
1994 	}
1995 
1996 	if (!dev) {
1997 		NL_SET_ERR_MSG(extack, "Device not specified");
1998 		goto out;
1999 	}
2000 
2001 	if (tbl->allow_add && !tbl->allow_add(dev, extack)) {
2002 		err = -EINVAL;
2003 		goto out;
2004 	}
2005 
2006 	neigh = neigh_lookup(tbl, dst, dev);
2007 	if (neigh == NULL) {
2008 		bool ndm_permanent  = ndm->ndm_state & NUD_PERMANENT;
2009 		bool exempt_from_gc = ndm_permanent ||
2010 				      ndm_flags & NTF_EXT_LEARNED;
2011 
2012 		if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
2013 			err = -ENOENT;
2014 			goto out;
2015 		}
2016 		if (ndm_permanent && (ndm_flags & NTF_MANAGED)) {
2017 			NL_SET_ERR_MSG(extack, "Invalid NTF_* flag for permanent entry");
2018 			err = -EINVAL;
2019 			goto out;
2020 		}
2021 
2022 		neigh = ___neigh_create(tbl, dst, dev,
2023 					ndm_flags &
2024 					(NTF_EXT_LEARNED | NTF_MANAGED),
2025 					exempt_from_gc, true);
2026 		if (IS_ERR(neigh)) {
2027 			err = PTR_ERR(neigh);
2028 			goto out;
2029 		}
2030 	} else {
2031 		if (nlh->nlmsg_flags & NLM_F_EXCL) {
2032 			err = -EEXIST;
2033 			neigh_release(neigh);
2034 			goto out;
2035 		}
2036 
2037 		if (!(nlh->nlmsg_flags & NLM_F_REPLACE))
2038 			flags &= ~(NEIGH_UPDATE_F_OVERRIDE |
2039 				   NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
2040 	}
2041 
2042 	if (protocol)
2043 		neigh->protocol = protocol;
2044 	if (ndm_flags & NTF_EXT_LEARNED)
2045 		flags |= NEIGH_UPDATE_F_EXT_LEARNED;
2046 	if (ndm_flags & NTF_ROUTER)
2047 		flags |= NEIGH_UPDATE_F_ISROUTER;
2048 	if (ndm_flags & NTF_MANAGED)
2049 		flags |= NEIGH_UPDATE_F_MANAGED;
2050 	if (ndm_flags & NTF_USE)
2051 		flags |= NEIGH_UPDATE_F_USE;
2052 
2053 	err = __neigh_update(neigh, lladdr, ndm->ndm_state, flags,
2054 			     NETLINK_CB(skb).portid, extack);
2055 	if (!err && ndm_flags & (NTF_USE | NTF_MANAGED)) {
2056 		neigh_event_send(neigh, NULL);
2057 		err = 0;
2058 	}
2059 	neigh_release(neigh);
2060 out:
2061 	return err;
2062 }
2063 
2064 static int neightbl_fill_parms(struct sk_buff *skb, struct neigh_parms *parms)
2065 {
2066 	struct nlattr *nest;
2067 
2068 	nest = nla_nest_start_noflag(skb, NDTA_PARMS);
2069 	if (nest == NULL)
2070 		return -ENOBUFS;
2071 
2072 	if ((parms->dev &&
2073 	     nla_put_u32(skb, NDTPA_IFINDEX, parms->dev->ifindex)) ||
2074 	    nla_put_u32(skb, NDTPA_REFCNT, refcount_read(&parms->refcnt)) ||
2075 	    nla_put_u32(skb, NDTPA_QUEUE_LENBYTES,
2076 			NEIGH_VAR(parms, QUEUE_LEN_BYTES)) ||
2077 	    /* approximative value for deprecated QUEUE_LEN (in packets) */
2078 	    nla_put_u32(skb, NDTPA_QUEUE_LEN,
2079 			NEIGH_VAR(parms, QUEUE_LEN_BYTES) / SKB_TRUESIZE(ETH_FRAME_LEN)) ||
2080 	    nla_put_u32(skb, NDTPA_PROXY_QLEN, NEIGH_VAR(parms, PROXY_QLEN)) ||
2081 	    nla_put_u32(skb, NDTPA_APP_PROBES, NEIGH_VAR(parms, APP_PROBES)) ||
2082 	    nla_put_u32(skb, NDTPA_UCAST_PROBES,
2083 			NEIGH_VAR(parms, UCAST_PROBES)) ||
2084 	    nla_put_u32(skb, NDTPA_MCAST_PROBES,
2085 			NEIGH_VAR(parms, MCAST_PROBES)) ||
2086 	    nla_put_u32(skb, NDTPA_MCAST_REPROBES,
2087 			NEIGH_VAR(parms, MCAST_REPROBES)) ||
2088 	    nla_put_msecs(skb, NDTPA_REACHABLE_TIME, parms->reachable_time,
2089 			  NDTPA_PAD) ||
2090 	    nla_put_msecs(skb, NDTPA_BASE_REACHABLE_TIME,
2091 			  NEIGH_VAR(parms, BASE_REACHABLE_TIME), NDTPA_PAD) ||
2092 	    nla_put_msecs(skb, NDTPA_GC_STALETIME,
2093 			  NEIGH_VAR(parms, GC_STALETIME), NDTPA_PAD) ||
2094 	    nla_put_msecs(skb, NDTPA_DELAY_PROBE_TIME,
2095 			  NEIGH_VAR(parms, DELAY_PROBE_TIME), NDTPA_PAD) ||
2096 	    nla_put_msecs(skb, NDTPA_RETRANS_TIME,
2097 			  NEIGH_VAR(parms, RETRANS_TIME), NDTPA_PAD) ||
2098 	    nla_put_msecs(skb, NDTPA_ANYCAST_DELAY,
2099 			  NEIGH_VAR(parms, ANYCAST_DELAY), NDTPA_PAD) ||
2100 	    nla_put_msecs(skb, NDTPA_PROXY_DELAY,
2101 			  NEIGH_VAR(parms, PROXY_DELAY), NDTPA_PAD) ||
2102 	    nla_put_msecs(skb, NDTPA_LOCKTIME,
2103 			  NEIGH_VAR(parms, LOCKTIME), NDTPA_PAD) ||
2104 	    nla_put_msecs(skb, NDTPA_INTERVAL_PROBE_TIME_MS,
2105 			  NEIGH_VAR(parms, INTERVAL_PROBE_TIME_MS), NDTPA_PAD))
2106 		goto nla_put_failure;
2107 	return nla_nest_end(skb, nest);
2108 
2109 nla_put_failure:
2110 	nla_nest_cancel(skb, nest);
2111 	return -EMSGSIZE;
2112 }
2113 
2114 static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
2115 			      u32 pid, u32 seq, int type, int flags)
2116 {
2117 	struct nlmsghdr *nlh;
2118 	struct ndtmsg *ndtmsg;
2119 
2120 	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndtmsg), flags);
2121 	if (nlh == NULL)
2122 		return -EMSGSIZE;
2123 
2124 	ndtmsg = nlmsg_data(nlh);
2125 
2126 	read_lock_bh(&tbl->lock);
2127 	ndtmsg->ndtm_family = tbl->family;
2128 	ndtmsg->ndtm_pad1   = 0;
2129 	ndtmsg->ndtm_pad2   = 0;
2130 
2131 	if (nla_put_string(skb, NDTA_NAME, tbl->id) ||
2132 	    nla_put_msecs(skb, NDTA_GC_INTERVAL, tbl->gc_interval, NDTA_PAD) ||
2133 	    nla_put_u32(skb, NDTA_THRESH1, tbl->gc_thresh1) ||
2134 	    nla_put_u32(skb, NDTA_THRESH2, tbl->gc_thresh2) ||
2135 	    nla_put_u32(skb, NDTA_THRESH3, tbl->gc_thresh3))
2136 		goto nla_put_failure;
2137 	{
2138 		unsigned long now = jiffies;
2139 		long flush_delta = now - tbl->last_flush;
2140 		long rand_delta = now - tbl->last_rand;
2141 		struct neigh_hash_table *nht;
2142 		struct ndt_config ndc = {
2143 			.ndtc_key_len		= tbl->key_len,
2144 			.ndtc_entry_size	= tbl->entry_size,
2145 			.ndtc_entries		= atomic_read(&tbl->entries),
2146 			.ndtc_last_flush	= jiffies_to_msecs(flush_delta),
2147 			.ndtc_last_rand		= jiffies_to_msecs(rand_delta),
2148 			.ndtc_proxy_qlen	= tbl->proxy_queue.qlen,
2149 		};
2150 
2151 		rcu_read_lock_bh();
2152 		nht = rcu_dereference_bh(tbl->nht);
2153 		ndc.ndtc_hash_rnd = nht->hash_rnd[0];
2154 		ndc.ndtc_hash_mask = ((1 << nht->hash_shift) - 1);
2155 		rcu_read_unlock_bh();
2156 
2157 		if (nla_put(skb, NDTA_CONFIG, sizeof(ndc), &ndc))
2158 			goto nla_put_failure;
2159 	}
2160 
2161 	{
2162 		int cpu;
2163 		struct ndt_stats ndst;
2164 
2165 		memset(&ndst, 0, sizeof(ndst));
2166 
2167 		for_each_possible_cpu(cpu) {
2168 			struct neigh_statistics	*st;
2169 
2170 			st = per_cpu_ptr(tbl->stats, cpu);
2171 			ndst.ndts_allocs		+= st->allocs;
2172 			ndst.ndts_destroys		+= st->destroys;
2173 			ndst.ndts_hash_grows		+= st->hash_grows;
2174 			ndst.ndts_res_failed		+= st->res_failed;
2175 			ndst.ndts_lookups		+= st->lookups;
2176 			ndst.ndts_hits			+= st->hits;
2177 			ndst.ndts_rcv_probes_mcast	+= st->rcv_probes_mcast;
2178 			ndst.ndts_rcv_probes_ucast	+= st->rcv_probes_ucast;
2179 			ndst.ndts_periodic_gc_runs	+= st->periodic_gc_runs;
2180 			ndst.ndts_forced_gc_runs	+= st->forced_gc_runs;
2181 			ndst.ndts_table_fulls		+= st->table_fulls;
2182 		}
2183 
2184 		if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst,
2185 				  NDTA_PAD))
2186 			goto nla_put_failure;
2187 	}
2188 
2189 	BUG_ON(tbl->parms.dev);
2190 	if (neightbl_fill_parms(skb, &tbl->parms) < 0)
2191 		goto nla_put_failure;
2192 
2193 	read_unlock_bh(&tbl->lock);
2194 	nlmsg_end(skb, nlh);
2195 	return 0;
2196 
2197 nla_put_failure:
2198 	read_unlock_bh(&tbl->lock);
2199 	nlmsg_cancel(skb, nlh);
2200 	return -EMSGSIZE;
2201 }
2202 
2203 static int neightbl_fill_param_info(struct sk_buff *skb,
2204 				    struct neigh_table *tbl,
2205 				    struct neigh_parms *parms,
2206 				    u32 pid, u32 seq, int type,
2207 				    unsigned int flags)
2208 {
2209 	struct ndtmsg *ndtmsg;
2210 	struct nlmsghdr *nlh;
2211 
2212 	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndtmsg), flags);
2213 	if (nlh == NULL)
2214 		return -EMSGSIZE;
2215 
2216 	ndtmsg = nlmsg_data(nlh);
2217 
2218 	read_lock_bh(&tbl->lock);
2219 	ndtmsg->ndtm_family = tbl->family;
2220 	ndtmsg->ndtm_pad1   = 0;
2221 	ndtmsg->ndtm_pad2   = 0;
2222 
2223 	if (nla_put_string(skb, NDTA_NAME, tbl->id) < 0 ||
2224 	    neightbl_fill_parms(skb, parms) < 0)
2225 		goto errout;
2226 
2227 	read_unlock_bh(&tbl->lock);
2228 	nlmsg_end(skb, nlh);
2229 	return 0;
2230 errout:
2231 	read_unlock_bh(&tbl->lock);
2232 	nlmsg_cancel(skb, nlh);
2233 	return -EMSGSIZE;
2234 }
2235 
2236 static const struct nla_policy nl_neightbl_policy[NDTA_MAX+1] = {
2237 	[NDTA_NAME]		= { .type = NLA_STRING },
2238 	[NDTA_THRESH1]		= { .type = NLA_U32 },
2239 	[NDTA_THRESH2]		= { .type = NLA_U32 },
2240 	[NDTA_THRESH3]		= { .type = NLA_U32 },
2241 	[NDTA_GC_INTERVAL]	= { .type = NLA_U64 },
2242 	[NDTA_PARMS]		= { .type = NLA_NESTED },
2243 };
2244 
2245 static const struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] = {
2246 	[NDTPA_IFINDEX]			= { .type = NLA_U32 },
2247 	[NDTPA_QUEUE_LEN]		= { .type = NLA_U32 },
2248 	[NDTPA_PROXY_QLEN]		= { .type = NLA_U32 },
2249 	[NDTPA_APP_PROBES]		= { .type = NLA_U32 },
2250 	[NDTPA_UCAST_PROBES]		= { .type = NLA_U32 },
2251 	[NDTPA_MCAST_PROBES]		= { .type = NLA_U32 },
2252 	[NDTPA_MCAST_REPROBES]		= { .type = NLA_U32 },
2253 	[NDTPA_BASE_REACHABLE_TIME]	= { .type = NLA_U64 },
2254 	[NDTPA_GC_STALETIME]		= { .type = NLA_U64 },
2255 	[NDTPA_DELAY_PROBE_TIME]	= { .type = NLA_U64 },
2256 	[NDTPA_RETRANS_TIME]		= { .type = NLA_U64 },
2257 	[NDTPA_ANYCAST_DELAY]		= { .type = NLA_U64 },
2258 	[NDTPA_PROXY_DELAY]		= { .type = NLA_U64 },
2259 	[NDTPA_LOCKTIME]		= { .type = NLA_U64 },
2260 	[NDTPA_INTERVAL_PROBE_TIME_MS]	= { .type = NLA_U64, .min = 1 },
2261 };
2262 
2263 static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
2264 			struct netlink_ext_ack *extack)
2265 {
2266 	struct net *net = sock_net(skb->sk);
2267 	struct neigh_table *tbl;
2268 	struct ndtmsg *ndtmsg;
2269 	struct nlattr *tb[NDTA_MAX+1];
2270 	bool found = false;
2271 	int err, tidx;
2272 
2273 	err = nlmsg_parse_deprecated(nlh, sizeof(*ndtmsg), tb, NDTA_MAX,
2274 				     nl_neightbl_policy, extack);
2275 	if (err < 0)
2276 		goto errout;
2277 
2278 	if (tb[NDTA_NAME] == NULL) {
2279 		err = -EINVAL;
2280 		goto errout;
2281 	}
2282 
2283 	ndtmsg = nlmsg_data(nlh);
2284 
2285 	for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
2286 		tbl = neigh_tables[tidx];
2287 		if (!tbl)
2288 			continue;
2289 		if (ndtmsg->ndtm_family && tbl->family != ndtmsg->ndtm_family)
2290 			continue;
2291 		if (nla_strcmp(tb[NDTA_NAME], tbl->id) == 0) {
2292 			found = true;
2293 			break;
2294 		}
2295 	}
2296 
2297 	if (!found)
2298 		return -ENOENT;
2299 
2300 	/*
2301 	 * We acquire tbl->lock to be nice to the periodic timers and
2302 	 * make sure they always see a consistent set of values.
2303 	 */
2304 	write_lock_bh(&tbl->lock);
2305 
2306 	if (tb[NDTA_PARMS]) {
2307 		struct nlattr *tbp[NDTPA_MAX+1];
2308 		struct neigh_parms *p;
2309 		int i, ifindex = 0;
2310 
2311 		err = nla_parse_nested_deprecated(tbp, NDTPA_MAX,
2312 						  tb[NDTA_PARMS],
2313 						  nl_ntbl_parm_policy, extack);
2314 		if (err < 0)
2315 			goto errout_tbl_lock;
2316 
2317 		if (tbp[NDTPA_IFINDEX])
2318 			ifindex = nla_get_u32(tbp[NDTPA_IFINDEX]);
2319 
2320 		p = lookup_neigh_parms(tbl, net, ifindex);
2321 		if (p == NULL) {
2322 			err = -ENOENT;
2323 			goto errout_tbl_lock;
2324 		}
2325 
2326 		for (i = 1; i <= NDTPA_MAX; i++) {
2327 			if (tbp[i] == NULL)
2328 				continue;
2329 
2330 			switch (i) {
2331 			case NDTPA_QUEUE_LEN:
2332 				NEIGH_VAR_SET(p, QUEUE_LEN_BYTES,
2333 					      nla_get_u32(tbp[i]) *
2334 					      SKB_TRUESIZE(ETH_FRAME_LEN));
2335 				break;
2336 			case NDTPA_QUEUE_LENBYTES:
2337 				NEIGH_VAR_SET(p, QUEUE_LEN_BYTES,
2338 					      nla_get_u32(tbp[i]));
2339 				break;
2340 			case NDTPA_PROXY_QLEN:
2341 				NEIGH_VAR_SET(p, PROXY_QLEN,
2342 					      nla_get_u32(tbp[i]));
2343 				break;
2344 			case NDTPA_APP_PROBES:
2345 				NEIGH_VAR_SET(p, APP_PROBES,
2346 					      nla_get_u32(tbp[i]));
2347 				break;
2348 			case NDTPA_UCAST_PROBES:
2349 				NEIGH_VAR_SET(p, UCAST_PROBES,
2350 					      nla_get_u32(tbp[i]));
2351 				break;
2352 			case NDTPA_MCAST_PROBES:
2353 				NEIGH_VAR_SET(p, MCAST_PROBES,
2354 					      nla_get_u32(tbp[i]));
2355 				break;
2356 			case NDTPA_MCAST_REPROBES:
2357 				NEIGH_VAR_SET(p, MCAST_REPROBES,
2358 					      nla_get_u32(tbp[i]));
2359 				break;
2360 			case NDTPA_BASE_REACHABLE_TIME:
2361 				NEIGH_VAR_SET(p, BASE_REACHABLE_TIME,
2362 					      nla_get_msecs(tbp[i]));
2363 				/* update reachable_time as well, otherwise, the change will
2364 				 * only be effective after the next time neigh_periodic_work
2365 				 * decides to recompute it (can be multiple minutes)
2366 				 */
2367 				p->reachable_time =
2368 					neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
2369 				break;
2370 			case NDTPA_GC_STALETIME:
2371 				NEIGH_VAR_SET(p, GC_STALETIME,
2372 					      nla_get_msecs(tbp[i]));
2373 				break;
2374 			case NDTPA_DELAY_PROBE_TIME:
2375 				NEIGH_VAR_SET(p, DELAY_PROBE_TIME,
2376 					      nla_get_msecs(tbp[i]));
2377 				call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
2378 				break;
2379 			case NDTPA_INTERVAL_PROBE_TIME_MS:
2380 				NEIGH_VAR_SET(p, INTERVAL_PROBE_TIME_MS,
2381 					      nla_get_msecs(tbp[i]));
2382 				break;
2383 			case NDTPA_RETRANS_TIME:
2384 				NEIGH_VAR_SET(p, RETRANS_TIME,
2385 					      nla_get_msecs(tbp[i]));
2386 				break;
2387 			case NDTPA_ANYCAST_DELAY:
2388 				NEIGH_VAR_SET(p, ANYCAST_DELAY,
2389 					      nla_get_msecs(tbp[i]));
2390 				break;
2391 			case NDTPA_PROXY_DELAY:
2392 				NEIGH_VAR_SET(p, PROXY_DELAY,
2393 					      nla_get_msecs(tbp[i]));
2394 				break;
2395 			case NDTPA_LOCKTIME:
2396 				NEIGH_VAR_SET(p, LOCKTIME,
2397 					      nla_get_msecs(tbp[i]));
2398 				break;
2399 			}
2400 		}
2401 	}
2402 
2403 	err = -ENOENT;
2404 	if ((tb[NDTA_THRESH1] || tb[NDTA_THRESH2] ||
2405 	     tb[NDTA_THRESH3] || tb[NDTA_GC_INTERVAL]) &&
2406 	    !net_eq(net, &init_net))
2407 		goto errout_tbl_lock;
2408 
2409 	if (tb[NDTA_THRESH1])
2410 		tbl->gc_thresh1 = nla_get_u32(tb[NDTA_THRESH1]);
2411 
2412 	if (tb[NDTA_THRESH2])
2413 		tbl->gc_thresh2 = nla_get_u32(tb[NDTA_THRESH2]);
2414 
2415 	if (tb[NDTA_THRESH3])
2416 		tbl->gc_thresh3 = nla_get_u32(tb[NDTA_THRESH3]);
2417 
2418 	if (tb[NDTA_GC_INTERVAL])
2419 		tbl->gc_interval = nla_get_msecs(tb[NDTA_GC_INTERVAL]);
2420 
2421 	err = 0;
2422 
2423 errout_tbl_lock:
2424 	write_unlock_bh(&tbl->lock);
2425 errout:
2426 	return err;
2427 }
2428 
2429 static int neightbl_valid_dump_info(const struct nlmsghdr *nlh,
2430 				    struct netlink_ext_ack *extack)
2431 {
2432 	struct ndtmsg *ndtm;
2433 
2434 	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndtm))) {
2435 		NL_SET_ERR_MSG(extack, "Invalid header for neighbor table dump request");
2436 		return -EINVAL;
2437 	}
2438 
2439 	ndtm = nlmsg_data(nlh);
2440 	if (ndtm->ndtm_pad1  || ndtm->ndtm_pad2) {
2441 		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor table dump request");
2442 		return -EINVAL;
2443 	}
2444 
2445 	if (nlmsg_attrlen(nlh, sizeof(*ndtm))) {
2446 		NL_SET_ERR_MSG(extack, "Invalid data after header in neighbor table dump request");
2447 		return -EINVAL;
2448 	}
2449 
2450 	return 0;
2451 }
2452 
2453 static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
2454 {
2455 	const struct nlmsghdr *nlh = cb->nlh;
2456 	struct net *net = sock_net(skb->sk);
2457 	int family, tidx, nidx = 0;
2458 	int tbl_skip = cb->args[0];
2459 	int neigh_skip = cb->args[1];
2460 	struct neigh_table *tbl;
2461 
2462 	if (cb->strict_check) {
2463 		int err = neightbl_valid_dump_info(nlh, cb->extack);
2464 
2465 		if (err < 0)
2466 			return err;
2467 	}
2468 
2469 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
2470 
2471 	for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
2472 		struct neigh_parms *p;
2473 
2474 		tbl = neigh_tables[tidx];
2475 		if (!tbl)
2476 			continue;
2477 
2478 		if (tidx < tbl_skip || (family && tbl->family != family))
2479 			continue;
2480 
2481 		if (neightbl_fill_info(skb, tbl, NETLINK_CB(cb->skb).portid,
2482 				       nlh->nlmsg_seq, RTM_NEWNEIGHTBL,
2483 				       NLM_F_MULTI) < 0)
2484 			break;
2485 
2486 		nidx = 0;
2487 		p = list_next_entry(&tbl->parms, list);
2488 		list_for_each_entry_from(p, &tbl->parms_list, list) {
2489 			if (!net_eq(neigh_parms_net(p), net))
2490 				continue;
2491 
2492 			if (nidx < neigh_skip)
2493 				goto next;
2494 
2495 			if (neightbl_fill_param_info(skb, tbl, p,
2496 						     NETLINK_CB(cb->skb).portid,
2497 						     nlh->nlmsg_seq,
2498 						     RTM_NEWNEIGHTBL,
2499 						     NLM_F_MULTI) < 0)
2500 				goto out;
2501 		next:
2502 			nidx++;
2503 		}
2504 
2505 		neigh_skip = 0;
2506 	}
2507 out:
2508 	cb->args[0] = tidx;
2509 	cb->args[1] = nidx;
2510 
2511 	return skb->len;
2512 }
2513 
2514 static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
2515 			   u32 pid, u32 seq, int type, unsigned int flags)
2516 {
2517 	u32 neigh_flags, neigh_flags_ext;
2518 	unsigned long now = jiffies;
2519 	struct nda_cacheinfo ci;
2520 	struct nlmsghdr *nlh;
2521 	struct ndmsg *ndm;
2522 
2523 	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
2524 	if (nlh == NULL)
2525 		return -EMSGSIZE;
2526 
2527 	neigh_flags_ext = neigh->flags >> NTF_EXT_SHIFT;
2528 	neigh_flags     = neigh->flags & NTF_OLD_MASK;
2529 
2530 	ndm = nlmsg_data(nlh);
2531 	ndm->ndm_family	 = neigh->ops->family;
2532 	ndm->ndm_pad1    = 0;
2533 	ndm->ndm_pad2    = 0;
2534 	ndm->ndm_flags	 = neigh_flags;
2535 	ndm->ndm_type	 = neigh->type;
2536 	ndm->ndm_ifindex = neigh->dev->ifindex;
2537 
2538 	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
2539 		goto nla_put_failure;
2540 
2541 	read_lock_bh(&neigh->lock);
2542 	ndm->ndm_state	 = neigh->nud_state;
2543 	if (neigh->nud_state & NUD_VALID) {
2544 		char haddr[MAX_ADDR_LEN];
2545 
2546 		neigh_ha_snapshot(haddr, neigh, neigh->dev);
2547 		if (nla_put(skb, NDA_LLADDR, neigh->dev->addr_len, haddr) < 0) {
2548 			read_unlock_bh(&neigh->lock);
2549 			goto nla_put_failure;
2550 		}
2551 	}
2552 
2553 	ci.ndm_used	 = jiffies_to_clock_t(now - neigh->used);
2554 	ci.ndm_confirmed = jiffies_to_clock_t(now - neigh->confirmed);
2555 	ci.ndm_updated	 = jiffies_to_clock_t(now - neigh->updated);
2556 	ci.ndm_refcnt	 = refcount_read(&neigh->refcnt) - 1;
2557 	read_unlock_bh(&neigh->lock);
2558 
2559 	if (nla_put_u32(skb, NDA_PROBES, atomic_read(&neigh->probes)) ||
2560 	    nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
2561 		goto nla_put_failure;
2562 
2563 	if (neigh->protocol && nla_put_u8(skb, NDA_PROTOCOL, neigh->protocol))
2564 		goto nla_put_failure;
2565 	if (neigh_flags_ext && nla_put_u32(skb, NDA_FLAGS_EXT, neigh_flags_ext))
2566 		goto nla_put_failure;
2567 
2568 	nlmsg_end(skb, nlh);
2569 	return 0;
2570 
2571 nla_put_failure:
2572 	nlmsg_cancel(skb, nlh);
2573 	return -EMSGSIZE;
2574 }
2575 
2576 static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
2577 			    u32 pid, u32 seq, int type, unsigned int flags,
2578 			    struct neigh_table *tbl)
2579 {
2580 	u32 neigh_flags, neigh_flags_ext;
2581 	struct nlmsghdr *nlh;
2582 	struct ndmsg *ndm;
2583 
2584 	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
2585 	if (nlh == NULL)
2586 		return -EMSGSIZE;
2587 
2588 	neigh_flags_ext = pn->flags >> NTF_EXT_SHIFT;
2589 	neigh_flags     = pn->flags & NTF_OLD_MASK;
2590 
2591 	ndm = nlmsg_data(nlh);
2592 	ndm->ndm_family	 = tbl->family;
2593 	ndm->ndm_pad1    = 0;
2594 	ndm->ndm_pad2    = 0;
2595 	ndm->ndm_flags	 = neigh_flags | NTF_PROXY;
2596 	ndm->ndm_type	 = RTN_UNICAST;
2597 	ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
2598 	ndm->ndm_state	 = NUD_NONE;
2599 
2600 	if (nla_put(skb, NDA_DST, tbl->key_len, pn->key))
2601 		goto nla_put_failure;
2602 
2603 	if (pn->protocol && nla_put_u8(skb, NDA_PROTOCOL, pn->protocol))
2604 		goto nla_put_failure;
2605 	if (neigh_flags_ext && nla_put_u32(skb, NDA_FLAGS_EXT, neigh_flags_ext))
2606 		goto nla_put_failure;
2607 
2608 	nlmsg_end(skb, nlh);
2609 	return 0;
2610 
2611 nla_put_failure:
2612 	nlmsg_cancel(skb, nlh);
2613 	return -EMSGSIZE;
2614 }
2615 
2616 static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid)
2617 {
2618 	call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
2619 	__neigh_notify(neigh, RTM_NEWNEIGH, 0, nlmsg_pid);
2620 }
2621 
2622 static bool neigh_master_filtered(struct net_device *dev, int master_idx)
2623 {
2624 	struct net_device *master;
2625 
2626 	if (!master_idx)
2627 		return false;
2628 
2629 	master = dev ? netdev_master_upper_dev_get(dev) : NULL;
2630 
2631 	/* 0 is already used to denote NDA_MASTER wasn't passed, therefore need another
2632 	 * invalid value for ifindex to denote "no master".
2633 	 */
2634 	if (master_idx == -1)
2635 		return !!master;
2636 
2637 	if (!master || master->ifindex != master_idx)
2638 		return true;
2639 
2640 	return false;
2641 }
2642 
2643 static bool neigh_ifindex_filtered(struct net_device *dev, int filter_idx)
2644 {
2645 	if (filter_idx && (!dev || dev->ifindex != filter_idx))
2646 		return true;
2647 
2648 	return false;
2649 }
2650 
2651 struct neigh_dump_filter {
2652 	int master_idx;
2653 	int dev_idx;
2654 };
2655 
2656 static int neigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2657 			    struct netlink_callback *cb,
2658 			    struct neigh_dump_filter *filter)
2659 {
2660 	struct net *net = sock_net(skb->sk);
2661 	struct neighbour *n;
2662 	int rc, h, s_h = cb->args[1];
2663 	int idx, s_idx = idx = cb->args[2];
2664 	struct neigh_hash_table *nht;
2665 	unsigned int flags = NLM_F_MULTI;
2666 
2667 	if (filter->dev_idx || filter->master_idx)
2668 		flags |= NLM_F_DUMP_FILTERED;
2669 
2670 	rcu_read_lock_bh();
2671 	nht = rcu_dereference_bh(tbl->nht);
2672 
2673 	for (h = s_h; h < (1 << nht->hash_shift); h++) {
2674 		if (h > s_h)
2675 			s_idx = 0;
2676 		for (n = rcu_dereference_bh(nht->hash_buckets[h]), idx = 0;
2677 		     n != NULL;
2678 		     n = rcu_dereference_bh(n->next)) {
2679 			if (idx < s_idx || !net_eq(dev_net(n->dev), net))
2680 				goto next;
2681 			if (neigh_ifindex_filtered(n->dev, filter->dev_idx) ||
2682 			    neigh_master_filtered(n->dev, filter->master_idx))
2683 				goto next;
2684 			if (neigh_fill_info(skb, n, NETLINK_CB(cb->skb).portid,
2685 					    cb->nlh->nlmsg_seq,
2686 					    RTM_NEWNEIGH,
2687 					    flags) < 0) {
2688 				rc = -1;
2689 				goto out;
2690 			}
2691 next:
2692 			idx++;
2693 		}
2694 	}
2695 	rc = skb->len;
2696 out:
2697 	rcu_read_unlock_bh();
2698 	cb->args[1] = h;
2699 	cb->args[2] = idx;
2700 	return rc;
2701 }
2702 
2703 static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2704 			     struct netlink_callback *cb,
2705 			     struct neigh_dump_filter *filter)
2706 {
2707 	struct pneigh_entry *n;
2708 	struct net *net = sock_net(skb->sk);
2709 	int rc, h, s_h = cb->args[3];
2710 	int idx, s_idx = idx = cb->args[4];
2711 	unsigned int flags = NLM_F_MULTI;
2712 
2713 	if (filter->dev_idx || filter->master_idx)
2714 		flags |= NLM_F_DUMP_FILTERED;
2715 
2716 	read_lock_bh(&tbl->lock);
2717 
2718 	for (h = s_h; h <= PNEIGH_HASHMASK; h++) {
2719 		if (h > s_h)
2720 			s_idx = 0;
2721 		for (n = tbl->phash_buckets[h], idx = 0; n; n = n->next) {
2722 			if (idx < s_idx || pneigh_net(n) != net)
2723 				goto next;
2724 			if (neigh_ifindex_filtered(n->dev, filter->dev_idx) ||
2725 			    neigh_master_filtered(n->dev, filter->master_idx))
2726 				goto next;
2727 			if (pneigh_fill_info(skb, n, NETLINK_CB(cb->skb).portid,
2728 					    cb->nlh->nlmsg_seq,
2729 					    RTM_NEWNEIGH, flags, tbl) < 0) {
2730 				read_unlock_bh(&tbl->lock);
2731 				rc = -1;
2732 				goto out;
2733 			}
2734 		next:
2735 			idx++;
2736 		}
2737 	}
2738 
2739 	read_unlock_bh(&tbl->lock);
2740 	rc = skb->len;
2741 out:
2742 	cb->args[3] = h;
2743 	cb->args[4] = idx;
2744 	return rc;
2745 
2746 }
2747 
2748 static int neigh_valid_dump_req(const struct nlmsghdr *nlh,
2749 				bool strict_check,
2750 				struct neigh_dump_filter *filter,
2751 				struct netlink_ext_ack *extack)
2752 {
2753 	struct nlattr *tb[NDA_MAX + 1];
2754 	int err, i;
2755 
2756 	if (strict_check) {
2757 		struct ndmsg *ndm;
2758 
2759 		if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndm))) {
2760 			NL_SET_ERR_MSG(extack, "Invalid header for neighbor dump request");
2761 			return -EINVAL;
2762 		}
2763 
2764 		ndm = nlmsg_data(nlh);
2765 		if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_ifindex ||
2766 		    ndm->ndm_state || ndm->ndm_type) {
2767 			NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor dump request");
2768 			return -EINVAL;
2769 		}
2770 
2771 		if (ndm->ndm_flags & ~NTF_PROXY) {
2772 			NL_SET_ERR_MSG(extack, "Invalid flags in header for neighbor dump request");
2773 			return -EINVAL;
2774 		}
2775 
2776 		err = nlmsg_parse_deprecated_strict(nlh, sizeof(struct ndmsg),
2777 						    tb, NDA_MAX, nda_policy,
2778 						    extack);
2779 	} else {
2780 		err = nlmsg_parse_deprecated(nlh, sizeof(struct ndmsg), tb,
2781 					     NDA_MAX, nda_policy, extack);
2782 	}
2783 	if (err < 0)
2784 		return err;
2785 
2786 	for (i = 0; i <= NDA_MAX; ++i) {
2787 		if (!tb[i])
2788 			continue;
2789 
2790 		/* all new attributes should require strict_check */
2791 		switch (i) {
2792 		case NDA_IFINDEX:
2793 			filter->dev_idx = nla_get_u32(tb[i]);
2794 			break;
2795 		case NDA_MASTER:
2796 			filter->master_idx = nla_get_u32(tb[i]);
2797 			break;
2798 		default:
2799 			if (strict_check) {
2800 				NL_SET_ERR_MSG(extack, "Unsupported attribute in neighbor dump request");
2801 				return -EINVAL;
2802 			}
2803 		}
2804 	}
2805 
2806 	return 0;
2807 }
2808 
2809 static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
2810 {
2811 	const struct nlmsghdr *nlh = cb->nlh;
2812 	struct neigh_dump_filter filter = {};
2813 	struct neigh_table *tbl;
2814 	int t, family, s_t;
2815 	int proxy = 0;
2816 	int err;
2817 
2818 	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
2819 
2820 	/* check for full ndmsg structure presence, family member is
2821 	 * the same for both structures
2822 	 */
2823 	if (nlmsg_len(nlh) >= sizeof(struct ndmsg) &&
2824 	    ((struct ndmsg *)nlmsg_data(nlh))->ndm_flags == NTF_PROXY)
2825 		proxy = 1;
2826 
2827 	err = neigh_valid_dump_req(nlh, cb->strict_check, &filter, cb->extack);
2828 	if (err < 0 && cb->strict_check)
2829 		return err;
2830 
2831 	s_t = cb->args[0];
2832 
2833 	for (t = 0; t < NEIGH_NR_TABLES; t++) {
2834 		tbl = neigh_tables[t];
2835 
2836 		if (!tbl)
2837 			continue;
2838 		if (t < s_t || (family && tbl->family != family))
2839 			continue;
2840 		if (t > s_t)
2841 			memset(&cb->args[1], 0, sizeof(cb->args) -
2842 						sizeof(cb->args[0]));
2843 		if (proxy)
2844 			err = pneigh_dump_table(tbl, skb, cb, &filter);
2845 		else
2846 			err = neigh_dump_table(tbl, skb, cb, &filter);
2847 		if (err < 0)
2848 			break;
2849 	}
2850 
2851 	cb->args[0] = t;
2852 	return skb->len;
2853 }
2854 
2855 static int neigh_valid_get_req(const struct nlmsghdr *nlh,
2856 			       struct neigh_table **tbl,
2857 			       void **dst, int *dev_idx, u8 *ndm_flags,
2858 			       struct netlink_ext_ack *extack)
2859 {
2860 	struct nlattr *tb[NDA_MAX + 1];
2861 	struct ndmsg *ndm;
2862 	int err, i;
2863 
2864 	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*ndm))) {
2865 		NL_SET_ERR_MSG(extack, "Invalid header for neighbor get request");
2866 		return -EINVAL;
2867 	}
2868 
2869 	ndm = nlmsg_data(nlh);
2870 	if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_state ||
2871 	    ndm->ndm_type) {
2872 		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor get request");
2873 		return -EINVAL;
2874 	}
2875 
2876 	if (ndm->ndm_flags & ~NTF_PROXY) {
2877 		NL_SET_ERR_MSG(extack, "Invalid flags in header for neighbor get request");
2878 		return -EINVAL;
2879 	}
2880 
2881 	err = nlmsg_parse_deprecated_strict(nlh, sizeof(struct ndmsg), tb,
2882 					    NDA_MAX, nda_policy, extack);
2883 	if (err < 0)
2884 		return err;
2885 
2886 	*ndm_flags = ndm->ndm_flags;
2887 	*dev_idx = ndm->ndm_ifindex;
2888 	*tbl = neigh_find_table(ndm->ndm_family);
2889 	if (*tbl == NULL) {
2890 		NL_SET_ERR_MSG(extack, "Unsupported family in header for neighbor get request");
2891 		return -EAFNOSUPPORT;
2892 	}
2893 
2894 	for (i = 0; i <= NDA_MAX; ++i) {
2895 		if (!tb[i])
2896 			continue;
2897 
2898 		switch (i) {
2899 		case NDA_DST:
2900 			if (nla_len(tb[i]) != (int)(*tbl)->key_len) {
2901 				NL_SET_ERR_MSG(extack, "Invalid network address in neighbor get request");
2902 				return -EINVAL;
2903 			}
2904 			*dst = nla_data(tb[i]);
2905 			break;
2906 		default:
2907 			NL_SET_ERR_MSG(extack, "Unsupported attribute in neighbor get request");
2908 			return -EINVAL;
2909 		}
2910 	}
2911 
2912 	return 0;
2913 }
2914 
2915 static inline size_t neigh_nlmsg_size(void)
2916 {
2917 	return NLMSG_ALIGN(sizeof(struct ndmsg))
2918 	       + nla_total_size(MAX_ADDR_LEN) /* NDA_DST */
2919 	       + nla_total_size(MAX_ADDR_LEN) /* NDA_LLADDR */
2920 	       + nla_total_size(sizeof(struct nda_cacheinfo))
2921 	       + nla_total_size(4)  /* NDA_PROBES */
2922 	       + nla_total_size(4)  /* NDA_FLAGS_EXT */
2923 	       + nla_total_size(1); /* NDA_PROTOCOL */
2924 }
2925 
2926 static int neigh_get_reply(struct net *net, struct neighbour *neigh,
2927 			   u32 pid, u32 seq)
2928 {
2929 	struct sk_buff *skb;
2930 	int err = 0;
2931 
2932 	skb = nlmsg_new(neigh_nlmsg_size(), GFP_KERNEL);
2933 	if (!skb)
2934 		return -ENOBUFS;
2935 
2936 	err = neigh_fill_info(skb, neigh, pid, seq, RTM_NEWNEIGH, 0);
2937 	if (err) {
2938 		kfree_skb(skb);
2939 		goto errout;
2940 	}
2941 
2942 	err = rtnl_unicast(skb, net, pid);
2943 errout:
2944 	return err;
2945 }
2946 
2947 static inline size_t pneigh_nlmsg_size(void)
2948 {
2949 	return NLMSG_ALIGN(sizeof(struct ndmsg))
2950 	       + nla_total_size(MAX_ADDR_LEN) /* NDA_DST */
2951 	       + nla_total_size(4)  /* NDA_FLAGS_EXT */
2952 	       + nla_total_size(1); /* NDA_PROTOCOL */
2953 }
2954 
2955 static int pneigh_get_reply(struct net *net, struct pneigh_entry *neigh,
2956 			    u32 pid, u32 seq, struct neigh_table *tbl)
2957 {
2958 	struct sk_buff *skb;
2959 	int err = 0;
2960 
2961 	skb = nlmsg_new(pneigh_nlmsg_size(), GFP_KERNEL);
2962 	if (!skb)
2963 		return -ENOBUFS;
2964 
2965 	err = pneigh_fill_info(skb, neigh, pid, seq, RTM_NEWNEIGH, 0, tbl);
2966 	if (err) {
2967 		kfree_skb(skb);
2968 		goto errout;
2969 	}
2970 
2971 	err = rtnl_unicast(skb, net, pid);
2972 errout:
2973 	return err;
2974 }
2975 
2976 static int neigh_get(struct sk_buff *in_skb, struct nlmsghdr *nlh,
2977 		     struct netlink_ext_ack *extack)
2978 {
2979 	struct net *net = sock_net(in_skb->sk);
2980 	struct net_device *dev = NULL;
2981 	struct neigh_table *tbl = NULL;
2982 	struct neighbour *neigh;
2983 	void *dst = NULL;
2984 	u8 ndm_flags = 0;
2985 	int dev_idx = 0;
2986 	int err;
2987 
2988 	err = neigh_valid_get_req(nlh, &tbl, &dst, &dev_idx, &ndm_flags,
2989 				  extack);
2990 	if (err < 0)
2991 		return err;
2992 
2993 	if (dev_idx) {
2994 		dev = __dev_get_by_index(net, dev_idx);
2995 		if (!dev) {
2996 			NL_SET_ERR_MSG(extack, "Unknown device ifindex");
2997 			return -ENODEV;
2998 		}
2999 	}
3000 
3001 	if (!dst) {
3002 		NL_SET_ERR_MSG(extack, "Network address not specified");
3003 		return -EINVAL;
3004 	}
3005 
3006 	if (ndm_flags & NTF_PROXY) {
3007 		struct pneigh_entry *pn;
3008 
3009 		pn = pneigh_lookup(tbl, net, dst, dev, 0);
3010 		if (!pn) {
3011 			NL_SET_ERR_MSG(extack, "Proxy neighbour entry not found");
3012 			return -ENOENT;
3013 		}
3014 		return pneigh_get_reply(net, pn, NETLINK_CB(in_skb).portid,
3015 					nlh->nlmsg_seq, tbl);
3016 	}
3017 
3018 	if (!dev) {
3019 		NL_SET_ERR_MSG(extack, "No device specified");
3020 		return -EINVAL;
3021 	}
3022 
3023 	neigh = neigh_lookup(tbl, dst, dev);
3024 	if (!neigh) {
3025 		NL_SET_ERR_MSG(extack, "Neighbour entry not found");
3026 		return -ENOENT;
3027 	}
3028 
3029 	err = neigh_get_reply(net, neigh, NETLINK_CB(in_skb).portid,
3030 			      nlh->nlmsg_seq);
3031 
3032 	neigh_release(neigh);
3033 
3034 	return err;
3035 }
3036 
3037 void neigh_for_each(struct neigh_table *tbl, void (*cb)(struct neighbour *, void *), void *cookie)
3038 {
3039 	int chain;
3040 	struct neigh_hash_table *nht;
3041 
3042 	rcu_read_lock_bh();
3043 	nht = rcu_dereference_bh(tbl->nht);
3044 
3045 	read_lock(&tbl->lock); /* avoid resizes */
3046 	for (chain = 0; chain < (1 << nht->hash_shift); chain++) {
3047 		struct neighbour *n;
3048 
3049 		for (n = rcu_dereference_bh(nht->hash_buckets[chain]);
3050 		     n != NULL;
3051 		     n = rcu_dereference_bh(n->next))
3052 			cb(n, cookie);
3053 	}
3054 	read_unlock(&tbl->lock);
3055 	rcu_read_unlock_bh();
3056 }
3057 EXPORT_SYMBOL(neigh_for_each);
3058 
3059 /* The tbl->lock must be held as a writer and BH disabled. */
3060 void __neigh_for_each_release(struct neigh_table *tbl,
3061 			      int (*cb)(struct neighbour *))
3062 {
3063 	int chain;
3064 	struct neigh_hash_table *nht;
3065 
3066 	nht = rcu_dereference_protected(tbl->nht,
3067 					lockdep_is_held(&tbl->lock));
3068 	for (chain = 0; chain < (1 << nht->hash_shift); chain++) {
3069 		struct neighbour *n;
3070 		struct neighbour __rcu **np;
3071 
3072 		np = &nht->hash_buckets[chain];
3073 		while ((n = rcu_dereference_protected(*np,
3074 					lockdep_is_held(&tbl->lock))) != NULL) {
3075 			int release;
3076 
3077 			write_lock(&n->lock);
3078 			release = cb(n);
3079 			if (release) {
3080 				rcu_assign_pointer(*np,
3081 					rcu_dereference_protected(n->next,
3082 						lockdep_is_held(&tbl->lock)));
3083 				neigh_mark_dead(n);
3084 			} else
3085 				np = &n->next;
3086 			write_unlock(&n->lock);
3087 			if (release)
3088 				neigh_cleanup_and_release(n);
3089 		}
3090 	}
3091 }
3092 EXPORT_SYMBOL(__neigh_for_each_release);
3093 
3094 int neigh_xmit(int index, struct net_device *dev,
3095 	       const void *addr, struct sk_buff *skb)
3096 {
3097 	int err = -EAFNOSUPPORT;
3098 	if (likely(index < NEIGH_NR_TABLES)) {
3099 		struct neigh_table *tbl;
3100 		struct neighbour *neigh;
3101 
3102 		tbl = neigh_tables[index];
3103 		if (!tbl)
3104 			goto out;
3105 		rcu_read_lock_bh();
3106 		if (index == NEIGH_ARP_TABLE) {
3107 			u32 key = *((u32 *)addr);
3108 
3109 			neigh = __ipv4_neigh_lookup_noref(dev, key);
3110 		} else {
3111 			neigh = __neigh_lookup_noref(tbl, addr, dev);
3112 		}
3113 		if (!neigh)
3114 			neigh = __neigh_create(tbl, addr, dev, false);
3115 		err = PTR_ERR(neigh);
3116 		if (IS_ERR(neigh)) {
3117 			rcu_read_unlock_bh();
3118 			goto out_kfree_skb;
3119 		}
3120 		err = neigh->output(neigh, skb);
3121 		rcu_read_unlock_bh();
3122 	}
3123 	else if (index == NEIGH_LINK_TABLE) {
3124 		err = dev_hard_header(skb, dev, ntohs(skb->protocol),
3125 				      addr, NULL, skb->len);
3126 		if (err < 0)
3127 			goto out_kfree_skb;
3128 		err = dev_queue_xmit(skb);
3129 	}
3130 out:
3131 	return err;
3132 out_kfree_skb:
3133 	kfree_skb(skb);
3134 	goto out;
3135 }
3136 EXPORT_SYMBOL(neigh_xmit);
3137 
3138 #ifdef CONFIG_PROC_FS
3139 
3140 static struct neighbour *neigh_get_first(struct seq_file *seq)
3141 {
3142 	struct neigh_seq_state *state = seq->private;
3143 	struct net *net = seq_file_net(seq);
3144 	struct neigh_hash_table *nht = state->nht;
3145 	struct neighbour *n = NULL;
3146 	int bucket;
3147 
3148 	state->flags &= ~NEIGH_SEQ_IS_PNEIGH;
3149 	for (bucket = 0; bucket < (1 << nht->hash_shift); bucket++) {
3150 		n = rcu_dereference_bh(nht->hash_buckets[bucket]);
3151 
3152 		while (n) {
3153 			if (!net_eq(dev_net(n->dev), net))
3154 				goto next;
3155 			if (state->neigh_sub_iter) {
3156 				loff_t fakep = 0;
3157 				void *v;
3158 
3159 				v = state->neigh_sub_iter(state, n, &fakep);
3160 				if (!v)
3161 					goto next;
3162 			}
3163 			if (!(state->flags & NEIGH_SEQ_SKIP_NOARP))
3164 				break;
3165 			if (n->nud_state & ~NUD_NOARP)
3166 				break;
3167 next:
3168 			n = rcu_dereference_bh(n->next);
3169 		}
3170 
3171 		if (n)
3172 			break;
3173 	}
3174 	state->bucket = bucket;
3175 
3176 	return n;
3177 }
3178 
3179 static struct neighbour *neigh_get_next(struct seq_file *seq,
3180 					struct neighbour *n,
3181 					loff_t *pos)
3182 {
3183 	struct neigh_seq_state *state = seq->private;
3184 	struct net *net = seq_file_net(seq);
3185 	struct neigh_hash_table *nht = state->nht;
3186 
3187 	if (state->neigh_sub_iter) {
3188 		void *v = state->neigh_sub_iter(state, n, pos);
3189 		if (v)
3190 			return n;
3191 	}
3192 	n = rcu_dereference_bh(n->next);
3193 
3194 	while (1) {
3195 		while (n) {
3196 			if (!net_eq(dev_net(n->dev), net))
3197 				goto next;
3198 			if (state->neigh_sub_iter) {
3199 				void *v = state->neigh_sub_iter(state, n, pos);
3200 				if (v)
3201 					return n;
3202 				goto next;
3203 			}
3204 			if (!(state->flags & NEIGH_SEQ_SKIP_NOARP))
3205 				break;
3206 
3207 			if (n->nud_state & ~NUD_NOARP)
3208 				break;
3209 next:
3210 			n = rcu_dereference_bh(n->next);
3211 		}
3212 
3213 		if (n)
3214 			break;
3215 
3216 		if (++state->bucket >= (1 << nht->hash_shift))
3217 			break;
3218 
3219 		n = rcu_dereference_bh(nht->hash_buckets[state->bucket]);
3220 	}
3221 
3222 	if (n && pos)
3223 		--(*pos);
3224 	return n;
3225 }
3226 
3227 static struct neighbour *neigh_get_idx(struct seq_file *seq, loff_t *pos)
3228 {
3229 	struct neighbour *n = neigh_get_first(seq);
3230 
3231 	if (n) {
3232 		--(*pos);
3233 		while (*pos) {
3234 			n = neigh_get_next(seq, n, pos);
3235 			if (!n)
3236 				break;
3237 		}
3238 	}
3239 	return *pos ? NULL : n;
3240 }
3241 
3242 static struct pneigh_entry *pneigh_get_first(struct seq_file *seq)
3243 {
3244 	struct neigh_seq_state *state = seq->private;
3245 	struct net *net = seq_file_net(seq);
3246 	struct neigh_table *tbl = state->tbl;
3247 	struct pneigh_entry *pn = NULL;
3248 	int bucket;
3249 
3250 	state->flags |= NEIGH_SEQ_IS_PNEIGH;
3251 	for (bucket = 0; bucket <= PNEIGH_HASHMASK; bucket++) {
3252 		pn = tbl->phash_buckets[bucket];
3253 		while (pn && !net_eq(pneigh_net(pn), net))
3254 			pn = pn->next;
3255 		if (pn)
3256 			break;
3257 	}
3258 	state->bucket = bucket;
3259 
3260 	return pn;
3261 }
3262 
3263 static struct pneigh_entry *pneigh_get_next(struct seq_file *seq,
3264 					    struct pneigh_entry *pn,
3265 					    loff_t *pos)
3266 {
3267 	struct neigh_seq_state *state = seq->private;
3268 	struct net *net = seq_file_net(seq);
3269 	struct neigh_table *tbl = state->tbl;
3270 
3271 	do {
3272 		pn = pn->next;
3273 	} while (pn && !net_eq(pneigh_net(pn), net));
3274 
3275 	while (!pn) {
3276 		if (++state->bucket > PNEIGH_HASHMASK)
3277 			break;
3278 		pn = tbl->phash_buckets[state->bucket];
3279 		while (pn && !net_eq(pneigh_net(pn), net))
3280 			pn = pn->next;
3281 		if (pn)
3282 			break;
3283 	}
3284 
3285 	if (pn && pos)
3286 		--(*pos);
3287 
3288 	return pn;
3289 }
3290 
3291 static struct pneigh_entry *pneigh_get_idx(struct seq_file *seq, loff_t *pos)
3292 {
3293 	struct pneigh_entry *pn = pneigh_get_first(seq);
3294 
3295 	if (pn) {
3296 		--(*pos);
3297 		while (*pos) {
3298 			pn = pneigh_get_next(seq, pn, pos);
3299 			if (!pn)
3300 				break;
3301 		}
3302 	}
3303 	return *pos ? NULL : pn;
3304 }
3305 
3306 static void *neigh_get_idx_any(struct seq_file *seq, loff_t *pos)
3307 {
3308 	struct neigh_seq_state *state = seq->private;
3309 	void *rc;
3310 	loff_t idxpos = *pos;
3311 
3312 	rc = neigh_get_idx(seq, &idxpos);
3313 	if (!rc && !(state->flags & NEIGH_SEQ_NEIGH_ONLY))
3314 		rc = pneigh_get_idx(seq, &idxpos);
3315 
3316 	return rc;
3317 }
3318 
3319 void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
3320 	__acquires(tbl->lock)
3321 	__acquires(rcu_bh)
3322 {
3323 	struct neigh_seq_state *state = seq->private;
3324 
3325 	state->tbl = tbl;
3326 	state->bucket = 0;
3327 	state->flags = (neigh_seq_flags & ~NEIGH_SEQ_IS_PNEIGH);
3328 
3329 	rcu_read_lock_bh();
3330 	state->nht = rcu_dereference_bh(tbl->nht);
3331 	read_lock(&tbl->lock);
3332 
3333 	return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
3334 }
3335 EXPORT_SYMBOL(neigh_seq_start);
3336 
3337 void *neigh_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3338 {
3339 	struct neigh_seq_state *state;
3340 	void *rc;
3341 
3342 	if (v == SEQ_START_TOKEN) {
3343 		rc = neigh_get_first(seq);
3344 		goto out;
3345 	}
3346 
3347 	state = seq->private;
3348 	if (!(state->flags & NEIGH_SEQ_IS_PNEIGH)) {
3349 		rc = neigh_get_next(seq, v, NULL);
3350 		if (rc)
3351 			goto out;
3352 		if (!(state->flags & NEIGH_SEQ_NEIGH_ONLY))
3353 			rc = pneigh_get_first(seq);
3354 	} else {
3355 		BUG_ON(state->flags & NEIGH_SEQ_NEIGH_ONLY);
3356 		rc = pneigh_get_next(seq, v, NULL);
3357 	}
3358 out:
3359 	++(*pos);
3360 	return rc;
3361 }
3362 EXPORT_SYMBOL(neigh_seq_next);
3363 
3364 void neigh_seq_stop(struct seq_file *seq, void *v)
3365 	__releases(tbl->lock)
3366 	__releases(rcu_bh)
3367 {
3368 	struct neigh_seq_state *state = seq->private;
3369 	struct neigh_table *tbl = state->tbl;
3370 
3371 	read_unlock(&tbl->lock);
3372 	rcu_read_unlock_bh();
3373 }
3374 EXPORT_SYMBOL(neigh_seq_stop);
3375 
3376 /* statistics via seq_file */
3377 
3378 static void *neigh_stat_seq_start(struct seq_file *seq, loff_t *pos)
3379 {
3380 	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3381 	int cpu;
3382 
3383 	if (*pos == 0)
3384 		return SEQ_START_TOKEN;
3385 
3386 	for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
3387 		if (!cpu_possible(cpu))
3388 			continue;
3389 		*pos = cpu+1;
3390 		return per_cpu_ptr(tbl->stats, cpu);
3391 	}
3392 	return NULL;
3393 }
3394 
3395 static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3396 {
3397 	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3398 	int cpu;
3399 
3400 	for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
3401 		if (!cpu_possible(cpu))
3402 			continue;
3403 		*pos = cpu+1;
3404 		return per_cpu_ptr(tbl->stats, cpu);
3405 	}
3406 	(*pos)++;
3407 	return NULL;
3408 }
3409 
3410 static void neigh_stat_seq_stop(struct seq_file *seq, void *v)
3411 {
3412 
3413 }
3414 
3415 static int neigh_stat_seq_show(struct seq_file *seq, void *v)
3416 {
3417 	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3418 	struct neigh_statistics *st = v;
3419 
3420 	if (v == SEQ_START_TOKEN) {
3421 		seq_puts(seq, "entries  allocs   destroys hash_grows lookups  hits     res_failed rcv_probes_mcast rcv_probes_ucast periodic_gc_runs forced_gc_runs unresolved_discards table_fulls\n");
3422 		return 0;
3423 	}
3424 
3425 	seq_printf(seq, "%08x %08lx %08lx %08lx   %08lx %08lx %08lx   "
3426 			"%08lx         %08lx         %08lx         "
3427 			"%08lx       %08lx            %08lx\n",
3428 		   atomic_read(&tbl->entries),
3429 
3430 		   st->allocs,
3431 		   st->destroys,
3432 		   st->hash_grows,
3433 
3434 		   st->lookups,
3435 		   st->hits,
3436 
3437 		   st->res_failed,
3438 
3439 		   st->rcv_probes_mcast,
3440 		   st->rcv_probes_ucast,
3441 
3442 		   st->periodic_gc_runs,
3443 		   st->forced_gc_runs,
3444 		   st->unres_discards,
3445 		   st->table_fulls
3446 		   );
3447 
3448 	return 0;
3449 }
3450 
3451 static const struct seq_operations neigh_stat_seq_ops = {
3452 	.start	= neigh_stat_seq_start,
3453 	.next	= neigh_stat_seq_next,
3454 	.stop	= neigh_stat_seq_stop,
3455 	.show	= neigh_stat_seq_show,
3456 };
3457 #endif /* CONFIG_PROC_FS */
3458 
3459 static void __neigh_notify(struct neighbour *n, int type, int flags,
3460 			   u32 pid)
3461 {
3462 	struct net *net = dev_net(n->dev);
3463 	struct sk_buff *skb;
3464 	int err = -ENOBUFS;
3465 
3466 	skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC);
3467 	if (skb == NULL)
3468 		goto errout;
3469 
3470 	err = neigh_fill_info(skb, n, pid, 0, type, flags);
3471 	if (err < 0) {
3472 		/* -EMSGSIZE implies BUG in neigh_nlmsg_size() */
3473 		WARN_ON(err == -EMSGSIZE);
3474 		kfree_skb(skb);
3475 		goto errout;
3476 	}
3477 	rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
3478 	return;
3479 errout:
3480 	if (err < 0)
3481 		rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
3482 }
3483 
3484 void neigh_app_ns(struct neighbour *n)
3485 {
3486 	__neigh_notify(n, RTM_GETNEIGH, NLM_F_REQUEST, 0);
3487 }
3488 EXPORT_SYMBOL(neigh_app_ns);
3489 
3490 #ifdef CONFIG_SYSCTL
3491 static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
3492 
3493 static int proc_unres_qlen(struct ctl_table *ctl, int write,
3494 			   void *buffer, size_t *lenp, loff_t *ppos)
3495 {
3496 	int size, ret;
3497 	struct ctl_table tmp = *ctl;
3498 
3499 	tmp.extra1 = SYSCTL_ZERO;
3500 	tmp.extra2 = &unres_qlen_max;
3501 	tmp.data = &size;
3502 
3503 	size = *(int *)ctl->data / SKB_TRUESIZE(ETH_FRAME_LEN);
3504 	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
3505 
3506 	if (write && !ret)
3507 		*(int *)ctl->data = size * SKB_TRUESIZE(ETH_FRAME_LEN);
3508 	return ret;
3509 }
3510 
3511 static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
3512 						   int family)
3513 {
3514 	switch (family) {
3515 	case AF_INET:
3516 		return __in_dev_arp_parms_get_rcu(dev);
3517 	case AF_INET6:
3518 		return __in6_dev_nd_parms_get_rcu(dev);
3519 	}
3520 	return NULL;
3521 }
3522 
3523 static void neigh_copy_dflt_parms(struct net *net, struct neigh_parms *p,
3524 				  int index)
3525 {
3526 	struct net_device *dev;
3527 	int family = neigh_parms_family(p);
3528 
3529 	rcu_read_lock();
3530 	for_each_netdev_rcu(net, dev) {
3531 		struct neigh_parms *dst_p =
3532 				neigh_get_dev_parms_rcu(dev, family);
3533 
3534 		if (dst_p && !test_bit(index, dst_p->data_state))
3535 			dst_p->data[index] = p->data[index];
3536 	}
3537 	rcu_read_unlock();
3538 }
3539 
3540 static void neigh_proc_update(struct ctl_table *ctl, int write)
3541 {
3542 	struct net_device *dev = ctl->extra1;
3543 	struct neigh_parms *p = ctl->extra2;
3544 	struct net *net = neigh_parms_net(p);
3545 	int index = (int *) ctl->data - p->data;
3546 
3547 	if (!write)
3548 		return;
3549 
3550 	set_bit(index, p->data_state);
3551 	if (index == NEIGH_VAR_DELAY_PROBE_TIME)
3552 		call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
3553 	if (!dev) /* NULL dev means this is default value */
3554 		neigh_copy_dflt_parms(net, p, index);
3555 }
3556 
3557 static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
3558 					   void *buffer, size_t *lenp,
3559 					   loff_t *ppos)
3560 {
3561 	struct ctl_table tmp = *ctl;
3562 	int ret;
3563 
3564 	tmp.extra1 = SYSCTL_ZERO;
3565 	tmp.extra2 = SYSCTL_INT_MAX;
3566 
3567 	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
3568 	neigh_proc_update(ctl, write);
3569 	return ret;
3570 }
3571 
3572 static int neigh_proc_dointvec_ms_jiffies_positive(struct ctl_table *ctl, int write,
3573 						   void *buffer, size_t *lenp, loff_t *ppos)
3574 {
3575 	struct ctl_table tmp = *ctl;
3576 	int ret;
3577 
3578 	int min = msecs_to_jiffies(1);
3579 
3580 	tmp.extra1 = &min;
3581 	tmp.extra2 = NULL;
3582 
3583 	ret = proc_dointvec_ms_jiffies_minmax(&tmp, write, buffer, lenp, ppos);
3584 	neigh_proc_update(ctl, write);
3585 	return ret;
3586 }
3587 
3588 int neigh_proc_dointvec(struct ctl_table *ctl, int write, void *buffer,
3589 			size_t *lenp, loff_t *ppos)
3590 {
3591 	int ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
3592 
3593 	neigh_proc_update(ctl, write);
3594 	return ret;
3595 }
3596 EXPORT_SYMBOL(neigh_proc_dointvec);
3597 
3598 int neigh_proc_dointvec_jiffies(struct ctl_table *ctl, int write, void *buffer,
3599 				size_t *lenp, loff_t *ppos)
3600 {
3601 	int ret = proc_dointvec_jiffies(ctl, write, buffer, lenp, ppos);
3602 
3603 	neigh_proc_update(ctl, write);
3604 	return ret;
3605 }
3606 EXPORT_SYMBOL(neigh_proc_dointvec_jiffies);
3607 
3608 static int neigh_proc_dointvec_userhz_jiffies(struct ctl_table *ctl, int write,
3609 					      void *buffer, size_t *lenp,
3610 					      loff_t *ppos)
3611 {
3612 	int ret = proc_dointvec_userhz_jiffies(ctl, write, buffer, lenp, ppos);
3613 
3614 	neigh_proc_update(ctl, write);
3615 	return ret;
3616 }
3617 
3618 int neigh_proc_dointvec_ms_jiffies(struct ctl_table *ctl, int write,
3619 				   void *buffer, size_t *lenp, loff_t *ppos)
3620 {
3621 	int ret = proc_dointvec_ms_jiffies(ctl, write, buffer, lenp, ppos);
3622 
3623 	neigh_proc_update(ctl, write);
3624 	return ret;
3625 }
3626 EXPORT_SYMBOL(neigh_proc_dointvec_ms_jiffies);
3627 
3628 static int neigh_proc_dointvec_unres_qlen(struct ctl_table *ctl, int write,
3629 					  void *buffer, size_t *lenp,
3630 					  loff_t *ppos)
3631 {
3632 	int ret = proc_unres_qlen(ctl, write, buffer, lenp, ppos);
3633 
3634 	neigh_proc_update(ctl, write);
3635 	return ret;
3636 }
3637 
3638 static int neigh_proc_base_reachable_time(struct ctl_table *ctl, int write,
3639 					  void *buffer, size_t *lenp,
3640 					  loff_t *ppos)
3641 {
3642 	struct neigh_parms *p = ctl->extra2;
3643 	int ret;
3644 
3645 	if (strcmp(ctl->procname, "base_reachable_time") == 0)
3646 		ret = neigh_proc_dointvec_jiffies(ctl, write, buffer, lenp, ppos);
3647 	else if (strcmp(ctl->procname, "base_reachable_time_ms") == 0)
3648 		ret = neigh_proc_dointvec_ms_jiffies(ctl, write, buffer, lenp, ppos);
3649 	else
3650 		ret = -1;
3651 
3652 	if (write && ret == 0) {
3653 		/* update reachable_time as well, otherwise, the change will
3654 		 * only be effective after the next time neigh_periodic_work
3655 		 * decides to recompute it
3656 		 */
3657 		p->reachable_time =
3658 			neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
3659 	}
3660 	return ret;
3661 }
3662 
3663 #define NEIGH_PARMS_DATA_OFFSET(index)	\
3664 	(&((struct neigh_parms *) 0)->data[index])
3665 
3666 #define NEIGH_SYSCTL_ENTRY(attr, data_attr, name, mval, proc) \
3667 	[NEIGH_VAR_ ## attr] = { \
3668 		.procname	= name, \
3669 		.data		= NEIGH_PARMS_DATA_OFFSET(NEIGH_VAR_ ## data_attr), \
3670 		.maxlen		= sizeof(int), \
3671 		.mode		= mval, \
3672 		.proc_handler	= proc, \
3673 	}
3674 
3675 #define NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(attr, name) \
3676 	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_zero_intmax)
3677 
3678 #define NEIGH_SYSCTL_JIFFIES_ENTRY(attr, name) \
3679 	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_jiffies)
3680 
3681 #define NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(attr, name) \
3682 	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_userhz_jiffies)
3683 
3684 #define NEIGH_SYSCTL_MS_JIFFIES_POSITIVE_ENTRY(attr, name) \
3685 	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_ms_jiffies_positive)
3686 
3687 #define NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(attr, data_attr, name) \
3688 	NEIGH_SYSCTL_ENTRY(attr, data_attr, name, 0644, neigh_proc_dointvec_ms_jiffies)
3689 
3690 #define NEIGH_SYSCTL_UNRES_QLEN_REUSED_ENTRY(attr, data_attr, name) \
3691 	NEIGH_SYSCTL_ENTRY(attr, data_attr, name, 0644, neigh_proc_dointvec_unres_qlen)
3692 
3693 static struct neigh_sysctl_table {
3694 	struct ctl_table_header *sysctl_header;
3695 	struct ctl_table neigh_vars[NEIGH_VAR_MAX + 1];
3696 } neigh_sysctl_template __read_mostly = {
3697 	.neigh_vars = {
3698 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(MCAST_PROBES, "mcast_solicit"),
3699 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(UCAST_PROBES, "ucast_solicit"),
3700 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(APP_PROBES, "app_solicit"),
3701 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(MCAST_REPROBES, "mcast_resolicit"),
3702 		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(RETRANS_TIME, "retrans_time"),
3703 		NEIGH_SYSCTL_JIFFIES_ENTRY(BASE_REACHABLE_TIME, "base_reachable_time"),
3704 		NEIGH_SYSCTL_JIFFIES_ENTRY(DELAY_PROBE_TIME, "delay_first_probe_time"),
3705 		NEIGH_SYSCTL_MS_JIFFIES_POSITIVE_ENTRY(INTERVAL_PROBE_TIME_MS,
3706 						       "interval_probe_time_ms"),
3707 		NEIGH_SYSCTL_JIFFIES_ENTRY(GC_STALETIME, "gc_stale_time"),
3708 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(QUEUE_LEN_BYTES, "unres_qlen_bytes"),
3709 		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(PROXY_QLEN, "proxy_qlen"),
3710 		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(ANYCAST_DELAY, "anycast_delay"),
3711 		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(PROXY_DELAY, "proxy_delay"),
3712 		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(LOCKTIME, "locktime"),
3713 		NEIGH_SYSCTL_UNRES_QLEN_REUSED_ENTRY(QUEUE_LEN, QUEUE_LEN_BYTES, "unres_qlen"),
3714 		NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(RETRANS_TIME_MS, RETRANS_TIME, "retrans_time_ms"),
3715 		NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(BASE_REACHABLE_TIME_MS, BASE_REACHABLE_TIME, "base_reachable_time_ms"),
3716 		[NEIGH_VAR_GC_INTERVAL] = {
3717 			.procname	= "gc_interval",
3718 			.maxlen		= sizeof(int),
3719 			.mode		= 0644,
3720 			.proc_handler	= proc_dointvec_jiffies,
3721 		},
3722 		[NEIGH_VAR_GC_THRESH1] = {
3723 			.procname	= "gc_thresh1",
3724 			.maxlen		= sizeof(int),
3725 			.mode		= 0644,
3726 			.extra1		= SYSCTL_ZERO,
3727 			.extra2		= SYSCTL_INT_MAX,
3728 			.proc_handler	= proc_dointvec_minmax,
3729 		},
3730 		[NEIGH_VAR_GC_THRESH2] = {
3731 			.procname	= "gc_thresh2",
3732 			.maxlen		= sizeof(int),
3733 			.mode		= 0644,
3734 			.extra1		= SYSCTL_ZERO,
3735 			.extra2		= SYSCTL_INT_MAX,
3736 			.proc_handler	= proc_dointvec_minmax,
3737 		},
3738 		[NEIGH_VAR_GC_THRESH3] = {
3739 			.procname	= "gc_thresh3",
3740 			.maxlen		= sizeof(int),
3741 			.mode		= 0644,
3742 			.extra1		= SYSCTL_ZERO,
3743 			.extra2		= SYSCTL_INT_MAX,
3744 			.proc_handler	= proc_dointvec_minmax,
3745 		},
3746 		{},
3747 	},
3748 };
3749 
3750 int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
3751 			  proc_handler *handler)
3752 {
3753 	int i;
3754 	struct neigh_sysctl_table *t;
3755 	const char *dev_name_source;
3756 	char neigh_path[ sizeof("net//neigh/") + IFNAMSIZ + IFNAMSIZ ];
3757 	char *p_name;
3758 
3759 	t = kmemdup(&neigh_sysctl_template, sizeof(*t), GFP_KERNEL_ACCOUNT);
3760 	if (!t)
3761 		goto err;
3762 
3763 	for (i = 0; i < NEIGH_VAR_GC_INTERVAL; i++) {
3764 		t->neigh_vars[i].data += (long) p;
3765 		t->neigh_vars[i].extra1 = dev;
3766 		t->neigh_vars[i].extra2 = p;
3767 	}
3768 
3769 	if (dev) {
3770 		dev_name_source = dev->name;
3771 		/* Terminate the table early */
3772 		memset(&t->neigh_vars[NEIGH_VAR_GC_INTERVAL], 0,
3773 		       sizeof(t->neigh_vars[NEIGH_VAR_GC_INTERVAL]));
3774 	} else {
3775 		struct neigh_table *tbl = p->tbl;
3776 		dev_name_source = "default";
3777 		t->neigh_vars[NEIGH_VAR_GC_INTERVAL].data = &tbl->gc_interval;
3778 		t->neigh_vars[NEIGH_VAR_GC_THRESH1].data = &tbl->gc_thresh1;
3779 		t->neigh_vars[NEIGH_VAR_GC_THRESH2].data = &tbl->gc_thresh2;
3780 		t->neigh_vars[NEIGH_VAR_GC_THRESH3].data = &tbl->gc_thresh3;
3781 	}
3782 
3783 	if (handler) {
3784 		/* RetransTime */
3785 		t->neigh_vars[NEIGH_VAR_RETRANS_TIME].proc_handler = handler;
3786 		/* ReachableTime */
3787 		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME].proc_handler = handler;
3788 		/* RetransTime (in milliseconds)*/
3789 		t->neigh_vars[NEIGH_VAR_RETRANS_TIME_MS].proc_handler = handler;
3790 		/* ReachableTime (in milliseconds) */
3791 		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME_MS].proc_handler = handler;
3792 	} else {
3793 		/* Those handlers will update p->reachable_time after
3794 		 * base_reachable_time(_ms) is set to ensure the new timer starts being
3795 		 * applied after the next neighbour update instead of waiting for
3796 		 * neigh_periodic_work to update its value (can be multiple minutes)
3797 		 * So any handler that replaces them should do this as well
3798 		 */
3799 		/* ReachableTime */
3800 		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME].proc_handler =
3801 			neigh_proc_base_reachable_time;
3802 		/* ReachableTime (in milliseconds) */
3803 		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME_MS].proc_handler =
3804 			neigh_proc_base_reachable_time;
3805 	}
3806 
3807 	switch (neigh_parms_family(p)) {
3808 	case AF_INET:
3809 	      p_name = "ipv4";
3810 	      break;
3811 	case AF_INET6:
3812 	      p_name = "ipv6";
3813 	      break;
3814 	default:
3815 	      BUG();
3816 	}
3817 
3818 	snprintf(neigh_path, sizeof(neigh_path), "net/%s/neigh/%s",
3819 		p_name, dev_name_source);
3820 	t->sysctl_header =
3821 		register_net_sysctl(neigh_parms_net(p), neigh_path, t->neigh_vars);
3822 	if (!t->sysctl_header)
3823 		goto free;
3824 
3825 	p->sysctl_table = t;
3826 	return 0;
3827 
3828 free:
3829 	kfree(t);
3830 err:
3831 	return -ENOBUFS;
3832 }
3833 EXPORT_SYMBOL(neigh_sysctl_register);
3834 
3835 void neigh_sysctl_unregister(struct neigh_parms *p)
3836 {
3837 	if (p->sysctl_table) {
3838 		struct neigh_sysctl_table *t = p->sysctl_table;
3839 		p->sysctl_table = NULL;
3840 		unregister_net_sysctl_table(t->sysctl_header);
3841 		kfree(t);
3842 	}
3843 }
3844 EXPORT_SYMBOL(neigh_sysctl_unregister);
3845 
3846 #endif	/* CONFIG_SYSCTL */
3847 
3848 static int __init neigh_init(void)
3849 {
3850 	rtnl_register(PF_UNSPEC, RTM_NEWNEIGH, neigh_add, NULL, 0);
3851 	rtnl_register(PF_UNSPEC, RTM_DELNEIGH, neigh_delete, NULL, 0);
3852 	rtnl_register(PF_UNSPEC, RTM_GETNEIGH, neigh_get, neigh_dump_info, 0);
3853 
3854 	rtnl_register(PF_UNSPEC, RTM_GETNEIGHTBL, NULL, neightbl_dump_info,
3855 		      0);
3856 	rtnl_register(PF_UNSPEC, RTM_SETNEIGHTBL, neightbl_set, NULL, 0);
3857 
3858 	return 0;
3859 }
3860 
3861 subsys_initcall(neigh_init);
3862