1 /* 6LoWPAN fragment reassembly 2 * 3 * 4 * Authors: 5 * Alexander Aring <aar@pengutronix.de> 6 * 7 * Based on: net/ipv6/reassembly.c 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License 11 * as published by the Free Software Foundation; either version 12 * 2 of the License, or (at your option) any later version. 13 */ 14 15 #define pr_fmt(fmt) "6LoWPAN: " fmt 16 17 #include <linux/net.h> 18 #include <linux/list.h> 19 #include <linux/netdevice.h> 20 #include <linux/random.h> 21 #include <linux/jhash.h> 22 #include <linux/skbuff.h> 23 #include <linux/slab.h> 24 #include <linux/export.h> 25 26 #include <net/ieee802154_netdev.h> 27 #include <net/6lowpan.h> 28 #include <net/ipv6.h> 29 #include <net/inet_frag.h> 30 31 #include "6lowpan_i.h" 32 33 static const char lowpan_frags_cache_name[] = "lowpan-frags"; 34 35 struct lowpan_frag_info { 36 u16 d_tag; 37 u16 d_size; 38 u8 d_offset; 39 }; 40 41 static struct lowpan_frag_info *lowpan_cb(struct sk_buff *skb) 42 { 43 return (struct lowpan_frag_info *)skb->cb; 44 } 45 46 static struct inet_frags lowpan_frags; 47 48 static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, 49 struct sk_buff *prev, struct net_device *dev); 50 51 static unsigned int lowpan_hash_frag(u16 tag, u16 d_size, 52 const struct ieee802154_addr *saddr, 53 const struct ieee802154_addr *daddr) 54 { 55 net_get_random_once(&lowpan_frags.rnd, sizeof(lowpan_frags.rnd)); 56 return jhash_3words(ieee802154_addr_hash(saddr), 57 ieee802154_addr_hash(daddr), 58 (__force u32)(tag + (d_size << 16)), 59 lowpan_frags.rnd); 60 } 61 62 static unsigned int lowpan_hashfn(const struct inet_frag_queue *q) 63 { 64 const struct lowpan_frag_queue *fq; 65 66 fq = container_of(q, struct lowpan_frag_queue, q); 67 return lowpan_hash_frag(fq->tag, fq->d_size, &fq->saddr, &fq->daddr); 68 } 69 70 static bool lowpan_frag_match(const struct inet_frag_queue *q, const void *a) 71 { 72 const struct lowpan_frag_queue *fq; 73 const struct lowpan_create_arg *arg = a; 74 75 fq = container_of(q, struct lowpan_frag_queue, q); 76 return fq->tag == arg->tag && fq->d_size == arg->d_size && 77 ieee802154_addr_equal(&fq->saddr, arg->src) && 78 ieee802154_addr_equal(&fq->daddr, arg->dst); 79 } 80 81 static void lowpan_frag_init(struct inet_frag_queue *q, const void *a) 82 { 83 const struct lowpan_create_arg *arg = a; 84 struct lowpan_frag_queue *fq; 85 86 fq = container_of(q, struct lowpan_frag_queue, q); 87 88 fq->tag = arg->tag; 89 fq->d_size = arg->d_size; 90 fq->saddr = *arg->src; 91 fq->daddr = *arg->dst; 92 } 93 94 static void lowpan_frag_expire(unsigned long data) 95 { 96 struct frag_queue *fq; 97 struct net *net; 98 99 fq = container_of((struct inet_frag_queue *)data, struct frag_queue, q); 100 net = container_of(fq->q.net, struct net, ieee802154_lowpan.frags); 101 102 spin_lock(&fq->q.lock); 103 104 if (fq->q.flags & INET_FRAG_COMPLETE) 105 goto out; 106 107 inet_frag_kill(&fq->q, &lowpan_frags); 108 out: 109 spin_unlock(&fq->q.lock); 110 inet_frag_put(&fq->q, &lowpan_frags); 111 } 112 113 static inline struct lowpan_frag_queue * 114 fq_find(struct net *net, const struct lowpan_frag_info *frag_info, 115 const struct ieee802154_addr *src, 116 const struct ieee802154_addr *dst) 117 { 118 struct inet_frag_queue *q; 119 struct lowpan_create_arg arg; 120 unsigned int hash; 121 struct netns_ieee802154_lowpan *ieee802154_lowpan = 122 net_ieee802154_lowpan(net); 123 124 arg.tag = frag_info->d_tag; 125 arg.d_size = frag_info->d_size; 126 arg.src = src; 127 arg.dst = dst; 128 129 hash = lowpan_hash_frag(frag_info->d_tag, frag_info->d_size, src, dst); 130 131 q = inet_frag_find(&ieee802154_lowpan->frags, 132 &lowpan_frags, &arg, hash); 133 if (IS_ERR_OR_NULL(q)) { 134 inet_frag_maybe_warn_overflow(q, pr_fmt()); 135 return NULL; 136 } 137 return container_of(q, struct lowpan_frag_queue, q); 138 } 139 140 static int lowpan_frag_queue(struct lowpan_frag_queue *fq, 141 struct sk_buff *skb, const u8 frag_type) 142 { 143 struct sk_buff *prev, *next; 144 struct net_device *dev; 145 int end, offset; 146 147 if (fq->q.flags & INET_FRAG_COMPLETE) 148 goto err; 149 150 offset = lowpan_cb(skb)->d_offset << 3; 151 end = lowpan_cb(skb)->d_size; 152 153 /* Is this the final fragment? */ 154 if (offset + skb->len == end) { 155 /* If we already have some bits beyond end 156 * or have different end, the segment is corrupted. 157 */ 158 if (end < fq->q.len || 159 ((fq->q.flags & INET_FRAG_LAST_IN) && end != fq->q.len)) 160 goto err; 161 fq->q.flags |= INET_FRAG_LAST_IN; 162 fq->q.len = end; 163 } else { 164 if (end > fq->q.len) { 165 /* Some bits beyond end -> corruption. */ 166 if (fq->q.flags & INET_FRAG_LAST_IN) 167 goto err; 168 fq->q.len = end; 169 } 170 } 171 172 /* Find out which fragments are in front and at the back of us 173 * in the chain of fragments so far. We must know where to put 174 * this fragment, right? 175 */ 176 prev = fq->q.fragments_tail; 177 if (!prev || lowpan_cb(prev)->d_offset < lowpan_cb(skb)->d_offset) { 178 next = NULL; 179 goto found; 180 } 181 prev = NULL; 182 for (next = fq->q.fragments; next != NULL; next = next->next) { 183 if (lowpan_cb(next)->d_offset >= lowpan_cb(skb)->d_offset) 184 break; /* bingo! */ 185 prev = next; 186 } 187 188 found: 189 /* Insert this fragment in the chain of fragments. */ 190 skb->next = next; 191 if (!next) 192 fq->q.fragments_tail = skb; 193 if (prev) 194 prev->next = skb; 195 else 196 fq->q.fragments = skb; 197 198 dev = skb->dev; 199 if (dev) 200 skb->dev = NULL; 201 202 fq->q.stamp = skb->tstamp; 203 if (frag_type == LOWPAN_DISPATCH_FRAG1) { 204 /* Calculate uncomp. 6lowpan header to estimate full size */ 205 fq->q.meat += lowpan_uncompress_size(skb, NULL); 206 fq->q.flags |= INET_FRAG_FIRST_IN; 207 } else { 208 fq->q.meat += skb->len; 209 } 210 add_frag_mem_limit(fq->q.net, skb->truesize); 211 212 if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && 213 fq->q.meat == fq->q.len) { 214 int res; 215 unsigned long orefdst = skb->_skb_refdst; 216 217 skb->_skb_refdst = 0UL; 218 res = lowpan_frag_reasm(fq, prev, dev); 219 skb->_skb_refdst = orefdst; 220 return res; 221 } 222 223 return -1; 224 err: 225 kfree_skb(skb); 226 return -1; 227 } 228 229 /* Check if this packet is complete. 230 * Returns NULL on failure by any reason, and pointer 231 * to current nexthdr field in reassembled frame. 232 * 233 * It is called with locked fq, and caller must check that 234 * queue is eligible for reassembly i.e. it is not COMPLETE, 235 * the last and the first frames arrived and all the bits are here. 236 */ 237 static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *prev, 238 struct net_device *dev) 239 { 240 struct sk_buff *fp, *head = fq->q.fragments; 241 int sum_truesize; 242 243 inet_frag_kill(&fq->q, &lowpan_frags); 244 245 /* Make the one we just received the head. */ 246 if (prev) { 247 head = prev->next; 248 fp = skb_clone(head, GFP_ATOMIC); 249 250 if (!fp) 251 goto out_oom; 252 253 fp->next = head->next; 254 if (!fp->next) 255 fq->q.fragments_tail = fp; 256 prev->next = fp; 257 258 skb_morph(head, fq->q.fragments); 259 head->next = fq->q.fragments->next; 260 261 consume_skb(fq->q.fragments); 262 fq->q.fragments = head; 263 } 264 265 /* Head of list must not be cloned. */ 266 if (skb_unclone(head, GFP_ATOMIC)) 267 goto out_oom; 268 269 /* If the first fragment is fragmented itself, we split 270 * it to two chunks: the first with data and paged part 271 * and the second, holding only fragments. 272 */ 273 if (skb_has_frag_list(head)) { 274 struct sk_buff *clone; 275 int i, plen = 0; 276 277 clone = alloc_skb(0, GFP_ATOMIC); 278 if (!clone) 279 goto out_oom; 280 clone->next = head->next; 281 head->next = clone; 282 skb_shinfo(clone)->frag_list = skb_shinfo(head)->frag_list; 283 skb_frag_list_init(head); 284 for (i = 0; i < skb_shinfo(head)->nr_frags; i++) 285 plen += skb_frag_size(&skb_shinfo(head)->frags[i]); 286 clone->len = head->data_len - plen; 287 clone->data_len = clone->len; 288 head->data_len -= clone->len; 289 head->len -= clone->len; 290 add_frag_mem_limit(fq->q.net, clone->truesize); 291 } 292 293 WARN_ON(head == NULL); 294 295 sum_truesize = head->truesize; 296 for (fp = head->next; fp;) { 297 bool headstolen; 298 int delta; 299 struct sk_buff *next = fp->next; 300 301 sum_truesize += fp->truesize; 302 if (skb_try_coalesce(head, fp, &headstolen, &delta)) { 303 kfree_skb_partial(fp, headstolen); 304 } else { 305 if (!skb_shinfo(head)->frag_list) 306 skb_shinfo(head)->frag_list = fp; 307 head->data_len += fp->len; 308 head->len += fp->len; 309 head->truesize += fp->truesize; 310 } 311 fp = next; 312 } 313 sub_frag_mem_limit(fq->q.net, sum_truesize); 314 315 head->next = NULL; 316 head->dev = dev; 317 head->tstamp = fq->q.stamp; 318 319 fq->q.fragments = NULL; 320 fq->q.fragments_tail = NULL; 321 322 return 1; 323 out_oom: 324 net_dbg_ratelimited("lowpan_frag_reasm: no memory for reassembly\n"); 325 return -1; 326 } 327 328 static int lowpan_get_frag_info(struct sk_buff *skb, const u8 frag_type, 329 struct lowpan_frag_info *frag_info) 330 { 331 bool fail; 332 u8 pattern = 0, low = 0; 333 __be16 d_tag = 0; 334 335 fail = lowpan_fetch_skb(skb, &pattern, 1); 336 fail |= lowpan_fetch_skb(skb, &low, 1); 337 frag_info->d_size = (pattern & 7) << 8 | low; 338 fail |= lowpan_fetch_skb(skb, &d_tag, 2); 339 frag_info->d_tag = ntohs(d_tag); 340 341 if (frag_type == LOWPAN_DISPATCH_FRAGN) { 342 fail |= lowpan_fetch_skb(skb, &frag_info->d_offset, 1); 343 } else { 344 skb_reset_network_header(skb); 345 frag_info->d_offset = 0; 346 } 347 348 if (unlikely(fail)) 349 return -EIO; 350 351 return 0; 352 } 353 354 int lowpan_frag_rcv(struct sk_buff *skb, const u8 frag_type) 355 { 356 struct lowpan_frag_queue *fq; 357 struct net *net = dev_net(skb->dev); 358 struct lowpan_frag_info *frag_info = lowpan_cb(skb); 359 struct ieee802154_addr source, dest; 360 int err; 361 362 source = mac_cb(skb)->source; 363 dest = mac_cb(skb)->dest; 364 365 err = lowpan_get_frag_info(skb, frag_type, frag_info); 366 if (err < 0) 367 goto err; 368 369 if (frag_info->d_size > IPV6_MIN_MTU) { 370 net_warn_ratelimited("lowpan_frag_rcv: datagram size exceeds MTU\n"); 371 goto err; 372 } 373 374 fq = fq_find(net, frag_info, &source, &dest); 375 if (fq != NULL) { 376 int ret; 377 378 spin_lock(&fq->q.lock); 379 ret = lowpan_frag_queue(fq, skb, frag_type); 380 spin_unlock(&fq->q.lock); 381 382 inet_frag_put(&fq->q, &lowpan_frags); 383 return ret; 384 } 385 386 err: 387 kfree_skb(skb); 388 return -1; 389 } 390 EXPORT_SYMBOL(lowpan_frag_rcv); 391 392 #ifdef CONFIG_SYSCTL 393 static int zero; 394 395 static struct ctl_table lowpan_frags_ns_ctl_table[] = { 396 { 397 .procname = "6lowpanfrag_high_thresh", 398 .data = &init_net.ieee802154_lowpan.frags.high_thresh, 399 .maxlen = sizeof(int), 400 .mode = 0644, 401 .proc_handler = proc_dointvec_minmax, 402 .extra1 = &init_net.ieee802154_lowpan.frags.low_thresh 403 }, 404 { 405 .procname = "6lowpanfrag_low_thresh", 406 .data = &init_net.ieee802154_lowpan.frags.low_thresh, 407 .maxlen = sizeof(int), 408 .mode = 0644, 409 .proc_handler = proc_dointvec_minmax, 410 .extra1 = &zero, 411 .extra2 = &init_net.ieee802154_lowpan.frags.high_thresh 412 }, 413 { 414 .procname = "6lowpanfrag_time", 415 .data = &init_net.ieee802154_lowpan.frags.timeout, 416 .maxlen = sizeof(int), 417 .mode = 0644, 418 .proc_handler = proc_dointvec_jiffies, 419 }, 420 { } 421 }; 422 423 /* secret interval has been deprecated */ 424 static int lowpan_frags_secret_interval_unused; 425 static struct ctl_table lowpan_frags_ctl_table[] = { 426 { 427 .procname = "6lowpanfrag_secret_interval", 428 .data = &lowpan_frags_secret_interval_unused, 429 .maxlen = sizeof(int), 430 .mode = 0644, 431 .proc_handler = proc_dointvec_jiffies, 432 }, 433 { } 434 }; 435 436 static int __net_init lowpan_frags_ns_sysctl_register(struct net *net) 437 { 438 struct ctl_table *table; 439 struct ctl_table_header *hdr; 440 struct netns_ieee802154_lowpan *ieee802154_lowpan = 441 net_ieee802154_lowpan(net); 442 443 table = lowpan_frags_ns_ctl_table; 444 if (!net_eq(net, &init_net)) { 445 table = kmemdup(table, sizeof(lowpan_frags_ns_ctl_table), 446 GFP_KERNEL); 447 if (table == NULL) 448 goto err_alloc; 449 450 table[0].data = &ieee802154_lowpan->frags.high_thresh; 451 table[0].extra1 = &ieee802154_lowpan->frags.low_thresh; 452 table[0].extra2 = &init_net.ieee802154_lowpan.frags.high_thresh; 453 table[1].data = &ieee802154_lowpan->frags.low_thresh; 454 table[1].extra2 = &ieee802154_lowpan->frags.high_thresh; 455 table[2].data = &ieee802154_lowpan->frags.timeout; 456 457 /* Don't export sysctls to unprivileged users */ 458 if (net->user_ns != &init_user_ns) 459 table[0].procname = NULL; 460 } 461 462 hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table); 463 if (hdr == NULL) 464 goto err_reg; 465 466 ieee802154_lowpan->sysctl.frags_hdr = hdr; 467 return 0; 468 469 err_reg: 470 if (!net_eq(net, &init_net)) 471 kfree(table); 472 err_alloc: 473 return -ENOMEM; 474 } 475 476 static void __net_exit lowpan_frags_ns_sysctl_unregister(struct net *net) 477 { 478 struct ctl_table *table; 479 struct netns_ieee802154_lowpan *ieee802154_lowpan = 480 net_ieee802154_lowpan(net); 481 482 table = ieee802154_lowpan->sysctl.frags_hdr->ctl_table_arg; 483 unregister_net_sysctl_table(ieee802154_lowpan->sysctl.frags_hdr); 484 if (!net_eq(net, &init_net)) 485 kfree(table); 486 } 487 488 static struct ctl_table_header *lowpan_ctl_header; 489 490 static int __init lowpan_frags_sysctl_register(void) 491 { 492 lowpan_ctl_header = register_net_sysctl(&init_net, 493 "net/ieee802154/6lowpan", 494 lowpan_frags_ctl_table); 495 return lowpan_ctl_header == NULL ? -ENOMEM : 0; 496 } 497 498 static void lowpan_frags_sysctl_unregister(void) 499 { 500 unregister_net_sysctl_table(lowpan_ctl_header); 501 } 502 #else 503 static inline int lowpan_frags_ns_sysctl_register(struct net *net) 504 { 505 return 0; 506 } 507 508 static inline void lowpan_frags_ns_sysctl_unregister(struct net *net) 509 { 510 } 511 512 static inline int __init lowpan_frags_sysctl_register(void) 513 { 514 return 0; 515 } 516 517 static inline void lowpan_frags_sysctl_unregister(void) 518 { 519 } 520 #endif 521 522 static int __net_init lowpan_frags_init_net(struct net *net) 523 { 524 struct netns_ieee802154_lowpan *ieee802154_lowpan = 525 net_ieee802154_lowpan(net); 526 527 ieee802154_lowpan->frags.high_thresh = IPV6_FRAG_HIGH_THRESH; 528 ieee802154_lowpan->frags.low_thresh = IPV6_FRAG_LOW_THRESH; 529 ieee802154_lowpan->frags.timeout = IPV6_FRAG_TIMEOUT; 530 531 inet_frags_init_net(&ieee802154_lowpan->frags); 532 533 return lowpan_frags_ns_sysctl_register(net); 534 } 535 536 static void __net_exit lowpan_frags_exit_net(struct net *net) 537 { 538 struct netns_ieee802154_lowpan *ieee802154_lowpan = 539 net_ieee802154_lowpan(net); 540 541 lowpan_frags_ns_sysctl_unregister(net); 542 inet_frags_exit_net(&ieee802154_lowpan->frags, &lowpan_frags); 543 } 544 545 static struct pernet_operations lowpan_frags_ops = { 546 .init = lowpan_frags_init_net, 547 .exit = lowpan_frags_exit_net, 548 }; 549 550 int __init lowpan_net_frag_init(void) 551 { 552 int ret; 553 554 ret = lowpan_frags_sysctl_register(); 555 if (ret) 556 return ret; 557 558 ret = register_pernet_subsys(&lowpan_frags_ops); 559 if (ret) 560 goto err_pernet; 561 562 lowpan_frags.hashfn = lowpan_hashfn; 563 lowpan_frags.constructor = lowpan_frag_init; 564 lowpan_frags.destructor = NULL; 565 lowpan_frags.skb_free = NULL; 566 lowpan_frags.qsize = sizeof(struct frag_queue); 567 lowpan_frags.match = lowpan_frag_match; 568 lowpan_frags.frag_expire = lowpan_frag_expire; 569 lowpan_frags.frags_cache_name = lowpan_frags_cache_name; 570 ret = inet_frags_init(&lowpan_frags); 571 if (ret) 572 goto err_pernet; 573 574 return ret; 575 err_pernet: 576 lowpan_frags_sysctl_unregister(); 577 return ret; 578 } 579 580 void lowpan_net_frag_exit(void) 581 { 582 inet_frags_fini(&lowpan_frags); 583 lowpan_frags_sysctl_unregister(); 584 unregister_pernet_subsys(&lowpan_frags_ops); 585 } 586