1 /* incoming call handling 2 * 3 * Copyright (C) 2007 Red Hat, Inc. All Rights Reserved. 4 * Written by David Howells (dhowells@redhat.com) 5 * 6 * This program is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU General Public License 8 * as published by the Free Software Foundation; either version 9 * 2 of the License, or (at your option) any later version. 10 */ 11 12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt 13 14 #include <linux/module.h> 15 #include <linux/net.h> 16 #include <linux/skbuff.h> 17 #include <linux/errqueue.h> 18 #include <linux/udp.h> 19 #include <linux/in.h> 20 #include <linux/in6.h> 21 #include <linux/icmp.h> 22 #include <linux/gfp.h> 23 #include <linux/circ_buf.h> 24 #include <net/sock.h> 25 #include <net/af_rxrpc.h> 26 #include <net/ip.h> 27 #include "ar-internal.h" 28 29 /* 30 * Preallocate a single service call, connection and peer and, if possible, 31 * give them a user ID and attach the user's side of the ID to them. 32 */ 33 static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx, 34 struct rxrpc_backlog *b, 35 rxrpc_notify_rx_t notify_rx, 36 rxrpc_user_attach_call_t user_attach_call, 37 unsigned long user_call_ID, gfp_t gfp, 38 unsigned int debug_id) 39 { 40 const void *here = __builtin_return_address(0); 41 struct rxrpc_call *call; 42 struct rxrpc_net *rxnet = rxrpc_net(sock_net(&rx->sk)); 43 int max, tmp; 44 unsigned int size = RXRPC_BACKLOG_MAX; 45 unsigned int head, tail, call_head, call_tail; 46 47 max = rx->sk.sk_max_ack_backlog; 48 tmp = rx->sk.sk_ack_backlog; 49 if (tmp >= max) { 50 _leave(" = -ENOBUFS [full %u]", max); 51 return -ENOBUFS; 52 } 53 max -= tmp; 54 55 /* We don't need more conns and peers than we have calls, but on the 56 * other hand, we shouldn't ever use more peers than conns or conns 57 * than calls. 58 */ 59 call_head = b->call_backlog_head; 60 call_tail = READ_ONCE(b->call_backlog_tail); 61 tmp = CIRC_CNT(call_head, call_tail, size); 62 if (tmp >= max) { 63 _leave(" = -ENOBUFS [enough %u]", tmp); 64 return -ENOBUFS; 65 } 66 max = tmp + 1; 67 68 head = b->peer_backlog_head; 69 tail = READ_ONCE(b->peer_backlog_tail); 70 if (CIRC_CNT(head, tail, size) < max) { 71 struct rxrpc_peer *peer = rxrpc_alloc_peer(rx->local, gfp); 72 if (!peer) 73 return -ENOMEM; 74 b->peer_backlog[head] = peer; 75 smp_store_release(&b->peer_backlog_head, 76 (head + 1) & (size - 1)); 77 } 78 79 head = b->conn_backlog_head; 80 tail = READ_ONCE(b->conn_backlog_tail); 81 if (CIRC_CNT(head, tail, size) < max) { 82 struct rxrpc_connection *conn; 83 84 conn = rxrpc_prealloc_service_connection(rxnet, gfp); 85 if (!conn) 86 return -ENOMEM; 87 b->conn_backlog[head] = conn; 88 smp_store_release(&b->conn_backlog_head, 89 (head + 1) & (size - 1)); 90 91 trace_rxrpc_conn(conn, rxrpc_conn_new_service, 92 atomic_read(&conn->usage), here); 93 } 94 95 /* Now it gets complicated, because calls get registered with the 96 * socket here, particularly if a user ID is preassigned by the user. 97 */ 98 call = rxrpc_alloc_call(rx, gfp, debug_id); 99 if (!call) 100 return -ENOMEM; 101 call->flags |= (1 << RXRPC_CALL_IS_SERVICE); 102 call->state = RXRPC_CALL_SERVER_PREALLOC; 103 104 trace_rxrpc_call(call, rxrpc_call_new_service, 105 atomic_read(&call->usage), 106 here, (const void *)user_call_ID); 107 108 write_lock(&rx->call_lock); 109 if (user_attach_call) { 110 struct rxrpc_call *xcall; 111 struct rb_node *parent, **pp; 112 113 /* Check the user ID isn't already in use */ 114 pp = &rx->calls.rb_node; 115 parent = NULL; 116 while (*pp) { 117 parent = *pp; 118 xcall = rb_entry(parent, struct rxrpc_call, sock_node); 119 if (user_call_ID < xcall->user_call_ID) 120 pp = &(*pp)->rb_left; 121 else if (user_call_ID > xcall->user_call_ID) 122 pp = &(*pp)->rb_right; 123 else 124 goto id_in_use; 125 } 126 127 call->user_call_ID = user_call_ID; 128 call->notify_rx = notify_rx; 129 rxrpc_get_call(call, rxrpc_call_got_kernel); 130 user_attach_call(call, user_call_ID); 131 rxrpc_get_call(call, rxrpc_call_got_userid); 132 rb_link_node(&call->sock_node, parent, pp); 133 rb_insert_color(&call->sock_node, &rx->calls); 134 set_bit(RXRPC_CALL_HAS_USERID, &call->flags); 135 } 136 137 list_add(&call->sock_link, &rx->sock_calls); 138 139 write_unlock(&rx->call_lock); 140 141 rxnet = call->rxnet; 142 write_lock(&rxnet->call_lock); 143 list_add_tail(&call->link, &rxnet->calls); 144 write_unlock(&rxnet->call_lock); 145 146 b->call_backlog[call_head] = call; 147 smp_store_release(&b->call_backlog_head, (call_head + 1) & (size - 1)); 148 _leave(" = 0 [%d -> %lx]", call->debug_id, user_call_ID); 149 return 0; 150 151 id_in_use: 152 write_unlock(&rx->call_lock); 153 rxrpc_cleanup_call(call); 154 _leave(" = -EBADSLT"); 155 return -EBADSLT; 156 } 157 158 /* 159 * Preallocate sufficient service connections, calls and peers to cover the 160 * entire backlog of a socket. When a new call comes in, if we don't have 161 * sufficient of each available, the call gets rejected as busy or ignored. 162 * 163 * The backlog is replenished when a connection is accepted or rejected. 164 */ 165 int rxrpc_service_prealloc(struct rxrpc_sock *rx, gfp_t gfp) 166 { 167 struct rxrpc_backlog *b = rx->backlog; 168 169 if (!b) { 170 b = kzalloc(sizeof(struct rxrpc_backlog), gfp); 171 if (!b) 172 return -ENOMEM; 173 rx->backlog = b; 174 } 175 176 if (rx->discard_new_call) 177 return 0; 178 179 while (rxrpc_service_prealloc_one(rx, b, NULL, NULL, 0, gfp, 180 atomic_inc_return(&rxrpc_debug_id)) == 0) 181 ; 182 183 return 0; 184 } 185 186 /* 187 * Discard the preallocation on a service. 188 */ 189 void rxrpc_discard_prealloc(struct rxrpc_sock *rx) 190 { 191 struct rxrpc_backlog *b = rx->backlog; 192 struct rxrpc_net *rxnet = rxrpc_net(sock_net(&rx->sk)); 193 unsigned int size = RXRPC_BACKLOG_MAX, head, tail; 194 195 if (!b) 196 return; 197 rx->backlog = NULL; 198 199 /* Make sure that there aren't any incoming calls in progress before we 200 * clear the preallocation buffers. 201 */ 202 spin_lock_bh(&rx->incoming_lock); 203 spin_unlock_bh(&rx->incoming_lock); 204 205 head = b->peer_backlog_head; 206 tail = b->peer_backlog_tail; 207 while (CIRC_CNT(head, tail, size) > 0) { 208 struct rxrpc_peer *peer = b->peer_backlog[tail]; 209 kfree(peer); 210 tail = (tail + 1) & (size - 1); 211 } 212 213 head = b->conn_backlog_head; 214 tail = b->conn_backlog_tail; 215 while (CIRC_CNT(head, tail, size) > 0) { 216 struct rxrpc_connection *conn = b->conn_backlog[tail]; 217 write_lock(&rxnet->conn_lock); 218 list_del(&conn->link); 219 list_del(&conn->proc_link); 220 write_unlock(&rxnet->conn_lock); 221 kfree(conn); 222 if (atomic_dec_and_test(&rxnet->nr_conns)) 223 wake_up_var(&rxnet->nr_conns); 224 tail = (tail + 1) & (size - 1); 225 } 226 227 head = b->call_backlog_head; 228 tail = b->call_backlog_tail; 229 while (CIRC_CNT(head, tail, size) > 0) { 230 struct rxrpc_call *call = b->call_backlog[tail]; 231 rcu_assign_pointer(call->socket, rx); 232 if (rx->discard_new_call) { 233 _debug("discard %lx", call->user_call_ID); 234 rx->discard_new_call(call, call->user_call_ID); 235 rxrpc_put_call(call, rxrpc_call_put_kernel); 236 } 237 rxrpc_call_completed(call); 238 rxrpc_release_call(rx, call); 239 rxrpc_put_call(call, rxrpc_call_put); 240 tail = (tail + 1) & (size - 1); 241 } 242 243 kfree(b); 244 } 245 246 /* 247 * Allocate a new incoming call from the prealloc pool, along with a connection 248 * and a peer as necessary. 249 */ 250 static struct rxrpc_call *rxrpc_alloc_incoming_call(struct rxrpc_sock *rx, 251 struct rxrpc_local *local, 252 struct rxrpc_peer *peer, 253 struct rxrpc_connection *conn, 254 struct sk_buff *skb) 255 { 256 struct rxrpc_backlog *b = rx->backlog; 257 struct rxrpc_call *call; 258 unsigned short call_head, conn_head, peer_head; 259 unsigned short call_tail, conn_tail, peer_tail; 260 unsigned short call_count, conn_count; 261 262 /* #calls >= #conns >= #peers must hold true. */ 263 call_head = smp_load_acquire(&b->call_backlog_head); 264 call_tail = b->call_backlog_tail; 265 call_count = CIRC_CNT(call_head, call_tail, RXRPC_BACKLOG_MAX); 266 conn_head = smp_load_acquire(&b->conn_backlog_head); 267 conn_tail = b->conn_backlog_tail; 268 conn_count = CIRC_CNT(conn_head, conn_tail, RXRPC_BACKLOG_MAX); 269 ASSERTCMP(conn_count, >=, call_count); 270 peer_head = smp_load_acquire(&b->peer_backlog_head); 271 peer_tail = b->peer_backlog_tail; 272 ASSERTCMP(CIRC_CNT(peer_head, peer_tail, RXRPC_BACKLOG_MAX), >=, 273 conn_count); 274 275 if (call_count == 0) 276 return NULL; 277 278 if (!conn) { 279 if (peer && !rxrpc_get_peer_maybe(peer)) 280 peer = NULL; 281 if (!peer) { 282 peer = b->peer_backlog[peer_tail]; 283 if (rxrpc_extract_addr_from_skb(local, &peer->srx, skb) < 0) 284 return NULL; 285 b->peer_backlog[peer_tail] = NULL; 286 smp_store_release(&b->peer_backlog_tail, 287 (peer_tail + 1) & 288 (RXRPC_BACKLOG_MAX - 1)); 289 290 rxrpc_new_incoming_peer(local, peer); 291 } 292 293 /* Now allocate and set up the connection */ 294 conn = b->conn_backlog[conn_tail]; 295 b->conn_backlog[conn_tail] = NULL; 296 smp_store_release(&b->conn_backlog_tail, 297 (conn_tail + 1) & (RXRPC_BACKLOG_MAX - 1)); 298 conn->params.local = rxrpc_get_local(local); 299 conn->params.peer = peer; 300 rxrpc_see_connection(conn); 301 rxrpc_new_incoming_connection(rx, conn, skb); 302 } else { 303 rxrpc_get_connection(conn); 304 } 305 306 /* And now we can allocate and set up a new call */ 307 call = b->call_backlog[call_tail]; 308 b->call_backlog[call_tail] = NULL; 309 smp_store_release(&b->call_backlog_tail, 310 (call_tail + 1) & (RXRPC_BACKLOG_MAX - 1)); 311 312 rxrpc_see_call(call); 313 call->conn = conn; 314 call->peer = rxrpc_get_peer(conn->params.peer); 315 call->cong_cwnd = call->peer->cong_cwnd; 316 return call; 317 } 318 319 /* 320 * Set up a new incoming call. Called in BH context with the RCU read lock 321 * held. 322 * 323 * If this is for a kernel service, when we allocate the call, it will have 324 * three refs on it: (1) the kernel service, (2) the user_call_ID tree, (3) the 325 * retainer ref obtained from the backlog buffer. Prealloc calls for userspace 326 * services only have the ref from the backlog buffer. We want to pass this 327 * ref to non-BH context to dispose of. 328 * 329 * If we want to report an error, we mark the skb with the packet type and 330 * abort code and return NULL. 331 * 332 * The call is returned with the user access mutex held. 333 */ 334 struct rxrpc_call *rxrpc_new_incoming_call(struct rxrpc_local *local, 335 struct rxrpc_sock *rx, 336 struct rxrpc_peer *peer, 337 struct rxrpc_connection *conn, 338 struct sk_buff *skb) 339 { 340 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 341 struct rxrpc_call *call; 342 343 _enter(""); 344 345 spin_lock(&rx->incoming_lock); 346 if (rx->sk.sk_state == RXRPC_SERVER_LISTEN_DISABLED || 347 rx->sk.sk_state == RXRPC_CLOSE) { 348 trace_rxrpc_abort(0, "CLS", sp->hdr.cid, sp->hdr.callNumber, 349 sp->hdr.seq, RX_INVALID_OPERATION, ESHUTDOWN); 350 skb->mark = RXRPC_SKB_MARK_REJECT_ABORT; 351 skb->priority = RX_INVALID_OPERATION; 352 _leave(" = NULL [close]"); 353 call = NULL; 354 goto out; 355 } 356 357 call = rxrpc_alloc_incoming_call(rx, local, peer, conn, skb); 358 if (!call) { 359 skb->mark = RXRPC_SKB_MARK_REJECT_BUSY; 360 _leave(" = NULL [busy]"); 361 call = NULL; 362 goto out; 363 } 364 365 trace_rxrpc_receive(call, rxrpc_receive_incoming, 366 sp->hdr.serial, sp->hdr.seq); 367 368 /* Lock the call to prevent rxrpc_kernel_send/recv_data() and 369 * sendmsg()/recvmsg() inconveniently stealing the mutex once the 370 * notification is generated. 371 * 372 * The BUG should never happen because the kernel should be well 373 * behaved enough not to access the call before the first notification 374 * event and userspace is prevented from doing so until the state is 375 * appropriate. 376 */ 377 if (!mutex_trylock(&call->user_mutex)) 378 BUG(); 379 380 /* Make the call live. */ 381 rxrpc_incoming_call(rx, call, skb); 382 conn = call->conn; 383 384 if (rx->notify_new_call) 385 rx->notify_new_call(&rx->sk, call, call->user_call_ID); 386 else 387 sk_acceptq_added(&rx->sk); 388 389 spin_lock(&conn->state_lock); 390 switch (conn->state) { 391 case RXRPC_CONN_SERVICE_UNSECURED: 392 conn->state = RXRPC_CONN_SERVICE_CHALLENGING; 393 set_bit(RXRPC_CONN_EV_CHALLENGE, &call->conn->events); 394 rxrpc_queue_conn(call->conn); 395 break; 396 397 case RXRPC_CONN_SERVICE: 398 write_lock(&call->state_lock); 399 if (rx->discard_new_call) 400 call->state = RXRPC_CALL_SERVER_RECV_REQUEST; 401 else 402 call->state = RXRPC_CALL_SERVER_ACCEPTING; 403 write_unlock(&call->state_lock); 404 break; 405 406 case RXRPC_CONN_REMOTELY_ABORTED: 407 rxrpc_set_call_completion(call, RXRPC_CALL_REMOTELY_ABORTED, 408 conn->remote_abort, -ECONNABORTED); 409 break; 410 case RXRPC_CONN_LOCALLY_ABORTED: 411 rxrpc_abort_call("CON", call, sp->hdr.seq, 412 conn->local_abort, -ECONNABORTED); 413 break; 414 default: 415 BUG(); 416 } 417 spin_unlock(&conn->state_lock); 418 419 if (call->state == RXRPC_CALL_SERVER_ACCEPTING) 420 rxrpc_notify_socket(call); 421 422 /* We have to discard the prealloc queue's ref here and rely on a 423 * combination of the RCU read lock and refs held either by the socket 424 * (recvmsg queue, to-be-accepted queue or user ID tree) or the kernel 425 * service to prevent the call from being deallocated too early. 426 */ 427 rxrpc_put_call(call, rxrpc_call_put); 428 429 _leave(" = %p{%d}", call, call->debug_id); 430 out: 431 spin_unlock(&rx->incoming_lock); 432 return call; 433 } 434 435 /* 436 * handle acceptance of a call by userspace 437 * - assign the user call ID to the call at the front of the queue 438 * - called with the socket locked. 439 */ 440 struct rxrpc_call *rxrpc_accept_call(struct rxrpc_sock *rx, 441 unsigned long user_call_ID, 442 rxrpc_notify_rx_t notify_rx) 443 __releases(&rx->sk.sk_lock.slock) 444 __acquires(call->user_mutex) 445 { 446 struct rxrpc_call *call; 447 struct rb_node *parent, **pp; 448 int ret; 449 450 _enter(",%lx", user_call_ID); 451 452 ASSERT(!irqs_disabled()); 453 454 write_lock(&rx->call_lock); 455 456 if (list_empty(&rx->to_be_accepted)) { 457 write_unlock(&rx->call_lock); 458 release_sock(&rx->sk); 459 kleave(" = -ENODATA [empty]"); 460 return ERR_PTR(-ENODATA); 461 } 462 463 /* check the user ID isn't already in use */ 464 pp = &rx->calls.rb_node; 465 parent = NULL; 466 while (*pp) { 467 parent = *pp; 468 call = rb_entry(parent, struct rxrpc_call, sock_node); 469 470 if (user_call_ID < call->user_call_ID) 471 pp = &(*pp)->rb_left; 472 else if (user_call_ID > call->user_call_ID) 473 pp = &(*pp)->rb_right; 474 else 475 goto id_in_use; 476 } 477 478 /* Dequeue the first call and check it's still valid. We gain 479 * responsibility for the queue's reference. 480 */ 481 call = list_entry(rx->to_be_accepted.next, 482 struct rxrpc_call, accept_link); 483 write_unlock(&rx->call_lock); 484 485 /* We need to gain the mutex from the interrupt handler without 486 * upsetting lockdep, so we have to release it there and take it here. 487 * We are, however, still holding the socket lock, so other accepts 488 * must wait for us and no one can add the user ID behind our backs. 489 */ 490 if (mutex_lock_interruptible(&call->user_mutex) < 0) { 491 release_sock(&rx->sk); 492 kleave(" = -ERESTARTSYS"); 493 return ERR_PTR(-ERESTARTSYS); 494 } 495 496 write_lock(&rx->call_lock); 497 list_del_init(&call->accept_link); 498 sk_acceptq_removed(&rx->sk); 499 rxrpc_see_call(call); 500 501 /* Find the user ID insertion point. */ 502 pp = &rx->calls.rb_node; 503 parent = NULL; 504 while (*pp) { 505 parent = *pp; 506 call = rb_entry(parent, struct rxrpc_call, sock_node); 507 508 if (user_call_ID < call->user_call_ID) 509 pp = &(*pp)->rb_left; 510 else if (user_call_ID > call->user_call_ID) 511 pp = &(*pp)->rb_right; 512 else 513 BUG(); 514 } 515 516 write_lock_bh(&call->state_lock); 517 switch (call->state) { 518 case RXRPC_CALL_SERVER_ACCEPTING: 519 call->state = RXRPC_CALL_SERVER_RECV_REQUEST; 520 break; 521 case RXRPC_CALL_COMPLETE: 522 ret = call->error; 523 goto out_release; 524 default: 525 BUG(); 526 } 527 528 /* formalise the acceptance */ 529 call->notify_rx = notify_rx; 530 call->user_call_ID = user_call_ID; 531 rxrpc_get_call(call, rxrpc_call_got_userid); 532 rb_link_node(&call->sock_node, parent, pp); 533 rb_insert_color(&call->sock_node, &rx->calls); 534 if (test_and_set_bit(RXRPC_CALL_HAS_USERID, &call->flags)) 535 BUG(); 536 537 write_unlock_bh(&call->state_lock); 538 write_unlock(&rx->call_lock); 539 rxrpc_notify_socket(call); 540 rxrpc_service_prealloc(rx, GFP_KERNEL); 541 release_sock(&rx->sk); 542 _leave(" = %p{%d}", call, call->debug_id); 543 return call; 544 545 out_release: 546 _debug("release %p", call); 547 write_unlock_bh(&call->state_lock); 548 write_unlock(&rx->call_lock); 549 rxrpc_release_call(rx, call); 550 rxrpc_put_call(call, rxrpc_call_put); 551 goto out; 552 553 id_in_use: 554 ret = -EBADSLT; 555 write_unlock(&rx->call_lock); 556 out: 557 rxrpc_service_prealloc(rx, GFP_KERNEL); 558 release_sock(&rx->sk); 559 _leave(" = %d", ret); 560 return ERR_PTR(ret); 561 } 562 563 /* 564 * Handle rejection of a call by userspace 565 * - reject the call at the front of the queue 566 */ 567 int rxrpc_reject_call(struct rxrpc_sock *rx) 568 { 569 struct rxrpc_call *call; 570 bool abort = false; 571 int ret; 572 573 _enter(""); 574 575 ASSERT(!irqs_disabled()); 576 577 write_lock(&rx->call_lock); 578 579 if (list_empty(&rx->to_be_accepted)) { 580 write_unlock(&rx->call_lock); 581 return -ENODATA; 582 } 583 584 /* Dequeue the first call and check it's still valid. We gain 585 * responsibility for the queue's reference. 586 */ 587 call = list_entry(rx->to_be_accepted.next, 588 struct rxrpc_call, accept_link); 589 list_del_init(&call->accept_link); 590 sk_acceptq_removed(&rx->sk); 591 rxrpc_see_call(call); 592 593 write_lock_bh(&call->state_lock); 594 switch (call->state) { 595 case RXRPC_CALL_SERVER_ACCEPTING: 596 __rxrpc_abort_call("REJ", call, 1, RX_USER_ABORT, -ECONNABORTED); 597 abort = true; 598 /* fall through */ 599 case RXRPC_CALL_COMPLETE: 600 ret = call->error; 601 goto out_discard; 602 default: 603 BUG(); 604 } 605 606 out_discard: 607 write_unlock_bh(&call->state_lock); 608 write_unlock(&rx->call_lock); 609 if (abort) { 610 rxrpc_send_abort_packet(call); 611 rxrpc_release_call(rx, call); 612 rxrpc_put_call(call, rxrpc_call_put); 613 } 614 rxrpc_service_prealloc(rx, GFP_KERNEL); 615 _leave(" = %d", ret); 616 return ret; 617 } 618 619 /* 620 * rxrpc_kernel_charge_accept - Charge up socket with preallocated calls 621 * @sock: The socket on which to preallocate 622 * @notify_rx: Event notification function for the call 623 * @user_attach_call: Func to attach call to user_call_ID 624 * @user_call_ID: The tag to attach to the preallocated call 625 * @gfp: The allocation conditions. 626 * @debug_id: The tracing debug ID. 627 * 628 * Charge up the socket with preallocated calls, each with a user ID. A 629 * function should be provided to effect the attachment from the user's side. 630 * The user is given a ref to hold on the call. 631 * 632 * Note that the call may be come connected before this function returns. 633 */ 634 int rxrpc_kernel_charge_accept(struct socket *sock, 635 rxrpc_notify_rx_t notify_rx, 636 rxrpc_user_attach_call_t user_attach_call, 637 unsigned long user_call_ID, gfp_t gfp, 638 unsigned int debug_id) 639 { 640 struct rxrpc_sock *rx = rxrpc_sk(sock->sk); 641 struct rxrpc_backlog *b = rx->backlog; 642 643 if (sock->sk->sk_state == RXRPC_CLOSE) 644 return -ESHUTDOWN; 645 646 return rxrpc_service_prealloc_one(rx, b, notify_rx, 647 user_attach_call, user_call_ID, 648 gfp, debug_id); 649 } 650 EXPORT_SYMBOL(rxrpc_kernel_charge_accept); 651