1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* Service connection management 3 * 4 * Copyright (C) 2016 Red Hat, Inc. All Rights Reserved. 5 * Written by David Howells (dhowells@redhat.com) 6 */ 7 8 #include <linux/slab.h> 9 #include "ar-internal.h" 10 11 static struct rxrpc_bundle rxrpc_service_dummy_bundle = { 12 .ref = REFCOUNT_INIT(1), 13 .debug_id = UINT_MAX, 14 .channel_lock = __SPIN_LOCK_UNLOCKED(&rxrpc_service_dummy_bundle.channel_lock), 15 }; 16 17 /* 18 * Find a service connection under RCU conditions. 19 * 20 * We could use a hash table, but that is subject to bucket stuffing by an 21 * attacker as the client gets to pick the epoch and cid values and would know 22 * the hash function. So, instead, we use a hash table for the peer and from 23 * that an rbtree to find the service connection. Under ordinary circumstances 24 * it might be slower than a large hash table, but it is at least limited in 25 * depth. 26 */ 27 struct rxrpc_connection *rxrpc_find_service_conn_rcu(struct rxrpc_peer *peer, 28 struct sk_buff *skb) 29 { 30 struct rxrpc_connection *conn = NULL; 31 struct rxrpc_conn_proto k; 32 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 33 struct rb_node *p; 34 unsigned int seq = 0; 35 36 k.epoch = sp->hdr.epoch; 37 k.cid = sp->hdr.cid & RXRPC_CIDMASK; 38 39 do { 40 /* Unfortunately, rbtree walking doesn't give reliable results 41 * under just the RCU read lock, so we have to check for 42 * changes. 43 */ 44 read_seqbegin_or_lock(&peer->service_conn_lock, &seq); 45 46 p = rcu_dereference_raw(peer->service_conns.rb_node); 47 while (p) { 48 conn = rb_entry(p, struct rxrpc_connection, service_node); 49 50 if (conn->proto.index_key < k.index_key) 51 p = rcu_dereference_raw(p->rb_left); 52 else if (conn->proto.index_key > k.index_key) 53 p = rcu_dereference_raw(p->rb_right); 54 else 55 break; 56 conn = NULL; 57 } 58 } while (need_seqretry(&peer->service_conn_lock, seq)); 59 60 done_seqretry(&peer->service_conn_lock, seq); 61 _leave(" = %d", conn ? conn->debug_id : -1); 62 return conn; 63 } 64 65 /* 66 * Insert a service connection into a peer's tree, thereby making it a target 67 * for incoming packets. 68 */ 69 static void rxrpc_publish_service_conn(struct rxrpc_peer *peer, 70 struct rxrpc_connection *conn) 71 { 72 struct rxrpc_connection *cursor = NULL; 73 struct rxrpc_conn_proto k = conn->proto; 74 struct rb_node **pp, *parent; 75 76 write_seqlock(&peer->service_conn_lock); 77 78 pp = &peer->service_conns.rb_node; 79 parent = NULL; 80 while (*pp) { 81 parent = *pp; 82 cursor = rb_entry(parent, 83 struct rxrpc_connection, service_node); 84 85 if (cursor->proto.index_key < k.index_key) 86 pp = &(*pp)->rb_left; 87 else if (cursor->proto.index_key > k.index_key) 88 pp = &(*pp)->rb_right; 89 else 90 goto found_extant_conn; 91 } 92 93 rb_link_node_rcu(&conn->service_node, parent, pp); 94 rb_insert_color(&conn->service_node, &peer->service_conns); 95 conn_published: 96 set_bit(RXRPC_CONN_IN_SERVICE_CONNS, &conn->flags); 97 write_sequnlock(&peer->service_conn_lock); 98 _leave(" = %d [new]", conn->debug_id); 99 return; 100 101 found_extant_conn: 102 if (refcount_read(&cursor->ref) == 0) 103 goto replace_old_connection; 104 write_sequnlock(&peer->service_conn_lock); 105 /* We should not be able to get here. rxrpc_incoming_connection() is 106 * called in a non-reentrant context, so there can't be a race to 107 * insert a new connection. 108 */ 109 BUG(); 110 111 replace_old_connection: 112 /* The old connection is from an outdated epoch. */ 113 _debug("replace conn"); 114 rb_replace_node_rcu(&cursor->service_node, 115 &conn->service_node, 116 &peer->service_conns); 117 clear_bit(RXRPC_CONN_IN_SERVICE_CONNS, &cursor->flags); 118 goto conn_published; 119 } 120 121 /* 122 * Preallocate a service connection. The connection is placed on the proc and 123 * reap lists so that we don't have to get the lock from BH context. 124 */ 125 struct rxrpc_connection *rxrpc_prealloc_service_connection(struct rxrpc_net *rxnet, 126 gfp_t gfp) 127 { 128 struct rxrpc_connection *conn = rxrpc_alloc_connection(rxnet, gfp); 129 130 if (conn) { 131 /* We maintain an extra ref on the connection whilst it is on 132 * the rxrpc_connections list. 133 */ 134 conn->state = RXRPC_CONN_SERVICE_PREALLOC; 135 refcount_set(&conn->ref, 2); 136 conn->bundle = rxrpc_get_bundle(&rxrpc_service_dummy_bundle, 137 rxrpc_bundle_get_service_conn); 138 139 atomic_inc(&rxnet->nr_conns); 140 write_lock(&rxnet->conn_lock); 141 list_add_tail(&conn->link, &rxnet->service_conns); 142 list_add_tail(&conn->proc_link, &rxnet->conn_proc_list); 143 write_unlock(&rxnet->conn_lock); 144 145 rxrpc_see_connection(conn, rxrpc_conn_new_service); 146 } 147 148 return conn; 149 } 150 151 /* 152 * Set up an incoming connection. This is called in BH context with the RCU 153 * read lock held. 154 */ 155 void rxrpc_new_incoming_connection(struct rxrpc_sock *rx, 156 struct rxrpc_connection *conn, 157 const struct rxrpc_security *sec, 158 struct sk_buff *skb) 159 { 160 struct rxrpc_skb_priv *sp = rxrpc_skb(skb); 161 162 _enter(""); 163 164 conn->proto.epoch = sp->hdr.epoch; 165 conn->proto.cid = sp->hdr.cid & RXRPC_CIDMASK; 166 conn->orig_service_id = sp->hdr.serviceId; 167 conn->service_id = sp->hdr.serviceId; 168 conn->security_ix = sp->hdr.securityIndex; 169 conn->out_clientflag = 0; 170 conn->security = sec; 171 if (conn->security_ix) 172 conn->state = RXRPC_CONN_SERVICE_UNSECURED; 173 else 174 conn->state = RXRPC_CONN_SERVICE; 175 176 /* See if we should upgrade the service. This can only happen on the 177 * first packet on a new connection. Once done, it applies to all 178 * subsequent calls on that connection. 179 */ 180 if (sp->hdr.userStatus == RXRPC_USERSTATUS_SERVICE_UPGRADE && 181 conn->service_id == rx->service_upgrade.from) 182 conn->service_id = rx->service_upgrade.to; 183 184 atomic_set(&conn->active, 1); 185 186 /* Make the connection a target for incoming packets. */ 187 rxrpc_publish_service_conn(conn->peer, conn); 188 } 189 190 /* 191 * Remove the service connection from the peer's tree, thereby removing it as a 192 * target for incoming packets. 193 */ 194 void rxrpc_unpublish_service_conn(struct rxrpc_connection *conn) 195 { 196 struct rxrpc_peer *peer = conn->peer; 197 198 write_seqlock(&peer->service_conn_lock); 199 if (test_and_clear_bit(RXRPC_CONN_IN_SERVICE_CONNS, &conn->flags)) 200 rb_erase(&conn->service_node, &peer->service_conns); 201 write_sequnlock(&peer->service_conn_lock); 202 } 203