1 | // SPDX-License-Identifier: GPL-2.0-or-later |
2 | /* 6LoWPAN fragment reassembly |
3 | * |
4 | * Authors: |
5 | * Alexander Aring <aar@pengutronix.de> |
6 | * |
7 | * Based on: net/ipv6/reassembly.c |
8 | */ |
9 | |
10 | #define pr_fmt(fmt) "6LoWPAN: " fmt |
11 | |
12 | #include <linux/net.h> |
13 | #include <linux/list.h> |
14 | #include <linux/netdevice.h> |
15 | #include <linux/random.h> |
16 | #include <linux/jhash.h> |
17 | #include <linux/skbuff.h> |
18 | #include <linux/slab.h> |
19 | #include <linux/export.h> |
20 | |
21 | #include <net/ieee802154_netdev.h> |
22 | #include <net/6lowpan.h> |
23 | #include <net/ipv6_frag.h> |
24 | #include <net/inet_frag.h> |
25 | #include <net/ip.h> |
26 | |
27 | #include "6lowpan_i.h" |
28 | |
29 | static const char lowpan_frags_cache_name[] = "lowpan-frags" ; |
30 | |
31 | static struct inet_frags lowpan_frags; |
32 | |
33 | static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *skb, |
34 | struct sk_buff *prev, struct net_device *ldev); |
35 | |
36 | static void lowpan_frag_init(struct inet_frag_queue *q, const void *a) |
37 | { |
38 | const struct frag_lowpan_compare_key *key = a; |
39 | |
40 | BUILD_BUG_ON(sizeof(*key) > sizeof(q->key)); |
41 | memcpy(&q->key, key, sizeof(*key)); |
42 | } |
43 | |
44 | static void lowpan_frag_expire(struct timer_list *t) |
45 | { |
46 | struct inet_frag_queue *frag = from_timer(frag, t, timer); |
47 | struct frag_queue *fq; |
48 | |
49 | fq = container_of(frag, struct frag_queue, q); |
50 | |
51 | spin_lock(lock: &fq->q.lock); |
52 | |
53 | if (fq->q.flags & INET_FRAG_COMPLETE) |
54 | goto out; |
55 | |
56 | inet_frag_kill(q: &fq->q); |
57 | out: |
58 | spin_unlock(lock: &fq->q.lock); |
59 | inet_frag_put(q: &fq->q); |
60 | } |
61 | |
62 | static inline struct lowpan_frag_queue * |
63 | fq_find(struct net *net, const struct lowpan_802154_cb *cb, |
64 | const struct ieee802154_addr *src, |
65 | const struct ieee802154_addr *dst) |
66 | { |
67 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
68 | net_ieee802154_lowpan(net); |
69 | struct frag_lowpan_compare_key key = {}; |
70 | struct inet_frag_queue *q; |
71 | |
72 | key.tag = cb->d_tag; |
73 | key.d_size = cb->d_size; |
74 | key.src = *src; |
75 | key.dst = *dst; |
76 | |
77 | q = inet_frag_find(fqdir: ieee802154_lowpan->fqdir, key: &key); |
78 | if (!q) |
79 | return NULL; |
80 | |
81 | return container_of(q, struct lowpan_frag_queue, q); |
82 | } |
83 | |
84 | static int lowpan_frag_queue(struct lowpan_frag_queue *fq, |
85 | struct sk_buff *skb, u8 frag_type) |
86 | { |
87 | struct sk_buff *prev_tail; |
88 | struct net_device *ldev; |
89 | int end, offset, err; |
90 | |
91 | /* inet_frag_queue_* functions use skb->cb; see struct ipfrag_skb_cb |
92 | * in inet_fragment.c |
93 | */ |
94 | BUILD_BUG_ON(sizeof(struct lowpan_802154_cb) > sizeof(struct inet_skb_parm)); |
95 | BUILD_BUG_ON(sizeof(struct lowpan_802154_cb) > sizeof(struct inet6_skb_parm)); |
96 | |
97 | if (fq->q.flags & INET_FRAG_COMPLETE) |
98 | goto err; |
99 | |
100 | offset = lowpan_802154_cb(skb)->d_offset << 3; |
101 | end = lowpan_802154_cb(skb)->d_size; |
102 | |
103 | /* Is this the final fragment? */ |
104 | if (offset + skb->len == end) { |
105 | /* If we already have some bits beyond end |
106 | * or have different end, the segment is corrupted. |
107 | */ |
108 | if (end < fq->q.len || |
109 | ((fq->q.flags & INET_FRAG_LAST_IN) && end != fq->q.len)) |
110 | goto err; |
111 | fq->q.flags |= INET_FRAG_LAST_IN; |
112 | fq->q.len = end; |
113 | } else { |
114 | if (end > fq->q.len) { |
115 | /* Some bits beyond end -> corruption. */ |
116 | if (fq->q.flags & INET_FRAG_LAST_IN) |
117 | goto err; |
118 | fq->q.len = end; |
119 | } |
120 | } |
121 | |
122 | ldev = skb->dev; |
123 | if (ldev) |
124 | skb->dev = NULL; |
125 | barrier(); |
126 | |
127 | prev_tail = fq->q.fragments_tail; |
128 | err = inet_frag_queue_insert(q: &fq->q, skb, offset, end); |
129 | if (err) |
130 | goto err; |
131 | |
132 | fq->q.stamp = skb->tstamp; |
133 | fq->q.mono_delivery_time = skb->mono_delivery_time; |
134 | if (frag_type == LOWPAN_DISPATCH_FRAG1) |
135 | fq->q.flags |= INET_FRAG_FIRST_IN; |
136 | |
137 | fq->q.meat += skb->len; |
138 | add_frag_mem_limit(fqdir: fq->q.fqdir, val: skb->truesize); |
139 | |
140 | if (fq->q.flags == (INET_FRAG_FIRST_IN | INET_FRAG_LAST_IN) && |
141 | fq->q.meat == fq->q.len) { |
142 | int res; |
143 | unsigned long orefdst = skb->_skb_refdst; |
144 | |
145 | skb->_skb_refdst = 0UL; |
146 | res = lowpan_frag_reasm(fq, skb, prev: prev_tail, ldev); |
147 | skb->_skb_refdst = orefdst; |
148 | return res; |
149 | } |
150 | skb_dst_drop(skb); |
151 | |
152 | return -1; |
153 | err: |
154 | kfree_skb(skb); |
155 | return -1; |
156 | } |
157 | |
158 | /* Check if this packet is complete. |
159 | * |
160 | * It is called with locked fq, and caller must check that |
161 | * queue is eligible for reassembly i.e. it is not COMPLETE, |
162 | * the last and the first frames arrived and all the bits are here. |
163 | */ |
164 | static int lowpan_frag_reasm(struct lowpan_frag_queue *fq, struct sk_buff *skb, |
165 | struct sk_buff *prev_tail, struct net_device *ldev) |
166 | { |
167 | void *reasm_data; |
168 | |
169 | inet_frag_kill(q: &fq->q); |
170 | |
171 | reasm_data = inet_frag_reasm_prepare(q: &fq->q, skb, parent: prev_tail); |
172 | if (!reasm_data) |
173 | goto out_oom; |
174 | inet_frag_reasm_finish(q: &fq->q, head: skb, reasm_data, try_coalesce: false); |
175 | |
176 | skb->dev = ldev; |
177 | skb->tstamp = fq->q.stamp; |
178 | fq->q.rb_fragments = RB_ROOT; |
179 | fq->q.fragments_tail = NULL; |
180 | fq->q.last_run_head = NULL; |
181 | |
182 | return 1; |
183 | out_oom: |
184 | net_dbg_ratelimited("lowpan_frag_reasm: no memory for reassembly\n" ); |
185 | return -1; |
186 | } |
187 | |
188 | static int lowpan_frag_rx_handlers_result(struct sk_buff *skb, |
189 | lowpan_rx_result res) |
190 | { |
191 | switch (res) { |
192 | case RX_QUEUED: |
193 | return NET_RX_SUCCESS; |
194 | case RX_CONTINUE: |
195 | /* nobody cared about this packet */ |
196 | net_warn_ratelimited("%s: received unknown dispatch\n" , |
197 | __func__); |
198 | |
199 | fallthrough; |
200 | default: |
201 | /* all others failure */ |
202 | return NET_RX_DROP; |
203 | } |
204 | } |
205 | |
206 | static lowpan_rx_result lowpan_frag_rx_h_iphc(struct sk_buff *skb) |
207 | { |
208 | int ret; |
209 | |
210 | if (!lowpan_is_iphc(dispatch: *skb_network_header(skb))) |
211 | return RX_CONTINUE; |
212 | |
213 | ret = lowpan_iphc_decompress(skb); |
214 | if (ret < 0) |
215 | return RX_DROP; |
216 | |
217 | return RX_QUEUED; |
218 | } |
219 | |
220 | static int lowpan_invoke_frag_rx_handlers(struct sk_buff *skb) |
221 | { |
222 | lowpan_rx_result res; |
223 | |
224 | #define CALL_RXH(rxh) \ |
225 | do { \ |
226 | res = rxh(skb); \ |
227 | if (res != RX_CONTINUE) \ |
228 | goto rxh_next; \ |
229 | } while (0) |
230 | |
231 | /* likely at first */ |
232 | CALL_RXH(lowpan_frag_rx_h_iphc); |
233 | CALL_RXH(lowpan_rx_h_ipv6); |
234 | |
235 | rxh_next: |
236 | return lowpan_frag_rx_handlers_result(skb, res); |
237 | #undef CALL_RXH |
238 | } |
239 | |
240 | #define LOWPAN_FRAG_DGRAM_SIZE_HIGH_MASK 0x07 |
241 | #define LOWPAN_FRAG_DGRAM_SIZE_HIGH_SHIFT 8 |
242 | |
243 | static int lowpan_get_cb(struct sk_buff *skb, u8 frag_type, |
244 | struct lowpan_802154_cb *cb) |
245 | { |
246 | bool fail; |
247 | u8 high = 0, low = 0; |
248 | __be16 d_tag = 0; |
249 | |
250 | fail = lowpan_fetch_skb(skb, data: &high, len: 1); |
251 | fail |= lowpan_fetch_skb(skb, data: &low, len: 1); |
252 | /* remove the dispatch value and use first three bits as high value |
253 | * for the datagram size |
254 | */ |
255 | cb->d_size = (high & LOWPAN_FRAG_DGRAM_SIZE_HIGH_MASK) << |
256 | LOWPAN_FRAG_DGRAM_SIZE_HIGH_SHIFT | low; |
257 | fail |= lowpan_fetch_skb(skb, data: &d_tag, len: 2); |
258 | cb->d_tag = ntohs(d_tag); |
259 | |
260 | if (frag_type == LOWPAN_DISPATCH_FRAGN) { |
261 | fail |= lowpan_fetch_skb(skb, data: &cb->d_offset, len: 1); |
262 | } else { |
263 | skb_reset_network_header(skb); |
264 | cb->d_offset = 0; |
265 | /* check if datagram_size has ipv6hdr on FRAG1 */ |
266 | fail |= cb->d_size < sizeof(struct ipv6hdr); |
267 | /* check if we can dereference the dispatch value */ |
268 | fail |= !skb->len; |
269 | } |
270 | |
271 | if (unlikely(fail)) |
272 | return -EIO; |
273 | |
274 | return 0; |
275 | } |
276 | |
277 | int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type) |
278 | { |
279 | struct lowpan_frag_queue *fq; |
280 | struct net *net = dev_net(dev: skb->dev); |
281 | struct lowpan_802154_cb *cb = lowpan_802154_cb(skb); |
282 | struct ieee802154_hdr hdr = {}; |
283 | int err; |
284 | |
285 | if (ieee802154_hdr_peek_addrs(skb, hdr: &hdr) < 0) |
286 | goto err; |
287 | |
288 | err = lowpan_get_cb(skb, frag_type, cb); |
289 | if (err < 0) |
290 | goto err; |
291 | |
292 | if (frag_type == LOWPAN_DISPATCH_FRAG1) { |
293 | err = lowpan_invoke_frag_rx_handlers(skb); |
294 | if (err == NET_RX_DROP) |
295 | goto err; |
296 | } |
297 | |
298 | if (cb->d_size > IPV6_MIN_MTU) { |
299 | net_warn_ratelimited("lowpan_frag_rcv: datagram size exceeds MTU\n" ); |
300 | goto err; |
301 | } |
302 | |
303 | fq = fq_find(net, cb, src: &hdr.source, dst: &hdr.dest); |
304 | if (fq != NULL) { |
305 | int ret; |
306 | |
307 | spin_lock(lock: &fq->q.lock); |
308 | ret = lowpan_frag_queue(fq, skb, frag_type); |
309 | spin_unlock(lock: &fq->q.lock); |
310 | |
311 | inet_frag_put(q: &fq->q); |
312 | return ret; |
313 | } |
314 | |
315 | err: |
316 | kfree_skb(skb); |
317 | return -1; |
318 | } |
319 | |
320 | #ifdef CONFIG_SYSCTL |
321 | |
322 | static struct ctl_table lowpan_frags_ns_ctl_table[] = { |
323 | { |
324 | .procname = "6lowpanfrag_high_thresh" , |
325 | .maxlen = sizeof(unsigned long), |
326 | .mode = 0644, |
327 | .proc_handler = proc_doulongvec_minmax, |
328 | }, |
329 | { |
330 | .procname = "6lowpanfrag_low_thresh" , |
331 | .maxlen = sizeof(unsigned long), |
332 | .mode = 0644, |
333 | .proc_handler = proc_doulongvec_minmax, |
334 | }, |
335 | { |
336 | .procname = "6lowpanfrag_time" , |
337 | .maxlen = sizeof(int), |
338 | .mode = 0644, |
339 | .proc_handler = proc_dointvec_jiffies, |
340 | }, |
341 | { } |
342 | }; |
343 | |
344 | /* secret interval has been deprecated */ |
345 | static int lowpan_frags_secret_interval_unused; |
346 | static struct ctl_table lowpan_frags_ctl_table[] = { |
347 | { |
348 | .procname = "6lowpanfrag_secret_interval" , |
349 | .data = &lowpan_frags_secret_interval_unused, |
350 | .maxlen = sizeof(int), |
351 | .mode = 0644, |
352 | .proc_handler = proc_dointvec_jiffies, |
353 | }, |
354 | { } |
355 | }; |
356 | |
357 | static int __net_init lowpan_frags_ns_sysctl_register(struct net *net) |
358 | { |
359 | struct ctl_table *table; |
360 | struct ctl_table_header *hdr; |
361 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
362 | net_ieee802154_lowpan(net); |
363 | size_t table_size = ARRAY_SIZE(lowpan_frags_ns_ctl_table); |
364 | |
365 | table = lowpan_frags_ns_ctl_table; |
366 | if (!net_eq(net1: net, net2: &init_net)) { |
367 | table = kmemdup(p: table, size: sizeof(lowpan_frags_ns_ctl_table), |
368 | GFP_KERNEL); |
369 | if (table == NULL) |
370 | goto err_alloc; |
371 | |
372 | /* Don't export sysctls to unprivileged users */ |
373 | if (net->user_ns != &init_user_ns) { |
374 | table[0].procname = NULL; |
375 | table_size = 0; |
376 | } |
377 | } |
378 | |
379 | table[0].data = &ieee802154_lowpan->fqdir->high_thresh; |
380 | table[0].extra1 = &ieee802154_lowpan->fqdir->low_thresh; |
381 | table[1].data = &ieee802154_lowpan->fqdir->low_thresh; |
382 | table[1].extra2 = &ieee802154_lowpan->fqdir->high_thresh; |
383 | table[2].data = &ieee802154_lowpan->fqdir->timeout; |
384 | |
385 | hdr = register_net_sysctl_sz(net, path: "net/ieee802154/6lowpan" , table, |
386 | table_size); |
387 | if (hdr == NULL) |
388 | goto err_reg; |
389 | |
390 | ieee802154_lowpan->sysctl.frags_hdr = hdr; |
391 | return 0; |
392 | |
393 | err_reg: |
394 | if (!net_eq(net1: net, net2: &init_net)) |
395 | kfree(objp: table); |
396 | err_alloc: |
397 | return -ENOMEM; |
398 | } |
399 | |
400 | static void __net_exit lowpan_frags_ns_sysctl_unregister(struct net *net) |
401 | { |
402 | struct ctl_table *table; |
403 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
404 | net_ieee802154_lowpan(net); |
405 | |
406 | table = ieee802154_lowpan->sysctl.frags_hdr->ctl_table_arg; |
407 | unregister_net_sysctl_table(header: ieee802154_lowpan->sysctl.frags_hdr); |
408 | if (!net_eq(net1: net, net2: &init_net)) |
409 | kfree(objp: table); |
410 | } |
411 | |
412 | static struct ctl_table_header *; |
413 | |
414 | static int __init lowpan_frags_sysctl_register(void) |
415 | { |
416 | lowpan_ctl_header = register_net_sysctl(&init_net, |
417 | "net/ieee802154/6lowpan" , |
418 | lowpan_frags_ctl_table); |
419 | return lowpan_ctl_header == NULL ? -ENOMEM : 0; |
420 | } |
421 | |
422 | static void lowpan_frags_sysctl_unregister(void) |
423 | { |
424 | unregister_net_sysctl_table(header: lowpan_ctl_header); |
425 | } |
426 | #else |
427 | static inline int lowpan_frags_ns_sysctl_register(struct net *net) |
428 | { |
429 | return 0; |
430 | } |
431 | |
432 | static inline void lowpan_frags_ns_sysctl_unregister(struct net *net) |
433 | { |
434 | } |
435 | |
436 | static inline int __init lowpan_frags_sysctl_register(void) |
437 | { |
438 | return 0; |
439 | } |
440 | |
441 | static inline void lowpan_frags_sysctl_unregister(void) |
442 | { |
443 | } |
444 | #endif |
445 | |
446 | static int __net_init lowpan_frags_init_net(struct net *net) |
447 | { |
448 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
449 | net_ieee802154_lowpan(net); |
450 | int res; |
451 | |
452 | |
453 | res = fqdir_init(fqdirp: &ieee802154_lowpan->fqdir, f: &lowpan_frags, net); |
454 | if (res < 0) |
455 | return res; |
456 | |
457 | ieee802154_lowpan->fqdir->high_thresh = IPV6_FRAG_HIGH_THRESH; |
458 | ieee802154_lowpan->fqdir->low_thresh = IPV6_FRAG_LOW_THRESH; |
459 | ieee802154_lowpan->fqdir->timeout = IPV6_FRAG_TIMEOUT; |
460 | |
461 | res = lowpan_frags_ns_sysctl_register(net); |
462 | if (res < 0) |
463 | fqdir_exit(fqdir: ieee802154_lowpan->fqdir); |
464 | return res; |
465 | } |
466 | |
467 | static void __net_exit lowpan_frags_pre_exit_net(struct net *net) |
468 | { |
469 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
470 | net_ieee802154_lowpan(net); |
471 | |
472 | fqdir_pre_exit(fqdir: ieee802154_lowpan->fqdir); |
473 | } |
474 | |
475 | static void __net_exit lowpan_frags_exit_net(struct net *net) |
476 | { |
477 | struct netns_ieee802154_lowpan *ieee802154_lowpan = |
478 | net_ieee802154_lowpan(net); |
479 | |
480 | lowpan_frags_ns_sysctl_unregister(net); |
481 | fqdir_exit(fqdir: ieee802154_lowpan->fqdir); |
482 | } |
483 | |
484 | static struct pernet_operations lowpan_frags_ops = { |
485 | .init = lowpan_frags_init_net, |
486 | .pre_exit = lowpan_frags_pre_exit_net, |
487 | .exit = lowpan_frags_exit_net, |
488 | }; |
489 | |
490 | static u32 lowpan_key_hashfn(const void *data, u32 len, u32 seed) |
491 | { |
492 | return jhash2(k: data, |
493 | length: sizeof(struct frag_lowpan_compare_key) / sizeof(u32), initval: seed); |
494 | } |
495 | |
496 | static u32 lowpan_obj_hashfn(const void *data, u32 len, u32 seed) |
497 | { |
498 | const struct inet_frag_queue *fq = data; |
499 | |
500 | return jhash2(k: (const u32 *)&fq->key, |
501 | length: sizeof(struct frag_lowpan_compare_key) / sizeof(u32), initval: seed); |
502 | } |
503 | |
504 | static int lowpan_obj_cmpfn(struct rhashtable_compare_arg *arg, const void *ptr) |
505 | { |
506 | const struct frag_lowpan_compare_key *key = arg->key; |
507 | const struct inet_frag_queue *fq = ptr; |
508 | |
509 | return !!memcmp(p: &fq->key, q: key, size: sizeof(*key)); |
510 | } |
511 | |
512 | static const struct rhashtable_params lowpan_rhash_params = { |
513 | .head_offset = offsetof(struct inet_frag_queue, node), |
514 | .hashfn = lowpan_key_hashfn, |
515 | .obj_hashfn = lowpan_obj_hashfn, |
516 | .obj_cmpfn = lowpan_obj_cmpfn, |
517 | .automatic_shrinking = true, |
518 | }; |
519 | |
520 | int __init lowpan_net_frag_init(void) |
521 | { |
522 | int ret; |
523 | |
524 | lowpan_frags.constructor = lowpan_frag_init; |
525 | lowpan_frags.destructor = NULL; |
526 | lowpan_frags.qsize = sizeof(struct frag_queue); |
527 | lowpan_frags.frag_expire = lowpan_frag_expire; |
528 | lowpan_frags.frags_cache_name = lowpan_frags_cache_name; |
529 | lowpan_frags.rhash_params = lowpan_rhash_params; |
530 | ret = inet_frags_init(&lowpan_frags); |
531 | if (ret) |
532 | goto out; |
533 | |
534 | ret = lowpan_frags_sysctl_register(); |
535 | if (ret) |
536 | goto err_sysctl; |
537 | |
538 | ret = register_pernet_subsys(&lowpan_frags_ops); |
539 | if (ret) |
540 | goto err_pernet; |
541 | out: |
542 | return ret; |
543 | err_pernet: |
544 | lowpan_frags_sysctl_unregister(); |
545 | err_sysctl: |
546 | inet_frags_fini(&lowpan_frags); |
547 | return ret; |
548 | } |
549 | |
550 | void lowpan_net_frag_exit(void) |
551 | { |
552 | lowpan_frags_sysctl_unregister(); |
553 | unregister_pernet_subsys(&lowpan_frags_ops); |
554 | inet_frags_fini(&lowpan_frags); |
555 | } |
556 | |