98d4435efc
Since smc_inet6_prot does not initialize ipv6_pinfo_offset, inet6_create()
copies an incorrect address value, sk + 0 (offset), to inet_sk(sk)->pinet6.
In addition, since inet_sk(sk)->pinet6 and smc_sk(sk)->clcsock practically
point to the same address, when smc_create_clcsk() stores the newly
created clcsock in smc_sk(sk)->clcsock, inet_sk(sk)->pinet6 is corrupted
into clcsock. This causes NULL pointer dereference and various other
memory corruptions.
To solve this problem, you need to initialize ipv6_pinfo_offset, add a
smc6_sock structure, and then add ipv6_pinfo as the second member of
the smc_sock structure.
Reported-by: syzkaller <syzkaller@googlegroups.com>
Fixes: d25a92ccae ("net/smc: Introduce IPPROTO_SMC")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
/* SPDX-License-Identifier: GPL-2.0 */
/*
 * Shared Memory Communications over RDMA (SMC-R) and RoCE
 *
 * Definitions for the SMC module (socket related)
 *
 * Copyright IBM Corp. 2016
 *
 * Author(s): Ursula Braun <ubraun@linux.vnet.ibm.com>
 */
#ifndef __SMC_H
#define __SMC_H
#include <linux/socket.h>
#include <linux/types.h>
#include <linux/compiler.h> /* __aligned */
#include <net/genetlink.h>
#include <net/sock.h>
#include "smc_ib.h"
/* SMC protocol versions */
#define SMC_V1		1
#define SMC_V2		2

/* Release levels; SMC_RELEASE always names the latest one */
#define SMC_RELEASE_0	0
#define SMC_RELEASE_1	1
#define SMC_RELEASE	SMC_RELEASE_1

/* Protocol selectors: SMC over IPv4 and SMC over IPv6 */
#define SMCPROTO_SMC	0
#define SMCPROTO_SMC6	1

/* Default autocorking size: 0x10000 bytes (64K) */
#define SMC_AUTOCORKING_DEFAULT_SIZE	0x10000
/* struct proto instances for SMC; only declared here, defined elsewhere */
extern struct proto		smc_proto;
extern struct proto		smc_proto6;

/* SMC socket hash tables, one for v4 and one for v6 (going by the names) */
extern struct smc_hashinfo	smc_v4_hashinfo;
extern struct smc_hashinfo	smc_v6_hashinfo;
/* hashing of SMC sockets and the sock release callback */
int smc_hash_sk(struct sock *sk);
void smc_unhash_sk(struct sock *sk);
void smc_release_cb(struct sock *sk);

/*
 * Socket-level operations on an SMC socket.  Only the prototypes live here.
 * smc_getsockopt() takes __user pointers and smc_setsockopt() a sockptr_t
 * plus length; validating them is up to the implementations, which are not
 * part of this header.
 */
int smc_release(struct socket *sock);
int smc_bind(struct socket *sock, struct sockaddr *uaddr, int addr_len);
int smc_connect(struct socket *sock, struct sockaddr *addr, int alen,
		int flags);
int smc_accept(struct socket *sock, struct socket *new_sock,
	       struct proto_accept_arg *arg);
int smc_getname(struct socket *sock, struct sockaddr *addr, int peer);
__poll_t smc_poll(struct file *file, struct socket *sock, poll_table *wait);
int smc_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg);
int smc_listen(struct socket *sock, int backlog);
int smc_shutdown(struct socket *sock, int how);
int smc_setsockopt(struct socket *sock, int level, int optname,
		   sockptr_t optval, unsigned int optlen);
int smc_getsockopt(struct socket *sock, int level, int optname,
		   char __user *optval, int __user *optlen);
int smc_sendmsg(struct socket *sock, struct msghdr *msg, size_t len);
int smc_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
		int flags);
ssize_t smc_splice_read(struct socket *sock, loff_t *ppos,
			struct pipe_inode_info *pipe, size_t len,
			unsigned int flags);

/* smc sock initialization */
void smc_sk_init(struct net *net, struct sock *sk, int protocol);
/* clcsock initialization */
int smc_create_clcsk(struct net *net, struct sock *sk, int family);
/*
 * KERNEL_HAS_ATOMIC64 is defined whenever ATOMIC64_INIT is available.
 * Further down it selects atomic64_t for union smc_host_cursor and drops
 * acurs_lock from struct smc_connection.
 */
#if defined(ATOMIC64_INIT)
#define KERNEL_HAS_ATOMIC64
#endif
/*
 * Possible states of an SMC socket.  Every value is given explicitly and
 * the numbering is not contiguous.
 */
enum smc_state {
	SMC_ACTIVE		= 1,
	SMC_INIT		= 2,
	SMC_CLOSED		= 7,
	SMC_LISTEN		= 10,

	/* normal close */
	SMC_PEERCLOSEWAIT1	= 20,
	SMC_PEERCLOSEWAIT2	= 21,
	SMC_APPFINCLOSEWAIT	= 24,
	SMC_APPCLOSEWAIT1	= 22,
	SMC_APPCLOSEWAIT2	= 23,
	SMC_PEERFINCLOSEWAIT	= 25,

	/* abnormal close */
	SMC_PEERABORTWAIT	= 26,
	SMC_PROCESSABORT	= 27,
};
/*
 * Supplemental feature numbers.  Each value is a bit position:
 * SMC_FEATURE_MASK feeds it to BIT().
 */
enum smc_supplemental_features {
	SMC_SPF_EMULATED_ISM_DEV	= 0,
};
/* Bit mask covering every supplemental feature listed in this header */
#define SMC_FEATURE_MASK	(BIT(SMC_SPF_EMULATED_ISM_DEV))
/* forward declaration; this header only uses pointers to it */
struct smc_link_group;
/*
 * Common prefix of LLC and CDC messages, used to demultiplex them.
 * @type overlays the two 4-bit LLC fields; which of them comes first in
 * the declaration depends on the bitfield endianness of the build.
 */
struct smc_wr_rx_hdr {
	union {
		u8 type;
#if defined(__BIG_ENDIAN_BITFIELD)
		struct {
			u8 llc_version:4;
			u8 llc_type:4;
		};
#elif defined(__LITTLE_ENDIAN_BITFIELD)
		struct {
			u8 llc_type:4;
			u8 llc_version:4;
		};
#endif
	};
} __aligned(1);
/*
 * Connection state flags carried in a CDC message, three 1-bit flags plus
 * five reserved bits.  The little-endian branch declares the same bits in
 * mirrored order.
 */
struct smc_cdc_conn_state_flags {
#if defined(__BIG_ENDIAN_BITFIELD)
	u8 peer_done_writing : 1;	/* Sending done indicator */
	u8 peer_conn_closed : 1;	/* Peer connection closed indicator */
	u8 peer_conn_abort : 1;		/* Abnormal close indicator */
	u8 reserved : 5;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
	u8 reserved : 5;
	u8 peer_conn_abort : 1;		/* Abnormal close indicator */
	u8 peer_conn_closed : 1;	/* Peer connection closed indicator */
	u8 peer_done_writing : 1;	/* Sending done indicator */
#endif
};
/*
 * Producer flags carried in a CDC message, five 1-bit flags plus three
 * reserved bits.  The little-endian branch declares the same bits in
 * mirrored order.
 */
struct smc_cdc_producer_flags {
#if defined(__BIG_ENDIAN_BITFIELD)
	u8 write_blocked : 1;		/* Writing Blocked, no rx buf space */
	u8 urg_data_pending : 1;	/* Urgent Data Pending */
	u8 urg_data_present : 1;	/* Urgent Data Present */
	u8 cons_curs_upd_req : 1;	/* cursor update requested */
	u8 failover_validation : 1;	/* message replay due to failover */
	u8 reserved : 3;
#elif defined(__LITTLE_ENDIAN_BITFIELD)
	u8 reserved : 3;
	u8 failover_validation : 1;	/* message replay due to failover */
	u8 cons_curs_upd_req : 1;	/* cursor update requested */
	u8 urg_data_present : 1;	/* Urgent Data Present */
	u8 urg_data_pending : 1;	/* Urgent Data Pending */
	u8 write_blocked : 1;		/* Writing Blocked, no rx buf space */
#endif
};
/*
 * SMC cursor - an offset in an RMBE, kept in host byte order.
 * The reserved/wrap/count fields (2 + 2 + 4 bytes) share storage with
 * acurs, so the whole cursor can also be accessed as one 64-bit value.
 */
union smc_host_cursor {
	struct {
		u16	reserved;
		u16	wrap;		/* window wrap sequence number */
		u32	count;		/* cursor (= offset) part */
	};
#ifdef KERNEL_HAS_ATOMIC64
	atomic64_t	acurs;		/* for atomic processing */
#else
	u64		acurs;		/* for atomic processing */
#endif
} __aligned(8);
/*
 * Connection Data Control (CDC) message as kept on the host: every field is
 * in host byte order, except the two flag bitfields, which stay in network
 * byte order.
 */
struct smc_host_cdc_msg {
	struct smc_wr_rx_hdr		common;	/* .type = 0xFE */
	u8				len;	/* length = 44 */
	u16				seqno;	/* connection seq # */
	u32				token;	/* alert_token */
	union smc_host_cursor		prod;	/* producer cursor */
	/* consumer cursor, piggy backed "ack" */
	union smc_host_cursor		cons;
	/* conn. tx/rx status */
	struct smc_cdc_producer_flags	prod_flags;
	/* peer conn. status */
	struct smc_cdc_conn_state_flags	conn_state_flags;
	u8				reserved[18];
} __aligned(8);
/* State of the urgent (out-of-band) byte of a connection */
enum smc_urg_state {
	SMC_URG_VALID	= 1,	/* data present */
	SMC_URG_NOTYET	= 2,	/* data pending */
	SMC_URG_READ	= 3,	/* data was already read */
};
/*
 * A wait queue entry bundled with a woken flag and a key pointer.
 * NOTE(review): how the fields are used is not visible in this header.
 */
struct smc_mark_woken {
	bool			woken;
	void			*key;
	wait_queue_entry_t	wait_entry;
};
/*
 * Per-connection state of an SMC socket; embedded in struct smc_sock as
 * its conn member.
 *
 * peer_rmbe_idx is documented as coming from the TCP handshake, i.e. its
 * value is chosen by the peer.  Any range check on it has to happen where
 * it is assigned, which is not visible in this header.
 */
struct smc_connection {
	struct rb_node		alert_node;
	struct smc_link_group	*lgr;		/* link group of connection */
	struct smc_link		*lnk;		/* assigned SMC-R link */
	u32			alert_token_local; /* unique conn. id */
	u8			peer_rmbe_idx;	/* from tcp handshake */
	int			peer_rmbe_size;	/* size of peer rx buffer */
	/* remaining free bytes in peer rmbe */
	atomic_t		peer_rmbe_space;
	int			rtoken_idx;	/* idx to peer RMB rkey/addr */

	struct smc_buf_desc	*sndbuf_desc;	/* send buffer descriptor */
	struct smc_buf_desc	*rmb_desc;	/* RMBE descriptor */
	int			rmbe_size_comp;	/* compressed notation */
	/* lower limit for consumer cursor update */
	int			rmbe_update_limit;

	/*
	 * host byte order staging buffer for CDC msg send
	 * .prod cf. TCP snd_nxt
	 * .cons cf. TCP sends ack
	 */
	struct smc_host_cdc_msg	local_tx_ctrl;
	/* prod crsr - confirmed by peer */
	union smc_host_cursor	local_tx_ctrl_fin;
	/* tx - prepared data, snd_max..wmem_alloc */
	union smc_host_cursor	tx_curs_prep;
	/* tx - sent data, snd_nxt ? */
	union smc_host_cursor	tx_curs_sent;
	/* tx - confirmed by peer, snd-wnd-begin ? */
	union smc_host_cursor	tx_curs_fin;
	atomic_t		sndbuf_space;	/* remaining space in sndbuf */
	u16			tx_cdc_seq;	/* sequence # for CDC send */
	u16			tx_cdc_seq_fin;	/* sequence # - tx completed */
	spinlock_t		send_lock;	/* protect wr_sends */
	/*
	 * number of pending tx CDC wqe
	 * - inc when post wqe,
	 * - dec on polled tx cqe
	 */
	atomic_t		cdc_pend_tx_wr;
	/* wakeup on no cdc_pend_tx_wr */
	wait_queue_head_t	cdc_pend_tx_wq;
	struct delayed_work	tx_work;	/* retry of smc_cdc_msg_send */
	u32			tx_off;		/* base offset in peer rmb */

	/*
	 * filled during event_handl.
	 * .prod cf. TCP rcv_nxt
	 * .cons cf. TCP snd_una
	 */
	struct smc_host_cdc_msg	local_rx_ctrl;
	/* confirmed to peer, source of snd_una ? */
	union smc_host_cursor	rx_curs_confirmed;
	union smc_host_cursor	urg_curs;	/* points at urgent byte */
	enum smc_urg_state	urg_state;
	bool			urg_tx_pend;	/* urgent data staged */
	/*
	 * indicate urgent oob data read, but previous regular data still
	 * pending
	 */
	bool			urg_rx_skip_pend;
	char			urg_rx_byte;	/* urgent byte */
	/* flush pending tx data in sock release_cb() */
	bool			tx_in_release_sock;
	/* arrived data, not yet received */
	atomic_t		bytes_to_rcv;
	/* number of spliced bytes pending processing */
	atomic_t		splice_pending;
#ifndef KERNEL_HAS_ATOMIC64
	spinlock_t		acurs_lock;	/* protect cursors */
#endif
	struct work_struct	close_work;	/* peer sent some closing */
	struct work_struct	abort_work;	/* abort the connection */
	struct tasklet_struct	rx_tsklet;	/* Receiver tasklet for SMC-D */
	/* receive offset: 0 for SMC-R, 32 for SMC-D */
	u8			rx_off;
	u64			peer_token;	/* SMC-D token of peer */
	u8			killed : 1;	/* abnormal termination */
	u8			freed : 1;	/* normal termination */
	u8			out_of_sync : 1; /* out of sync with peer */
};
/*
 * smc sock container.
 *
 * Member order at the top is load-bearing: sk must stay first (smc_sk()
 * maps a struct sock back to this container through it) and, on IPv6
 * builds, pinet6 must stay second.
 */
struct smc_sock {
	struct sock		sk;
#if IS_ENABLED(CONFIG_IPV6)
	/*
	 * Keep this directly after sk.  According to the commit that added
	 * it, inet6_create() stores to inet_sk(sk)->pinet6, and without this
	 * slot that location was shared with clcsock, so the two writes
	 * corrupted each other.
	 * NOTE(review): presumably this mirrors where struct inet_sock keeps
	 * pinet6 - confirm before moving it or inserting members above it.
	 */
	struct ipv6_pinfo	*pinet6;
#endif
	struct socket		*clcsock;	/* internal tcp socket */

	/* callbacks of the clcsock saved before they were replaced */
	/* original stat_change fct. */
	void			(*clcsk_state_change)(struct sock *sk);
	/* original data_ready fct. */
	void			(*clcsk_data_ready)(struct sock *sk);
	/* original write_space fct. */
	void			(*clcsk_write_space)(struct sock *sk);
	/* original error_report fct. */
	void			(*clcsk_error_report)(struct sock *sk);

	struct smc_connection	conn;		/* smc connection */
	struct smc_sock		*listen_smc;	/* listen parent */
	/* handle non-blocking connect */
	struct work_struct	connect_work;
	/* handle tcp socket accepts */
	struct work_struct	tcp_listen_work;
	/* prepare new accept socket */
	struct work_struct	smc_listen_work;
	struct list_head	accept_q;	/* sockets to be accepted */
	spinlock_t		accept_q_lock;	/* protects accept_q */
	/* put constraint on handshake */
	bool			limit_smc_hs;
	bool			use_fallback;	/* fallback to tcp */
	int			fallback_rsn;	/* reason for fallback */
	/* decline reason from peer */
	u32			peer_diagnosis;
	/* queued smc handshakes */
	atomic_t		queued_smc_hs;
	struct inet_connection_sock_af_ops		af_ops;
	/* original af ops */
	const struct inet_connection_sock_af_ops	*ori_af_ops;
	/* sockopt TCP_DEFER_ACCEPT value */
	int			sockopt_defer_accept;
	/*
	 * shutdown wr or close started, waiting for unsent data to be sent
	 */
	u8			wait_close_tx_prepared : 1;
	/* non-blocking connect in flight */
	u8			connect_nonblock : 1;
	/* protects clcsock of a listen socket */
	struct mutex		clcsock_release_lock;
};
/*
 * Map a struct sock pointer to the struct smc_sock that embeds it as sk.
 * Only meaningful when @ptr really is the sk member of a struct smc_sock;
 * the macro cannot check that and yields a bogus pointer otherwise.
 */
#define smc_sk(ptr) container_of_const(ptr, struct smc_sock, sk)
/*
 * Reset the four saved clcsock callback slots of @smc to NULL.
 * A NULL slot is what smc_clcsock_replace_cb() treats as "nothing saved
 * yet", so this has to run before the first replacement.
 */
static inline void smc_init_saved_callbacks(struct smc_sock *smc)
{
	/* the four stores are independent of each other */
	smc->clcsk_error_report = NULL;
	smc->clcsk_write_space = NULL;
	smc->clcsk_data_ready = NULL;
	smc->clcsk_state_change = NULL;
}
/*
 * Return the smc_sock pointer kept in @clcsk->sk_user_data, with the
 * SK_USER_DATA_NOCOPY bit masked off.
 * The helper takes no lock and does not check the result; the caller has
 * to handle a NULL return and provide whatever protection sk_user_data
 * needs.
 */
static inline struct smc_sock *smc_clcsock_user_data(const struct sock *clcsk)
{
	uintptr_t tagged = (uintptr_t)clcsk->sk_user_data;

	return (struct smc_sock *)(tagged & ~SK_USER_DATA_NOCOPY);
}
/*
 * Install @new_cb in *@target_cb and remember the callback it replaces.
 * @target_cb: callback slot to overwrite
 * @new_cb:    callback to install
 * @saved_cb:  slot that receives the previous *@target_cb, but only while
 *             it is still NULL, so a repeated call keeps the first original
 *             instead of saving an already replaced callback
 */
static inline void smc_clcsock_replace_cb(void (**target_cb)(struct sock *),
					  void (*new_cb)(struct sock *),
					  void (**saved_cb)(struct sock *))
{
	void (*previous_cb)(struct sock *) = *target_cb;

	/* only save once */
	if (*saved_cb == NULL)
		*saved_cb = previous_cb;
	*target_cb = new_cb;
}
/*
 * Undo smc_clcsock_replace_cb(): put *@saved_cb back into *@target_cb and
 * clear *@saved_cb.  Does nothing when no callback was saved, so
 * *@target_cb is never overwritten with NULL.
 */
static inline void smc_clcsock_restore_cb(void (**target_cb)(struct sock *),
					  void (**saved_cb)(struct sock *))
{
	void (*original_cb)(struct sock *) = *saved_cb;

	if (original_cb) {
		*target_cb = original_cb;
		*saved_cb = NULL;
	}
}
/* workqueues, declared here and defined elsewhere */
extern struct workqueue_struct	*smc_hs_wq;	/* wq for handshake work */
extern struct workqueue_struct	*smc_close_wq;	/* wq for close work */

/* length in bytes of the system identifier below */
#define SMC_SYSTEMID_LEN		8

/* unique system identifier */
extern u8	local_systemid[SMC_SYSTEMID_LEN];

/* 64-bit counterparts of ntohl()/htonl(), built on the be64 helpers */
#define ntohll(x) be64_to_cpu(x)
#define htonll(x) cpu_to_be64(x)
/*
 * Store the low 24 bits of @host at @net as 3 bytes in network byte order.
 * The most significant byte of @host is dropped without notice, so the
 * caller has to make sure the value fits.  @net must have room for 3 bytes.
 */
static inline void hton24(u8 *net, u32 host)
{
	__be32 be = cpu_to_be32(host);
	const u8 *low3 = (const u8 *)&be + 1;	/* skip the MSB */

	memcpy(net, low3, 3);
}
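/*
 * Convert a received 3 byte field from network into host byte order.
 * @net: points to at least 3 readable bytes; it is only read, hence const
 *
 * Returns the value in the low 24 bits; the top byte is always zero.
 */
static inline u32 ntoh24(const u8 *net)
{
	__be32 t = 0;

	/* fill bytes 1..3 of the big-endian word, byte 0 (the MSB) stays 0 */
	memcpy(((u8 *)&t) + 1, net, 3);
	return be32_to_cpu(t);
}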
/*
 * Tell whether the internal TCP socket of @smc has an entry in either of
 * its two sk_policy slots.  Without CONFIG_XFRM this is always false.
 *
 * smc->clcsock and smc->clcsock->sk are dereferenced unchecked; the caller
 * must guarantee that both are non-NULL and stay valid during the call.
 */
#ifdef CONFIG_XFRM
static inline bool using_ipsec(struct smc_sock *smc)
{
	const struct sock *clcsk = smc->clcsock->sk;

	return clcsk->sk_policy[0] || clcsk->sk_policy[1];
}
#else
static inline bool using_ipsec(struct smc_sock *smc)
{
	return false;
}
#endif
/* forward declaration; only referenced by pointer below */
struct smc_gidlist;

/* accept queue handling and GID list setup; only declared here */
struct sock *smc_accept_dequeue(struct sock *parent, struct socket *new_sock);
void smc_close_non_accepted(struct sock *sk);
void smc_fill_gid_list(struct smc_link_group *lgr, struct smc_gidlist *gidlist,
		       struct smc_ib_device *known_dev, u8 *known_gid);

/* smc handshake limitation interface for netlink */
int smc_nl_dump_hs_limitation(struct sk_buff *skb,
			      struct netlink_callback *cb);
int smc_nl_enable_hs_limitation(struct sk_buff *skb,
				struct genl_info *info);
int smc_nl_disable_hs_limitation(struct sk_buff *skb,
				 struct genl_info *info);
/*
 * Set @flag in sk->sk_flags.  The update goes through set_bit() rather
 * than a plain read-modify-write of the flags word.
 */
static inline void smc_sock_set_flag(struct sock *sk, enum sock_flags flag)
{
	set_bit(flag, &(sk->sk_flags));
}
#endif /* __SMC_H */