]> git.ipfire.org Git - thirdparty/linux.git/blob - drivers/net/wireguard/socket.c
io_uring: reset -EBUSY error when io sq thread is waken up
[thirdparty/linux.git] / drivers / net / wireguard / socket.c
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3 * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
4 */
5
6 #include "device.h"
7 #include "peer.h"
8 #include "socket.h"
9 #include "queueing.h"
10 #include "messages.h"
11
12 #include <linux/ctype.h>
13 #include <linux/net.h>
14 #include <linux/if_vlan.h>
15 #include <linux/if_ether.h>
16 #include <linux/inetdevice.h>
17 #include <net/udp_tunnel.h>
18 #include <net/ipv6.h>
19
20 static int send4(struct wg_device *wg, struct sk_buff *skb,
21 struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
22 {
23 struct flowi4 fl = {
24 .saddr = endpoint->src4.s_addr,
25 .daddr = endpoint->addr4.sin_addr.s_addr,
26 .fl4_dport = endpoint->addr4.sin_port,
27 .flowi4_mark = wg->fwmark,
28 .flowi4_proto = IPPROTO_UDP
29 };
30 struct rtable *rt = NULL;
31 struct sock *sock;
32 int ret = 0;
33
34 skb_mark_not_on_list(skb);
35 skb->dev = wg->dev;
36 skb->mark = wg->fwmark;
37
38 rcu_read_lock_bh();
39 sock = rcu_dereference_bh(wg->sock4);
40
41 if (unlikely(!sock)) {
42 ret = -ENONET;
43 goto err;
44 }
45
46 fl.fl4_sport = inet_sk(sock)->inet_sport;
47
48 if (cache)
49 rt = dst_cache_get_ip4(cache, &fl.saddr);
50
51 if (!rt) {
52 security_sk_classify_flow(sock, flowi4_to_flowi(&fl));
53 if (unlikely(!inet_confirm_addr(sock_net(sock), NULL, 0,
54 fl.saddr, RT_SCOPE_HOST))) {
55 endpoint->src4.s_addr = 0;
56 *(__force __be32 *)&endpoint->src_if4 = 0;
57 fl.saddr = 0;
58 if (cache)
59 dst_cache_reset(cache);
60 }
61 rt = ip_route_output_flow(sock_net(sock), &fl, sock);
62 if (unlikely(endpoint->src_if4 && ((IS_ERR(rt) &&
63 PTR_ERR(rt) == -EINVAL) || (!IS_ERR(rt) &&
64 rt->dst.dev->ifindex != endpoint->src_if4)))) {
65 endpoint->src4.s_addr = 0;
66 *(__force __be32 *)&endpoint->src_if4 = 0;
67 fl.saddr = 0;
68 if (cache)
69 dst_cache_reset(cache);
70 if (!IS_ERR(rt))
71 ip_rt_put(rt);
72 rt = ip_route_output_flow(sock_net(sock), &fl, sock);
73 }
74 if (unlikely(IS_ERR(rt))) {
75 ret = PTR_ERR(rt);
76 net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
77 wg->dev->name, &endpoint->addr, ret);
78 goto err;
79 } else if (unlikely(rt->dst.dev == skb->dev)) {
80 ip_rt_put(rt);
81 ret = -ELOOP;
82 net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n",
83 wg->dev->name, &endpoint->addr);
84 goto err;
85 }
86 if (cache)
87 dst_cache_set_ip4(cache, &rt->dst, fl.saddr);
88 }
89
90 skb->ignore_df = 1;
91 udp_tunnel_xmit_skb(rt, sock, skb, fl.saddr, fl.daddr, ds,
92 ip4_dst_hoplimit(&rt->dst), 0, fl.fl4_sport,
93 fl.fl4_dport, false, false);
94 goto out;
95
96 err:
97 kfree_skb(skb);
98 out:
99 rcu_read_unlock_bh();
100 return ret;
101 }
102
103 static int send6(struct wg_device *wg, struct sk_buff *skb,
104 struct endpoint *endpoint, u8 ds, struct dst_cache *cache)
105 {
106 #if IS_ENABLED(CONFIG_IPV6)
107 struct flowi6 fl = {
108 .saddr = endpoint->src6,
109 .daddr = endpoint->addr6.sin6_addr,
110 .fl6_dport = endpoint->addr6.sin6_port,
111 .flowi6_mark = wg->fwmark,
112 .flowi6_oif = endpoint->addr6.sin6_scope_id,
113 .flowi6_proto = IPPROTO_UDP
114 /* TODO: addr->sin6_flowinfo */
115 };
116 struct dst_entry *dst = NULL;
117 struct sock *sock;
118 int ret = 0;
119
120 skb_mark_not_on_list(skb);
121 skb->dev = wg->dev;
122 skb->mark = wg->fwmark;
123
124 rcu_read_lock_bh();
125 sock = rcu_dereference_bh(wg->sock6);
126
127 if (unlikely(!sock)) {
128 ret = -ENONET;
129 goto err;
130 }
131
132 fl.fl6_sport = inet_sk(sock)->inet_sport;
133
134 if (cache)
135 dst = dst_cache_get_ip6(cache, &fl.saddr);
136
137 if (!dst) {
138 security_sk_classify_flow(sock, flowi6_to_flowi(&fl));
139 if (unlikely(!ipv6_addr_any(&fl.saddr) &&
140 !ipv6_chk_addr(sock_net(sock), &fl.saddr, NULL, 0))) {
141 endpoint->src6 = fl.saddr = in6addr_any;
142 if (cache)
143 dst_cache_reset(cache);
144 }
145 dst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(sock), sock, &fl,
146 NULL);
147 if (unlikely(IS_ERR(dst))) {
148 ret = PTR_ERR(dst);
149 net_dbg_ratelimited("%s: No route to %pISpfsc, error %d\n",
150 wg->dev->name, &endpoint->addr, ret);
151 goto err;
152 } else if (unlikely(dst->dev == skb->dev)) {
153 dst_release(dst);
154 ret = -ELOOP;
155 net_dbg_ratelimited("%s: Avoiding routing loop to %pISpfsc\n",
156 wg->dev->name, &endpoint->addr);
157 goto err;
158 }
159 if (cache)
160 dst_cache_set_ip6(cache, dst, &fl.saddr);
161 }
162
163 skb->ignore_df = 1;
164 udp_tunnel6_xmit_skb(dst, sock, skb, skb->dev, &fl.saddr, &fl.daddr, ds,
165 ip6_dst_hoplimit(dst), 0, fl.fl6_sport,
166 fl.fl6_dport, false);
167 goto out;
168
169 err:
170 kfree_skb(skb);
171 out:
172 rcu_read_unlock_bh();
173 return ret;
174 #else
175 return -EAFNOSUPPORT;
176 #endif
177 }
178
179 int wg_socket_send_skb_to_peer(struct wg_peer *peer, struct sk_buff *skb, u8 ds)
180 {
181 size_t skb_len = skb->len;
182 int ret = -EAFNOSUPPORT;
183
184 read_lock_bh(&peer->endpoint_lock);
185 if (peer->endpoint.addr.sa_family == AF_INET)
186 ret = send4(peer->device, skb, &peer->endpoint, ds,
187 &peer->endpoint_cache);
188 else if (peer->endpoint.addr.sa_family == AF_INET6)
189 ret = send6(peer->device, skb, &peer->endpoint, ds,
190 &peer->endpoint_cache);
191 else
192 dev_kfree_skb(skb);
193 if (likely(!ret))
194 peer->tx_bytes += skb_len;
195 read_unlock_bh(&peer->endpoint_lock);
196
197 return ret;
198 }
199
200 int wg_socket_send_buffer_to_peer(struct wg_peer *peer, void *buffer,
201 size_t len, u8 ds)
202 {
203 struct sk_buff *skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
204
205 if (unlikely(!skb))
206 return -ENOMEM;
207
208 skb_reserve(skb, SKB_HEADER_LEN);
209 skb_set_inner_network_header(skb, 0);
210 skb_put_data(skb, buffer, len);
211 return wg_socket_send_skb_to_peer(peer, skb, ds);
212 }
213
214 int wg_socket_send_buffer_as_reply_to_skb(struct wg_device *wg,
215 struct sk_buff *in_skb, void *buffer,
216 size_t len)
217 {
218 int ret = 0;
219 struct sk_buff *skb;
220 struct endpoint endpoint;
221
222 if (unlikely(!in_skb))
223 return -EINVAL;
224 ret = wg_socket_endpoint_from_skb(&endpoint, in_skb);
225 if (unlikely(ret < 0))
226 return ret;
227
228 skb = alloc_skb(len + SKB_HEADER_LEN, GFP_ATOMIC);
229 if (unlikely(!skb))
230 return -ENOMEM;
231 skb_reserve(skb, SKB_HEADER_LEN);
232 skb_set_inner_network_header(skb, 0);
233 skb_put_data(skb, buffer, len);
234
235 if (endpoint.addr.sa_family == AF_INET)
236 ret = send4(wg, skb, &endpoint, 0, NULL);
237 else if (endpoint.addr.sa_family == AF_INET6)
238 ret = send6(wg, skb, &endpoint, 0, NULL);
239 /* No other possibilities if the endpoint is valid, which it is,
240 * as we checked above.
241 */
242
243 return ret;
244 }
245
246 int wg_socket_endpoint_from_skb(struct endpoint *endpoint,
247 const struct sk_buff *skb)
248 {
249 memset(endpoint, 0, sizeof(*endpoint));
250 if (skb->protocol == htons(ETH_P_IP)) {
251 endpoint->addr4.sin_family = AF_INET;
252 endpoint->addr4.sin_port = udp_hdr(skb)->source;
253 endpoint->addr4.sin_addr.s_addr = ip_hdr(skb)->saddr;
254 endpoint->src4.s_addr = ip_hdr(skb)->daddr;
255 endpoint->src_if4 = skb->skb_iif;
256 } else if (skb->protocol == htons(ETH_P_IPV6)) {
257 endpoint->addr6.sin6_family = AF_INET6;
258 endpoint->addr6.sin6_port = udp_hdr(skb)->source;
259 endpoint->addr6.sin6_addr = ipv6_hdr(skb)->saddr;
260 endpoint->addr6.sin6_scope_id = ipv6_iface_scope_id(
261 &ipv6_hdr(skb)->saddr, skb->skb_iif);
262 endpoint->src6 = ipv6_hdr(skb)->daddr;
263 } else {
264 return -EINVAL;
265 }
266 return 0;
267 }
268
269 static bool endpoint_eq(const struct endpoint *a, const struct endpoint *b)
270 {
271 return (a->addr.sa_family == AF_INET && b->addr.sa_family == AF_INET &&
272 a->addr4.sin_port == b->addr4.sin_port &&
273 a->addr4.sin_addr.s_addr == b->addr4.sin_addr.s_addr &&
274 a->src4.s_addr == b->src4.s_addr && a->src_if4 == b->src_if4) ||
275 (a->addr.sa_family == AF_INET6 &&
276 b->addr.sa_family == AF_INET6 &&
277 a->addr6.sin6_port == b->addr6.sin6_port &&
278 ipv6_addr_equal(&a->addr6.sin6_addr, &b->addr6.sin6_addr) &&
279 a->addr6.sin6_scope_id == b->addr6.sin6_scope_id &&
280 ipv6_addr_equal(&a->src6, &b->src6)) ||
281 unlikely(!a->addr.sa_family && !b->addr.sa_family);
282 }
283
284 void wg_socket_set_peer_endpoint(struct wg_peer *peer,
285 const struct endpoint *endpoint)
286 {
287 /* First we check unlocked, in order to optimize, since it's pretty rare
288 * that an endpoint will change. If we happen to be mid-write, and two
289 * CPUs wind up writing the same thing or something slightly different,
290 * it doesn't really matter much either.
291 */
292 if (endpoint_eq(endpoint, &peer->endpoint))
293 return;
294 write_lock_bh(&peer->endpoint_lock);
295 if (endpoint->addr.sa_family == AF_INET) {
296 peer->endpoint.addr4 = endpoint->addr4;
297 peer->endpoint.src4 = endpoint->src4;
298 peer->endpoint.src_if4 = endpoint->src_if4;
299 } else if (endpoint->addr.sa_family == AF_INET6) {
300 peer->endpoint.addr6 = endpoint->addr6;
301 peer->endpoint.src6 = endpoint->src6;
302 } else {
303 goto out;
304 }
305 dst_cache_reset(&peer->endpoint_cache);
306 out:
307 write_unlock_bh(&peer->endpoint_lock);
308 }
309
310 void wg_socket_set_peer_endpoint_from_skb(struct wg_peer *peer,
311 const struct sk_buff *skb)
312 {
313 struct endpoint endpoint;
314
315 if (!wg_socket_endpoint_from_skb(&endpoint, skb))
316 wg_socket_set_peer_endpoint(peer, &endpoint);
317 }
318
319 void wg_socket_clear_peer_endpoint_src(struct wg_peer *peer)
320 {
321 write_lock_bh(&peer->endpoint_lock);
322 memset(&peer->endpoint.src6, 0, sizeof(peer->endpoint.src6));
323 dst_cache_reset(&peer->endpoint_cache);
324 write_unlock_bh(&peer->endpoint_lock);
325 }
326
327 static int wg_receive(struct sock *sk, struct sk_buff *skb)
328 {
329 struct wg_device *wg;
330
331 if (unlikely(!sk))
332 goto err;
333 wg = sk->sk_user_data;
334 if (unlikely(!wg))
335 goto err;
336 skb_mark_not_on_list(skb);
337 wg_packet_receive(wg, skb);
338 return 0;
339
340 err:
341 kfree_skb(skb);
342 return 0;
343 }
344
345 static void sock_free(struct sock *sock)
346 {
347 if (unlikely(!sock))
348 return;
349 sk_clear_memalloc(sock);
350 udp_tunnel_sock_release(sock->sk_socket);
351 }
352
353 static void set_sock_opts(struct socket *sock)
354 {
355 sock->sk->sk_allocation = GFP_ATOMIC;
356 sock->sk->sk_sndbuf = INT_MAX;
357 sk_set_memalloc(sock->sk);
358 }
359
360 int wg_socket_init(struct wg_device *wg, u16 port)
361 {
362 int ret;
363 struct udp_tunnel_sock_cfg cfg = {
364 .sk_user_data = wg,
365 .encap_type = 1,
366 .encap_rcv = wg_receive
367 };
368 struct socket *new4 = NULL, *new6 = NULL;
369 struct udp_port_cfg port4 = {
370 .family = AF_INET,
371 .local_ip.s_addr = htonl(INADDR_ANY),
372 .local_udp_port = htons(port),
373 .use_udp_checksums = true
374 };
375 #if IS_ENABLED(CONFIG_IPV6)
376 int retries = 0;
377 struct udp_port_cfg port6 = {
378 .family = AF_INET6,
379 .local_ip6 = IN6ADDR_ANY_INIT,
380 .use_udp6_tx_checksums = true,
381 .use_udp6_rx_checksums = true,
382 .ipv6_v6only = true
383 };
384 #endif
385
386 #if IS_ENABLED(CONFIG_IPV6)
387 retry:
388 #endif
389
390 ret = udp_sock_create(wg->creating_net, &port4, &new4);
391 if (ret < 0) {
392 pr_err("%s: Could not create IPv4 socket\n", wg->dev->name);
393 return ret;
394 }
395 set_sock_opts(new4);
396 setup_udp_tunnel_sock(wg->creating_net, new4, &cfg);
397
398 #if IS_ENABLED(CONFIG_IPV6)
399 if (ipv6_mod_enabled()) {
400 port6.local_udp_port = inet_sk(new4->sk)->inet_sport;
401 ret = udp_sock_create(wg->creating_net, &port6, &new6);
402 if (ret < 0) {
403 udp_tunnel_sock_release(new4);
404 if (ret == -EADDRINUSE && !port && retries++ < 100)
405 goto retry;
406 pr_err("%s: Could not create IPv6 socket\n",
407 wg->dev->name);
408 return ret;
409 }
410 set_sock_opts(new6);
411 setup_udp_tunnel_sock(wg->creating_net, new6, &cfg);
412 }
413 #endif
414
415 wg_socket_reinit(wg, new4->sk, new6 ? new6->sk : NULL);
416 return 0;
417 }
418
419 void wg_socket_reinit(struct wg_device *wg, struct sock *new4,
420 struct sock *new6)
421 {
422 struct sock *old4, *old6;
423
424 mutex_lock(&wg->socket_update_lock);
425 old4 = rcu_dereference_protected(wg->sock4,
426 lockdep_is_held(&wg->socket_update_lock));
427 old6 = rcu_dereference_protected(wg->sock6,
428 lockdep_is_held(&wg->socket_update_lock));
429 rcu_assign_pointer(wg->sock4, new4);
430 rcu_assign_pointer(wg->sock6, new6);
431 if (new4)
432 wg->incoming_port = ntohs(inet_sk(new4)->inet_sport);
433 mutex_unlock(&wg->socket_update_lock);
434 synchronize_rcu();
435 sock_free(old4);
436 sock_free(old6);
437 }