1	// SPDX-License-Identifier: GPL-2.0
2	/*
3	* Management Component Transport Protocol (MCTP) - routing
4	* implementation.
5	*
6	* This is currently based on a simple routing table, with no dst cache. The
7	* number of routes should stay fairly small, so the lookup cost is small.
8	*
9	* Copyright (c) 2021 Code Construct
10	* Copyright (c) 2021 Google
11	*/
12
13	#include <linux/idr.h>
14	#include <linux/kconfig.h>
15	#include <linux/mctp.h>
16	#include <linux/netdevice.h>
17	#include <linux/rtnetlink.h>
18	#include <linux/skbuff.h>
19
20	#include <kunit/static_stub.h>
21
22	#include <uapi/linux/if_arp.h>
23
24	#include <net/mctp.h>
25	#include <net/mctpdevice.h>
26	#include <net/netlink.h>
27	#include <net/sock.h>
28
29	#include <trace/events/mctp.h>
30
31	static const unsigned int mctp_message_maxlen = 64 * 1024;
32	static const unsigned long mctp_key_lifetime = 6 * CONFIG_HZ;
33
34	static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev);
35
36	/* route output callbacks */
37	static int mctp_dst_discard(struct mctp_dst *dst, struct sk_buff *skb)
38	{
39	kfree_skb(skb);
40	return 0;
41	}
42
43	static struct mctp_sock *mctp_lookup_bind_details(struct net *net,
44	struct sk_buff *skb,
45	u8 type, u8 dest,
46	u8 src, bool allow_net_any)
47	{
48	struct mctp_skb_cb *cb = mctp_cb(skb);
49	struct sock *sk;
50	u8 hash;
51
52	WARN_ON_ONCE(!rcu_read_lock_held());
53
54	hash = mctp_bind_hash(type, local_addr: dest, peer_addr: src);
55
56	sk_for_each_rcu(sk, &net->mctp.binds[hash]) {
57	struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk);
58
59	if (!allow_net_any && msk->bind_net == MCTP_NET_ANY)
60	continue;
61
62	if (msk->bind_net != MCTP_NET_ANY && msk->bind_net != cb->net)
63	continue;
64
65	if (msk->bind_type != type)
66	continue;
67
68	if (msk->bind_peer_set &&
69	!mctp_address_matches(match: msk->bind_peer_addr, eid: src))
70	continue;
71
72	if (!mctp_address_matches(match: msk->bind_local_addr, eid: dest))
73	continue;
74
75	return msk;
76	}
77
78	return NULL;
79	}
80
81	static struct mctp_sock *mctp_lookup_bind(struct net *net, struct sk_buff *skb)
82	{
83	struct mctp_sock *msk;
84	struct mctp_hdr *mh;
85	u8 type;
86
87	/* TODO: look up in skb->cb? */
88	mh = mctp_hdr(skb);
89
90	if (!skb_headlen(skb))
91	return NULL;
92
93	type = (*(u8 *)skb->data) & 0x7f;
94
95	/* Look for binds in order of widening scope. A given destination or
96	* source address also implies matching on a particular network.
97	*
98	* - Matching destination and source
99	* - Matching destination
100	* - Matching source
101	* - Matching network, any address
102	* - Any network or address
103	*/
104
105	msk = mctp_lookup_bind_details(net, skb, type, dest: mh->dest, src: mh->src,
106	allow_net_any: false);
107	if (msk)
108	return msk;
109	msk = mctp_lookup_bind_details(net, skb, type, MCTP_ADDR_ANY, src: mh->src,
110	allow_net_any: false);
111	if (msk)
112	return msk;
113	msk = mctp_lookup_bind_details(net, skb, type, dest: mh->dest, MCTP_ADDR_ANY,
114	allow_net_any: false);
115	if (msk)
116	return msk;
117	msk = mctp_lookup_bind_details(net, skb, type, MCTP_ADDR_ANY,
118	MCTP_ADDR_ANY, allow_net_any: false);
119	if (msk)
120	return msk;
121	msk = mctp_lookup_bind_details(net, skb, type, MCTP_ADDR_ANY,
122	MCTP_ADDR_ANY, allow_net_any: true);
123	if (msk)
124	return msk;
125
126	return NULL;
127	}
128
129	/* A note on the key allocations.
130	*
131	* struct net->mctp.keys contains our set of currently-allocated keys for
132	* MCTP tag management. The lookup tuple for these is the peer EID,
133	* local EID and MCTP tag.
134	*
135	* In some cases, the peer EID may be MCTP_EID_ANY: for example, when a
136	* broadcast message is sent, we may receive responses from any peer EID.
137	* Because the broadcast dest address is equivalent to ANY, we create
138	* a key with (local = local-eid, peer = ANY). This allows a match on the
139	* incoming broadcast responses from any peer.
140	*
141	* We perform lookups when packets are received, and when tags are allocated
142	* in two scenarios:
143	*
144	* - when a packet is sent, with a locally-owned tag: we need to find an
145	* unused tag value for the (local, peer) EID pair.
146	*
147	* - when a tag is manually allocated: we need to find an unused tag value
148	* for the peer EID, but don't have a specific local EID at that stage.
149	*
150	* in the latter case, on successful allocation, we end up with a tag with
151	* (local = ANY, peer = peer-eid).
152	*
153	* So, the key set allows both a local EID of ANY, as well as a peer EID of
154	* ANY in the lookup tuple. Both may be ANY if we prealloc for a broadcast.
155	* The matching (in mctp_key_match()) during lookup allows the match value to
156	* be ANY in either the dest or source addresses.
157	*
158	* When allocating (+ inserting) a tag, we need to check for conflicts amongst
159	* the existing tag set. This requires macthing either exactly on the local
160	* and peer addresses, or either being ANY.
161	*/
162
163	static bool mctp_key_match(struct mctp_sk_key *key, unsigned int net,
164	mctp_eid_t local, mctp_eid_t peer, u8 tag)
165	{
166	if (key->net != net)
167	return false;
168
169	if (!mctp_address_matches(match: key->local_addr, eid: local))
170	return false;
171
172	if (!mctp_address_matches(match: key->peer_addr, eid: peer))
173	return false;
174
175	if (key->tag != tag)
176	return false;
177
178	return true;
179	}
180
181	/* returns a key (with key->lock held, and refcounted), or NULL if no such
182	* key exists.
183	*/
184	static struct mctp_sk_key *mctp_lookup_key(struct net *net, struct sk_buff *skb,
185	unsigned int netid, mctp_eid_t peer,
186	unsigned long *irqflags)
187	__acquires(&key->lock)
188	{
189	struct mctp_sk_key *key, *ret;
190	unsigned long flags;
191	struct mctp_hdr *mh;
192	u8 tag;
193
194	mh = mctp_hdr(skb);
195	tag = mh->flags_seq_tag & (MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
196
197	ret = NULL;
198	spin_lock_irqsave(&net->mctp.keys_lock, flags);
199
200	hlist_for_each_entry(key, &net->mctp.keys, hlist) {
201	if (!mctp_key_match(key, net: netid, local: mh->dest, peer, tag))
202	continue;
203
204	spin_lock(lock: &key->lock);
205	if (key->valid) {
206	refcount_inc(r: &key->refs);
207	ret = key;
208	break;
209	}
210	spin_unlock(lock: &key->lock);
211	}
212
213	if (ret) {
214	spin_unlock(lock: &net->mctp.keys_lock);
215	*irqflags = flags;
216	} else {
217	spin_unlock_irqrestore(lock: &net->mctp.keys_lock, flags);
218	}
219
220	return ret;
221	}
222
223	static struct mctp_sk_key *mctp_key_alloc(struct mctp_sock *msk,
224	unsigned int net,
225	mctp_eid_t local, mctp_eid_t peer,
226	u8 tag, gfp_t gfp)
227	{
228	struct mctp_sk_key *key;
229
230	key = kzalloc(sizeof(*key), gfp);
231	if (!key)
232	return NULL;
233
234	key->net = net;
235	key->peer_addr = peer;
236	key->local_addr = local;
237	key->tag = tag;
238	key->sk = &msk->sk;
239	key->valid = true;
240	spin_lock_init(&key->lock);
241	refcount_set(r: &key->refs, n: 1);
242	sock_hold(sk: key->sk);
243
244	return key;
245	}
246
247	void mctp_key_unref(struct mctp_sk_key *key)
248	{
249	unsigned long flags;
250
251	if (!refcount_dec_and_test(r: &key->refs))
252	return;
253
254	/* even though no refs exist here, the lock allows us to stay
255	* consistent with the locking requirement of mctp_dev_release_key
256	*/
257	spin_lock_irqsave(&key->lock, flags);
258	mctp_dev_release_key(dev: key->dev, key);
259	spin_unlock_irqrestore(lock: &key->lock, flags);
260
261	sock_put(sk: key->sk);
262	kfree(objp: key);
263	}
264
265	static int mctp_key_add(struct mctp_sk_key *key, struct mctp_sock *msk)
266	{
267	struct net *net = sock_net(sk: &msk->sk);
268	struct mctp_sk_key *tmp;
269	unsigned long flags;
270	int rc = 0;
271
272	spin_lock_irqsave(&net->mctp.keys_lock, flags);
273
274	if (sock_flag(sk: &msk->sk, flag: SOCK_DEAD)) {
275	rc = -EINVAL;
276	goto out_unlock;
277	}
278
279	hlist_for_each_entry(tmp, &net->mctp.keys, hlist) {
280	if (mctp_key_match(key: tmp, net: key->net, local: key->local_addr,
281	peer: key->peer_addr, tag: key->tag)) {
282	spin_lock(lock: &tmp->lock);
283	if (tmp->valid)
284	rc = -EEXIST;
285	spin_unlock(lock: &tmp->lock);
286	if (rc)
287	break;
288	}
289	}
290
291	if (!rc) {
292	refcount_inc(r: &key->refs);
293	key->expiry = jiffies + mctp_key_lifetime;
294	timer_reduce(timer: &msk->key_expiry, expires: key->expiry);
295
296	hlist_add_head(n: &key->hlist, h: &net->mctp.keys);
297	hlist_add_head(n: &key->sklist, h: &msk->keys);
298	}
299
300	out_unlock:
301	spin_unlock_irqrestore(lock: &net->mctp.keys_lock, flags);
302
303	return rc;
304	}
305
306	/* Helper for mctp_route_input().
307	* We're done with the key; unlock and unref the key.
308	* For the usual case of automatic expiry we remove the key from lists.
309	* In the case that manual allocation is set on a key we release the lock
310	* and local ref, reset reassembly, but don't remove from lists.
311	*/
312	static void __mctp_key_done_in(struct mctp_sk_key *key, struct net *net,
313	unsigned long flags, unsigned long reason)
314	__releases(&key->lock)
315	{
316	struct sk_buff *skb;
317
318	trace_mctp_key_release(key, reason);
319	skb = key->reasm_head;
320	key->reasm_head = NULL;
321
322	if (!key->manual_alloc) {
323	key->reasm_dead = true;
324	key->valid = false;
325	mctp_dev_release_key(dev: key->dev, key);
326	}
327	spin_unlock_irqrestore(lock: &key->lock, flags);
328
329	if (!key->manual_alloc) {
330	spin_lock_irqsave(&net->mctp.keys_lock, flags);
331	if (!hlist_unhashed(h: &key->hlist)) {
332	hlist_del_init(n: &key->hlist);
333	hlist_del_init(n: &key->sklist);
334	mctp_key_unref(key);
335	}
336	spin_unlock_irqrestore(lock: &net->mctp.keys_lock, flags);
337	}
338
339	/* and one for the local reference */
340	mctp_key_unref(key);
341
342	kfree_skb(skb);
343	}
344
345	#ifdef CONFIG_MCTP_FLOWS
346	static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key)
347	{
348	struct mctp_flow *flow;
349
350	flow = skb_ext_add(skb, id: SKB_EXT_MCTP);
351	if (!flow)
352	return;
353
354	refcount_inc(r: &key->refs);
355	flow->key = key;
356	}
357
358	static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev)
359	{
360	struct mctp_sk_key *key;
361	struct mctp_flow *flow;
362
363	flow = skb_ext_find(skb, id: SKB_EXT_MCTP);
364	if (!flow)
365	return;
366
367	key = flow->key;
368
369	if (key->dev) {
370	WARN_ON(key->dev != dev);
371	return;
372	}
373
374	mctp_dev_set_key(dev, key);
375	}
376	#else
377	static void mctp_skb_set_flow(struct sk_buff *skb, struct mctp_sk_key *key) {}
378	static void mctp_flow_prepare_output(struct sk_buff *skb, struct mctp_dev *dev) {}
379	#endif
380
381	/* takes ownership of skb, both in success and failure cases */
382	static int mctp_frag_queue(struct mctp_sk_key *key, struct sk_buff *skb)
383	{
384	struct mctp_hdr *hdr = mctp_hdr(skb);
385	u8 exp_seq, this_seq;
386
387	this_seq = (hdr->flags_seq_tag >> MCTP_HDR_SEQ_SHIFT)
388	& MCTP_HDR_SEQ_MASK;
389
390	if (!key->reasm_head) {
391	/* Since we're manipulating the shared frag_list, ensure it
392	* isn't shared with any other SKBs. In the cloned case,
393	* this will free the skb; callers can no longer access it
394	* safely.
395	*/
396	key->reasm_head = skb_unshare(skb, GFP_ATOMIC);
397	if (!key->reasm_head)
398	return -ENOMEM;
399
400	key->reasm_tailp = &(skb_shinfo(key->reasm_head)->frag_list);
401	key->last_seq = this_seq;
402	return 0;
403	}
404
405	exp_seq = (key->last_seq + 1) & MCTP_HDR_SEQ_MASK;
406
407	if (this_seq != exp_seq)
408	goto err_free;
409
410	if (key->reasm_head->len + skb->len > mctp_message_maxlen)
411	goto err_free;
412
413	skb->next = NULL;
414	skb->sk = NULL;
415	*key->reasm_tailp = skb;
416	key->reasm_tailp = &skb->next;
417
418	key->last_seq = this_seq;
419
420	key->reasm_head->data_len += skb->len;
421	key->reasm_head->len += skb->len;
422	key->reasm_head->truesize += skb->truesize;
423
424	return 0;
425
426	err_free:
427	kfree_skb(skb);
428	return -EINVAL;
429	}
430
431	static int mctp_dst_input(struct mctp_dst *dst, struct sk_buff *skb)
432	{
433	struct mctp_sk_key *key, *any_key = NULL;
434	struct net *net = dev_net(dev: skb->dev);
435	struct mctp_sock *msk;
436	struct mctp_hdr *mh;
437	unsigned int netid;
438	unsigned long f;
439	u8 tag, flags;
440	int rc;
441
442	msk = NULL;
443	rc = -EINVAL;
444
445	/* We may be receiving a locally-routed packet; drop source sk
446	* accounting.
447	*
448	* From here, we will either queue the skb - either to a frag_queue, or
449	* to a receiving socket. When that succeeds, we clear the skb pointer;
450	* a non-NULL skb on exit will be otherwise unowned, and hence
451	* kfree_skb()-ed.
452	*/
453	skb_orphan(skb);
454
455	if (skb->pkt_type == PACKET_OUTGOING)
456	skb->pkt_type = PACKET_LOOPBACK;
457
458	/* ensure we have enough data for a header and a type */
459	if (skb->len < sizeof(struct mctp_hdr) + 1)
460	goto out;
461
462	/* grab header, advance data ptr */
463	mh = mctp_hdr(skb);
464	netid = mctp_cb(skb)->net;
465	skb_pull(skb, len: sizeof(struct mctp_hdr));
466
467	if (mh->ver != 1)
468	goto out;
469
470	flags = mh->flags_seq_tag & (MCTP_HDR_FLAG_SOM | MCTP_HDR_FLAG_EOM);
471	tag = mh->flags_seq_tag & (MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
472
473	rcu_read_lock();
474
475	/* lookup socket / reasm context, exactly matching (src,dest,tag).
476	* we hold a ref on the key, and key->lock held.
477	*/
478	key = mctp_lookup_key(net, skb, netid, peer: mh->src, irqflags: &f);
479
480	if (flags & MCTP_HDR_FLAG_SOM) {
481	if (key) {
482	msk = container_of(key->sk, struct mctp_sock, sk);
483	} else {
484	/* first response to a broadcast? do a more general
485	* key lookup to find the socket, but don't use this
486	* key for reassembly - we'll create a more specific
487	* one for future packets if required (ie, !EOM).
488	*
489	* this lookup requires key->peer to be MCTP_ADDR_ANY,
490	* it doesn't match just any key->peer.
491	*/
492	any_key = mctp_lookup_key(net, skb, netid,
493	MCTP_ADDR_ANY, irqflags: &f);
494	if (any_key) {
495	msk = container_of(any_key->sk,
496	struct mctp_sock, sk);
497	spin_unlock_irqrestore(lock: &any_key->lock, flags: f);
498	}
499	}
500
501	if (!key && !msk && (tag & MCTP_HDR_FLAG_TO))
502	msk = mctp_lookup_bind(net, skb);
503
504	if (!msk) {
505	rc = -ENOENT;
506	goto out_unlock;
507	}
508
509	/* single-packet message? deliver to socket, clean up any
510	* pending key.
511	*/
512	if (flags & MCTP_HDR_FLAG_EOM) {
513	rc = sock_queue_rcv_skb(sk: &msk->sk, skb);
514	if (!rc)
515	skb = NULL;
516	if (key) {
517	/* we've hit a pending reassembly; not much we
518	* can do but drop it
519	*/
520	__mctp_key_done_in(key, net, flags: f,
521	reason: MCTP_TRACE_KEY_REPLIED);
522	key = NULL;
523	}
524	goto out_unlock;
525	}
526
527	/* broadcast response or a bind() - create a key for further
528	* packets for this message
529	*/
530	if (!key) {
531	key = mctp_key_alloc(msk, net: netid, local: mh->dest, peer: mh->src,
532	tag, GFP_ATOMIC);
533	if (!key) {
534	rc = -ENOMEM;
535	goto out_unlock;
536	}
537
538	/* we can queue without the key lock here, as the
539	* key isn't observable yet
540	*/
541	mctp_frag_queue(key, skb);
542	skb = NULL;
543
544	/* if the key_add fails, we've raced with another
545	* SOM packet with the same src, dest and tag. There's
546	* no way to distinguish future packets, so all we
547	* can do is drop.
548	*/
549	rc = mctp_key_add(key, msk);
550	if (!rc)
551	trace_mctp_key_acquire(key);
552
553	/* we don't need to release key->lock on exit, so
554	* clean up here and suppress the unlock via
555	* setting to NULL
556	*/
557	mctp_key_unref(key);
558	key = NULL;
559
560	} else {
561	if (key->reasm_head || key->reasm_dead) {
562	/* duplicate start? drop everything */
563	__mctp_key_done_in(key, net, flags: f,
564	reason: MCTP_TRACE_KEY_INVALIDATED);
565	rc = -EEXIST;
566	key = NULL;
567	} else {
568	rc = mctp_frag_queue(key, skb);
569	skb = NULL;
570	}
571	}
572
573	} else if (key) {
574	/* this packet continues a previous message; reassemble
575	* using the message-specific key
576	*/
577
578	/* we need to be continuing an existing reassembly... */
579	if (!key->reasm_head) {
580	rc = -EINVAL;
581	} else {
582	rc = mctp_frag_queue(key, skb);
583	skb = NULL;
584	}
585
586	if (rc)
587	goto out_unlock;
588
589	/* end of message? deliver to socket, and we're done with
590	* the reassembly/response key
591	*/
592	if (flags & MCTP_HDR_FLAG_EOM) {
593	rc = sock_queue_rcv_skb(sk: key->sk, skb: key->reasm_head);
594	if (!rc)
595	key->reasm_head = NULL;
596	__mctp_key_done_in(key, net, flags: f, reason: MCTP_TRACE_KEY_REPLIED);
597	key = NULL;
598	}
599
600	} else {
601	/* not a start, no matching key */
602	rc = -ENOENT;
603	}
604
605	out_unlock:
606	rcu_read_unlock();
607	if (key) {
608	spin_unlock_irqrestore(lock: &key->lock, flags: f);
609	mctp_key_unref(key);
610	}
611	if (any_key)
612	mctp_key_unref(key: any_key);
613	out:
614	kfree_skb(skb);
615	return rc;
616	}
617
618	static int mctp_dst_output(struct mctp_dst *dst, struct sk_buff *skb)
619	{
620	char daddr_buf[MAX_ADDR_LEN];
621	char *daddr = NULL;
622	int rc;
623
624	skb->protocol = htons(ETH_P_MCTP);
625	skb->pkt_type = PACKET_OUTGOING;
626	skb->dev = dst->dev->dev;
627
628	if (skb->len > dst->mtu) {
629	kfree_skb(skb);
630	return -EMSGSIZE;
631	}
632
633	/* direct route; use the hwaddr we stashed in sendmsg */
634	if (dst->halen) {
635	if (dst->halen != skb->dev->addr_len) {
636	/* sanity check, sendmsg should have already caught this */
637	kfree_skb(skb);
638	return -EMSGSIZE;
639	}
640	daddr = dst->haddr;
641	} else {
642	/* If lookup fails let the device handle daddr==NULL */
643	if (mctp_neigh_lookup(dev: dst->dev, eid: dst->nexthop, ret_hwaddr: daddr_buf) == 0)
644	daddr = daddr_buf;
645	}
646
647	rc = dev_hard_header(skb, dev: skb->dev, ntohs(skb->protocol),
648	daddr, saddr: skb->dev->dev_addr, len: skb->len);
649	if (rc < 0) {
650	kfree_skb(skb);
651	return -EHOSTUNREACH;
652	}
653
654	mctp_flow_prepare_output(skb, dev: dst->dev);
655
656	rc = dev_queue_xmit(skb);
657	if (rc)
658	rc = net_xmit_errno(rc);
659
660	return rc;
661	}
662
663	/* route alloc/release */
664	static void mctp_route_release(struct mctp_route *rt)
665	{
666	if (refcount_dec_and_test(r: &rt->refs)) {
667	if (rt->dst_type == MCTP_ROUTE_DIRECT)
668	mctp_dev_put(mdev: rt->dev);
669	kfree_rcu(rt, rcu);
670	}
671	}
672
673	/* returns a route with the refcount at 1 */
674	static struct mctp_route *mctp_route_alloc(void)
675	{
676	struct mctp_route *rt;
677
678	rt = kzalloc(sizeof(*rt), GFP_KERNEL);
679	if (!rt)
680	return NULL;
681
682	INIT_LIST_HEAD(list: &rt->list);
683	refcount_set(r: &rt->refs, n: 1);
684	rt->output = mctp_dst_discard;
685
686	return rt;
687	}
688
689	unsigned int mctp_default_net(struct net *net)
690	{
691	return READ_ONCE(net->mctp.default_net);
692	}
693
694	int mctp_default_net_set(struct net *net, unsigned int index)
695	{
696	if (index == 0)
697	return -EINVAL;
698	WRITE_ONCE(net->mctp.default_net, index);
699	return 0;
700	}
701
702	/* tag management */
703	static void mctp_reserve_tag(struct net *net, struct mctp_sk_key *key,
704	struct mctp_sock *msk)
705	{
706	struct netns_mctp *mns = &net->mctp;
707
708	lockdep_assert_held(&mns->keys_lock);
709
710	key->expiry = jiffies + mctp_key_lifetime;
711	timer_reduce(timer: &msk->key_expiry, expires: key->expiry);
712
713	/* we hold the net->key_lock here, allowing updates to both
714	* then net and sk
715	*/
716	hlist_add_head_rcu(n: &key->hlist, h: &mns->keys);
717	hlist_add_head_rcu(n: &key->sklist, h: &msk->keys);
718	refcount_inc(r: &key->refs);
719	}
720
721	/* Allocate a locally-owned tag value for (local, peer), and reserve
722	* it for the socket msk
723	*/
724	struct mctp_sk_key *mctp_alloc_local_tag(struct mctp_sock *msk,
725	unsigned int netid,
726	mctp_eid_t local, mctp_eid_t peer,
727	bool manual, u8 *tagp)
728	{
729	struct net *net = sock_net(sk: &msk->sk);
730	struct netns_mctp *mns = &net->mctp;
731	struct mctp_sk_key *key, *tmp;
732	unsigned long flags;
733	u8 tagbits;
734
735	/* for NULL destination EIDs, we may get a response from any peer */
736	if (peer == MCTP_ADDR_NULL)
737	peer = MCTP_ADDR_ANY;
738
739	/* be optimistic, alloc now */
740	key = mctp_key_alloc(msk, net: netid, local, peer, tag: 0, GFP_KERNEL);
741	if (!key)
742	return ERR_PTR(error: -ENOMEM);
743
744	/* 8 possible tag values */
745	tagbits = 0xff;
746
747	spin_lock_irqsave(&mns->keys_lock, flags);
748
749	/* Walk through the existing keys, looking for potential conflicting
750	* tags. If we find a conflict, clear that bit from tagbits
751	*/
752	hlist_for_each_entry(tmp, &mns->keys, hlist) {
753	/* We can check the lookup fields (*_addr, tag) without the
754	* lock held, they don't change over the lifetime of the key.
755	*/
756
757	/* tags are net-specific */
758	if (tmp->net != netid)
759	continue;
760
761	/* if we don't own the tag, it can't conflict */
762	if (tmp->tag & MCTP_HDR_FLAG_TO)
763	continue;
764
765	/* Since we're avoiding conflicting entries, match peer and
766	* local addresses, including with a wildcard on ANY. See
767	* 'A note on key allocations' for background.
768	*/
769	if (peer != MCTP_ADDR_ANY &&
770	!mctp_address_matches(match: tmp->peer_addr, eid: peer))
771	continue;
772
773	if (local != MCTP_ADDR_ANY &&
774	!mctp_address_matches(match: tmp->local_addr, eid: local))
775	continue;
776
777	spin_lock(lock: &tmp->lock);
778	/* key must still be valid. If we find a match, clear the
779	* potential tag value
780	*/
781	if (tmp->valid)
782	tagbits &= ~(1 << tmp->tag);
783	spin_unlock(lock: &tmp->lock);
784
785	if (!tagbits)
786	break;
787	}
788
789	if (tagbits) {
790	key->tag = __ffs(tagbits);
791	mctp_reserve_tag(net, key, msk);
792	trace_mctp_key_acquire(key);
793
794	key->manual_alloc = manual;
795	*tagp = key->tag;
796	}
797
798	spin_unlock_irqrestore(lock: &mns->keys_lock, flags);
799
800	if (!tagbits) {
801	mctp_key_unref(key);
802	return ERR_PTR(error: -EBUSY);
803	}
804
805	return key;
806	}
807
808	static struct mctp_sk_key *mctp_lookup_prealloc_tag(struct mctp_sock *msk,
809	unsigned int netid,
810	mctp_eid_t daddr,
811	u8 req_tag, u8 *tagp)
812	{
813	struct net *net = sock_net(sk: &msk->sk);
814	struct netns_mctp *mns = &net->mctp;
815	struct mctp_sk_key *key, *tmp;
816	unsigned long flags;
817
818	req_tag &= ~(MCTP_TAG_PREALLOC | MCTP_TAG_OWNER);
819	key = NULL;
820
821	spin_lock_irqsave(&mns->keys_lock, flags);
822
823	hlist_for_each_entry(tmp, &mns->keys, hlist) {
824	if (tmp->net != netid)
825	continue;
826
827	if (tmp->tag != req_tag)
828	continue;
829
830	if (!mctp_address_matches(match: tmp->peer_addr, eid: daddr))
831	continue;
832
833	if (!tmp->manual_alloc)
834	continue;
835
836	spin_lock(lock: &tmp->lock);
837	if (tmp->valid) {
838	key = tmp;
839	refcount_inc(r: &key->refs);
840	spin_unlock(lock: &tmp->lock);
841	break;
842	}
843	spin_unlock(lock: &tmp->lock);
844	}
845	spin_unlock_irqrestore(lock: &mns->keys_lock, flags);
846
847	if (!key)
848	return ERR_PTR(error: -ENOENT);
849
850	if (tagp)
851	*tagp = key->tag;
852
853	return key;
854	}
855
856	/* routing lookups */
857	static unsigned int mctp_route_netid(struct mctp_route *rt)
858	{
859	return rt->dst_type == MCTP_ROUTE_DIRECT ?
860	READ_ONCE(rt->dev->net) : rt->gateway.net;
861	}
862
863	static bool mctp_rt_match_eid(struct mctp_route *rt,
864	unsigned int net, mctp_eid_t eid)
865	{
866	return mctp_route_netid(rt) == net &&
867	rt->min <= eid && rt->max >= eid;
868	}
869
870	/* compares match, used for duplicate prevention */
871	static bool mctp_rt_compare_exact(struct mctp_route *rt1,
872	struct mctp_route *rt2)
873	{
874	ASSERT_RTNL();
875	return mctp_route_netid(rt: rt1) == mctp_route_netid(rt: rt2) &&
876	rt1->min == rt2->min &&
877	rt1->max == rt2->max;
878	}
879
880	/* must only be called on a direct route, as the final output hop */
881	static void mctp_dst_from_route(struct mctp_dst *dst, mctp_eid_t eid,
882	unsigned int mtu, struct mctp_route *route)
883	{
884	mctp_dev_hold(mdev: route->dev);
885	dst->nexthop = eid;
886	dst->dev = route->dev;
887	dst->mtu = READ_ONCE(dst->dev->dev->mtu);
888	if (mtu)
889	dst->mtu = min(dst->mtu, mtu);
890	dst->halen = 0;
891	dst->output = route->output;
892	}
893
894	int mctp_dst_from_extaddr(struct mctp_dst *dst, struct net *net, int ifindex,
895	unsigned char halen, const unsigned char *haddr)
896	{
897	struct net_device *netdev;
898	struct mctp_dev *dev;
899	int rc = -ENOENT;
900
901	if (halen > sizeof(dst->haddr))
902	return -EINVAL;
903
904	rcu_read_lock();
905
906	netdev = dev_get_by_index_rcu(net, ifindex);
907	if (!netdev)
908	goto out_unlock;
909
910	if (netdev->addr_len != halen) {
911	rc = -EINVAL;
912	goto out_unlock;
913	}
914
915	dev = __mctp_dev_get(dev: netdev);
916	if (!dev)
917	goto out_unlock;
918
919	dst->dev = dev;
920	dst->mtu = READ_ONCE(netdev->mtu);
921	dst->halen = halen;
922	dst->output = mctp_dst_output;
923	dst->nexthop = 0;
924	memcpy(dst->haddr, haddr, halen);
925
926	rc = 0;
927
928	out_unlock:
929	rcu_read_unlock();
930	return rc;
931	}
932
933	void mctp_dst_release(struct mctp_dst *dst)
934	{
935	mctp_dev_put(mdev: dst->dev);
936	}
937
938	static struct mctp_route *mctp_route_lookup_single(struct net *net,
939	unsigned int dnet,
940	mctp_eid_t daddr)
941	{
942	struct mctp_route *rt;
943
944	list_for_each_entry_rcu(rt, &net->mctp.routes, list) {
945	if (mctp_rt_match_eid(rt, net: dnet, eid: daddr))
946	return rt;
947	}
948
949	return NULL;
950	}
951
952	/* populates *dst on successful lookup, if set */
953	int mctp_route_lookup(struct net *net, unsigned int dnet,
954	mctp_eid_t daddr, struct mctp_dst *dst)
955	{
956	const unsigned int max_depth = 32;
957	unsigned int depth, mtu = 0;
958	int rc = -EHOSTUNREACH;
959
960	rcu_read_lock();
961
962	for (depth = 0; depth < max_depth; depth++) {
963	struct mctp_route *rt;
964
965	rt = mctp_route_lookup_single(net, dnet, daddr);
966	if (!rt)
967	break;
968
969	/* clamp mtu to the smallest in the path, allowing 0
970	* to specify no restrictions
971	*/
972	if (mtu && rt->mtu)
973	mtu = min(mtu, rt->mtu);
974	else
975	mtu = mtu ?: rt->mtu;
976
977	if (rt->dst_type == MCTP_ROUTE_DIRECT) {
978	if (dst)
979	mctp_dst_from_route(dst, eid: daddr, mtu, route: rt);
980	rc = 0;
981	break;
982
983	} else if (rt->dst_type == MCTP_ROUTE_GATEWAY) {
984	daddr = rt->gateway.eid;
985	}
986	}
987
988	rcu_read_unlock();
989
990	return rc;
991	}
992
993	static int mctp_route_lookup_null(struct net *net, struct net_device *dev,
994	struct mctp_dst *dst)
995	{
996	int rc = -EHOSTUNREACH;
997	struct mctp_route *rt;
998
999	rcu_read_lock();
1000
1001	list_for_each_entry_rcu(rt, &net->mctp.routes, list) {
1002	if (rt->dst_type != MCTP_ROUTE_DIRECT || rt->type != RTN_LOCAL)
1003	continue;
1004
1005	if (rt->dev->dev != dev)
1006	continue;
1007
1008	mctp_dst_from_route(dst, eid: 0, mtu: 0, route: rt);
1009	rc = 0;
1010	break;
1011	}
1012
1013	rcu_read_unlock();
1014
1015	return rc;
1016	}
1017
1018	static int mctp_do_fragment_route(struct mctp_dst *dst, struct sk_buff *skb,
1019	unsigned int mtu, u8 tag)
1020	{
1021	const unsigned int hlen = sizeof(struct mctp_hdr);
1022	struct mctp_hdr *hdr, *hdr2;
1023	unsigned int pos, size, headroom;
1024	struct sk_buff *skb2;
1025	int rc;
1026	u8 seq;
1027
1028	hdr = mctp_hdr(skb);
1029	seq = 0;
1030	rc = 0;
1031
1032	if (mtu < hlen + 1) {
1033	kfree_skb(skb);
1034	return -EMSGSIZE;
1035	}
1036
1037	/* keep same headroom as the original skb */
1038	headroom = skb_headroom(skb);
1039
1040	/* we've got the header */
1041	skb_pull(skb, len: hlen);
1042
1043	for (pos = 0; pos < skb->len;) {
1044	/* size of message payload */
1045	size = min(mtu - hlen, skb->len - pos);
1046
1047	skb2 = alloc_skb(size: headroom + hlen + size, GFP_KERNEL);
1048	if (!skb2) {
1049	rc = -ENOMEM;
1050	break;
1051	}
1052
1053	/* generic skb copy */
1054	skb2->protocol = skb->protocol;
1055	skb2->priority = skb->priority;
1056	skb2->dev = skb->dev;
1057	memcpy(skb2->cb, skb->cb, sizeof(skb2->cb));
1058
1059	if (skb->sk)
1060	skb_set_owner_w(skb: skb2, sk: skb->sk);
1061
1062	/* establish packet */
1063	skb_reserve(skb: skb2, len: headroom);
1064	skb_reset_network_header(skb: skb2);
1065	skb_put(skb: skb2, len: hlen + size);
1066	skb2->transport_header = skb2->network_header + hlen;
1067
1068	/* copy header fields, calculate SOM/EOM flags & seq */
1069	hdr2 = mctp_hdr(skb: skb2);
1070	hdr2->ver = hdr->ver;
1071	hdr2->dest = hdr->dest;
1072	hdr2->src = hdr->src;
1073	hdr2->flags_seq_tag = tag &
1074	(MCTP_HDR_TAG_MASK | MCTP_HDR_FLAG_TO);
1075
1076	if (pos == 0)
1077	hdr2->flags_seq_tag |= MCTP_HDR_FLAG_SOM;
1078
1079	if (pos + size == skb->len)
1080	hdr2->flags_seq_tag |= MCTP_HDR_FLAG_EOM;
1081
1082	hdr2->flags_seq_tag |= seq << MCTP_HDR_SEQ_SHIFT;
1083
1084	/* copy message payload */
1085	skb_copy_bits(skb, offset: pos, to: skb_transport_header(skb: skb2), len: size);
1086
1087	/* we need to copy the extensions, for MCTP flow data */
1088	skb_ext_copy(dst: skb2, src: skb);
1089
1090	/* do route */
1091	rc = dst->output(dst, skb2);
1092	if (rc)
1093	break;
1094
1095	seq = (seq + 1) & MCTP_HDR_SEQ_MASK;
1096	pos += size;
1097	}
1098
1099	consume_skb(skb);
1100	return rc;
1101	}
1102
1103	int mctp_local_output(struct sock *sk, struct mctp_dst *dst,
1104	struct sk_buff *skb, mctp_eid_t daddr, u8 req_tag)
1105	{
1106	struct mctp_sock *msk = container_of(sk, struct mctp_sock, sk);
1107	struct mctp_sk_key *key;
1108	struct mctp_hdr *hdr;
1109	unsigned long flags;
1110	unsigned int netid;
1111	unsigned int mtu;
1112	mctp_eid_t saddr;
1113	int rc;
1114	u8 tag;
1115
1116	KUNIT_STATIC_STUB_REDIRECT(mctp_local_output, sk, dst, skb, daddr,
1117	req_tag);
1118
1119	rc = -ENODEV;
1120
1121	spin_lock_irqsave(&dst->dev->addrs_lock, flags);
1122	if (dst->dev->num_addrs == 0) {
1123	rc = -EHOSTUNREACH;
1124	} else {
1125	/* use the outbound interface's first address as our source */
1126	saddr = dst->dev->addrs[0];
1127	rc = 0;
1128	}
1129	spin_unlock_irqrestore(lock: &dst->dev->addrs_lock, flags);
1130	netid = READ_ONCE(dst->dev->net);
1131
1132	if (rc)
1133	goto out_release;
1134
1135	if (req_tag & MCTP_TAG_OWNER) {
1136	if (req_tag & MCTP_TAG_PREALLOC)
1137	key = mctp_lookup_prealloc_tag(msk, netid, daddr,
1138	req_tag, tagp: &tag);
1139	else
1140	key = mctp_alloc_local_tag(msk, netid, local: saddr, peer: daddr,
1141	manual: false, tagp: &tag);
1142
1143	if (IS_ERR(ptr: key)) {
1144	rc = PTR_ERR(ptr: key);
1145	goto out_release;
1146	}
1147	mctp_skb_set_flow(skb, key);
1148	/* done with the key in this scope */
1149	mctp_key_unref(key);
1150	tag |= MCTP_HDR_FLAG_TO;
1151	} else {
1152	key = NULL;
1153	tag = req_tag & MCTP_TAG_MASK;
1154	}
1155
1156	skb->pkt_type = PACKET_OUTGOING;
1157	skb->protocol = htons(ETH_P_MCTP);
1158	skb->priority = 0;
1159	skb_reset_transport_header(skb);
1160	skb_push(skb, len: sizeof(struct mctp_hdr));
1161	skb_reset_network_header(skb);
1162	skb->dev = dst->dev->dev;
1163
1164	/* set up common header fields */
1165	hdr = mctp_hdr(skb);
1166	hdr->ver = 1;
1167	hdr->dest = daddr;
1168	hdr->src = saddr;
1169
1170	mtu = dst->mtu;
1171
1172	if (skb->len + sizeof(struct mctp_hdr) <= mtu) {
1173	hdr->flags_seq_tag = MCTP_HDR_FLAG_SOM |
1174	MCTP_HDR_FLAG_EOM | tag;
1175	rc = dst->output(dst, skb);
1176	} else {
1177	rc = mctp_do_fragment_route(dst, skb, mtu, tag);
1178	}
1179
1180	/* route output functions consume the skb, even on error */
1181	skb = NULL;
1182
1183	out_release:
1184	kfree_skb(skb);
1185	return rc;
1186	}
1187
1188	/* route management */
1189
1190	/* mctp_route_add(): Add the provided route, previously allocated via
1191	* mctp_route_alloc(). On success, takes ownership of @rt, which includes a
1192	* hold on rt->dev for usage in the route table. On failure a caller will want
1193	* to mctp_route_release().
1194	*
1195	* We expect that the caller has set rt->type, rt->dst_type, rt->min, rt->max,
1196	* rt->mtu and either rt->dev (with a reference held appropriately) or
1197	* rt->gateway. Other fields will be populated.
1198	*/
1199	static int mctp_route_add(struct net *net, struct mctp_route *rt)
1200	{
1201	struct mctp_route *ert;
1202
1203	if (!mctp_address_unicast(eid: rt->min) || !mctp_address_unicast(eid: rt->max))
1204	return -EINVAL;
1205
1206	if (rt->dst_type == MCTP_ROUTE_DIRECT && !rt->dev)
1207	return -EINVAL;
1208
1209	if (rt->dst_type == MCTP_ROUTE_GATEWAY && !rt->gateway.eid)
1210	return -EINVAL;
1211
1212	switch (rt->type) {
1213	case RTN_LOCAL:
1214	rt->output = mctp_dst_input;
1215	break;
1216	case RTN_UNICAST:
1217	rt->output = mctp_dst_output;
1218	break;
1219	default:
1220	return -EINVAL;
1221	}
1222
1223	ASSERT_RTNL();
1224
1225	/* Prevent duplicate identical routes. */
1226	list_for_each_entry(ert, &net->mctp.routes, list) {
1227	if (mctp_rt_compare_exact(rt1: rt, rt2: ert)) {
1228	return -EEXIST;
1229	}
1230	}
1231
1232	list_add_rcu(new: &rt->list, head: &net->mctp.routes);
1233
1234	return 0;
1235	}
1236
1237	static int mctp_route_remove(struct net *net, unsigned int netid,
1238	mctp_eid_t daddr_start, unsigned int daddr_extent,
1239	unsigned char type)
1240	{
1241	struct mctp_route *rt, *tmp;
1242	mctp_eid_t daddr_end;
1243	bool dropped;
1244
1245	if (daddr_extent > 0xff || daddr_start + daddr_extent >= 255)
1246	return -EINVAL;
1247
1248	daddr_end = daddr_start + daddr_extent;
1249	dropped = false;
1250
1251	ASSERT_RTNL();
1252
1253	list_for_each_entry_safe(rt, tmp, &net->mctp.routes, list) {
1254	if (mctp_route_netid(rt) == netid &&
1255	rt->min == daddr_start && rt->max == daddr_end &&
1256	rt->type == type) {
1257	list_del_rcu(entry: &rt->list);
1258	/* TODO: immediate RTM_DELROUTE */
1259	mctp_route_release(rt);
1260	dropped = true;
1261	}
1262	}
1263
1264	return dropped ? 0 : -ENOENT;
1265	}
1266
1267	int mctp_route_add_local(struct mctp_dev *mdev, mctp_eid_t addr)
1268	{
1269	struct mctp_route *rt;
1270	int rc;
1271
1272	rt = mctp_route_alloc();
1273	if (!rt)
1274	return -ENOMEM;
1275
1276	rt->min = addr;
1277	rt->max = addr;
1278	rt->dst_type = MCTP_ROUTE_DIRECT;
1279	rt->dev = mdev;
1280	rt->type = RTN_LOCAL;
1281
1282	mctp_dev_hold(mdev: rt->dev);
1283
1284	rc = mctp_route_add(net: dev_net(dev: mdev->dev), rt);
1285	if (rc)
1286	mctp_route_release(rt);
1287
1288	return rc;
1289	}
1290
1291	int mctp_route_remove_local(struct mctp_dev *mdev, mctp_eid_t addr)
1292	{
1293	return mctp_route_remove(net: dev_net(dev: mdev->dev), netid: mdev->net,
1294	daddr_start: addr, daddr_extent: 0, type: RTN_LOCAL);
1295	}
1296
1297	/* removes all entries for a given device */
1298	void mctp_route_remove_dev(struct mctp_dev *mdev)
1299	{
1300	struct net *net = dev_net(dev: mdev->dev);
1301	struct mctp_route *rt, *tmp;
1302
1303	ASSERT_RTNL();
1304	list_for_each_entry_safe(rt, tmp, &net->mctp.routes, list) {
1305	if (rt->dst_type == MCTP_ROUTE_DIRECT && rt->dev == mdev) {
1306	list_del_rcu(entry: &rt->list);
1307	/* TODO: immediate RTM_DELROUTE */
1308	mctp_route_release(rt);
1309	}
1310	}
1311	}
1312
1313	/* Incoming packet-handling */
1314
1315	static int mctp_pkttype_receive(struct sk_buff *skb, struct net_device *dev,
1316	struct packet_type *pt,
1317	struct net_device *orig_dev)
1318	{
1319	struct net *net = dev_net(dev);
1320	struct mctp_dev *mdev;
1321	struct mctp_skb_cb *cb;
1322	struct mctp_dst dst;
1323	struct mctp_hdr *mh;
1324	int rc;
1325
1326	rcu_read_lock();
1327	mdev = __mctp_dev_get(dev);
1328	rcu_read_unlock();
1329	if (!mdev) {
1330	/* basic non-data sanity checks */
1331	goto err_drop;
1332	}
1333
1334	if (!pskb_may_pull(skb, len: sizeof(struct mctp_hdr)))
1335	goto err_drop;
1336
1337	skb_reset_transport_header(skb);
1338	skb_reset_network_header(skb);
1339
1340	/* We have enough for a header; decode and route */
1341	mh = mctp_hdr(skb);
1342	if (mh->ver < MCTP_VER_MIN || mh->ver > MCTP_VER_MAX)
1343	goto err_drop;
1344
1345	/* source must be valid unicast or null; drop reserved ranges and
1346	* broadcast
1347	*/
1348	if (!(mctp_address_unicast(eid: mh->src) || mctp_address_null(eid: mh->src)))
1349	goto err_drop;
1350
1351	/* dest address: as above, but allow broadcast */
1352	if (!(mctp_address_unicast(eid: mh->dest) || mctp_address_null(eid: mh->dest) ||
1353	mctp_address_broadcast(eid: mh->dest)))
1354	goto err_drop;
1355
1356	/* MCTP drivers must populate halen/haddr */
1357	if (dev->type == ARPHRD_MCTP) {
1358	cb = mctp_cb(skb);
1359	} else {
1360	cb = __mctp_cb(skb);
1361	cb->halen = 0;
1362	}
1363	cb->net = READ_ONCE(mdev->net);
1364	cb->ifindex = dev->ifindex;
1365
1366	rc = mctp_route_lookup(net, dnet: cb->net, daddr: mh->dest, dst: &dst);
1367
1368	/* NULL EID, but addressed to our physical address */
1369	if (rc && mh->dest == MCTP_ADDR_NULL && skb->pkt_type == PACKET_HOST)
1370	rc = mctp_route_lookup_null(net, dev, dst: &dst);
1371
1372	if (rc)
1373	goto err_drop;
1374
1375	dst.output(&dst, skb);
1376	mctp_dst_release(dst: &dst);
1377	mctp_dev_put(mdev);
1378
1379	return NET_RX_SUCCESS;
1380
1381	err_drop:
1382	kfree_skb(skb);
1383	mctp_dev_put(mdev);
1384	return NET_RX_DROP;
1385	}
1386
1387	static struct packet_type mctp_packet_type = {
1388	.type = cpu_to_be16(ETH_P_MCTP),
1389	.func = mctp_pkttype_receive,
1390	};
1391
1392	/* netlink interface */
1393
1394	static const struct nla_policy rta_mctp_policy[RTA_MAX + 1] = {
1395	[RTA_DST] = { .type = NLA_U8 },
1396	[RTA_METRICS] = { .type = NLA_NESTED },
1397	[RTA_OIF] = { .type = NLA_U32 },
1398	[RTA_GATEWAY] = NLA_POLICY_EXACT_LEN(sizeof(struct mctp_fq_addr)),
1399	};
1400
1401	static const struct nla_policy rta_metrics_policy[RTAX_MAX + 1] = {
1402	[RTAX_MTU] = { .type = NLA_U32 },
1403	};
1404
1405	/* base parsing; common to both _lookup and _populate variants.
1406	*
1407	* For gateway routes (which have a RTA_GATEWAY, and no RTA_OIF), we populate
1408	* *gatweayp. for direct routes (RTA_OIF, no RTA_GATEWAY), we populate *mdev.
1409	*/
1410	static int mctp_route_nlparse_common(struct net *net, struct nlmsghdr *nlh,
1411	struct netlink_ext_ack *extack,
1412	struct nlattr **tb, struct rtmsg **rtm,
1413	struct mctp_dev **mdev,
1414	struct mctp_fq_addr *gatewayp,
1415	mctp_eid_t *daddr_start)
1416	{
1417	struct mctp_fq_addr *gateway = NULL;
1418	unsigned int ifindex = 0;
1419	struct net_device *dev;
1420	int rc;
1421
1422	rc = nlmsg_parse(nlh, hdrlen: sizeof(struct rtmsg), tb, RTA_MAX,
1423	policy: rta_mctp_policy, extack);
1424	if (rc < 0) {
1425	NL_SET_ERR_MSG(extack, "incorrect format");
1426	return rc;
1427	}
1428
1429	if (!tb[RTA_DST]) {
1430	NL_SET_ERR_MSG(extack, "dst EID missing");
1431	return -EINVAL;
1432	}
1433	*daddr_start = nla_get_u8(nla: tb[RTA_DST]);
1434
1435	if (tb[RTA_OIF])
1436	ifindex = nla_get_u32(nla: tb[RTA_OIF]);
1437
1438	if (tb[RTA_GATEWAY])
1439	gateway = nla_data(nla: tb[RTA_GATEWAY]);
1440
1441	if (ifindex && gateway) {
1442	NL_SET_ERR_MSG(extack,
1443	"cannot specify both ifindex and gateway");
1444	return -EINVAL;
1445
1446	} else if (ifindex) {
1447	dev = __dev_get_by_index(net, ifindex);
1448	if (!dev) {
1449	NL_SET_ERR_MSG(extack, "bad ifindex");
1450	return -ENODEV;
1451	}
1452	*mdev = mctp_dev_get_rtnl(dev);
1453	if (!*mdev)
1454	return -ENODEV;
1455	gatewayp->eid = 0;
1456
1457	} else if (gateway) {
1458	if (!mctp_address_unicast(eid: gateway->eid)) {
1459	NL_SET_ERR_MSG(extack, "bad gateway");
1460	return -EINVAL;
1461	}
1462
1463	gatewayp->eid = gateway->eid;
1464	gatewayp->net = gateway->net != MCTP_NET_ANY ?
1465	gateway->net :
1466	READ_ONCE(net->mctp.default_net);
1467	*mdev = NULL;
1468
1469	} else {
1470	NL_SET_ERR_MSG(extack, "no route output provided");
1471	return -EINVAL;
1472	}
1473
1474	*rtm = nlmsg_data(nlh);
1475	if ((*rtm)->rtm_family != AF_MCTP) {
1476	NL_SET_ERR_MSG(extack, "route family must be AF_MCTP");
1477	return -EINVAL;
1478	}
1479
1480	if ((*rtm)->rtm_type != RTN_UNICAST) {
1481	NL_SET_ERR_MSG(extack, "rtm_type must be RTN_UNICAST");
1482	return -EINVAL;
1483	}
1484
1485	return 0;
1486	}
1487
1488	/* Route parsing for lookup operations; we only need the "route target"
1489	* components (ie., network and dest-EID range).
1490	*/
1491	static int mctp_route_nlparse_lookup(struct net *net, struct nlmsghdr *nlh,
1492	struct netlink_ext_ack *extack,
1493	unsigned char *type, unsigned int *netid,
1494	mctp_eid_t *daddr_start,
1495	unsigned int *daddr_extent)
1496	{
1497	struct nlattr *tb[RTA_MAX + 1];
1498	struct mctp_fq_addr gw;
1499	struct mctp_dev *mdev;
1500	struct rtmsg *rtm;
1501	int rc;
1502
1503	rc = mctp_route_nlparse_common(net, nlh, extack, tb, rtm: &rtm,
1504	mdev: &mdev, gatewayp: &gw, daddr_start);
1505	if (rc)
1506	return rc;
1507
1508	if (mdev) {
1509	*netid = mdev->net;
1510	} else if (gw.eid) {
1511	*netid = gw.net;
1512	} else {
1513	/* bug: _nlparse_common should not allow this */
1514	return -1;
1515	}
1516
1517	*type = rtm->rtm_type;
1518	*daddr_extent = rtm->rtm_dst_len;
1519
1520	return 0;
1521	}
1522
1523	/* Full route parse for RTM_NEWROUTE: populate @rt. On success,
1524	* MCTP_ROUTE_DIRECT routes (ie, those with a direct dev) will hold a reference
1525	* to that dev.
1526	*/
1527	static int mctp_route_nlparse_populate(struct net *net, struct nlmsghdr *nlh,
1528	struct netlink_ext_ack *extack,
1529	struct mctp_route *rt)
1530	{
1531	struct nlattr *tbx[RTAX_MAX + 1];
1532	struct nlattr *tb[RTA_MAX + 1];
1533	unsigned int daddr_extent;
1534	struct mctp_fq_addr gw;
1535	mctp_eid_t daddr_start;
1536	struct mctp_dev *dev;
1537	struct rtmsg *rtm;
1538	u32 mtu = 0;
1539	int rc;
1540
1541	rc = mctp_route_nlparse_common(net, nlh, extack, tb, rtm: &rtm,
1542	mdev: &dev, gatewayp: &gw, daddr_start: &daddr_start);
1543	if (rc)
1544	return rc;
1545
1546	daddr_extent = rtm->rtm_dst_len;
1547
1548	if (daddr_extent > 0xff || daddr_extent + daddr_start >= 255) {
1549	NL_SET_ERR_MSG(extack, "invalid eid range");
1550	return -EINVAL;
1551	}
1552
1553	if (tb[RTA_METRICS]) {
1554	rc = nla_parse_nested(tb: tbx, RTAX_MAX, nla: tb[RTA_METRICS],
1555	policy: rta_metrics_policy, NULL);
1556	if (rc < 0) {
1557	NL_SET_ERR_MSG(extack, "incorrect RTA_METRICS format");
1558	return rc;
1559	}
1560	if (tbx[RTAX_MTU])
1561	mtu = nla_get_u32(nla: tbx[RTAX_MTU]);
1562	}
1563
1564	rt->type = rtm->rtm_type;
1565	rt->min = daddr_start;
1566	rt->max = daddr_start + daddr_extent;
1567	rt->mtu = mtu;
1568	if (gw.eid) {
1569	rt->dst_type = MCTP_ROUTE_GATEWAY;
1570	rt->gateway.eid = gw.eid;
1571	rt->gateway.net = gw.net;
1572	} else {
1573	rt->dst_type = MCTP_ROUTE_DIRECT;
1574	rt->dev = dev;
1575	mctp_dev_hold(mdev: rt->dev);
1576	}
1577
1578	return 0;
1579	}
1580
1581	static int mctp_newroute(struct sk_buff *skb, struct nlmsghdr *nlh,
1582	struct netlink_ext_ack *extack)
1583	{
1584	struct net *net = sock_net(sk: skb->sk);
1585	struct mctp_route *rt;
1586	int rc;
1587
1588	rt = mctp_route_alloc();
1589	if (!rt)
1590	return -ENOMEM;
1591
1592	rc = mctp_route_nlparse_populate(net, nlh, extack, rt);
1593	if (rc < 0)
1594	goto err_free;
1595
1596	if (rt->dst_type == MCTP_ROUTE_DIRECT &&
1597	rt->dev->dev->flags & IFF_LOOPBACK) {
1598	NL_SET_ERR_MSG(extack, "no routes to loopback");
1599	rc = -EINVAL;
1600	goto err_free;
1601	}
1602
1603	rc = mctp_route_add(net, rt);
1604	if (!rc)
1605	return 0;
1606
1607	err_free:
1608	mctp_route_release(rt);
1609	return rc;
1610	}
1611
1612	static int mctp_delroute(struct sk_buff *skb, struct nlmsghdr *nlh,
1613	struct netlink_ext_ack *extack)
1614	{
1615	struct net *net = sock_net(sk: skb->sk);
1616	unsigned int netid, daddr_extent;
1617	unsigned char type = RTN_UNSPEC;
1618	mctp_eid_t daddr_start;
1619	int rc;
1620
1621	rc = mctp_route_nlparse_lookup(net, nlh, extack, type: &type, netid: &netid,
1622	daddr_start: &daddr_start, daddr_extent: &daddr_extent);
1623	if (rc < 0)
1624	return rc;
1625
1626	/* we only have unicast routes */
1627	if (type != RTN_UNICAST)
1628	return -EINVAL;
1629
1630	rc = mctp_route_remove(net, netid, daddr_start, daddr_extent, type);
1631	return rc;
1632	}
1633
1634	static int mctp_fill_rtinfo(struct sk_buff *skb, struct mctp_route *rt,
1635	u32 portid, u32 seq, int event, unsigned int flags)
1636	{
1637	struct nlmsghdr *nlh;
1638	struct rtmsg *hdr;
1639	void *metrics;
1640
1641	nlh = nlmsg_put(skb, portid, seq, type: event, payload: sizeof(*hdr), flags);
1642	if (!nlh)
1643	return -EMSGSIZE;
1644
1645	hdr = nlmsg_data(nlh);
1646	hdr->rtm_family = AF_MCTP;
1647
1648	/* we use the _len fields as a number of EIDs, rather than
1649	* a number of bits in the address
1650	*/
1651	hdr->rtm_dst_len = rt->max - rt->min;
1652	hdr->rtm_src_len = 0;
1653	hdr->rtm_tos = 0;
1654	hdr->rtm_table = RT_TABLE_DEFAULT;
1655	hdr->rtm_protocol = RTPROT_STATIC; /* everything is user-defined */
1656	hdr->rtm_type = rt->type;
1657
1658	if (nla_put_u8(skb, attrtype: RTA_DST, value: rt->min))
1659	goto cancel;
1660
1661	metrics = nla_nest_start_noflag(skb, attrtype: RTA_METRICS);
1662	if (!metrics)
1663	goto cancel;
1664
1665	if (rt->mtu) {
1666	if (nla_put_u32(skb, RTAX_MTU, value: rt->mtu))
1667	goto cancel;
1668	}
1669
1670	nla_nest_end(skb, start: metrics);
1671
1672	if (rt->dst_type == MCTP_ROUTE_DIRECT) {
1673	hdr->rtm_scope = RT_SCOPE_LINK;
1674	if (nla_put_u32(skb, attrtype: RTA_OIF, value: rt->dev->dev->ifindex))
1675	goto cancel;
1676	} else if (rt->dst_type == MCTP_ROUTE_GATEWAY) {
1677	hdr->rtm_scope = RT_SCOPE_UNIVERSE;
1678	if (nla_put(skb, attrtype: RTA_GATEWAY,
1679	attrlen: sizeof(rt->gateway), data: &rt->gateway))
1680	goto cancel;
1681	}
1682
1683	nlmsg_end(skb, nlh);
1684
1685	return 0;
1686
1687	cancel:
1688	nlmsg_cancel(skb, nlh);
1689	return -EMSGSIZE;
1690	}
1691
1692	static int mctp_dump_rtinfo(struct sk_buff *skb, struct netlink_callback *cb)
1693	{
1694	struct net *net = sock_net(sk: skb->sk);
1695	struct mctp_route *rt;
1696	int s_idx, idx;
1697
1698	/* TODO: allow filtering on route data, possibly under
1699	* cb->strict_check
1700	*/
1701
1702	/* TODO: change to struct overlay */
1703	s_idx = cb->args[0];
1704	idx = 0;
1705
1706	rcu_read_lock();
1707	list_for_each_entry_rcu(rt, &net->mctp.routes, list) {
1708	if (idx++ < s_idx)
1709	continue;
1710	if (mctp_fill_rtinfo(skb, rt,
1711	NETLINK_CB(cb->skb).portid,
1712	seq: cb->nlh->nlmsg_seq,
1713	RTM_NEWROUTE, NLM_F_MULTI) < 0)
1714	break;
1715	}
1716
1717	rcu_read_unlock();
1718	cb->args[0] = idx;
1719
1720	return skb->len;
1721	}
1722
1723	/* net namespace implementation */
1724	static int __net_init mctp_routes_net_init(struct net *net)
1725	{
1726	struct netns_mctp *ns = &net->mctp;
1727
1728	INIT_LIST_HEAD(list: &ns->routes);
1729	hash_init(ns->binds);
1730	mutex_init(&ns->bind_lock);
1731	INIT_HLIST_HEAD(&ns->keys);
1732	spin_lock_init(&ns->keys_lock);
1733	WARN_ON(mctp_default_net_set(net, MCTP_INITIAL_DEFAULT_NET));
1734	return 0;
1735	}
1736
1737	static void __net_exit mctp_routes_net_exit(struct net *net)
1738	{
1739	struct mctp_route *rt;
1740
1741	rcu_read_lock();
1742	list_for_each_entry_rcu(rt, &net->mctp.routes, list)
1743	mctp_route_release(rt);
1744	rcu_read_unlock();
1745	}
1746
1747	static struct pernet_operations mctp_net_ops = {
1748	.init = mctp_routes_net_init,
1749	.exit = mctp_routes_net_exit,
1750	};
1751
1752	static const struct rtnl_msg_handler mctp_route_rtnl_msg_handlers[] = {
1753	{THIS_MODULE, PF_MCTP, RTM_NEWROUTE, mctp_newroute, NULL, 0},
1754	{THIS_MODULE, PF_MCTP, RTM_DELROUTE, mctp_delroute, NULL, 0},
1755	{THIS_MODULE, PF_MCTP, RTM_GETROUTE, NULL, mctp_dump_rtinfo, 0},
1756	};
1757
1758	int __init mctp_routes_init(void)
1759	{
1760	int err;
1761
1762	dev_add_pack(pt: &mctp_packet_type);
1763
1764	err = register_pernet_subsys(&mctp_net_ops);
1765	if (err)
1766	goto err_pernet;
1767
1768	err = rtnl_register_many(mctp_route_rtnl_msg_handlers);
1769	if (err)
1770	goto err_rtnl;
1771
1772	return 0;
1773
1774	err_rtnl:
1775	unregister_pernet_subsys(&mctp_net_ops);
1776	err_pernet:
1777	dev_remove_pack(pt: &mctp_packet_type);
1778	return err;
1779	}
1780
1781	void mctp_routes_exit(void)
1782	{
1783	rtnl_unregister_many(mctp_route_rtnl_msg_handlers);
1784	unregister_pernet_subsys(&mctp_net_ops);
1785	dev_remove_pack(pt: &mctp_packet_type);
1786	}
1787
1788	#if IS_ENABLED(CONFIG_MCTP_TEST)
1789	#include "test/route-test.c"
1790	#endif
1791