ffe9ce5b43
https://source.android.com/docs/security/bulletin/2023-12-01 * tag 'ASB-2023-12-05_11-5.4' of https://android.googlesource.com/kernel/common: ANDROID: ABI: Update allowed list for QCOM BACKPORT: ALSA: compress: Allow pause and resume during draining UPSTREAM: netfilter: nf_tables: pass context to nft_set_destroy() UPSTREAM: netfilter: nf_tables: don't skip expired elements during walk ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override ANDROID: Use GKI Dr. No OWNERS file ANDROID: Remove android/OWNERs file FROMGIT: Input: uinput - allow injecting event times ANDROID: fix up rpmsg_device ABI break ANDROID: fix up platform_device ABI break UPSTREAM: rpmsg: Fix possible refcount leak in rpmsg_register_device_override() UPSTREAM: rpmsg: glink: Release driver_override BACKPORT: rpmsg: Fix calling device_lock() on non-initialized device BACKPORT: rpmsg: Fix kfree() of static memory on setting driver_override UPSTREAM: rpmsg: Constify local variable in field store macro UPSTREAM: driver: platform: Add helper for safer setting of driver_override BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs() Revert "perf: Disallow mis-matched inherited group reads" Revert "xfrm: fix a data-race in xfrm_gen_index()" Revert "Bluetooth: hci_core: Fix build warnings" Revert "xfrm: interface: use DEV_STATS_INC()" Revert "netfilter: conntrack: allow sctp hearbeat after connection re-use" Revert "netfilter: conntrack: don't refresh sctp entries in closed state" Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp" Reapply "netfilter: conntrack: don't refresh sctp entries in closed state" Reapply "netfilter: conntrack: allow sctp hearbeat after connection re-use" Linux 5.4.259 xfrm6: fix inet6_dev refcount underflow problem Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Bluetooth: hci_sock: fix slab oob read in create_monitor_event phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins phy: mapphone-mdm6600: Fix runtime PM for remove phy: mapphone-mdm6600: Fix runtime disable on probe ASoC: pxa: fix a memory leak in probe() gpio: vf610: set value before the direction to avoid a glitch s390/pci: fix iommu bitmap allocation perf: Disallow mis-matched inherited group reads USB: serial: option: add Fibocom to DELL custom modem FM101R-GL USB: serial: option: add entry for Sierra EM9191 with new firmware USB: serial: option: add Telit LE910C4-WWX 0x1035 composition ACPI: irq: Fix incorrect return value in acpi_register_gsi() Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" mmc: core: Capture correct oemid-bits for eMMC cards mmc: core: sdio: hold retuning if sdio in 1-bit mode mtd: physmap-core: Restore map_rom fallback mtd: spinand: micron: correct bitmask for ecc status mtd: rawnand: qcom: Unmap the right resource upon probe failure Bluetooth: hci_event: Fix using memcmp when comparing keys HID: multitouch: Add required quirk for Synaptics 0xcd7e device btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c drm: panel-orientation-quirks: Add quirk for One Mix 2S sky2: Make sure there is at least one frag_addr available regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" wifi: cfg80211: avoid leaking stack data into trace wifi: mac80211: allow transmitting EAPOL frames with tainted key Bluetooth: hci_core: Fix build warnings Bluetooth: Avoid redundant authentication HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event tracing: relax trace_event_eval_update() execution with cond_resched() ata: libata-eh: Fix compilation warning in ata_eh_link_report() gpio: timberdale: Fix potential deadlock on &tgpio->lock overlayfs: set ctime when setting mtime and atime i2c: mux: Avoid potential false error message in i2c_mux_add_adapter btrfs: initialize start_slot in btrfs_log_prealloc_extents btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA ACPI: resource: Add ASUS model S5402ZA to quirks ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA ACPI: resources: Add DMI-based legacy IRQ override quirk ACPI: Drop acpi_dev_irqresource_disabled() resource: Add irqresource_disabled() net: pktgen: Fix interface flags printing netfilter: nft_set_rbtree: .deactivate fails if element has expired neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve i40e: prevent crash on probe if hw registers have invalid values net: usb: smsc95xx: Fix an error code in smsc95xx_reset() ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr tun: prevent negative ifindex tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb tcp: fix excessive TLP and RACK timeouts from HZ rounding net: rfkill: gpio: prevent value glitch during probe net: ipv6: fix return value check in esp_remove_trailer net: ipv4: fix return value check in esp_remove_trailer xfrm: interface: use DEV_STATS_INC() xfrm: fix a data-race in xfrm_gen_index() qed: fix LL2 RX buffer allocation netfilter: nft_payload: fix wrong mac header matching KVM: x86: Mask LVTPC when handling a PMI regmap: fix NULL deref on lookup nfc: nci: fix possible NULL pointer dereference in send_acknowledge() ice: fix over-shifted variable Bluetooth: avoid memcmp() out of bounds warning Bluetooth: hci_event: Fix coding style Bluetooth: vhci: Fix race when opening vhci device Bluetooth: Fix a refcnt underflow problem for hci_conn Bluetooth: Reject connection with the device which has same BD_ADDR Bluetooth: hci_event: Ignore NULL link key usb: hub: Guard against accesses to uninitialized BOS descriptors Documentation: sysctl: align cells in second content column dev_forward_skb: do not scrub skb mark within the same name space ravb: Fix use-after-free issue in ravb_tx_timeout_work() powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE dmaengine: mediatek: Fix deadlock caused by synchronize_irq() x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call usb: gadget: udc-xilinx: replace memcpy with memcpy_toio pinctrl: avoid unsafe code pattern in find_pinctrl() cgroup: Remove duplicates in cgroup v1 tasks file Input: xpad - add PXN V900 support Input: psmouse - fix fast_reconnect function for PS/2 mode Input: powermate - fix use-after-free in powermate_config_complete ceph: fix incorrect revoked caps assert in ceph_fill_file_size() libceph: use kernel_connect() mcb: remove is_added flag from mcb_device struct iio: pressure: ms5611: ms5611_prom_is_valid false negative bug iio: pressure: dps310: Adjust Timeout Settings iio: pressure: bmp280: Fix NULL pointer exception usb: musb: Modify the "HWVers" register address usb: musb: Get the musb_qh poniter after musb_giveback usb: dwc3: Soft reset phy on probe for host net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer dmaengine: stm32-mdma: abort resume if no ongoing transfer workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() nfc: nci: assert requested protocol is valid net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() ixgbe: fix crash with empty VF macvlan list drm/vmwgfx: fix typo of sizeof argument xen-netback: use default TX queue size for vifs mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type ieee802154: ca8210: Fix a potential UAF in ca8210_probe ravb: Fix up dma_free_coherent() call in ravb_remove() drm/msm/dsi: skip the wait for video mode done if not applicable drm: etvnaviv: fix bad backport leading to warning net: prevent address rewrite in kernel_bind() quota: Fix slow quotaoff HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect pwm: hibvt: Explicitly set .polarity in .get_state() lib/test_meminit: fix off-by-one error in test_pages() RDMA/cxgb4: Check skb value for failure to allocate Reapply "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "ring-buffer: Update "shortest_full" in polling" Revert "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "net: bridge: use DEV_STATS_INC()" FROMLIST: lib/test_meminit: fix off-by-one error in test_pages() Linux 5.4.258 xen/events: replace evtchn_rwlock with RCU ima: rework CONFIG_IMA dependency block NFS: Fix a race in __nfs_list_for_each_server() parisc: Restore __ldcw_align for PA-RISC 2.0 processors RDMA/mlx5: Fix NULL string error RDMA/siw: Fix connection failure handling RDMA/uverbs: Fix typo of sizeof argument RDMA/cma: Fix truncation compilation warning in make_cma_ports gpio: pxa: disable pinctrl calls for MMP_GPIO gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() IB/mlx4: Fix the size of a buffer in add_port_entries() RDMA/core: Require admin capabilities to set system parameters cpupower: add Makefile dependencies for install targets sctp: update hb timer immediately after users change hb_interval sctp: update transport state when processing a dupcook packet tcp: fix delayed ACKs for MSS boundary condition tcp: fix quick-ack counting to count actual ACKs of new data net: stmmac: dwmac-stm32: fix resume on STM32 MCU netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp net: nfc: llcp: Add lock when modifying device list net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() net: fix possible store tearing in neigh_periodic_work() modpost: add missing else to the "of" check NFSv4: Fix a nfs4_state_manager() race NFS: Add a helper nfs_client_for_each_server() NFS4: Trace state recovery operation wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling wifi: mwifiex: Fix tlv_buf_left calculation scsi: target: core: Fix deadlock due to recursive locking drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet regmap: rbtree: Fix wrong register marked as in-cache when creating new node wifi: iwlwifi: dbg_ini: fix structure packing ubi: Refuse attaching if mtd's erasesize is 0 net: prevent rewrite of msg_name in sock_sendmsg() net: replace calls to sock->ops->connect() with kernel_connect() fs: binfmt_elf_efpic: fix personality for ELF-FDPIC scsi: zfcp: Fix a double put in zfcp_port_enqueue() ata: libata-sata: increase PMP SRST timeout to 10s Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3" ata: libata-core: Do not register PM operations for SAS ports rbd: take header_rwsem in rbd_dev_refresh() only when updating ata: libata-core: Fix port and device removal rbd: decouple parent info read-in from updating rbd_dev ata: libata-core: Fix ata_port_request_pm() locking rbd: decouple header read-in from updating rbd_dev->header rbd: move rbd_dev_refresh() definition ring-buffer: Update "shortest_full" in polling i2c: i801: unregister tco_pdev in i801_probe() error path net: thunderbolt: Fix TCPv6 GSO checksum calculation ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES btrfs: properly report 0 avail for very full file systems ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() serial: 8250_port: Check IRQ data before use Smack:- Use overlay inode label in smack_inode_copy_up() smack: Retrieve transmuting information in smack_inode_getsecurity() smack: Record transmuting in smk_transmuted i40e: fix return of uninitialized aq_ret in i40e_set_vsi_promisc i40e: always propagate error value in i40e_set_vsi_promisc() ring-buffer: Avoid softlockup in ring_buffer_resize() selftests/ftrace: Correctly enable event in instance-event.tc i40e: improve locking of mac_filter_hash watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running watchdog: iTCO_wdt: No need to stop the timer in probe nvme-pci: do not set the NUMA node of device if it has none fbdev/sh7760fb: Depend on FB=y ncsi: Propagate carrier gain/loss events to the NCSI controller powerpc/watchpoints: Annotate atomic context in more places bpf: Clarify error expectations from bpf_clone_redirect spi: nxp-fspi: reset the FLSHxCR1 registers ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() parisc: irq: Make irq_stack_union static to avoid sparse warning parisc: drivers: Fix sparse warning parisc: iosapic.c: Fix sparse warnings parisc: sba: Fix compile warning wrt list of SBA devices gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip xtensa: boot/lib: fix function prototypes xtensa: boot: don't add include-dirs xtensa: iss/network: make functions static xtensa: add default definition for XCHAL_HAVE_DIV32 bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot clk: tegra: fix error return case for recalc_rate scsi: qla2xxx: Fix deletion race condition MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled scsi: qla2xxx: Fix update_fcport for current_topology ata: libata: disallow dev-initiated LPM transitions to unsupported states Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN drm/amd/display: prevent potential division by zero errors i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() drm/amd/display: Fix LFC multiplier changing erratically gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() drm/amd/display: Reinstate LFC optimization netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP net: rds: Fix possible NULL-pointer dereference team: fix null-ptr-deref when team device type is changed net: bridge: use DEV_STATS_INC() net: hns3: add 5ms delay before clear firmware reset irq source dccp: fix dccp_v4_err()/dccp_v6_err() again powerpc/perf/hv-24x7: Update domain value check ipv4: fix null-deref in ipv4_link_failure i40e: Fix VF VLAN offloading when port VLAN is configured i40e: Fix warning message and call stack during rmmod i40e driver i40e: Remove scheduling while atomic possibility i40e: Fix for persistent lldp support ASoC: imx-audmix: Fix return error with devm_clk_get() selftests: tls: swap the TX and RX sockets in some tests ASoC: meson: spdifin: start hw on dai probe selftests/tls: Add {} to avoid static checker warning ext4: do not let fstrim block system suspend bpf: Avoid deadlock when using queue and stack maps from NMI ext4: move setting of trimmed bit into ext4_try_to_trim_range() netfilter: nf_tables: disallow element removal on anonymous sets ext4: replace the traditional ternary conditional operator with with max()/min() ext4: mark group as trimmed only if it was fully scanned ext4: change s_last_trim_minblks type to unsigned long ext4: scope ret locally in ext4_try_to_trim_range() ext4: add new helper interface ext4_try_to_trim_range() ext4: remove the 'group' parameter of ext4_trim_extent ata: libahci: clear pending interrupt status tracing: Increase trace array ref count on enable and filter files SUNRPC: Mark the cred for revalidation if the server rejects it NFS/pNFS: Report EINVAL errors from connect() to the server Revert "drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01" Revert "usb: typec: bus: verify partner exists in typec_altmode_attention" Revert "fs/nls: make load_nls() take a const parameter" Revert "ip_tunnels: use DEV_STATS_INC()" Linux 5.4.257 net/sched: Retire rsvp classifier drm/amdgpu: fix amdgpu_cs_p1_user_fence mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller ext4: fix rec_len verify error scsi: megaraid_sas: Fix deadlock on firmware crashdump i2c: aspeed: Reset the i2c controller when timeout occurs tracefs: Add missing lockdown check to tracefs_create_dir() nfsd: fix change_info in NFSv4 RENAME replies tracing: Have option files inc the trace array ref count tracing: Have current_trace inc the trace array ref count btrfs: fix lockdep splat and potential deadlock after failure running delayed items attr: block mode changes of symlinks md/raid1: fix error: ISO C90 forbids mixed declarations selftests: tracing: Fix to unmount tracefs for recovering environment btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super btrfs: add a helper to read the superblock metadata_uuid btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h perf tools: Add an option to build without libbfd perf jevents: Make build dependency on test JSONs tools features: Add feature test to check if libbfd has buildid support kobject: Add sanity check for kset->kobj.ktype in kset_register() media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning serial: cpm_uart: Avoid suspicious locking scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc media: pci: cx23885: replace BUG with error return media: tuners: qt1010: replace BUG_ON with a regular error media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() media: anysee: fix null-ptr-deref in anysee_master_xfer media: af9005: Fix null-ptr-deref in af9005_i2c_xfer media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer powerpc/pseries: fix possible memory leak in ibmebus_bus_init() jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() ext2: fix datatype of block number in ext2_xattr_set2() md: raid1: fix potential OOB in raid1_remove_disk() bus: ti-sysc: Configure uart quirks for k3 SoC drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() wifi: mac80211_hwsim: drop short frames alx: fix OOB-read compiler warning mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 tpm_tis: Resend command to recover from data transfer errors crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() wifi: mwifiex: fix fortify warning wifi: ath9k: fix printk specifier devlink: remove reload failed checks in params get/set callbacks hw_breakpoint: fix single-stepping when using bpf_overflow_handler perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 kernel/fork: beware of __put_task_struct() calling context ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock btrfs: output extra debug info if we failed to find an inline backref autofs: fix memory leak of waitqueues in autofs_catatonic_mode parisc: Drop loops_per_jiffy from per_cpu struct drm/amd/display: Fix a bug when searching for insert_above_mpcc kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). ixgbe: fix timestamp configuration code net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() platform/mellanox: mlxbf-tmfifo: Drop jumbo frames mlxbf-tmfifo: sparse tags for config access platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors kcm: Fix memory leak in error path of kcm_sendmsg() r8152: check budget for r8152_poll() net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() net: ipv4: fix one memleak in __inet_del_ifa() clk: imx8mm: Move 1443X/1416X PLL clock structure to common place ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 usb: typec: bus: verify partner exists in typec_altmode_attention usb: typec: tcpm: Refactor tcpm_handle_vdm_request usb: typec: tcpm: Refactor tcpm_handle_vdm_request payload handling perf tools: Handle old data in PERF_RECORD_ATTR perf hists browser: Fix hierarchy mode header mtd: rawnand: brcmnand: Fix potential false time out warning mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write mtd: rawnand: brcmnand: Fix crash during the panic_write btrfs: use the correct superblock to compare fsid in btrfs_validate_super btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART fuse: nlookup missing decrement in fuse_direntplus_link ata: pata_ftide010: Add missing MODULE_DESCRIPTION ata: sata_gemini: Add missing MODULE_DESCRIPTION sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() net: hns3: fix the port information display when sfp is absent netfilter: nfnetlink_osf: avoid OOB read ip_tunnels: use DEV_STATS_INC() idr: fix param name in idr_alloc_cyclic() doc s390/zcrypt: don't leak memory if dev_set_name() fails igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 kcm: Destroy mutex in kcm_exit_net() net: sched: sch_qfq: Fix UAF in qfq_dequeue() af_unix: Fix data race around sk->sk_err. af_unix: Fix data-races around sk->sk_shutdown. af_unix: Fix data-race around unix_tot_inflight. af_unix: Fix data-races around user->unix_inflight. net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr veth: Fixing transmit return status for dropped packets igb: disable virtualization features on 82580 net: read sk->sk_family once in sk_mc_loop() ipv4: annotate data-races around fi->fib_dead sctp: annotate data-races around sk->sk_wmem_queued pwm: lpc32xx: Remove handling of PWM channels watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load perf top: Don't pass an ERR_PTR() directly to perf_session__delete() x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() perf annotate bpf: Don't enclose non-debug code with an assert() kconfig: fix possible buffer overflow NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info soc: qcom: qmi_encdec: Restrict string length in decode clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock parisc: led: Reduce CPU overhead for disk & lan LED computation parisc: led: Fix LAN receive and transmit LEDs lib/test_meminit: allocate pages up to order MAX_ORDER drm/ast: Fix DRAM init on AST2200 fbdev/ep93xx-fb: Do not assign to struct fb_info.dev scsi: qla2xxx: Remove unsupported ql2xenabledif option scsi: qla2xxx: Turn off noisy message log scsi: qla2xxx: Fix erroneous link up failure scsi: qla2xxx: fix inconsistent TMF timeout net/ipv6: SKB symmetric hash should incorporate transport ports drm: fix double free for gbo in drm_gem_vram_init and drm_gem_vram_create udf: initialize newblock to 0 usb: typec: tcpci: clear the fault status bit serial: sc16is7xx: fix broken port 0 uart init sc16is7xx: Set iobase to device index cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug crypto: stm32 - fix loop iterating through scatterlist for DMA s390/ipl: add missing secure/has_secure file to ipl type 'unknown' pstore/ram: Check start of empty przs during init fsverity: skip PKCS#7 parser when keyring is empty net: handle ARPHRD_PPP in dev_is_mac_header_xmit() X.509: if signature is unsupported skip validation dccp: Fix out of bounds access in DCCP error handler dlm: fix plock lookup when using multiple lockspaces parisc: Fix /proc/cpuinfo output for lscpu procfs: block chmod on /proc/thread-self/comm Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset" ntb: Fix calculation ntb_transport_tx_free_entry() ntb: Clean up tx tail index on link down ntb: Drop packets when qp link is down media: dvb: symbol fixup for dvb_attach() xtensa: PMU: fix base address for the newer hardware backlight/lv5207lp: Compare against struct fb_info.device backlight/bd6107: Compare against struct fb_info.device backlight/gpio_backlight: Compare against struct fb_info.device ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() ipmi_si: fix a memleak in try_smi_init() ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl PM / devfreq: Fix leak in devfreq_dev_release() igb: set max size RX buffer when store bad packet is enabled skbuff: skb_segment, Call zero copy functions before using skbuff frags netfilter: xt_sctp: validate the flag_info count netfilter: xt_u32: validate user space input netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU virtio_ring: fix avail_wrap_counter in virtqueue_add_packed cpufreq: Fix the race condition while updating the transition_task of policy dmaengine: ste_dma40: Add missing IRQ check in d40_probe um: Fix hostaudio build errors mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() rpmsg: glink: Add check for kstrdup phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 tracing: Fix race issue between cpu buffer write and swap x86/speculation: Mark all Skylake CPUs as vulnerable to GDS HID: multitouch: Correct devm device reference for hidinput input_dev name HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() RDMA/siw: Correct wrong debug message RDMA/siw: Balance the reference of cep->kref in the error path Revert "IB/isert: Fix incorrect release of isert connection" amba: bus: fix refcount leak serial: tegra: handle clk prepare error in tegra_uart_hw_init() scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock scsi: core: Use 32-bit hostnum in scsi_host_lookup() media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors media: ov2680: Fix vflip / hflip set functions media: ov2680: Fix ov2680_bayer_order() media: ov2680: Remove auto-gain and auto-exposure controls media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips media: ov5640: Enable MIPI interface in ov5640_set_power_mipi() media: i2c: ov5640: Configure HVP lines in s_power callback USB: gadget: f_mass_storage: Fix unused variable warning media: go7007: Remove redundant if statement iommu/vt-d: Fix to flush cache of PASID directory table IB/uverbs: Fix an potential error pointer dereference driver core: test_async: fix an error code dma-buf/sync_file: Fix docs syntax coresight: tmc: Explicit type conversions to prevent integer overflow scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly x86/APM: drop the duplicate APM_MINOR_DEV macro serial: sprd: Fix DMA buffer leak issue serial: sprd: Assign sprd_port after initialized to avoid wrong access serial: sprd: remove redundant sprd_port cleanup serial: sprd: getting port index via serial aliases only scsi: qla4xxx: Add length check when parsing nlattrs scsi: be2iscsi: Add length check when parsing nlattrs scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() media: mediatek: vcodec: Return NULL if no vdec_fb is found media: cx24120: Add retval check for cx24120_message_send() media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() media: dib7000p: Fix potential division by zero drivers: usb: smsusb: fix error handling code in smsusb_init_device media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() media: v4l2-fwnode: simplify v4l2_fwnode_parse_link media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN NFSD: da_addr_body field missing in some GETDEVICEINFO replies fs: lockd: avoid possible wrong NULL parameter jfs: validate max amount of blocks before allocation. powerpc/iommu: Fix notifiers being shared by PCI and VIO buses nfs/blocklayout: Use the passed in gfp flags wifi: ath10k: Use RMW accessors for changing LNKCTL drm/radeon: Use RMW accessors for changing LNKCTL drm/radeon: Prefer pcie_capability_read_word() drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/radeon: Correct Transmit Margin masks drm/amdgpu: Use RMW accessors for changing LNKCTL drm/amdgpu: Prefer pcie_capability_read_word() drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/amdgpu: Correct Transmit Margin masks PCI: Add #defines for Enter Compliance, Transmit Margin powerpc/fadump: reset dump area size if fadump memory reserve fails clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op PCI/ASPM: Use RMW accessors for changing LNKCTL PCI: pciehp: Use RMW accessors for changing LNKCTL PCI: Mark NVIDIA T4 GPUs to avoid bus reset clk: sunxi-ng: Modify mismatched function name drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() ipmi:ssif: Fix a memory leak when scanning for an adapter ipmi:ssif: Add check for kstrdup ALSA: ac97: Fix possible error value of *rac97 of: unittest: Fix overlay type in apply/revert check drm/mediatek: Fix potential memory leak if vmap() fail audit: fix possible soft lockup in __audit_inode_child() smackfs: Prevent underflow in smk_set_cipso() drm/msm/mdp5: Don't leak some plane state ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01 drm/armada: Fix off-by-one error in armada_overlay_get_property() of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() drm/tegra: dpaux: Fix incorrect return value of platform_get_irq drm/tegra: Remove superfluous error messages around platform_get_irq() md/md-bitmap: hold 'reconfig_mutex' in backlog_store() md/bitmap: don't set max_write_behind if there is no write mostly device drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC ARM: dts: BCM53573: Fix Ethernet info for Luxul devices drm: adv7511: Fix low refresh rate register for ADV7533/5 ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split) ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210 ARM: dts: s5pv210: correct ethernet unit address in SMDKV210 ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210 ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210 ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split) ARM: dts: s3c64xx: align pinctrl with dtschema ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410 ARM: dts: s3c6410: move fixed clocks under root node in Mini6410 drm/etnaviv: fix dumping of active MMU context ARM: dts: BCM53573: Use updated "spi-gpio" binding properties ARM: dts: BCM53573: Add cells sizes to PCIe node ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar() quota: fix dqput() to follow the guarantees dquot_srcu should provide quota: add new helper dquot_active() quota: rename dquot_active() to inode_quota_active() quota: factor out dquot_write_dquot() quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list drm/bridge: tc358764: Fix debug print parameter order netrom: Deny concurrent connect(). net/sched: sch_hfsc: Ensure inner classes have fsc curve mlxsw: i2c: Limit single transaction buffer size mlxsw: i2c: Fix chunk size setting in output mailbox buffer net: arcnet: Do not call kfree_skb() under local_irq_disable() wifi: ath9k: use IS_ERR() with debugfs_create_dir() wifi: mwifiex: avoid possible NULL skb pointer dereference wifi: ath9k: protect WMI command response buffer replacement with a lock wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx wifi: mwifiex: Fix missed return in oob checks failed path wifi: mwifiex: fix memory leak in mwifiex_histogram_read() fs: ocfs2: namei: check return value of ocfs2_add_entry() lwt: Check LWTUNNEL_XMIT_CONTINUE strictly lwt: Fix return values of BPF xmit ops hwrng: iproc-rng200 - Implement suspend and resume calls hwrng: iproc-rng200 - use semicolons rather than commas to separate statements crypto: caam - fix unchecked return value error Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() crypto: stm32 - Properly handle pm_runtime_get failing wifi: mwifiex: fix error recovery in PCIE buffer descriptor management mwifiex: switch from 'pci_' to 'dma_' API wifi: mwifiex: Fix OOB and integer underflow when rx packets can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe() regmap: rbtree: Use alloc_flags for memory allocations tcp: tcp_enter_quickack_mode() should be static bpf: Clear the probe_addr for uprobe cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit() perf/imx_ddr: don't enable counter0 if none of 4 counters are used x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved x86/boot: Annotate local functions x86/asm: Make more symbols local OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() tmpfs: verify {g,u}id mount options correctly fs: Fix error checking for d_hash_and_lookup() new helper: lookup_positive_unlocked() eventfd: prevent underflow for eventfd semaphores eventfd: Export eventfd_ctx_do_read() reiserfs: Check the return value from __getblk() Revert "net: macsec: preserve ingress frame ordering" udf: Handle error when adding extent to a file udf: Check consistency of Space Bitmap Descriptor powerpc/32s: Fix assembler warning about r0 net: Avoid address overwrite in kernel_connect platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications ALSA: seq: oss: Fix racy open/close of MIDI devices scsi: storvsc: Always set no_report_opcodes cifs: add a warning when the in-flight count goes negative sctp: handle invalid error codes without calling BUG() bnx2x: fix page fault following EEH recovery netlabel: fix shift wrapping bug in netlbl_catmap_setlong() scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM net: usb: qmi_wwan: add Quectel EM05GV2 clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM security: keys: perform capable check only on privileged operations platform/x86: huawei-wmi: Silence ambient light sensor platform/x86: intel: hid: Always call BTNL ACPI method ASoC: atmel: Fix the 8K sample parameter in I2SC master ASoc: codecs: ES8316: Fix DMIC config fs/nls: make load_nls() take a const parameter s390/dasd: fix hanging device after request requeue s390/dasd: use correct number of retries for ERP requests m68k: Fix invalid .section syntax vxlan: generalize vxlan_parse_gpe_hdr and remove unused args ethernet: atheros: fix return value check in atl1c_tso_csum() ASoC: da7219: Check for failure reading AAD IRQ events ASoC: da7219: Flush pending AAD IRQ when suspending 9p: virtio: make sure 'offs' is initialized in zc_request pinctrl: amd: Don't show `Invalid config param` errors nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() fsi: master-ast-cf: Add MODULE_FIRMWARE macro firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe serial: sc16is7xx: fix bug when first setting GPIO direction Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition staging: rtl8712: fix race condition HID: wacom: remove the battery when the EKR is off USB: serial: option: add FOXCONN T99W368/T99W373 product USB: serial: option: add Quectel EM05G variant (0x030e) modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index mmc: au1xmmc: force non-modular build and remove symbol_get usage ARM: pxa: remove use of symbol_get() erofs: ensure that the post-EOF tails are all zeroed Linux 5.4.256 Revert "MIPS: Alchemy: fix dbdma2" powerpc/pmac/smp: Drop unnecessary volatile qualifier powerpc/pmac/smp: Avoid unused-variable warnings Revert "drm/display/dp: Fix the DP DSC Receiver cap size" Revert "macsec: Fix traffic counters/statistics" Revert "macsec: use DEV_STATS_INC()" ANDROID: GKI: add back pm_runtime_get_if_in_use() Revert "interconnect: Add helpers for enabling/disabling a path" Revert "interconnect: Do not skip aggregation for disabled paths" Revert "ALSA: pcm: Set per-card upper limit of PCM buffer allocations" Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" Revert "ALSA: pcm: Fix potential data race at PCM memory allocation helpers" Revert "ALSA: pcm: Fix build error on m68k and others" Revert "Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available"" Revert "ALSA: pcm: Check for null pointer of pointer substream before dereferencing it" Linux 5.4.255 dma-buf/sw_sync: Avoid recursive lock during fence signal pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' scsi: core: raid_class: Remove raid_component_add() scsi: snic: Fix double free in snic_tgt_create() irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable Documentation/sysctl: document page_lock_unfairness ALSA: pcm: Check for null pointer of pointer substream before dereferencing it interconnect: Do not skip aggregation for disabled paths Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" ALSA: pcm: Fix build error on m68k and others rtnetlink: Reject negative ifindexes in RTM_NEWLINK mm: allow a controlled amount of unfairness in the page lock x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 drm/display/dp: Fix the DP DSC Receiver cap size PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus media: vcodec: Fix potential array out-of-bounds in encoder queue_setup radix tree: remove unused variable lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels batman-adv: Hold rtnl lock during MTU update via netlink batman-adv: Fix batadv_v_ogm_aggr_send memory leak batman-adv: Fix TT global entry leak when client roamed back batman-adv: Do not get eth header before batadv_check_management_packet batman-adv: Don't increase MTU when set by user batman-adv: Trigger events for auto adjusted MTU nfsd: Fix race to FREE_STATEID and cl_revoked clk: Fix slab-out-of-bounds error in devm_clk_release() NFSv4: Fix dropped lock for racing OPEN and delegation return ibmveth: Use dcbf rather than dcbfl bonding: fix macvlan over alb bond support net: remove bond_slave_has_mac_rcu() net/sched: fix a qdisc modification with ambiguous command request igb: Avoid starting unnecessary workqueues net: validate veth and vxcan peer ifindexes net: bcmgenet: Fix return value check for fixed_phy_register() net: bgmac: Fix return value check for fixed_phy_register() ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() dccp: annotate data-races in dccp_poll() sock: annotate data-races around prot->memory_pressure octeontx2-af: SDP: fix receive link config tracing: Fix memleak due to race between current_tracer and trace drm/amd/display: check TG is non-null before checking if enabled drm/amd/display: do not wait for mpc idle if tg is disabled ASoC: fsl_sai: Disable bit clock with transmitter ASoC: fsl_sai: Add new added registers and new bit definition ASoC: fsl_sai: Refine enable/disable TE/RE sequence in trigger() regmap: Account for register length in SMBus I/O limits ALSA: pcm: Fix potential data race at PCM memory allocation helpers ALSA: pcm: Use SG-buffer only when direct DMA is available ALSA: pcm: Set per-card upper limit of PCM buffer allocations dm integrity: reduce vmalloc space footprint on 32-bit architectures dm integrity: increase RECALC_SECTORS to improve recalculate speed fbdev: fix potential OOB read in fast_imageblit() fbdev: Fix sys_imageblit() for arbitrary image widths fbdev: Improve performance of sys_imageblit() MIPS: cpu-features: Use boot_cpu_type for CPU type based features MIPS: cpu-features: Enable octeon_cache by cpu_type fs: dlm: fix mismatch of plock results from userspace fs: dlm: use dlm_plock_info for do_unlock_close fs: dlm: change plock interrupted message to debug again fs: dlm: add pid to debug log dlm: replace usage of found with dedicated list iterator variable dlm: improve plock logging if interrupted PCI: acpiphp: Reassign resources on bridge if necessary net: phy: broadcom: stub c45 read/write for 54810 mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled virtio-net: set queues after driver_ok af_unix: Fix null-ptr-deref in unix_stream_sendpage(). netfilter: set default timeout to 3 secs for sctp shutdown send and recv state mmc: block: Fix in_flight[issue_type] value error mmc: wbsd: fix double mmc_free_host() in wbsd_init() cifs: Release folio lock on fscache read hit. ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. serial: 8250: Fix oops for port->pm on uart_change_pm() ASoC: meson: axg-tdm-formatter: fix channel slot allocation ASoC: rt5665: add missed regulator_bulk_disable ARM: dts: imx: Set default tuning step for imx6sx usdhc ARM: dts: imx: Set default tuning step for imx7d usdhc ARM: dts: imx: Adjust dma-apbh node name ARM: dts: imx7s: Drop dma-apb interrupt-names bus: ti-sysc: Flush posted write on enable before reset bus: ti-sysc: Improve reset to work with modules with no sysconfig net: do not allow gso_size to be set to GSO_BY_FRAGS sock: Fix misuse of sk_under_memory_pressure() net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset i40e: fix misleading debug logs team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves netfilter: nft_dynset: disallow object maps ipvs: fix racy memcpy in proc_do_sync_threshold selftests: mirror_gre_changes: Tighten up the TTL test match xfrm: add NULL check in xfrm_update_ae_params ip_vti: fix potential slab-use-after-free in decode_session6 ip6_vti: fix slab-use-after-free in decode_session6 xfrm: fix slab-use-after-free in decode_session6 xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c net: af_key: fix sadb_x_filter validation net: xfrm: Fix xfrm_address_filter OOB read btrfs: fix BUG_ON condition in btrfs_cancel_balance tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms powerpc/rtas_flash: allow user copy to flash block cache objects fbdev: mmp: fix value check in mmphw_probe() i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue virtio-mmio: don't break lifecycle of vm_dev virtio-mmio: Use to_virtio_mmio_device() to simply code virtio-mmio: convert to devm_platform_ioremap_resource nfsd: Remove incorrect check in nfsd4_validate_stateid nfsd4: kill warnings on testing stateids with mismatched clientids net/ncsi: Fix gma flag setting after response tracing/probes: Fix to update dynamic data counter if fetcharg uses it tracing/probes: Have process_fetch_insn() take a void * instead of pt_regs leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename mmc: sunxi: fix deferred probing mmc: bcm2835: fix deferred probing USB: dwc3: qcom: fix NULL-deref on suspend usb: dwc3: qcom: Add helper functions to enable,disable wake irqs interconnect: Add helpers for enabling/disabling a path interconnect: Move internal structs into a separate file irqchip/mips-gic: Use raw spinlock for gic_lock irqchip/mips-gic: Get rid of the reliance on irq_cpu_online() ALSA: hda: Fix unhandled register update during auto-suspend period PM: runtime: Add pm_runtime_get_if_active() PM-runtime: add tracepoints for usage_count changes iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE iio: addac: stx104: Fix race condition when converting analog-to-digital iio: addac: stx104: Fix race condition for stx104_write_raw() iio: stx104: Move to addac subdirectory iio: adc: stx104: Implement and utilize register structures iio: adc: stx104: Utilize iomap interface iio: add addac subdirectory IMA: allow/fix UML builds powerpc/kasan: Disable KCOV in KASAN code ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 drm/amdgpu: Fix potential fence use-after-free v2 Bluetooth: L2CAP: Fix use-after-free pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() gfs2: Fix possible data races in gfs2_show_options() usb: chipidea: imx: don't request QoS for imx8ulp media: platform: mediatek: vpu: fix NULL ptr dereference media: v4l2-mem2mem: add lock to protect parameter num_rdy FS: JFS: Check for read-only mounted filesystem in txBegin FS: JFS: Fix null-ptr-deref Read in txBegin MIPS: dec: prom: Address -Warray-bounds warning fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev udf: Fix uninitialized array access for some pathnames ovl: check type and offset of struct vfsmount in ovl_entry HID: add quirk for 03f0:464a HP Elite Presenter Mouse quota: fix warning in dqgrab() quota: Properly disable quotas when add_dquot_ref() fails ALSA: emu10k1: roll up loops in DSP setup code for Audigy drm/radeon: Fix integer overflow in radeon_cs_parser_init macsec: use DEV_STATS_INC() macsec: Fix traffic counters/statistics selftests: forwarding: tc_flower: Relax success criterion mmc: sdhci-f-sdh30: Replace with sdhci_pltfm mmc: sdhci_f_sdh30: convert to devm_platform_ioremap_resource Conflicts: drivers/devfreq/devfreq.c drivers/mmc/core/block.c drivers/rpmsg/qcom_glink_native.c include/net/tcp.h Change-Id: Ic33d13451796752e101ed9f9bdb8c80a580af8b5
4368 lines
106 KiB
C
4368 lines
106 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* drivers/net/macsec.c - MACsec device
|
|
*
|
|
* Copyright (c) 2015 Sabrina Dubroca <sd@queasysnail.net>
|
|
*/
|
|
|
|
#include <linux/types.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/socket.h>
|
|
#include <linux/module.h>
|
|
#include <crypto/aead.h>
|
|
#include <linux/etherdevice.h>
|
|
#include <linux/netdevice.h>
|
|
#include <linux/rtnetlink.h>
|
|
#include <linux/refcount.h>
|
|
#include <net/genetlink.h>
|
|
#include <net/sock.h>
|
|
#include <net/gro_cells.h>
|
|
#include <net/macsec.h>
|
|
#include <linux/if_arp.h>
|
|
#include <linux/phy.h>
|
|
#include <linux/byteorder/generic.h>
|
|
|
|
#include <uapi/linux/if_macsec.h>
|
|
|
|
#define MACSEC_SCI_LEN 8
|
|
|
|
/* SecTAG length = macsec_eth_header without the optional SCI */
|
|
#define MACSEC_TAG_LEN 6
|
|
|
|
struct macsec_eth_header {
|
|
struct ethhdr eth;
|
|
/* SecTAG */
|
|
u8 tci_an;
|
|
#if defined(__LITTLE_ENDIAN_BITFIELD)
|
|
u8 short_length:6,
|
|
unused:2;
|
|
#elif defined(__BIG_ENDIAN_BITFIELD)
|
|
u8 unused:2,
|
|
short_length:6;
|
|
#else
|
|
#error "Please fix <asm/byteorder.h>"
|
|
#endif
|
|
__be32 packet_number;
|
|
u8 secure_channel_id[8]; /* optional */
|
|
} __packed;
|
|
|
|
#define MACSEC_TCI_VERSION 0x80
|
|
#define MACSEC_TCI_ES 0x40 /* end station */
|
|
#define MACSEC_TCI_SC 0x20 /* SCI present */
|
|
#define MACSEC_TCI_SCB 0x10 /* epon */
|
|
#define MACSEC_TCI_E 0x08 /* encryption */
|
|
#define MACSEC_TCI_C 0x04 /* changed text */
|
|
#define MACSEC_AN_MASK 0x03 /* association number */
|
|
#define MACSEC_TCI_CONFID (MACSEC_TCI_E | MACSEC_TCI_C)
|
|
|
|
/* minimum secure data length deemed "not short", see IEEE 802.1AE-2006 9.7 */
|
|
#define MIN_NON_SHORT_LEN 48
|
|
|
|
#define GCM_AES_IV_LEN 12
|
|
#define DEFAULT_ICV_LEN 16
|
|
|
|
#define for_each_rxsc(secy, sc) \
|
|
for (sc = rcu_dereference_bh(secy->rx_sc); \
|
|
sc; \
|
|
sc = rcu_dereference_bh(sc->next))
|
|
#define for_each_rxsc_rtnl(secy, sc) \
|
|
for (sc = rtnl_dereference(secy->rx_sc); \
|
|
sc; \
|
|
sc = rtnl_dereference(sc->next))
|
|
|
|
#define pn_same_half(pn1, pn2) (!(((pn1) >> 31) ^ ((pn2) >> 31)))
|
|
|
|
struct gcm_iv_xpn {
|
|
union {
|
|
u8 short_secure_channel_id[4];
|
|
ssci_t ssci;
|
|
};
|
|
__be64 pn;
|
|
} __packed;
|
|
|
|
struct gcm_iv {
|
|
union {
|
|
u8 secure_channel_id[8];
|
|
sci_t sci;
|
|
};
|
|
__be32 pn;
|
|
};
|
|
|
|
#define MACSEC_VALIDATE_DEFAULT MACSEC_VALIDATE_STRICT
|
|
|
|
struct pcpu_secy_stats {
|
|
struct macsec_dev_stats stats;
|
|
struct u64_stats_sync syncp;
|
|
};
|
|
|
|
/**
|
|
* struct macsec_dev - private data
|
|
* @secy: SecY config
|
|
* @real_dev: pointer to underlying netdevice
|
|
* @stats: MACsec device stats
|
|
* @secys: linked list of SecY's on the underlying device
|
|
* @offload: status of offloading on the MACsec device
|
|
*/
|
|
struct macsec_dev {
|
|
struct macsec_secy secy;
|
|
struct net_device *real_dev;
|
|
struct pcpu_secy_stats __percpu *stats;
|
|
struct list_head secys;
|
|
struct gro_cells gro_cells;
|
|
enum macsec_offload offload;
|
|
};
|
|
|
|
/**
|
|
* struct macsec_rxh_data - rx_handler private argument
|
|
* @secys: linked list of SecY's on this underlying device
|
|
*/
|
|
struct macsec_rxh_data {
|
|
struct list_head secys;
|
|
};
|
|
|
|
static struct macsec_dev *macsec_priv(const struct net_device *dev)
|
|
{
|
|
return (struct macsec_dev *)netdev_priv(dev);
|
|
}
|
|
|
|
static struct macsec_rxh_data *macsec_data_rcu(const struct net_device *dev)
|
|
{
|
|
return rcu_dereference_bh(dev->rx_handler_data);
|
|
}
|
|
|
|
static struct macsec_rxh_data *macsec_data_rtnl(const struct net_device *dev)
|
|
{
|
|
return rtnl_dereference(dev->rx_handler_data);
|
|
}
|
|
|
|
struct macsec_cb {
|
|
struct aead_request *req;
|
|
union {
|
|
struct macsec_tx_sa *tx_sa;
|
|
struct macsec_rx_sa *rx_sa;
|
|
};
|
|
u8 assoc_num;
|
|
bool valid;
|
|
bool has_sci;
|
|
};
|
|
|
|
static struct macsec_rx_sa *macsec_rxsa_get(struct macsec_rx_sa __rcu *ptr)
|
|
{
|
|
struct macsec_rx_sa *sa = rcu_dereference_bh(ptr);
|
|
|
|
if (!sa || !sa->active)
|
|
return NULL;
|
|
|
|
if (!refcount_inc_not_zero(&sa->refcnt))
|
|
return NULL;
|
|
|
|
return sa;
|
|
}
|
|
|
|
static void free_rx_sc_rcu(struct rcu_head *head)
|
|
{
|
|
struct macsec_rx_sc *rx_sc = container_of(head, struct macsec_rx_sc, rcu_head);
|
|
|
|
free_percpu(rx_sc->stats);
|
|
kfree(rx_sc);
|
|
}
|
|
|
|
static struct macsec_rx_sc *macsec_rxsc_get(struct macsec_rx_sc *sc)
|
|
{
|
|
return refcount_inc_not_zero(&sc->refcnt) ? sc : NULL;
|
|
}
|
|
|
|
static void macsec_rxsc_put(struct macsec_rx_sc *sc)
|
|
{
|
|
if (refcount_dec_and_test(&sc->refcnt))
|
|
call_rcu(&sc->rcu_head, free_rx_sc_rcu);
|
|
}
|
|
|
|
static void free_rxsa(struct rcu_head *head)
|
|
{
|
|
struct macsec_rx_sa *sa = container_of(head, struct macsec_rx_sa, rcu);
|
|
|
|
crypto_free_aead(sa->key.tfm);
|
|
free_percpu(sa->stats);
|
|
kfree(sa);
|
|
}
|
|
|
|
static void macsec_rxsa_put(struct macsec_rx_sa *sa)
|
|
{
|
|
if (refcount_dec_and_test(&sa->refcnt))
|
|
call_rcu(&sa->rcu, free_rxsa);
|
|
}
|
|
|
|
static struct macsec_tx_sa *macsec_txsa_get(struct macsec_tx_sa __rcu *ptr)
|
|
{
|
|
struct macsec_tx_sa *sa = rcu_dereference_bh(ptr);
|
|
|
|
if (!sa || !sa->active)
|
|
return NULL;
|
|
|
|
if (!refcount_inc_not_zero(&sa->refcnt))
|
|
return NULL;
|
|
|
|
return sa;
|
|
}
|
|
|
|
static void free_txsa(struct rcu_head *head)
|
|
{
|
|
struct macsec_tx_sa *sa = container_of(head, struct macsec_tx_sa, rcu);
|
|
|
|
crypto_free_aead(sa->key.tfm);
|
|
free_percpu(sa->stats);
|
|
kfree(sa);
|
|
}
|
|
|
|
static void macsec_txsa_put(struct macsec_tx_sa *sa)
|
|
{
|
|
if (refcount_dec_and_test(&sa->refcnt))
|
|
call_rcu(&sa->rcu, free_txsa);
|
|
}
|
|
|
|
static struct macsec_cb *macsec_skb_cb(struct sk_buff *skb)
|
|
{
|
|
BUILD_BUG_ON(sizeof(struct macsec_cb) > sizeof(skb->cb));
|
|
return (struct macsec_cb *)skb->cb;
|
|
}
|
|
|
|
#define MACSEC_PORT_ES (htons(0x0001))
|
|
#define MACSEC_PORT_SCB (0x0000)
|
|
#define MACSEC_UNDEF_SCI ((__force sci_t)0xffffffffffffffffULL)
|
|
#define MACSEC_UNDEF_SSCI ((__force ssci_t)0xffffffff)
|
|
|
|
#define MACSEC_GCM_AES_128_SAK_LEN 16
|
|
#define MACSEC_GCM_AES_256_SAK_LEN 32
|
|
|
|
#define DEFAULT_SAK_LEN MACSEC_GCM_AES_128_SAK_LEN
|
|
#define DEFAULT_XPN false
|
|
#define DEFAULT_SEND_SCI true
|
|
#define DEFAULT_ENCRYPT false
|
|
#define DEFAULT_ENCODING_SA 0
|
|
|
|
static bool send_sci(const struct macsec_secy *secy)
|
|
{
|
|
const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
|
|
return tx_sc->send_sci ||
|
|
(secy->n_rx_sc > 1 && !tx_sc->end_station && !tx_sc->scb);
|
|
}
|
|
|
|
static sci_t make_sci(u8 *addr, __be16 port)
|
|
{
|
|
sci_t sci;
|
|
|
|
memcpy(&sci, addr, ETH_ALEN);
|
|
memcpy(((char *)&sci) + ETH_ALEN, &port, sizeof(port));
|
|
|
|
return sci;
|
|
}
|
|
|
|
static sci_t macsec_frame_sci(struct macsec_eth_header *hdr, bool sci_present)
|
|
{
|
|
sci_t sci;
|
|
|
|
if (sci_present)
|
|
memcpy(&sci, hdr->secure_channel_id,
|
|
sizeof(hdr->secure_channel_id));
|
|
else
|
|
sci = make_sci(hdr->eth.h_source, MACSEC_PORT_ES);
|
|
|
|
return sci;
|
|
}
|
|
|
|
static unsigned int macsec_sectag_len(bool sci_present)
|
|
{
|
|
return MACSEC_TAG_LEN + (sci_present ? MACSEC_SCI_LEN : 0);
|
|
}
|
|
|
|
static unsigned int macsec_hdr_len(bool sci_present)
|
|
{
|
|
return macsec_sectag_len(sci_present) + ETH_HLEN;
|
|
}
|
|
|
|
static unsigned int macsec_extra_len(bool sci_present)
|
|
{
|
|
return macsec_sectag_len(sci_present) + sizeof(__be16);
|
|
}
|
|
|
|
/* Fill SecTAG according to IEEE 802.1AE-2006 10.5.3 */
|
|
static void macsec_fill_sectag(struct macsec_eth_header *h,
|
|
const struct macsec_secy *secy, u32 pn,
|
|
bool sci_present)
|
|
{
|
|
const struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
|
|
memset(&h->tci_an, 0, macsec_sectag_len(sci_present));
|
|
h->eth.h_proto = htons(ETH_P_MACSEC);
|
|
|
|
if (sci_present) {
|
|
h->tci_an |= MACSEC_TCI_SC;
|
|
memcpy(&h->secure_channel_id, &secy->sci,
|
|
sizeof(h->secure_channel_id));
|
|
} else {
|
|
if (tx_sc->end_station)
|
|
h->tci_an |= MACSEC_TCI_ES;
|
|
if (tx_sc->scb)
|
|
h->tci_an |= MACSEC_TCI_SCB;
|
|
}
|
|
|
|
h->packet_number = htonl(pn);
|
|
|
|
/* with GCM, C/E clear for !encrypt, both set for encrypt */
|
|
if (tx_sc->encrypt)
|
|
h->tci_an |= MACSEC_TCI_CONFID;
|
|
else if (secy->icv_len != DEFAULT_ICV_LEN)
|
|
h->tci_an |= MACSEC_TCI_C;
|
|
|
|
h->tci_an |= tx_sc->encoding_sa;
|
|
}
|
|
|
|
static void macsec_set_shortlen(struct macsec_eth_header *h, size_t data_len)
|
|
{
|
|
if (data_len < MIN_NON_SHORT_LEN)
|
|
h->short_length = data_len;
|
|
}
|
|
|
|
/* Checks if a MACsec interface is being offloaded to an hardware engine */
|
|
static bool macsec_is_offloaded(struct macsec_dev *macsec)
|
|
{
|
|
if (macsec->offload == MACSEC_OFFLOAD_PHY)
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
|
|
/* Checks if underlying layers implement MACsec offloading functions. */
|
|
static bool macsec_check_offload(enum macsec_offload offload,
|
|
struct macsec_dev *macsec)
|
|
{
|
|
if (!macsec || !macsec->real_dev)
|
|
return false;
|
|
|
|
if (offload == MACSEC_OFFLOAD_PHY)
|
|
return macsec->real_dev->phydev &&
|
|
macsec->real_dev->phydev->macsec_ops;
|
|
|
|
return false;
|
|
}
|
|
|
|
static const struct macsec_ops *__macsec_get_ops(enum macsec_offload offload,
|
|
struct macsec_dev *macsec,
|
|
struct macsec_context *ctx)
|
|
{
|
|
if (ctx) {
|
|
memset(ctx, 0, sizeof(*ctx));
|
|
ctx->offload = offload;
|
|
|
|
if (offload == MACSEC_OFFLOAD_PHY)
|
|
ctx->phydev = macsec->real_dev->phydev;
|
|
}
|
|
|
|
return macsec->real_dev->phydev->macsec_ops;
|
|
}
|
|
|
|
/* Returns a pointer to the MACsec ops struct if any and updates the MACsec
|
|
* context device reference if provided.
|
|
*/
|
|
static const struct macsec_ops *macsec_get_ops(struct macsec_dev *macsec,
|
|
struct macsec_context *ctx)
|
|
{
|
|
if (!macsec_check_offload(macsec->offload, macsec))
|
|
return NULL;
|
|
|
|
return __macsec_get_ops(macsec->offload, macsec, ctx);
|
|
}
|
|
|
|
/* validate MACsec packet according to IEEE 802.1AE-2018 9.12 */
|
|
static bool macsec_validate_skb(struct sk_buff *skb, u16 icv_len, bool xpn)
|
|
{
|
|
struct macsec_eth_header *h = (struct macsec_eth_header *)skb->data;
|
|
int len = skb->len - 2 * ETH_ALEN;
|
|
int extra_len = macsec_extra_len(!!(h->tci_an & MACSEC_TCI_SC)) + icv_len;
|
|
|
|
/* a) It comprises at least 17 octets */
|
|
if (skb->len <= 16)
|
|
return false;
|
|
|
|
/* b) MACsec EtherType: already checked */
|
|
|
|
/* c) V bit is clear */
|
|
if (h->tci_an & MACSEC_TCI_VERSION)
|
|
return false;
|
|
|
|
/* d) ES or SCB => !SC */
|
|
if ((h->tci_an & MACSEC_TCI_ES || h->tci_an & MACSEC_TCI_SCB) &&
|
|
(h->tci_an & MACSEC_TCI_SC))
|
|
return false;
|
|
|
|
/* e) Bits 7 and 8 of octet 4 of the SecTAG are clear */
|
|
if (h->unused)
|
|
return false;
|
|
|
|
/* rx.pn != 0 if not XPN (figure 10-5 with 802.11AEbw-2013 amendment) */
|
|
if (!h->packet_number && !xpn)
|
|
return false;
|
|
|
|
/* length check, f) g) h) i) */
|
|
if (h->short_length)
|
|
return len == extra_len + h->short_length;
|
|
return len >= extra_len + MIN_NON_SHORT_LEN;
|
|
}
|
|
|
|
#define MACSEC_NEEDED_HEADROOM (macsec_extra_len(true))
|
|
#define MACSEC_NEEDED_TAILROOM MACSEC_STD_ICV_LEN
|
|
|
|
static void macsec_fill_iv_xpn(unsigned char *iv, ssci_t ssci, u64 pn,
|
|
salt_t salt)
|
|
{
|
|
struct gcm_iv_xpn *gcm_iv = (struct gcm_iv_xpn *)iv;
|
|
|
|
gcm_iv->ssci = ssci ^ salt.ssci;
|
|
gcm_iv->pn = cpu_to_be64(pn) ^ salt.pn;
|
|
}
|
|
|
|
static void macsec_fill_iv(unsigned char *iv, sci_t sci, u32 pn)
|
|
{
|
|
struct gcm_iv *gcm_iv = (struct gcm_iv *)iv;
|
|
|
|
gcm_iv->sci = sci;
|
|
gcm_iv->pn = htonl(pn);
|
|
}
|
|
|
|
static struct macsec_eth_header *macsec_ethhdr(struct sk_buff *skb)
|
|
{
|
|
return (struct macsec_eth_header *)skb_mac_header(skb);
|
|
}
|
|
|
|
static void __macsec_pn_wrapped(struct macsec_secy *secy,
|
|
struct macsec_tx_sa *tx_sa)
|
|
{
|
|
pr_debug("PN wrapped, transitioning to !oper\n");
|
|
tx_sa->active = false;
|
|
if (secy->protect_frames)
|
|
secy->operational = false;
|
|
}
|
|
|
|
void macsec_pn_wrapped(struct macsec_secy *secy, struct macsec_tx_sa *tx_sa)
|
|
{
|
|
spin_lock_bh(&tx_sa->lock);
|
|
__macsec_pn_wrapped(secy, tx_sa);
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
}
|
|
EXPORT_SYMBOL_GPL(macsec_pn_wrapped);
|
|
|
|
static pn_t tx_sa_update_pn(struct macsec_tx_sa *tx_sa,
|
|
struct macsec_secy *secy)
|
|
{
|
|
pn_t pn;
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
|
|
pn = tx_sa->next_pn_halves;
|
|
if (secy->xpn)
|
|
tx_sa->next_pn++;
|
|
else
|
|
tx_sa->next_pn_halves.lower++;
|
|
|
|
if (tx_sa->next_pn == 0)
|
|
__macsec_pn_wrapped(secy, tx_sa);
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
|
|
return pn;
|
|
}
|
|
|
|
static void macsec_encrypt_finish(struct sk_buff *skb, struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = netdev_priv(dev);
|
|
|
|
skb->dev = macsec->real_dev;
|
|
skb_reset_mac_header(skb);
|
|
skb->protocol = eth_hdr(skb)->h_proto;
|
|
}
|
|
|
|
static void macsec_count_tx(struct sk_buff *skb, struct macsec_tx_sc *tx_sc,
|
|
struct macsec_tx_sa *tx_sa)
|
|
{
|
|
struct pcpu_tx_sc_stats *txsc_stats = this_cpu_ptr(tx_sc->stats);
|
|
|
|
u64_stats_update_begin(&txsc_stats->syncp);
|
|
if (tx_sc->encrypt) {
|
|
txsc_stats->stats.OutOctetsEncrypted += skb->len;
|
|
txsc_stats->stats.OutPktsEncrypted++;
|
|
this_cpu_inc(tx_sa->stats->OutPktsEncrypted);
|
|
} else {
|
|
txsc_stats->stats.OutOctetsProtected += skb->len;
|
|
txsc_stats->stats.OutPktsProtected++;
|
|
this_cpu_inc(tx_sa->stats->OutPktsProtected);
|
|
}
|
|
u64_stats_update_end(&txsc_stats->syncp);
|
|
}
|
|
|
|
static void count_tx(struct net_device *dev, int ret, int len)
|
|
{
|
|
if (likely(ret == NET_XMIT_SUCCESS || ret == NET_XMIT_CN)) {
|
|
struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
|
|
|
|
u64_stats_update_begin(&stats->syncp);
|
|
stats->tx_packets++;
|
|
stats->tx_bytes += len;
|
|
u64_stats_update_end(&stats->syncp);
|
|
}
|
|
}
|
|
|
|
static void macsec_encrypt_done(struct crypto_async_request *base, int err)
|
|
{
|
|
struct sk_buff *skb = base->data;
|
|
struct net_device *dev = skb->dev;
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct macsec_tx_sa *sa = macsec_skb_cb(skb)->tx_sa;
|
|
int len, ret;
|
|
|
|
aead_request_free(macsec_skb_cb(skb)->req);
|
|
|
|
rcu_read_lock_bh();
|
|
macsec_encrypt_finish(skb, dev);
|
|
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
|
|
len = skb->len;
|
|
ret = dev_queue_xmit(skb);
|
|
count_tx(dev, ret, len);
|
|
rcu_read_unlock_bh();
|
|
|
|
macsec_txsa_put(sa);
|
|
dev_put(dev);
|
|
}
|
|
|
|
static struct aead_request *macsec_alloc_req(struct crypto_aead *tfm,
|
|
unsigned char **iv,
|
|
struct scatterlist **sg,
|
|
int num_frags)
|
|
{
|
|
size_t size, iv_offset, sg_offset;
|
|
struct aead_request *req;
|
|
void *tmp;
|
|
|
|
size = sizeof(struct aead_request) + crypto_aead_reqsize(tfm);
|
|
iv_offset = size;
|
|
size += GCM_AES_IV_LEN;
|
|
|
|
size = ALIGN(size, __alignof__(struct scatterlist));
|
|
sg_offset = size;
|
|
size += sizeof(struct scatterlist) * num_frags;
|
|
|
|
tmp = kmalloc(size, GFP_ATOMIC);
|
|
if (!tmp)
|
|
return NULL;
|
|
|
|
*iv = (unsigned char *)(tmp + iv_offset);
|
|
*sg = (struct scatterlist *)(tmp + sg_offset);
|
|
req = tmp;
|
|
|
|
aead_request_set_tfm(req, tfm);
|
|
|
|
return req;
|
|
}
|
|
|
|
static struct sk_buff *macsec_encrypt(struct sk_buff *skb,
|
|
struct net_device *dev)
|
|
{
|
|
int ret;
|
|
struct scatterlist *sg;
|
|
struct sk_buff *trailer;
|
|
unsigned char *iv;
|
|
struct ethhdr *eth;
|
|
struct macsec_eth_header *hh;
|
|
size_t unprotected_len;
|
|
struct aead_request *req;
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
struct macsec_tx_sa *tx_sa;
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
bool sci_present;
|
|
pn_t pn;
|
|
|
|
secy = &macsec->secy;
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
/* 10.5.1 TX SA assignment */
|
|
tx_sa = macsec_txsa_get(tx_sc->sa[tx_sc->encoding_sa]);
|
|
if (!tx_sa) {
|
|
secy->operational = false;
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
if (unlikely(skb_headroom(skb) < MACSEC_NEEDED_HEADROOM ||
|
|
skb_tailroom(skb) < MACSEC_NEEDED_TAILROOM)) {
|
|
struct sk_buff *nskb = skb_copy_expand(skb,
|
|
MACSEC_NEEDED_HEADROOM,
|
|
MACSEC_NEEDED_TAILROOM,
|
|
GFP_ATOMIC);
|
|
if (likely(nskb)) {
|
|
consume_skb(skb);
|
|
skb = nskb;
|
|
} else {
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
} else {
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
if (!skb) {
|
|
macsec_txsa_put(tx_sa);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
}
|
|
|
|
unprotected_len = skb->len;
|
|
eth = eth_hdr(skb);
|
|
sci_present = send_sci(secy);
|
|
hh = skb_push(skb, macsec_extra_len(sci_present));
|
|
memmove(hh, eth, 2 * ETH_ALEN);
|
|
|
|
pn = tx_sa_update_pn(tx_sa, secy);
|
|
if (pn.full64 == 0) {
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-ENOLINK);
|
|
}
|
|
macsec_fill_sectag(hh, secy, pn.lower, sci_present);
|
|
macsec_set_shortlen(hh, unprotected_len - 2 * ETH_ALEN);
|
|
|
|
skb_put(skb, secy->icv_len);
|
|
|
|
if (skb->len - ETH_HLEN > macsec_priv(dev)->real_dev->mtu) {
|
|
struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.OutPktsTooLong++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
ret = skb_cow_data(skb, 0, &trailer);
|
|
if (unlikely(ret < 0)) {
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
req = macsec_alloc_req(tx_sa->key.tfm, &iv, &sg, ret);
|
|
if (!req) {
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
|
|
if (secy->xpn)
|
|
macsec_fill_iv_xpn(iv, tx_sa->ssci, pn.full64, tx_sa->key.salt);
|
|
else
|
|
macsec_fill_iv(iv, secy->sci, pn.lower);
|
|
|
|
sg_init_table(sg, ret);
|
|
ret = skb_to_sgvec(skb, sg, 0, skb->len);
|
|
if (unlikely(ret < 0)) {
|
|
aead_request_free(req);
|
|
macsec_txsa_put(tx_sa);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
if (tx_sc->encrypt) {
|
|
int len = skb->len - macsec_hdr_len(sci_present) -
|
|
secy->icv_len;
|
|
aead_request_set_crypt(req, sg, sg, len, iv);
|
|
aead_request_set_ad(req, macsec_hdr_len(sci_present));
|
|
} else {
|
|
aead_request_set_crypt(req, sg, sg, 0, iv);
|
|
aead_request_set_ad(req, skb->len - secy->icv_len);
|
|
}
|
|
|
|
macsec_skb_cb(skb)->req = req;
|
|
macsec_skb_cb(skb)->tx_sa = tx_sa;
|
|
aead_request_set_callback(req, 0, macsec_encrypt_done, skb);
|
|
|
|
dev_hold(skb->dev);
|
|
ret = crypto_aead_encrypt(req);
|
|
if (ret == -EINPROGRESS) {
|
|
return ERR_PTR(ret);
|
|
} else if (ret != 0) {
|
|
dev_put(skb->dev);
|
|
kfree_skb(skb);
|
|
aead_request_free(req);
|
|
macsec_txsa_put(tx_sa);
|
|
return ERR_PTR(-EINVAL);
|
|
}
|
|
|
|
dev_put(skb->dev);
|
|
aead_request_free(req);
|
|
macsec_txsa_put(tx_sa);
|
|
|
|
return skb;
|
|
}
|
|
|
|
static bool macsec_post_decrypt(struct sk_buff *skb, struct macsec_secy *secy, u32 pn)
|
|
{
|
|
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
|
struct pcpu_rx_sc_stats *rxsc_stats = this_cpu_ptr(rx_sa->sc->stats);
|
|
struct macsec_eth_header *hdr = macsec_ethhdr(skb);
|
|
u32 lowest_pn = 0;
|
|
|
|
spin_lock(&rx_sa->lock);
|
|
if (rx_sa->next_pn_halves.lower >= secy->replay_window)
|
|
lowest_pn = rx_sa->next_pn_halves.lower - secy->replay_window;
|
|
|
|
/* Now perform replay protection check again
|
|
* (see IEEE 802.1AE-2006 figure 10-5)
|
|
*/
|
|
if (secy->replay_protect && pn < lowest_pn &&
|
|
(!secy->xpn || pn_same_half(pn, lowest_pn))) {
|
|
spin_unlock(&rx_sa->lock);
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
rxsc_stats->stats.InPktsLate++;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
return false;
|
|
}
|
|
|
|
if (secy->validate_frames != MACSEC_VALIDATE_DISABLED) {
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
if (hdr->tci_an & MACSEC_TCI_E)
|
|
rxsc_stats->stats.InOctetsDecrypted += skb->len;
|
|
else
|
|
rxsc_stats->stats.InOctetsValidated += skb->len;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
}
|
|
|
|
if (!macsec_skb_cb(skb)->valid) {
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
/* 10.6.5 */
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
secy->validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
rxsc_stats->stats.InPktsNotValid++;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
return false;
|
|
}
|
|
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
if (secy->validate_frames == MACSEC_VALIDATE_CHECK) {
|
|
rxsc_stats->stats.InPktsInvalid++;
|
|
this_cpu_inc(rx_sa->stats->InPktsInvalid);
|
|
} else if (pn < lowest_pn) {
|
|
rxsc_stats->stats.InPktsDelayed++;
|
|
} else {
|
|
rxsc_stats->stats.InPktsUnchecked++;
|
|
}
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
} else {
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
if (pn < lowest_pn) {
|
|
rxsc_stats->stats.InPktsDelayed++;
|
|
} else {
|
|
rxsc_stats->stats.InPktsOK++;
|
|
this_cpu_inc(rx_sa->stats->InPktsOK);
|
|
}
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
|
|
// Instead of "pn >=" - to support pn overflow in xpn
|
|
if (pn + 1 > rx_sa->next_pn_halves.lower) {
|
|
rx_sa->next_pn_halves.lower = pn + 1;
|
|
} else if (secy->xpn &&
|
|
!pn_same_half(pn, rx_sa->next_pn_halves.lower)) {
|
|
rx_sa->next_pn_halves.upper++;
|
|
rx_sa->next_pn_halves.lower = pn + 1;
|
|
}
|
|
|
|
spin_unlock(&rx_sa->lock);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static void macsec_reset_skb(struct sk_buff *skb, struct net_device *dev)
|
|
{
|
|
skb->pkt_type = PACKET_HOST;
|
|
skb->protocol = eth_type_trans(skb, dev);
|
|
|
|
skb_reset_network_header(skb);
|
|
if (!skb_transport_header_was_set(skb))
|
|
skb_reset_transport_header(skb);
|
|
skb_reset_mac_len(skb);
|
|
}
|
|
|
|
static void macsec_finalize_skb(struct sk_buff *skb, u8 icv_len, u8 hdr_len)
|
|
{
|
|
skb->ip_summed = CHECKSUM_NONE;
|
|
memmove(skb->data + hdr_len, skb->data, 2 * ETH_ALEN);
|
|
skb_pull(skb, hdr_len);
|
|
pskb_trim_unique(skb, skb->len - icv_len);
|
|
}
|
|
|
|
static void count_rx(struct net_device *dev, int len)
|
|
{
|
|
struct pcpu_sw_netstats *stats = this_cpu_ptr(dev->tstats);
|
|
|
|
u64_stats_update_begin(&stats->syncp);
|
|
stats->rx_packets++;
|
|
stats->rx_bytes += len;
|
|
u64_stats_update_end(&stats->syncp);
|
|
}
|
|
|
|
static void macsec_decrypt_done(struct crypto_async_request *base, int err)
|
|
{
|
|
struct sk_buff *skb = base->data;
|
|
struct net_device *dev = skb->dev;
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct macsec_rx_sa *rx_sa = macsec_skb_cb(skb)->rx_sa;
|
|
struct macsec_rx_sc *rx_sc = rx_sa->sc;
|
|
int len;
|
|
u32 pn;
|
|
|
|
aead_request_free(macsec_skb_cb(skb)->req);
|
|
|
|
if (!err)
|
|
macsec_skb_cb(skb)->valid = true;
|
|
|
|
rcu_read_lock_bh();
|
|
pn = ntohl(macsec_ethhdr(skb)->packet_number);
|
|
if (!macsec_post_decrypt(skb, &macsec->secy, pn)) {
|
|
rcu_read_unlock_bh();
|
|
kfree_skb(skb);
|
|
goto out;
|
|
}
|
|
|
|
macsec_finalize_skb(skb, macsec->secy.icv_len,
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
macsec_reset_skb(skb, macsec->secy.netdev);
|
|
|
|
len = skb->len;
|
|
if (gro_cells_receive(&macsec->gro_cells, skb) == NET_RX_SUCCESS)
|
|
count_rx(dev, len);
|
|
|
|
rcu_read_unlock_bh();
|
|
|
|
out:
|
|
macsec_rxsa_put(rx_sa);
|
|
macsec_rxsc_put(rx_sc);
|
|
dev_put(dev);
|
|
}
|
|
|
|
static struct sk_buff *macsec_decrypt(struct sk_buff *skb,
|
|
struct net_device *dev,
|
|
struct macsec_rx_sa *rx_sa,
|
|
sci_t sci,
|
|
struct macsec_secy *secy)
|
|
{
|
|
int ret;
|
|
struct scatterlist *sg;
|
|
struct sk_buff *trailer;
|
|
unsigned char *iv;
|
|
struct aead_request *req;
|
|
struct macsec_eth_header *hdr;
|
|
u32 hdr_pn;
|
|
u16 icv_len = secy->icv_len;
|
|
|
|
macsec_skb_cb(skb)->valid = false;
|
|
skb = skb_share_check(skb, GFP_ATOMIC);
|
|
if (!skb)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
ret = skb_cow_data(skb, 0, &trailer);
|
|
if (unlikely(ret < 0)) {
|
|
kfree_skb(skb);
|
|
return ERR_PTR(ret);
|
|
}
|
|
req = macsec_alloc_req(rx_sa->key.tfm, &iv, &sg, ret);
|
|
if (!req) {
|
|
kfree_skb(skb);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
|
|
hdr = (struct macsec_eth_header *)skb->data;
|
|
hdr_pn = ntohl(hdr->packet_number);
|
|
|
|
if (secy->xpn) {
|
|
pn_t recovered_pn = rx_sa->next_pn_halves;
|
|
|
|
recovered_pn.lower = hdr_pn;
|
|
if (hdr_pn < rx_sa->next_pn_halves.lower &&
|
|
!pn_same_half(hdr_pn, rx_sa->next_pn_halves.lower))
|
|
recovered_pn.upper++;
|
|
|
|
macsec_fill_iv_xpn(iv, rx_sa->ssci, recovered_pn.full64,
|
|
rx_sa->key.salt);
|
|
} else {
|
|
macsec_fill_iv(iv, sci, hdr_pn);
|
|
}
|
|
|
|
sg_init_table(sg, ret);
|
|
ret = skb_to_sgvec(skb, sg, 0, skb->len);
|
|
if (unlikely(ret < 0)) {
|
|
aead_request_free(req);
|
|
kfree_skb(skb);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
if (hdr->tci_an & MACSEC_TCI_E) {
|
|
/* confidentiality: ethernet + macsec header
|
|
* authenticated, encrypted payload
|
|
*/
|
|
int len = skb->len - macsec_hdr_len(macsec_skb_cb(skb)->has_sci);
|
|
|
|
aead_request_set_crypt(req, sg, sg, len, iv);
|
|
aead_request_set_ad(req, macsec_hdr_len(macsec_skb_cb(skb)->has_sci));
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
if (!skb) {
|
|
aead_request_free(req);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
} else {
|
|
/* integrity only: all headers + data authenticated */
|
|
aead_request_set_crypt(req, sg, sg, icv_len, iv);
|
|
aead_request_set_ad(req, skb->len - icv_len);
|
|
}
|
|
|
|
macsec_skb_cb(skb)->req = req;
|
|
skb->dev = dev;
|
|
aead_request_set_callback(req, 0, macsec_decrypt_done, skb);
|
|
|
|
dev_hold(dev);
|
|
ret = crypto_aead_decrypt(req);
|
|
if (ret == -EINPROGRESS) {
|
|
return ERR_PTR(ret);
|
|
} else if (ret != 0) {
|
|
/* decryption/authentication failed
|
|
* 10.6 if validateFrames is disabled, deliver anyway
|
|
*/
|
|
if (ret != -EBADMSG) {
|
|
kfree_skb(skb);
|
|
skb = ERR_PTR(ret);
|
|
}
|
|
} else {
|
|
macsec_skb_cb(skb)->valid = true;
|
|
}
|
|
dev_put(dev);
|
|
|
|
aead_request_free(req);
|
|
|
|
return skb;
|
|
}
|
|
|
|
static struct macsec_rx_sc *find_rx_sc(struct macsec_secy *secy, sci_t sci)
|
|
{
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
for_each_rxsc(secy, rx_sc) {
|
|
if (rx_sc->sci == sci)
|
|
return rx_sc;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static struct macsec_rx_sc *find_rx_sc_rtnl(struct macsec_secy *secy, sci_t sci)
|
|
{
|
|
struct macsec_rx_sc *rx_sc;
|
|
|
|
for_each_rxsc_rtnl(secy, rx_sc) {
|
|
if (rx_sc->sci == sci)
|
|
return rx_sc;
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static enum rx_handler_result handle_not_macsec(struct sk_buff *skb)
|
|
{
|
|
/* Deliver to the uncontrolled port by default */
|
|
enum rx_handler_result ret = RX_HANDLER_PASS;
|
|
struct ethhdr *hdr = eth_hdr(skb);
|
|
struct macsec_rxh_data *rxd;
|
|
struct macsec_dev *macsec;
|
|
|
|
rcu_read_lock();
|
|
rxd = macsec_data_rcu(skb->dev);
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
struct sk_buff *nskb;
|
|
struct pcpu_secy_stats *secy_stats = this_cpu_ptr(macsec->stats);
|
|
struct net_device *ndev = macsec->secy.netdev;
|
|
|
|
/* If h/w offloading is enabled, HW decodes frames and strips
|
|
* the SecTAG, so we have to deduce which port to deliver to.
|
|
*/
|
|
if (macsec_is_offloaded(macsec) && netif_running(ndev)) {
|
|
if (hdr->h_proto == htons(ETH_P_PAE))
|
|
continue;
|
|
|
|
if (ndev->flags & IFF_PROMISC) {
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
if (!nskb)
|
|
break;
|
|
|
|
count_rx(ndev, nskb->len);
|
|
nskb->dev = ndev;
|
|
netif_rx(nskb);
|
|
} else if (ether_addr_equal_64bits(hdr->h_dest,
|
|
ndev->dev_addr)) {
|
|
/* exact match, divert skb to this port */
|
|
skb->dev = ndev;
|
|
skb->pkt_type = PACKET_HOST;
|
|
count_rx(ndev, skb->len);
|
|
ret = RX_HANDLER_ANOTHER;
|
|
goto out;
|
|
} else if (is_multicast_ether_addr_64bits(hdr->h_dest)) {
|
|
/* multicast frame, deliver on this port too */
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
if (!nskb)
|
|
break;
|
|
|
|
nskb->dev = ndev;
|
|
if (ether_addr_equal_64bits(hdr->h_dest,
|
|
ndev->broadcast))
|
|
nskb->pkt_type = PACKET_BROADCAST;
|
|
else
|
|
nskb->pkt_type = PACKET_MULTICAST;
|
|
|
|
count_rx(ndev, nskb->len);
|
|
netif_rx(nskb);
|
|
}
|
|
continue;
|
|
}
|
|
|
|
/* 10.6 If the management control validateFrames is not
|
|
* Strict, frames without a SecTAG are received, counted, and
|
|
* delivered to the Controlled Port
|
|
*/
|
|
if (macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.InPktsNoTag++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
continue;
|
|
}
|
|
|
|
/* deliver on this port */
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
if (!nskb)
|
|
break;
|
|
|
|
nskb->dev = ndev;
|
|
|
|
if (netif_rx(nskb) == NET_RX_SUCCESS) {
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.InPktsUntagged++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
}
|
|
}
|
|
|
|
out:
|
|
rcu_read_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static rx_handler_result_t macsec_handle_frame(struct sk_buff **pskb)
|
|
{
|
|
struct sk_buff *skb = *pskb;
|
|
struct net_device *dev = skb->dev;
|
|
struct macsec_eth_header *hdr;
|
|
struct macsec_secy *secy = NULL;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_rx_sa *rx_sa;
|
|
struct macsec_rxh_data *rxd;
|
|
struct macsec_dev *macsec;
|
|
unsigned int len;
|
|
sci_t sci;
|
|
u32 hdr_pn;
|
|
bool cbit;
|
|
struct pcpu_rx_sc_stats *rxsc_stats;
|
|
struct pcpu_secy_stats *secy_stats;
|
|
bool pulled_sci;
|
|
int ret;
|
|
|
|
if (skb_headroom(skb) < ETH_HLEN)
|
|
goto drop_direct;
|
|
|
|
hdr = macsec_ethhdr(skb);
|
|
if (hdr->eth.h_proto != htons(ETH_P_MACSEC))
|
|
return handle_not_macsec(skb);
|
|
|
|
skb = skb_unshare(skb, GFP_ATOMIC);
|
|
*pskb = skb;
|
|
if (!skb)
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
pulled_sci = pskb_may_pull(skb, macsec_extra_len(true));
|
|
if (!pulled_sci) {
|
|
if (!pskb_may_pull(skb, macsec_extra_len(false)))
|
|
goto drop_direct;
|
|
}
|
|
|
|
hdr = macsec_ethhdr(skb);
|
|
|
|
/* Frames with a SecTAG that has the TCI E bit set but the C
|
|
* bit clear are discarded, as this reserved encoding is used
|
|
* to identify frames with a SecTAG that are not to be
|
|
* delivered to the Controlled Port.
|
|
*/
|
|
if ((hdr->tci_an & (MACSEC_TCI_C | MACSEC_TCI_E)) == MACSEC_TCI_E)
|
|
return RX_HANDLER_PASS;
|
|
|
|
/* now, pull the extra length */
|
|
if (hdr->tci_an & MACSEC_TCI_SC) {
|
|
if (!pulled_sci)
|
|
goto drop_direct;
|
|
}
|
|
|
|
/* ethernet header is part of crypto processing */
|
|
skb_push(skb, ETH_HLEN);
|
|
|
|
macsec_skb_cb(skb)->has_sci = !!(hdr->tci_an & MACSEC_TCI_SC);
|
|
macsec_skb_cb(skb)->assoc_num = hdr->tci_an & MACSEC_AN_MASK;
|
|
sci = macsec_frame_sci(hdr, macsec_skb_cb(skb)->has_sci);
|
|
|
|
rcu_read_lock();
|
|
rxd = macsec_data_rcu(skb->dev);
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
struct macsec_rx_sc *sc = find_rx_sc(&macsec->secy, sci);
|
|
|
|
sc = sc ? macsec_rxsc_get(sc) : NULL;
|
|
|
|
if (sc) {
|
|
secy = &macsec->secy;
|
|
rx_sc = sc;
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!secy)
|
|
goto nosci;
|
|
|
|
dev = secy->netdev;
|
|
macsec = macsec_priv(dev);
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
rxsc_stats = this_cpu_ptr(rx_sc->stats);
|
|
|
|
if (!macsec_validate_skb(skb, secy->icv_len, secy->xpn)) {
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.InPktsBadTag++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
goto drop_nosa;
|
|
}
|
|
|
|
rx_sa = macsec_rxsa_get(rx_sc->sa[macsec_skb_cb(skb)->assoc_num]);
|
|
if (!rx_sa) {
|
|
/* 10.6.1 if the SA is not in use */
|
|
|
|
/* If validateFrames is Strict or the C bit in the
|
|
* SecTAG is set, discard
|
|
*/
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
secy->validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
rxsc_stats->stats.InPktsNotUsingSA++;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
goto drop_nosa;
|
|
}
|
|
|
|
/* not Strict, the frame (with the SecTAG and ICV
|
|
* removed) is delivered to the Controlled Port.
|
|
*/
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
rxsc_stats->stats.InPktsUnusedSA++;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
goto deliver;
|
|
}
|
|
|
|
/* First, PN check to avoid decrypting obviously wrong packets */
|
|
hdr_pn = ntohl(hdr->packet_number);
|
|
if (secy->replay_protect) {
|
|
bool late;
|
|
|
|
spin_lock(&rx_sa->lock);
|
|
late = rx_sa->next_pn_halves.lower >= secy->replay_window &&
|
|
hdr_pn < (rx_sa->next_pn_halves.lower - secy->replay_window);
|
|
|
|
if (secy->xpn)
|
|
late = late && pn_same_half(rx_sa->next_pn_halves.lower, hdr_pn);
|
|
spin_unlock(&rx_sa->lock);
|
|
|
|
if (late) {
|
|
u64_stats_update_begin(&rxsc_stats->syncp);
|
|
rxsc_stats->stats.InPktsLate++;
|
|
u64_stats_update_end(&rxsc_stats->syncp);
|
|
goto drop;
|
|
}
|
|
}
|
|
|
|
macsec_skb_cb(skb)->rx_sa = rx_sa;
|
|
|
|
/* Disabled && !changed text => skip validation */
|
|
if (hdr->tci_an & MACSEC_TCI_C ||
|
|
secy->validate_frames != MACSEC_VALIDATE_DISABLED)
|
|
skb = macsec_decrypt(skb, dev, rx_sa, sci, secy);
|
|
|
|
if (IS_ERR(skb)) {
|
|
/* the decrypt callback needs the reference */
|
|
if (PTR_ERR(skb) != -EINPROGRESS) {
|
|
macsec_rxsa_put(rx_sa);
|
|
macsec_rxsc_put(rx_sc);
|
|
}
|
|
rcu_read_unlock();
|
|
*pskb = NULL;
|
|
return RX_HANDLER_CONSUMED;
|
|
}
|
|
|
|
if (!macsec_post_decrypt(skb, secy, hdr_pn))
|
|
goto drop;
|
|
|
|
deliver:
|
|
macsec_finalize_skb(skb, secy->icv_len,
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
macsec_reset_skb(skb, secy->netdev);
|
|
|
|
if (rx_sa)
|
|
macsec_rxsa_put(rx_sa);
|
|
macsec_rxsc_put(rx_sc);
|
|
|
|
skb_orphan(skb);
|
|
len = skb->len;
|
|
ret = gro_cells_receive(&macsec->gro_cells, skb);
|
|
if (ret == NET_RX_SUCCESS)
|
|
count_rx(dev, len);
|
|
else
|
|
macsec->secy.netdev->stats.rx_dropped++;
|
|
|
|
rcu_read_unlock();
|
|
|
|
*pskb = NULL;
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
drop:
|
|
macsec_rxsa_put(rx_sa);
|
|
drop_nosa:
|
|
macsec_rxsc_put(rx_sc);
|
|
rcu_read_unlock();
|
|
drop_direct:
|
|
kfree_skb(skb);
|
|
*pskb = NULL;
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
nosci:
|
|
/* 10.6.1 if the SC is not found */
|
|
cbit = !!(hdr->tci_an & MACSEC_TCI_C);
|
|
if (!cbit)
|
|
macsec_finalize_skb(skb, DEFAULT_ICV_LEN,
|
|
macsec_extra_len(macsec_skb_cb(skb)->has_sci));
|
|
|
|
list_for_each_entry_rcu(macsec, &rxd->secys, secys) {
|
|
struct sk_buff *nskb;
|
|
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
|
|
/* If validateFrames is Strict or the C bit in the
|
|
* SecTAG is set, discard
|
|
*/
|
|
if (cbit ||
|
|
macsec->secy.validate_frames == MACSEC_VALIDATE_STRICT) {
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.InPktsNoSCI++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
continue;
|
|
}
|
|
|
|
/* not strict, the frame (with the SecTAG and ICV
|
|
* removed) is delivered to the Controlled Port.
|
|
*/
|
|
nskb = skb_clone(skb, GFP_ATOMIC);
|
|
if (!nskb)
|
|
break;
|
|
|
|
macsec_reset_skb(nskb, macsec->secy.netdev);
|
|
|
|
ret = netif_rx(nskb);
|
|
if (ret == NET_RX_SUCCESS) {
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.InPktsUnknownSCI++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
} else {
|
|
macsec->secy.netdev->stats.rx_dropped++;
|
|
}
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
*pskb = skb;
|
|
return RX_HANDLER_PASS;
|
|
}
|
|
|
|
static struct crypto_aead *macsec_alloc_tfm(char *key, int key_len, int icv_len)
|
|
{
|
|
struct crypto_aead *tfm;
|
|
int ret;
|
|
|
|
tfm = crypto_alloc_aead("gcm(aes)", 0, 0);
|
|
|
|
if (IS_ERR(tfm))
|
|
return tfm;
|
|
|
|
ret = crypto_aead_setkey(tfm, key, key_len);
|
|
if (ret < 0)
|
|
goto fail;
|
|
|
|
ret = crypto_aead_setauthsize(tfm, icv_len);
|
|
if (ret < 0)
|
|
goto fail;
|
|
|
|
return tfm;
|
|
fail:
|
|
crypto_free_aead(tfm);
|
|
return ERR_PTR(ret);
|
|
}
|
|
|
|
static int init_rx_sa(struct macsec_rx_sa *rx_sa, char *sak, int key_len,
|
|
int icv_len)
|
|
{
|
|
rx_sa->stats = alloc_percpu(struct macsec_rx_sa_stats);
|
|
if (!rx_sa->stats)
|
|
return -ENOMEM;
|
|
|
|
rx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
|
|
if (IS_ERR(rx_sa->key.tfm)) {
|
|
free_percpu(rx_sa->stats);
|
|
return PTR_ERR(rx_sa->key.tfm);
|
|
}
|
|
|
|
rx_sa->ssci = MACSEC_UNDEF_SSCI;
|
|
rx_sa->active = false;
|
|
rx_sa->next_pn = 1;
|
|
refcount_set(&rx_sa->refcnt, 1);
|
|
spin_lock_init(&rx_sa->lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void clear_rx_sa(struct macsec_rx_sa *rx_sa)
|
|
{
|
|
rx_sa->active = false;
|
|
|
|
macsec_rxsa_put(rx_sa);
|
|
}
|
|
|
|
static void free_rx_sc(struct macsec_rx_sc *rx_sc)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i < MACSEC_NUM_AN; i++) {
|
|
struct macsec_rx_sa *sa = rtnl_dereference(rx_sc->sa[i]);
|
|
|
|
RCU_INIT_POINTER(rx_sc->sa[i], NULL);
|
|
if (sa)
|
|
clear_rx_sa(sa);
|
|
}
|
|
|
|
macsec_rxsc_put(rx_sc);
|
|
}
|
|
|
|
static struct macsec_rx_sc *del_rx_sc(struct macsec_secy *secy, sci_t sci)
|
|
{
|
|
struct macsec_rx_sc *rx_sc, __rcu **rx_scp;
|
|
|
|
for (rx_scp = &secy->rx_sc, rx_sc = rtnl_dereference(*rx_scp);
|
|
rx_sc;
|
|
rx_scp = &rx_sc->next, rx_sc = rtnl_dereference(*rx_scp)) {
|
|
if (rx_sc->sci == sci) {
|
|
if (rx_sc->active)
|
|
secy->n_rx_sc--;
|
|
rcu_assign_pointer(*rx_scp, rx_sc->next);
|
|
return rx_sc;
|
|
}
|
|
}
|
|
|
|
return NULL;
|
|
}
|
|
|
|
static struct macsec_rx_sc *create_rx_sc(struct net_device *dev, sci_t sci)
|
|
{
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_dev *macsec;
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
struct macsec_secy *secy;
|
|
|
|
list_for_each_entry(macsec, &rxd->secys, secys) {
|
|
if (find_rx_sc_rtnl(&macsec->secy, sci))
|
|
return ERR_PTR(-EEXIST);
|
|
}
|
|
|
|
rx_sc = kzalloc(sizeof(*rx_sc), GFP_KERNEL);
|
|
if (!rx_sc)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
rx_sc->stats = netdev_alloc_pcpu_stats(struct pcpu_rx_sc_stats);
|
|
if (!rx_sc->stats) {
|
|
kfree(rx_sc);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
|
|
rx_sc->sci = sci;
|
|
rx_sc->active = true;
|
|
refcount_set(&rx_sc->refcnt, 1);
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
rcu_assign_pointer(rx_sc->next, secy->rx_sc);
|
|
rcu_assign_pointer(secy->rx_sc, rx_sc);
|
|
|
|
if (rx_sc->active)
|
|
secy->n_rx_sc++;
|
|
|
|
return rx_sc;
|
|
}
|
|
|
|
static int init_tx_sa(struct macsec_tx_sa *tx_sa, char *sak, int key_len,
|
|
int icv_len)
|
|
{
|
|
tx_sa->stats = alloc_percpu(struct macsec_tx_sa_stats);
|
|
if (!tx_sa->stats)
|
|
return -ENOMEM;
|
|
|
|
tx_sa->key.tfm = macsec_alloc_tfm(sak, key_len, icv_len);
|
|
if (IS_ERR(tx_sa->key.tfm)) {
|
|
free_percpu(tx_sa->stats);
|
|
return PTR_ERR(tx_sa->key.tfm);
|
|
}
|
|
|
|
tx_sa->ssci = MACSEC_UNDEF_SSCI;
|
|
tx_sa->active = false;
|
|
refcount_set(&tx_sa->refcnt, 1);
|
|
spin_lock_init(&tx_sa->lock);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void clear_tx_sa(struct macsec_tx_sa *tx_sa)
|
|
{
|
|
tx_sa->active = false;
|
|
|
|
macsec_txsa_put(tx_sa);
|
|
}
|
|
|
|
static struct genl_family macsec_fam;
|
|
|
|
static struct net_device *get_dev_from_nl(struct net *net,
|
|
struct nlattr **attrs)
|
|
{
|
|
int ifindex = nla_get_u32(attrs[MACSEC_ATTR_IFINDEX]);
|
|
struct net_device *dev;
|
|
|
|
dev = __dev_get_by_index(net, ifindex);
|
|
if (!dev)
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
if (!netif_is_macsec(dev))
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
return dev;
|
|
}
|
|
|
|
static enum macsec_offload nla_get_offload(const struct nlattr *nla)
|
|
{
|
|
return (__force enum macsec_offload)nla_get_u8(nla);
|
|
}
|
|
|
|
static sci_t nla_get_sci(const struct nlattr *nla)
|
|
{
|
|
return (__force sci_t)nla_get_u64(nla);
|
|
}
|
|
|
|
static int nla_put_sci(struct sk_buff *skb, int attrtype, sci_t value,
|
|
int padattr)
|
|
{
|
|
return nla_put_u64_64bit(skb, attrtype, (__force u64)value, padattr);
|
|
}
|
|
|
|
static ssci_t nla_get_ssci(const struct nlattr *nla)
|
|
{
|
|
return (__force ssci_t)nla_get_u32(nla);
|
|
}
|
|
|
|
static int nla_put_ssci(struct sk_buff *skb, int attrtype, ssci_t value)
|
|
{
|
|
return nla_put_u32(skb, attrtype, (__force u64)value);
|
|
}
|
|
|
|
static struct macsec_tx_sa *get_txsa_from_nl(struct net *net,
|
|
struct nlattr **attrs,
|
|
struct nlattr **tb_sa,
|
|
struct net_device **devp,
|
|
struct macsec_secy **secyp,
|
|
struct macsec_tx_sc **scp,
|
|
u8 *assoc_num)
|
|
{
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
if (!tb_sa[MACSEC_SA_ATTR_AN])
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
*assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
dev = get_dev_from_nl(net, attrs);
|
|
if (IS_ERR(dev))
|
|
return ERR_CAST(dev);
|
|
|
|
if (*assoc_num >= MACSEC_NUM_AN)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
tx_sa = rtnl_dereference(tx_sc->sa[*assoc_num]);
|
|
if (!tx_sa)
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
*devp = dev;
|
|
*scp = tx_sc;
|
|
*secyp = secy;
|
|
return tx_sa;
|
|
}
|
|
|
|
static struct macsec_rx_sc *get_rxsc_from_nl(struct net *net,
|
|
struct nlattr **attrs,
|
|
struct nlattr **tb_rxsc,
|
|
struct net_device **devp,
|
|
struct macsec_secy **secyp)
|
|
{
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
sci_t sci;
|
|
|
|
dev = get_dev_from_nl(net, attrs);
|
|
if (IS_ERR(dev))
|
|
return ERR_CAST(dev);
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
|
|
if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
rx_sc = find_rx_sc_rtnl(secy, sci);
|
|
if (!rx_sc)
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
*secyp = secy;
|
|
*devp = dev;
|
|
|
|
return rx_sc;
|
|
}
|
|
|
|
static struct macsec_rx_sa *get_rxsa_from_nl(struct net *net,
|
|
struct nlattr **attrs,
|
|
struct nlattr **tb_rxsc,
|
|
struct nlattr **tb_sa,
|
|
struct net_device **devp,
|
|
struct macsec_secy **secyp,
|
|
struct macsec_rx_sc **scp,
|
|
u8 *assoc_num)
|
|
{
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_rx_sa *rx_sa;
|
|
|
|
if (!tb_sa[MACSEC_SA_ATTR_AN])
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
*assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
if (*assoc_num >= MACSEC_NUM_AN)
|
|
return ERR_PTR(-EINVAL);
|
|
|
|
rx_sc = get_rxsc_from_nl(net, attrs, tb_rxsc, devp, secyp);
|
|
if (IS_ERR(rx_sc))
|
|
return ERR_CAST(rx_sc);
|
|
|
|
rx_sa = rtnl_dereference(rx_sc->sa[*assoc_num]);
|
|
if (!rx_sa)
|
|
return ERR_PTR(-ENODEV);
|
|
|
|
*scp = rx_sc;
|
|
return rx_sa;
|
|
}
|
|
|
|
static const struct nla_policy macsec_genl_policy[NUM_MACSEC_ATTR] = {
|
|
[MACSEC_ATTR_IFINDEX] = { .type = NLA_U32 },
|
|
[MACSEC_ATTR_RXSC_CONFIG] = { .type = NLA_NESTED },
|
|
[MACSEC_ATTR_SA_CONFIG] = { .type = NLA_NESTED },
|
|
[MACSEC_ATTR_OFFLOAD] = { .type = NLA_NESTED },
|
|
};
|
|
|
|
static const struct nla_policy macsec_genl_rxsc_policy[NUM_MACSEC_RXSC_ATTR] = {
|
|
[MACSEC_RXSC_ATTR_SCI] = { .type = NLA_U64 },
|
|
[MACSEC_RXSC_ATTR_ACTIVE] = { .type = NLA_U8 },
|
|
};
|
|
|
|
static const struct nla_policy macsec_genl_sa_policy[NUM_MACSEC_SA_ATTR] = {
|
|
[MACSEC_SA_ATTR_AN] = { .type = NLA_U8 },
|
|
[MACSEC_SA_ATTR_ACTIVE] = { .type = NLA_U8 },
|
|
[MACSEC_SA_ATTR_PN] = { .type = NLA_MIN_LEN, .len = 4 },
|
|
[MACSEC_SA_ATTR_KEYID] = { .type = NLA_BINARY,
|
|
.len = MACSEC_KEYID_LEN, },
|
|
[MACSEC_SA_ATTR_KEY] = { .type = NLA_BINARY,
|
|
.len = MACSEC_MAX_KEY_LEN, },
|
|
[MACSEC_SA_ATTR_SSCI] = { .type = NLA_U32 },
|
|
[MACSEC_SA_ATTR_SALT] = { .type = NLA_BINARY,
|
|
.len = MACSEC_SALT_LEN, },
|
|
};
|
|
|
|
static const struct nla_policy macsec_genl_offload_policy[NUM_MACSEC_OFFLOAD_ATTR] = {
|
|
[MACSEC_OFFLOAD_ATTR_TYPE] = { .type = NLA_U8 },
|
|
};
|
|
|
|
/* Offloads an operation to a device driver */
|
|
static int macsec_offload(int (* const func)(struct macsec_context *),
|
|
struct macsec_context *ctx)
|
|
{
|
|
int ret;
|
|
|
|
if (unlikely(!func))
|
|
return 0;
|
|
|
|
if (ctx->offload == MACSEC_OFFLOAD_PHY)
|
|
mutex_lock(&ctx->phydev->lock);
|
|
|
|
/* Phase I: prepare. The drive should fail here if there are going to be
|
|
* issues in the commit phase.
|
|
*/
|
|
ctx->prepare = true;
|
|
ret = (*func)(ctx);
|
|
if (ret)
|
|
goto phy_unlock;
|
|
|
|
/* Phase II: commit. This step cannot fail. */
|
|
ctx->prepare = false;
|
|
ret = (*func)(ctx);
|
|
/* This should never happen: commit is not allowed to fail */
|
|
if (unlikely(ret))
|
|
WARN(1, "MACsec offloading commit failed (%d)\n", ret);
|
|
|
|
phy_unlock:
|
|
if (ctx->offload == MACSEC_OFFLOAD_PHY)
|
|
mutex_unlock(&ctx->phydev->lock);
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int parse_sa_config(struct nlattr **attrs, struct nlattr **tb_sa)
|
|
{
|
|
if (!attrs[MACSEC_ATTR_SA_CONFIG])
|
|
return -EINVAL;
|
|
|
|
if (nla_parse_nested_deprecated(tb_sa, MACSEC_SA_ATTR_MAX, attrs[MACSEC_ATTR_SA_CONFIG], macsec_genl_sa_policy, NULL))
|
|
return -EINVAL;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int parse_rxsc_config(struct nlattr **attrs, struct nlattr **tb_rxsc)
|
|
{
|
|
if (!attrs[MACSEC_ATTR_RXSC_CONFIG])
|
|
return -EINVAL;
|
|
|
|
if (nla_parse_nested_deprecated(tb_rxsc, MACSEC_RXSC_ATTR_MAX, attrs[MACSEC_ATTR_RXSC_CONFIG], macsec_genl_rxsc_policy, NULL))
|
|
return -EINVAL;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static bool validate_add_rxsa(struct nlattr **attrs)
|
|
{
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
!attrs[MACSEC_SA_ATTR_KEY] ||
|
|
!attrs[MACSEC_SA_ATTR_KEYID])
|
|
return false;
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
return false;
|
|
|
|
if (attrs[MACSEC_SA_ATTR_PN] &&
|
|
*(u64 *)nla_data(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
return false;
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
return false;
|
|
}
|
|
|
|
if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct net_device *dev;
|
|
struct nlattr **attrs = info->attrs;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_rx_sa *rx_sa;
|
|
unsigned char assoc_num;
|
|
int pn_len;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
int err;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
if (!validate_add_rxsa(tb_sa))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
|
|
if (IS_ERR(rx_sc)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(rx_sc);
|
|
}
|
|
|
|
assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
|
|
pr_notice("macsec: nl: add_rxsa: bad key length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
|
|
pr_notice("macsec: nl: add_rxsa: bad pn length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (secy->xpn) {
|
|
if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) {
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) {
|
|
pr_notice("macsec: nl: add_rxsa: bad salt length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_SALT]),
|
|
MACSEC_SA_ATTR_SALT);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
rx_sa = rtnl_dereference(rx_sc->sa[assoc_num]);
|
|
if (rx_sa) {
|
|
rtnl_unlock();
|
|
return -EBUSY;
|
|
}
|
|
|
|
rx_sa = kmalloc(sizeof(*rx_sa), GFP_KERNEL);
|
|
if (!rx_sa) {
|
|
rtnl_unlock();
|
|
return -ENOMEM;
|
|
}
|
|
|
|
err = init_rx_sa(rx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
secy->key_len, secy->icv_len);
|
|
if (err < 0) {
|
|
kfree(rx_sa);
|
|
rtnl_unlock();
|
|
return err;
|
|
}
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
spin_lock_bh(&rx_sa->lock);
|
|
rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
spin_unlock_bh(&rx_sa->lock);
|
|
}
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
rx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
rx_sa->sc = rx_sc;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
err = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.rx_sa = rx_sa;
|
|
ctx.secy = secy;
|
|
memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
MACSEC_KEYID_LEN);
|
|
|
|
err = macsec_offload(ops->mdo_add_rxsa, &ctx);
|
|
if (err)
|
|
goto cleanup;
|
|
}
|
|
|
|
if (secy->xpn) {
|
|
rx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]);
|
|
nla_memcpy(rx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT],
|
|
MACSEC_SALT_LEN);
|
|
}
|
|
|
|
nla_memcpy(rx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
|
|
rcu_assign_pointer(rx_sc->sa[assoc_num], rx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
kfree(rx_sa);
|
|
rtnl_unlock();
|
|
return err;
|
|
}
|
|
|
|
static bool validate_add_rxsc(struct nlattr **attrs)
|
|
{
|
|
if (!attrs[MACSEC_RXSC_ATTR_SCI])
|
|
return false;
|
|
|
|
if (attrs[MACSEC_RXSC_ATTR_ACTIVE]) {
|
|
if (nla_get_u8(attrs[MACSEC_RXSC_ATTR_ACTIVE]) > 1)
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static int macsec_add_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct net_device *dev;
|
|
sci_t sci = MACSEC_UNDEF_SCI;
|
|
struct nlattr **attrs = info->attrs;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
struct macsec_secy *secy;
|
|
bool was_active;
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
if (!validate_add_rxsc(tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
dev = get_dev_from_nl(genl_info_net(info), attrs);
|
|
if (IS_ERR(dev)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(dev);
|
|
}
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
|
|
rx_sc = create_rx_sc(dev, sci);
|
|
if (IS_ERR(rx_sc)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(rx_sc);
|
|
}
|
|
|
|
was_active = rx_sc->active;
|
|
if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE])
|
|
rx_sc->active = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
|
|
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.rx_sc = rx_sc;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_add_rxsc, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
rx_sc->active = was_active;
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static bool validate_add_txsa(struct nlattr **attrs)
|
|
{
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
!attrs[MACSEC_SA_ATTR_PN] ||
|
|
!attrs[MACSEC_SA_ATTR_KEY] ||
|
|
!attrs[MACSEC_SA_ATTR_KEYID])
|
|
return false;
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
return false;
|
|
|
|
if (nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
return false;
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
return false;
|
|
}
|
|
|
|
if (nla_len(attrs[MACSEC_SA_ATTR_KEYID]) != MACSEC_KEYID_LEN)
|
|
return false;
|
|
|
|
return true;
|
|
}
|
|
|
|
static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct net_device *dev;
|
|
struct nlattr **attrs = info->attrs;
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
struct macsec_tx_sa *tx_sa;
|
|
unsigned char assoc_num;
|
|
int pn_len;
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
bool was_operational;
|
|
int err;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
if (!validate_add_txsa(tb_sa))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
dev = get_dev_from_nl(genl_info_net(info), attrs);
|
|
if (IS_ERR(dev)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(dev);
|
|
}
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
assoc_num = nla_get_u8(tb_sa[MACSEC_SA_ATTR_AN]);
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_KEY]) != secy->key_len) {
|
|
pr_notice("macsec: nl: add_txsa: bad key length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_KEY]), secy->key_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
|
|
pr_notice("macsec: nl: add_txsa: bad pn length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (secy->xpn) {
|
|
if (!tb_sa[MACSEC_SA_ATTR_SSCI] || !tb_sa[MACSEC_SA_ATTR_SALT]) {
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_SALT]) != MACSEC_SALT_LEN) {
|
|
pr_notice("macsec: nl: add_txsa: bad salt length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_SALT]),
|
|
MACSEC_SA_ATTR_SALT);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
tx_sa = rtnl_dereference(tx_sc->sa[assoc_num]);
|
|
if (tx_sa) {
|
|
rtnl_unlock();
|
|
return -EBUSY;
|
|
}
|
|
|
|
tx_sa = kmalloc(sizeof(*tx_sa), GFP_KERNEL);
|
|
if (!tx_sa) {
|
|
rtnl_unlock();
|
|
return -ENOMEM;
|
|
}
|
|
|
|
err = init_tx_sa(tx_sa, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
secy->key_len, secy->icv_len);
|
|
if (err < 0) {
|
|
kfree(tx_sa);
|
|
rtnl_unlock();
|
|
return err;
|
|
}
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
tx_sa->active = !!nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
was_operational = secy->operational;
|
|
if (assoc_num == tx_sc->encoding_sa && tx_sa->active)
|
|
secy->operational = true;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
err = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.tx_sa = tx_sa;
|
|
ctx.secy = secy;
|
|
memcpy(ctx.sa.key, nla_data(tb_sa[MACSEC_SA_ATTR_KEY]),
|
|
MACSEC_KEYID_LEN);
|
|
|
|
err = macsec_offload(ops->mdo_add_txsa, &ctx);
|
|
if (err)
|
|
goto cleanup;
|
|
}
|
|
|
|
if (secy->xpn) {
|
|
tx_sa->ssci = nla_get_ssci(tb_sa[MACSEC_SA_ATTR_SSCI]);
|
|
nla_memcpy(tx_sa->key.salt.bytes, tb_sa[MACSEC_SA_ATTR_SALT],
|
|
MACSEC_SALT_LEN);
|
|
}
|
|
|
|
nla_memcpy(tx_sa->key.id, tb_sa[MACSEC_SA_ATTR_KEYID], MACSEC_KEYID_LEN);
|
|
rcu_assign_pointer(tx_sc->sa[assoc_num], tx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
secy->operational = was_operational;
|
|
kfree(tx_sa);
|
|
rtnl_unlock();
|
|
return err;
|
|
}
|
|
|
|
static int macsec_del_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_rx_sa *rx_sa;
|
|
u8 assoc_num;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
|
|
&dev, &secy, &rx_sc, &assoc_num);
|
|
if (IS_ERR(rx_sa)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(rx_sa);
|
|
}
|
|
|
|
if (rx_sa->active) {
|
|
rtnl_unlock();
|
|
return -EBUSY;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.rx_sa = rx_sa;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_del_rxsa, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
RCU_INIT_POINTER(rx_sc->sa[assoc_num], NULL);
|
|
clear_rx_sa(rx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static int macsec_del_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
sci_t sci;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
if (!tb_rxsc[MACSEC_RXSC_ATTR_SCI])
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
dev = get_dev_from_nl(genl_info_net(info), info->attrs);
|
|
if (IS_ERR(dev)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(dev);
|
|
}
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
sci = nla_get_sci(tb_rxsc[MACSEC_RXSC_ATTR_SCI]);
|
|
|
|
rx_sc = del_rx_sc(secy, sci);
|
|
if (!rx_sc) {
|
|
rtnl_unlock();
|
|
return -ENODEV;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.rx_sc = rx_sc;
|
|
ctx.secy = secy;
|
|
ret = macsec_offload(ops->mdo_del_rxsc, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
free_rx_sc(rx_sc);
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static int macsec_del_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
struct macsec_tx_sa *tx_sa;
|
|
u8 assoc_num;
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
|
|
&dev, &secy, &tx_sc, &assoc_num);
|
|
if (IS_ERR(tx_sa)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(tx_sa);
|
|
}
|
|
|
|
if (tx_sa->active) {
|
|
rtnl_unlock();
|
|
return -EBUSY;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.tx_sa = tx_sa;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_del_txsa, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
RCU_INIT_POINTER(tx_sc->sa[assoc_num], NULL);
|
|
clear_tx_sa(tx_sa);
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static bool validate_upd_sa(struct nlattr **attrs)
|
|
{
|
|
if (!attrs[MACSEC_SA_ATTR_AN] ||
|
|
attrs[MACSEC_SA_ATTR_KEY] ||
|
|
attrs[MACSEC_SA_ATTR_KEYID] ||
|
|
attrs[MACSEC_SA_ATTR_SSCI] ||
|
|
attrs[MACSEC_SA_ATTR_SALT])
|
|
return false;
|
|
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_AN]) >= MACSEC_NUM_AN)
|
|
return false;
|
|
|
|
if (attrs[MACSEC_SA_ATTR_PN] && nla_get_u32(attrs[MACSEC_SA_ATTR_PN]) == 0)
|
|
return false;
|
|
|
|
if (attrs[MACSEC_SA_ATTR_ACTIVE]) {
|
|
if (nla_get_u8(attrs[MACSEC_SA_ATTR_ACTIVE]) > 1)
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
static int macsec_upd_txsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
struct macsec_tx_sa *tx_sa;
|
|
u8 assoc_num;
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
bool was_operational, was_active;
|
|
pn_t prev_pn;
|
|
int ret = 0;
|
|
|
|
prev_pn.full64 = 0;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
if (!validate_upd_sa(tb_sa))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
tx_sa = get_txsa_from_nl(genl_info_net(info), attrs, tb_sa,
|
|
&dev, &secy, &tx_sc, &assoc_num);
|
|
if (IS_ERR(tx_sa)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(tx_sa);
|
|
}
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
int pn_len;
|
|
|
|
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
|
|
pr_notice("macsec: nl: upd_txsa: bad pn length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
spin_lock_bh(&tx_sa->lock);
|
|
prev_pn = tx_sa->next_pn_halves;
|
|
tx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
}
|
|
|
|
was_active = tx_sa->active;
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
tx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
was_operational = secy->operational;
|
|
if (assoc_num == tx_sc->encoding_sa)
|
|
secy->operational = tx_sa->active;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.tx_sa = tx_sa;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_upd_txsa, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
spin_lock_bh(&tx_sa->lock);
|
|
tx_sa->next_pn_halves = prev_pn;
|
|
spin_unlock_bh(&tx_sa->lock);
|
|
}
|
|
tx_sa->active = was_active;
|
|
secy->operational = was_operational;
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static int macsec_upd_rxsa(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct macsec_rx_sa *rx_sa;
|
|
u8 assoc_num;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
struct nlattr *tb_sa[MACSEC_SA_ATTR_MAX + 1];
|
|
bool was_active;
|
|
pn_t prev_pn;
|
|
int ret = 0;
|
|
|
|
prev_pn.full64 = 0;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
if (parse_sa_config(attrs, tb_sa))
|
|
return -EINVAL;
|
|
|
|
if (!validate_upd_sa(tb_sa))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
rx_sa = get_rxsa_from_nl(genl_info_net(info), attrs, tb_rxsc, tb_sa,
|
|
&dev, &secy, &rx_sc, &assoc_num);
|
|
if (IS_ERR(rx_sa)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(rx_sa);
|
|
}
|
|
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
int pn_len;
|
|
|
|
pn_len = secy->xpn ? MACSEC_XPN_PN_LEN : MACSEC_DEFAULT_PN_LEN;
|
|
if (nla_len(tb_sa[MACSEC_SA_ATTR_PN]) != pn_len) {
|
|
pr_notice("macsec: nl: upd_rxsa: bad pn length: %d != %d\n",
|
|
nla_len(tb_sa[MACSEC_SA_ATTR_PN]), pn_len);
|
|
rtnl_unlock();
|
|
return -EINVAL;
|
|
}
|
|
|
|
spin_lock_bh(&rx_sa->lock);
|
|
prev_pn = rx_sa->next_pn_halves;
|
|
rx_sa->next_pn = nla_get_u64(tb_sa[MACSEC_SA_ATTR_PN]);
|
|
spin_unlock_bh(&rx_sa->lock);
|
|
}
|
|
|
|
was_active = rx_sa->active;
|
|
if (tb_sa[MACSEC_SA_ATTR_ACTIVE])
|
|
rx_sa->active = nla_get_u8(tb_sa[MACSEC_SA_ATTR_ACTIVE]);
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.sa.assoc_num = assoc_num;
|
|
ctx.sa.rx_sa = rx_sa;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_upd_rxsa, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
rtnl_unlock();
|
|
return 0;
|
|
|
|
cleanup:
|
|
if (tb_sa[MACSEC_SA_ATTR_PN]) {
|
|
spin_lock_bh(&rx_sa->lock);
|
|
rx_sa->next_pn_halves = prev_pn;
|
|
spin_unlock_bh(&rx_sa->lock);
|
|
}
|
|
rx_sa->active = was_active;
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static int macsec_upd_rxsc(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
struct macsec_secy *secy;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct nlattr *tb_rxsc[MACSEC_RXSC_ATTR_MAX + 1];
|
|
unsigned int prev_n_rx_sc;
|
|
bool was_active;
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (parse_rxsc_config(attrs, tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
if (!validate_add_rxsc(tb_rxsc))
|
|
return -EINVAL;
|
|
|
|
rtnl_lock();
|
|
rx_sc = get_rxsc_from_nl(genl_info_net(info), attrs, tb_rxsc, &dev, &secy);
|
|
if (IS_ERR(rx_sc)) {
|
|
rtnl_unlock();
|
|
return PTR_ERR(rx_sc);
|
|
}
|
|
|
|
was_active = rx_sc->active;
|
|
prev_n_rx_sc = secy->n_rx_sc;
|
|
if (tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]) {
|
|
bool new = !!nla_get_u8(tb_rxsc[MACSEC_RXSC_ATTR_ACTIVE]);
|
|
|
|
if (rx_sc->active != new)
|
|
secy->n_rx_sc += new ? 1 : -1;
|
|
|
|
rx_sc->active = new;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.rx_sc = rx_sc;
|
|
ctx.secy = secy;
|
|
|
|
ret = macsec_offload(ops->mdo_upd_rxsc, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
rtnl_unlock();
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
secy->n_rx_sc = prev_n_rx_sc;
|
|
rx_sc->active = was_active;
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static bool macsec_is_configured(struct macsec_dev *macsec)
|
|
{
|
|
struct macsec_secy *secy = &macsec->secy;
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
int i;
|
|
|
|
if (secy->n_rx_sc > 0)
|
|
return true;
|
|
|
|
for (i = 0; i < MACSEC_NUM_AN; i++)
|
|
if (tx_sc->sa[i])
|
|
return true;
|
|
|
|
return false;
|
|
}
|
|
|
|
static int macsec_upd_offload(struct sk_buff *skb, struct genl_info *info)
|
|
{
|
|
struct nlattr *tb_offload[MACSEC_OFFLOAD_ATTR_MAX + 1];
|
|
enum macsec_offload offload, prev_offload;
|
|
int (*func)(struct macsec_context *ctx);
|
|
struct nlattr **attrs = info->attrs;
|
|
struct net_device *dev;
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
struct macsec_dev *macsec;
|
|
int ret;
|
|
|
|
if (!attrs[MACSEC_ATTR_IFINDEX])
|
|
return -EINVAL;
|
|
|
|
if (!attrs[MACSEC_ATTR_OFFLOAD])
|
|
return -EINVAL;
|
|
|
|
if (nla_parse_nested_deprecated(tb_offload, MACSEC_OFFLOAD_ATTR_MAX,
|
|
attrs[MACSEC_ATTR_OFFLOAD],
|
|
macsec_genl_offload_policy, NULL))
|
|
return -EINVAL;
|
|
|
|
dev = get_dev_from_nl(genl_info_net(info), attrs);
|
|
if (IS_ERR(dev))
|
|
return PTR_ERR(dev);
|
|
macsec = macsec_priv(dev);
|
|
|
|
offload = nla_get_u8(tb_offload[MACSEC_OFFLOAD_ATTR_TYPE]);
|
|
if (macsec->offload == offload)
|
|
return 0;
|
|
|
|
/* Check if the offloading mode is supported by the underlying layers */
|
|
if (offload != MACSEC_OFFLOAD_OFF &&
|
|
!macsec_check_offload(offload, macsec))
|
|
return -EOPNOTSUPP;
|
|
|
|
/* Check if the net device is busy. */
|
|
if (netif_running(dev))
|
|
return -EBUSY;
|
|
|
|
rtnl_lock();
|
|
|
|
prev_offload = macsec->offload;
|
|
macsec->offload = offload;
|
|
|
|
/* Check if the device already has rules configured: we do not support
|
|
* rules migration.
|
|
*/
|
|
if (macsec_is_configured(macsec)) {
|
|
ret = -EBUSY;
|
|
goto rollback;
|
|
}
|
|
|
|
ops = __macsec_get_ops(offload == MACSEC_OFFLOAD_OFF ? prev_offload : offload,
|
|
macsec, &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto rollback;
|
|
}
|
|
|
|
if (prev_offload == MACSEC_OFFLOAD_OFF)
|
|
func = ops->mdo_add_secy;
|
|
else
|
|
func = ops->mdo_del_secy;
|
|
|
|
ctx.secy = &macsec->secy;
|
|
ret = macsec_offload(func, &ctx);
|
|
if (ret)
|
|
goto rollback;
|
|
|
|
rtnl_unlock();
|
|
return 0;
|
|
|
|
rollback:
|
|
macsec->offload = prev_offload;
|
|
|
|
rtnl_unlock();
|
|
return ret;
|
|
}
|
|
|
|
static void get_tx_sa_stats(struct net_device *dev, int an,
|
|
struct macsec_tx_sa *tx_sa,
|
|
struct macsec_tx_sa_stats *sum)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
int cpu;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.sa.assoc_num = an;
|
|
ctx.sa.tx_sa = tx_sa;
|
|
ctx.stats.tx_sa_stats = sum;
|
|
ctx.secy = &macsec_priv(dev)->secy;
|
|
macsec_offload(ops->mdo_get_tx_sa_stats, &ctx);
|
|
}
|
|
return;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
const struct macsec_tx_sa_stats *stats =
|
|
per_cpu_ptr(tx_sa->stats, cpu);
|
|
|
|
sum->OutPktsProtected += stats->OutPktsProtected;
|
|
sum->OutPktsEncrypted += stats->OutPktsEncrypted;
|
|
}
|
|
}
|
|
|
|
static int copy_tx_sa_stats(struct sk_buff *skb, struct macsec_tx_sa_stats *sum)
|
|
{
|
|
if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_PROTECTED,
|
|
sum->OutPktsProtected) ||
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_OUT_PKTS_ENCRYPTED,
|
|
sum->OutPktsEncrypted))
|
|
return -EMSGSIZE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void get_rx_sa_stats(struct net_device *dev,
|
|
struct macsec_rx_sc *rx_sc, int an,
|
|
struct macsec_rx_sa *rx_sa,
|
|
struct macsec_rx_sa_stats *sum)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
int cpu;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.sa.assoc_num = an;
|
|
ctx.sa.rx_sa = rx_sa;
|
|
ctx.stats.rx_sa_stats = sum;
|
|
ctx.secy = &macsec_priv(dev)->secy;
|
|
ctx.rx_sc = rx_sc;
|
|
macsec_offload(ops->mdo_get_rx_sa_stats, &ctx);
|
|
}
|
|
return;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
const struct macsec_rx_sa_stats *stats =
|
|
per_cpu_ptr(rx_sa->stats, cpu);
|
|
|
|
sum->InPktsOK += stats->InPktsOK;
|
|
sum->InPktsInvalid += stats->InPktsInvalid;
|
|
sum->InPktsNotValid += stats->InPktsNotValid;
|
|
sum->InPktsNotUsingSA += stats->InPktsNotUsingSA;
|
|
sum->InPktsUnusedSA += stats->InPktsUnusedSA;
|
|
}
|
|
}
|
|
|
|
static int copy_rx_sa_stats(struct sk_buff *skb,
|
|
struct macsec_rx_sa_stats *sum)
|
|
{
|
|
if (nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_OK, sum->InPktsOK) ||
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_INVALID,
|
|
sum->InPktsInvalid) ||
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_VALID,
|
|
sum->InPktsNotValid) ||
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_NOT_USING_SA,
|
|
sum->InPktsNotUsingSA) ||
|
|
nla_put_u32(skb, MACSEC_SA_STATS_ATTR_IN_PKTS_UNUSED_SA,
|
|
sum->InPktsUnusedSA))
|
|
return -EMSGSIZE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void get_rx_sc_stats(struct net_device *dev,
|
|
struct macsec_rx_sc *rx_sc,
|
|
struct macsec_rx_sc_stats *sum)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
int cpu;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.stats.rx_sc_stats = sum;
|
|
ctx.secy = &macsec_priv(dev)->secy;
|
|
ctx.rx_sc = rx_sc;
|
|
macsec_offload(ops->mdo_get_rx_sc_stats, &ctx);
|
|
}
|
|
return;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
const struct pcpu_rx_sc_stats *stats;
|
|
struct macsec_rx_sc_stats tmp;
|
|
unsigned int start;
|
|
|
|
stats = per_cpu_ptr(rx_sc->stats, cpu);
|
|
do {
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
sum->InOctetsValidated += tmp.InOctetsValidated;
|
|
sum->InOctetsDecrypted += tmp.InOctetsDecrypted;
|
|
sum->InPktsUnchecked += tmp.InPktsUnchecked;
|
|
sum->InPktsDelayed += tmp.InPktsDelayed;
|
|
sum->InPktsOK += tmp.InPktsOK;
|
|
sum->InPktsInvalid += tmp.InPktsInvalid;
|
|
sum->InPktsLate += tmp.InPktsLate;
|
|
sum->InPktsNotValid += tmp.InPktsNotValid;
|
|
sum->InPktsNotUsingSA += tmp.InPktsNotUsingSA;
|
|
sum->InPktsUnusedSA += tmp.InPktsUnusedSA;
|
|
}
|
|
}
|
|
|
|
static int copy_rx_sc_stats(struct sk_buff *skb, struct macsec_rx_sc_stats *sum)
|
|
{
|
|
if (nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_VALIDATED,
|
|
sum->InOctetsValidated,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_OCTETS_DECRYPTED,
|
|
sum->InOctetsDecrypted,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNCHECKED,
|
|
sum->InPktsUnchecked,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_DELAYED,
|
|
sum->InPktsDelayed,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_OK,
|
|
sum->InPktsOK,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_INVALID,
|
|
sum->InPktsInvalid,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_LATE,
|
|
sum->InPktsLate,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_VALID,
|
|
sum->InPktsNotValid,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_NOT_USING_SA,
|
|
sum->InPktsNotUsingSA,
|
|
MACSEC_RXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_RXSC_STATS_ATTR_IN_PKTS_UNUSED_SA,
|
|
sum->InPktsUnusedSA,
|
|
MACSEC_RXSC_STATS_ATTR_PAD))
|
|
return -EMSGSIZE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void get_tx_sc_stats(struct net_device *dev,
|
|
struct macsec_tx_sc_stats *sum)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
int cpu;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.stats.tx_sc_stats = sum;
|
|
ctx.secy = &macsec_priv(dev)->secy;
|
|
macsec_offload(ops->mdo_get_tx_sc_stats, &ctx);
|
|
}
|
|
return;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
const struct pcpu_tx_sc_stats *stats;
|
|
struct macsec_tx_sc_stats tmp;
|
|
unsigned int start;
|
|
|
|
stats = per_cpu_ptr(macsec_priv(dev)->secy.tx_sc.stats, cpu);
|
|
do {
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
sum->OutPktsProtected += tmp.OutPktsProtected;
|
|
sum->OutPktsEncrypted += tmp.OutPktsEncrypted;
|
|
sum->OutOctetsProtected += tmp.OutOctetsProtected;
|
|
sum->OutOctetsEncrypted += tmp.OutOctetsEncrypted;
|
|
}
|
|
}
|
|
|
|
static int copy_tx_sc_stats(struct sk_buff *skb, struct macsec_tx_sc_stats *sum)
|
|
{
|
|
if (nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_PROTECTED,
|
|
sum->OutPktsProtected,
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_PKTS_ENCRYPTED,
|
|
sum->OutPktsEncrypted,
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_PROTECTED,
|
|
sum->OutOctetsProtected,
|
|
MACSEC_TXSC_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_TXSC_STATS_ATTR_OUT_OCTETS_ENCRYPTED,
|
|
sum->OutOctetsEncrypted,
|
|
MACSEC_TXSC_STATS_ATTR_PAD))
|
|
return -EMSGSIZE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void get_secy_stats(struct net_device *dev, struct macsec_dev_stats *sum)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
int cpu;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.stats.dev_stats = sum;
|
|
ctx.secy = &macsec_priv(dev)->secy;
|
|
macsec_offload(ops->mdo_get_dev_stats, &ctx);
|
|
}
|
|
return;
|
|
}
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
const struct pcpu_secy_stats *stats;
|
|
struct macsec_dev_stats tmp;
|
|
unsigned int start;
|
|
|
|
stats = per_cpu_ptr(macsec_priv(dev)->stats, cpu);
|
|
do {
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
memcpy(&tmp, &stats->stats, sizeof(tmp));
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
sum->OutPktsUntagged += tmp.OutPktsUntagged;
|
|
sum->InPktsUntagged += tmp.InPktsUntagged;
|
|
sum->OutPktsTooLong += tmp.OutPktsTooLong;
|
|
sum->InPktsNoTag += tmp.InPktsNoTag;
|
|
sum->InPktsBadTag += tmp.InPktsBadTag;
|
|
sum->InPktsUnknownSCI += tmp.InPktsUnknownSCI;
|
|
sum->InPktsNoSCI += tmp.InPktsNoSCI;
|
|
sum->InPktsOverrun += tmp.InPktsOverrun;
|
|
}
|
|
}
|
|
|
|
static int copy_secy_stats(struct sk_buff *skb, struct macsec_dev_stats *sum)
|
|
{
|
|
if (nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_UNTAGGED,
|
|
sum->OutPktsUntagged,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNTAGGED,
|
|
sum->InPktsUntagged,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_OUT_PKTS_TOO_LONG,
|
|
sum->OutPktsTooLong,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_TAG,
|
|
sum->InPktsNoTag,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_BAD_TAG,
|
|
sum->InPktsBadTag,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_UNKNOWN_SCI,
|
|
sum->InPktsUnknownSCI,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_NO_SCI,
|
|
sum->InPktsNoSCI,
|
|
MACSEC_SECY_STATS_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_STATS_ATTR_IN_PKTS_OVERRUN,
|
|
sum->InPktsOverrun,
|
|
MACSEC_SECY_STATS_ATTR_PAD))
|
|
return -EMSGSIZE;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int nla_put_secy(struct macsec_secy *secy, struct sk_buff *skb)
|
|
{
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
struct nlattr *secy_nest = nla_nest_start_noflag(skb,
|
|
MACSEC_ATTR_SECY);
|
|
u64 csid;
|
|
|
|
if (!secy_nest)
|
|
return 1;
|
|
|
|
switch (secy->key_len) {
|
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
|
csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID;
|
|
break;
|
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
|
csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256;
|
|
break;
|
|
default:
|
|
goto cancel;
|
|
}
|
|
|
|
if (nla_put_sci(skb, MACSEC_SECY_ATTR_SCI, secy->sci,
|
|
MACSEC_SECY_ATTR_PAD) ||
|
|
nla_put_u64_64bit(skb, MACSEC_SECY_ATTR_CIPHER_SUITE,
|
|
csid, MACSEC_SECY_ATTR_PAD) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ICV_LEN, secy->icv_len) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_OPER, secy->operational) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_PROTECT, secy->protect_frames) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_REPLAY, secy->replay_protect) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_VALIDATE, secy->validate_frames) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ENCRYPT, tx_sc->encrypt) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_INC_SCI, tx_sc->send_sci) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ES, tx_sc->end_station) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_SCB, tx_sc->scb) ||
|
|
nla_put_u8(skb, MACSEC_SECY_ATTR_ENCODING_SA, tx_sc->encoding_sa))
|
|
goto cancel;
|
|
|
|
if (secy->replay_protect) {
|
|
if (nla_put_u32(skb, MACSEC_SECY_ATTR_WINDOW, secy->replay_window))
|
|
goto cancel;
|
|
}
|
|
|
|
nla_nest_end(skb, secy_nest);
|
|
return 0;
|
|
|
|
cancel:
|
|
nla_nest_cancel(skb, secy_nest);
|
|
return 1;
|
|
}
|
|
|
|
static noinline_for_stack int
|
|
dump_secy(struct macsec_secy *secy, struct net_device *dev,
|
|
struct sk_buff *skb, struct netlink_callback *cb)
|
|
{
|
|
struct macsec_tx_sc_stats tx_sc_stats = {0, };
|
|
struct macsec_tx_sa_stats tx_sa_stats = {0, };
|
|
struct macsec_rx_sc_stats rx_sc_stats = {0, };
|
|
struct macsec_rx_sa_stats rx_sa_stats = {0, };
|
|
struct macsec_dev *macsec = netdev_priv(dev);
|
|
struct macsec_dev_stats dev_stats = {0, };
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
struct nlattr *txsa_list, *rxsc_list;
|
|
struct macsec_rx_sc *rx_sc;
|
|
struct nlattr *attr;
|
|
void *hdr;
|
|
int i, j;
|
|
|
|
hdr = genlmsg_put(skb, NETLINK_CB(cb->skb).portid, cb->nlh->nlmsg_seq,
|
|
&macsec_fam, NLM_F_MULTI, MACSEC_CMD_GET_TXSC);
|
|
if (!hdr)
|
|
return -EMSGSIZE;
|
|
|
|
genl_dump_check_consistent(cb, hdr);
|
|
|
|
if (nla_put_u32(skb, MACSEC_ATTR_IFINDEX, dev->ifindex))
|
|
goto nla_put_failure;
|
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_ATTR_OFFLOAD);
|
|
if (!attr)
|
|
goto nla_put_failure;
|
|
if (nla_put_u8(skb, MACSEC_OFFLOAD_ATTR_TYPE, macsec->offload))
|
|
goto nla_put_failure;
|
|
nla_nest_end(skb, attr);
|
|
|
|
if (nla_put_secy(secy, skb))
|
|
goto nla_put_failure;
|
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSC_STATS);
|
|
if (!attr)
|
|
goto nla_put_failure;
|
|
|
|
get_tx_sc_stats(dev, &tx_sc_stats);
|
|
if (copy_tx_sc_stats(skb, &tx_sc_stats)) {
|
|
nla_nest_cancel(skb, attr);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, attr);
|
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_ATTR_SECY_STATS);
|
|
if (!attr)
|
|
goto nla_put_failure;
|
|
get_secy_stats(dev, &dev_stats);
|
|
if (copy_secy_stats(skb, &dev_stats)) {
|
|
nla_nest_cancel(skb, attr);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, attr);
|
|
|
|
txsa_list = nla_nest_start_noflag(skb, MACSEC_ATTR_TXSA_LIST);
|
|
if (!txsa_list)
|
|
goto nla_put_failure;
|
|
for (i = 0, j = 1; i < MACSEC_NUM_AN; i++) {
|
|
struct macsec_tx_sa *tx_sa = rtnl_dereference(tx_sc->sa[i]);
|
|
struct nlattr *txsa_nest;
|
|
u64 pn;
|
|
int pn_len;
|
|
|
|
if (!tx_sa)
|
|
continue;
|
|
|
|
txsa_nest = nla_nest_start_noflag(skb, j++);
|
|
if (!txsa_nest) {
|
|
nla_nest_cancel(skb, txsa_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_SA_ATTR_STATS);
|
|
if (!attr) {
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
nla_nest_cancel(skb, txsa_list);
|
|
goto nla_put_failure;
|
|
}
|
|
memset(&tx_sa_stats, 0, sizeof(tx_sa_stats));
|
|
get_tx_sa_stats(dev, i, tx_sa, &tx_sa_stats);
|
|
if (copy_tx_sa_stats(skb, &tx_sa_stats)) {
|
|
nla_nest_cancel(skb, attr);
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
nla_nest_cancel(skb, txsa_list);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, attr);
|
|
|
|
if (secy->xpn) {
|
|
pn = tx_sa->next_pn;
|
|
pn_len = MACSEC_XPN_PN_LEN;
|
|
} else {
|
|
pn = tx_sa->next_pn_halves.lower;
|
|
pn_len = MACSEC_DEFAULT_PN_LEN;
|
|
}
|
|
|
|
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
|
|
nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) ||
|
|
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, tx_sa->key.id) ||
|
|
(secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, tx_sa->ssci)) ||
|
|
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, tx_sa->active)) {
|
|
nla_nest_cancel(skb, txsa_nest);
|
|
nla_nest_cancel(skb, txsa_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
nla_nest_end(skb, txsa_nest);
|
|
}
|
|
nla_nest_end(skb, txsa_list);
|
|
|
|
rxsc_list = nla_nest_start_noflag(skb, MACSEC_ATTR_RXSC_LIST);
|
|
if (!rxsc_list)
|
|
goto nla_put_failure;
|
|
|
|
j = 1;
|
|
for_each_rxsc_rtnl(secy, rx_sc) {
|
|
int k;
|
|
struct nlattr *rxsa_list;
|
|
struct nlattr *rxsc_nest = nla_nest_start_noflag(skb, j++);
|
|
|
|
if (!rxsc_nest) {
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
if (nla_put_u8(skb, MACSEC_RXSC_ATTR_ACTIVE, rx_sc->active) ||
|
|
nla_put_sci(skb, MACSEC_RXSC_ATTR_SCI, rx_sc->sci,
|
|
MACSEC_RXSC_ATTR_PAD)) {
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
attr = nla_nest_start_noflag(skb, MACSEC_RXSC_ATTR_STATS);
|
|
if (!attr) {
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
memset(&rx_sc_stats, 0, sizeof(rx_sc_stats));
|
|
get_rx_sc_stats(dev, rx_sc, &rx_sc_stats);
|
|
if (copy_rx_sc_stats(skb, &rx_sc_stats)) {
|
|
nla_nest_cancel(skb, attr);
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, attr);
|
|
|
|
rxsa_list = nla_nest_start_noflag(skb,
|
|
MACSEC_RXSC_ATTR_SA_LIST);
|
|
if (!rxsa_list) {
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
for (i = 0, k = 1; i < MACSEC_NUM_AN; i++) {
|
|
struct macsec_rx_sa *rx_sa = rtnl_dereference(rx_sc->sa[i]);
|
|
struct nlattr *rxsa_nest;
|
|
u64 pn;
|
|
int pn_len;
|
|
|
|
if (!rx_sa)
|
|
continue;
|
|
|
|
rxsa_nest = nla_nest_start_noflag(skb, k++);
|
|
if (!rxsa_nest) {
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
attr = nla_nest_start_noflag(skb,
|
|
MACSEC_SA_ATTR_STATS);
|
|
if (!attr) {
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
memset(&rx_sa_stats, 0, sizeof(rx_sa_stats));
|
|
get_rx_sa_stats(dev, rx_sc, i, rx_sa, &rx_sa_stats);
|
|
if (copy_rx_sa_stats(skb, &rx_sa_stats)) {
|
|
nla_nest_cancel(skb, attr);
|
|
nla_nest_cancel(skb, rxsa_list);
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, attr);
|
|
|
|
if (secy->xpn) {
|
|
pn = rx_sa->next_pn;
|
|
pn_len = MACSEC_XPN_PN_LEN;
|
|
} else {
|
|
pn = rx_sa->next_pn_halves.lower;
|
|
pn_len = MACSEC_DEFAULT_PN_LEN;
|
|
}
|
|
|
|
if (nla_put_u8(skb, MACSEC_SA_ATTR_AN, i) ||
|
|
nla_put(skb, MACSEC_SA_ATTR_PN, pn_len, &pn) ||
|
|
nla_put(skb, MACSEC_SA_ATTR_KEYID, MACSEC_KEYID_LEN, rx_sa->key.id) ||
|
|
(secy->xpn && nla_put_ssci(skb, MACSEC_SA_ATTR_SSCI, rx_sa->ssci)) ||
|
|
nla_put_u8(skb, MACSEC_SA_ATTR_ACTIVE, rx_sa->active)) {
|
|
nla_nest_cancel(skb, rxsa_nest);
|
|
nla_nest_cancel(skb, rxsc_nest);
|
|
nla_nest_cancel(skb, rxsc_list);
|
|
goto nla_put_failure;
|
|
}
|
|
nla_nest_end(skb, rxsa_nest);
|
|
}
|
|
|
|
nla_nest_end(skb, rxsa_list);
|
|
nla_nest_end(skb, rxsc_nest);
|
|
}
|
|
|
|
nla_nest_end(skb, rxsc_list);
|
|
|
|
genlmsg_end(skb, hdr);
|
|
|
|
return 0;
|
|
|
|
nla_put_failure:
|
|
genlmsg_cancel(skb, hdr);
|
|
return -EMSGSIZE;
|
|
}
|
|
|
|
static int macsec_generation = 1; /* protected by RTNL */
|
|
|
|
static int macsec_dump_txsc(struct sk_buff *skb, struct netlink_callback *cb)
|
|
{
|
|
struct net *net = sock_net(skb->sk);
|
|
struct net_device *dev;
|
|
int dev_idx, d;
|
|
|
|
dev_idx = cb->args[0];
|
|
|
|
d = 0;
|
|
rtnl_lock();
|
|
|
|
cb->seq = macsec_generation;
|
|
|
|
for_each_netdev(net, dev) {
|
|
struct macsec_secy *secy;
|
|
|
|
if (d < dev_idx)
|
|
goto next;
|
|
|
|
if (!netif_is_macsec(dev))
|
|
goto next;
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
if (dump_secy(secy, dev, skb, cb) < 0)
|
|
goto done;
|
|
next:
|
|
d++;
|
|
}
|
|
|
|
done:
|
|
rtnl_unlock();
|
|
cb->args[0] = d;
|
|
return skb->len;
|
|
}
|
|
|
|
static const struct genl_ops macsec_genl_ops[] = {
|
|
{
|
|
.cmd = MACSEC_CMD_GET_TXSC,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.dumpit = macsec_dump_txsc,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_ADD_RXSC,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_add_rxsc,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_DEL_RXSC,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_del_rxsc,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_UPD_RXSC,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_upd_rxsc,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_ADD_TXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_add_txsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_DEL_TXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_del_txsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_UPD_TXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_upd_txsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_ADD_RXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_add_rxsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_DEL_RXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_del_rxsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_UPD_RXSA,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_upd_rxsa,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
{
|
|
.cmd = MACSEC_CMD_UPD_OFFLOAD,
|
|
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
|
|
.doit = macsec_upd_offload,
|
|
.flags = GENL_ADMIN_PERM,
|
|
},
|
|
};
|
|
|
|
static struct genl_family macsec_fam __ro_after_init = {
|
|
.name = MACSEC_GENL_NAME,
|
|
.hdrsize = 0,
|
|
.version = MACSEC_GENL_VERSION,
|
|
.maxattr = MACSEC_ATTR_MAX,
|
|
.policy = macsec_genl_policy,
|
|
.netnsok = true,
|
|
.module = THIS_MODULE,
|
|
.ops = macsec_genl_ops,
|
|
.n_ops = ARRAY_SIZE(macsec_genl_ops),
|
|
};
|
|
|
|
static netdev_tx_t macsec_start_xmit(struct sk_buff *skb,
|
|
struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = netdev_priv(dev);
|
|
struct macsec_secy *secy = &macsec->secy;
|
|
struct pcpu_secy_stats *secy_stats;
|
|
int ret, len;
|
|
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
skb->dev = macsec->real_dev;
|
|
return dev_queue_xmit(skb);
|
|
}
|
|
|
|
if (macsec_is_offloaded(netdev_priv(dev))) {
|
|
skb->dev = macsec->real_dev;
|
|
ret = dev_queue_xmit(skb);
|
|
len = skb->len;
|
|
count_tx(dev, ret, len);
|
|
return ret;
|
|
}
|
|
|
|
/* 10.5 */
|
|
if (!secy->protect_frames) {
|
|
secy_stats = this_cpu_ptr(macsec->stats);
|
|
u64_stats_update_begin(&secy_stats->syncp);
|
|
secy_stats->stats.OutPktsUntagged++;
|
|
u64_stats_update_end(&secy_stats->syncp);
|
|
skb->dev = macsec->real_dev;
|
|
len = skb->len;
|
|
ret = dev_queue_xmit(skb);
|
|
count_tx(dev, ret, len);
|
|
return ret;
|
|
}
|
|
|
|
if (!secy->operational) {
|
|
kfree_skb(skb);
|
|
dev->stats.tx_dropped++;
|
|
return NETDEV_TX_OK;
|
|
}
|
|
|
|
skb = macsec_encrypt(skb, dev);
|
|
if (IS_ERR(skb)) {
|
|
if (PTR_ERR(skb) != -EINPROGRESS)
|
|
dev->stats.tx_dropped++;
|
|
return NETDEV_TX_OK;
|
|
}
|
|
|
|
macsec_count_tx(skb, &macsec->secy.tx_sc, macsec_skb_cb(skb)->tx_sa);
|
|
|
|
macsec_encrypt_finish(skb, dev);
|
|
len = skb->len;
|
|
ret = dev_queue_xmit(skb);
|
|
count_tx(dev, ret, len);
|
|
return ret;
|
|
}
|
|
|
|
#define MACSEC_FEATURES \
|
|
(NETIF_F_SG | NETIF_F_HIGHDMA | NETIF_F_FRAGLIST)
|
|
|
|
static int macsec_dev_init(struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
int err;
|
|
|
|
dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
|
|
if (!dev->tstats)
|
|
return -ENOMEM;
|
|
|
|
err = gro_cells_init(&macsec->gro_cells, dev);
|
|
if (err) {
|
|
free_percpu(dev->tstats);
|
|
return err;
|
|
}
|
|
|
|
dev->features = real_dev->features & MACSEC_FEATURES;
|
|
dev->features |= NETIF_F_LLTX | NETIF_F_GSO_SOFTWARE;
|
|
|
|
dev->needed_headroom = real_dev->needed_headroom +
|
|
MACSEC_NEEDED_HEADROOM;
|
|
dev->needed_tailroom = real_dev->needed_tailroom +
|
|
MACSEC_NEEDED_TAILROOM;
|
|
|
|
if (is_zero_ether_addr(dev->dev_addr))
|
|
eth_hw_addr_inherit(dev, real_dev);
|
|
if (is_zero_ether_addr(dev->broadcast))
|
|
memcpy(dev->broadcast, real_dev->broadcast, dev->addr_len);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void macsec_dev_uninit(struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
gro_cells_destroy(&macsec->gro_cells);
|
|
free_percpu(dev->tstats);
|
|
}
|
|
|
|
static netdev_features_t macsec_fix_features(struct net_device *dev,
|
|
netdev_features_t features)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
features &= (real_dev->features & MACSEC_FEATURES) |
|
|
NETIF_F_GSO_SOFTWARE | NETIF_F_SOFT_FEATURES;
|
|
features |= NETIF_F_LLTX;
|
|
|
|
return features;
|
|
}
|
|
|
|
static int macsec_dev_open(struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
int err;
|
|
|
|
err = dev_uc_add(real_dev, dev->dev_addr);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
if (dev->flags & IFF_ALLMULTI) {
|
|
err = dev_set_allmulti(real_dev, 1);
|
|
if (err < 0)
|
|
goto del_unicast;
|
|
}
|
|
|
|
if (dev->flags & IFF_PROMISC) {
|
|
err = dev_set_promiscuity(real_dev, 1);
|
|
if (err < 0)
|
|
goto clear_allmulti;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
err = -EOPNOTSUPP;
|
|
goto clear_allmulti;
|
|
}
|
|
|
|
ctx.secy = &macsec->secy;
|
|
err = macsec_offload(ops->mdo_dev_open, &ctx);
|
|
if (err)
|
|
goto clear_allmulti;
|
|
}
|
|
|
|
if (netif_carrier_ok(real_dev))
|
|
netif_carrier_on(dev);
|
|
|
|
return 0;
|
|
clear_allmulti:
|
|
if (dev->flags & IFF_ALLMULTI)
|
|
dev_set_allmulti(real_dev, -1);
|
|
del_unicast:
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
netif_carrier_off(dev);
|
|
return err;
|
|
}
|
|
|
|
static int macsec_dev_stop(struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
netif_carrier_off(dev);
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.secy = &macsec->secy;
|
|
macsec_offload(ops->mdo_dev_stop, &ctx);
|
|
}
|
|
}
|
|
|
|
dev_mc_unsync(real_dev, dev);
|
|
dev_uc_unsync(real_dev, dev);
|
|
|
|
if (dev->flags & IFF_ALLMULTI)
|
|
dev_set_allmulti(real_dev, -1);
|
|
|
|
if (dev->flags & IFF_PROMISC)
|
|
dev_set_promiscuity(real_dev, -1);
|
|
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void macsec_dev_change_rx_flags(struct net_device *dev, int change)
|
|
{
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
|
|
if (!(dev->flags & IFF_UP))
|
|
return;
|
|
|
|
if (change & IFF_ALLMULTI)
|
|
dev_set_allmulti(real_dev, dev->flags & IFF_ALLMULTI ? 1 : -1);
|
|
|
|
if (change & IFF_PROMISC)
|
|
dev_set_promiscuity(real_dev,
|
|
dev->flags & IFF_PROMISC ? 1 : -1);
|
|
}
|
|
|
|
static void macsec_dev_set_rx_mode(struct net_device *dev)
|
|
{
|
|
struct net_device *real_dev = macsec_priv(dev)->real_dev;
|
|
|
|
dev_mc_sync(real_dev, dev);
|
|
dev_uc_sync(real_dev, dev);
|
|
}
|
|
|
|
static sci_t dev_to_sci(struct net_device *dev, __be16 port)
|
|
{
|
|
return make_sci(dev->dev_addr, port);
|
|
}
|
|
|
|
static int macsec_set_mac_address(struct net_device *dev, void *p)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
struct sockaddr *addr = p;
|
|
int err;
|
|
|
|
if (!is_valid_ether_addr(addr->sa_data))
|
|
return -EADDRNOTAVAIL;
|
|
|
|
if (!(dev->flags & IFF_UP))
|
|
goto out;
|
|
|
|
err = dev_uc_add(real_dev, addr->sa_data);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
dev_uc_del(real_dev, dev->dev_addr);
|
|
|
|
out:
|
|
ether_addr_copy(dev->dev_addr, addr->sa_data);
|
|
macsec->secy.sci = dev_to_sci(dev, MACSEC_PORT_ES);
|
|
return 0;
|
|
}
|
|
|
|
static int macsec_change_mtu(struct net_device *dev, int new_mtu)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
unsigned int extra = macsec->secy.icv_len + macsec_extra_len(true);
|
|
|
|
if (macsec->real_dev->mtu - extra < new_mtu)
|
|
return -ERANGE;
|
|
|
|
dev->mtu = new_mtu;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static void macsec_get_stats64(struct net_device *dev,
|
|
struct rtnl_link_stats64 *s)
|
|
{
|
|
int cpu;
|
|
|
|
if (!dev->tstats)
|
|
return;
|
|
|
|
for_each_possible_cpu(cpu) {
|
|
struct pcpu_sw_netstats *stats;
|
|
struct pcpu_sw_netstats tmp;
|
|
int start;
|
|
|
|
stats = per_cpu_ptr(dev->tstats, cpu);
|
|
do {
|
|
start = u64_stats_fetch_begin_irq(&stats->syncp);
|
|
tmp.rx_packets = stats->rx_packets;
|
|
tmp.rx_bytes = stats->rx_bytes;
|
|
tmp.tx_packets = stats->tx_packets;
|
|
tmp.tx_bytes = stats->tx_bytes;
|
|
} while (u64_stats_fetch_retry_irq(&stats->syncp, start));
|
|
|
|
s->rx_packets += tmp.rx_packets;
|
|
s->rx_bytes += tmp.rx_bytes;
|
|
s->tx_packets += tmp.tx_packets;
|
|
s->tx_bytes += tmp.tx_bytes;
|
|
}
|
|
|
|
s->rx_dropped = dev->stats.rx_dropped;
|
|
s->tx_dropped = dev->stats.tx_dropped;
|
|
}
|
|
|
|
static int macsec_get_iflink(const struct net_device *dev)
|
|
{
|
|
return macsec_priv(dev)->real_dev->ifindex;
|
|
}
|
|
|
|
static const struct net_device_ops macsec_netdev_ops = {
|
|
.ndo_init = macsec_dev_init,
|
|
.ndo_uninit = macsec_dev_uninit,
|
|
.ndo_open = macsec_dev_open,
|
|
.ndo_stop = macsec_dev_stop,
|
|
.ndo_fix_features = macsec_fix_features,
|
|
.ndo_change_mtu = macsec_change_mtu,
|
|
.ndo_set_rx_mode = macsec_dev_set_rx_mode,
|
|
.ndo_change_rx_flags = macsec_dev_change_rx_flags,
|
|
.ndo_set_mac_address = macsec_set_mac_address,
|
|
.ndo_start_xmit = macsec_start_xmit,
|
|
.ndo_get_stats64 = macsec_get_stats64,
|
|
.ndo_get_iflink = macsec_get_iflink,
|
|
};
|
|
|
|
static const struct device_type macsec_type = {
|
|
.name = "macsec",
|
|
};
|
|
|
|
static const struct nla_policy macsec_rtnl_policy[IFLA_MACSEC_MAX + 1] = {
|
|
[IFLA_MACSEC_SCI] = { .type = NLA_U64 },
|
|
[IFLA_MACSEC_PORT] = { .type = NLA_U16 },
|
|
[IFLA_MACSEC_ICV_LEN] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_CIPHER_SUITE] = { .type = NLA_U64 },
|
|
[IFLA_MACSEC_WINDOW] = { .type = NLA_U32 },
|
|
[IFLA_MACSEC_ENCODING_SA] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_ENCRYPT] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_PROTECT] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_INC_SCI] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_ES] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_SCB] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_REPLAY_PROTECT] = { .type = NLA_U8 },
|
|
[IFLA_MACSEC_VALIDATION] = { .type = NLA_U8 },
|
|
};
|
|
|
|
static void macsec_free_netdev(struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
|
|
free_percpu(macsec->stats);
|
|
free_percpu(macsec->secy.tx_sc.stats);
|
|
|
|
}
|
|
|
|
static void macsec_setup(struct net_device *dev)
|
|
{
|
|
ether_setup(dev);
|
|
dev->min_mtu = 0;
|
|
dev->max_mtu = ETH_MAX_MTU;
|
|
dev->priv_flags |= IFF_NO_QUEUE;
|
|
dev->netdev_ops = &macsec_netdev_ops;
|
|
dev->needs_free_netdev = true;
|
|
dev->priv_destructor = macsec_free_netdev;
|
|
SET_NETDEV_DEVTYPE(dev, &macsec_type);
|
|
|
|
eth_zero_addr(dev->broadcast);
|
|
}
|
|
|
|
static int macsec_changelink_common(struct net_device *dev,
|
|
struct nlattr *data[])
|
|
{
|
|
struct macsec_secy *secy;
|
|
struct macsec_tx_sc *tx_sc;
|
|
|
|
secy = &macsec_priv(dev)->secy;
|
|
tx_sc = &secy->tx_sc;
|
|
|
|
if (data[IFLA_MACSEC_ENCODING_SA]) {
|
|
struct macsec_tx_sa *tx_sa;
|
|
|
|
tx_sc->encoding_sa = nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]);
|
|
tx_sa = rtnl_dereference(tx_sc->sa[tx_sc->encoding_sa]);
|
|
|
|
secy->operational = tx_sa && tx_sa->active;
|
|
}
|
|
|
|
if (data[IFLA_MACSEC_WINDOW])
|
|
secy->replay_window = nla_get_u32(data[IFLA_MACSEC_WINDOW]);
|
|
|
|
if (data[IFLA_MACSEC_ENCRYPT])
|
|
tx_sc->encrypt = !!nla_get_u8(data[IFLA_MACSEC_ENCRYPT]);
|
|
|
|
if (data[IFLA_MACSEC_PROTECT])
|
|
secy->protect_frames = !!nla_get_u8(data[IFLA_MACSEC_PROTECT]);
|
|
|
|
if (data[IFLA_MACSEC_INC_SCI])
|
|
tx_sc->send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
|
|
|
|
if (data[IFLA_MACSEC_ES])
|
|
tx_sc->end_station = !!nla_get_u8(data[IFLA_MACSEC_ES]);
|
|
|
|
if (data[IFLA_MACSEC_SCB])
|
|
tx_sc->scb = !!nla_get_u8(data[IFLA_MACSEC_SCB]);
|
|
|
|
if (data[IFLA_MACSEC_REPLAY_PROTECT])
|
|
secy->replay_protect = !!nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT]);
|
|
|
|
if (data[IFLA_MACSEC_VALIDATION])
|
|
secy->validate_frames = nla_get_u8(data[IFLA_MACSEC_VALIDATION]);
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE]) {
|
|
switch (nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE])) {
|
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
|
case MACSEC_DEFAULT_CIPHER_ID:
|
|
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
|
|
secy->xpn = false;
|
|
break;
|
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
|
secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
|
|
secy->xpn = false;
|
|
break;
|
|
case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
|
|
secy->key_len = MACSEC_GCM_AES_128_SAK_LEN;
|
|
secy->xpn = true;
|
|
break;
|
|
case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
|
|
secy->key_len = MACSEC_GCM_AES_256_SAK_LEN;
|
|
secy->xpn = true;
|
|
break;
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int macsec_changelink(struct net_device *dev, struct nlattr *tb[],
|
|
struct nlattr *data[],
|
|
struct netlink_ext_ack *extack)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct macsec_tx_sc tx_sc;
|
|
struct macsec_secy secy;
|
|
int ret;
|
|
|
|
if (!data)
|
|
return 0;
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE] ||
|
|
data[IFLA_MACSEC_ICV_LEN] ||
|
|
data[IFLA_MACSEC_SCI] ||
|
|
data[IFLA_MACSEC_PORT])
|
|
return -EINVAL;
|
|
|
|
/* Keep a copy of unmodified secy and tx_sc, in case the offload
|
|
* propagation fails, to revert macsec_changelink_common.
|
|
*/
|
|
memcpy(&secy, &macsec->secy, sizeof(secy));
|
|
memcpy(&tx_sc, &macsec->secy.tx_sc, sizeof(tx_sc));
|
|
|
|
ret = macsec_changelink_common(dev, data);
|
|
if (ret)
|
|
return ret;
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
int ret;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (!ops) {
|
|
ret = -EOPNOTSUPP;
|
|
goto cleanup;
|
|
}
|
|
|
|
ctx.secy = &macsec->secy;
|
|
ret = macsec_offload(ops->mdo_upd_secy, &ctx);
|
|
if (ret)
|
|
goto cleanup;
|
|
}
|
|
|
|
return 0;
|
|
|
|
cleanup:
|
|
memcpy(&macsec->secy.tx_sc, &tx_sc, sizeof(tx_sc));
|
|
memcpy(&macsec->secy, &secy, sizeof(secy));
|
|
|
|
return ret;
|
|
}
|
|
|
|
static void macsec_del_dev(struct macsec_dev *macsec)
|
|
{
|
|
int i;
|
|
|
|
while (macsec->secy.rx_sc) {
|
|
struct macsec_rx_sc *rx_sc = rtnl_dereference(macsec->secy.rx_sc);
|
|
|
|
rcu_assign_pointer(macsec->secy.rx_sc, rx_sc->next);
|
|
free_rx_sc(rx_sc);
|
|
}
|
|
|
|
for (i = 0; i < MACSEC_NUM_AN; i++) {
|
|
struct macsec_tx_sa *sa = rtnl_dereference(macsec->secy.tx_sc.sa[i]);
|
|
|
|
if (sa) {
|
|
RCU_INIT_POINTER(macsec->secy.tx_sc.sa[i], NULL);
|
|
clear_tx_sa(sa);
|
|
}
|
|
}
|
|
}
|
|
|
|
static void macsec_common_dellink(struct net_device *dev, struct list_head *head)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
|
|
unregister_netdevice_queue(dev, head);
|
|
list_del_rcu(&macsec->secys);
|
|
macsec_del_dev(macsec);
|
|
netdev_upper_dev_unlink(real_dev, dev);
|
|
|
|
macsec_generation++;
|
|
}
|
|
|
|
static void macsec_dellink(struct net_device *dev, struct list_head *head)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct net_device *real_dev = macsec->real_dev;
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(netdev_priv(dev), &ctx);
|
|
if (ops) {
|
|
ctx.secy = &macsec->secy;
|
|
macsec_offload(ops->mdo_del_secy, &ctx);
|
|
}
|
|
}
|
|
|
|
macsec_common_dellink(dev, head);
|
|
|
|
if (list_empty(&rxd->secys)) {
|
|
netdev_rx_handler_unregister(real_dev);
|
|
kfree(rxd);
|
|
}
|
|
}
|
|
|
|
static int register_macsec_dev(struct net_device *real_dev,
|
|
struct net_device *dev)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(real_dev);
|
|
|
|
if (!rxd) {
|
|
int err;
|
|
|
|
rxd = kmalloc(sizeof(*rxd), GFP_KERNEL);
|
|
if (!rxd)
|
|
return -ENOMEM;
|
|
|
|
INIT_LIST_HEAD(&rxd->secys);
|
|
|
|
err = netdev_rx_handler_register(real_dev, macsec_handle_frame,
|
|
rxd);
|
|
if (err < 0) {
|
|
kfree(rxd);
|
|
return err;
|
|
}
|
|
}
|
|
|
|
list_add_tail_rcu(&macsec->secys, &rxd->secys);
|
|
return 0;
|
|
}
|
|
|
|
static bool sci_exists(struct net_device *dev, sci_t sci)
|
|
{
|
|
struct macsec_rxh_data *rxd = macsec_data_rtnl(dev);
|
|
struct macsec_dev *macsec;
|
|
|
|
list_for_each_entry(macsec, &rxd->secys, secys) {
|
|
if (macsec->secy.sci == sci)
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
static int macsec_add_dev(struct net_device *dev, sci_t sci, u8 icv_len)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
struct macsec_secy *secy = &macsec->secy;
|
|
|
|
macsec->stats = netdev_alloc_pcpu_stats(struct pcpu_secy_stats);
|
|
if (!macsec->stats)
|
|
return -ENOMEM;
|
|
|
|
secy->tx_sc.stats = netdev_alloc_pcpu_stats(struct pcpu_tx_sc_stats);
|
|
if (!secy->tx_sc.stats) {
|
|
free_percpu(macsec->stats);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
if (sci == MACSEC_UNDEF_SCI)
|
|
sci = dev_to_sci(dev, MACSEC_PORT_ES);
|
|
|
|
secy->netdev = dev;
|
|
secy->operational = true;
|
|
secy->key_len = DEFAULT_SAK_LEN;
|
|
secy->icv_len = icv_len;
|
|
secy->validate_frames = MACSEC_VALIDATE_DEFAULT;
|
|
secy->protect_frames = true;
|
|
secy->replay_protect = false;
|
|
secy->xpn = DEFAULT_XPN;
|
|
|
|
secy->sci = sci;
|
|
secy->tx_sc.active = true;
|
|
secy->tx_sc.encoding_sa = DEFAULT_ENCODING_SA;
|
|
secy->tx_sc.encrypt = DEFAULT_ENCRYPT;
|
|
secy->tx_sc.send_sci = DEFAULT_SEND_SCI;
|
|
secy->tx_sc.end_station = false;
|
|
secy->tx_sc.scb = false;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int macsec_newlink(struct net *net, struct net_device *dev,
|
|
struct nlattr *tb[], struct nlattr *data[],
|
|
struct netlink_ext_ack *extack)
|
|
{
|
|
struct macsec_dev *macsec = macsec_priv(dev);
|
|
rx_handler_func_t *rx_handler;
|
|
u8 icv_len = DEFAULT_ICV_LEN;
|
|
struct net_device *real_dev;
|
|
int err, mtu;
|
|
sci_t sci;
|
|
|
|
if (!tb[IFLA_LINK])
|
|
return -EINVAL;
|
|
real_dev = __dev_get_by_index(net, nla_get_u32(tb[IFLA_LINK]));
|
|
if (!real_dev)
|
|
return -ENODEV;
|
|
if (real_dev->type != ARPHRD_ETHER)
|
|
return -EINVAL;
|
|
|
|
dev->priv_flags |= IFF_MACSEC;
|
|
|
|
macsec->real_dev = real_dev;
|
|
|
|
if (data && data[IFLA_MACSEC_OFFLOAD])
|
|
macsec->offload = nla_get_offload(data[IFLA_MACSEC_OFFLOAD]);
|
|
else
|
|
/* MACsec offloading is off by default */
|
|
macsec->offload = MACSEC_OFFLOAD_OFF;
|
|
|
|
/* Check if the offloading mode is supported by the underlying layers */
|
|
if (macsec->offload != MACSEC_OFFLOAD_OFF &&
|
|
!macsec_check_offload(macsec->offload, macsec))
|
|
return -EOPNOTSUPP;
|
|
|
|
/* send_sci must be set to true when transmit sci explicitly is set */
|
|
if ((data && data[IFLA_MACSEC_SCI]) &&
|
|
(data && data[IFLA_MACSEC_INC_SCI])) {
|
|
u8 send_sci = !!nla_get_u8(data[IFLA_MACSEC_INC_SCI]);
|
|
|
|
if (!send_sci)
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (data && data[IFLA_MACSEC_ICV_LEN])
|
|
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
|
|
mtu = real_dev->mtu - icv_len - macsec_extra_len(true);
|
|
if (mtu < 0)
|
|
dev->mtu = 0;
|
|
else
|
|
dev->mtu = mtu;
|
|
|
|
rx_handler = rtnl_dereference(real_dev->rx_handler);
|
|
if (rx_handler && rx_handler != macsec_handle_frame)
|
|
return -EBUSY;
|
|
|
|
err = register_netdevice(dev);
|
|
if (err < 0)
|
|
return err;
|
|
|
|
err = netdev_upper_dev_link(real_dev, dev, extack);
|
|
if (err < 0)
|
|
goto unregister;
|
|
|
|
/* need to be already registered so that ->init has run and
|
|
* the MAC addr is set
|
|
*/
|
|
if (data && data[IFLA_MACSEC_SCI])
|
|
sci = nla_get_sci(data[IFLA_MACSEC_SCI]);
|
|
else if (data && data[IFLA_MACSEC_PORT])
|
|
sci = dev_to_sci(dev, nla_get_be16(data[IFLA_MACSEC_PORT]));
|
|
else
|
|
sci = dev_to_sci(dev, MACSEC_PORT_ES);
|
|
|
|
if (rx_handler && sci_exists(real_dev, sci)) {
|
|
err = -EBUSY;
|
|
goto unlink;
|
|
}
|
|
|
|
err = macsec_add_dev(dev, sci, icv_len);
|
|
if (err)
|
|
goto unlink;
|
|
|
|
if (data) {
|
|
err = macsec_changelink_common(dev, data);
|
|
if (err)
|
|
goto del_dev;
|
|
}
|
|
|
|
/* If h/w offloading is available, propagate to the device */
|
|
if (macsec_is_offloaded(macsec)) {
|
|
const struct macsec_ops *ops;
|
|
struct macsec_context ctx;
|
|
|
|
ops = macsec_get_ops(macsec, &ctx);
|
|
if (ops) {
|
|
ctx.secy = &macsec->secy;
|
|
err = macsec_offload(ops->mdo_add_secy, &ctx);
|
|
if (err)
|
|
goto del_dev;
|
|
}
|
|
}
|
|
|
|
err = register_macsec_dev(real_dev, dev);
|
|
if (err < 0)
|
|
goto del_dev;
|
|
|
|
netif_stacked_transfer_operstate(real_dev, dev);
|
|
linkwatch_fire_event(dev);
|
|
|
|
macsec_generation++;
|
|
|
|
return 0;
|
|
|
|
del_dev:
|
|
macsec_del_dev(macsec);
|
|
unlink:
|
|
netdev_upper_dev_unlink(real_dev, dev);
|
|
unregister:
|
|
unregister_netdevice(dev);
|
|
return err;
|
|
}
|
|
|
|
static int macsec_validate_attr(struct nlattr *tb[], struct nlattr *data[],
|
|
struct netlink_ext_ack *extack)
|
|
{
|
|
u64 csid = MACSEC_DEFAULT_CIPHER_ID;
|
|
u8 icv_len = DEFAULT_ICV_LEN;
|
|
int flag;
|
|
bool es, scb, sci;
|
|
|
|
if (!data)
|
|
return 0;
|
|
|
|
if (data[IFLA_MACSEC_CIPHER_SUITE])
|
|
csid = nla_get_u64(data[IFLA_MACSEC_CIPHER_SUITE]);
|
|
|
|
if (data[IFLA_MACSEC_ICV_LEN]) {
|
|
icv_len = nla_get_u8(data[IFLA_MACSEC_ICV_LEN]);
|
|
if (icv_len != DEFAULT_ICV_LEN) {
|
|
char dummy_key[DEFAULT_SAK_LEN] = { 0 };
|
|
struct crypto_aead *dummy_tfm;
|
|
|
|
dummy_tfm = macsec_alloc_tfm(dummy_key,
|
|
DEFAULT_SAK_LEN,
|
|
icv_len);
|
|
if (IS_ERR(dummy_tfm))
|
|
return PTR_ERR(dummy_tfm);
|
|
crypto_free_aead(dummy_tfm);
|
|
}
|
|
}
|
|
|
|
switch (csid) {
|
|
case MACSEC_CIPHER_ID_GCM_AES_128:
|
|
case MACSEC_CIPHER_ID_GCM_AES_256:
|
|
case MACSEC_CIPHER_ID_GCM_AES_XPN_128:
|
|
case MACSEC_CIPHER_ID_GCM_AES_XPN_256:
|
|
case MACSEC_DEFAULT_CIPHER_ID:
|
|
if (icv_len < MACSEC_MIN_ICV_LEN ||
|
|
icv_len > MACSEC_STD_ICV_LEN)
|
|
return -EINVAL;
|
|
break;
|
|
default:
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (data[IFLA_MACSEC_ENCODING_SA]) {
|
|
if (nla_get_u8(data[IFLA_MACSEC_ENCODING_SA]) >= MACSEC_NUM_AN)
|
|
return -EINVAL;
|
|
}
|
|
|
|
for (flag = IFLA_MACSEC_ENCODING_SA + 1;
|
|
flag < IFLA_MACSEC_VALIDATION;
|
|
flag++) {
|
|
if (data[flag]) {
|
|
if (nla_get_u8(data[flag]) > 1)
|
|
return -EINVAL;
|
|
}
|
|
}
|
|
|
|
es = data[IFLA_MACSEC_ES] ? nla_get_u8(data[IFLA_MACSEC_ES]) : false;
|
|
sci = data[IFLA_MACSEC_INC_SCI] ? nla_get_u8(data[IFLA_MACSEC_INC_SCI]) : false;
|
|
scb = data[IFLA_MACSEC_SCB] ? nla_get_u8(data[IFLA_MACSEC_SCB]) : false;
|
|
|
|
if ((sci && (scb || es)) || (scb && es))
|
|
return -EINVAL;
|
|
|
|
if (data[IFLA_MACSEC_VALIDATION] &&
|
|
nla_get_u8(data[IFLA_MACSEC_VALIDATION]) > MACSEC_VALIDATE_MAX)
|
|
return -EINVAL;
|
|
|
|
if ((data[IFLA_MACSEC_REPLAY_PROTECT] &&
|
|
nla_get_u8(data[IFLA_MACSEC_REPLAY_PROTECT])) &&
|
|
!data[IFLA_MACSEC_WINDOW])
|
|
return -EINVAL;
|
|
|
|
return 0;
|
|
}
|
|
|
|
static struct net *macsec_get_link_net(const struct net_device *dev)
|
|
{
|
|
return dev_net(macsec_priv(dev)->real_dev);
|
|
}
|
|
|
|
static size_t macsec_get_size(const struct net_device *dev)
|
|
{
|
|
return nla_total_size_64bit(8) + /* IFLA_MACSEC_SCI */
|
|
nla_total_size(1) + /* IFLA_MACSEC_ICV_LEN */
|
|
nla_total_size_64bit(8) + /* IFLA_MACSEC_CIPHER_SUITE */
|
|
nla_total_size(4) + /* IFLA_MACSEC_WINDOW */
|
|
nla_total_size(1) + /* IFLA_MACSEC_ENCODING_SA */
|
|
nla_total_size(1) + /* IFLA_MACSEC_ENCRYPT */
|
|
nla_total_size(1) + /* IFLA_MACSEC_PROTECT */
|
|
nla_total_size(1) + /* IFLA_MACSEC_INC_SCI */
|
|
nla_total_size(1) + /* IFLA_MACSEC_ES */
|
|
nla_total_size(1) + /* IFLA_MACSEC_SCB */
|
|
nla_total_size(1) + /* IFLA_MACSEC_REPLAY_PROTECT */
|
|
nla_total_size(1) + /* IFLA_MACSEC_VALIDATION */
|
|
0;
|
|
}
|
|
|
|
static int macsec_fill_info(struct sk_buff *skb,
|
|
const struct net_device *dev)
|
|
{
|
|
struct macsec_secy *secy = &macsec_priv(dev)->secy;
|
|
struct macsec_tx_sc *tx_sc = &secy->tx_sc;
|
|
u64 csid;
|
|
|
|
switch (secy->key_len) {
|
|
case MACSEC_GCM_AES_128_SAK_LEN:
|
|
csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_128 : MACSEC_DEFAULT_CIPHER_ID;
|
|
break;
|
|
case MACSEC_GCM_AES_256_SAK_LEN:
|
|
csid = secy->xpn ? MACSEC_CIPHER_ID_GCM_AES_XPN_256 : MACSEC_CIPHER_ID_GCM_AES_256;
|
|
break;
|
|
default:
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
if (nla_put_sci(skb, IFLA_MACSEC_SCI, secy->sci,
|
|
IFLA_MACSEC_PAD) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_ICV_LEN, secy->icv_len) ||
|
|
nla_put_u64_64bit(skb, IFLA_MACSEC_CIPHER_SUITE,
|
|
csid, IFLA_MACSEC_PAD) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_ENCODING_SA, tx_sc->encoding_sa) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_ENCRYPT, tx_sc->encrypt) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_PROTECT, secy->protect_frames) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_INC_SCI, tx_sc->send_sci) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_ES, tx_sc->end_station) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_SCB, tx_sc->scb) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_REPLAY_PROTECT, secy->replay_protect) ||
|
|
nla_put_u8(skb, IFLA_MACSEC_VALIDATION, secy->validate_frames) ||
|
|
0)
|
|
goto nla_put_failure;
|
|
|
|
if (secy->replay_protect) {
|
|
if (nla_put_u32(skb, IFLA_MACSEC_WINDOW, secy->replay_window))
|
|
goto nla_put_failure;
|
|
}
|
|
|
|
return 0;
|
|
|
|
nla_put_failure:
|
|
return -EMSGSIZE;
|
|
}
|
|
|
|
static struct rtnl_link_ops macsec_link_ops __read_mostly = {
|
|
.kind = "macsec",
|
|
.priv_size = sizeof(struct macsec_dev),
|
|
.maxtype = IFLA_MACSEC_MAX,
|
|
.policy = macsec_rtnl_policy,
|
|
.setup = macsec_setup,
|
|
.validate = macsec_validate_attr,
|
|
.newlink = macsec_newlink,
|
|
.changelink = macsec_changelink,
|
|
.dellink = macsec_dellink,
|
|
.get_size = macsec_get_size,
|
|
.fill_info = macsec_fill_info,
|
|
.get_link_net = macsec_get_link_net,
|
|
};
|
|
|
|
static bool is_macsec_master(struct net_device *dev)
|
|
{
|
|
return rcu_access_pointer(dev->rx_handler) == macsec_handle_frame;
|
|
}
|
|
|
|
static int macsec_notify(struct notifier_block *this, unsigned long event,
|
|
void *ptr)
|
|
{
|
|
struct net_device *real_dev = netdev_notifier_info_to_dev(ptr);
|
|
LIST_HEAD(head);
|
|
|
|
if (!is_macsec_master(real_dev))
|
|
return NOTIFY_DONE;
|
|
|
|
switch (event) {
|
|
case NETDEV_DOWN:
|
|
case NETDEV_UP:
|
|
case NETDEV_CHANGE: {
|
|
struct macsec_dev *m, *n;
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
list_for_each_entry_safe(m, n, &rxd->secys, secys) {
|
|
struct net_device *dev = m->secy.netdev;
|
|
|
|
netif_stacked_transfer_operstate(real_dev, dev);
|
|
}
|
|
break;
|
|
}
|
|
case NETDEV_UNREGISTER: {
|
|
struct macsec_dev *m, *n;
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
list_for_each_entry_safe(m, n, &rxd->secys, secys) {
|
|
macsec_common_dellink(m->secy.netdev, &head);
|
|
}
|
|
|
|
netdev_rx_handler_unregister(real_dev);
|
|
kfree(rxd);
|
|
|
|
unregister_netdevice_many(&head);
|
|
break;
|
|
}
|
|
case NETDEV_CHANGEMTU: {
|
|
struct macsec_dev *m;
|
|
struct macsec_rxh_data *rxd;
|
|
|
|
rxd = macsec_data_rtnl(real_dev);
|
|
list_for_each_entry(m, &rxd->secys, secys) {
|
|
struct net_device *dev = m->secy.netdev;
|
|
unsigned int mtu = real_dev->mtu - (m->secy.icv_len +
|
|
macsec_extra_len(true));
|
|
|
|
if (dev->mtu > mtu)
|
|
dev_set_mtu(dev, mtu);
|
|
}
|
|
}
|
|
}
|
|
|
|
return NOTIFY_OK;
|
|
}
|
|
|
|
static struct notifier_block macsec_notifier = {
|
|
.notifier_call = macsec_notify,
|
|
};
|
|
|
|
static int __init macsec_init(void)
|
|
{
|
|
int err;
|
|
|
|
pr_info("MACsec IEEE 802.1AE\n");
|
|
err = register_netdevice_notifier(&macsec_notifier);
|
|
if (err)
|
|
return err;
|
|
|
|
err = rtnl_link_register(&macsec_link_ops);
|
|
if (err)
|
|
goto notifier;
|
|
|
|
err = genl_register_family(&macsec_fam);
|
|
if (err)
|
|
goto rtnl;
|
|
|
|
return 0;
|
|
|
|
rtnl:
|
|
rtnl_link_unregister(&macsec_link_ops);
|
|
notifier:
|
|
unregister_netdevice_notifier(&macsec_notifier);
|
|
return err;
|
|
}
|
|
|
|
static void __exit macsec_exit(void)
|
|
{
|
|
genl_unregister_family(&macsec_fam);
|
|
rtnl_link_unregister(&macsec_link_ops);
|
|
unregister_netdevice_notifier(&macsec_notifier);
|
|
rcu_barrier();
|
|
}
|
|
|
|
module_init(macsec_init);
|
|
module_exit(macsec_exit);
|
|
|
|
MODULE_ALIAS_RTNL_LINK("macsec");
|
|
MODULE_ALIAS_GENL_FAMILY("macsec");
|
|
|
|
MODULE_DESCRIPTION("MACsec IEEE 802.1AE");
|
|
MODULE_LICENSE("GPL v2");
|