[linux-2.6-block.git] / net / tls / tls_strp.c

// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2016 Tom Herbert <tom@herbertland.com> */

#include <linux/skbuff.h>
#include <linux/workqueue.h>
#include <net/strparser.h>
#include <net/tcp.h>
#include <net/sock.h>
#include <net/tls.h>

#include "tls.h"

static struct workqueue_struct *tls_strp_wq;

static void tls_strp_abort_strp(struct tls_strparser *strp, int err)
{
	if (strp->stopped)
		return;

	strp->stopped = 1;

	/* Report an error on the lower socket */
	strp->sk->sk_err = -err;
	sk_error_report(strp->sk);
}

static void tls_strp_anchor_free(struct tls_strparser *strp)
{
	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);

	DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);
	shinfo->frag_list = NULL;
	consume_skb(strp->anchor);
	strp->anchor = NULL;
}

static struct sk_buff *
tls_strp_skb_copy(struct tls_strparser *strp, struct sk_buff *in_skb,
		  int offset, int len)
{
	struct sk_buff *skb;
	int i, err;

	skb = alloc_skb_with_frags(0, len, TLS_PAGE_ORDER,
				   &err, strp->sk->sk_allocation);
	if (!skb)
		return NULL;

	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
		skb_frag_t *frag = &skb_shinfo(skb)->frags[i];

		WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
					   skb_frag_address(frag),
					   skb_frag_size(frag)));
		offset += skb_frag_size(frag);
	}

	skb->len = len;
	skb->data_len = len;
	skb_copy_header(skb, in_skb);
	return skb;
}

/* Create a new skb with the contents of input copied to its page frags */
static struct sk_buff *tls_strp_msg_make_copy(struct tls_strparser *strp)
{
	struct strp_msg *rxm;
	struct sk_buff *skb;

	skb = tls_strp_skb_copy(strp, strp->anchor, strp->stm.offset,
				strp->stm.full_len);
	if (!skb)
		return NULL;

	rxm = strp_msg(skb);
	rxm->offset = 0;
	return skb;
}

/* Steal the input skb, input msg is invalid after calling this function */
struct sk_buff *tls_strp_msg_detach(struct tls_sw_context_rx *ctx)
{
	struct tls_strparser *strp = &ctx->strp;

#ifdef CONFIG_TLS_DEVICE
	DEBUG_NET_WARN_ON_ONCE(!strp->anchor->decrypted);
#else
	/* This function turns an input into an output,
	 * that can only happen if we have offload.
	 */
	WARN_ON(1);
#endif

	if (strp->copy_mode) {
		struct sk_buff *skb;

		/* Replace anchor with an empty skb, this is a little
		 * dangerous but __tls_cur_msg() warns on empty skbs
		 * so hopefully we'll catch abuses.
		 */
		skb = alloc_skb(0, strp->sk->sk_allocation);
		if (!skb)
			return NULL;

		swap(strp->anchor, skb);
		return skb;
	}

	return tls_strp_msg_make_copy(strp);
}

/* Force the input skb to be in copy mode. The data ownership remains
 * with the input skb itself (meaning unpause will wipe it) but it can
 * be modified.
 */
int tls_strp_msg_cow(struct tls_sw_context_rx *ctx)
{
	struct tls_strparser *strp = &ctx->strp;
	struct sk_buff *skb;

	if (strp->copy_mode)
		return 0;

	skb = tls_strp_msg_make_copy(strp);
	if (!skb)
		return -ENOMEM;

	tls_strp_anchor_free(strp);
	strp->anchor = skb;

	tcp_read_done(strp->sk, strp->stm.full_len);
	strp->copy_mode = 1;

	return 0;
}

/* Make a clone (in the skb sense) of the input msg to keep a reference
 * to the underlying data. The reference-holding skbs get placed on
 * @dst.
 */
int tls_strp_msg_hold(struct tls_strparser *strp, struct sk_buff_head *dst)
{
	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);

	if (strp->copy_mode) {
		struct sk_buff *skb;

		WARN_ON_ONCE(!shinfo->nr_frags);

		/* We can't skb_clone() the anchor, it gets wiped by unpause */
		skb = alloc_skb(0, strp->sk->sk_allocation);
		if (!skb)
			return -ENOMEM;

		__skb_queue_tail(dst, strp->anchor);
		strp->anchor = skb;
	} else {
		struct sk_buff *iter, *clone;
		int chunk, len, offset;

		offset = strp->stm.offset;
		len = strp->stm.full_len;
		iter = shinfo->frag_list;

		while (len > 0) {
			if (iter->len <= offset) {
				offset -= iter->len;
				goto next;
			}

			chunk = iter->len - offset;
			offset = 0;

			clone = skb_clone(iter, strp->sk->sk_allocation);
			if (!clone)
				return -ENOMEM;
			__skb_queue_tail(dst, clone);

			len -= chunk;
next:
			iter = iter->next;
		}
	}

	return 0;
}

static void tls_strp_flush_anchor_copy(struct tls_strparser *strp)
{
	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
	int i;

	DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);

	for (i = 0; i < shinfo->nr_frags; i++)
		__skb_frag_unref(&shinfo->frags[i], false);
	shinfo->nr_frags = 0;
	strp->copy_mode = 0;
}

static int tls_strp_copyin(read_descriptor_t *desc, struct sk_buff *in_skb,
			   unsigned int offset, size_t in_len)
{
	struct tls_strparser *strp = (struct tls_strparser *)desc->arg.data;
	struct sk_buff *skb;
	skb_frag_t *frag;
	size_t len, chunk;
	int sz;

	if (strp->msg_ready)
		return 0;

	skb = strp->anchor;
	frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE];

	len = in_len;
	/* First make sure we got the header */
	if (!strp->stm.full_len) {
		/* Assume one page is more than enough for headers */
		chunk =	min_t(size_t, len, PAGE_SIZE - skb_frag_size(frag));
		WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
					   skb_frag_address(frag) +
					   skb_frag_size(frag),
					   chunk));

		skb->len += chunk;
		skb->data_len += chunk;
		skb_frag_size_add(frag, chunk);

		sz = tls_rx_msg_size(strp, skb);
		if (sz < 0) {
			desc->error = sz;
			return 0;
		}

		/* We may have over-read, sz == 0 is guaranteed under-read */
		if (unlikely(sz && sz < skb->len)) {
			int over = skb->len - sz;

			WARN_ON_ONCE(over > chunk);
			skb->len -= over;
			skb->data_len -= over;
			skb_frag_size_add(frag, -over);

			chunk -= over;
		}

		frag++;
		len -= chunk;
		offset += chunk;

		strp->stm.full_len = sz;
		if (!strp->stm.full_len)
			goto read_done;
	}

	/* Load up more data */
	while (len && strp->stm.full_len > skb->len) {
		chunk =	min_t(size_t, len, strp->stm.full_len - skb->len);
		chunk = min_t(size_t, chunk, PAGE_SIZE - skb_frag_size(frag));
		WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
					   skb_frag_address(frag) +
					   skb_frag_size(frag),
					   chunk));

		skb->len += chunk;
		skb->data_len += chunk;
		skb_frag_size_add(frag, chunk);
		frag++;
		len -= chunk;
		offset += chunk;
	}

	if (strp->stm.full_len == skb->len) {
		desc->count = 0;

		strp->msg_ready = 1;
		tls_rx_msg_ready(strp);
	}

read_done:
	return in_len - len;
}

static int tls_strp_read_copyin(struct tls_strparser *strp)
{
	struct socket *sock = strp->sk->sk_socket;
	read_descriptor_t desc;

	desc.arg.data = strp;
	desc.error = 0;
	desc.count = 1; /* give more than one skb per call */

	/* sk should be locked here, so okay to do read_sock */
	sock->ops->read_sock(strp->sk, &desc, tls_strp_copyin);

	return desc.error;
}

static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
{
	struct skb_shared_info *shinfo;
	struct page *page;
	int need_spc, len;

	/* If the rbuf is small or rcv window has collapsed to 0 we need
	 * to read the data out. Otherwise the connection will stall.
	 * Without pressure threshold of INT_MAX will never be ready.
	 */
	if (likely(qshort && !tcp_epollin_ready(strp->sk, INT_MAX)))
		return 0;

	shinfo = skb_shinfo(strp->anchor);
	shinfo->frag_list = NULL;

	/* If we don't know the length go max plus page for cipher overhead */
	need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;

	for (len = need_spc; len > 0; len -= PAGE_SIZE) {
		page = alloc_page(strp->sk->sk_allocation);
		if (!page) {
			tls_strp_flush_anchor_copy(strp);
			return -ENOMEM;
		}

		skb_fill_page_desc(strp->anchor, shinfo->nr_frags++,
				   page, 0, 0);
	}

	strp->copy_mode = 1;
	strp->stm.offset = 0;

	strp->anchor->len = 0;
	strp->anchor->data_len = 0;
	strp->anchor->truesize = round_up(need_spc, PAGE_SIZE);

	tls_strp_read_copyin(strp);

	return 0;
}

static bool tls_strp_check_queue_ok(struct tls_strparser *strp)
{
	unsigned int len = strp->stm.offset + strp->stm.full_len;
	struct sk_buff *first, *skb;
	u32 seq;

	first = skb_shinfo(strp->anchor)->frag_list;
	skb = first;
	seq = TCP_SKB_CB(first)->seq;

	/* Make sure there's no duplicate data in the queue,
	 * and the decrypted status matches.
	 */
	while (skb->len < len) {
		seq += skb->len;
		len -= skb->len;
		skb = skb->next;

		if (TCP_SKB_CB(skb)->seq != seq)
			return false;
		if (skb_cmp_decrypted(first, skb))
			return false;
	}

	return true;
}

static void tls_strp_load_anchor_with_queue(struct tls_strparser *strp, int len)
{
	struct tcp_sock *tp = tcp_sk(strp->sk);
	struct sk_buff *first;
	u32 offset;

	first = tcp_recv_skb(strp->sk, tp->copied_seq, &offset);
	if (WARN_ON_ONCE(!first))
		return;

	/* Bestow the state onto the anchor */
	strp->anchor->len = offset + len;
	strp->anchor->data_len = offset + len;
	strp->anchor->truesize = offset + len;

	skb_shinfo(strp->anchor)->frag_list = first;

	skb_copy_header(strp->anchor, first);
	strp->anchor->destructor = NULL;

	strp->stm.offset = offset;
}

void tls_strp_msg_load(struct tls_strparser *strp, bool force_refresh)
{
	struct strp_msg *rxm;
	struct tls_msg *tlm;

	DEBUG_NET_WARN_ON_ONCE(!strp->msg_ready);
	DEBUG_NET_WARN_ON_ONCE(!strp->stm.full_len);

	if (!strp->copy_mode && force_refresh) {
		if (WARN_ON(tcp_inq(strp->sk) < strp->stm.full_len))
			return;

		tls_strp_load_anchor_with_queue(strp, strp->stm.full_len);
	}

	rxm = strp_msg(strp->anchor);
	rxm->full_len	= strp->stm.full_len;
	rxm->offset	= strp->stm.offset;
	tlm = tls_msg(strp->anchor);
	tlm->control	= strp->mark;
}

/* Called with lock held on lower socket */
static int tls_strp_read_sock(struct tls_strparser *strp)
{
	int sz, inq;

	inq = tcp_inq(strp->sk);
	if (inq < 1)
		return 0;

	if (unlikely(strp->copy_mode))
		return tls_strp_read_copyin(strp);

	if (inq < strp->stm.full_len)
		return tls_strp_read_copy(strp, true);

	if (!strp->stm.full_len) {
		tls_strp_load_anchor_with_queue(strp, inq);

		sz = tls_rx_msg_size(strp, strp->anchor);
		if (sz < 0) {
			tls_strp_abort_strp(strp, sz);
			return sz;
		}

		strp->stm.full_len = sz;

		if (!strp->stm.full_len || inq < strp->stm.full_len)
			return tls_strp_read_copy(strp, true);
	}

	if (!tls_strp_check_queue_ok(strp))
		return tls_strp_read_copy(strp, false);

	strp->msg_ready = 1;
	tls_rx_msg_ready(strp);

	return 0;
}

void tls_strp_check_rcv(struct tls_strparser *strp)
{
	if (unlikely(strp->stopped) || strp->msg_ready)
		return;

	if (tls_strp_read_sock(strp) == -ENOMEM)
		queue_work(tls_strp_wq, &strp->work);
}

/* Lower sock lock held */
void tls_strp_data_ready(struct tls_strparser *strp)
{
	/* This check is needed to synchronize with do_tls_strp_work.
	 * do_tls_strp_work acquires a process lock (lock_sock) whereas
	 * the lock held here is bh_lock_sock. The two locks can be
	 * held by different threads at the same time, but bh_lock_sock
	 * allows a thread in BH context to safely check if the process
	 * lock is held. In this case, if the lock is held, queue work.
	 */
	if (sock_owned_by_user_nocheck(strp->sk)) {
		queue_work(tls_strp_wq, &strp->work);
		return;
	}

	tls_strp_check_rcv(strp);
}

static void tls_strp_work(struct work_struct *w)
{
	struct tls_strparser *strp =
		container_of(w, struct tls_strparser, work);

	lock_sock(strp->sk);
	tls_strp_check_rcv(strp);
	release_sock(strp->sk);
}

void tls_strp_msg_done(struct tls_strparser *strp)
{
	WARN_ON(!strp->stm.full_len);

	if (likely(!strp->copy_mode))
		tcp_read_done(strp->sk, strp->stm.full_len);
	else
		tls_strp_flush_anchor_copy(strp);

	strp->msg_ready = 0;
	memset(&strp->stm, 0, sizeof(strp->stm));

	tls_strp_check_rcv(strp);
}

void tls_strp_stop(struct tls_strparser *strp)
{
	strp->stopped = 1;
}

int tls_strp_init(struct tls_strparser *strp, struct sock *sk)
{
	memset(strp, 0, sizeof(*strp));

	strp->sk = sk;

	strp->anchor = alloc_skb(0, GFP_KERNEL);
	if (!strp->anchor)
		return -ENOMEM;

	INIT_WORK(&strp->work, tls_strp_work);

	return 0;
}

/* strp must already be stopped so that tls_strp_recv will no longer be called.
 * Note that tls_strp_done is not called with the lower socket held.
 */
void tls_strp_done(struct tls_strparser *strp)
{
	WARN_ON(!strp->stopped);

	cancel_work_sync(&strp->work);
	tls_strp_anchor_free(strp);
}

int __init tls_strp_dev_init(void)
{
	tls_strp_wq = create_workqueue("tls-strp");
	if (unlikely(!tls_strp_wq))
		return -ENOMEM;

	return 0;
}

void tls_strp_dev_exit(void)
{
	destroy_workqueue(tls_strp_wq);
}
Commit	Line	Data
c618db2a	1	// SPDX-License-Identifier: GPL-2.0-only
84c61fe1	2	/* Copyright (c) 2016 Tom Herbert <tom@herbertland.com> */
c618db2a JK	3
c618db2a JK	4	#include <linux/skbuff.h>
84c61fe1 JK	5	#include <linux/workqueue.h>
	6	#include <net/strparser.h>
	7	#include <net/tcp.h>
	8	#include <net/sock.h>
	9	#include <net/tls.h>
c618db2a JK	10
	11	#include "tls.h"
	12
84c61fe1 JK	13	static struct workqueue_struct *tls_strp_wq;
	14
	15	static void tls_strp_abort_strp(struct tls_strparser *strp, int err)
	16	{
	17	if (strp->stopped)
	18	return;
	19
	20	strp->stopped = 1;
	21
	22	/* Report an error on the lower socket */
	23	strp->sk->sk_err = -err;
	24	sk_error_report(strp->sk);
	25	}
	26
	27	static void tls_strp_anchor_free(struct tls_strparser *strp)
d4e5db64	28	{
84c61fe1 JK	29	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
	30
	31	DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);
	32	shinfo->frag_list = NULL;
	33	consume_skb(strp->anchor);
	34	strp->anchor = NULL;
	35	}
	36
c1c607b1 JK	37	static struct sk_buff *
	38	tls_strp_skb_copy(struct tls_strparser strp, struct sk_buff in_skb,
	39	int offset, int len)
84c61fe1	40	{
d4e5db64	41	struct sk_buff *skb;
c1c607b1	42	int i, err;
84c61fe1	43
c1c607b1	44	skb = alloc_skb_with_frags(0, len, TLS_PAGE_ORDER,
84c61fe1 JK	45	&err, strp->sk->sk_allocation);
	46	if (!skb)
	47	return NULL;
	48
84c61fe1 JK	49	for (i = 0; i < skb_shinfo(skb)->nr_frags; i++) {
84c61fe1 JK	50	skb_frag_t *frag = &skb_shinfo(skb)->frags[i];
d4e5db64	51
c1c607b1	52	WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
84c61fe1 JK	53	skb_frag_address(frag),
	54	skb_frag_size(frag)));
	55	offset += skb_frag_size(frag);
	56	}
	57
c1c607b1 JK	58	skb->len = len;
	59	skb->data_len = len;
	60	skb_copy_header(skb, in_skb);
	61	return skb;
	62	}
	63
	64	/* Create a new skb with the contents of input copied to its page frags */
	65	static struct sk_buff tls_strp_msg_make_copy(struct tls_strparser strp)
	66	{
	67	struct strp_msg *rxm;
	68	struct sk_buff *skb;
	69
	70	skb = tls_strp_skb_copy(strp, strp->anchor, strp->stm.offset,
	71	strp->stm.full_len);
	72	if (!skb)
	73	return NULL;
	74
84c61fe1 JK	75	rxm = strp_msg(skb);
84c61fe1 JK	76	rxm->offset = 0;
d4e5db64 JK	77	return skb;
	78	}
	79
84c61fe1 JK	80	/* Steal the input skb, input msg is invalid after calling this function */
	81	struct sk_buff tls_strp_msg_detach(struct tls_sw_context_rx ctx)
	82	{
	83	struct tls_strparser *strp = &ctx->strp;
	84
	85	#ifdef CONFIG_TLS_DEVICE
	86	DEBUG_NET_WARN_ON_ONCE(!strp->anchor->decrypted);
	87	#else
	88	/* This function turns an input into an output,
	89	* that can only happen if we have offload.
	90	*/
	91	WARN_ON(1);
	92	#endif
	93
	94	if (strp->copy_mode) {
	95	struct sk_buff *skb;
	96
	97	/* Replace anchor with an empty skb, this is a little
	98	* dangerous but __tls_cur_msg() warns on empty skbs
	99	* so hopefully we'll catch abuses.
	100	*/
	101	skb = alloc_skb(0, strp->sk->sk_allocation);
	102	if (!skb)
	103	return NULL;
	104
	105	swap(strp->anchor, skb);
	106	return skb;
	107	}
	108
	109	return tls_strp_msg_make_copy(strp);
	110	}
	111
	112	/* Force the input skb to be in copy mode. The data ownership remains
	113	* with the input skb itself (meaning unpause will wipe it) but it can
	114	* be modified.
	115	*/
8b3c59a7 JK	116	int tls_strp_msg_cow(struct tls_sw_context_rx *ctx)
8b3c59a7 JK	117	{
84c61fe1 JK	118	struct tls_strparser *strp = &ctx->strp;
	119	struct sk_buff *skb;
	120
	121	if (strp->copy_mode)
	122	return 0;
	123
	124	skb = tls_strp_msg_make_copy(strp);
	125	if (!skb)
	126	return -ENOMEM;
	127
	128	tls_strp_anchor_free(strp);
	129	strp->anchor = skb;
	130
	131	tcp_read_done(strp->sk, strp->stm.full_len);
	132	strp->copy_mode = 1;
	133
	134	return 0;
	135	}
	136
	137	/* Make a clone (in the skb sense) of the input msg to keep a reference
	138	* to the underlying data. The reference-holding skbs get placed on
	139	* @dst.
	140	*/
	141	int tls_strp_msg_hold(struct tls_strparser strp, struct sk_buff_head dst)
	142	{
	143	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
	144
	145	if (strp->copy_mode) {
	146	struct sk_buff *skb;
	147
	148	WARN_ON_ONCE(!shinfo->nr_frags);
	149
	150	/* We can't skb_clone() the anchor, it gets wiped by unpause */
	151	skb = alloc_skb(0, strp->sk->sk_allocation);
	152	if (!skb)
	153	return -ENOMEM;
	154
	155	__skb_queue_tail(dst, strp->anchor);
	156	strp->anchor = skb;
	157	} else {
	158	struct sk_buff iter, clone;
	159	int chunk, len, offset;
	160
	161	offset = strp->stm.offset;
	162	len = strp->stm.full_len;
	163	iter = shinfo->frag_list;
	164
	165	while (len > 0) {
	166	if (iter->len <= offset) {
	167	offset -= iter->len;
	168	goto next;
	169	}
	170
	171	chunk = iter->len - offset;
	172	offset = 0;
	173
	174	clone = skb_clone(iter, strp->sk->sk_allocation);
	175	if (!clone)
	176	return -ENOMEM;
	177	__skb_queue_tail(dst, clone);
	178
	179	len -= chunk;
	180	next:
	181	iter = iter->next;
182	}
183	}
184
185	return 0;
186	}
187
188	static void tls_strp_flush_anchor_copy(struct tls_strparser *strp)
189	{
190	struct skb_shared_info *shinfo = skb_shinfo(strp->anchor);
191	int i;
192
193	DEBUG_NET_WARN_ON_ONCE(atomic_read(&shinfo->dataref) != 1);
194
195	for (i = 0; i < shinfo->nr_frags; i++)
196	__skb_frag_unref(&shinfo->frags[i], false);
197	shinfo->nr_frags = 0;
198	strp->copy_mode = 0;
199	}
200
201	static int tls_strp_copyin(read_descriptor_t desc, struct sk_buff in_skb,
202	unsigned int offset, size_t in_len)
203	{
204	struct tls_strparser strp = (struct tls_strparser )desc->arg.data;
84c61fe1 JK	205	struct sk_buff *skb;
84c61fe1 JK	206	skb_frag_t *frag;
8fd1e151 YL	207	size_t len, chunk;
8fd1e151 YL	208	int sz;
84c61fe1 JK	209
	210	if (strp->msg_ready)
	211	return 0;
	212
	213	skb = strp->anchor;
	214	frag = &skb_shinfo(skb)->frags[skb->len / PAGE_SIZE];
	215
	216	len = in_len;
	217	/* First make sure we got the header */
	218	if (!strp->stm.full_len) {
	219	/* Assume one page is more than enough for headers */
	220	chunk = min_t(size_t, len, PAGE_SIZE - skb_frag_size(frag));
	221	WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
	222	skb_frag_address(frag) +
	223	skb_frag_size(frag),
	224	chunk));
	225
8b0c0dc9 JK	226	skb->len += chunk;
	227	skb->data_len += chunk;
	228	skb_frag_size_add(frag, chunk);
	229
	230	sz = tls_rx_msg_size(strp, skb);
84c61fe1 JK	231	if (sz < 0) {
	232	desc->error = sz;
	233	return 0;
	234	}
	235
	236	/* We may have over-read, sz == 0 is guaranteed under-read */
8b0c0dc9 JK	237	if (unlikely(sz && sz < skb->len)) {
	238	int over = skb->len - sz;
	239
	240	WARN_ON_ONCE(over > chunk);
	241	skb->len -= over;
	242	skb->data_len -= over;
	243	skb_frag_size_add(frag, -over);
	244
	245	chunk -= over;
	246	}
84c61fe1	247
84c61fe1 JK	248	frag++;
	249	len -= chunk;
	250	offset += chunk;
	251
	252	strp->stm.full_len = sz;
	253	if (!strp->stm.full_len)
	254	goto read_done;
	255	}
	256
	257	/* Load up more data */
	258	while (len && strp->stm.full_len > skb->len) {
	259	chunk = min_t(size_t, len, strp->stm.full_len - skb->len);
	260	chunk = min_t(size_t, chunk, PAGE_SIZE - skb_frag_size(frag));
	261	WARN_ON_ONCE(skb_copy_bits(in_skb, offset,
	262	skb_frag_address(frag) +
	263	skb_frag_size(frag),
	264	chunk));
	265
	266	skb->len += chunk;
	267	skb->data_len += chunk;
	268	skb_frag_size_add(frag, chunk);
	269	frag++;
	270	len -= chunk;
	271	offset += chunk;
	272	}
	273
	274	if (strp->stm.full_len == skb->len) {
	275	desc->count = 0;
	276
	277	strp->msg_ready = 1;
	278	tls_rx_msg_ready(strp);
	279	}
	280
	281	read_done:
	282	return in_len - len;
	283	}
	284
	285	static int tls_strp_read_copyin(struct tls_strparser *strp)
	286	{
	287	struct socket *sock = strp->sk->sk_socket;
	288	read_descriptor_t desc;
	289
	290	desc.arg.data = strp;
	291	desc.error = 0;
	292	desc.count = 1; /* give more than one skb per call */
	293
	294	/* sk should be locked here, so okay to do read_sock */
	295	sock->ops->read_sock(strp->sk, &desc, tls_strp_copyin);
	296
	297	return desc.error;
	298	}
	299
0d87bbd3	300	static int tls_strp_read_copy(struct tls_strparser *strp, bool qshort)
84c61fe1 JK	301	{
	302	struct skb_shared_info *shinfo;
	303	struct page *page;
	304	int need_spc, len;
	305
	306	/* If the rbuf is small or rcv window has collapsed to 0 we need
	307	* to read the data out. Otherwise the connection will stall.
	308	* Without pressure threshold of INT_MAX will never be ready.
	309	*/
0d87bbd3	310	if (likely(qshort && !tcp_epollin_ready(strp->sk, INT_MAX)))
84c61fe1 JK	311	return 0;
	312
	313	shinfo = skb_shinfo(strp->anchor);
	314	shinfo->frag_list = NULL;
	315
	316	/* If we don't know the length go max plus page for cipher overhead */
	317	need_spc = strp->stm.full_len ?: TLS_MAX_PAYLOAD_SIZE + PAGE_SIZE;
	318
	319	for (len = need_spc; len > 0; len -= PAGE_SIZE) {
	320	page = alloc_page(strp->sk->sk_allocation);
	321	if (!page) {
	322	tls_strp_flush_anchor_copy(strp);
	323	return -ENOMEM;
	324	}
	325
	326	skb_fill_page_desc(strp->anchor, shinfo->nr_frags++,
	327	page, 0, 0);
	328	}
	329
	330	strp->copy_mode = 1;
	331	strp->stm.offset = 0;
	332
	333	strp->anchor->len = 0;
	334	strp->anchor->data_len = 0;
	335	strp->anchor->truesize = round_up(need_spc, PAGE_SIZE);
	336
	337	tls_strp_read_copyin(strp);
	338
	339	return 0;
	340	}
	341
14c4be92	342	static bool tls_strp_check_queue_ok(struct tls_strparser *strp)
0d87bbd3 JK	343	{
0d87bbd3 JK	344	unsigned int len = strp->stm.offset + strp->stm.full_len;
14c4be92	345	struct sk_buff first, skb;
0d87bbd3 JK	346	u32 seq;
0d87bbd3 JK	347
14c4be92 JK	348	first = skb_shinfo(strp->anchor)->frag_list;
	349	skb = first;
	350	seq = TCP_SKB_CB(first)->seq;
0d87bbd3	351
14c4be92 JK	352	/* Make sure there's no duplicate data in the queue,
	353	* and the decrypted status matches.
	354	*/
0d87bbd3 JK	355	while (skb->len < len) {
	356	seq += skb->len;
	357	len -= skb->len;
	358	skb = skb->next;
	359
	360	if (TCP_SKB_CB(skb)->seq != seq)
	361	return false;
14c4be92 JK	362	if (skb_cmp_decrypted(first, skb))
14c4be92 JK	363	return false;
0d87bbd3 JK	364	}
	365
	366	return true;
	367	}
	368
84c61fe1 JK	369	static void tls_strp_load_anchor_with_queue(struct tls_strparser *strp, int len)
	370	{
	371	struct tcp_sock *tp = tcp_sk(strp->sk);
	372	struct sk_buff *first;
	373	u32 offset;
	374
	375	first = tcp_recv_skb(strp->sk, tp->copied_seq, &offset);
	376	if (WARN_ON_ONCE(!first))
	377	return;
	378
	379	/* Bestow the state onto the anchor */
	380	strp->anchor->len = offset + len;
	381	strp->anchor->data_len = offset + len;
	382	strp->anchor->truesize = offset + len;
	383
	384	skb_shinfo(strp->anchor)->frag_list = first;
	385
	386	skb_copy_header(strp->anchor, first);
	387	strp->anchor->destructor = NULL;
	388
	389	strp->stm.offset = offset;
	390	}
	391
	392	void tls_strp_msg_load(struct tls_strparser *strp, bool force_refresh)
	393	{
	394	struct strp_msg *rxm;
	395	struct tls_msg *tlm;
	396
	397	DEBUG_NET_WARN_ON_ONCE(!strp->msg_ready);
	398	DEBUG_NET_WARN_ON_ONCE(!strp->stm.full_len);
	399
	400	if (!strp->copy_mode && force_refresh) {
	401	if (WARN_ON(tcp_inq(strp->sk) < strp->stm.full_len))
	402	return;
	403
	404	tls_strp_load_anchor_with_queue(strp, strp->stm.full_len);
	405	}
	406
	407	rxm = strp_msg(strp->anchor);
	408	rxm->full_len = strp->stm.full_len;
	409	rxm->offset = strp->stm.offset;
	410	tlm = tls_msg(strp->anchor);
	411	tlm->control = strp->mark;
	412	}
	413
	414	/* Called with lock held on lower socket */
	415	static int tls_strp_read_sock(struct tls_strparser *strp)
	416	{
	417	int sz, inq;
	418
	419	inq = tcp_inq(strp->sk);
	420	if (inq < 1)
	421	return 0;
	422
	423	if (unlikely(strp->copy_mode))
	424	return tls_strp_read_copyin(strp);
	425
	426	if (inq < strp->stm.full_len)
0d87bbd3	427	return tls_strp_read_copy(strp, true);
84c61fe1 JK	428
	429	if (!strp->stm.full_len) {
	430	tls_strp_load_anchor_with_queue(strp, inq);
	431
	432	sz = tls_rx_msg_size(strp, strp->anchor);
	433	if (sz < 0) {
	434	tls_strp_abort_strp(strp, sz);
	435	return sz;
	436	}
	437
	438	strp->stm.full_len = sz;
	439
	440	if (!strp->stm.full_len \|\| inq < strp->stm.full_len)
0d87bbd3	441	return tls_strp_read_copy(strp, true);
84c61fe1 JK	442	}
84c61fe1 JK	443
14c4be92	444	if (!tls_strp_check_queue_ok(strp))
0d87bbd3 JK	445	return tls_strp_read_copy(strp, false);
0d87bbd3 JK	446
84c61fe1 JK	447	strp->msg_ready = 1;
	448	tls_rx_msg_ready(strp);
	449
	450	return 0;
	451	}
	452
	453	void tls_strp_check_rcv(struct tls_strparser *strp)
	454	{
	455	if (unlikely(strp->stopped) \|\| strp->msg_ready)
	456	return;
	457
	458	if (tls_strp_read_sock(strp) == -ENOMEM)
	459	queue_work(tls_strp_wq, &strp->work);
	460	}
	461
	462	/* Lower sock lock held */
	463	void tls_strp_data_ready(struct tls_strparser *strp)
	464	{
	465	/* This check is needed to synchronize with do_tls_strp_work.
	466	* do_tls_strp_work acquires a process lock (lock_sock) whereas
	467	* the lock held here is bh_lock_sock. The two locks can be
	468	* held by different threads at the same time, but bh_lock_sock
	469	* allows a thread in BH context to safely check if the process
	470	* lock is held. In this case, if the lock is held, queue work.
	471	*/
	472	if (sock_owned_by_user_nocheck(strp->sk)) {
	473	queue_work(tls_strp_wq, &strp->work);
	474	return;
	475	}
	476
	477	tls_strp_check_rcv(strp);
	478	}
	479
	480	static void tls_strp_work(struct work_struct *w)
	481	{
	482	struct tls_strparser *strp =
	483	container_of(w, struct tls_strparser, work);
	484
	485	lock_sock(strp->sk);
	486	tls_strp_check_rcv(strp);
	487	release_sock(strp->sk);
	488	}
	489
	490	void tls_strp_msg_done(struct tls_strparser *strp)
	491	{
	492	WARN_ON(!strp->stm.full_len);
	493
	494	if (likely(!strp->copy_mode))
	495	tcp_read_done(strp->sk, strp->stm.full_len);
	496	else
	497	tls_strp_flush_anchor_copy(strp);
	498
	499	strp->msg_ready = 0;
	500	memset(&strp->stm, 0, sizeof(strp->stm));
	501
	502	tls_strp_check_rcv(strp);
	503	}
	504
	505	void tls_strp_stop(struct tls_strparser *strp)
	506	{
	507	strp->stopped = 1;
	508	}
	509
	510	int tls_strp_init(struct tls_strparser strp, struct sock sk)
511	{
512	memset(strp, 0, sizeof(*strp));
513
514	strp->sk = sk;
515
516	strp->anchor = alloc_skb(0, GFP_KERNEL);
517	if (!strp->anchor)
518	return -ENOMEM;
519
520	INIT_WORK(&strp->work, tls_strp_work);
8b3c59a7	521
8b3c59a7 JK	522	return 0;
	523	}
	524
84c61fe1 JK	525	/* strp must already be stopped so that tls_strp_recv will no longer be called.
	526	* Note that tls_strp_done is not called with the lower socket held.
	527	*/
	528	void tls_strp_done(struct tls_strparser *strp)
c618db2a	529	{
84c61fe1	530	WARN_ON(!strp->stopped);
c618db2a	531
84c61fe1 JK	532	cancel_work_sync(&strp->work);
	533	tls_strp_anchor_free(strp);
	534	}
	535
	536	int __init tls_strp_dev_init(void)
	537	{
d11ef9cc	538	tls_strp_wq = create_workqueue("tls-strp");
84c61fe1	539	if (unlikely(!tls_strp_wq))
c618db2a	540	return -ENOMEM;
84c61fe1	541
c618db2a JK	542	return 0;
c618db2a JK	543	}
84c61fe1 JK	544
	545	void tls_strp_dev_exit(void)
	546	{
	547	destroy_workqueue(tls_strp_wq);
	548	}