net/core/sock_diag.c

   1 /* License: GPL */
   2
   3 #include <linux/filter.h>
   4 #include <linux/mutex.h>
   5 #include <linux/socket.h>
   6 #include <linux/skbuff.h>
   7 #include <net/netlink.h>
   8 #include <net/net_namespace.h>
   9 #include <linux/module.h>
  10 #include <net/sock.h>
  11 #include <linux/kernel.h>
  12 #include <linux/tcp.h>
  13 #include <linux/workqueue.h>
  14 #include <linux/nospec.h>
  15 #include <linux/cookie.h>
  16 #include <linux/inet_diag.h>
  17 #include <linux/sock_diag.h>
  18
  19 static const struct sock_diag_handler __rcu *sock_diag_handlers[AF_MAX];
  20
  21 static const struct sock_diag_inet_compat __rcu *inet_rcv_compat;
  22
  23 static struct workqueue_struct *broadcast_wq;
  24
  25 DEFINE_COOKIE(sock_cookie);
  26
  27 u64 __sock_gen_cookie(struct sock *sk)
  28 {
  29         u64 res = atomic64_read(&sk->sk_cookie);
  30
  31         if (!res) {
  32                 u64 new = gen_cookie_next(&sock_cookie);
  33
  34                 atomic64_cmpxchg(&sk->sk_cookie, res, new);
  35
  36                 /* Another thread might have changed sk_cookie before us. */
  37                 res = atomic64_read(&sk->sk_cookie);
  38         }
  39         return res;
  40 }
  41
  42 int sock_diag_check_cookie(struct sock *sk, const __u32 *cookie)
  43 {
  44         u64 res;
  45
  46         if (cookie[0] == INET_DIAG_NOCOOKIE && cookie[1] == INET_DIAG_NOCOOKIE)
  47                 return 0;
  48
  49         res = sock_gen_cookie(sk);
  50         if ((u32)res != cookie[0] || (u32)(res >> 32) != cookie[1])
  51                 return -ESTALE;
  52
  53         return 0;
  54 }
  55 EXPORT_SYMBOL_GPL(sock_diag_check_cookie);
  56
  57 void sock_diag_save_cookie(struct sock *sk, __u32 *cookie)
  58 {
  59         u64 res = sock_gen_cookie(sk);
  60
  61         cookie[0] = (u32)res;
  62         cookie[1] = (u32)(res >> 32);
  63 }
  64 EXPORT_SYMBOL_GPL(sock_diag_save_cookie);
  65
  66 int sock_diag_put_meminfo(struct sock *sk, struct sk_buff *skb, int attrtype)
  67 {
  68         u32 mem[SK_MEMINFO_VARS];
  69
  70         sk_get_meminfo(sk, mem);
  71
  72         return nla_put(skb, attrtype, sizeof(mem), &mem);
  73 }
  74 EXPORT_SYMBOL_GPL(sock_diag_put_meminfo);
  75
  76 int sock_diag_put_filterinfo(bool may_report_filterinfo, struct sock *sk,
  77                              struct sk_buff *skb, int attrtype)
  78 {
  79         struct sock_fprog_kern *fprog;
  80         struct sk_filter *filter;
  81         struct nlattr *attr;
  82         unsigned int flen;
  83         int err = 0;
  84
  85         if (!may_report_filterinfo) {
  86                 nla_reserve(skb, attrtype, 0);
  87                 return 0;
  88         }
  89
  90         rcu_read_lock();
  91         filter = rcu_dereference(sk->sk_filter);
  92         if (!filter)
  93                 goto out;
  94
  95         fprog = filter->prog->orig_prog;
  96         if (!fprog)
  97                 goto out;
  98
  99         flen = bpf_classic_proglen(fprog);
 100
 101         attr = nla_reserve(skb, attrtype, flen);
 102         if (attr == NULL) {
 103                 err = -EMSGSIZE;
 104                 goto out;
 105         }
 106
 107         memcpy(nla_data(attr), fprog->filter, flen);
 108 out:
 109         rcu_read_unlock();
 110         return err;
 111 }
 112 EXPORT_SYMBOL(sock_diag_put_filterinfo);
 113
 114 struct broadcast_sk {
 115         struct sock *sk;
 116         struct work_struct work;
 117 };
 118
 119 static size_t sock_diag_nlmsg_size(void)
 120 {
 121         return NLMSG_ALIGN(sizeof(struct inet_diag_msg)
 122                + nla_total_size(sizeof(u8)) /* INET_DIAG_PROTOCOL */
 123                + nla_total_size_64bit(sizeof(struct tcp_info))); /* INET_DIAG_INFO */
 124 }
 125
 126 static const struct sock_diag_handler *sock_diag_lock_handler(int family)
 127 {
 128         const struct sock_diag_handler *handler;
 129
 130         rcu_read_lock();
 131         handler = rcu_dereference(sock_diag_handlers[family]);
 132         if (handler && !try_module_get(handler->owner))
 133                 handler = NULL;
 134         rcu_read_unlock();
 135
 136         return handler;
 137 }
 138
 139 static void sock_diag_unlock_handler(const struct sock_diag_handler *handler)
 140 {
 141         module_put(handler->owner);
 142 }
 143
 144 static void sock_diag_broadcast_destroy_work(struct work_struct *work)
 145 {
 146         struct broadcast_sk *bsk =
 147                 container_of(work, struct broadcast_sk, work);
 148         struct sock *sk = bsk->sk;
 149         const struct sock_diag_handler *hndl;
 150         struct sk_buff *skb;
 151         const enum sknetlink_groups group = sock_diag_destroy_group(sk);
 152         int err = -1;
 153
 154         WARN_ON(group == SKNLGRP_NONE);
 155
 156         skb = nlmsg_new(sock_diag_nlmsg_size(), GFP_KERNEL);
 157         if (!skb)
 158                 goto out;
 159
 160         hndl = sock_diag_lock_handler(sk->sk_family);
 161         if (hndl) {
 162                 if (hndl->get_info)
 163                         err = hndl->get_info(skb, sk);
 164                 sock_diag_unlock_handler(hndl);
 165         }
 166         if (!err)
 167                 nlmsg_multicast(sock_net(sk)->diag_nlsk, skb, 0, group,
 168                                 GFP_KERNEL);
 169         else
 170                 kfree_skb(skb);
 171 out:
 172         sk_destruct(sk);
 173         kfree(bsk);
 174 }
 175
 176 void sock_diag_broadcast_destroy(struct sock *sk)
 177 {
 178         /* Note, this function is often called from an interrupt context. */
 179         struct broadcast_sk *bsk =
 180                 kmalloc(sizeof(struct broadcast_sk), GFP_ATOMIC);
 181         if (!bsk)
 182                 return sk_destruct(sk);
 183         bsk->sk = sk;
 184         INIT_WORK(&bsk->work, sock_diag_broadcast_destroy_work);
 185         queue_work(broadcast_wq, &bsk->work);
 186 }
 187
 188 void sock_diag_register_inet_compat(const struct sock_diag_inet_compat *ptr)
 189 {
 190         xchg(&inet_rcv_compat, RCU_INITIALIZER(ptr));
 191 }
 192 EXPORT_SYMBOL_GPL(sock_diag_register_inet_compat);
 193
 194 void sock_diag_unregister_inet_compat(const struct sock_diag_inet_compat *ptr)
 195 {
 196         const struct sock_diag_inet_compat *old;
 197
 198         old = unrcu_pointer(xchg(&inet_rcv_compat, NULL));
 199         WARN_ON_ONCE(old != ptr);
 200 }
 201 EXPORT_SYMBOL_GPL(sock_diag_unregister_inet_compat);
 202
 203 int sock_diag_register(const struct sock_diag_handler *hndl)
 204 {
 205         int family = hndl->family;
 206
 207         if (family >= AF_MAX)
 208                 return -EINVAL;
 209
 210         return !cmpxchg((const struct sock_diag_handler **)
 211                                 &sock_diag_handlers[family],
 212                         NULL, hndl) ? 0 : -EBUSY;
 213 }
 214 EXPORT_SYMBOL_GPL(sock_diag_register);
 215
 216 void sock_diag_unregister(const struct sock_diag_handler *hndl)
 217 {
 218         int family = hndl->family;
 219
 220         if (family >= AF_MAX)
 221                 return;
 222
 223         xchg((const struct sock_diag_handler **)&sock_diag_handlers[family],
 224              NULL);
 225 }
 226 EXPORT_SYMBOL_GPL(sock_diag_unregister);
 227
 228 static int __sock_diag_cmd(struct sk_buff *skb, struct nlmsghdr *nlh)
 229 {
 230         int err;
 231         struct sock_diag_req *req = nlmsg_data(nlh);
 232         const struct sock_diag_handler *hndl;
 233
 234         if (nlmsg_len(nlh) < sizeof(*req))
 235                 return -EINVAL;
 236
 237         if (req->sdiag_family >= AF_MAX)
 238                 return -EINVAL;
 239         req->sdiag_family = array_index_nospec(req->sdiag_family, AF_MAX);
 240
 241         if (!rcu_access_pointer(sock_diag_handlers[req->sdiag_family]))
 242                 sock_load_diag_module(req->sdiag_family, 0);
 243
 244         hndl = sock_diag_lock_handler(req->sdiag_family);
 245         if (hndl == NULL)
 246                 return -ENOENT;
 247
 248         if (nlh->nlmsg_type == SOCK_DIAG_BY_FAMILY)
 249                 err = hndl->dump(skb, nlh);
 250         else if (nlh->nlmsg_type == SOCK_DESTROY && hndl->destroy)
 251                 err = hndl->destroy(skb, nlh);
 252         else
 253                 err = -EOPNOTSUPP;
 254         sock_diag_unlock_handler(hndl);
 255
 256         return err;
 257 }
 258
 259 static int sock_diag_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 260                              struct netlink_ext_ack *extack)
 261 {
 262         const struct sock_diag_inet_compat *ptr;
 263         int ret;
 264
 265         switch (nlh->nlmsg_type) {
 266         case TCPDIAG_GETSOCK:
 267         case DCCPDIAG_GETSOCK:
 268
 269                 if (!rcu_access_pointer(inet_rcv_compat))
 270                         sock_load_diag_module(AF_INET, 0);
 271
 272                 rcu_read_lock();
 273                 ptr = rcu_dereference(inet_rcv_compat);
 274                 if (ptr && !try_module_get(ptr->owner))
 275                         ptr = NULL;
 276                 rcu_read_unlock();
 277
 278                 ret = -EOPNOTSUPP;
 279                 if (ptr) {
 280                         ret = ptr->fn(skb, nlh);
 281                         module_put(ptr->owner);
 282                 }
 283
 284                 return ret;
 285         case SOCK_DIAG_BY_FAMILY:
 286         case SOCK_DESTROY:
 287                 return __sock_diag_cmd(skb, nlh);
 288         default:
 289                 return -EINVAL;
 290         }
 291 }
 292
 293 static void sock_diag_rcv(struct sk_buff *skb)
 294 {
 295         netlink_rcv_skb(skb, &sock_diag_rcv_msg);
 296 }
 297
 298 static int sock_diag_bind(struct net *net, int group)
 299 {
 300         switch (group) {
 301         case SKNLGRP_INET_TCP_DESTROY:
 302         case SKNLGRP_INET_UDP_DESTROY:
 303                 if (!rcu_access_pointer(sock_diag_handlers[AF_INET]))
 304                         sock_load_diag_module(AF_INET, 0);
 305                 break;
 306         case SKNLGRP_INET6_TCP_DESTROY:
 307         case SKNLGRP_INET6_UDP_DESTROY:
 308                 if (!rcu_access_pointer(sock_diag_handlers[AF_INET6]))
 309                         sock_load_diag_module(AF_INET6, 0);
 310                 break;
 311         }
 312         return 0;
 313 }
 314
 315 int sock_diag_destroy(struct sock *sk, int err)
 316 {
 317         if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN))
 318                 return -EPERM;
 319
 320         if (!sk->sk_prot->diag_destroy)
 321                 return -EOPNOTSUPP;
 322
 323         return sk->sk_prot->diag_destroy(sk, err);
 324 }
 325 EXPORT_SYMBOL_GPL(sock_diag_destroy);
 326
 327 static int __net_init diag_net_init(struct net *net)
 328 {
 329         struct netlink_kernel_cfg cfg = {
 330                 .groups = SKNLGRP_MAX,
 331                 .input  = sock_diag_rcv,
 332                 .bind   = sock_diag_bind,
 333                 .flags  = NL_CFG_F_NONROOT_RECV,
 334         };
 335
 336         net->diag_nlsk = netlink_kernel_create(net, NETLINK_SOCK_DIAG, &cfg);
 337         return net->diag_nlsk == NULL ? -ENOMEM : 0;
 338 }
 339
 340 static void __net_exit diag_net_exit(struct net *net)
 341 {
 342         netlink_kernel_release(net->diag_nlsk);
 343         net->diag_nlsk = NULL;
 344 }
 345
 346 static struct pernet_operations diag_net_ops = {
 347         .init = diag_net_init,
 348         .exit = diag_net_exit,
 349 };
 350
 351 static int __init sock_diag_init(void)
 352 {
 353         broadcast_wq = alloc_workqueue("sock_diag_events", 0, 0);
 354         BUG_ON(!broadcast_wq);
 355         return register_pernet_subsys(&diag_net_ops);
 356 }
 357 device_initcall(sock_diag_init);