1
// SPDX-License-Identifier: GPL-2.0-or-later
2
/*
3
 *	Generic address resolution entity
4
 *
5
 *	Authors:
6
 *	Pedro Roque		<[email protected]>
7
 *	Alexey Kuznetsov	<[email protected]>
8
 *
9
 *	Fixes:
10
 *	Vitaly E. Lavrov	releasing NULL neighbor in neigh_add.
11
 *	Harald Welte		Add neighbour cache statistics like rtstat
12
 */
13

14
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15

16
#include <linux/slab.h>
17
#include <linux/types.h>
18
#include <linux/kernel.h>
19
#include <linux/module.h>
20
#include <linux/socket.h>
21
#include <linux/netdevice.h>
22
#include <linux/proc_fs.h>
23
#ifdef CONFIG_SYSCTL
24
#include <linux/sysctl.h>
25
#endif
26
#include <linux/times.h>
27
#include <net/net_namespace.h>
28
#include <net/neighbour.h>
29
#include <net/arp.h>
30
#include <net/dst.h>
31
#include <net/ip.h>
32
#include <net/sock.h>
33
#include <net/netevent.h>
34
#include <net/netlink.h>
35
#include <linux/rtnetlink.h>
36
#include <linux/random.h>
37
#include <linux/string.h>
38
#include <linux/log2.h>
39
#include <linux/inetdevice.h>
40
#include <net/addrconf.h>
41

42
#include <trace/events/neigh.h>
43

44
#define NEIGH_DEBUG 1
45
#define neigh_dbg(level, fmt, ...)		\
46
do {						\
47
	if (level <= NEIGH_DEBUG)		\
48
		pr_debug(fmt, ##__VA_ARGS__);	\
49
} while (0)
50

51
#define PNEIGH_HASHMASK		0xF
52

53
static void neigh_timer_handler(struct timer_list *t);
54
static void __neigh_notify(struct neighbour *n, int type, int flags,
55
			   u32 pid);
56
static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid);
57
static void pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
58
			  bool skip_perm);
59

60
#ifdef CONFIG_PROC_FS
61
static const struct seq_operations neigh_stat_seq_ops;
62
#endif
63

64
static struct hlist_head *neigh_get_dev_table(struct net_device *dev, int family)
65
{
66
	int i;
67

68
	switch (family) {
69
	default:
70
		DEBUG_NET_WARN_ON_ONCE(1);
71
		fallthrough; /* to avoid panic by null-ptr-deref */
72
	case AF_INET:
73
		i = NEIGH_ARP_TABLE;
74
		break;
75
	case AF_INET6:
76
		i = NEIGH_ND_TABLE;
77
		break;
78
	}
79

80
	return &dev->neighbours[i];
81
}
82

83
/*
84
   Neighbour hash table buckets are protected with rwlock tbl->lock.
85

86
   - All the scans/updates to hash buckets MUST be made under this lock.
87
   - NOTHING clever should be made under this lock: no callbacks
88
     to protocol backends, no attempts to send something to network.
89
     It will result in deadlocks, if backend/driver wants to use neighbour
90
     cache.
91
   - If the entry requires some non-trivial actions, increase
92
     its reference count and release table lock.
93

94
   Neighbour entries are protected:
95
   - with reference count.
96
   - with rwlock neigh->lock
97

98
   Reference count prevents destruction.
99

100
   neigh->lock mainly serializes ll address data and its validity state.
101
   However, the same lock is used to protect another entry fields:
102
    - timer
103
    - resolution queue
104

105
   Again, nothing clever shall be made under neigh->lock,
106
   the most complicated procedure, which we allow is dev->hard_header.
107
   It is supposed, that dev->hard_header is simplistic and does
108
   not make callbacks to neighbour tables.
109
 */
110

111
static int neigh_blackhole(struct neighbour *neigh, struct sk_buff *skb)
112
{
113
	kfree_skb(skb);
114
	return -ENETDOWN;
115
}
116

117
static void neigh_cleanup_and_release(struct neighbour *neigh)
118
{
119
	trace_neigh_cleanup_and_release(neigh, 0);
120
	__neigh_notify(neigh, RTM_DELNEIGH, 0, 0);
121
	call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
122
	neigh_release(neigh);
123
}
124

125
/*
126
 * It is random distribution in the interval (1/2)*base...(3/2)*base.
127
 * It corresponds to default IPv6 settings and is not overridable,
128
 * because it is really reasonable choice.
129
 */
130

131
unsigned long neigh_rand_reach_time(unsigned long base)
132
{
133
	return base ? get_random_u32_below(base) + (base >> 1) : 0;
134
}
135
EXPORT_SYMBOL(neigh_rand_reach_time);
136

137
static void neigh_mark_dead(struct neighbour *n)
138
{
139
	n->dead = 1;
140
	if (!list_empty(&n->gc_list)) {
141
		list_del_init(&n->gc_list);
142
		atomic_dec(&n->tbl->gc_entries);
143
	}
144
	if (!list_empty(&n->managed_list))
145
		list_del_init(&n->managed_list);
146
}
147

148
static void neigh_update_gc_list(struct neighbour *n)
149
{
150
	bool on_gc_list, exempt_from_gc;
151

152
	write_lock_bh(&n->tbl->lock);
153
	write_lock(&n->lock);
154
	if (n->dead)
155
		goto out;
156

157
	/* remove from the gc list if new state is permanent or if neighbor is
158
	 * externally learned / validated; otherwise entry should be on the gc
159
	 * list
160
	 */
161
	exempt_from_gc = n->nud_state & NUD_PERMANENT ||
162
			 n->flags & (NTF_EXT_LEARNED | NTF_EXT_VALIDATED);
163
	on_gc_list = !list_empty(&n->gc_list);
164

165
	if (exempt_from_gc && on_gc_list) {
166
		list_del_init(&n->gc_list);
167
		atomic_dec(&n->tbl->gc_entries);
168
	} else if (!exempt_from_gc && !on_gc_list) {
169
		/* add entries to the tail; cleaning removes from the front */
170
		list_add_tail(&n->gc_list, &n->tbl->gc_list);
171
		atomic_inc(&n->tbl->gc_entries);
172
	}
173
out:
174
	write_unlock(&n->lock);
175
	write_unlock_bh(&n->tbl->lock);
176
}
177

178
static void neigh_update_managed_list(struct neighbour *n)
179
{
180
	bool on_managed_list, add_to_managed;
181

182
	write_lock_bh(&n->tbl->lock);
183
	write_lock(&n->lock);
184
	if (n->dead)
185
		goto out;
186

187
	add_to_managed = n->flags & NTF_MANAGED;
188
	on_managed_list = !list_empty(&n->managed_list);
189

190
	if (!add_to_managed && on_managed_list)
191
		list_del_init(&n->managed_list);
192
	else if (add_to_managed && !on_managed_list)
193
		list_add_tail(&n->managed_list, &n->tbl->managed_list);
194
out:
195
	write_unlock(&n->lock);
196
	write_unlock_bh(&n->tbl->lock);
197
}
198

199
static void neigh_update_flags(struct neighbour *neigh, u32 flags, int *notify,
200
			       bool *gc_update, bool *managed_update)
201
{
202
	u32 ndm_flags, old_flags = neigh->flags;
203

204
	if (!(flags & NEIGH_UPDATE_F_ADMIN))
205
		return;
206

207
	ndm_flags  = (flags & NEIGH_UPDATE_F_EXT_LEARNED) ? NTF_EXT_LEARNED : 0;
208
	ndm_flags |= (flags & NEIGH_UPDATE_F_MANAGED) ? NTF_MANAGED : 0;
209
	ndm_flags |= (flags & NEIGH_UPDATE_F_EXT_VALIDATED) ? NTF_EXT_VALIDATED : 0;
210

211
	if ((old_flags ^ ndm_flags) & NTF_EXT_LEARNED) {
212
		if (ndm_flags & NTF_EXT_LEARNED)
213
			neigh->flags |= NTF_EXT_LEARNED;
214
		else
215
			neigh->flags &= ~NTF_EXT_LEARNED;
216
		*notify = 1;
217
		*gc_update = true;
218
	}
219
	if ((old_flags ^ ndm_flags) & NTF_MANAGED) {
220
		if (ndm_flags & NTF_MANAGED)
221
			neigh->flags |= NTF_MANAGED;
222
		else
223
			neigh->flags &= ~NTF_MANAGED;
224
		*notify = 1;
225
		*managed_update = true;
226
	}
227
	if ((old_flags ^ ndm_flags) & NTF_EXT_VALIDATED) {
228
		if (ndm_flags & NTF_EXT_VALIDATED)
229
			neigh->flags |= NTF_EXT_VALIDATED;
230
		else
231
			neigh->flags &= ~NTF_EXT_VALIDATED;
232
		*notify = 1;
233
		*gc_update = true;
234
	}
235
}
236

237
bool neigh_remove_one(struct neighbour *n)
238
{
239
	bool retval = false;
240

241
	write_lock(&n->lock);
242
	if (refcount_read(&n->refcnt) == 1) {
243
		hlist_del_rcu(&n->hash);
244
		hlist_del_rcu(&n->dev_list);
245
		neigh_mark_dead(n);
246
		retval = true;
247
	}
248
	write_unlock(&n->lock);
249
	if (retval)
250
		neigh_cleanup_and_release(n);
251
	return retval;
252
}
253

254
static int neigh_forced_gc(struct neigh_table *tbl)
255
{
256
	int max_clean = atomic_read(&tbl->gc_entries) -
257
			READ_ONCE(tbl->gc_thresh2);
258
	u64 tmax = ktime_get_ns() + NSEC_PER_MSEC;
259
	unsigned long tref = jiffies - 5 * HZ;
260
	struct neighbour *n, *tmp;
261
	int shrunk = 0;
262
	int loop = 0;
263

264
	NEIGH_CACHE_STAT_INC(tbl, forced_gc_runs);
265

266
	write_lock_bh(&tbl->lock);
267

268
	list_for_each_entry_safe(n, tmp, &tbl->gc_list, gc_list) {
269
		if (refcount_read(&n->refcnt) == 1) {
270
			bool remove = false;
271

272
			write_lock(&n->lock);
273
			if ((n->nud_state == NUD_FAILED) ||
274
			    (n->nud_state == NUD_NOARP) ||
275
			    (tbl->is_multicast &&
276
			     tbl->is_multicast(n->primary_key)) ||
277
			    !time_in_range(n->updated, tref, jiffies))
278
				remove = true;
279
			write_unlock(&n->lock);
280

281
			if (remove && neigh_remove_one(n))
282
				shrunk++;
283
			if (shrunk >= max_clean)
284
				break;
285
			if (++loop == 16) {
286
				if (ktime_get_ns() > tmax)
287
					goto unlock;
288
				loop = 0;
289
			}
290
		}
291
	}
292

293
	WRITE_ONCE(tbl->last_flush, jiffies);
294
unlock:
295
	write_unlock_bh(&tbl->lock);
296

297
	return shrunk;
298
}
299

300
static void neigh_add_timer(struct neighbour *n, unsigned long when)
301
{
302
	/* Use safe distance from the jiffies - LONG_MAX point while timer
303
	 * is running in DELAY/PROBE state but still show to user space
304
	 * large times in the past.
305
	 */
306
	unsigned long mint = jiffies - (LONG_MAX - 86400 * HZ);
307

308
	neigh_hold(n);
309
	if (!time_in_range(n->confirmed, mint, jiffies))
310
		n->confirmed = mint;
311
	if (time_before(n->used, n->confirmed))
312
		n->used = n->confirmed;
313
	if (unlikely(mod_timer(&n->timer, when))) {
314
		printk("NEIGH: BUG, double timer add, state is %x\n",
315
		       n->nud_state);
316
		dump_stack();
317
	}
318
}
319

320
static int neigh_del_timer(struct neighbour *n)
321
{
322
	if ((n->nud_state & NUD_IN_TIMER) &&
323
	    timer_delete(&n->timer)) {
324
		neigh_release(n);
325
		return 1;
326
	}
327
	return 0;
328
}
329

330
static struct neigh_parms *neigh_get_dev_parms_rcu(struct net_device *dev,
331
						   int family)
332
{
333
	switch (family) {
334
	case AF_INET:
335
		return __in_dev_arp_parms_get_rcu(dev);
336
	case AF_INET6:
337
		return __in6_dev_nd_parms_get_rcu(dev);
338
	}
339
	return NULL;
340
}
341

342
static void neigh_parms_qlen_dec(struct net_device *dev, int family)
343
{
344
	struct neigh_parms *p;
345

346
	rcu_read_lock();
347
	p = neigh_get_dev_parms_rcu(dev, family);
348
	if (p)
349
		p->qlen--;
350
	rcu_read_unlock();
351
}
352

353
static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net,
354
			       int family)
355
{
356
	struct sk_buff_head tmp;
357
	unsigned long flags;
358
	struct sk_buff *skb;
359

360
	skb_queue_head_init(&tmp);
361
	spin_lock_irqsave(&list->lock, flags);
362
	skb = skb_peek(list);
363
	while (skb != NULL) {
364
		struct sk_buff *skb_next = skb_peek_next(skb, list);
365
		struct net_device *dev = skb->dev;
366

367
		if (net == NULL || net_eq(dev_net(dev), net)) {
368
			neigh_parms_qlen_dec(dev, family);
369
			__skb_unlink(skb, list);
370
			__skb_queue_tail(&tmp, skb);
371
		}
372
		skb = skb_next;
373
	}
374
	spin_unlock_irqrestore(&list->lock, flags);
375

376
	while ((skb = __skb_dequeue(&tmp))) {
377
		dev_put(skb->dev);
378
		kfree_skb(skb);
379
	}
380
}
381

382
static void neigh_flush_one(struct neighbour *n)
383
{
384
	hlist_del_rcu(&n->hash);
385
	hlist_del_rcu(&n->dev_list);
386

387
	write_lock(&n->lock);
388

389
	neigh_del_timer(n);
390
	neigh_mark_dead(n);
391

392
	if (refcount_read(&n->refcnt) != 1) {
393
		/* The most unpleasant situation.
394
		 * We must destroy neighbour entry,
395
		 * but someone still uses it.
396
		 *
397
		 * The destroy will be delayed until
398
		 * the last user releases us, but
399
		 * we must kill timers etc. and move
400
		 * it to safe state.
401
		 */
402
		__skb_queue_purge(&n->arp_queue);
403
		n->arp_queue_len_bytes = 0;
404
		WRITE_ONCE(n->output, neigh_blackhole);
405

406
		if (n->nud_state & NUD_VALID)
407
			n->nud_state = NUD_NOARP;
408
		else
409
			n->nud_state = NUD_NONE;
410

411
		neigh_dbg(2, "neigh %p is stray\n", n);
412
	}
413

414
	write_unlock(&n->lock);
415

416
	neigh_cleanup_and_release(n);
417
}
418

419
static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev,
420
			    bool skip_perm)
421
{
422
	struct hlist_head *dev_head;
423
	struct hlist_node *tmp;
424
	struct neighbour *n;
425

426
	dev_head = neigh_get_dev_table(dev, tbl->family);
427

428
	hlist_for_each_entry_safe(n, tmp, dev_head, dev_list) {
429
		if (skip_perm &&
430
		    (n->nud_state & NUD_PERMANENT ||
431
		     n->flags & NTF_EXT_VALIDATED))
432
			continue;
433

434
		neigh_flush_one(n);
435
	}
436
}
437

438
static void neigh_flush_table(struct neigh_table *tbl)
439
{
440
	struct neigh_hash_table *nht;
441
	int i;
442

443
	nht = rcu_dereference_protected(tbl->nht,
444
					lockdep_is_held(&tbl->lock));
445

446
	for (i = 0; i < (1 << nht->hash_shift); i++) {
447
		struct hlist_node *tmp;
448
		struct neighbour *n;
449

450
		neigh_for_each_in_bucket_safe(n, tmp, &nht->hash_heads[i])
451
			neigh_flush_one(n);
452
	}
453
}
454

455
void neigh_changeaddr(struct neigh_table *tbl, struct net_device *dev)
456
{
457
	write_lock_bh(&tbl->lock);
458
	neigh_flush_dev(tbl, dev, false);
459
	write_unlock_bh(&tbl->lock);
460
}
461
EXPORT_SYMBOL(neigh_changeaddr);
462

463
static int __neigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
464
			  bool skip_perm)
465
{
466
	write_lock_bh(&tbl->lock);
467
	if (likely(dev)) {
468
		neigh_flush_dev(tbl, dev, skip_perm);
469
	} else {
470
		DEBUG_NET_WARN_ON_ONCE(skip_perm);
471
		neigh_flush_table(tbl);
472
	}
473
	write_unlock_bh(&tbl->lock);
474

475
	pneigh_ifdown(tbl, dev, skip_perm);
476
	pneigh_queue_purge(&tbl->proxy_queue, dev ? dev_net(dev) : NULL,
477
			   tbl->family);
478
	if (skb_queue_empty_lockless(&tbl->proxy_queue))
479
		timer_delete_sync(&tbl->proxy_timer);
480
	return 0;
481
}
482

483
int neigh_carrier_down(struct neigh_table *tbl, struct net_device *dev)
484
{
485
	__neigh_ifdown(tbl, dev, true);
486
	return 0;
487
}
488
EXPORT_SYMBOL(neigh_carrier_down);
489

490
int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
491
{
492
	__neigh_ifdown(tbl, dev, false);
493
	return 0;
494
}
495
EXPORT_SYMBOL(neigh_ifdown);
496

497
static struct neighbour *neigh_alloc(struct neigh_table *tbl,
498
				     struct net_device *dev,
499
				     u32 flags, bool exempt_from_gc)
500
{
501
	struct neighbour *n = NULL;
502
	unsigned long now = jiffies;
503
	int entries, gc_thresh3;
504

505
	if (exempt_from_gc)
506
		goto do_alloc;
507

508
	entries = atomic_inc_return(&tbl->gc_entries) - 1;
509
	gc_thresh3 = READ_ONCE(tbl->gc_thresh3);
510
	if (entries >= gc_thresh3 ||
511
	    (entries >= READ_ONCE(tbl->gc_thresh2) &&
512
	     time_after(now, READ_ONCE(tbl->last_flush) + 5 * HZ))) {
513
		if (!neigh_forced_gc(tbl) && entries >= gc_thresh3) {
514
			net_info_ratelimited("%s: neighbor table overflow!\n",
515
					     tbl->id);
516
			NEIGH_CACHE_STAT_INC(tbl, table_fulls);
517
			goto out_entries;
518
		}
519
	}
520

521
do_alloc:
522
	n = kzalloc(tbl->entry_size + dev->neigh_priv_len, GFP_ATOMIC);
523
	if (!n)
524
		goto out_entries;
525

526
	__skb_queue_head_init(&n->arp_queue);
527
	rwlock_init(&n->lock);
528
	seqlock_init(&n->ha_lock);
529
	n->updated	  = n->used = now;
530
	n->nud_state	  = NUD_NONE;
531
	n->output	  = neigh_blackhole;
532
	n->flags	  = flags;
533
	seqlock_init(&n->hh.hh_lock);
534
	n->parms	  = neigh_parms_clone(&tbl->parms);
535
	timer_setup(&n->timer, neigh_timer_handler, 0);
536

537
	NEIGH_CACHE_STAT_INC(tbl, allocs);
538
	n->tbl		  = tbl;
539
	refcount_set(&n->refcnt, 1);
540
	n->dead		  = 1;
541
	INIT_LIST_HEAD(&n->gc_list);
542
	INIT_LIST_HEAD(&n->managed_list);
543

544
	atomic_inc(&tbl->entries);
545
out:
546
	return n;
547

548
out_entries:
549
	if (!exempt_from_gc)
550
		atomic_dec(&tbl->gc_entries);
551
	goto out;
552
}
553

554
static void neigh_get_hash_rnd(u32 *x)
555
{
556
	*x = get_random_u32() | 1;
557
}
558

559
static struct neigh_hash_table *neigh_hash_alloc(unsigned int shift)
560
{
561
	size_t size = (1 << shift) * sizeof(struct hlist_head);
562
	struct hlist_head *hash_heads;
563
	struct neigh_hash_table *ret;
564
	int i;
565

566
	ret = kmalloc(sizeof(*ret), GFP_ATOMIC);
567
	if (!ret)
568
		return NULL;
569

570
	hash_heads = kzalloc(size, GFP_ATOMIC);
571
	if (!hash_heads) {
572
		kfree(ret);
573
		return NULL;
574
	}
575
	ret->hash_heads = hash_heads;
576
	ret->hash_shift = shift;
577
	for (i = 0; i < NEIGH_NUM_HASH_RND; i++)
578
		neigh_get_hash_rnd(&ret->hash_rnd[i]);
579
	return ret;
580
}
581

582
static void neigh_hash_free_rcu(struct rcu_head *head)
583
{
584
	struct neigh_hash_table *nht = container_of(head,
585
						    struct neigh_hash_table,
586
						    rcu);
587

588
	kfree(nht->hash_heads);
589
	kfree(nht);
590
}
591

592
static struct neigh_hash_table *neigh_hash_grow(struct neigh_table *tbl,
593
						unsigned long new_shift)
594
{
595
	unsigned int i, hash;
596
	struct neigh_hash_table *new_nht, *old_nht;
597

598
	NEIGH_CACHE_STAT_INC(tbl, hash_grows);
599

600
	old_nht = rcu_dereference_protected(tbl->nht,
601
					    lockdep_is_held(&tbl->lock));
602
	new_nht = neigh_hash_alloc(new_shift);
603
	if (!new_nht)
604
		return old_nht;
605

606
	for (i = 0; i < (1 << old_nht->hash_shift); i++) {
607
		struct hlist_node *tmp;
608
		struct neighbour *n;
609

610
		neigh_for_each_in_bucket_safe(n, tmp, &old_nht->hash_heads[i]) {
611
			hash = tbl->hash(n->primary_key, n->dev,
612
					 new_nht->hash_rnd);
613

614
			hash >>= (32 - new_nht->hash_shift);
615

616
			hlist_del_rcu(&n->hash);
617
			hlist_add_head_rcu(&n->hash, &new_nht->hash_heads[hash]);
618
		}
619
	}
620

621
	rcu_assign_pointer(tbl->nht, new_nht);
622
	call_rcu(&old_nht->rcu, neigh_hash_free_rcu);
623
	return new_nht;
624
}
625

626
struct neighbour *neigh_lookup(struct neigh_table *tbl, const void *pkey,
627
			       struct net_device *dev)
628
{
629
	struct neighbour *n;
630

631
	NEIGH_CACHE_STAT_INC(tbl, lookups);
632

633
	rcu_read_lock();
634
	n = __neigh_lookup_noref(tbl, pkey, dev);
635
	if (n) {
636
		if (!refcount_inc_not_zero(&n->refcnt))
637
			n = NULL;
638
		NEIGH_CACHE_STAT_INC(tbl, hits);
639
	}
640

641
	rcu_read_unlock();
642
	return n;
643
}
644
EXPORT_SYMBOL(neigh_lookup);
645

646
static struct neighbour *
647
___neigh_create(struct neigh_table *tbl, const void *pkey,
648
		struct net_device *dev, u32 flags,
649
		bool exempt_from_gc, bool want_ref)
650
{
651
	u32 hash_val, key_len = tbl->key_len;
652
	struct neighbour *n1, *rc, *n;
653
	struct neigh_hash_table *nht;
654
	int error;
655

656
	n = neigh_alloc(tbl, dev, flags, exempt_from_gc);
657
	trace_neigh_create(tbl, dev, pkey, n, exempt_from_gc);
658
	if (!n) {
659
		rc = ERR_PTR(-ENOBUFS);
660
		goto out;
661
	}
662

663
	memcpy(n->primary_key, pkey, key_len);
664
	n->dev = dev;
665
	netdev_hold(dev, &n->dev_tracker, GFP_ATOMIC);
666

667
	/* Protocol specific setup. */
668
	if (tbl->constructor &&	(error = tbl->constructor(n)) < 0) {
669
		rc = ERR_PTR(error);
670
		goto out_neigh_release;
671
	}
672

673
	if (dev->netdev_ops->ndo_neigh_construct) {
674
		error = dev->netdev_ops->ndo_neigh_construct(dev, n);
675
		if (error < 0) {
676
			rc = ERR_PTR(error);
677
			goto out_neigh_release;
678
		}
679
	}
680

681
	/* Device specific setup. */
682
	if (n->parms->neigh_setup &&
683
	    (error = n->parms->neigh_setup(n)) < 0) {
684
		rc = ERR_PTR(error);
685
		goto out_neigh_release;
686
	}
687

688
	n->confirmed = jiffies - (NEIGH_VAR(n->parms, BASE_REACHABLE_TIME) << 1);
689

690
	write_lock_bh(&tbl->lock);
691
	nht = rcu_dereference_protected(tbl->nht,
692
					lockdep_is_held(&tbl->lock));
693

694
	if (atomic_read(&tbl->entries) > (1 << nht->hash_shift))
695
		nht = neigh_hash_grow(tbl, nht->hash_shift + 1);
696

697
	hash_val = tbl->hash(n->primary_key, dev, nht->hash_rnd) >> (32 - nht->hash_shift);
698

699
	if (n->parms->dead) {
700
		rc = ERR_PTR(-EINVAL);
701
		goto out_tbl_unlock;
702
	}
703

704
	neigh_for_each_in_bucket(n1, &nht->hash_heads[hash_val]) {
705
		if (dev == n1->dev && !memcmp(n1->primary_key, n->primary_key, key_len)) {
706
			if (want_ref)
707
				neigh_hold(n1);
708
			rc = n1;
709
			goto out_tbl_unlock;
710
		}
711
	}
712

713
	n->dead = 0;
714
	if (!exempt_from_gc)
715
		list_add_tail(&n->gc_list, &n->tbl->gc_list);
716
	if (n->flags & NTF_MANAGED)
717
		list_add_tail(&n->managed_list, &n->tbl->managed_list);
718
	if (want_ref)
719
		neigh_hold(n);
720
	hlist_add_head_rcu(&n->hash, &nht->hash_heads[hash_val]);
721

722
	hlist_add_head_rcu(&n->dev_list,
723
			   neigh_get_dev_table(dev, tbl->family));
724

725
	write_unlock_bh(&tbl->lock);
726
	neigh_dbg(2, "neigh %p is created\n", n);
727
	rc = n;
728
out:
729
	return rc;
730
out_tbl_unlock:
731
	write_unlock_bh(&tbl->lock);
732
out_neigh_release:
733
	if (!exempt_from_gc)
734
		atomic_dec(&tbl->gc_entries);
735
	neigh_release(n);
736
	goto out;
737
}
738

739
struct neighbour *__neigh_create(struct neigh_table *tbl, const void *pkey,
740
				 struct net_device *dev, bool want_ref)
741
{
742
	bool exempt_from_gc = !!(dev->flags & IFF_LOOPBACK);
743

744
	return ___neigh_create(tbl, pkey, dev, 0, exempt_from_gc, want_ref);
745
}
746
EXPORT_SYMBOL(__neigh_create);
747

748
static u32 pneigh_hash(const void *pkey, unsigned int key_len)
749
{
750
	u32 hash_val = *(u32 *)(pkey + key_len - 4);
751
	hash_val ^= (hash_val >> 16);
752
	hash_val ^= hash_val >> 8;
753
	hash_val ^= hash_val >> 4;
754
	hash_val &= PNEIGH_HASHMASK;
755
	return hash_val;
756
}
757

758
struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl,
759
				   struct net *net, const void *pkey,
760
				   struct net_device *dev)
761
{
762
	struct pneigh_entry *n;
763
	unsigned int key_len;
764
	u32 hash_val;
765

766
	key_len = tbl->key_len;
767
	hash_val = pneigh_hash(pkey, key_len);
768
	n = rcu_dereference_check(tbl->phash_buckets[hash_val],
769
				  lockdep_is_held(&tbl->phash_lock));
770

771
	while (n) {
772
		if (!memcmp(n->key, pkey, key_len) &&
773
		    net_eq(pneigh_net(n), net) &&
774
		    (n->dev == dev || !n->dev))
775
			return n;
776

777
		n = rcu_dereference_check(n->next, lockdep_is_held(&tbl->phash_lock));
778
	}
779

780
	return NULL;
781
}
782
EXPORT_IPV6_MOD(pneigh_lookup);
783

784
int pneigh_create(struct neigh_table *tbl, struct net *net,
785
		  const void *pkey, struct net_device *dev,
786
		  u32 flags, u8 protocol, bool permanent)
787
{
788
	struct pneigh_entry *n;
789
	unsigned int key_len;
790
	u32 hash_val;
791
	int err = 0;
792

793
	mutex_lock(&tbl->phash_lock);
794

795
	n = pneigh_lookup(tbl, net, pkey, dev);
796
	if (n)
797
		goto update;
798

799
	key_len = tbl->key_len;
800
	n = kzalloc(sizeof(*n) + key_len, GFP_KERNEL);
801
	if (!n) {
802
		err = -ENOBUFS;
803
		goto out;
804
	}
805

806
	write_pnet(&n->net, net);
807
	memcpy(n->key, pkey, key_len);
808
	n->dev = dev;
809
	netdev_hold(dev, &n->dev_tracker, GFP_KERNEL);
810

811
	if (tbl->pconstructor && tbl->pconstructor(n)) {
812
		netdev_put(dev, &n->dev_tracker);
813
		kfree(n);
814
		err = -ENOBUFS;
815
		goto out;
816
	}
817

818
	hash_val = pneigh_hash(pkey, key_len);
819
	n->next = tbl->phash_buckets[hash_val];
820
	rcu_assign_pointer(tbl->phash_buckets[hash_val], n);
821
update:
822
	WRITE_ONCE(n->flags, flags);
823
	n->permanent = permanent;
824
	WRITE_ONCE(n->protocol, protocol);
825
out:
826
	mutex_unlock(&tbl->phash_lock);
827
	return err;
828
}
829

830
static void pneigh_destroy(struct rcu_head *rcu)
831
{
832
	struct pneigh_entry *n = container_of(rcu, struct pneigh_entry, rcu);
833

834
	netdev_put(n->dev, &n->dev_tracker);
835
	kfree(n);
836
}
837

838
int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *pkey,
839
		  struct net_device *dev)
840
{
841
	struct pneigh_entry *n, __rcu **np;
842
	unsigned int key_len;
843
	u32 hash_val;
844

845
	key_len = tbl->key_len;
846
	hash_val = pneigh_hash(pkey, key_len);
847

848
	mutex_lock(&tbl->phash_lock);
849

850
	for (np = &tbl->phash_buckets[hash_val];
851
	     (n = rcu_dereference_protected(*np, 1)) != NULL;
852
	     np = &n->next) {
853
		if (!memcmp(n->key, pkey, key_len) && n->dev == dev &&
854
		    net_eq(pneigh_net(n), net)) {
855
			rcu_assign_pointer(*np, n->next);
856

857
			mutex_unlock(&tbl->phash_lock);
858

859
			if (tbl->pdestructor)
860
				tbl->pdestructor(n);
861

862
			call_rcu(&n->rcu, pneigh_destroy);
863
			return 0;
864
		}
865
	}
866

867
	mutex_unlock(&tbl->phash_lock);
868
	return -ENOENT;
869
}
870

871
static void pneigh_ifdown(struct neigh_table *tbl, struct net_device *dev,
872
			  bool skip_perm)
873
{
874
	struct pneigh_entry *n, __rcu **np;
875
	LIST_HEAD(head);
876
	u32 h;
877

878
	mutex_lock(&tbl->phash_lock);
879

880
	for (h = 0; h <= PNEIGH_HASHMASK; h++) {
881
		np = &tbl->phash_buckets[h];
882
		while ((n = rcu_dereference_protected(*np, 1)) != NULL) {
883
			if (skip_perm && n->permanent)
884
				goto skip;
885
			if (!dev || n->dev == dev) {
886
				rcu_assign_pointer(*np, n->next);
887
				list_add(&n->free_node, &head);
888
				continue;
889
			}
890
skip:
891
			np = &n->next;
892
		}
893
	}
894

895
	mutex_unlock(&tbl->phash_lock);
896

897
	while (!list_empty(&head)) {
898
		n = list_first_entry(&head, typeof(*n), free_node);
899
		list_del(&n->free_node);
900

901
		if (tbl->pdestructor)
902
			tbl->pdestructor(n);
903

904
		call_rcu(&n->rcu, pneigh_destroy);
905
	}
906
}
907

908
static inline void neigh_parms_put(struct neigh_parms *parms)
909
{
910
	if (refcount_dec_and_test(&parms->refcnt))
911
		kfree(parms);
912
}
913

914
/*
915
 *	neighbour must already be out of the table;
916
 *
917
 */
918
void neigh_destroy(struct neighbour *neigh)
919
{
920
	struct net_device *dev = neigh->dev;
921

922
	NEIGH_CACHE_STAT_INC(neigh->tbl, destroys);
923

924
	if (!neigh->dead) {
925
		pr_warn("Destroying alive neighbour %p\n", neigh);
926
		dump_stack();
927
		return;
928
	}
929

930
	if (neigh_del_timer(neigh))
931
		pr_warn("Impossible event\n");
932

933
	write_lock_bh(&neigh->lock);
934
	__skb_queue_purge(&neigh->arp_queue);
935
	write_unlock_bh(&neigh->lock);
936
	neigh->arp_queue_len_bytes = 0;
937

938
	if (dev->netdev_ops->ndo_neigh_destroy)
939
		dev->netdev_ops->ndo_neigh_destroy(dev, neigh);
940

941
	netdev_put(dev, &neigh->dev_tracker);
942
	neigh_parms_put(neigh->parms);
943

944
	neigh_dbg(2, "neigh %p is destroyed\n", neigh);
945

946
	atomic_dec(&neigh->tbl->entries);
947
	kfree_rcu(neigh, rcu);
948
}
949
EXPORT_SYMBOL(neigh_destroy);
950

951
/* Neighbour state is suspicious;
952
   disable fast path.
953

954
   Called with write_locked neigh.
955
 */
956
static void neigh_suspect(struct neighbour *neigh)
957
{
958
	neigh_dbg(2, "neigh %p is suspected\n", neigh);
959

960
	WRITE_ONCE(neigh->output, neigh->ops->output);
961
}
962

963
/* Neighbour state is OK;
964
   enable fast path.
965

966
   Called with write_locked neigh.
967
 */
968
static void neigh_connect(struct neighbour *neigh)
969
{
970
	neigh_dbg(2, "neigh %p is connected\n", neigh);
971

972
	WRITE_ONCE(neigh->output, neigh->ops->connected_output);
973
}
974

975
static void neigh_periodic_work(struct work_struct *work)
976
{
977
	struct neigh_table *tbl = container_of(work, struct neigh_table, gc_work.work);
978
	struct neigh_hash_table *nht;
979
	struct hlist_node *tmp;
980
	struct neighbour *n;
981
	unsigned int i;
982

983
	NEIGH_CACHE_STAT_INC(tbl, periodic_gc_runs);
984

985
	write_lock_bh(&tbl->lock);
986
	nht = rcu_dereference_protected(tbl->nht,
987
					lockdep_is_held(&tbl->lock));
988

989
	/*
990
	 *	periodically recompute ReachableTime from random function
991
	 */
992

993
	if (time_after(jiffies, tbl->last_rand + 300 * HZ)) {
994
		struct neigh_parms *p;
995

996
		WRITE_ONCE(tbl->last_rand, jiffies);
997
		list_for_each_entry(p, &tbl->parms_list, list)
998
			p->reachable_time =
999
				neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
1000
	}
1001

1002
	if (atomic_read(&tbl->entries) < READ_ONCE(tbl->gc_thresh1))
1003
		goto out;
1004

1005
	for (i = 0 ; i < (1 << nht->hash_shift); i++) {
1006
		neigh_for_each_in_bucket_safe(n, tmp, &nht->hash_heads[i]) {
1007
			unsigned int state;
1008

1009
			write_lock(&n->lock);
1010

1011
			state = n->nud_state;
1012
			if ((state & (NUD_PERMANENT | NUD_IN_TIMER)) ||
1013
			    (n->flags &
1014
			     (NTF_EXT_LEARNED | NTF_EXT_VALIDATED))) {
1015
				write_unlock(&n->lock);
1016
				continue;
1017
			}
1018

1019
			if (time_before(n->used, n->confirmed) &&
1020
			    time_is_before_eq_jiffies(n->confirmed))
1021
				n->used = n->confirmed;
1022

1023
			if (refcount_read(&n->refcnt) == 1 &&
1024
			    (state == NUD_FAILED ||
1025
			     !time_in_range_open(jiffies, n->used,
1026
						 n->used + NEIGH_VAR(n->parms, GC_STALETIME)))) {
1027
				hlist_del_rcu(&n->hash);
1028
				hlist_del_rcu(&n->dev_list);
1029
				neigh_mark_dead(n);
1030
				write_unlock(&n->lock);
1031
				neigh_cleanup_and_release(n);
1032
				continue;
1033
			}
1034
			write_unlock(&n->lock);
1035
		}
1036
		/*
1037
		 * It's fine to release lock here, even if hash table
1038
		 * grows while we are preempted.
1039
		 */
1040
		write_unlock_bh(&tbl->lock);
1041
		cond_resched();
1042
		write_lock_bh(&tbl->lock);
1043
		nht = rcu_dereference_protected(tbl->nht,
1044
						lockdep_is_held(&tbl->lock));
1045
	}
1046
out:
1047
	/* Cycle through all hash buckets every BASE_REACHABLE_TIME/2 ticks.
1048
	 * ARP entry timeouts range from 1/2 BASE_REACHABLE_TIME to 3/2
1049
	 * BASE_REACHABLE_TIME.
1050
	 */
1051
	queue_delayed_work(system_power_efficient_wq, &tbl->gc_work,
1052
			      NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME) >> 1);
1053
	write_unlock_bh(&tbl->lock);
1054
}
1055

1056
static __inline__ int neigh_max_probes(struct neighbour *n)
1057
{
1058
	struct neigh_parms *p = n->parms;
1059
	return NEIGH_VAR(p, UCAST_PROBES) + NEIGH_VAR(p, APP_PROBES) +
1060
	       (n->nud_state & NUD_PROBE ? NEIGH_VAR(p, MCAST_REPROBES) :
1061
	        NEIGH_VAR(p, MCAST_PROBES));
1062
}
1063

1064
static void neigh_invalidate(struct neighbour *neigh)
1065
	__releases(neigh->lock)
1066
	__acquires(neigh->lock)
1067
{
1068
	struct sk_buff *skb;
1069

1070
	NEIGH_CACHE_STAT_INC(neigh->tbl, res_failed);
1071
	neigh_dbg(2, "neigh %p is failed\n", neigh);
1072
	neigh->updated = jiffies;
1073

1074
	/* It is very thin place. report_unreachable is very complicated
1075
	   routine. Particularly, it can hit the same neighbour entry!
1076

1077
	   So that, we try to be accurate and avoid dead loop. --ANK
1078
	 */
1079
	while (neigh->nud_state == NUD_FAILED &&
1080
	       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
1081
		write_unlock(&neigh->lock);
1082
		neigh->ops->error_report(neigh, skb);
1083
		write_lock(&neigh->lock);
1084
	}
1085
	__skb_queue_purge(&neigh->arp_queue);
1086
	neigh->arp_queue_len_bytes = 0;
1087
}
1088

1089
static void neigh_probe(struct neighbour *neigh)
1090
	__releases(neigh->lock)
1091
{
1092
	struct sk_buff *skb = skb_peek_tail(&neigh->arp_queue);
1093
	/* keep skb alive even if arp_queue overflows */
1094
	if (skb)
1095
		skb = skb_clone(skb, GFP_ATOMIC);
1096
	write_unlock(&neigh->lock);
1097
	if (neigh->ops->solicit)
1098
		neigh->ops->solicit(neigh, skb);
1099
	atomic_inc(&neigh->probes);
1100
	consume_skb(skb);
1101
}
1102

1103
/* Called when a timer expires for a neighbour entry. */
1104

1105
static void neigh_timer_handler(struct timer_list *t)
1106
{
1107
	unsigned long now, next;
1108
	struct neighbour *neigh = timer_container_of(neigh, t, timer);
1109
	unsigned int state;
1110
	int notify = 0;
1111

1112
	write_lock(&neigh->lock);
1113

1114
	state = neigh->nud_state;
1115
	now = jiffies;
1116
	next = now + HZ;
1117

1118
	if (!(state & NUD_IN_TIMER))
1119
		goto out;
1120

1121
	if (state & NUD_REACHABLE) {
1122
		if (time_before_eq(now,
1123
				   neigh->confirmed + neigh->parms->reachable_time)) {
1124
			neigh_dbg(2, "neigh %p is still alive\n", neigh);
1125
			next = neigh->confirmed + neigh->parms->reachable_time;
1126
		} else if (time_before_eq(now,
1127
					  neigh->used +
1128
					  NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME))) {
1129
			neigh_dbg(2, "neigh %p is delayed\n", neigh);
1130
			WRITE_ONCE(neigh->nud_state, NUD_DELAY);
1131
			neigh->updated = jiffies;
1132
			neigh_suspect(neigh);
1133
			next = now + NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME);
1134
		} else {
1135
			neigh_dbg(2, "neigh %p is suspected\n", neigh);
1136
			WRITE_ONCE(neigh->nud_state, NUD_STALE);
1137
			neigh->updated = jiffies;
1138
			neigh_suspect(neigh);
1139
			notify = 1;
1140
		}
1141
	} else if (state & NUD_DELAY) {
1142
		if (time_before_eq(now,
1143
				   neigh->confirmed +
1144
				   NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME))) {
1145
			neigh_dbg(2, "neigh %p is now reachable\n", neigh);
1146
			WRITE_ONCE(neigh->nud_state, NUD_REACHABLE);
1147
			neigh->updated = jiffies;
1148
			neigh_connect(neigh);
1149
			notify = 1;
1150
			next = neigh->confirmed + neigh->parms->reachable_time;
1151
		} else {
1152
			neigh_dbg(2, "neigh %p is probed\n", neigh);
1153
			WRITE_ONCE(neigh->nud_state, NUD_PROBE);
1154
			neigh->updated = jiffies;
1155
			atomic_set(&neigh->probes, 0);
1156
			notify = 1;
1157
			next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
1158
					 HZ/100);
1159
		}
1160
	} else {
1161
		/* NUD_PROBE|NUD_INCOMPLETE */
1162
		next = now + max(NEIGH_VAR(neigh->parms, RETRANS_TIME), HZ/100);
1163
	}
1164

1165
	if ((neigh->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) &&
1166
	    atomic_read(&neigh->probes) >= neigh_max_probes(neigh)) {
1167
		if (neigh->nud_state == NUD_PROBE &&
1168
		    neigh->flags & NTF_EXT_VALIDATED) {
1169
			WRITE_ONCE(neigh->nud_state, NUD_STALE);
1170
			neigh->updated = jiffies;
1171
		} else {
1172
			WRITE_ONCE(neigh->nud_state, NUD_FAILED);
1173
			neigh_invalidate(neigh);
1174
		}
1175
		notify = 1;
1176
		goto out;
1177
	}
1178

1179
	if (neigh->nud_state & NUD_IN_TIMER) {
1180
		if (time_before(next, jiffies + HZ/100))
1181
			next = jiffies + HZ/100;
1182
		if (!mod_timer(&neigh->timer, next))
1183
			neigh_hold(neigh);
1184
	}
1185
	if (neigh->nud_state & (NUD_INCOMPLETE | NUD_PROBE)) {
1186
		neigh_probe(neigh);
1187
	} else {
1188
out:
1189
		write_unlock(&neigh->lock);
1190
	}
1191

1192
	if (notify)
1193
		neigh_update_notify(neigh, 0);
1194

1195
	trace_neigh_timer_handler(neigh, 0);
1196

1197
	neigh_release(neigh);
1198
}
1199

1200
int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb,
1201
		       const bool immediate_ok)
1202
{
1203
	int rc;
1204
	bool immediate_probe = false;
1205

1206
	write_lock_bh(&neigh->lock);
1207

1208
	rc = 0;
1209
	if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
1210
		goto out_unlock_bh;
1211
	if (neigh->dead)
1212
		goto out_dead;
1213

1214
	if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
1215
		if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
1216
		    NEIGH_VAR(neigh->parms, APP_PROBES)) {
1217
			unsigned long next, now = jiffies;
1218

1219
			atomic_set(&neigh->probes,
1220
				   NEIGH_VAR(neigh->parms, UCAST_PROBES));
1221
			neigh_del_timer(neigh);
1222
			WRITE_ONCE(neigh->nud_state, NUD_INCOMPLETE);
1223
			neigh->updated = now;
1224
			if (!immediate_ok) {
1225
				next = now + 1;
1226
			} else {
1227
				immediate_probe = true;
1228
				next = now + max(NEIGH_VAR(neigh->parms,
1229
							   RETRANS_TIME),
1230
						 HZ / 100);
1231
			}
1232
			neigh_add_timer(neigh, next);
1233
		} else {
1234
			WRITE_ONCE(neigh->nud_state, NUD_FAILED);
1235
			neigh->updated = jiffies;
1236
			write_unlock_bh(&neigh->lock);
1237

1238
			kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_FAILED);
1239
			return 1;
1240
		}
1241
	} else if (neigh->nud_state & NUD_STALE) {
1242
		neigh_dbg(2, "neigh %p is delayed\n", neigh);
1243
		neigh_del_timer(neigh);
1244
		WRITE_ONCE(neigh->nud_state, NUD_DELAY);
1245
		neigh->updated = jiffies;
1246
		neigh_add_timer(neigh, jiffies +
1247
				NEIGH_VAR(neigh->parms, DELAY_PROBE_TIME));
1248
	}
1249

1250
	if (neigh->nud_state == NUD_INCOMPLETE) {
1251
		if (skb) {
1252
			while (neigh->arp_queue_len_bytes + skb->truesize >
1253
			       NEIGH_VAR(neigh->parms, QUEUE_LEN_BYTES)) {
1254
				struct sk_buff *buff;
1255

1256
				buff = __skb_dequeue(&neigh->arp_queue);
1257
				if (!buff)
1258
					break;
1259
				neigh->arp_queue_len_bytes -= buff->truesize;
1260
				kfree_skb_reason(buff, SKB_DROP_REASON_NEIGH_QUEUEFULL);
1261
				NEIGH_CACHE_STAT_INC(neigh->tbl, unres_discards);
1262
			}
1263
			skb_dst_force(skb);
1264
			__skb_queue_tail(&neigh->arp_queue, skb);
1265
			neigh->arp_queue_len_bytes += skb->truesize;
1266
		}
1267
		rc = 1;
1268
	}
1269
out_unlock_bh:
1270
	if (immediate_probe)
1271
		neigh_probe(neigh);
1272
	else
1273
		write_unlock(&neigh->lock);
1274
	local_bh_enable();
1275
	trace_neigh_event_send_done(neigh, rc);
1276
	return rc;
1277

1278
out_dead:
1279
	if (neigh->nud_state & NUD_STALE)
1280
		goto out_unlock_bh;
1281
	write_unlock_bh(&neigh->lock);
1282
	kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_DEAD);
1283
	trace_neigh_event_send_dead(neigh, 1);
1284
	return 1;
1285
}
1286
EXPORT_SYMBOL(__neigh_event_send);
1287

1288
static void neigh_update_hhs(struct neighbour *neigh)
1289
{
1290
	struct hh_cache *hh;
1291
	void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
1292
		= NULL;
1293

1294
	if (neigh->dev->header_ops)
1295
		update = neigh->dev->header_ops->cache_update;
1296

1297
	if (update) {
1298
		hh = &neigh->hh;
1299
		if (READ_ONCE(hh->hh_len)) {
1300
			write_seqlock_bh(&hh->hh_lock);
1301
			update(hh, neigh->dev, neigh->ha);
1302
			write_sequnlock_bh(&hh->hh_lock);
1303
		}
1304
	}
1305
}
1306

1307
/* Generic update routine.
1308
   -- lladdr is new lladdr or NULL, if it is not supplied.
1309
   -- new    is new state.
1310
   -- flags
1311
	NEIGH_UPDATE_F_OVERRIDE allows to override existing lladdr,
1312
				if it is different.
1313
	NEIGH_UPDATE_F_WEAK_OVERRIDE will suspect existing "connected"
1314
				lladdr instead of overriding it
1315
				if it is different.
1316
	NEIGH_UPDATE_F_ADMIN	means that the change is administrative.
1317
	NEIGH_UPDATE_F_USE	means that the entry is user triggered.
1318
	NEIGH_UPDATE_F_MANAGED	means that the entry will be auto-refreshed.
1319
	NEIGH_UPDATE_F_OVERRIDE_ISROUTER allows to override existing
1320
				NTF_ROUTER flag.
1321
	NEIGH_UPDATE_F_ISROUTER	indicates if the neighbour is known as
1322
				a router.
1323
	NEIGH_UPDATE_F_EXT_VALIDATED means that the entry will not be removed
1324
				or invalidated.
1325

1326
   Caller MUST hold reference count on the entry.
1327
 */
1328
static int __neigh_update(struct neighbour *neigh, const u8 *lladdr,
1329
			  u8 new, u32 flags, u32 nlmsg_pid,
1330
			  struct netlink_ext_ack *extack)
1331
{
1332
	bool gc_update = false, managed_update = false;
1333
	int update_isrouter = 0;
1334
	struct net_device *dev;
1335
	int err, notify = 0;
1336
	u8 old;
1337

1338
	trace_neigh_update(neigh, lladdr, new, flags, nlmsg_pid);
1339

1340
	write_lock_bh(&neigh->lock);
1341

1342
	dev    = neigh->dev;
1343
	old    = neigh->nud_state;
1344
	err    = -EPERM;
1345

1346
	if (neigh->dead) {
1347
		NL_SET_ERR_MSG(extack, "Neighbor entry is now dead");
1348
		new = old;
1349
		goto out;
1350
	}
1351
	if (!(flags & NEIGH_UPDATE_F_ADMIN) &&
1352
	    (old & (NUD_NOARP | NUD_PERMANENT)))
1353
		goto out;
1354

1355
	neigh_update_flags(neigh, flags, &notify, &gc_update, &managed_update);
1356
	if (flags & (NEIGH_UPDATE_F_USE | NEIGH_UPDATE_F_MANAGED)) {
1357
		new = old & ~NUD_PERMANENT;
1358
		WRITE_ONCE(neigh->nud_state, new);
1359
		err = 0;
1360
		goto out;
1361
	}
1362

1363
	if (!(new & NUD_VALID)) {
1364
		neigh_del_timer(neigh);
1365
		if (old & NUD_CONNECTED)
1366
			neigh_suspect(neigh);
1367
		WRITE_ONCE(neigh->nud_state, new);
1368
		err = 0;
1369
		notify = old & NUD_VALID;
1370
		if ((old & (NUD_INCOMPLETE | NUD_PROBE)) &&
1371
		    (new & NUD_FAILED)) {
1372
			neigh_invalidate(neigh);
1373
			notify = 1;
1374
		}
1375
		goto out;
1376
	}
1377

1378
	/* Compare new lladdr with cached one */
1379
	if (!dev->addr_len) {
1380
		/* First case: device needs no address. */
1381
		lladdr = neigh->ha;
1382
	} else if (lladdr) {
1383
		/* The second case: if something is already cached
1384
		   and a new address is proposed:
1385
		   - compare new & old
1386
		   - if they are different, check override flag
1387
		 */
1388
		if ((old & NUD_VALID) &&
1389
		    !memcmp(lladdr, neigh->ha, dev->addr_len))
1390
			lladdr = neigh->ha;
1391
	} else {
1392
		/* No address is supplied; if we know something,
1393
		   use it, otherwise discard the request.
1394
		 */
1395
		err = -EINVAL;
1396
		if (!(old & NUD_VALID)) {
1397
			NL_SET_ERR_MSG(extack, "No link layer address given");
1398
			goto out;
1399
		}
1400
		lladdr = neigh->ha;
1401
	}
1402

1403
	/* Update confirmed timestamp for neighbour entry after we
1404
	 * received ARP packet even if it doesn't change IP to MAC binding.
1405
	 */
1406
	if (new & NUD_CONNECTED)
1407
		neigh->confirmed = jiffies;
1408

1409
	/* If entry was valid and address is not changed,
1410
	   do not change entry state, if new one is STALE.
1411
	 */
1412
	err = 0;
1413
	update_isrouter = flags & NEIGH_UPDATE_F_OVERRIDE_ISROUTER;
1414
	if (old & NUD_VALID) {
1415
		if (lladdr != neigh->ha && !(flags & NEIGH_UPDATE_F_OVERRIDE)) {
1416
			update_isrouter = 0;
1417
			if ((flags & NEIGH_UPDATE_F_WEAK_OVERRIDE) &&
1418
			    (old & NUD_CONNECTED)) {
1419
				lladdr = neigh->ha;
1420
				new = NUD_STALE;
1421
			} else
1422
				goto out;
1423
		} else {
1424
			if (lladdr == neigh->ha && new == NUD_STALE &&
1425
			    !(flags & NEIGH_UPDATE_F_ADMIN))
1426
				new = old;
1427
		}
1428
	}
1429

1430
	/* Update timestamp only once we know we will make a change to the
1431
	 * neighbour entry. Otherwise we risk to move the locktime window with
1432
	 * noop updates and ignore relevant ARP updates.
1433
	 */
1434
	if (new != old || lladdr != neigh->ha)
1435
		neigh->updated = jiffies;
1436

1437
	if (new != old) {
1438
		neigh_del_timer(neigh);
1439
		if (new & NUD_PROBE)
1440
			atomic_set(&neigh->probes, 0);
1441
		if (new & NUD_IN_TIMER)
1442
			neigh_add_timer(neigh, (jiffies +
1443
						((new & NUD_REACHABLE) ?
1444
						 neigh->parms->reachable_time :
1445
						 0)));
1446
		WRITE_ONCE(neigh->nud_state, new);
1447
		notify = 1;
1448
	}
1449

1450
	if (lladdr != neigh->ha) {
1451
		write_seqlock(&neigh->ha_lock);
1452
		memcpy(&neigh->ha, lladdr, dev->addr_len);
1453
		write_sequnlock(&neigh->ha_lock);
1454
		neigh_update_hhs(neigh);
1455
		if (!(new & NUD_CONNECTED))
1456
			neigh->confirmed = jiffies -
1457
				      (NEIGH_VAR(neigh->parms, BASE_REACHABLE_TIME) << 1);
1458
		notify = 1;
1459
	}
1460
	if (new == old)
1461
		goto out;
1462
	if (new & NUD_CONNECTED)
1463
		neigh_connect(neigh);
1464
	else
1465
		neigh_suspect(neigh);
1466
	if (!(old & NUD_VALID)) {
1467
		struct sk_buff *skb;
1468

1469
		/* Again: avoid dead loop if something went wrong */
1470

1471
		while (neigh->nud_state & NUD_VALID &&
1472
		       (skb = __skb_dequeue(&neigh->arp_queue)) != NULL) {
1473
			struct dst_entry *dst = skb_dst(skb);
1474
			struct neighbour *n2, *n1 = neigh;
1475
			write_unlock_bh(&neigh->lock);
1476

1477
			rcu_read_lock();
1478

1479
			/* Why not just use 'neigh' as-is?  The problem is that
1480
			 * things such as shaper, eql, and sch_teql can end up
1481
			 * using alternative, different, neigh objects to output
1482
			 * the packet in the output path.  So what we need to do
1483
			 * here is re-lookup the top-level neigh in the path so
1484
			 * we can reinject the packet there.
1485
			 */
1486
			n2 = NULL;
1487
			if (dst &&
1488
			    READ_ONCE(dst->obsolete) != DST_OBSOLETE_DEAD) {
1489
				n2 = dst_neigh_lookup_skb(dst, skb);
1490
				if (n2)
1491
					n1 = n2;
1492
			}
1493
			READ_ONCE(n1->output)(n1, skb);
1494
			if (n2)
1495
				neigh_release(n2);
1496
			rcu_read_unlock();
1497

1498
			write_lock_bh(&neigh->lock);
1499
		}
1500
		__skb_queue_purge(&neigh->arp_queue);
1501
		neigh->arp_queue_len_bytes = 0;
1502
	}
1503
out:
1504
	if (update_isrouter)
1505
		neigh_update_is_router(neigh, flags, &notify);
1506
	write_unlock_bh(&neigh->lock);
1507
	if (((new ^ old) & NUD_PERMANENT) || gc_update)
1508
		neigh_update_gc_list(neigh);
1509
	if (managed_update)
1510
		neigh_update_managed_list(neigh);
1511
	if (notify)
1512
		neigh_update_notify(neigh, nlmsg_pid);
1513
	trace_neigh_update_done(neigh, err);
1514
	return err;
1515
}
1516

1517
int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new,
1518
		 u32 flags, u32 nlmsg_pid)
1519
{
1520
	return __neigh_update(neigh, lladdr, new, flags, nlmsg_pid, NULL);
1521
}
1522
EXPORT_SYMBOL(neigh_update);
1523

1524
/* Update the neigh to listen temporarily for probe responses, even if it is
1525
 * in a NUD_FAILED state. The caller has to hold neigh->lock for writing.
1526
 */
1527
void __neigh_set_probe_once(struct neighbour *neigh)
1528
{
1529
	if (neigh->dead)
1530
		return;
1531
	neigh->updated = jiffies;
1532
	if (!(neigh->nud_state & NUD_FAILED))
1533
		return;
1534
	WRITE_ONCE(neigh->nud_state, NUD_INCOMPLETE);
1535
	atomic_set(&neigh->probes, neigh_max_probes(neigh));
1536
	neigh_add_timer(neigh,
1537
			jiffies + max(NEIGH_VAR(neigh->parms, RETRANS_TIME),
1538
				      HZ/100));
1539
}
1540
EXPORT_SYMBOL(__neigh_set_probe_once);
1541

1542
struct neighbour *neigh_event_ns(struct neigh_table *tbl,
1543
				 u8 *lladdr, void *saddr,
1544
				 struct net_device *dev)
1545
{
1546
	struct neighbour *neigh = __neigh_lookup(tbl, saddr, dev,
1547
						 lladdr || !dev->addr_len);
1548
	if (neigh)
1549
		neigh_update(neigh, lladdr, NUD_STALE,
1550
			     NEIGH_UPDATE_F_OVERRIDE, 0);
1551
	return neigh;
1552
}
1553
EXPORT_SYMBOL(neigh_event_ns);
1554

1555
/* called with read_lock_bh(&n->lock); */
1556
static void neigh_hh_init(struct neighbour *n)
1557
{
1558
	struct net_device *dev = n->dev;
1559
	__be16 prot = n->tbl->protocol;
1560
	struct hh_cache	*hh = &n->hh;
1561

1562
	write_lock_bh(&n->lock);
1563

1564
	/* Only one thread can come in here and initialize the
1565
	 * hh_cache entry.
1566
	 */
1567
	if (!hh->hh_len)
1568
		dev->header_ops->cache(n, hh, prot);
1569

1570
	write_unlock_bh(&n->lock);
1571
}
1572

1573
/* Slow and careful. */
1574

1575
int neigh_resolve_output(struct neighbour *neigh, struct sk_buff *skb)
1576
{
1577
	int rc = 0;
1578

1579
	if (!neigh_event_send(neigh, skb)) {
1580
		int err;
1581
		struct net_device *dev = neigh->dev;
1582
		unsigned int seq;
1583

1584
		if (dev->header_ops->cache && !READ_ONCE(neigh->hh.hh_len))
1585
			neigh_hh_init(neigh);
1586

1587
		do {
1588
			__skb_pull(skb, skb_network_offset(skb));
1589
			seq = read_seqbegin(&neigh->ha_lock);
1590
			err = dev_hard_header(skb, dev, ntohs(skb->protocol),
1591
					      neigh->ha, NULL, skb->len);
1592
		} while (read_seqretry(&neigh->ha_lock, seq));
1593

1594
		if (err >= 0)
1595
			rc = dev_queue_xmit(skb);
1596
		else
1597
			goto out_kfree_skb;
1598
	}
1599
out:
1600
	return rc;
1601
out_kfree_skb:
1602
	rc = -EINVAL;
1603
	kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_HH_FILLFAIL);
1604
	goto out;
1605
}
1606
EXPORT_SYMBOL(neigh_resolve_output);
1607

1608
/* As fast as possible without hh cache */
1609

1610
int neigh_connected_output(struct neighbour *neigh, struct sk_buff *skb)
1611
{
1612
	struct net_device *dev = neigh->dev;
1613
	unsigned int seq;
1614
	int err;
1615

1616
	do {
1617
		__skb_pull(skb, skb_network_offset(skb));
1618
		seq = read_seqbegin(&neigh->ha_lock);
1619
		err = dev_hard_header(skb, dev, ntohs(skb->protocol),
1620
				      neigh->ha, NULL, skb->len);
1621
	} while (read_seqretry(&neigh->ha_lock, seq));
1622

1623
	if (err >= 0)
1624
		err = dev_queue_xmit(skb);
1625
	else {
1626
		err = -EINVAL;
1627
		kfree_skb_reason(skb, SKB_DROP_REASON_NEIGH_HH_FILLFAIL);
1628
	}
1629
	return err;
1630
}
1631
EXPORT_SYMBOL(neigh_connected_output);
1632

1633
int neigh_direct_output(struct neighbour *neigh, struct sk_buff *skb)
1634
{
1635
	return dev_queue_xmit(skb);
1636
}
1637
EXPORT_SYMBOL(neigh_direct_output);
1638

1639
static void neigh_managed_work(struct work_struct *work)
1640
{
1641
	struct neigh_table *tbl = container_of(work, struct neigh_table,
1642
					       managed_work.work);
1643
	struct neighbour *neigh;
1644

1645
	write_lock_bh(&tbl->lock);
1646
	list_for_each_entry(neigh, &tbl->managed_list, managed_list)
1647
		neigh_event_send_probe(neigh, NULL, false);
1648
	queue_delayed_work(system_power_efficient_wq, &tbl->managed_work,
1649
			   NEIGH_VAR(&tbl->parms, INTERVAL_PROBE_TIME_MS));
1650
	write_unlock_bh(&tbl->lock);
1651
}
1652

1653
static void neigh_proxy_process(struct timer_list *t)
1654
{
1655
	struct neigh_table *tbl = timer_container_of(tbl, t, proxy_timer);
1656
	long sched_next = 0;
1657
	unsigned long now = jiffies;
1658
	struct sk_buff *skb, *n;
1659

1660
	spin_lock(&tbl->proxy_queue.lock);
1661

1662
	skb_queue_walk_safe(&tbl->proxy_queue, skb, n) {
1663
		long tdif = NEIGH_CB(skb)->sched_next - now;
1664

1665
		if (tdif <= 0) {
1666
			struct net_device *dev = skb->dev;
1667

1668
			neigh_parms_qlen_dec(dev, tbl->family);
1669
			__skb_unlink(skb, &tbl->proxy_queue);
1670

1671
			if (tbl->proxy_redo && netif_running(dev)) {
1672
				rcu_read_lock();
1673
				tbl->proxy_redo(skb);
1674
				rcu_read_unlock();
1675
			} else {
1676
				kfree_skb(skb);
1677
			}
1678

1679
			dev_put(dev);
1680
		} else if (!sched_next || tdif < sched_next)
1681
			sched_next = tdif;
1682
	}
1683
	timer_delete(&tbl->proxy_timer);
1684
	if (sched_next)
1685
		mod_timer(&tbl->proxy_timer, jiffies + sched_next);
1686
	spin_unlock(&tbl->proxy_queue.lock);
1687
}
1688

1689
static unsigned long neigh_proxy_delay(struct neigh_parms *p)
1690
{
1691
	/* If proxy_delay is zero, do not call get_random_u32_below()
1692
	 * as it is undefined behavior.
1693
	 */
1694
	unsigned long proxy_delay = NEIGH_VAR(p, PROXY_DELAY);
1695

1696
	return proxy_delay ?
1697
	       jiffies + get_random_u32_below(proxy_delay) : jiffies;
1698
}
1699

1700
void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
1701
		    struct sk_buff *skb)
1702
{
1703
	unsigned long sched_next = neigh_proxy_delay(p);
1704

1705
	if (p->qlen > NEIGH_VAR(p, PROXY_QLEN)) {
1706
		kfree_skb(skb);
1707
		return;
1708
	}
1709

1710
	NEIGH_CB(skb)->sched_next = sched_next;
1711
	NEIGH_CB(skb)->flags |= LOCALLY_ENQUEUED;
1712

1713
	spin_lock(&tbl->proxy_queue.lock);
1714
	if (timer_delete(&tbl->proxy_timer)) {
1715
		if (time_before(tbl->proxy_timer.expires, sched_next))
1716
			sched_next = tbl->proxy_timer.expires;
1717
	}
1718
	skb_dst_drop(skb);
1719
	dev_hold(skb->dev);
1720
	__skb_queue_tail(&tbl->proxy_queue, skb);
1721
	p->qlen++;
1722
	mod_timer(&tbl->proxy_timer, sched_next);
1723
	spin_unlock(&tbl->proxy_queue.lock);
1724
}
1725
EXPORT_SYMBOL(pneigh_enqueue);
1726

1727
static inline struct neigh_parms *lookup_neigh_parms(struct neigh_table *tbl,
1728
						      struct net *net, int ifindex)
1729
{
1730
	struct neigh_parms *p;
1731

1732
	list_for_each_entry(p, &tbl->parms_list, list) {
1733
		if ((p->dev && p->dev->ifindex == ifindex && net_eq(neigh_parms_net(p), net)) ||
1734
		    (!p->dev && !ifindex && net_eq(net, &init_net)))
1735
			return p;
1736
	}
1737

1738
	return NULL;
1739
}
1740

1741
struct neigh_parms *neigh_parms_alloc(struct net_device *dev,
1742
				      struct neigh_table *tbl)
1743
{
1744
	struct neigh_parms *p;
1745
	struct net *net = dev_net(dev);
1746
	const struct net_device_ops *ops = dev->netdev_ops;
1747

1748
	p = kmemdup(&tbl->parms, sizeof(*p), GFP_KERNEL);
1749
	if (p) {
1750
		p->tbl		  = tbl;
1751
		refcount_set(&p->refcnt, 1);
1752
		p->reachable_time =
1753
				neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
1754
		p->qlen = 0;
1755
		netdev_hold(dev, &p->dev_tracker, GFP_KERNEL);
1756
		p->dev = dev;
1757
		write_pnet(&p->net, net);
1758
		p->sysctl_table = NULL;
1759

1760
		if (ops->ndo_neigh_setup && ops->ndo_neigh_setup(dev, p)) {
1761
			netdev_put(dev, &p->dev_tracker);
1762
			kfree(p);
1763
			return NULL;
1764
		}
1765

1766
		write_lock_bh(&tbl->lock);
1767
		list_add(&p->list, &tbl->parms.list);
1768
		write_unlock_bh(&tbl->lock);
1769

1770
		neigh_parms_data_state_cleanall(p);
1771
	}
1772
	return p;
1773
}
1774
EXPORT_SYMBOL(neigh_parms_alloc);
1775

1776
static void neigh_rcu_free_parms(struct rcu_head *head)
1777
{
1778
	struct neigh_parms *parms =
1779
		container_of(head, struct neigh_parms, rcu_head);
1780

1781
	neigh_parms_put(parms);
1782
}
1783

1784
void neigh_parms_release(struct neigh_table *tbl, struct neigh_parms *parms)
1785
{
1786
	if (!parms || parms == &tbl->parms)
1787
		return;
1788
	write_lock_bh(&tbl->lock);
1789
	list_del(&parms->list);
1790
	parms->dead = 1;
1791
	write_unlock_bh(&tbl->lock);
1792
	netdev_put(parms->dev, &parms->dev_tracker);
1793
	call_rcu(&parms->rcu_head, neigh_rcu_free_parms);
1794
}
1795
EXPORT_SYMBOL(neigh_parms_release);
1796

1797
static struct lock_class_key neigh_table_proxy_queue_class;
1798

1799
static struct neigh_table __rcu *neigh_tables[NEIGH_NR_TABLES] __read_mostly;
1800

1801
void neigh_table_init(int index, struct neigh_table *tbl)
1802
{
1803
	unsigned long now = jiffies;
1804
	unsigned long phsize;
1805

1806
	INIT_LIST_HEAD(&tbl->parms_list);
1807
	INIT_LIST_HEAD(&tbl->gc_list);
1808
	INIT_LIST_HEAD(&tbl->managed_list);
1809

1810
	list_add(&tbl->parms.list, &tbl->parms_list);
1811
	write_pnet(&tbl->parms.net, &init_net);
1812
	refcount_set(&tbl->parms.refcnt, 1);
1813
	tbl->parms.reachable_time =
1814
			  neigh_rand_reach_time(NEIGH_VAR(&tbl->parms, BASE_REACHABLE_TIME));
1815
	tbl->parms.qlen = 0;
1816

1817
	tbl->stats = alloc_percpu(struct neigh_statistics);
1818
	if (!tbl->stats)
1819
		panic("cannot create neighbour cache statistics");
1820

1821
#ifdef CONFIG_PROC_FS
1822
	if (!proc_create_seq_data(tbl->id, 0, init_net.proc_net_stat,
1823
			      &neigh_stat_seq_ops, tbl))
1824
		panic("cannot create neighbour proc dir entry");
1825
#endif
1826

1827
	RCU_INIT_POINTER(tbl->nht, neigh_hash_alloc(3));
1828

1829
	phsize = (PNEIGH_HASHMASK + 1) * sizeof(struct pneigh_entry *);
1830
	tbl->phash_buckets = kzalloc(phsize, GFP_KERNEL);
1831

1832
	if (!tbl->nht || !tbl->phash_buckets)
1833
		panic("cannot allocate neighbour cache hashes");
1834

1835
	if (!tbl->entry_size)
1836
		tbl->entry_size = ALIGN(offsetof(struct neighbour, primary_key) +
1837
					tbl->key_len, NEIGH_PRIV_ALIGN);
1838
	else
1839
		WARN_ON(tbl->entry_size % NEIGH_PRIV_ALIGN);
1840

1841
	rwlock_init(&tbl->lock);
1842
	mutex_init(&tbl->phash_lock);
1843

1844
	INIT_DEFERRABLE_WORK(&tbl->gc_work, neigh_periodic_work);
1845
	queue_delayed_work(system_power_efficient_wq, &tbl->gc_work,
1846
			tbl->parms.reachable_time);
1847
	INIT_DEFERRABLE_WORK(&tbl->managed_work, neigh_managed_work);
1848
	queue_delayed_work(system_power_efficient_wq, &tbl->managed_work, 0);
1849

1850
	timer_setup(&tbl->proxy_timer, neigh_proxy_process, 0);
1851
	skb_queue_head_init_class(&tbl->proxy_queue,
1852
			&neigh_table_proxy_queue_class);
1853

1854
	tbl->last_flush = now;
1855
	tbl->last_rand	= now + tbl->parms.reachable_time * 20;
1856

1857
	rcu_assign_pointer(neigh_tables[index], tbl);
1858
}
1859
EXPORT_SYMBOL(neigh_table_init);
1860

1861
/*
1862
 * Only called from ndisc_cleanup(), which means this is dead code
1863
 * because we no longer can unload IPv6 module.
1864
 */
1865
int neigh_table_clear(int index, struct neigh_table *tbl)
1866
{
1867
	RCU_INIT_POINTER(neigh_tables[index], NULL);
1868
	synchronize_rcu();
1869

1870
	/* It is not clean... Fix it to unload IPv6 module safely */
1871
	cancel_delayed_work_sync(&tbl->managed_work);
1872
	cancel_delayed_work_sync(&tbl->gc_work);
1873
	timer_delete_sync(&tbl->proxy_timer);
1874
	pneigh_queue_purge(&tbl->proxy_queue, NULL, tbl->family);
1875
	neigh_ifdown(tbl, NULL);
1876
	if (atomic_read(&tbl->entries))
1877
		pr_crit("neighbour leakage\n");
1878

1879
	call_rcu(&rcu_dereference_protected(tbl->nht, 1)->rcu,
1880
		 neigh_hash_free_rcu);
1881
	tbl->nht = NULL;
1882

1883
	kfree(tbl->phash_buckets);
1884
	tbl->phash_buckets = NULL;
1885

1886
	remove_proc_entry(tbl->id, init_net.proc_net_stat);
1887

1888
	free_percpu(tbl->stats);
1889
	tbl->stats = NULL;
1890

1891
	return 0;
1892
}
1893
EXPORT_SYMBOL(neigh_table_clear);
1894

1895
static struct neigh_table *neigh_find_table(int family)
1896
{
1897
	struct neigh_table *tbl = NULL;
1898

1899
	switch (family) {
1900
	case AF_INET:
1901
		tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ARP_TABLE]);
1902
		break;
1903
	case AF_INET6:
1904
		tbl = rcu_dereference_rtnl(neigh_tables[NEIGH_ND_TABLE]);
1905
		break;
1906
	}
1907

1908
	return tbl;
1909
}
1910

1911
const struct nla_policy nda_policy[NDA_MAX+1] = {
1912
	[NDA_UNSPEC]		= { .strict_start_type = NDA_NH_ID },
1913
	[NDA_DST]		= { .type = NLA_BINARY, .len = MAX_ADDR_LEN },
1914
	[NDA_LLADDR]		= { .type = NLA_BINARY, .len = MAX_ADDR_LEN },
1915
	[NDA_CACHEINFO]		= { .len = sizeof(struct nda_cacheinfo) },
1916
	[NDA_PROBES]		= { .type = NLA_U32 },
1917
	[NDA_VLAN]		= { .type = NLA_U16 },
1918
	[NDA_PORT]		= { .type = NLA_U16 },
1919
	[NDA_VNI]		= { .type = NLA_U32 },
1920
	[NDA_IFINDEX]		= { .type = NLA_U32 },
1921
	[NDA_MASTER]		= { .type = NLA_U32 },
1922
	[NDA_PROTOCOL]		= { .type = NLA_U8 },
1923
	[NDA_NH_ID]		= { .type = NLA_U32 },
1924
	[NDA_FLAGS_EXT]		= NLA_POLICY_MASK(NLA_U32, NTF_EXT_MASK),
1925
	[NDA_FDB_EXT_ATTRS]	= { .type = NLA_NESTED },
1926
};
1927

1928
static int neigh_delete(struct sk_buff *skb, struct nlmsghdr *nlh,
1929
			struct netlink_ext_ack *extack)
1930
{
1931
	struct net *net = sock_net(skb->sk);
1932
	struct ndmsg *ndm;
1933
	struct nlattr *dst_attr;
1934
	struct neigh_table *tbl;
1935
	struct neighbour *neigh;
1936
	struct net_device *dev = NULL;
1937
	int err = -EINVAL;
1938

1939
	ASSERT_RTNL();
1940
	if (nlmsg_len(nlh) < sizeof(*ndm))
1941
		goto out;
1942

1943
	dst_attr = nlmsg_find_attr(nlh, sizeof(*ndm), NDA_DST);
1944
	if (!dst_attr) {
1945
		NL_SET_ERR_MSG(extack, "Network address not specified");
1946
		goto out;
1947
	}
1948

1949
	ndm = nlmsg_data(nlh);
1950
	if (ndm->ndm_ifindex) {
1951
		dev = __dev_get_by_index(net, ndm->ndm_ifindex);
1952
		if (dev == NULL) {
1953
			err = -ENODEV;
1954
			goto out;
1955
		}
1956
	}
1957

1958
	tbl = neigh_find_table(ndm->ndm_family);
1959
	if (tbl == NULL)
1960
		return -EAFNOSUPPORT;
1961

1962
	if (nla_len(dst_attr) < (int)tbl->key_len) {
1963
		NL_SET_ERR_MSG(extack, "Invalid network address");
1964
		goto out;
1965
	}
1966

1967
	if (ndm->ndm_flags & NTF_PROXY) {
1968
		err = pneigh_delete(tbl, net, nla_data(dst_attr), dev);
1969
		goto out;
1970
	}
1971

1972
	if (dev == NULL)
1973
		goto out;
1974

1975
	neigh = neigh_lookup(tbl, nla_data(dst_attr), dev);
1976
	if (neigh == NULL) {
1977
		err = -ENOENT;
1978
		goto out;
1979
	}
1980

1981
	err = __neigh_update(neigh, NULL, NUD_FAILED,
1982
			     NEIGH_UPDATE_F_OVERRIDE | NEIGH_UPDATE_F_ADMIN,
1983
			     NETLINK_CB(skb).portid, extack);
1984
	write_lock_bh(&tbl->lock);
1985
	neigh_release(neigh);
1986
	neigh_remove_one(neigh);
1987
	write_unlock_bh(&tbl->lock);
1988

1989
out:
1990
	return err;
1991
}
1992

1993
static int neigh_add(struct sk_buff *skb, struct nlmsghdr *nlh,
1994
		     struct netlink_ext_ack *extack)
1995
{
1996
	int flags = NEIGH_UPDATE_F_ADMIN | NEIGH_UPDATE_F_OVERRIDE |
1997
		    NEIGH_UPDATE_F_OVERRIDE_ISROUTER;
1998
	struct net *net = sock_net(skb->sk);
1999
	struct ndmsg *ndm;
2000
	struct nlattr *tb[NDA_MAX+1];
2001
	struct neigh_table *tbl;
2002
	struct net_device *dev = NULL;
2003
	struct neighbour *neigh;
2004
	void *dst, *lladdr;
2005
	u8 protocol = 0;
2006
	u32 ndm_flags;
2007
	int err;
2008

2009
	ASSERT_RTNL();
2010
	err = nlmsg_parse_deprecated(nlh, sizeof(*ndm), tb, NDA_MAX,
2011
				     nda_policy, extack);
2012
	if (err < 0)
2013
		goto out;
2014

2015
	err = -EINVAL;
2016
	if (!tb[NDA_DST]) {
2017
		NL_SET_ERR_MSG(extack, "Network address not specified");
2018
		goto out;
2019
	}
2020

2021
	ndm = nlmsg_data(nlh);
2022
	ndm_flags = ndm->ndm_flags;
2023
	if (tb[NDA_FLAGS_EXT]) {
2024
		u32 ext = nla_get_u32(tb[NDA_FLAGS_EXT]);
2025

2026
		BUILD_BUG_ON(sizeof(neigh->flags) * BITS_PER_BYTE <
2027
			     (sizeof(ndm->ndm_flags) * BITS_PER_BYTE +
2028
			      hweight32(NTF_EXT_MASK)));
2029
		ndm_flags |= (ext << NTF_EXT_SHIFT);
2030
	}
2031
	if (ndm->ndm_ifindex) {
2032
		dev = __dev_get_by_index(net, ndm->ndm_ifindex);
2033
		if (dev == NULL) {
2034
			err = -ENODEV;
2035
			goto out;
2036
		}
2037

2038
		if (tb[NDA_LLADDR] && nla_len(tb[NDA_LLADDR]) < dev->addr_len) {
2039
			NL_SET_ERR_MSG(extack, "Invalid link address");
2040
			goto out;
2041
		}
2042
	}
2043

2044
	tbl = neigh_find_table(ndm->ndm_family);
2045
	if (tbl == NULL)
2046
		return -EAFNOSUPPORT;
2047

2048
	if (nla_len(tb[NDA_DST]) < (int)tbl->key_len) {
2049
		NL_SET_ERR_MSG(extack, "Invalid network address");
2050
		goto out;
2051
	}
2052

2053
	dst = nla_data(tb[NDA_DST]);
2054
	lladdr = tb[NDA_LLADDR] ? nla_data(tb[NDA_LLADDR]) : NULL;
2055

2056
	if (tb[NDA_PROTOCOL])
2057
		protocol = nla_get_u8(tb[NDA_PROTOCOL]);
2058
	if (ndm_flags & NTF_PROXY) {
2059
		if (ndm_flags & (NTF_MANAGED | NTF_EXT_VALIDATED)) {
2060
			NL_SET_ERR_MSG(extack, "Invalid NTF_* flag combination");
2061
			goto out;
2062
		}
2063

2064
		err = pneigh_create(tbl, net, dst, dev, ndm_flags, protocol,
2065
				    !!(ndm->ndm_state & NUD_PERMANENT));
2066
		goto out;
2067
	}
2068

2069
	if (!dev) {
2070
		NL_SET_ERR_MSG(extack, "Device not specified");
2071
		goto out;
2072
	}
2073

2074
	if (tbl->allow_add && !tbl->allow_add(dev, extack)) {
2075
		err = -EINVAL;
2076
		goto out;
2077
	}
2078

2079
	neigh = neigh_lookup(tbl, dst, dev);
2080
	if (neigh == NULL) {
2081
		bool ndm_permanent  = ndm->ndm_state & NUD_PERMANENT;
2082
		bool exempt_from_gc = ndm_permanent ||
2083
				      ndm_flags & (NTF_EXT_LEARNED |
2084
						   NTF_EXT_VALIDATED);
2085

2086
		if (!(nlh->nlmsg_flags & NLM_F_CREATE)) {
2087
			err = -ENOENT;
2088
			goto out;
2089
		}
2090
		if (ndm_permanent && (ndm_flags & NTF_MANAGED)) {
2091
			NL_SET_ERR_MSG(extack, "Invalid NTF_* flag for permanent entry");
2092
			err = -EINVAL;
2093
			goto out;
2094
		}
2095
		if (ndm_flags & NTF_EXT_VALIDATED) {
2096
			u8 state = ndm->ndm_state;
2097

2098
			/* NTF_USE and NTF_MANAGED will result in the neighbor
2099
			 * being created with an invalid state (NUD_NONE).
2100
			 */
2101
			if (ndm_flags & (NTF_USE | NTF_MANAGED))
2102
				state = NUD_NONE;
2103

2104
			if (!(state & NUD_VALID)) {
2105
				NL_SET_ERR_MSG(extack,
2106
					       "Cannot create externally validated neighbor with an invalid state");
2107
				err = -EINVAL;
2108
				goto out;
2109
			}
2110
		}
2111

2112
		neigh = ___neigh_create(tbl, dst, dev,
2113
					ndm_flags &
2114
					(NTF_EXT_LEARNED | NTF_MANAGED |
2115
					 NTF_EXT_VALIDATED),
2116
					exempt_from_gc, true);
2117
		if (IS_ERR(neigh)) {
2118
			err = PTR_ERR(neigh);
2119
			goto out;
2120
		}
2121
	} else {
2122
		if (nlh->nlmsg_flags & NLM_F_EXCL) {
2123
			err = -EEXIST;
2124
			neigh_release(neigh);
2125
			goto out;
2126
		}
2127
		if (ndm_flags & NTF_EXT_VALIDATED) {
2128
			u8 state = ndm->ndm_state;
2129

2130
			/* NTF_USE and NTF_MANAGED do not update the existing
2131
			 * state other than clearing it if it was
2132
			 * NUD_PERMANENT.
2133
			 */
2134
			if (ndm_flags & (NTF_USE | NTF_MANAGED))
2135
				state = READ_ONCE(neigh->nud_state) & ~NUD_PERMANENT;
2136

2137
			if (!(state & NUD_VALID)) {
2138
				NL_SET_ERR_MSG(extack,
2139
					       "Cannot mark neighbor as externally validated with an invalid state");
2140
				err = -EINVAL;
2141
				neigh_release(neigh);
2142
				goto out;
2143
			}
2144
		}
2145

2146
		if (!(nlh->nlmsg_flags & NLM_F_REPLACE))
2147
			flags &= ~(NEIGH_UPDATE_F_OVERRIDE |
2148
				   NEIGH_UPDATE_F_OVERRIDE_ISROUTER);
2149
	}
2150

2151
	if (protocol)
2152
		neigh->protocol = protocol;
2153
	if (ndm_flags & NTF_EXT_LEARNED)
2154
		flags |= NEIGH_UPDATE_F_EXT_LEARNED;
2155
	if (ndm_flags & NTF_ROUTER)
2156
		flags |= NEIGH_UPDATE_F_ISROUTER;
2157
	if (ndm_flags & NTF_MANAGED)
2158
		flags |= NEIGH_UPDATE_F_MANAGED;
2159
	if (ndm_flags & NTF_USE)
2160
		flags |= NEIGH_UPDATE_F_USE;
2161
	if (ndm_flags & NTF_EXT_VALIDATED)
2162
		flags |= NEIGH_UPDATE_F_EXT_VALIDATED;
2163

2164
	err = __neigh_update(neigh, lladdr, ndm->ndm_state, flags,
2165
			     NETLINK_CB(skb).portid, extack);
2166
	if (!err && ndm_flags & (NTF_USE | NTF_MANAGED))
2167
		neigh_event_send(neigh, NULL);
2168
	neigh_release(neigh);
2169
out:
2170
	return err;
2171
}
2172

2173
static int neightbl_fill_parms(struct sk_buff *skb, struct neigh_parms *parms)
2174
{
2175
	struct nlattr *nest;
2176

2177
	nest = nla_nest_start_noflag(skb, NDTA_PARMS);
2178
	if (nest == NULL)
2179
		return -ENOBUFS;
2180

2181
	if ((parms->dev &&
2182
	     nla_put_u32(skb, NDTPA_IFINDEX, parms->dev->ifindex)) ||
2183
	    nla_put_u32(skb, NDTPA_REFCNT, refcount_read(&parms->refcnt)) ||
2184
	    nla_put_u32(skb, NDTPA_QUEUE_LENBYTES,
2185
			NEIGH_VAR(parms, QUEUE_LEN_BYTES)) ||
2186
	    /* approximative value for deprecated QUEUE_LEN (in packets) */
2187
	    nla_put_u32(skb, NDTPA_QUEUE_LEN,
2188
			NEIGH_VAR(parms, QUEUE_LEN_BYTES) / SKB_TRUESIZE(ETH_FRAME_LEN)) ||
2189
	    nla_put_u32(skb, NDTPA_PROXY_QLEN, NEIGH_VAR(parms, PROXY_QLEN)) ||
2190
	    nla_put_u32(skb, NDTPA_APP_PROBES, NEIGH_VAR(parms, APP_PROBES)) ||
2191
	    nla_put_u32(skb, NDTPA_UCAST_PROBES,
2192
			NEIGH_VAR(parms, UCAST_PROBES)) ||
2193
	    nla_put_u32(skb, NDTPA_MCAST_PROBES,
2194
			NEIGH_VAR(parms, MCAST_PROBES)) ||
2195
	    nla_put_u32(skb, NDTPA_MCAST_REPROBES,
2196
			NEIGH_VAR(parms, MCAST_REPROBES)) ||
2197
	    nla_put_msecs(skb, NDTPA_REACHABLE_TIME, parms->reachable_time,
2198
			  NDTPA_PAD) ||
2199
	    nla_put_msecs(skb, NDTPA_BASE_REACHABLE_TIME,
2200
			  NEIGH_VAR(parms, BASE_REACHABLE_TIME), NDTPA_PAD) ||
2201
	    nla_put_msecs(skb, NDTPA_GC_STALETIME,
2202
			  NEIGH_VAR(parms, GC_STALETIME), NDTPA_PAD) ||
2203
	    nla_put_msecs(skb, NDTPA_DELAY_PROBE_TIME,
2204
			  NEIGH_VAR(parms, DELAY_PROBE_TIME), NDTPA_PAD) ||
2205
	    nla_put_msecs(skb, NDTPA_RETRANS_TIME,
2206
			  NEIGH_VAR(parms, RETRANS_TIME), NDTPA_PAD) ||
2207
	    nla_put_msecs(skb, NDTPA_ANYCAST_DELAY,
2208
			  NEIGH_VAR(parms, ANYCAST_DELAY), NDTPA_PAD) ||
2209
	    nla_put_msecs(skb, NDTPA_PROXY_DELAY,
2210
			  NEIGH_VAR(parms, PROXY_DELAY), NDTPA_PAD) ||
2211
	    nla_put_msecs(skb, NDTPA_LOCKTIME,
2212
			  NEIGH_VAR(parms, LOCKTIME), NDTPA_PAD) ||
2213
	    nla_put_msecs(skb, NDTPA_INTERVAL_PROBE_TIME_MS,
2214
			  NEIGH_VAR(parms, INTERVAL_PROBE_TIME_MS), NDTPA_PAD))
2215
		goto nla_put_failure;
2216
	return nla_nest_end(skb, nest);
2217

2218
nla_put_failure:
2219
	nla_nest_cancel(skb, nest);
2220
	return -EMSGSIZE;
2221
}
2222

2223
static int neightbl_fill_info(struct sk_buff *skb, struct neigh_table *tbl,
2224
			      u32 pid, u32 seq, int type, int flags)
2225
{
2226
	struct nlmsghdr *nlh;
2227
	struct ndtmsg *ndtmsg;
2228

2229
	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndtmsg), flags);
2230
	if (nlh == NULL)
2231
		return -EMSGSIZE;
2232

2233
	ndtmsg = nlmsg_data(nlh);
2234

2235
	read_lock_bh(&tbl->lock);
2236
	ndtmsg->ndtm_family = tbl->family;
2237
	ndtmsg->ndtm_pad1   = 0;
2238
	ndtmsg->ndtm_pad2   = 0;
2239

2240
	if (nla_put_string(skb, NDTA_NAME, tbl->id) ||
2241
	    nla_put_msecs(skb, NDTA_GC_INTERVAL, READ_ONCE(tbl->gc_interval),
2242
			  NDTA_PAD) ||
2243
	    nla_put_u32(skb, NDTA_THRESH1, READ_ONCE(tbl->gc_thresh1)) ||
2244
	    nla_put_u32(skb, NDTA_THRESH2, READ_ONCE(tbl->gc_thresh2)) ||
2245
	    nla_put_u32(skb, NDTA_THRESH3, READ_ONCE(tbl->gc_thresh3)))
2246
		goto nla_put_failure;
2247
	{
2248
		unsigned long now = jiffies;
2249
		long flush_delta = now - READ_ONCE(tbl->last_flush);
2250
		long rand_delta = now - READ_ONCE(tbl->last_rand);
2251
		struct neigh_hash_table *nht;
2252
		struct ndt_config ndc = {
2253
			.ndtc_key_len		= tbl->key_len,
2254
			.ndtc_entry_size	= tbl->entry_size,
2255
			.ndtc_entries		= atomic_read(&tbl->entries),
2256
			.ndtc_last_flush	= jiffies_to_msecs(flush_delta),
2257
			.ndtc_last_rand		= jiffies_to_msecs(rand_delta),
2258
			.ndtc_proxy_qlen	= READ_ONCE(tbl->proxy_queue.qlen),
2259
		};
2260

2261
		rcu_read_lock();
2262
		nht = rcu_dereference(tbl->nht);
2263
		ndc.ndtc_hash_rnd = nht->hash_rnd[0];
2264
		ndc.ndtc_hash_mask = ((1 << nht->hash_shift) - 1);
2265
		rcu_read_unlock();
2266

2267
		if (nla_put(skb, NDTA_CONFIG, sizeof(ndc), &ndc))
2268
			goto nla_put_failure;
2269
	}
2270

2271
	{
2272
		int cpu;
2273
		struct ndt_stats ndst;
2274

2275
		memset(&ndst, 0, sizeof(ndst));
2276

2277
		for_each_possible_cpu(cpu) {
2278
			struct neigh_statistics	*st;
2279

2280
			st = per_cpu_ptr(tbl->stats, cpu);
2281
			ndst.ndts_allocs		+= READ_ONCE(st->allocs);
2282
			ndst.ndts_destroys		+= READ_ONCE(st->destroys);
2283
			ndst.ndts_hash_grows		+= READ_ONCE(st->hash_grows);
2284
			ndst.ndts_res_failed		+= READ_ONCE(st->res_failed);
2285
			ndst.ndts_lookups		+= READ_ONCE(st->lookups);
2286
			ndst.ndts_hits			+= READ_ONCE(st->hits);
2287
			ndst.ndts_rcv_probes_mcast	+= READ_ONCE(st->rcv_probes_mcast);
2288
			ndst.ndts_rcv_probes_ucast	+= READ_ONCE(st->rcv_probes_ucast);
2289
			ndst.ndts_periodic_gc_runs	+= READ_ONCE(st->periodic_gc_runs);
2290
			ndst.ndts_forced_gc_runs	+= READ_ONCE(st->forced_gc_runs);
2291
			ndst.ndts_table_fulls		+= READ_ONCE(st->table_fulls);
2292
		}
2293

2294
		if (nla_put_64bit(skb, NDTA_STATS, sizeof(ndst), &ndst,
2295
				  NDTA_PAD))
2296
			goto nla_put_failure;
2297
	}
2298

2299
	BUG_ON(tbl->parms.dev);
2300
	if (neightbl_fill_parms(skb, &tbl->parms) < 0)
2301
		goto nla_put_failure;
2302

2303
	read_unlock_bh(&tbl->lock);
2304
	nlmsg_end(skb, nlh);
2305
	return 0;
2306

2307
nla_put_failure:
2308
	read_unlock_bh(&tbl->lock);
2309
	nlmsg_cancel(skb, nlh);
2310
	return -EMSGSIZE;
2311
}
2312

2313
static int neightbl_fill_param_info(struct sk_buff *skb,
2314
				    struct neigh_table *tbl,
2315
				    struct neigh_parms *parms,
2316
				    u32 pid, u32 seq, int type,
2317
				    unsigned int flags)
2318
{
2319
	struct ndtmsg *ndtmsg;
2320
	struct nlmsghdr *nlh;
2321

2322
	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndtmsg), flags);
2323
	if (nlh == NULL)
2324
		return -EMSGSIZE;
2325

2326
	ndtmsg = nlmsg_data(nlh);
2327

2328
	read_lock_bh(&tbl->lock);
2329
	ndtmsg->ndtm_family = tbl->family;
2330
	ndtmsg->ndtm_pad1   = 0;
2331
	ndtmsg->ndtm_pad2   = 0;
2332

2333
	if (nla_put_string(skb, NDTA_NAME, tbl->id) < 0 ||
2334
	    neightbl_fill_parms(skb, parms) < 0)
2335
		goto errout;
2336

2337
	read_unlock_bh(&tbl->lock);
2338
	nlmsg_end(skb, nlh);
2339
	return 0;
2340
errout:
2341
	read_unlock_bh(&tbl->lock);
2342
	nlmsg_cancel(skb, nlh);
2343
	return -EMSGSIZE;
2344
}
2345

2346
static const struct nla_policy nl_neightbl_policy[NDTA_MAX+1] = {
2347
	[NDTA_NAME]		= { .type = NLA_STRING },
2348
	[NDTA_THRESH1]		= { .type = NLA_U32 },
2349
	[NDTA_THRESH2]		= { .type = NLA_U32 },
2350
	[NDTA_THRESH3]		= { .type = NLA_U32 },
2351
	[NDTA_GC_INTERVAL]	= { .type = NLA_U64 },
2352
	[NDTA_PARMS]		= { .type = NLA_NESTED },
2353
};
2354

2355
static const struct nla_policy nl_ntbl_parm_policy[NDTPA_MAX+1] = {
2356
	[NDTPA_IFINDEX]			= { .type = NLA_U32 },
2357
	[NDTPA_QUEUE_LEN]		= { .type = NLA_U32 },
2358
	[NDTPA_QUEUE_LENBYTES]		= { .type = NLA_U32 },
2359
	[NDTPA_PROXY_QLEN]		= { .type = NLA_U32 },
2360
	[NDTPA_APP_PROBES]		= { .type = NLA_U32 },
2361
	[NDTPA_UCAST_PROBES]		= { .type = NLA_U32 },
2362
	[NDTPA_MCAST_PROBES]		= { .type = NLA_U32 },
2363
	[NDTPA_MCAST_REPROBES]		= { .type = NLA_U32 },
2364
	[NDTPA_BASE_REACHABLE_TIME]	= { .type = NLA_U64 },
2365
	[NDTPA_GC_STALETIME]		= { .type = NLA_U64 },
2366
	[NDTPA_DELAY_PROBE_TIME]	= { .type = NLA_U64 },
2367
	[NDTPA_RETRANS_TIME]		= { .type = NLA_U64 },
2368
	[NDTPA_ANYCAST_DELAY]		= { .type = NLA_U64 },
2369
	[NDTPA_PROXY_DELAY]		= { .type = NLA_U64 },
2370
	[NDTPA_LOCKTIME]		= { .type = NLA_U64 },
2371
	[NDTPA_INTERVAL_PROBE_TIME_MS]	= { .type = NLA_U64, .min = 1 },
2372
};
2373

2374
static int neightbl_set(struct sk_buff *skb, struct nlmsghdr *nlh,
2375
			struct netlink_ext_ack *extack)
2376
{
2377
	struct net *net = sock_net(skb->sk);
2378
	struct neigh_table *tbl;
2379
	struct ndtmsg *ndtmsg;
2380
	struct nlattr *tb[NDTA_MAX+1];
2381
	bool found = false;
2382
	int err, tidx;
2383

2384
	err = nlmsg_parse_deprecated(nlh, sizeof(*ndtmsg), tb, NDTA_MAX,
2385
				     nl_neightbl_policy, extack);
2386
	if (err < 0)
2387
		goto errout;
2388

2389
	if (tb[NDTA_NAME] == NULL) {
2390
		err = -EINVAL;
2391
		goto errout;
2392
	}
2393

2394
	ndtmsg = nlmsg_data(nlh);
2395

2396
	for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
2397
		tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
2398
		if (!tbl)
2399
			continue;
2400
		if (ndtmsg->ndtm_family && tbl->family != ndtmsg->ndtm_family)
2401
			continue;
2402
		if (nla_strcmp(tb[NDTA_NAME], tbl->id) == 0) {
2403
			found = true;
2404
			break;
2405
		}
2406
	}
2407

2408
	if (!found)
2409
		return -ENOENT;
2410

2411
	/*
2412
	 * We acquire tbl->lock to be nice to the periodic timers and
2413
	 * make sure they always see a consistent set of values.
2414
	 */
2415
	write_lock_bh(&tbl->lock);
2416

2417
	if (tb[NDTA_PARMS]) {
2418
		struct nlattr *tbp[NDTPA_MAX+1];
2419
		struct neigh_parms *p;
2420
		int i, ifindex = 0;
2421

2422
		err = nla_parse_nested_deprecated(tbp, NDTPA_MAX,
2423
						  tb[NDTA_PARMS],
2424
						  nl_ntbl_parm_policy, extack);
2425
		if (err < 0)
2426
			goto errout_tbl_lock;
2427

2428
		if (tbp[NDTPA_IFINDEX])
2429
			ifindex = nla_get_u32(tbp[NDTPA_IFINDEX]);
2430

2431
		p = lookup_neigh_parms(tbl, net, ifindex);
2432
		if (p == NULL) {
2433
			err = -ENOENT;
2434
			goto errout_tbl_lock;
2435
		}
2436

2437
		for (i = 1; i <= NDTPA_MAX; i++) {
2438
			if (tbp[i] == NULL)
2439
				continue;
2440

2441
			switch (i) {
2442
			case NDTPA_QUEUE_LEN:
2443
				NEIGH_VAR_SET(p, QUEUE_LEN_BYTES,
2444
					      nla_get_u32(tbp[i]) *
2445
					      SKB_TRUESIZE(ETH_FRAME_LEN));
2446
				break;
2447
			case NDTPA_QUEUE_LENBYTES:
2448
				NEIGH_VAR_SET(p, QUEUE_LEN_BYTES,
2449
					      nla_get_u32(tbp[i]));
2450
				break;
2451
			case NDTPA_PROXY_QLEN:
2452
				NEIGH_VAR_SET(p, PROXY_QLEN,
2453
					      nla_get_u32(tbp[i]));
2454
				break;
2455
			case NDTPA_APP_PROBES:
2456
				NEIGH_VAR_SET(p, APP_PROBES,
2457
					      nla_get_u32(tbp[i]));
2458
				break;
2459
			case NDTPA_UCAST_PROBES:
2460
				NEIGH_VAR_SET(p, UCAST_PROBES,
2461
					      nla_get_u32(tbp[i]));
2462
				break;
2463
			case NDTPA_MCAST_PROBES:
2464
				NEIGH_VAR_SET(p, MCAST_PROBES,
2465
					      nla_get_u32(tbp[i]));
2466
				break;
2467
			case NDTPA_MCAST_REPROBES:
2468
				NEIGH_VAR_SET(p, MCAST_REPROBES,
2469
					      nla_get_u32(tbp[i]));
2470
				break;
2471
			case NDTPA_BASE_REACHABLE_TIME:
2472
				NEIGH_VAR_SET(p, BASE_REACHABLE_TIME,
2473
					      nla_get_msecs(tbp[i]));
2474
				/* update reachable_time as well, otherwise, the change will
2475
				 * only be effective after the next time neigh_periodic_work
2476
				 * decides to recompute it (can be multiple minutes)
2477
				 */
2478
				p->reachable_time =
2479
					neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
2480
				break;
2481
			case NDTPA_GC_STALETIME:
2482
				NEIGH_VAR_SET(p, GC_STALETIME,
2483
					      nla_get_msecs(tbp[i]));
2484
				break;
2485
			case NDTPA_DELAY_PROBE_TIME:
2486
				NEIGH_VAR_SET(p, DELAY_PROBE_TIME,
2487
					      nla_get_msecs(tbp[i]));
2488
				call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
2489
				break;
2490
			case NDTPA_INTERVAL_PROBE_TIME_MS:
2491
				NEIGH_VAR_SET(p, INTERVAL_PROBE_TIME_MS,
2492
					      nla_get_msecs(tbp[i]));
2493
				break;
2494
			case NDTPA_RETRANS_TIME:
2495
				NEIGH_VAR_SET(p, RETRANS_TIME,
2496
					      nla_get_msecs(tbp[i]));
2497
				break;
2498
			case NDTPA_ANYCAST_DELAY:
2499
				NEIGH_VAR_SET(p, ANYCAST_DELAY,
2500
					      nla_get_msecs(tbp[i]));
2501
				break;
2502
			case NDTPA_PROXY_DELAY:
2503
				NEIGH_VAR_SET(p, PROXY_DELAY,
2504
					      nla_get_msecs(tbp[i]));
2505
				break;
2506
			case NDTPA_LOCKTIME:
2507
				NEIGH_VAR_SET(p, LOCKTIME,
2508
					      nla_get_msecs(tbp[i]));
2509
				break;
2510
			}
2511
		}
2512
	}
2513

2514
	err = -ENOENT;
2515
	if ((tb[NDTA_THRESH1] || tb[NDTA_THRESH2] ||
2516
	     tb[NDTA_THRESH3] || tb[NDTA_GC_INTERVAL]) &&
2517
	    !net_eq(net, &init_net))
2518
		goto errout_tbl_lock;
2519

2520
	if (tb[NDTA_THRESH1])
2521
		WRITE_ONCE(tbl->gc_thresh1, nla_get_u32(tb[NDTA_THRESH1]));
2522

2523
	if (tb[NDTA_THRESH2])
2524
		WRITE_ONCE(tbl->gc_thresh2, nla_get_u32(tb[NDTA_THRESH2]));
2525

2526
	if (tb[NDTA_THRESH3])
2527
		WRITE_ONCE(tbl->gc_thresh3, nla_get_u32(tb[NDTA_THRESH3]));
2528

2529
	if (tb[NDTA_GC_INTERVAL])
2530
		WRITE_ONCE(tbl->gc_interval, nla_get_msecs(tb[NDTA_GC_INTERVAL]));
2531

2532
	err = 0;
2533

2534
errout_tbl_lock:
2535
	write_unlock_bh(&tbl->lock);
2536
errout:
2537
	return err;
2538
}
2539

2540
static int neightbl_valid_dump_info(const struct nlmsghdr *nlh,
2541
				    struct netlink_ext_ack *extack)
2542
{
2543
	struct ndtmsg *ndtm;
2544

2545
	ndtm = nlmsg_payload(nlh, sizeof(*ndtm));
2546
	if (!ndtm) {
2547
		NL_SET_ERR_MSG(extack, "Invalid header for neighbor table dump request");
2548
		return -EINVAL;
2549
	}
2550

2551
	if (ndtm->ndtm_pad1  || ndtm->ndtm_pad2) {
2552
		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor table dump request");
2553
		return -EINVAL;
2554
	}
2555

2556
	if (nlmsg_attrlen(nlh, sizeof(*ndtm))) {
2557
		NL_SET_ERR_MSG(extack, "Invalid data after header in neighbor table dump request");
2558
		return -EINVAL;
2559
	}
2560

2561
	return 0;
2562
}
2563

2564
static int neightbl_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
2565
{
2566
	const struct nlmsghdr *nlh = cb->nlh;
2567
	struct net *net = sock_net(skb->sk);
2568
	int family, tidx, nidx = 0;
2569
	int tbl_skip = cb->args[0];
2570
	int neigh_skip = cb->args[1];
2571
	struct neigh_table *tbl;
2572

2573
	if (cb->strict_check) {
2574
		int err = neightbl_valid_dump_info(nlh, cb->extack);
2575

2576
		if (err < 0)
2577
			return err;
2578
	}
2579

2580
	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
2581

2582
	for (tidx = 0; tidx < NEIGH_NR_TABLES; tidx++) {
2583
		struct neigh_parms *p;
2584

2585
		tbl = rcu_dereference_rtnl(neigh_tables[tidx]);
2586
		if (!tbl)
2587
			continue;
2588

2589
		if (tidx < tbl_skip || (family && tbl->family != family))
2590
			continue;
2591

2592
		if (neightbl_fill_info(skb, tbl, NETLINK_CB(cb->skb).portid,
2593
				       nlh->nlmsg_seq, RTM_NEWNEIGHTBL,
2594
				       NLM_F_MULTI) < 0)
2595
			break;
2596

2597
		nidx = 0;
2598
		p = list_next_entry(&tbl->parms, list);
2599
		list_for_each_entry_from(p, &tbl->parms_list, list) {
2600
			if (!net_eq(neigh_parms_net(p), net))
2601
				continue;
2602

2603
			if (nidx < neigh_skip)
2604
				goto next;
2605

2606
			if (neightbl_fill_param_info(skb, tbl, p,
2607
						     NETLINK_CB(cb->skb).portid,
2608
						     nlh->nlmsg_seq,
2609
						     RTM_NEWNEIGHTBL,
2610
						     NLM_F_MULTI) < 0)
2611
				goto out;
2612
		next:
2613
			nidx++;
2614
		}
2615

2616
		neigh_skip = 0;
2617
	}
2618
out:
2619
	cb->args[0] = tidx;
2620
	cb->args[1] = nidx;
2621

2622
	return skb->len;
2623
}
2624

2625
static int neigh_fill_info(struct sk_buff *skb, struct neighbour *neigh,
2626
			   u32 pid, u32 seq, int type, unsigned int flags)
2627
{
2628
	u32 neigh_flags, neigh_flags_ext;
2629
	unsigned long now = jiffies;
2630
	struct nda_cacheinfo ci;
2631
	struct nlmsghdr *nlh;
2632
	struct ndmsg *ndm;
2633

2634
	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
2635
	if (nlh == NULL)
2636
		return -EMSGSIZE;
2637

2638
	neigh_flags_ext = neigh->flags >> NTF_EXT_SHIFT;
2639
	neigh_flags     = neigh->flags & NTF_OLD_MASK;
2640

2641
	ndm = nlmsg_data(nlh);
2642
	ndm->ndm_family	 = neigh->ops->family;
2643
	ndm->ndm_pad1    = 0;
2644
	ndm->ndm_pad2    = 0;
2645
	ndm->ndm_flags	 = neigh_flags;
2646
	ndm->ndm_type	 = neigh->type;
2647
	ndm->ndm_ifindex = neigh->dev->ifindex;
2648

2649
	if (nla_put(skb, NDA_DST, neigh->tbl->key_len, neigh->primary_key))
2650
		goto nla_put_failure;
2651

2652
	read_lock_bh(&neigh->lock);
2653
	ndm->ndm_state	 = neigh->nud_state;
2654
	if (neigh->nud_state & NUD_VALID) {
2655
		char haddr[MAX_ADDR_LEN];
2656

2657
		neigh_ha_snapshot(haddr, neigh, neigh->dev);
2658
		if (nla_put(skb, NDA_LLADDR, neigh->dev->addr_len, haddr) < 0) {
2659
			read_unlock_bh(&neigh->lock);
2660
			goto nla_put_failure;
2661
		}
2662
	}
2663

2664
	ci.ndm_used	 = jiffies_to_clock_t(now - neigh->used);
2665
	ci.ndm_confirmed = jiffies_to_clock_t(now - neigh->confirmed);
2666
	ci.ndm_updated	 = jiffies_to_clock_t(now - neigh->updated);
2667
	ci.ndm_refcnt	 = refcount_read(&neigh->refcnt) - 1;
2668
	read_unlock_bh(&neigh->lock);
2669

2670
	if (nla_put_u32(skb, NDA_PROBES, atomic_read(&neigh->probes)) ||
2671
	    nla_put(skb, NDA_CACHEINFO, sizeof(ci), &ci))
2672
		goto nla_put_failure;
2673

2674
	if (neigh->protocol && nla_put_u8(skb, NDA_PROTOCOL, neigh->protocol))
2675
		goto nla_put_failure;
2676
	if (neigh_flags_ext && nla_put_u32(skb, NDA_FLAGS_EXT, neigh_flags_ext))
2677
		goto nla_put_failure;
2678

2679
	nlmsg_end(skb, nlh);
2680
	return 0;
2681

2682
nla_put_failure:
2683
	nlmsg_cancel(skb, nlh);
2684
	return -EMSGSIZE;
2685
}
2686

2687
static int pneigh_fill_info(struct sk_buff *skb, struct pneigh_entry *pn,
2688
			    u32 pid, u32 seq, int type, unsigned int flags,
2689
			    struct neigh_table *tbl)
2690
{
2691
	u32 neigh_flags, neigh_flags_ext;
2692
	struct nlmsghdr *nlh;
2693
	struct ndmsg *ndm;
2694
	u8 protocol;
2695

2696
	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*ndm), flags);
2697
	if (nlh == NULL)
2698
		return -EMSGSIZE;
2699

2700
	neigh_flags = READ_ONCE(pn->flags);
2701
	neigh_flags_ext = neigh_flags >> NTF_EXT_SHIFT;
2702
	neigh_flags &= NTF_OLD_MASK;
2703

2704
	ndm = nlmsg_data(nlh);
2705
	ndm->ndm_family	 = tbl->family;
2706
	ndm->ndm_pad1    = 0;
2707
	ndm->ndm_pad2    = 0;
2708
	ndm->ndm_flags	 = neigh_flags | NTF_PROXY;
2709
	ndm->ndm_type	 = RTN_UNICAST;
2710
	ndm->ndm_ifindex = pn->dev ? pn->dev->ifindex : 0;
2711
	ndm->ndm_state	 = NUD_NONE;
2712

2713
	if (nla_put(skb, NDA_DST, tbl->key_len, pn->key))
2714
		goto nla_put_failure;
2715

2716
	protocol = READ_ONCE(pn->protocol);
2717
	if (protocol && nla_put_u8(skb, NDA_PROTOCOL, protocol))
2718
		goto nla_put_failure;
2719
	if (neigh_flags_ext && nla_put_u32(skb, NDA_FLAGS_EXT, neigh_flags_ext))
2720
		goto nla_put_failure;
2721

2722
	nlmsg_end(skb, nlh);
2723
	return 0;
2724

2725
nla_put_failure:
2726
	nlmsg_cancel(skb, nlh);
2727
	return -EMSGSIZE;
2728
}
2729

2730
static void neigh_update_notify(struct neighbour *neigh, u32 nlmsg_pid)
2731
{
2732
	call_netevent_notifiers(NETEVENT_NEIGH_UPDATE, neigh);
2733
	__neigh_notify(neigh, RTM_NEWNEIGH, 0, nlmsg_pid);
2734
}
2735

2736
static bool neigh_master_filtered(struct net_device *dev, int master_idx)
2737
{
2738
	struct net_device *master;
2739

2740
	if (!master_idx)
2741
		return false;
2742

2743
	master = dev ? netdev_master_upper_dev_get_rcu(dev) : NULL;
2744

2745
	/* 0 is already used to denote NDA_MASTER wasn't passed, therefore need another
2746
	 * invalid value for ifindex to denote "no master".
2747
	 */
2748
	if (master_idx == -1)
2749
		return !!master;
2750

2751
	if (!master || master->ifindex != master_idx)
2752
		return true;
2753

2754
	return false;
2755
}
2756

2757
static bool neigh_ifindex_filtered(struct net_device *dev, int filter_idx)
2758
{
2759
	if (filter_idx && (!dev || dev->ifindex != filter_idx))
2760
		return true;
2761

2762
	return false;
2763
}
2764

2765
struct neigh_dump_filter {
2766
	int master_idx;
2767
	int dev_idx;
2768
};
2769

2770
static int neigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2771
			    struct netlink_callback *cb,
2772
			    struct neigh_dump_filter *filter)
2773
{
2774
	struct net *net = sock_net(skb->sk);
2775
	struct neighbour *n;
2776
	int err = 0, h, s_h = cb->args[1];
2777
	int idx, s_idx = idx = cb->args[2];
2778
	struct neigh_hash_table *nht;
2779
	unsigned int flags = NLM_F_MULTI;
2780

2781
	if (filter->dev_idx || filter->master_idx)
2782
		flags |= NLM_F_DUMP_FILTERED;
2783

2784
	nht = rcu_dereference(tbl->nht);
2785

2786
	for (h = s_h; h < (1 << nht->hash_shift); h++) {
2787
		if (h > s_h)
2788
			s_idx = 0;
2789
		idx = 0;
2790
		neigh_for_each_in_bucket_rcu(n, &nht->hash_heads[h]) {
2791
			if (idx < s_idx || !net_eq(dev_net(n->dev), net))
2792
				goto next;
2793
			if (neigh_ifindex_filtered(n->dev, filter->dev_idx) ||
2794
			    neigh_master_filtered(n->dev, filter->master_idx))
2795
				goto next;
2796
			err = neigh_fill_info(skb, n, NETLINK_CB(cb->skb).portid,
2797
					      cb->nlh->nlmsg_seq,
2798
					      RTM_NEWNEIGH, flags);
2799
			if (err < 0)
2800
				goto out;
2801
next:
2802
			idx++;
2803
		}
2804
	}
2805
out:
2806
	cb->args[1] = h;
2807
	cb->args[2] = idx;
2808
	return err;
2809
}
2810

2811
static int pneigh_dump_table(struct neigh_table *tbl, struct sk_buff *skb,
2812
			     struct netlink_callback *cb,
2813
			     struct neigh_dump_filter *filter)
2814
{
2815
	struct pneigh_entry *n;
2816
	struct net *net = sock_net(skb->sk);
2817
	int err = 0, h, s_h = cb->args[3];
2818
	int idx, s_idx = idx = cb->args[4];
2819
	unsigned int flags = NLM_F_MULTI;
2820

2821
	if (filter->dev_idx || filter->master_idx)
2822
		flags |= NLM_F_DUMP_FILTERED;
2823

2824
	for (h = s_h; h <= PNEIGH_HASHMASK; h++) {
2825
		if (h > s_h)
2826
			s_idx = 0;
2827
		for (n = rcu_dereference(tbl->phash_buckets[h]), idx = 0;
2828
		     n;
2829
		     n = rcu_dereference(n->next)) {
2830
			if (idx < s_idx || pneigh_net(n) != net)
2831
				goto next;
2832
			if (neigh_ifindex_filtered(n->dev, filter->dev_idx) ||
2833
			    neigh_master_filtered(n->dev, filter->master_idx))
2834
				goto next;
2835
			err = pneigh_fill_info(skb, n, NETLINK_CB(cb->skb).portid,
2836
					       cb->nlh->nlmsg_seq,
2837
					       RTM_NEWNEIGH, flags, tbl);
2838
			if (err < 0)
2839
				goto out;
2840
		next:
2841
			idx++;
2842
		}
2843
	}
2844

2845
out:
2846
	cb->args[3] = h;
2847
	cb->args[4] = idx;
2848
	return err;
2849
}
2850

2851
static int neigh_valid_dump_req(const struct nlmsghdr *nlh,
2852
				bool strict_check,
2853
				struct neigh_dump_filter *filter,
2854
				struct netlink_ext_ack *extack)
2855
{
2856
	struct nlattr *tb[NDA_MAX + 1];
2857
	int err, i;
2858

2859
	if (strict_check) {
2860
		struct ndmsg *ndm;
2861

2862
		ndm = nlmsg_payload(nlh, sizeof(*ndm));
2863
		if (!ndm) {
2864
			NL_SET_ERR_MSG(extack, "Invalid header for neighbor dump request");
2865
			return -EINVAL;
2866
		}
2867

2868
		if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_ifindex ||
2869
		    ndm->ndm_state || ndm->ndm_type) {
2870
			NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor dump request");
2871
			return -EINVAL;
2872
		}
2873

2874
		if (ndm->ndm_flags & ~NTF_PROXY) {
2875
			NL_SET_ERR_MSG(extack, "Invalid flags in header for neighbor dump request");
2876
			return -EINVAL;
2877
		}
2878

2879
		err = nlmsg_parse_deprecated_strict(nlh, sizeof(struct ndmsg),
2880
						    tb, NDA_MAX, nda_policy,
2881
						    extack);
2882
	} else {
2883
		err = nlmsg_parse_deprecated(nlh, sizeof(struct ndmsg), tb,
2884
					     NDA_MAX, nda_policy, extack);
2885
	}
2886
	if (err < 0)
2887
		return err;
2888

2889
	for (i = 0; i <= NDA_MAX; ++i) {
2890
		if (!tb[i])
2891
			continue;
2892

2893
		/* all new attributes should require strict_check */
2894
		switch (i) {
2895
		case NDA_IFINDEX:
2896
			filter->dev_idx = nla_get_u32(tb[i]);
2897
			break;
2898
		case NDA_MASTER:
2899
			filter->master_idx = nla_get_u32(tb[i]);
2900
			break;
2901
		default:
2902
			if (strict_check) {
2903
				NL_SET_ERR_MSG(extack, "Unsupported attribute in neighbor dump request");
2904
				return -EINVAL;
2905
			}
2906
		}
2907
	}
2908

2909
	return 0;
2910
}
2911

2912
static int neigh_dump_info(struct sk_buff *skb, struct netlink_callback *cb)
2913
{
2914
	const struct nlmsghdr *nlh = cb->nlh;
2915
	struct neigh_dump_filter filter = {};
2916
	struct neigh_table *tbl;
2917
	int t, family, s_t;
2918
	int proxy = 0;
2919
	int err;
2920

2921
	family = ((struct rtgenmsg *)nlmsg_data(nlh))->rtgen_family;
2922

2923
	/* check for full ndmsg structure presence, family member is
2924
	 * the same for both structures
2925
	 */
2926
	if (nlmsg_len(nlh) >= sizeof(struct ndmsg) &&
2927
	    ((struct ndmsg *)nlmsg_data(nlh))->ndm_flags == NTF_PROXY)
2928
		proxy = 1;
2929

2930
	err = neigh_valid_dump_req(nlh, cb->strict_check, &filter, cb->extack);
2931
	if (err < 0 && cb->strict_check)
2932
		return err;
2933
	err = 0;
2934

2935
	s_t = cb->args[0];
2936

2937
	rcu_read_lock();
2938
	for (t = 0; t < NEIGH_NR_TABLES; t++) {
2939
		tbl = rcu_dereference(neigh_tables[t]);
2940

2941
		if (!tbl)
2942
			continue;
2943
		if (t < s_t || (family && tbl->family != family))
2944
			continue;
2945
		if (t > s_t)
2946
			memset(&cb->args[1], 0, sizeof(cb->args) -
2947
						sizeof(cb->args[0]));
2948
		if (proxy)
2949
			err = pneigh_dump_table(tbl, skb, cb, &filter);
2950
		else
2951
			err = neigh_dump_table(tbl, skb, cb, &filter);
2952
		if (err < 0)
2953
			break;
2954
	}
2955
	rcu_read_unlock();
2956

2957
	cb->args[0] = t;
2958
	return err;
2959
}
2960

2961
static struct ndmsg *neigh_valid_get_req(const struct nlmsghdr *nlh,
2962
					 struct nlattr **tb,
2963
					 struct netlink_ext_ack *extack)
2964
{
2965
	struct ndmsg *ndm;
2966
	int err, i;
2967

2968
	ndm = nlmsg_payload(nlh, sizeof(*ndm));
2969
	if (!ndm) {
2970
		NL_SET_ERR_MSG(extack, "Invalid header for neighbor get request");
2971
		return ERR_PTR(-EINVAL);
2972
	}
2973

2974
	if (ndm->ndm_pad1  || ndm->ndm_pad2  || ndm->ndm_state ||
2975
	    ndm->ndm_type) {
2976
		NL_SET_ERR_MSG(extack, "Invalid values in header for neighbor get request");
2977
		return ERR_PTR(-EINVAL);
2978
	}
2979

2980
	if (ndm->ndm_flags & ~NTF_PROXY) {
2981
		NL_SET_ERR_MSG(extack, "Invalid flags in header for neighbor get request");
2982
		return ERR_PTR(-EINVAL);
2983
	}
2984

2985
	if (!(ndm->ndm_flags & NTF_PROXY) && !ndm->ndm_ifindex) {
2986
		NL_SET_ERR_MSG(extack, "No device specified");
2987
		return ERR_PTR(-EINVAL);
2988
	}
2989

2990
	err = nlmsg_parse_deprecated_strict(nlh, sizeof(struct ndmsg), tb,
2991
					    NDA_MAX, nda_policy, extack);
2992
	if (err < 0)
2993
		return ERR_PTR(err);
2994

2995
	for (i = 0; i <= NDA_MAX; ++i) {
2996
		switch (i) {
2997
		case NDA_DST:
2998
			if (!tb[i]) {
2999
				NL_SET_ERR_ATTR_MISS(extack, NULL, NDA_DST);
3000
				return ERR_PTR(-EINVAL);
3001
			}
3002
			break;
3003
		default:
3004
			if (!tb[i])
3005
				continue;
3006

3007
			NL_SET_ERR_MSG(extack, "Unsupported attribute in neighbor get request");
3008
			return ERR_PTR(-EINVAL);
3009
		}
3010
	}
3011

3012
	return ndm;
3013
}
3014

3015
static inline size_t neigh_nlmsg_size(void)
3016
{
3017
	return NLMSG_ALIGN(sizeof(struct ndmsg))
3018
	       + nla_total_size(MAX_ADDR_LEN) /* NDA_DST */
3019
	       + nla_total_size(MAX_ADDR_LEN) /* NDA_LLADDR */
3020
	       + nla_total_size(sizeof(struct nda_cacheinfo))
3021
	       + nla_total_size(4)  /* NDA_PROBES */
3022
	       + nla_total_size(4)  /* NDA_FLAGS_EXT */
3023
	       + nla_total_size(1); /* NDA_PROTOCOL */
3024
}
3025

3026
static inline size_t pneigh_nlmsg_size(void)
3027
{
3028
	return NLMSG_ALIGN(sizeof(struct ndmsg))
3029
	       + nla_total_size(MAX_ADDR_LEN) /* NDA_DST */
3030
	       + nla_total_size(4)  /* NDA_FLAGS_EXT */
3031
	       + nla_total_size(1); /* NDA_PROTOCOL */
3032
}
3033

3034
static int neigh_get(struct sk_buff *in_skb, struct nlmsghdr *nlh,
3035
		     struct netlink_ext_ack *extack)
3036
{
3037
	struct net *net = sock_net(in_skb->sk);
3038
	u32 pid = NETLINK_CB(in_skb).portid;
3039
	struct nlattr *tb[NDA_MAX + 1];
3040
	struct net_device *dev = NULL;
3041
	u32 seq = nlh->nlmsg_seq;
3042
	struct neigh_table *tbl;
3043
	struct neighbour *neigh;
3044
	struct sk_buff *skb;
3045
	struct ndmsg *ndm;
3046
	void *dst;
3047
	int err;
3048

3049
	ndm = neigh_valid_get_req(nlh, tb, extack);
3050
	if (IS_ERR(ndm))
3051
		return PTR_ERR(ndm);
3052

3053
	if (ndm->ndm_flags & NTF_PROXY)
3054
		skb = nlmsg_new(neigh_nlmsg_size(), GFP_KERNEL);
3055
	else
3056
		skb = nlmsg_new(pneigh_nlmsg_size(), GFP_KERNEL);
3057
	if (!skb)
3058
		return -ENOBUFS;
3059

3060
	rcu_read_lock();
3061

3062
	tbl = neigh_find_table(ndm->ndm_family);
3063
	if (!tbl) {
3064
		NL_SET_ERR_MSG(extack, "Unsupported family in header for neighbor get request");
3065
		err = -EAFNOSUPPORT;
3066
		goto err_unlock;
3067
	}
3068

3069
	if (nla_len(tb[NDA_DST]) != (int)tbl->key_len) {
3070
		NL_SET_ERR_MSG(extack, "Invalid network address in neighbor get request");
3071
		err = -EINVAL;
3072
		goto err_unlock;
3073
	}
3074

3075
	dst = nla_data(tb[NDA_DST]);
3076

3077
	if (ndm->ndm_ifindex) {
3078
		dev = dev_get_by_index_rcu(net, ndm->ndm_ifindex);
3079
		if (!dev) {
3080
			NL_SET_ERR_MSG(extack, "Unknown device ifindex");
3081
			err = -ENODEV;
3082
			goto err_unlock;
3083
		}
3084
	}
3085

3086
	if (ndm->ndm_flags & NTF_PROXY) {
3087
		struct pneigh_entry *pn;
3088

3089
		pn = pneigh_lookup(tbl, net, dst, dev);
3090
		if (!pn) {
3091
			NL_SET_ERR_MSG(extack, "Proxy neighbour entry not found");
3092
			err = -ENOENT;
3093
			goto err_unlock;
3094
		}
3095

3096
		err = pneigh_fill_info(skb, pn, pid, seq, RTM_NEWNEIGH, 0, tbl);
3097
		if (err)
3098
			goto err_unlock;
3099
	} else {
3100
		neigh = neigh_lookup(tbl, dst, dev);
3101
		if (!neigh) {
3102
			NL_SET_ERR_MSG(extack, "Neighbour entry not found");
3103
			err = -ENOENT;
3104
			goto err_unlock;
3105
		}
3106

3107
		err = neigh_fill_info(skb, neigh, pid, seq, RTM_NEWNEIGH, 0);
3108
		neigh_release(neigh);
3109
		if (err)
3110
			goto err_unlock;
3111
	}
3112

3113
	rcu_read_unlock();
3114

3115
	return rtnl_unicast(skb, net, pid);
3116
err_unlock:
3117
	rcu_read_unlock();
3118
	kfree_skb(skb);
3119
	return err;
3120
}
3121

3122
void neigh_for_each(struct neigh_table *tbl, void (*cb)(struct neighbour *, void *), void *cookie)
3123
{
3124
	int chain;
3125
	struct neigh_hash_table *nht;
3126

3127
	rcu_read_lock();
3128
	nht = rcu_dereference(tbl->nht);
3129

3130
	read_lock_bh(&tbl->lock); /* avoid resizes */
3131
	for (chain = 0; chain < (1 << nht->hash_shift); chain++) {
3132
		struct neighbour *n;
3133

3134
		neigh_for_each_in_bucket(n, &nht->hash_heads[chain])
3135
			cb(n, cookie);
3136
	}
3137
	read_unlock_bh(&tbl->lock);
3138
	rcu_read_unlock();
3139
}
3140
EXPORT_SYMBOL(neigh_for_each);
3141

3142
/* The tbl->lock must be held as a writer and BH disabled. */
3143
void __neigh_for_each_release(struct neigh_table *tbl,
3144
			      int (*cb)(struct neighbour *))
3145
{
3146
	struct neigh_hash_table *nht;
3147
	int chain;
3148

3149
	nht = rcu_dereference_protected(tbl->nht,
3150
					lockdep_is_held(&tbl->lock));
3151
	for (chain = 0; chain < (1 << nht->hash_shift); chain++) {
3152
		struct hlist_node *tmp;
3153
		struct neighbour *n;
3154

3155
		neigh_for_each_in_bucket_safe(n, tmp, &nht->hash_heads[chain]) {
3156
			int release;
3157

3158
			write_lock(&n->lock);
3159
			release = cb(n);
3160
			if (release) {
3161
				hlist_del_rcu(&n->hash);
3162
				hlist_del_rcu(&n->dev_list);
3163
				neigh_mark_dead(n);
3164
			}
3165
			write_unlock(&n->lock);
3166
			if (release)
3167
				neigh_cleanup_and_release(n);
3168
		}
3169
	}
3170
}
3171
EXPORT_SYMBOL(__neigh_for_each_release);
3172

3173
int neigh_xmit(int index, struct net_device *dev,
3174
	       const void *addr, struct sk_buff *skb)
3175
{
3176
	int err = -EAFNOSUPPORT;
3177

3178
	if (likely(index < NEIGH_NR_TABLES)) {
3179
		struct neigh_table *tbl;
3180
		struct neighbour *neigh;
3181

3182
		rcu_read_lock();
3183
		tbl = rcu_dereference(neigh_tables[index]);
3184
		if (!tbl)
3185
			goto out_unlock;
3186
		if (index == NEIGH_ARP_TABLE) {
3187
			u32 key = *((u32 *)addr);
3188

3189
			neigh = __ipv4_neigh_lookup_noref(dev, key);
3190
		} else {
3191
			neigh = __neigh_lookup_noref(tbl, addr, dev);
3192
		}
3193
		if (!neigh)
3194
			neigh = __neigh_create(tbl, addr, dev, false);
3195
		err = PTR_ERR(neigh);
3196
		if (IS_ERR(neigh)) {
3197
			rcu_read_unlock();
3198
			goto out_kfree_skb;
3199
		}
3200
		err = READ_ONCE(neigh->output)(neigh, skb);
3201
out_unlock:
3202
		rcu_read_unlock();
3203
	}
3204
	else if (index == NEIGH_LINK_TABLE) {
3205
		err = dev_hard_header(skb, dev, ntohs(skb->protocol),
3206
				      addr, NULL, skb->len);
3207
		if (err < 0)
3208
			goto out_kfree_skb;
3209
		err = dev_queue_xmit(skb);
3210
	}
3211
out:
3212
	return err;
3213
out_kfree_skb:
3214
	kfree_skb(skb);
3215
	goto out;
3216
}
3217
EXPORT_SYMBOL(neigh_xmit);
3218

3219
#ifdef CONFIG_PROC_FS
3220

3221
static struct neighbour *neigh_get_valid(struct seq_file *seq,
3222
					 struct neighbour *n,
3223
					 loff_t *pos)
3224
{
3225
	struct neigh_seq_state *state = seq->private;
3226
	struct net *net = seq_file_net(seq);
3227

3228
	if (!net_eq(dev_net(n->dev), net))
3229
		return NULL;
3230

3231
	if (state->neigh_sub_iter) {
3232
		loff_t fakep = 0;
3233
		void *v;
3234

3235
		v = state->neigh_sub_iter(state, n, pos ? pos : &fakep);
3236
		if (!v)
3237
			return NULL;
3238
		if (pos)
3239
			return v;
3240
	}
3241

3242
	if (!(state->flags & NEIGH_SEQ_SKIP_NOARP))
3243
		return n;
3244

3245
	if (READ_ONCE(n->nud_state) & ~NUD_NOARP)
3246
		return n;
3247

3248
	return NULL;
3249
}
3250

3251
static struct neighbour *neigh_get_first(struct seq_file *seq)
3252
{
3253
	struct neigh_seq_state *state = seq->private;
3254
	struct neigh_hash_table *nht = state->nht;
3255
	struct neighbour *n, *tmp;
3256

3257
	state->flags &= ~NEIGH_SEQ_IS_PNEIGH;
3258

3259
	while (++state->bucket < (1 << nht->hash_shift)) {
3260
		neigh_for_each_in_bucket(n, &nht->hash_heads[state->bucket]) {
3261
			tmp = neigh_get_valid(seq, n, NULL);
3262
			if (tmp)
3263
				return tmp;
3264
		}
3265
	}
3266

3267
	return NULL;
3268
}
3269

3270
static struct neighbour *neigh_get_next(struct seq_file *seq,
3271
					struct neighbour *n,
3272
					loff_t *pos)
3273
{
3274
	struct neigh_seq_state *state = seq->private;
3275
	struct neighbour *tmp;
3276

3277
	if (state->neigh_sub_iter) {
3278
		void *v = state->neigh_sub_iter(state, n, pos);
3279

3280
		if (v)
3281
			return n;
3282
	}
3283

3284
	hlist_for_each_entry_continue(n, hash) {
3285
		tmp = neigh_get_valid(seq, n, pos);
3286
		if (tmp) {
3287
			n = tmp;
3288
			goto out;
3289
		}
3290
	}
3291

3292
	n = neigh_get_first(seq);
3293
out:
3294
	if (n && pos)
3295
		--(*pos);
3296

3297
	return n;
3298
}
3299

3300
static struct neighbour *neigh_get_idx(struct seq_file *seq, loff_t *pos)
3301
{
3302
	struct neighbour *n = neigh_get_first(seq);
3303

3304
	if (n) {
3305
		--(*pos);
3306
		while (*pos) {
3307
			n = neigh_get_next(seq, n, pos);
3308
			if (!n)
3309
				break;
3310
		}
3311
	}
3312
	return *pos ? NULL : n;
3313
}
3314

3315
static struct pneigh_entry *pneigh_get_first(struct seq_file *seq)
3316
{
3317
	struct neigh_seq_state *state = seq->private;
3318
	struct net *net = seq_file_net(seq);
3319
	struct neigh_table *tbl = state->tbl;
3320
	struct pneigh_entry *pn = NULL;
3321
	int bucket;
3322

3323
	state->flags |= NEIGH_SEQ_IS_PNEIGH;
3324
	for (bucket = 0; bucket <= PNEIGH_HASHMASK; bucket++) {
3325
		pn = rcu_dereference(tbl->phash_buckets[bucket]);
3326

3327
		while (pn && !net_eq(pneigh_net(pn), net))
3328
			pn = rcu_dereference(pn->next);
3329
		if (pn)
3330
			break;
3331
	}
3332
	state->bucket = bucket;
3333

3334
	return pn;
3335
}
3336

3337
static struct pneigh_entry *pneigh_get_next(struct seq_file *seq,
3338
					    struct pneigh_entry *pn,
3339
					    loff_t *pos)
3340
{
3341
	struct neigh_seq_state *state = seq->private;
3342
	struct net *net = seq_file_net(seq);
3343
	struct neigh_table *tbl = state->tbl;
3344

3345
	do {
3346
		pn = rcu_dereference(pn->next);
3347
	} while (pn && !net_eq(pneigh_net(pn), net));
3348

3349
	while (!pn) {
3350
		if (++state->bucket > PNEIGH_HASHMASK)
3351
			break;
3352

3353
		pn = rcu_dereference(tbl->phash_buckets[state->bucket]);
3354

3355
		while (pn && !net_eq(pneigh_net(pn), net))
3356
			pn = rcu_dereference(pn->next);
3357
		if (pn)
3358
			break;
3359
	}
3360

3361
	if (pn && pos)
3362
		--(*pos);
3363

3364
	return pn;
3365
}
3366

3367
static struct pneigh_entry *pneigh_get_idx(struct seq_file *seq, loff_t *pos)
3368
{
3369
	struct pneigh_entry *pn = pneigh_get_first(seq);
3370

3371
	if (pn) {
3372
		--(*pos);
3373
		while (*pos) {
3374
			pn = pneigh_get_next(seq, pn, pos);
3375
			if (!pn)
3376
				break;
3377
		}
3378
	}
3379
	return *pos ? NULL : pn;
3380
}
3381

3382
static void *neigh_get_idx_any(struct seq_file *seq, loff_t *pos)
3383
{
3384
	struct neigh_seq_state *state = seq->private;
3385
	void *rc;
3386
	loff_t idxpos = *pos;
3387

3388
	rc = neigh_get_idx(seq, &idxpos);
3389
	if (!rc && !(state->flags & NEIGH_SEQ_NEIGH_ONLY))
3390
		rc = pneigh_get_idx(seq, &idxpos);
3391

3392
	return rc;
3393
}
3394

3395
void *neigh_seq_start(struct seq_file *seq, loff_t *pos, struct neigh_table *tbl, unsigned int neigh_seq_flags)
3396
	__acquires(tbl->lock)
3397
	__acquires(rcu)
3398
{
3399
	struct neigh_seq_state *state = seq->private;
3400

3401
	state->tbl = tbl;
3402
	state->bucket = -1;
3403
	state->flags = (neigh_seq_flags & ~NEIGH_SEQ_IS_PNEIGH);
3404

3405
	rcu_read_lock();
3406
	state->nht = rcu_dereference(tbl->nht);
3407
	read_lock_bh(&tbl->lock);
3408

3409
	return *pos ? neigh_get_idx_any(seq, pos) : SEQ_START_TOKEN;
3410
}
3411
EXPORT_SYMBOL(neigh_seq_start);
3412

3413
void *neigh_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3414
{
3415
	struct neigh_seq_state *state;
3416
	void *rc;
3417

3418
	if (v == SEQ_START_TOKEN) {
3419
		rc = neigh_get_first(seq);
3420
		goto out;
3421
	}
3422

3423
	state = seq->private;
3424
	if (!(state->flags & NEIGH_SEQ_IS_PNEIGH)) {
3425
		rc = neigh_get_next(seq, v, NULL);
3426
		if (rc)
3427
			goto out;
3428
		if (!(state->flags & NEIGH_SEQ_NEIGH_ONLY))
3429
			rc = pneigh_get_first(seq);
3430
	} else {
3431
		BUG_ON(state->flags & NEIGH_SEQ_NEIGH_ONLY);
3432
		rc = pneigh_get_next(seq, v, NULL);
3433
	}
3434
out:
3435
	++(*pos);
3436
	return rc;
3437
}
3438
EXPORT_SYMBOL(neigh_seq_next);
3439

3440
void neigh_seq_stop(struct seq_file *seq, void *v)
3441
	__releases(tbl->lock)
3442
	__releases(rcu)
3443
{
3444
	struct neigh_seq_state *state = seq->private;
3445
	struct neigh_table *tbl = state->tbl;
3446

3447
	read_unlock_bh(&tbl->lock);
3448
	rcu_read_unlock();
3449
}
3450
EXPORT_SYMBOL(neigh_seq_stop);
3451

3452
/* statistics via seq_file */
3453

3454
static void *neigh_stat_seq_start(struct seq_file *seq, loff_t *pos)
3455
{
3456
	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3457
	int cpu;
3458

3459
	if (*pos == 0)
3460
		return SEQ_START_TOKEN;
3461

3462
	for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
3463
		if (!cpu_possible(cpu))
3464
			continue;
3465
		*pos = cpu+1;
3466
		return per_cpu_ptr(tbl->stats, cpu);
3467
	}
3468
	return NULL;
3469
}
3470

3471
static void *neigh_stat_seq_next(struct seq_file *seq, void *v, loff_t *pos)
3472
{
3473
	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3474
	int cpu;
3475

3476
	for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
3477
		if (!cpu_possible(cpu))
3478
			continue;
3479
		*pos = cpu+1;
3480
		return per_cpu_ptr(tbl->stats, cpu);
3481
	}
3482
	(*pos)++;
3483
	return NULL;
3484
}
3485

3486
static void neigh_stat_seq_stop(struct seq_file *seq, void *v)
3487
{
3488

3489
}
3490

3491
static int neigh_stat_seq_show(struct seq_file *seq, void *v)
3492
{
3493
	struct neigh_table *tbl = pde_data(file_inode(seq->file));
3494
	struct neigh_statistics *st = v;
3495

3496
	if (v == SEQ_START_TOKEN) {
3497
		seq_puts(seq, "entries  allocs   destroys hash_grows lookups  hits     res_failed rcv_probes_mcast rcv_probes_ucast periodic_gc_runs forced_gc_runs unresolved_discards table_fulls\n");
3498
		return 0;
3499
	}
3500

3501
	seq_printf(seq, "%08x %08lx %08lx %08lx   %08lx %08lx %08lx   "
3502
			"%08lx         %08lx         %08lx         "
3503
			"%08lx       %08lx            %08lx\n",
3504
		   atomic_read(&tbl->entries),
3505

3506
		   st->allocs,
3507
		   st->destroys,
3508
		   st->hash_grows,
3509

3510
		   st->lookups,
3511
		   st->hits,
3512

3513
		   st->res_failed,
3514

3515
		   st->rcv_probes_mcast,
3516
		   st->rcv_probes_ucast,
3517

3518
		   st->periodic_gc_runs,
3519
		   st->forced_gc_runs,
3520
		   st->unres_discards,
3521
		   st->table_fulls
3522
		   );
3523

3524
	return 0;
3525
}
3526

3527
static const struct seq_operations neigh_stat_seq_ops = {
3528
	.start	= neigh_stat_seq_start,
3529
	.next	= neigh_stat_seq_next,
3530
	.stop	= neigh_stat_seq_stop,
3531
	.show	= neigh_stat_seq_show,
3532
};
3533
#endif /* CONFIG_PROC_FS */
3534

3535
static void __neigh_notify(struct neighbour *n, int type, int flags,
3536
			   u32 pid)
3537
{
3538
	struct sk_buff *skb;
3539
	int err = -ENOBUFS;
3540
	struct net *net;
3541

3542
	rcu_read_lock();
3543
	net = dev_net_rcu(n->dev);
3544
	skb = nlmsg_new(neigh_nlmsg_size(), GFP_ATOMIC);
3545
	if (skb == NULL)
3546
		goto errout;
3547

3548
	err = neigh_fill_info(skb, n, pid, 0, type, flags);
3549
	if (err < 0) {
3550
		/* -EMSGSIZE implies BUG in neigh_nlmsg_size() */
3551
		WARN_ON(err == -EMSGSIZE);
3552
		kfree_skb(skb);
3553
		goto errout;
3554
	}
3555
	rtnl_notify(skb, net, 0, RTNLGRP_NEIGH, NULL, GFP_ATOMIC);
3556
	goto out;
3557
errout:
3558
	rtnl_set_sk_err(net, RTNLGRP_NEIGH, err);
3559
out:
3560
	rcu_read_unlock();
3561
}
3562

3563
void neigh_app_ns(struct neighbour *n)
3564
{
3565
	__neigh_notify(n, RTM_GETNEIGH, NLM_F_REQUEST, 0);
3566
}
3567
EXPORT_SYMBOL(neigh_app_ns);
3568

3569
#ifdef CONFIG_SYSCTL
3570
static int unres_qlen_max = INT_MAX / SKB_TRUESIZE(ETH_FRAME_LEN);
3571

3572
static int proc_unres_qlen(const struct ctl_table *ctl, int write,
3573
			   void *buffer, size_t *lenp, loff_t *ppos)
3574
{
3575
	int size, ret;
3576
	struct ctl_table tmp = *ctl;
3577

3578
	tmp.extra1 = SYSCTL_ZERO;
3579
	tmp.extra2 = &unres_qlen_max;
3580
	tmp.data = &size;
3581

3582
	size = *(int *)ctl->data / SKB_TRUESIZE(ETH_FRAME_LEN);
3583
	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
3584

3585
	if (write && !ret)
3586
		*(int *)ctl->data = size * SKB_TRUESIZE(ETH_FRAME_LEN);
3587
	return ret;
3588
}
3589

3590
static void neigh_copy_dflt_parms(struct net *net, struct neigh_parms *p,
3591
				  int index)
3592
{
3593
	struct net_device *dev;
3594
	int family = neigh_parms_family(p);
3595

3596
	rcu_read_lock();
3597
	for_each_netdev_rcu(net, dev) {
3598
		struct neigh_parms *dst_p =
3599
				neigh_get_dev_parms_rcu(dev, family);
3600

3601
		if (dst_p && !test_bit(index, dst_p->data_state))
3602
			dst_p->data[index] = p->data[index];
3603
	}
3604
	rcu_read_unlock();
3605
}
3606

3607
static void neigh_proc_update(const struct ctl_table *ctl, int write)
3608
{
3609
	struct net_device *dev = ctl->extra1;
3610
	struct neigh_parms *p = ctl->extra2;
3611
	struct net *net = neigh_parms_net(p);
3612
	int index = (int *) ctl->data - p->data;
3613

3614
	if (!write)
3615
		return;
3616

3617
	set_bit(index, p->data_state);
3618
	if (index == NEIGH_VAR_DELAY_PROBE_TIME)
3619
		call_netevent_notifiers(NETEVENT_DELAY_PROBE_TIME_UPDATE, p);
3620
	if (!dev) /* NULL dev means this is default value */
3621
		neigh_copy_dflt_parms(net, p, index);
3622
}
3623

3624
static int neigh_proc_dointvec_zero_intmax(const struct ctl_table *ctl, int write,
3625
					   void *buffer, size_t *lenp,
3626
					   loff_t *ppos)
3627
{
3628
	struct ctl_table tmp = *ctl;
3629
	int ret;
3630

3631
	tmp.extra1 = SYSCTL_ZERO;
3632
	tmp.extra2 = SYSCTL_INT_MAX;
3633

3634
	ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
3635
	neigh_proc_update(ctl, write);
3636
	return ret;
3637
}
3638

3639
static int neigh_proc_dointvec_ms_jiffies_positive(const struct ctl_table *ctl, int write,
3640
						   void *buffer, size_t *lenp, loff_t *ppos)
3641
{
3642
	struct ctl_table tmp = *ctl;
3643
	int ret;
3644

3645
	int min = msecs_to_jiffies(1);
3646

3647
	tmp.extra1 = &min;
3648
	tmp.extra2 = NULL;
3649

3650
	ret = proc_dointvec_ms_jiffies_minmax(&tmp, write, buffer, lenp, ppos);
3651
	neigh_proc_update(ctl, write);
3652
	return ret;
3653
}
3654

3655
int neigh_proc_dointvec(const struct ctl_table *ctl, int write, void *buffer,
3656
			size_t *lenp, loff_t *ppos)
3657
{
3658
	int ret = proc_dointvec(ctl, write, buffer, lenp, ppos);
3659

3660
	neigh_proc_update(ctl, write);
3661
	return ret;
3662
}
3663
EXPORT_SYMBOL(neigh_proc_dointvec);
3664

3665
int neigh_proc_dointvec_jiffies(const struct ctl_table *ctl, int write, void *buffer,
3666
				size_t *lenp, loff_t *ppos)
3667
{
3668
	int ret = proc_dointvec_jiffies(ctl, write, buffer, lenp, ppos);
3669

3670
	neigh_proc_update(ctl, write);
3671
	return ret;
3672
}
3673
EXPORT_SYMBOL(neigh_proc_dointvec_jiffies);
3674

3675
static int neigh_proc_dointvec_userhz_jiffies(const struct ctl_table *ctl, int write,
3676
					      void *buffer, size_t *lenp,
3677
					      loff_t *ppos)
3678
{
3679
	int ret = proc_dointvec_userhz_jiffies(ctl, write, buffer, lenp, ppos);
3680

3681
	neigh_proc_update(ctl, write);
3682
	return ret;
3683
}
3684

3685
int neigh_proc_dointvec_ms_jiffies(const struct ctl_table *ctl, int write,
3686
				   void *buffer, size_t *lenp, loff_t *ppos)
3687
{
3688
	int ret = proc_dointvec_ms_jiffies(ctl, write, buffer, lenp, ppos);
3689

3690
	neigh_proc_update(ctl, write);
3691
	return ret;
3692
}
3693
EXPORT_SYMBOL(neigh_proc_dointvec_ms_jiffies);
3694

3695
static int neigh_proc_dointvec_unres_qlen(const struct ctl_table *ctl, int write,
3696
					  void *buffer, size_t *lenp,
3697
					  loff_t *ppos)
3698
{
3699
	int ret = proc_unres_qlen(ctl, write, buffer, lenp, ppos);
3700

3701
	neigh_proc_update(ctl, write);
3702
	return ret;
3703
}
3704

3705
static int neigh_proc_base_reachable_time(const struct ctl_table *ctl, int write,
3706
					  void *buffer, size_t *lenp,
3707
					  loff_t *ppos)
3708
{
3709
	struct neigh_parms *p = ctl->extra2;
3710
	int ret;
3711

3712
	if (strcmp(ctl->procname, "base_reachable_time") == 0)
3713
		ret = neigh_proc_dointvec_jiffies(ctl, write, buffer, lenp, ppos);
3714
	else if (strcmp(ctl->procname, "base_reachable_time_ms") == 0)
3715
		ret = neigh_proc_dointvec_ms_jiffies(ctl, write, buffer, lenp, ppos);
3716
	else
3717
		ret = -1;
3718

3719
	if (write && ret == 0) {
3720
		/* update reachable_time as well, otherwise, the change will
3721
		 * only be effective after the next time neigh_periodic_work
3722
		 * decides to recompute it
3723
		 */
3724
		p->reachable_time =
3725
			neigh_rand_reach_time(NEIGH_VAR(p, BASE_REACHABLE_TIME));
3726
	}
3727
	return ret;
3728
}
3729

3730
#define NEIGH_PARMS_DATA_OFFSET(index)	\
3731
	(&((struct neigh_parms *) 0)->data[index])
3732

3733
#define NEIGH_SYSCTL_ENTRY(attr, data_attr, name, mval, proc) \
3734
	[NEIGH_VAR_ ## attr] = { \
3735
		.procname	= name, \
3736
		.data		= NEIGH_PARMS_DATA_OFFSET(NEIGH_VAR_ ## data_attr), \
3737
		.maxlen		= sizeof(int), \
3738
		.mode		= mval, \
3739
		.proc_handler	= proc, \
3740
	}
3741

3742
#define NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(attr, name) \
3743
	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_zero_intmax)
3744

3745
#define NEIGH_SYSCTL_JIFFIES_ENTRY(attr, name) \
3746
	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_jiffies)
3747

3748
#define NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(attr, name) \
3749
	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_userhz_jiffies)
3750

3751
#define NEIGH_SYSCTL_MS_JIFFIES_POSITIVE_ENTRY(attr, name) \
3752
	NEIGH_SYSCTL_ENTRY(attr, attr, name, 0644, neigh_proc_dointvec_ms_jiffies_positive)
3753

3754
#define NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(attr, data_attr, name) \
3755
	NEIGH_SYSCTL_ENTRY(attr, data_attr, name, 0644, neigh_proc_dointvec_ms_jiffies)
3756

3757
#define NEIGH_SYSCTL_UNRES_QLEN_REUSED_ENTRY(attr, data_attr, name) \
3758
	NEIGH_SYSCTL_ENTRY(attr, data_attr, name, 0644, neigh_proc_dointvec_unres_qlen)
3759

3760
static struct neigh_sysctl_table {
3761
	struct ctl_table_header *sysctl_header;
3762
	struct ctl_table neigh_vars[NEIGH_VAR_MAX];
3763
} neigh_sysctl_template __read_mostly = {
3764
	.neigh_vars = {
3765
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(MCAST_PROBES, "mcast_solicit"),
3766
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(UCAST_PROBES, "ucast_solicit"),
3767
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(APP_PROBES, "app_solicit"),
3768
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(MCAST_REPROBES, "mcast_resolicit"),
3769
		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(RETRANS_TIME, "retrans_time"),
3770
		NEIGH_SYSCTL_JIFFIES_ENTRY(BASE_REACHABLE_TIME, "base_reachable_time"),
3771
		NEIGH_SYSCTL_JIFFIES_ENTRY(DELAY_PROBE_TIME, "delay_first_probe_time"),
3772
		NEIGH_SYSCTL_MS_JIFFIES_POSITIVE_ENTRY(INTERVAL_PROBE_TIME_MS,
3773
						       "interval_probe_time_ms"),
3774
		NEIGH_SYSCTL_JIFFIES_ENTRY(GC_STALETIME, "gc_stale_time"),
3775
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(QUEUE_LEN_BYTES, "unres_qlen_bytes"),
3776
		NEIGH_SYSCTL_ZERO_INTMAX_ENTRY(PROXY_QLEN, "proxy_qlen"),
3777
		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(ANYCAST_DELAY, "anycast_delay"),
3778
		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(PROXY_DELAY, "proxy_delay"),
3779
		NEIGH_SYSCTL_USERHZ_JIFFIES_ENTRY(LOCKTIME, "locktime"),
3780
		NEIGH_SYSCTL_UNRES_QLEN_REUSED_ENTRY(QUEUE_LEN, QUEUE_LEN_BYTES, "unres_qlen"),
3781
		NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(RETRANS_TIME_MS, RETRANS_TIME, "retrans_time_ms"),
3782
		NEIGH_SYSCTL_MS_JIFFIES_REUSED_ENTRY(BASE_REACHABLE_TIME_MS, BASE_REACHABLE_TIME, "base_reachable_time_ms"),
3783
		[NEIGH_VAR_GC_INTERVAL] = {
3784
			.procname	= "gc_interval",
3785
			.maxlen		= sizeof(int),
3786
			.mode		= 0644,
3787
			.proc_handler	= proc_dointvec_jiffies,
3788
		},
3789
		[NEIGH_VAR_GC_THRESH1] = {
3790
			.procname	= "gc_thresh1",
3791
			.maxlen		= sizeof(int),
3792
			.mode		= 0644,
3793
			.extra1		= SYSCTL_ZERO,
3794
			.extra2		= SYSCTL_INT_MAX,
3795
			.proc_handler	= proc_dointvec_minmax,
3796
		},
3797
		[NEIGH_VAR_GC_THRESH2] = {
3798
			.procname	= "gc_thresh2",
3799
			.maxlen		= sizeof(int),
3800
			.mode		= 0644,
3801
			.extra1		= SYSCTL_ZERO,
3802
			.extra2		= SYSCTL_INT_MAX,
3803
			.proc_handler	= proc_dointvec_minmax,
3804
		},
3805
		[NEIGH_VAR_GC_THRESH3] = {
3806
			.procname	= "gc_thresh3",
3807
			.maxlen		= sizeof(int),
3808
			.mode		= 0644,
3809
			.extra1		= SYSCTL_ZERO,
3810
			.extra2		= SYSCTL_INT_MAX,
3811
			.proc_handler	= proc_dointvec_minmax,
3812
		},
3813
	},
3814
};
3815

3816
int neigh_sysctl_register(struct net_device *dev, struct neigh_parms *p,
3817
			  proc_handler *handler)
3818
{
3819
	int i;
3820
	struct neigh_sysctl_table *t;
3821
	const char *dev_name_source;
3822
	char neigh_path[ sizeof("net//neigh/") + IFNAMSIZ + IFNAMSIZ ];
3823
	char *p_name;
3824
	size_t neigh_vars_size;
3825

3826
	t = kmemdup(&neigh_sysctl_template, sizeof(*t), GFP_KERNEL_ACCOUNT);
3827
	if (!t)
3828
		goto err;
3829

3830
	for (i = 0; i < NEIGH_VAR_GC_INTERVAL; i++) {
3831
		t->neigh_vars[i].data += (long) p;
3832
		t->neigh_vars[i].extra1 = dev;
3833
		t->neigh_vars[i].extra2 = p;
3834
	}
3835

3836
	neigh_vars_size = ARRAY_SIZE(t->neigh_vars);
3837
	if (dev) {
3838
		dev_name_source = dev->name;
3839
		/* Terminate the table early */
3840
		neigh_vars_size = NEIGH_VAR_BASE_REACHABLE_TIME_MS + 1;
3841
	} else {
3842
		struct neigh_table *tbl = p->tbl;
3843
		dev_name_source = "default";
3844
		t->neigh_vars[NEIGH_VAR_GC_INTERVAL].data = &tbl->gc_interval;
3845
		t->neigh_vars[NEIGH_VAR_GC_THRESH1].data = &tbl->gc_thresh1;
3846
		t->neigh_vars[NEIGH_VAR_GC_THRESH2].data = &tbl->gc_thresh2;
3847
		t->neigh_vars[NEIGH_VAR_GC_THRESH3].data = &tbl->gc_thresh3;
3848
	}
3849

3850
	if (handler) {
3851
		/* RetransTime */
3852
		t->neigh_vars[NEIGH_VAR_RETRANS_TIME].proc_handler = handler;
3853
		/* ReachableTime */
3854
		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME].proc_handler = handler;
3855
		/* RetransTime (in milliseconds)*/
3856
		t->neigh_vars[NEIGH_VAR_RETRANS_TIME_MS].proc_handler = handler;
3857
		/* ReachableTime (in milliseconds) */
3858
		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME_MS].proc_handler = handler;
3859
	} else {
3860
		/* Those handlers will update p->reachable_time after
3861
		 * base_reachable_time(_ms) is set to ensure the new timer starts being
3862
		 * applied after the next neighbour update instead of waiting for
3863
		 * neigh_periodic_work to update its value (can be multiple minutes)
3864
		 * So any handler that replaces them should do this as well
3865
		 */
3866
		/* ReachableTime */
3867
		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME].proc_handler =
3868
			neigh_proc_base_reachable_time;
3869
		/* ReachableTime (in milliseconds) */
3870
		t->neigh_vars[NEIGH_VAR_BASE_REACHABLE_TIME_MS].proc_handler =
3871
			neigh_proc_base_reachable_time;
3872
	}
3873

3874
	switch (neigh_parms_family(p)) {
3875
	case AF_INET:
3876
	      p_name = "ipv4";
3877
	      break;
3878
	case AF_INET6:
3879
	      p_name = "ipv6";
3880
	      break;
3881
	default:
3882
	      BUG();
3883
	}
3884

3885
	snprintf(neigh_path, sizeof(neigh_path), "net/%s/neigh/%s",
3886
		p_name, dev_name_source);
3887
	t->sysctl_header = register_net_sysctl_sz(neigh_parms_net(p),
3888
						  neigh_path, t->neigh_vars,
3889
						  neigh_vars_size);
3890
	if (!t->sysctl_header)
3891
		goto free;
3892

3893
	p->sysctl_table = t;
3894
	return 0;
3895

3896
free:
3897
	kfree(t);
3898
err:
3899
	return -ENOBUFS;
3900
}
3901
EXPORT_SYMBOL(neigh_sysctl_register);
3902

3903
void neigh_sysctl_unregister(struct neigh_parms *p)
3904
{
3905
	if (p->sysctl_table) {
3906
		struct neigh_sysctl_table *t = p->sysctl_table;
3907
		p->sysctl_table = NULL;
3908
		unregister_net_sysctl_table(t->sysctl_header);
3909
		kfree(t);
3910
	}
3911
}
3912
EXPORT_SYMBOL(neigh_sysctl_unregister);
3913

3914
#endif	/* CONFIG_SYSCTL */
3915

3916
static const struct rtnl_msg_handler neigh_rtnl_msg_handlers[] __initconst = {
3917
	{.msgtype = RTM_NEWNEIGH, .doit = neigh_add},
3918
	{.msgtype = RTM_DELNEIGH, .doit = neigh_delete},
3919
	{.msgtype = RTM_GETNEIGH, .doit = neigh_get, .dumpit = neigh_dump_info,
3920
	 .flags = RTNL_FLAG_DOIT_UNLOCKED | RTNL_FLAG_DUMP_UNLOCKED},
3921
	{.msgtype = RTM_GETNEIGHTBL, .dumpit = neightbl_dump_info},
3922
	{.msgtype = RTM_SETNEIGHTBL, .doit = neightbl_set},
3923
};
3924

3925
static int __init neigh_init(void)
3926
{
3927
	rtnl_register_many(neigh_rtnl_msg_handlers);
3928
	return 0;
3929
}
3930

3931
subsys_initcall(neigh_init);
3932

3933