1 /*
2 * Copyright (c) 2010-2021 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28 /*
29 * Copyright (c) 2009 Bruce Simpson.
30 * All rights reserved.
31 *
32 * Redistribution and use in source and binary forms, with or without
33 * modification, are permitted provided that the following conditions
34 * are met:
35 * 1. Redistributions of source code must retain the above copyright
36 * notice, this list of conditions and the following disclaimer.
37 * 2. Redistributions in binary form must reproduce the above copyright
38 * notice, this list of conditions and the following disclaimer in the
39 * documentation and/or other materials provided with the distribution.
40 * 3. The name of the author may not be used to endorse or promote
41 * products derived from this software without specific prior written
42 * permission.
43 *
44 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
45 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
46 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
47 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
48 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
49 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
50 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
51 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
52 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
53 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
54 * SUCH DAMAGE.
55 */
56
57 /*
58 * IPv6 multicast socket, group, and socket option processing module.
59 * Normative references: RFC 2292, RFC 3492, RFC 3542, RFC 3678, RFC 3810.
60 */
61
62 #include <sys/cdefs.h>
63
64 #include <sys/param.h>
65 #include <sys/systm.h>
66 #include <sys/kernel.h>
67 #include <sys/malloc.h>
68 #include <sys/mbuf.h>
69 #include <sys/protosw.h>
70 #include <sys/socket.h>
71 #include <sys/socketvar.h>
72 #include <sys/protosw.h>
73 #include <sys/sysctl.h>
74 #include <sys/tree.h>
75 #include <sys/mcache.h>
76
77 #include <kern/zalloc.h>
78
79 #include <pexpert/pexpert.h>
80
81 #include <net/if.h>
82 #include <net/if_dl.h>
83 #include <net/net_api_stats.h>
84 #include <net/route.h>
85
86 #include <netinet/in.h>
87 #include <netinet/in_var.h>
88 #include <netinet6/in6_var.h>
89 #include <netinet/ip6.h>
90 #include <netinet/icmp6.h>
91 #include <netinet6/ip6_var.h>
92 #include <netinet/in_pcb.h>
93 #include <netinet/tcp.h>
94 #include <netinet/tcp_seq.h>
95 #include <netinet/tcp_var.h>
96 #include <netinet6/nd6.h>
97 #include <netinet6/mld6_var.h>
98 #include <netinet6/scope6_var.h>
99
100 static void im6f_commit(struct in6_mfilter *);
101 static int im6f_get_source(struct in6_mfilter *imf,
102 const struct sockaddr_in6 *psin,
103 struct in6_msource **);
104 static struct in6_msource *
105 im6f_graft(struct in6_mfilter *, const uint8_t,
106 const struct sockaddr_in6 *);
107 static int im6f_prune(struct in6_mfilter *, const struct sockaddr_in6 *);
108 static void im6f_rollback(struct in6_mfilter *);
109 static void im6f_reap(struct in6_mfilter *);
110 static int im6o_grow(struct ip6_moptions *);
111 static size_t im6o_match_group(const struct ip6_moptions *,
112 const struct ifnet *, const struct sockaddr_in6 *);
113 static struct in6_msource *
114 im6o_match_source(const struct ip6_moptions *,
115 const size_t, const struct sockaddr_in6 *);
116 static void im6s_merge(struct ip6_msource *ims,
117 const struct in6_msource *lims, const int rollback);
118 static int in6_mc_get(struct ifnet *, const struct in6_addr *,
119 struct in6_multi **);
120 static int in6m_get_source(struct in6_multi *inm,
121 const struct in6_addr *addr, const int noalloc,
122 struct ip6_msource **pims);
123 static int in6m_is_ifp_detached(const struct in6_multi *);
124 static int in6m_merge(struct in6_multi *, /*const*/ struct in6_mfilter *);
125 static void in6m_reap(struct in6_multi *);
126 static struct ip6_moptions *
127 in6p_findmoptions(struct inpcb *);
128 static int in6p_get_source_filters(struct inpcb *, struct sockopt *);
129 static int in6p_lookup_v4addr(struct ipv6_mreq *, struct ip_mreq *);
130 static int in6p_join_group(struct inpcb *, struct sockopt *);
131 static int in6p_leave_group(struct inpcb *, struct sockopt *);
132 static struct ifnet *
133 in6p_lookup_mcast_ifp(const struct inpcb *,
134 const struct sockaddr_in6 *);
135 static int in6p_block_unblock_source(struct inpcb *, struct sockopt *);
136 static int in6p_set_multicast_if(struct inpcb *, struct sockopt *);
137 static int in6p_set_source_filters(struct inpcb *, struct sockopt *);
138 static int sysctl_ip6_mcast_filters SYSCTL_HANDLER_ARGS;
139 static __inline__ int ip6_msource_cmp(const struct ip6_msource *,
140 const struct ip6_msource *);
141
142 SYSCTL_DECL(_net_inet6_ip6); /* XXX Not in any common header. */
143
144 SYSCTL_NODE(_net_inet6_ip6, OID_AUTO, mcast, CTLFLAG_RW | CTLFLAG_LOCKED, 0, "IPv6 multicast");
145
146 static unsigned long in6_mcast_maxgrpsrc = IPV6_MAX_GROUP_SRC_FILTER;
147 SYSCTL_LONG(_net_inet6_ip6_mcast, OID_AUTO, maxgrpsrc,
148 CTLFLAG_RW | CTLFLAG_LOCKED, &in6_mcast_maxgrpsrc,
149 "Max source filters per group");
150
151 static unsigned long in6_mcast_maxsocksrc = IPV6_MAX_SOCK_SRC_FILTER;
152 SYSCTL_LONG(_net_inet6_ip6_mcast, OID_AUTO, maxsocksrc,
153 CTLFLAG_RW | CTLFLAG_LOCKED, &in6_mcast_maxsocksrc,
154 "Max source filters per socket");
155
156 int in6_mcast_loop = IPV6_DEFAULT_MULTICAST_LOOP;
157 SYSCTL_INT(_net_inet6_ip6_mcast, OID_AUTO, loop, CTLFLAG_RW | CTLFLAG_LOCKED,
158 &in6_mcast_loop, 0, "Loopback multicast datagrams by default");
159
160 SYSCTL_NODE(_net_inet6_ip6_mcast, OID_AUTO, filters,
161 CTLFLAG_RD | CTLFLAG_LOCKED, sysctl_ip6_mcast_filters,
162 "Per-interface stack-wide source filters");
163
164 RB_GENERATE_PREV(ip6_msource_tree, ip6_msource, im6s_link, ip6_msource_cmp);
165
166 #define IN6M_TRACE_HIST_SIZE 32 /* size of trace history */
167
168 /* For gdb */
169 __private_extern__ unsigned int in6m_trace_hist_size = IN6M_TRACE_HIST_SIZE;
170
171 struct in6_multi_dbg {
172 struct in6_multi in6m; /* in6_multi */
173 u_int16_t in6m_refhold_cnt; /* # of ref */
174 u_int16_t in6m_refrele_cnt; /* # of rele */
175 /*
176 * Circular lists of in6m_addref and in6m_remref callers.
177 */
178 ctrace_t in6m_refhold[IN6M_TRACE_HIST_SIZE];
179 ctrace_t in6m_refrele[IN6M_TRACE_HIST_SIZE];
180 /*
181 * Trash list linkage
182 */
183 TAILQ_ENTRY(in6_multi_dbg) in6m_trash_link;
184 };
185
186 /* Lock group and attribute for in6_multihead_lock lock */
187 static LCK_ATTR_DECLARE(in6_multihead_lock_attr, 0, 0);
188 static LCK_GRP_DECLARE(in6_multihead_lock_grp, "in6_multihead");
189
190 /* List of trash in6_multi entries protected by in6m_trash_lock */
191 static TAILQ_HEAD(, in6_multi_dbg) in6m_trash_head;
192 static LCK_MTX_DECLARE_ATTR(in6m_trash_lock, &in6_multihead_lock_grp,
193 &in6_multihead_lock_attr);
194
195 #if DEBUG
196 static unsigned int in6m_debug = 1; /* debugging (enabled) */
197 #else
198 static unsigned int in6m_debug; /* debugging (disabled) */
199 #endif /* !DEBUG */
200 static struct zone *in6m_zone; /* zone for in6_multi */
201 #define IN6M_ZONE_NAME "in6_multi" /* zone name */
202
203 static ZONE_DEFINE(imm_zone, "in6_multi_mship",
204 sizeof(struct in6_multi_mship), ZC_ZFREE_CLEARMEM);
205
206 static ZONE_DEFINE(ip6ms_zone, "ip6_msource",
207 sizeof(struct ip6_msource), ZC_ZFREE_CLEARMEM);
208
209 static ZONE_DEFINE(in6ms_zone, "in6_msource",
210 sizeof(struct in6_msource), ZC_ZFREE_CLEARMEM);
211
212 static LCK_RW_DECLARE_ATTR(in6_multihead_lock, &in6_multihead_lock_grp,
213 &in6_multihead_lock_attr);
214 struct in6_multihead in6_multihead;
215
216 static struct in6_multi *in6_multi_alloc(zalloc_flags_t);
217 static void in6_multi_free(struct in6_multi *);
218 static void in6_multi_attach(struct in6_multi *);
219 static struct in6_multi_mship *in6_multi_mship_alloc(zalloc_flags_t);
220 static void in6_multi_mship_free(struct in6_multi_mship *);
221 static void in6m_trace(struct in6_multi *, int);
222
223 static struct ip6_msource *ip6ms_alloc(zalloc_flags_t);
224 static void ip6ms_free(struct ip6_msource *);
225 static struct in6_msource *in6ms_alloc(zalloc_flags_t);
226 static void in6ms_free(struct in6_msource *);
227
228 /*
229 * IPv6 source tree comparison function.
230 *
231 * An ordered predicate is necessary; bcmp() is not documented to return
232 * an indication of order, memcmp() is, and is an ISO C99 requirement.
233 */
234 static __inline int
ip6_msource_cmp(const struct ip6_msource * a,const struct ip6_msource * b)235 ip6_msource_cmp(const struct ip6_msource *a, const struct ip6_msource *b)
236 {
237 return memcmp(&a->im6s_addr, &b->im6s_addr, sizeof(struct in6_addr));
238 }
239
240 /*
241 * Inline function which wraps assertions for a valid ifp.
242 */
243 static __inline__ int
in6m_is_ifp_detached(const struct in6_multi * inm)244 in6m_is_ifp_detached(const struct in6_multi *inm)
245 {
246 VERIFY(inm->in6m_ifma != NULL);
247 VERIFY(inm->in6m_ifp == inm->in6m_ifma->ifma_ifp);
248
249 return !ifnet_is_attached(inm->in6m_ifp, 0);
250 }
251
252 /*
253 * Initialize an in6_mfilter structure to a known state at t0, t1
254 * with an empty source filter list.
255 */
256 static __inline__ void
im6f_init(struct in6_mfilter * imf,const uint8_t st0,const uint8_t st1)257 im6f_init(struct in6_mfilter *imf, const uint8_t st0, const uint8_t st1)
258 {
259 memset(imf, 0, sizeof(struct in6_mfilter));
260 RB_INIT(&imf->im6f_sources);
261 imf->im6f_st[0] = st0;
262 imf->im6f_st[1] = st1;
263 }
264
265 /*
266 * Resize the ip6_moptions vector to the next power-of-two minus 1.
267 */
268 static int
im6o_grow(struct ip6_moptions * imo)269 im6o_grow(struct ip6_moptions *imo)
270 {
271 struct in6_multi **nmships;
272 struct in6_multi **omships;
273 struct in6_mfilter *nmfilters;
274 struct in6_mfilter *omfilters;
275 size_t idx;
276 size_t oldmax;
277 size_t newmax;
278
279 IM6O_LOCK_ASSERT_HELD(imo);
280
281 nmships = NULL;
282 nmfilters = NULL;
283 omships = imo->im6o_membership;
284 omfilters = imo->im6o_mfilters;
285 oldmax = imo->im6o_max_memberships;
286 newmax = ((oldmax + 1) * 2) - 1;
287
288 if (newmax > IPV6_MAX_MEMBERSHIPS) {
289 return ETOOMANYREFS;
290 }
291
292 if ((nmships = krealloc_type(struct in6_multi *, oldmax, newmax,
293 omships, Z_WAITOK | Z_ZERO)) == NULL) {
294 return ENOMEM;
295 }
296
297 imo->im6o_membership = nmships;
298
299 if ((nmfilters = krealloc_type(struct in6_mfilter, oldmax, newmax,
300 omfilters, Z_WAITOK | Z_ZERO)) == NULL) {
301 return ENOMEM;
302 }
303
304 imo->im6o_mfilters = nmfilters;
305
306 /* Initialize newly allocated source filter heads. */
307 for (idx = oldmax; idx < newmax; idx++) {
308 im6f_init(&nmfilters[idx], MCAST_UNDEFINED, MCAST_EXCLUDE);
309 }
310
311 imo->im6o_max_memberships = (u_short)newmax;
312
313 return 0;
314 }
315
316 /*
317 * Find an IPv6 multicast group entry for this ip6_moptions instance
318 * which matches the specified group, and optionally an interface.
319 * Return its index into the array, or -1 if not found.
320 */
321 static size_t
im6o_match_group(const struct ip6_moptions * imo,const struct ifnet * ifp,const struct sockaddr_in6 * group)322 im6o_match_group(const struct ip6_moptions *imo, const struct ifnet *ifp,
323 const struct sockaddr_in6 *group)
324 {
325 const struct sockaddr_in6 *gsin6;
326 struct in6_multi *pinm;
327 int idx;
328 int nmships;
329
330 IM6O_LOCK_ASSERT_HELD(__DECONST(struct ip6_moptions *, imo));
331
332 gsin6 = group;
333
334 /* The im6o_membership array may be lazy allocated. */
335 if (imo->im6o_membership == NULL || imo->im6o_num_memberships == 0) {
336 return -1;
337 }
338
339 nmships = imo->im6o_num_memberships;
340 for (idx = 0; idx < nmships; idx++) {
341 pinm = imo->im6o_membership[idx];
342 if (pinm == NULL) {
343 continue;
344 }
345 IN6M_LOCK(pinm);
346 if ((ifp == NULL || (pinm->in6m_ifp == ifp)) &&
347 in6_are_addr_equal_scoped(&pinm->in6m_addr,
348 &gsin6->sin6_addr, pinm->ifscope, gsin6->sin6_scope_id)) {
349 IN6M_UNLOCK(pinm);
350 break;
351 }
352 IN6M_UNLOCK(pinm);
353 }
354 if (idx >= nmships) {
355 idx = -1;
356 }
357
358 return idx;
359 }
360
361 /*
362 * Find an IPv6 multicast source entry for this imo which matches
363 * the given group index for this socket, and source address.
364 *
365 * XXX TODO: The scope ID, if present in src, is stripped before
366 * any comparison. We SHOULD enforce scope/zone checks where the source
367 * filter entry has a link scope.
368 *
369 * NOTE: This does not check if the entry is in-mode, merely if
370 * it exists, which may not be the desired behaviour.
371 */
372 static struct in6_msource *
im6o_match_source(const struct ip6_moptions * imo,const size_t gidx,const struct sockaddr_in6 * src)373 im6o_match_source(const struct ip6_moptions *imo, const size_t gidx,
374 const struct sockaddr_in6 *src)
375 {
376 struct ip6_msource find;
377 struct in6_mfilter *imf;
378 struct ip6_msource *ims;
379 const struct sockaddr_in6 *psa;
380
381 IM6O_LOCK_ASSERT_HELD(__DECONST(struct ip6_moptions *, imo));
382
383 VERIFY(src->sin6_family == AF_INET6);
384 VERIFY(gidx != (size_t)-1 && gidx < imo->im6o_num_memberships);
385
386 /* The im6o_mfilters array may be lazy allocated. */
387 if (imo->im6o_mfilters == NULL) {
388 return NULL;
389 }
390 imf = &imo->im6o_mfilters[gidx];
391
392 psa = src;
393 find.im6s_addr = psa->sin6_addr;
394 in6_clearscope(&find.im6s_addr); /* XXX */
395 ims = RB_FIND(ip6_msource_tree, &imf->im6f_sources, &find);
396
397 return (struct in6_msource *)ims;
398 }
399
400 /*
401 * Perform filtering for multicast datagrams on a socket by group and source.
402 *
403 * Returns 0 if a datagram should be allowed through, or various error codes
404 * if the socket was not a member of the group, or the source was muted, etc.
405 */
406 int
im6o_mc_filter(const struct ip6_moptions * imo,struct ifnet * ifp,const struct sockaddr_in6 * group,const struct sockaddr_in6 * src)407 im6o_mc_filter(const struct ip6_moptions *imo, struct ifnet *ifp,
408 const struct sockaddr_in6 *group, const struct sockaddr_in6 *src)
409 {
410 size_t gidx;
411 struct in6_msource *ims;
412 int mode;
413
414 IM6O_LOCK_ASSERT_HELD(__DECONST(struct ip6_moptions *, imo));
415 VERIFY(ifp != NULL);
416
417 struct sockaddr_in6 group_tmp = *group;
418 if (!in6_embedded_scope) {
419 group_tmp.sin6_scope_id = in6_addr2scopeid(ifp, &group_tmp.sin6_addr);
420 }
421 gidx = im6o_match_group(imo, ifp, &group_tmp);
422 if (gidx == (size_t)-1) {
423 return MCAST_NOTGMEMBER;
424 }
425
426 /*
427 * Check if the source was included in an (S,G) join.
428 * Allow reception on exclusive memberships by default,
429 * reject reception on inclusive memberships by default.
430 * Exclude source only if an in-mode exclude filter exists.
431 * Include source only if an in-mode include filter exists.
432 * NOTE: We are comparing group state here at MLD t1 (now)
433 * with socket-layer t0 (since last downcall).
434 */
435 mode = imo->im6o_mfilters[gidx].im6f_st[1];
436 ims = im6o_match_source(imo, gidx, src);
437
438 if ((ims == NULL && mode == MCAST_INCLUDE) ||
439 (ims != NULL && ims->im6sl_st[0] != mode)) {
440 return MCAST_NOTSMEMBER;
441 }
442
443 return MCAST_PASS;
444 }
445
446 /*
447 * Find and return a reference to an in6_multi record for (ifp, group),
448 * and bump its reference count.
449 * If one does not exist, try to allocate it, and update link-layer multicast
450 * filters on ifp to listen for group.
451 * Assumes the IN6_MULTI lock is held across the call.
452 * Return 0 if successful, otherwise return an appropriate error code.
453 */
454 static int
in6_mc_get(struct ifnet * ifp,const struct in6_addr * group,struct in6_multi ** pinm)455 in6_mc_get(struct ifnet *ifp, const struct in6_addr *group,
456 struct in6_multi **pinm)
457 {
458 struct sockaddr_in6 gsin6;
459 struct ifmultiaddr *ifma;
460 struct in6_multi *inm;
461 int error;
462
463 *pinm = NULL;
464
465 in6_multihead_lock_shared();
466 IN6_LOOKUP_MULTI(group, ifp, inm);
467 if (inm != NULL) {
468 IN6M_LOCK(inm);
469 VERIFY(inm->in6m_reqcnt >= 1);
470 inm->in6m_reqcnt++;
471 VERIFY(inm->in6m_reqcnt != 0);
472 *pinm = inm;
473 IN6M_UNLOCK(inm);
474 in6_multihead_lock_done();
475 /*
476 * We already joined this group; return the in6m
477 * with a refcount held (via lookup) for caller.
478 */
479 return 0;
480 }
481 in6_multihead_lock_done();
482
483 memset(&gsin6, 0, sizeof(gsin6));
484 gsin6.sin6_family = AF_INET6;
485 gsin6.sin6_len = sizeof(struct sockaddr_in6);
486 gsin6.sin6_addr = *group;
487
488 /*
489 * Check if a link-layer group is already associated
490 * with this network-layer group on the given ifnet.
491 */
492 error = if_addmulti(ifp, (struct sockaddr *)&gsin6, &ifma);
493 if (error != 0) {
494 return error;
495 }
496
497 /*
498 * See comments in in6m_remref() for access to ifma_protospec.
499 */
500 in6_multihead_lock_exclusive();
501 IFMA_LOCK(ifma);
502 if ((inm = ifma->ifma_protospec) != NULL) {
503 VERIFY(ifma->ifma_addr != NULL);
504 VERIFY(ifma->ifma_addr->sa_family == AF_INET6);
505 IN6M_ADDREF(inm); /* for caller */
506 IFMA_UNLOCK(ifma);
507 IN6M_LOCK(inm);
508 VERIFY(inm->in6m_ifma == ifma);
509 VERIFY(inm->in6m_ifp == ifp);
510 VERIFY(in6_are_addr_equal_scoped(&inm->in6m_addr, group, inm->ifscope, ifp->if_index));
511 if (inm->in6m_debug & IFD_ATTACHED) {
512 VERIFY(inm->in6m_reqcnt >= 1);
513 inm->in6m_reqcnt++;
514 VERIFY(inm->in6m_reqcnt != 0);
515 *pinm = inm;
516 IN6M_UNLOCK(inm);
517 in6_multihead_lock_done();
518 IFMA_REMREF(ifma);
519 /*
520 * We lost the race with another thread doing
521 * in6_mc_get(); since this group has already
522 * been joined; return the inm with a refcount
523 * held for caller.
524 */
525 return 0;
526 }
527 /*
528 * We lost the race with another thread doing in6_delmulti();
529 * the inm referring to the ifma has been detached, thus we
530 * reattach it back to the in6_multihead list, and return the
531 * inm with a refcount held for the caller.
532 */
533 in6_multi_attach(inm);
534 VERIFY((inm->in6m_debug &
535 (IFD_ATTACHED | IFD_TRASHED)) == IFD_ATTACHED);
536 *pinm = inm;
537 IN6M_UNLOCK(inm);
538 in6_multihead_lock_done();
539 IFMA_REMREF(ifma);
540 return 0;
541 }
542 IFMA_UNLOCK(ifma);
543
544 /*
545 * A new in6_multi record is needed; allocate and initialize it.
546 * We DO NOT perform an MLD join as the in6_ layer may need to
547 * push an initial source list down to MLD to support SSM.
548 *
549 * The initial source filter state is INCLUDE, {} as per the RFC.
550 * Pending state-changes per group are subject to a bounds check.
551 */
552 inm = in6_multi_alloc(Z_WAITOK);
553
554 IN6M_LOCK(inm);
555 inm->in6m_addr = *group;
556 inm->ifscope = in6_addr2scopeid(ifp, &inm->in6m_addr);
557 inm->in6m_ifp = ifp;
558 inm->in6m_mli = MLD_IFINFO(ifp);
559 VERIFY(inm->in6m_mli != NULL);
560 MLI_ADDREF(inm->in6m_mli);
561 inm->in6m_ifma = ifma; /* keep refcount from if_addmulti() */
562 inm->in6m_state = MLD_NOT_MEMBER;
563 /*
564 * Pending state-changes per group are subject to a bounds check.
565 */
566 inm->in6m_scq.ifq_maxlen = MLD_MAX_STATE_CHANGES;
567 inm->in6m_st[0].iss_fmode = MCAST_UNDEFINED;
568 inm->in6m_st[1].iss_fmode = MCAST_UNDEFINED;
569 RB_INIT(&inm->in6m_srcs);
570 *pinm = inm;
571 in6_multi_attach(inm);
572 VERIFY((inm->in6m_debug &
573 (IFD_ATTACHED | IFD_TRASHED)) == IFD_ATTACHED);
574 IN6M_ADDREF_LOCKED(inm); /* for caller */
575 IN6M_UNLOCK(inm);
576
577 IFMA_LOCK(ifma);
578 VERIFY(ifma->ifma_protospec == NULL);
579 ifma->ifma_protospec = inm;
580 IFMA_UNLOCK(ifma);
581 in6_multihead_lock_done();
582
583 return 0;
584 }
585
586 /*
587 * Clear recorded source entries for a group.
588 * Used by the MLD code. Caller must hold the IN6_MULTI lock.
589 * FIXME: Should reap.
590 */
591 void
in6m_clear_recorded(struct in6_multi * inm)592 in6m_clear_recorded(struct in6_multi *inm)
593 {
594 struct ip6_msource *ims;
595
596 IN6M_LOCK_ASSERT_HELD(inm);
597
598 RB_FOREACH(ims, ip6_msource_tree, &inm->in6m_srcs) {
599 if (ims->im6s_stp) {
600 ims->im6s_stp = 0;
601 --inm->in6m_st[1].iss_rec;
602 }
603 }
604 VERIFY(inm->in6m_st[1].iss_rec == 0);
605 }
606
607 /*
608 * Record a source as pending for a Source-Group MLDv2 query.
609 * This lives here as it modifies the shared tree.
610 *
611 * inm is the group descriptor.
612 * naddr is the address of the source to record in network-byte order.
613 *
614 * If the net.inet6.mld.sgalloc sysctl is non-zero, we will
615 * lazy-allocate a source node in response to an SG query.
616 * Otherwise, no allocation is performed. This saves some memory
617 * with the trade-off that the source will not be reported to the
618 * router if joined in the window between the query response and
619 * the group actually being joined on the local host.
620 *
621 * VIMAGE: XXX: Currently the mld_sgalloc feature has been removed.
622 * This turns off the allocation of a recorded source entry if
623 * the group has not been joined.
624 *
625 * Return 0 if the source didn't exist or was already marked as recorded.
626 * Return 1 if the source was marked as recorded by this function.
627 * Return <0 if any error occured (negated errno code).
628 */
629 int
in6m_record_source(struct in6_multi * inm,const struct in6_addr * addr)630 in6m_record_source(struct in6_multi *inm, const struct in6_addr *addr)
631 {
632 struct ip6_msource find;
633 struct ip6_msource *ims, *nims;
634
635 IN6M_LOCK_ASSERT_HELD(inm);
636
637 find.im6s_addr = *addr;
638 ims = RB_FIND(ip6_msource_tree, &inm->in6m_srcs, &find);
639 if (ims && ims->im6s_stp) {
640 return 0;
641 }
642 if (ims == NULL) {
643 if (inm->in6m_nsrc == in6_mcast_maxgrpsrc) {
644 return -ENOSPC;
645 }
646 nims = ip6ms_alloc(Z_WAITOK);
647 nims->im6s_addr = find.im6s_addr;
648 RB_INSERT(ip6_msource_tree, &inm->in6m_srcs, nims);
649 ++inm->in6m_nsrc;
650 ims = nims;
651 }
652
653 /*
654 * Mark the source as recorded and update the recorded
655 * source count.
656 */
657 ++ims->im6s_stp;
658 ++inm->in6m_st[1].iss_rec;
659
660 return 1;
661 }
662
663 /*
664 * Return a pointer to an in6_msource owned by an in6_mfilter,
665 * given its source address.
666 * Lazy-allocate if needed. If this is a new entry its filter state is
667 * undefined at t0.
668 *
669 * imf is the filter set being modified.
670 * addr is the source address.
671 *
672 * Caller is expected to be holding im6o_lock.
673 */
674 static int
im6f_get_source(struct in6_mfilter * imf,const struct sockaddr_in6 * psin,struct in6_msource ** plims)675 im6f_get_source(struct in6_mfilter *imf, const struct sockaddr_in6 *psin,
676 struct in6_msource **plims)
677 {
678 struct ip6_msource find;
679 struct ip6_msource *ims;
680 struct in6_msource *lims;
681 int error;
682
683 error = 0;
684 ims = NULL;
685 lims = NULL;
686
687 find.im6s_addr = psin->sin6_addr;
688 ims = RB_FIND(ip6_msource_tree, &imf->im6f_sources, &find);
689 lims = (struct in6_msource *)ims;
690 if (lims == NULL) {
691 if (imf->im6f_nsrc == in6_mcast_maxsocksrc) {
692 return ENOSPC;
693 }
694 lims = in6ms_alloc(Z_WAITOK);
695 lims->im6s_addr = find.im6s_addr;
696 lims->im6sl_st[0] = MCAST_UNDEFINED;
697 RB_INSERT(ip6_msource_tree, &imf->im6f_sources,
698 (struct ip6_msource *)lims);
699 ++imf->im6f_nsrc;
700 }
701
702 *plims = lims;
703
704 return error;
705 }
706
707 /*
708 * Graft a source entry into an existing socket-layer filter set,
709 * maintaining any required invariants and checking allocations.
710 *
711 * The source is marked as being in the new filter mode at t1.
712 *
713 * Return the pointer to the new node, otherwise return NULL.
714 *
715 * Caller is expected to be holding im6o_lock.
716 */
717 static struct in6_msource *
im6f_graft(struct in6_mfilter * imf,const uint8_t st1,const struct sockaddr_in6 * psin)718 im6f_graft(struct in6_mfilter *imf, const uint8_t st1,
719 const struct sockaddr_in6 *psin)
720 {
721 struct in6_msource *lims;
722
723 lims = in6ms_alloc(Z_WAITOK);
724 lims->im6s_addr = psin->sin6_addr;
725 lims->im6sl_st[0] = MCAST_UNDEFINED;
726 lims->im6sl_st[1] = st1;
727 RB_INSERT(ip6_msource_tree, &imf->im6f_sources,
728 (struct ip6_msource *)lims);
729 ++imf->im6f_nsrc;
730
731 return lims;
732 }
733
734 /*
735 * Prune a source entry from an existing socket-layer filter set,
736 * maintaining any required invariants and checking allocations.
737 *
738 * The source is marked as being left at t1, it is not freed.
739 *
740 * Return 0 if no error occurred, otherwise return an errno value.
741 *
742 * Caller is expected to be holding im6o_lock.
743 */
744 static int
im6f_prune(struct in6_mfilter * imf,const struct sockaddr_in6 * psin)745 im6f_prune(struct in6_mfilter *imf, const struct sockaddr_in6 *psin)
746 {
747 struct ip6_msource find;
748 struct ip6_msource *ims;
749 struct in6_msource *lims;
750
751 find.im6s_addr = psin->sin6_addr;
752 ims = RB_FIND(ip6_msource_tree, &imf->im6f_sources, &find);
753 if (ims == NULL) {
754 return ENOENT;
755 }
756 lims = (struct in6_msource *)ims;
757 lims->im6sl_st[1] = MCAST_UNDEFINED;
758 return 0;
759 }
760
761 /*
762 * Revert socket-layer filter set deltas at t1 to t0 state.
763 *
764 * Caller is expected to be holding im6o_lock.
765 */
766 static void
im6f_rollback(struct in6_mfilter * imf)767 im6f_rollback(struct in6_mfilter *imf)
768 {
769 struct ip6_msource *ims, *tims;
770 struct in6_msource *lims;
771
772 RB_FOREACH_SAFE(ims, ip6_msource_tree, &imf->im6f_sources, tims) {
773 lims = (struct in6_msource *)ims;
774 if (lims->im6sl_st[0] == lims->im6sl_st[1]) {
775 /* no change at t1 */
776 continue;
777 } else if (lims->im6sl_st[0] != MCAST_UNDEFINED) {
778 /* revert change to existing source at t1 */
779 lims->im6sl_st[1] = lims->im6sl_st[0];
780 } else {
781 /* revert source added t1 */
782 MLD_PRINTF(("%s: free in6ms 0x%llx\n", __func__,
783 (uint64_t)VM_KERNEL_ADDRPERM(lims)));
784 RB_REMOVE(ip6_msource_tree, &imf->im6f_sources, ims);
785 in6ms_free(lims);
786 imf->im6f_nsrc--;
787 }
788 }
789 imf->im6f_st[1] = imf->im6f_st[0];
790 }
791
792 /*
793 * Mark socket-layer filter set as INCLUDE {} at t1.
794 *
795 * Caller is expected to be holding im6o_lock.
796 */
797 void
im6f_leave(struct in6_mfilter * imf)798 im6f_leave(struct in6_mfilter *imf)
799 {
800 struct ip6_msource *ims;
801 struct in6_msource *lims;
802
803 RB_FOREACH(ims, ip6_msource_tree, &imf->im6f_sources) {
804 lims = (struct in6_msource *)ims;
805 lims->im6sl_st[1] = MCAST_UNDEFINED;
806 }
807 imf->im6f_st[1] = MCAST_INCLUDE;
808 }
809
810 /*
811 * Mark socket-layer filter set deltas as committed.
812 *
813 * Caller is expected to be holding im6o_lock.
814 */
815 static void
im6f_commit(struct in6_mfilter * imf)816 im6f_commit(struct in6_mfilter *imf)
817 {
818 struct ip6_msource *ims;
819 struct in6_msource *lims;
820
821 RB_FOREACH(ims, ip6_msource_tree, &imf->im6f_sources) {
822 lims = (struct in6_msource *)ims;
823 lims->im6sl_st[0] = lims->im6sl_st[1];
824 }
825 imf->im6f_st[0] = imf->im6f_st[1];
826 }
827
828 /*
829 * Reap unreferenced sources from socket-layer filter set.
830 *
831 * Caller is expected to be holding im6o_lock.
832 */
833 static void
im6f_reap(struct in6_mfilter * imf)834 im6f_reap(struct in6_mfilter *imf)
835 {
836 struct ip6_msource *ims, *tims;
837 struct in6_msource *lims;
838
839 RB_FOREACH_SAFE(ims, ip6_msource_tree, &imf->im6f_sources, tims) {
840 lims = (struct in6_msource *)ims;
841 if ((lims->im6sl_st[0] == MCAST_UNDEFINED) &&
842 (lims->im6sl_st[1] == MCAST_UNDEFINED)) {
843 MLD_PRINTF(("%s: free in6ms 0x%llx\n", __func__,
844 (uint64_t)VM_KERNEL_ADDRPERM(lims)));
845 RB_REMOVE(ip6_msource_tree, &imf->im6f_sources, ims);
846 in6ms_free(lims);
847 imf->im6f_nsrc--;
848 }
849 }
850 }
851
852 /*
853 * Purge socket-layer filter set.
854 *
855 * Caller is expected to be holding im6o_lock.
856 */
857 void
im6f_purge(struct in6_mfilter * imf)858 im6f_purge(struct in6_mfilter *imf)
859 {
860 struct ip6_msource *ims, *tims;
861 struct in6_msource *lims;
862
863 RB_FOREACH_SAFE(ims, ip6_msource_tree, &imf->im6f_sources, tims) {
864 lims = (struct in6_msource *)ims;
865 MLD_PRINTF(("%s: free in6ms 0x%llx\n", __func__,
866 (uint64_t)VM_KERNEL_ADDRPERM(lims)));
867 RB_REMOVE(ip6_msource_tree, &imf->im6f_sources, ims);
868 in6ms_free(lims);
869 imf->im6f_nsrc--;
870 }
871 imf->im6f_st[0] = imf->im6f_st[1] = MCAST_UNDEFINED;
872 VERIFY(RB_EMPTY(&imf->im6f_sources));
873 }
874
875 /*
876 * Look up a source filter entry for a multicast group.
877 *
878 * inm is the group descriptor to work with.
879 * addr is the IPv6 address to look up.
880 * noalloc may be non-zero to suppress allocation of sources.
881 * *pims will be set to the address of the retrieved or allocated source.
882 *
883 * Return 0 if successful, otherwise return a non-zero error code.
884 */
885 static int
in6m_get_source(struct in6_multi * inm,const struct in6_addr * addr,const int noalloc,struct ip6_msource ** pims)886 in6m_get_source(struct in6_multi *inm, const struct in6_addr *addr,
887 const int noalloc, struct ip6_msource **pims)
888 {
889 struct ip6_msource find;
890 struct ip6_msource *ims, *nims;
891
892 IN6M_LOCK_ASSERT_HELD(inm);
893
894 find.im6s_addr = *addr;
895 ims = RB_FIND(ip6_msource_tree, &inm->in6m_srcs, &find);
896 if (ims == NULL && !noalloc) {
897 if (inm->in6m_nsrc == in6_mcast_maxgrpsrc) {
898 return ENOSPC;
899 }
900 nims = ip6ms_alloc(Z_WAITOK);
901 nims->im6s_addr = *addr;
902 RB_INSERT(ip6_msource_tree, &inm->in6m_srcs, nims);
903 ++inm->in6m_nsrc;
904 ims = nims;
905 MLD_PRINTF(("%s: allocated %s as 0x%llx\n", __func__,
906 ip6_sprintf(addr), (uint64_t)VM_KERNEL_ADDRPERM(ims)));
907 }
908
909 *pims = ims;
910 return 0;
911 }
912
913 /*
914 * Helper function to derive the filter mode on a source entry
915 * from its internal counters. Predicates are:
916 * A source is only excluded if all listeners exclude it.
917 * A source is only included if no listeners exclude it,
918 * and at least one listener includes it.
919 * May be used by ifmcstat(8).
920 */
921 uint8_t
im6s_get_mode(const struct in6_multi * inm,const struct ip6_msource * ims,uint8_t t)922 im6s_get_mode(const struct in6_multi *inm, const struct ip6_msource *ims,
923 uint8_t t)
924 {
925 IN6M_LOCK_ASSERT_HELD(__DECONST(struct in6_multi *, inm));
926
927 t = !!t;
928 if (inm->in6m_st[t].iss_ex > 0 &&
929 inm->in6m_st[t].iss_ex == ims->im6s_st[t].ex) {
930 return MCAST_EXCLUDE;
931 } else if (ims->im6s_st[t].in > 0 && ims->im6s_st[t].ex == 0) {
932 return MCAST_INCLUDE;
933 }
934 return MCAST_UNDEFINED;
935 }
936
937 /*
938 * Merge socket-layer source into MLD-layer source.
939 * If rollback is non-zero, perform the inverse of the merge.
940 */
941 static void
im6s_merge(struct ip6_msource * ims,const struct in6_msource * lims,const int rollback)942 im6s_merge(struct ip6_msource *ims, const struct in6_msource *lims,
943 const int rollback)
944 {
945 int n = rollback ? -1 : 1;
946
947 if (lims->im6sl_st[0] == MCAST_EXCLUDE) {
948 MLD_PRINTF(("%s: t1 ex -= %d on %s\n", __func__, n,
949 ip6_sprintf(&lims->im6s_addr)));
950 ims->im6s_st[1].ex -= n;
951 } else if (lims->im6sl_st[0] == MCAST_INCLUDE) {
952 MLD_PRINTF(("%s: t1 in -= %d on %s\n", __func__, n,
953 ip6_sprintf(&lims->im6s_addr)));
954 ims->im6s_st[1].in -= n;
955 }
956
957 if (lims->im6sl_st[1] == MCAST_EXCLUDE) {
958 MLD_PRINTF(("%s: t1 ex += %d on %s\n", __func__, n,
959 ip6_sprintf(&lims->im6s_addr)));
960 ims->im6s_st[1].ex += n;
961 } else if (lims->im6sl_st[1] == MCAST_INCLUDE) {
962 MLD_PRINTF(("%s: t1 in += %d on %s\n", __func__, n,
963 ip6_sprintf(&lims->im6s_addr)));
964 ims->im6s_st[1].in += n;
965 }
966 }
967
968 /*
969 * Atomically update the global in6_multi state, when a membership's
970 * filter list is being updated in any way.
971 *
972 * imf is the per-inpcb-membership group filter pointer.
973 * A fake imf may be passed for in-kernel consumers.
974 *
975 * XXX This is a candidate for a set-symmetric-difference style loop
976 * which would eliminate the repeated lookup from root of ims nodes,
977 * as they share the same key space.
978 *
979 * If any error occurred this function will back out of refcounts
980 * and return a non-zero value.
981 */
982 static int
in6m_merge(struct in6_multi * inm,struct in6_mfilter * imf)983 in6m_merge(struct in6_multi *inm, /*const*/ struct in6_mfilter *imf)
984 {
985 struct ip6_msource *ims, *nims = NULL;
986 struct in6_msource *lims;
987 int schanged, error;
988 int nsrc0, nsrc1;
989
990 IN6M_LOCK_ASSERT_HELD(inm);
991
992 schanged = 0;
993 error = 0;
994 nsrc1 = nsrc0 = 0;
995
996 /*
997 * Update the source filters first, as this may fail.
998 * Maintain count of in-mode filters at t0, t1. These are
999 * used to work out if we transition into ASM mode or not.
1000 * Maintain a count of source filters whose state was
1001 * actually modified by this operation.
1002 */
1003 RB_FOREACH(ims, ip6_msource_tree, &imf->im6f_sources) {
1004 lims = (struct in6_msource *)ims;
1005 if (lims->im6sl_st[0] == imf->im6f_st[0]) {
1006 nsrc0++;
1007 }
1008 if (lims->im6sl_st[1] == imf->im6f_st[1]) {
1009 nsrc1++;
1010 }
1011 if (lims->im6sl_st[0] == lims->im6sl_st[1]) {
1012 continue;
1013 }
1014 error = in6m_get_source(inm, &lims->im6s_addr, 0, &nims);
1015 ++schanged;
1016 if (error) {
1017 break;
1018 }
1019 im6s_merge(nims, lims, 0);
1020 }
1021 if (error) {
1022 struct ip6_msource *bims;
1023
1024 RB_FOREACH_REVERSE_FROM(ims, ip6_msource_tree, nims) {
1025 lims = (struct in6_msource *)ims;
1026 if (lims->im6sl_st[0] == lims->im6sl_st[1]) {
1027 continue;
1028 }
1029 (void) in6m_get_source(inm, &lims->im6s_addr, 1, &bims);
1030 if (bims == NULL) {
1031 continue;
1032 }
1033 im6s_merge(bims, lims, 1);
1034 }
1035 goto out_reap;
1036 }
1037
1038 MLD_PRINTF(("%s: imf filters in-mode: %d at t0, %d at t1\n",
1039 __func__, nsrc0, nsrc1));
1040
1041 /* Handle transition between INCLUDE {n} and INCLUDE {} on socket. */
1042 if (imf->im6f_st[0] == imf->im6f_st[1] &&
1043 imf->im6f_st[1] == MCAST_INCLUDE) {
1044 if (nsrc1 == 0) {
1045 MLD_PRINTF(("%s: --in on inm at t1\n", __func__));
1046 --inm->in6m_st[1].iss_in;
1047 }
1048 }
1049
1050 /* Handle filter mode transition on socket. */
1051 if (imf->im6f_st[0] != imf->im6f_st[1]) {
1052 MLD_PRINTF(("%s: imf transition %d to %d\n",
1053 __func__, imf->im6f_st[0], imf->im6f_st[1]));
1054
1055 if (imf->im6f_st[0] == MCAST_EXCLUDE) {
1056 MLD_PRINTF(("%s: --ex on inm at t1\n", __func__));
1057 --inm->in6m_st[1].iss_ex;
1058 } else if (imf->im6f_st[0] == MCAST_INCLUDE) {
1059 MLD_PRINTF(("%s: --in on inm at t1\n", __func__));
1060 --inm->in6m_st[1].iss_in;
1061 }
1062
1063 if (imf->im6f_st[1] == MCAST_EXCLUDE) {
1064 MLD_PRINTF(("%s: ex++ on inm at t1\n", __func__));
1065 inm->in6m_st[1].iss_ex++;
1066 } else if (imf->im6f_st[1] == MCAST_INCLUDE && nsrc1 > 0) {
1067 MLD_PRINTF(("%s: in++ on inm at t1\n", __func__));
1068 inm->in6m_st[1].iss_in++;
1069 }
1070 }
1071
1072 /*
1073 * Track inm filter state in terms of listener counts.
1074 * If there are any exclusive listeners, stack-wide
1075 * membership is exclusive.
1076 * Otherwise, if only inclusive listeners, stack-wide is inclusive.
1077 * If no listeners remain, state is undefined at t1,
1078 * and the MLD lifecycle for this group should finish.
1079 */
1080 if (inm->in6m_st[1].iss_ex > 0) {
1081 MLD_PRINTF(("%s: transition to EX\n", __func__));
1082 inm->in6m_st[1].iss_fmode = MCAST_EXCLUDE;
1083 } else if (inm->in6m_st[1].iss_in > 0) {
1084 MLD_PRINTF(("%s: transition to IN\n", __func__));
1085 inm->in6m_st[1].iss_fmode = MCAST_INCLUDE;
1086 } else {
1087 MLD_PRINTF(("%s: transition to UNDEF\n", __func__));
1088 inm->in6m_st[1].iss_fmode = MCAST_UNDEFINED;
1089 }
1090
1091 /* Decrement ASM listener count on transition out of ASM mode. */
1092 if (imf->im6f_st[0] == MCAST_EXCLUDE && nsrc0 == 0) {
1093 if ((imf->im6f_st[1] != MCAST_EXCLUDE) ||
1094 (imf->im6f_st[1] == MCAST_EXCLUDE && nsrc1 > 0)) {
1095 MLD_PRINTF(("%s: --asm on inm at t1\n", __func__));
1096 --inm->in6m_st[1].iss_asm;
1097 }
1098 }
1099
1100 /* Increment ASM listener count on transition to ASM mode. */
1101 if (imf->im6f_st[1] == MCAST_EXCLUDE && nsrc1 == 0) {
1102 MLD_PRINTF(("%s: asm++ on inm at t1\n", __func__));
1103 inm->in6m_st[1].iss_asm++;
1104 }
1105
1106 MLD_PRINTF(("%s: merged imf 0x%llx to inm 0x%llx\n", __func__,
1107 (uint64_t)VM_KERNEL_ADDRPERM(imf),
1108 (uint64_t)VM_KERNEL_ADDRPERM(inm)));
1109 in6m_print(inm);
1110
1111 out_reap:
1112 if (schanged > 0) {
1113 MLD_PRINTF(("%s: sources changed; reaping\n", __func__));
1114 in6m_reap(inm);
1115 }
1116 return error;
1117 }
1118
1119 /*
1120 * Mark an in6_multi's filter set deltas as committed.
1121 * Called by MLD after a state change has been enqueued.
1122 */
1123 void
in6m_commit(struct in6_multi * inm)1124 in6m_commit(struct in6_multi *inm)
1125 {
1126 struct ip6_msource *ims;
1127
1128 IN6M_LOCK_ASSERT_HELD(inm);
1129
1130 MLD_PRINTF(("%s: commit inm 0x%llx\n", __func__,
1131 (uint64_t)VM_KERNEL_ADDRPERM(inm)));
1132 MLD_PRINTF(("%s: pre commit:\n", __func__));
1133 in6m_print(inm);
1134
1135 RB_FOREACH(ims, ip6_msource_tree, &inm->in6m_srcs) {
1136 ims->im6s_st[0] = ims->im6s_st[1];
1137 }
1138 inm->in6m_st[0] = inm->in6m_st[1];
1139 }
1140
1141 /*
1142 * Reap unreferenced nodes from an in6_multi's filter set.
1143 */
1144 static void
in6m_reap(struct in6_multi * inm)1145 in6m_reap(struct in6_multi *inm)
1146 {
1147 struct ip6_msource *ims, *tims;
1148
1149 IN6M_LOCK_ASSERT_HELD(inm);
1150
1151 RB_FOREACH_SAFE(ims, ip6_msource_tree, &inm->in6m_srcs, tims) {
1152 if (ims->im6s_st[0].ex > 0 || ims->im6s_st[0].in > 0 ||
1153 ims->im6s_st[1].ex > 0 || ims->im6s_st[1].in > 0 ||
1154 ims->im6s_stp != 0) {
1155 continue;
1156 }
1157 MLD_PRINTF(("%s: free ims 0x%llx\n", __func__,
1158 (uint64_t)VM_KERNEL_ADDRPERM(ims)));
1159 RB_REMOVE(ip6_msource_tree, &inm->in6m_srcs, ims);
1160 ip6ms_free(ims);
1161 inm->in6m_nsrc--;
1162 }
1163 }
1164
1165 /*
1166 * Purge all source nodes from an in6_multi's filter set.
1167 */
1168 void
in6m_purge(struct in6_multi * inm)1169 in6m_purge(struct in6_multi *inm)
1170 {
1171 struct ip6_msource *ims, *tims;
1172
1173 IN6M_LOCK_ASSERT_HELD(inm);
1174
1175 RB_FOREACH_SAFE(ims, ip6_msource_tree, &inm->in6m_srcs, tims) {
1176 MLD_PRINTF(("%s: free ims 0x%llx\n", __func__,
1177 (uint64_t)VM_KERNEL_ADDRPERM(ims)));
1178 RB_REMOVE(ip6_msource_tree, &inm->in6m_srcs, ims);
1179 ip6ms_free(ims);
1180 inm->in6m_nsrc--;
1181 }
1182 }
1183
1184 /*
1185 * Join a multicast address w/o sources.
1186 * KAME compatibility entry point.
1187 *
1188 */
1189 struct in6_multi_mship *
in6_joingroup(struct ifnet * ifp,struct in6_addr * mcaddr,int * errorp,int delay)1190 in6_joingroup(struct ifnet *ifp, struct in6_addr *mcaddr,
1191 int *errorp, int delay)
1192 {
1193 struct in6_multi_mship *imm;
1194 int error;
1195
1196 *errorp = 0;
1197
1198 imm = in6_multi_mship_alloc(Z_WAITOK);
1199
1200 error = in6_mc_join(ifp, mcaddr, NULL, &imm->i6mm_maddr, delay);
1201 if (error) {
1202 *errorp = error;
1203 in6_multi_mship_free(imm);
1204 return NULL;
1205 }
1206
1207 return imm;
1208 }
1209
1210 /*
1211 * Leave a multicast address w/o sources.
1212 * KAME compatibility entry point.
1213 */
1214 int
in6_leavegroup(struct in6_multi_mship * imm)1215 in6_leavegroup(struct in6_multi_mship *imm)
1216 {
1217 if (imm->i6mm_maddr != NULL) {
1218 in6_mc_leave(imm->i6mm_maddr, NULL);
1219 IN6M_REMREF(imm->i6mm_maddr);
1220 imm->i6mm_maddr = NULL;
1221 }
1222 in6_multi_mship_free(imm);
1223 return 0;
1224 }
1225
1226 /*
1227 * Join a multicast group; real entry point.
1228 *
1229 * Only preserves atomicity at inm level.
1230 * NOTE: imf argument cannot be const due to sys/tree.h limitations.
1231 *
1232 * If the MLD downcall fails, the group is not joined, and an error
1233 * code is returned.
1234 */
1235 int
in6_mc_join(struct ifnet * ifp,const struct in6_addr * mcaddr,struct in6_mfilter * imf,struct in6_multi ** pinm,const int delay)1236 in6_mc_join(struct ifnet *ifp, const struct in6_addr *mcaddr,
1237 /*const*/ struct in6_mfilter *imf, struct in6_multi **pinm,
1238 const int delay)
1239 {
1240 struct in6_mfilter timf;
1241 struct in6_multi *inm = NULL;
1242 int error = 0;
1243 struct mld_tparams mtp;
1244
1245 /*
1246 * Sanity: Check scope zone ID was set for ifp, if and
1247 * only if group is scoped to an interface.
1248 */
1249 VERIFY(IN6_IS_ADDR_MULTICAST(mcaddr));
1250 if (in6_embedded_scope && (IN6_IS_ADDR_MC_LINKLOCAL(mcaddr) ||
1251 IN6_IS_ADDR_MC_INTFACELOCAL(mcaddr))) {
1252 VERIFY(mcaddr->s6_addr16[1] != 0);
1253 }
1254
1255 MLD_PRINTF(("%s: join %s on 0x%llx(%s))\n", __func__,
1256 ip6_sprintf(mcaddr), (uint64_t)VM_KERNEL_ADDRPERM(ifp),
1257 if_name(ifp)));
1258
1259 bzero(&mtp, sizeof(mtp));
1260 *pinm = NULL;
1261
1262 /*
1263 * If no imf was specified (i.e. kernel consumer),
1264 * fake one up and assume it is an ASM join.
1265 */
1266 if (imf == NULL) {
1267 im6f_init(&timf, MCAST_UNDEFINED, MCAST_EXCLUDE);
1268 imf = &timf;
1269 }
1270
1271 error = in6_mc_get(ifp, mcaddr, &inm);
1272 if (error) {
1273 MLD_PRINTF(("%s: in6_mc_get() failure\n", __func__));
1274 return error;
1275 }
1276
1277 MLD_PRINTF(("%s: merge inm state\n", __func__));
1278
1279 IN6M_LOCK(inm);
1280 error = in6m_merge(inm, imf);
1281 if (error) {
1282 MLD_PRINTF(("%s: failed to merge inm state\n", __func__));
1283 goto out_in6m_release;
1284 }
1285
1286 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
1287 error = mld_change_state(inm, &mtp, delay);
1288 if (error) {
1289 MLD_PRINTF(("%s: failed to update source\n", __func__));
1290 im6f_rollback(imf);
1291 goto out_in6m_release;
1292 }
1293
1294 out_in6m_release:
1295 if (error) {
1296 MLD_PRINTF(("%s: dropping ref on 0x%llx\n", __func__,
1297 (uint64_t)VM_KERNEL_ADDRPERM(inm)));
1298 IN6M_UNLOCK(inm);
1299 IN6M_REMREF(inm);
1300 } else {
1301 IN6M_UNLOCK(inm);
1302 *pinm = inm; /* keep refcount from in6_mc_get() */
1303 }
1304
1305 /* schedule timer now that we've dropped the lock(s) */
1306 mld_set_timeout(&mtp);
1307
1308 return error;
1309 }
1310
1311 /*
1312 * Leave a multicast group; real entry point.
1313 * All source filters will be expunged.
1314 *
1315 * Only preserves atomicity at inm level.
1316 *
1317 * Holding the write lock for the INP which contains imf
1318 * is highly advisable. We can't assert for it as imf does not
1319 * contain a back-pointer to the owning inp.
1320 *
1321 * Note: This is not the same as in6m_release(*) as this function also
1322 * makes a state change downcall into MLD.
1323 */
1324 int
in6_mc_leave(struct in6_multi * inm,struct in6_mfilter * imf)1325 in6_mc_leave(struct in6_multi *inm, /*const*/ struct in6_mfilter *imf)
1326 {
1327 struct in6_mfilter timf;
1328 int error, lastref;
1329 struct mld_tparams mtp;
1330
1331 bzero(&mtp, sizeof(mtp));
1332 error = 0;
1333
1334 IN6M_LOCK_ASSERT_NOTHELD(inm);
1335
1336 in6_multihead_lock_exclusive();
1337 IN6M_LOCK(inm);
1338
1339 MLD_PRINTF(("%s: leave inm 0x%llx, %s/%s%d, imf 0x%llx\n", __func__,
1340 (uint64_t)VM_KERNEL_ADDRPERM(inm), ip6_sprintf(&inm->in6m_addr),
1341 (in6m_is_ifp_detached(inm) ? "null" : inm->in6m_ifp->if_name),
1342 inm->in6m_ifp->if_unit, (uint64_t)VM_KERNEL_ADDRPERM(imf)));
1343
1344 /*
1345 * If no imf was specified (i.e. kernel consumer),
1346 * fake one up and assume it is an ASM join.
1347 */
1348 if (imf == NULL) {
1349 im6f_init(&timf, MCAST_EXCLUDE, MCAST_UNDEFINED);
1350 imf = &timf;
1351 }
1352
1353 /*
1354 * Begin state merge transaction at MLD layer.
1355 *
1356 * As this particular invocation should not cause any memory
1357 * to be allocated, and there is no opportunity to roll back
1358 * the transaction, it MUST NOT fail.
1359 */
1360 MLD_PRINTF(("%s: merge inm state\n", __func__));
1361
1362 error = in6m_merge(inm, imf);
1363 KASSERT(error == 0, ("%s: failed to merge inm state\n", __func__));
1364
1365 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
1366 error = mld_change_state(inm, &mtp, 0);
1367 #if MLD_DEBUG
1368 if (error) {
1369 MLD_PRINTF(("%s: failed mld downcall\n", __func__));
1370 }
1371 #endif
1372 lastref = in6_multi_detach(inm);
1373 VERIFY(!lastref || (!(inm->in6m_debug & IFD_ATTACHED) &&
1374 inm->in6m_reqcnt == 0));
1375 IN6M_UNLOCK(inm);
1376 in6_multihead_lock_done();
1377
1378 if (lastref) {
1379 IN6M_REMREF(inm); /* for in6_multihead list */
1380 }
1381 /* schedule timer now that we've dropped the lock(s) */
1382 mld_set_timeout(&mtp);
1383
1384 return error;
1385 }
1386
1387 /*
1388 * Block or unblock an ASM multicast source on an inpcb.
1389 * This implements the delta-based API described in RFC 3678.
1390 *
1391 * The delta-based API applies only to exclusive-mode memberships.
1392 * An MLD downcall will be performed.
1393 *
1394 * Return 0 if successful, otherwise return an appropriate error code.
1395 */
1396 static int
in6p_block_unblock_source(struct inpcb * inp,struct sockopt * sopt)1397 in6p_block_unblock_source(struct inpcb *inp, struct sockopt *sopt)
1398 {
1399 struct group_source_req gsr;
1400 struct sockaddr_in6 *gsa, *ssa;
1401 struct ifnet *ifp;
1402 struct in6_mfilter *imf;
1403 struct ip6_moptions *imo;
1404 struct in6_msource *ims;
1405 struct in6_multi *inm;
1406 size_t idx;
1407 uint8_t fmode;
1408 int error, doblock;
1409 struct mld_tparams mtp;
1410
1411 bzero(&mtp, sizeof(mtp));
1412 ifp = NULL;
1413 error = 0;
1414 doblock = 0;
1415
1416 memset(&gsr, 0, sizeof(struct group_source_req));
1417 gsa = (struct sockaddr_in6 *)&gsr.gsr_group;
1418 ssa = (struct sockaddr_in6 *)&gsr.gsr_source;
1419
1420 switch (sopt->sopt_name) {
1421 case MCAST_BLOCK_SOURCE:
1422 case MCAST_UNBLOCK_SOURCE:
1423 error = sooptcopyin(sopt, &gsr,
1424 sizeof(struct group_source_req),
1425 sizeof(struct group_source_req));
1426 if (error) {
1427 return error;
1428 }
1429
1430 if (gsa->sin6_family != AF_INET6 ||
1431 gsa->sin6_len != sizeof(struct sockaddr_in6)) {
1432 return EINVAL;
1433 }
1434
1435 if (ssa->sin6_family != AF_INET6 ||
1436 ssa->sin6_len != sizeof(struct sockaddr_in6)) {
1437 return EINVAL;
1438 }
1439
1440 ifnet_head_lock_shared();
1441 if (gsr.gsr_interface == 0 ||
1442 (u_int)if_index < gsr.gsr_interface) {
1443 ifnet_head_done();
1444 return EADDRNOTAVAIL;
1445 }
1446
1447 ifp = ifindex2ifnet[gsr.gsr_interface];
1448 ifnet_head_done();
1449
1450 if (ifp == NULL) {
1451 return EADDRNOTAVAIL;
1452 }
1453
1454 if (sopt->sopt_name == MCAST_BLOCK_SOURCE) {
1455 doblock = 1;
1456 }
1457 break;
1458
1459 default:
1460 MLD_PRINTF(("%s: unknown sopt_name %d\n",
1461 __func__, sopt->sopt_name));
1462 return EOPNOTSUPP;
1463 }
1464
1465 if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr)) {
1466 return EINVAL;
1467 }
1468
1469 (void) in6_setscope(&gsa->sin6_addr, ifp, IN6_NULL_IF_EMBEDDED_SCOPE(&gsa->sin6_scope_id));
1470
1471 /*
1472 * Check if we are actually a member of this group.
1473 */
1474 imo = in6p_findmoptions(inp);
1475 if (imo == NULL) {
1476 return ENOMEM;
1477 }
1478
1479 IM6O_LOCK(imo);
1480 idx = im6o_match_group(imo, ifp, gsa);
1481 if (idx == (size_t)-1 || imo->im6o_mfilters == NULL) {
1482 error = EADDRNOTAVAIL;
1483 goto out_imo_locked;
1484 }
1485
1486 VERIFY(imo->im6o_mfilters != NULL);
1487 imf = &imo->im6o_mfilters[idx];
1488 inm = imo->im6o_membership[idx];
1489
1490 /*
1491 * Attempting to use the delta-based API on an
1492 * non exclusive-mode membership is an error.
1493 */
1494 fmode = imf->im6f_st[0];
1495 if (fmode != MCAST_EXCLUDE) {
1496 error = EINVAL;
1497 goto out_imo_locked;
1498 }
1499
1500 /*
1501 * Deal with error cases up-front:
1502 * Asked to block, but already blocked; or
1503 * Asked to unblock, but nothing to unblock.
1504 * If adding a new block entry, allocate it.
1505 */
1506 ims = im6o_match_source(imo, idx, ssa);
1507 if ((ims != NULL && doblock) || (ims == NULL && !doblock)) {
1508 MLD_PRINTF(("%s: source %s %spresent\n", __func__,
1509 ip6_sprintf(&ssa->sin6_addr),
1510 doblock ? "" : "not "));
1511 error = EADDRNOTAVAIL;
1512 goto out_imo_locked;
1513 }
1514
1515 /*
1516 * Begin state merge transaction at socket layer.
1517 */
1518 if (doblock) {
1519 MLD_PRINTF(("%s: %s source\n", __func__, "block"));
1520 ims = im6f_graft(imf, fmode, ssa);
1521 if (ims == NULL) {
1522 error = ENOMEM;
1523 }
1524 } else {
1525 MLD_PRINTF(("%s: %s source\n", __func__, "allow"));
1526 error = im6f_prune(imf, ssa);
1527 }
1528
1529 if (error) {
1530 MLD_PRINTF(("%s: merge imf state failed\n", __func__));
1531 goto out_im6f_rollback;
1532 }
1533
1534 /*
1535 * Begin state merge transaction at MLD layer.
1536 */
1537 IN6M_LOCK(inm);
1538 MLD_PRINTF(("%s: merge inm state\n", __func__));
1539 error = in6m_merge(inm, imf);
1540 if (error) {
1541 MLD_PRINTF(("%s: failed to merge inm state\n", __func__));
1542 IN6M_UNLOCK(inm);
1543 goto out_im6f_rollback;
1544 }
1545
1546 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
1547 error = mld_change_state(inm, &mtp, 0);
1548 IN6M_UNLOCK(inm);
1549 #if MLD_DEBUG
1550 if (error) {
1551 MLD_PRINTF(("%s: failed mld downcall\n", __func__));
1552 }
1553 #endif
1554
1555 out_im6f_rollback:
1556 if (error) {
1557 im6f_rollback(imf);
1558 } else {
1559 im6f_commit(imf);
1560 }
1561
1562 im6f_reap(imf);
1563
1564 out_imo_locked:
1565 IM6O_UNLOCK(imo);
1566 IM6O_REMREF(imo); /* from in6p_findmoptions() */
1567
1568 /* schedule timer now that we've dropped the lock(s) */
1569 mld_set_timeout(&mtp);
1570
1571 return error;
1572 }
1573
1574 /*
1575 * Given an inpcb, return its multicast options structure pointer. Accepts
1576 * an unlocked inpcb pointer, but will return it locked. May sleep.
1577 *
1578 */
1579 static struct ip6_moptions *
in6p_findmoptions(struct inpcb * inp)1580 in6p_findmoptions(struct inpcb *inp)
1581 {
1582 struct ip6_moptions *imo;
1583 struct in6_multi **immp;
1584 struct in6_mfilter *imfp;
1585 size_t idx;
1586
1587 if ((imo = inp->in6p_moptions) != NULL) {
1588 IM6O_ADDREF(imo); /* for caller */
1589 return imo;
1590 }
1591
1592 imo = ip6_allocmoptions(Z_WAITOK);
1593 if (imo == NULL) {
1594 return NULL;
1595 }
1596
1597 immp = kalloc_type(struct in6_multi *, IPV6_MIN_MEMBERSHIPS,
1598 Z_WAITOK | Z_ZERO | Z_NOFAIL);
1599 imfp = kalloc_type(struct in6_mfilter, IPV6_MIN_MEMBERSHIPS,
1600 Z_WAITOK | Z_ZERO | Z_NOFAIL);
1601
1602 imo->im6o_multicast_ifp = NULL;
1603 imo->im6o_multicast_hlim = (u_char)ip6_defmcasthlim;
1604 imo->im6o_multicast_loop = (u_char)in6_mcast_loop;
1605 imo->im6o_num_memberships = 0;
1606 imo->im6o_max_memberships = IPV6_MIN_MEMBERSHIPS;
1607 imo->im6o_membership = immp;
1608
1609 /* Initialize per-group source filters. */
1610 for (idx = 0; idx < IPV6_MIN_MEMBERSHIPS; idx++) {
1611 im6f_init(&imfp[idx], MCAST_UNDEFINED, MCAST_EXCLUDE);
1612 }
1613
1614 imo->im6o_mfilters = imfp;
1615 inp->in6p_moptions = imo; /* keep reference from ip6_allocmoptions() */
1616 IM6O_ADDREF(imo); /* for caller */
1617
1618 return imo;
1619 }
1620
1621 /*
1622 * Atomically get source filters on a socket for an IPv6 multicast group.
1623 * Called with INP lock held; returns with lock released.
1624 */
1625 static int
in6p_get_source_filters(struct inpcb * inp,struct sockopt * sopt)1626 in6p_get_source_filters(struct inpcb *inp, struct sockopt *sopt)
1627 {
1628 struct __msfilterreq64 msfr = {}, msfr64;
1629 struct __msfilterreq32 msfr32;
1630 struct sockaddr_in6 *gsa;
1631 struct ifnet *ifp;
1632 struct ip6_moptions *imo;
1633 struct in6_mfilter *imf;
1634 struct ip6_msource *ims;
1635 struct in6_msource *lims;
1636 struct sockaddr_in6 *psin;
1637 struct sockaddr_storage *ptss;
1638 struct sockaddr_storage *tss;
1639 int error;
1640 size_t idx, nsrcs, ncsrcs;
1641 user_addr_t tmp_ptr;
1642
1643 const bool is_currproc_64bit_proc = IS_64BIT_PROCESS(current_proc());
1644
1645 imo = inp->in6p_moptions;
1646 VERIFY(imo != NULL);
1647
1648 if (is_currproc_64bit_proc) {
1649 error = sooptcopyin(sopt, &msfr64,
1650 sizeof(struct __msfilterreq64),
1651 sizeof(struct __msfilterreq64));
1652 if (error) {
1653 return error;
1654 }
1655 /* we never use msfr.msfr_srcs; */
1656 memcpy(&msfr, &msfr64, sizeof(msfr64));
1657 } else {
1658 error = sooptcopyin(sopt, &msfr32,
1659 sizeof(struct __msfilterreq32),
1660 sizeof(struct __msfilterreq32));
1661 if (error) {
1662 return error;
1663 }
1664 /* we never use msfr.msfr_srcs; */
1665 memcpy(&msfr, &msfr32, sizeof(msfr32));
1666 }
1667
1668 if (msfr.msfr_group.ss_family != AF_INET6 ||
1669 msfr.msfr_group.ss_len != sizeof(struct sockaddr_in6)) {
1670 return EINVAL;
1671 }
1672
1673 gsa = (struct sockaddr_in6 *)&msfr.msfr_group;
1674 if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr)) {
1675 return EINVAL;
1676 }
1677
1678 ifnet_head_lock_shared();
1679 if (msfr.msfr_ifindex == 0 || (u_int)if_index < msfr.msfr_ifindex) {
1680 ifnet_head_done();
1681 return EADDRNOTAVAIL;
1682 }
1683 ifp = ifindex2ifnet[msfr.msfr_ifindex];
1684 ifnet_head_done();
1685
1686 if (ifp == NULL) {
1687 return EADDRNOTAVAIL;
1688 }
1689
1690 if ((size_t) msfr.msfr_nsrcs >
1691 UINT32_MAX / sizeof(struct sockaddr_storage)) {
1692 msfr.msfr_nsrcs = UINT32_MAX / sizeof(struct sockaddr_storage);
1693 }
1694
1695 if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) {
1696 msfr.msfr_nsrcs = (uint32_t)in6_mcast_maxsocksrc;
1697 }
1698
1699 (void)in6_setscope(&gsa->sin6_addr, ifp, IN6_NULL_IF_EMBEDDED_SCOPE(&gsa->sin6_scope_id));
1700
1701 IM6O_LOCK(imo);
1702 /*
1703 * Lookup group on the socket.
1704 */
1705 idx = im6o_match_group(imo, ifp, gsa);
1706 if (idx == (size_t)-1 || imo->im6o_mfilters == NULL) {
1707 IM6O_UNLOCK(imo);
1708 return EADDRNOTAVAIL;
1709 }
1710 imf = &imo->im6o_mfilters[idx];
1711
1712 /*
1713 * Ignore memberships which are in limbo.
1714 */
1715 if (imf->im6f_st[1] == MCAST_UNDEFINED) {
1716 IM6O_UNLOCK(imo);
1717 return EAGAIN;
1718 }
1719 msfr.msfr_fmode = imf->im6f_st[1];
1720
1721 /*
1722 * If the user specified a buffer, copy out the source filter
1723 * entries to userland gracefully.
1724 * We only copy out the number of entries which userland
1725 * has asked for, but we always tell userland how big the
1726 * buffer really needs to be.
1727 */
1728 tss = NULL;
1729
1730 if (is_currproc_64bit_proc) {
1731 tmp_ptr = (user_addr_t)msfr64.msfr_srcs;
1732 } else {
1733 tmp_ptr = CAST_USER_ADDR_T(msfr32.msfr_srcs);
1734 }
1735
1736 if (tmp_ptr != USER_ADDR_NULL && msfr.msfr_nsrcs > 0) {
1737 tss = kalloc_data((size_t) msfr.msfr_nsrcs * sizeof(*tss),
1738 Z_WAITOK | Z_ZERO);
1739 if (tss == NULL) {
1740 IM6O_UNLOCK(imo);
1741 return ENOBUFS;
1742 }
1743 }
1744
1745 /*
1746 * Count number of sources in-mode at t0.
1747 * If buffer space exists and remains, copy out source entries.
1748 */
1749 nsrcs = msfr.msfr_nsrcs;
1750 ncsrcs = 0;
1751 ptss = tss;
1752 RB_FOREACH(ims, ip6_msource_tree, &imf->im6f_sources) {
1753 lims = (struct in6_msource *)ims;
1754 if (lims->im6sl_st[0] == MCAST_UNDEFINED ||
1755 lims->im6sl_st[0] != imf->im6f_st[0]) {
1756 continue;
1757 }
1758 if (tss != NULL && nsrcs > 0) {
1759 psin = (struct sockaddr_in6 *)ptss;
1760 psin->sin6_family = AF_INET6;
1761 psin->sin6_len = sizeof(struct sockaddr_in6);
1762 psin->sin6_addr = lims->im6s_addr;
1763 psin->sin6_port = 0;
1764 --nsrcs;
1765 ++ptss;
1766 ++ncsrcs;
1767 }
1768 }
1769
1770 IM6O_UNLOCK(imo);
1771
1772 if (tss != NULL) {
1773 error = copyout(tss, tmp_ptr, ncsrcs * sizeof(*tss));
1774 kfree_data(tss, (size_t) msfr.msfr_nsrcs * sizeof(*tss));
1775 if (error) {
1776 return error;
1777 }
1778 }
1779
1780 msfr.msfr_nsrcs = (uint32_t)ncsrcs;
1781 if (is_currproc_64bit_proc) {
1782 msfr64.msfr_ifindex = msfr.msfr_ifindex;
1783 msfr64.msfr_fmode = msfr.msfr_fmode;
1784 msfr64.msfr_nsrcs = msfr.msfr_nsrcs;
1785 memcpy(&msfr64.msfr_group, &msfr.msfr_group,
1786 sizeof(struct sockaddr_storage));
1787 error = sooptcopyout(sopt, &msfr64,
1788 sizeof(struct __msfilterreq64));
1789 } else {
1790 msfr32.msfr_ifindex = msfr.msfr_ifindex;
1791 msfr32.msfr_fmode = msfr.msfr_fmode;
1792 msfr32.msfr_nsrcs = msfr.msfr_nsrcs;
1793 memcpy(&msfr32.msfr_group, &msfr.msfr_group,
1794 sizeof(struct sockaddr_storage));
1795 error = sooptcopyout(sopt, &msfr32,
1796 sizeof(struct __msfilterreq32));
1797 }
1798
1799 return error;
1800 }
1801
1802 /*
1803 * Return the IP multicast options in response to user getsockopt().
1804 */
1805 int
ip6_getmoptions(struct inpcb * inp,struct sockopt * sopt)1806 ip6_getmoptions(struct inpcb *inp, struct sockopt *sopt)
1807 {
1808 struct ip6_moptions *im6o;
1809 int error;
1810 u_int optval;
1811
1812 im6o = inp->in6p_moptions;
1813 /*
1814 * If socket is neither of type SOCK_RAW or SOCK_DGRAM,
1815 * or is a divert socket, reject it.
1816 */
1817 if (SOCK_PROTO(inp->inp_socket) == IPPROTO_DIVERT ||
1818 (SOCK_TYPE(inp->inp_socket) != SOCK_RAW &&
1819 SOCK_TYPE(inp->inp_socket) != SOCK_DGRAM)) {
1820 return EOPNOTSUPP;
1821 }
1822
1823 error = 0;
1824 switch (sopt->sopt_name) {
1825 case IPV6_MULTICAST_IF:
1826 if (im6o != NULL) {
1827 IM6O_LOCK(im6o);
1828 }
1829 if (im6o == NULL || im6o->im6o_multicast_ifp == NULL) {
1830 optval = 0;
1831 } else {
1832 optval = im6o->im6o_multicast_ifp->if_index;
1833 }
1834 if (im6o != NULL) {
1835 IM6O_UNLOCK(im6o);
1836 }
1837 error = sooptcopyout(sopt, &optval, sizeof(u_int));
1838 break;
1839
1840 case IPV6_MULTICAST_HOPS:
1841 if (im6o == NULL) {
1842 optval = ip6_defmcasthlim;
1843 } else {
1844 IM6O_LOCK(im6o);
1845 optval = im6o->im6o_multicast_hlim;
1846 IM6O_UNLOCK(im6o);
1847 }
1848 error = sooptcopyout(sopt, &optval, sizeof(u_int));
1849 break;
1850
1851 case IPV6_MULTICAST_LOOP:
1852 if (im6o == NULL) {
1853 optval = in6_mcast_loop; /* XXX VIMAGE */
1854 } else {
1855 IM6O_LOCK(im6o);
1856 optval = im6o->im6o_multicast_loop;
1857 IM6O_UNLOCK(im6o);
1858 }
1859 error = sooptcopyout(sopt, &optval, sizeof(u_int));
1860 break;
1861
1862 case IPV6_MSFILTER:
1863 if (im6o == NULL) {
1864 error = EADDRNOTAVAIL;
1865 } else {
1866 error = in6p_get_source_filters(inp, sopt);
1867 }
1868 break;
1869
1870 default:
1871 error = ENOPROTOOPT;
1872 break;
1873 }
1874
1875 return error;
1876 }
1877
1878 /*
1879 * Look up the ifnet to use for a multicast group membership,
1880 * given the address of an IPv6 group.
1881 *
1882 * This routine exists to support legacy IPv6 multicast applications.
1883 *
1884 * If inp is non-NULL and is bound to an interface, use this socket's
1885 * inp_boundif for any required routing table lookup.
1886 *
1887 * If the route lookup fails, return NULL.
1888 *
1889 * FUTURE: Support multiple forwarding tables for IPv6.
1890 *
1891 * Returns NULL if no ifp could be found.
1892 */
1893 static struct ifnet *
in6p_lookup_mcast_ifp(const struct inpcb * in6p,const struct sockaddr_in6 * gsin6)1894 in6p_lookup_mcast_ifp(const struct inpcb *in6p,
1895 const struct sockaddr_in6 *gsin6)
1896 {
1897 struct route_in6 ro6;
1898 struct ifnet *ifp;
1899 unsigned int ifscope = IFSCOPE_NONE;
1900
1901 VERIFY(in6p == NULL || (in6p->inp_vflag & INP_IPV6));
1902 VERIFY(gsin6->sin6_family == AF_INET6);
1903 if (IN6_IS_ADDR_MULTICAST(&gsin6->sin6_addr) == 0) {
1904 return NULL;
1905 }
1906
1907 if (in6p != NULL && (in6p->inp_flags & INP_BOUND_IF)) {
1908 ifscope = in6p->inp_boundifp->if_index;
1909 }
1910
1911 ifp = NULL;
1912 memset(&ro6, 0, sizeof(struct route_in6));
1913 memcpy(&ro6.ro_dst, gsin6, sizeof(struct sockaddr_in6));
1914 rtalloc_scoped_ign((struct route *)&ro6, 0, ifscope);
1915 if (ro6.ro_rt != NULL) {
1916 ifp = ro6.ro_rt->rt_ifp;
1917 VERIFY(ifp != NULL);
1918 }
1919 ROUTE_RELEASE(&ro6);
1920
1921 return ifp;
1922 }
1923
1924 /*
1925 * Since ipv6_mreq contains an ifindex and ip_mreq contains an AF_INET
1926 * address, we need to lookup the AF_INET address when translating an
1927 * ipv6_mreq structure into an ipmreq structure.
1928 * This is used when userland performs multicast setsockopt() on AF_INET6
1929 * sockets with AF_INET multicast addresses (IPv6 v4 mapped addresses).
1930 */
1931 static int
in6p_lookup_v4addr(struct ipv6_mreq * mreq,struct ip_mreq * v4mreq)1932 in6p_lookup_v4addr(struct ipv6_mreq *mreq, struct ip_mreq *v4mreq)
1933 {
1934 struct ifnet *ifp;
1935 struct ifaddr *ifa;
1936 struct sockaddr_in *sin;
1937
1938 ifnet_head_lock_shared();
1939 if (mreq->ipv6mr_interface > (unsigned int)if_index) {
1940 ifnet_head_done();
1941 return EADDRNOTAVAIL;
1942 } else {
1943 ifp = ifindex2ifnet[mreq->ipv6mr_interface];
1944 }
1945 ifnet_head_done();
1946 if (ifp == NULL) {
1947 return EADDRNOTAVAIL;
1948 }
1949 ifa = ifa_ifpgetprimary(ifp, AF_INET);
1950 if (ifa == NULL) {
1951 return EADDRNOTAVAIL;
1952 }
1953 sin = (struct sockaddr_in *)(uintptr_t)(size_t)ifa->ifa_addr;
1954 v4mreq->imr_interface.s_addr = sin->sin_addr.s_addr;
1955 IFA_REMREF(ifa);
1956
1957 return 0;
1958 }
1959
1960 /*
1961 * Join an IPv6 multicast group, possibly with a source.
1962 *
1963 * FIXME: The KAME use of the unspecified address (::)
1964 * to join *all* multicast groups is currently unsupported.
1965 */
1966 static int
in6p_join_group(struct inpcb * inp,struct sockopt * sopt)1967 in6p_join_group(struct inpcb *inp, struct sockopt *sopt)
1968 {
1969 struct group_source_req gsr;
1970 struct sockaddr_in6 *gsa, *ssa;
1971 struct ifnet *ifp;
1972 struct in6_mfilter *imf;
1973 struct ip6_moptions *imo;
1974 struct in6_multi *inm = NULL;
1975 struct in6_msource *lims = NULL;
1976 size_t idx;
1977 int error, is_new;
1978 struct mld_tparams mtp;
1979
1980 bzero(&mtp, sizeof(mtp));
1981 ifp = NULL;
1982 imf = NULL;
1983 error = 0;
1984 is_new = 0;
1985
1986 memset(&gsr, 0, sizeof(struct group_source_req));
1987 gsa = (struct sockaddr_in6 *)&gsr.gsr_group;
1988 ssa = (struct sockaddr_in6 *)&gsr.gsr_source;
1989
1990 /*
1991 * Chew everything into struct group_source_req.
1992 * Overwrite the port field if present, as the sockaddr
1993 * being copied in may be matched with a binary comparison.
1994 * Ignore passed-in scope ID.
1995 */
1996 switch (sopt->sopt_name) {
1997 case IPV6_JOIN_GROUP: {
1998 struct ipv6_mreq mreq;
1999
2000 error = sooptcopyin(sopt, &mreq, sizeof(struct ipv6_mreq),
2001 sizeof(struct ipv6_mreq));
2002 if (error) {
2003 return error;
2004 }
2005 if (IN6_IS_ADDR_V4MAPPED(&mreq.ipv6mr_multiaddr)) {
2006 struct ip_mreq v4mreq;
2007 struct sockopt v4sopt;
2008
2009 v4mreq.imr_multiaddr.s_addr =
2010 mreq.ipv6mr_multiaddr.s6_addr32[3];
2011 if (mreq.ipv6mr_interface == 0) {
2012 v4mreq.imr_interface.s_addr = INADDR_ANY;
2013 } else {
2014 error = in6p_lookup_v4addr(&mreq, &v4mreq);
2015 }
2016 if (error) {
2017 return error;
2018 }
2019 v4sopt.sopt_dir = SOPT_SET;
2020 v4sopt.sopt_level = sopt->sopt_level;
2021 v4sopt.sopt_name = IP_ADD_MEMBERSHIP;
2022 v4sopt.sopt_val = CAST_USER_ADDR_T(&v4mreq);
2023 v4sopt.sopt_valsize = sizeof(v4mreq);
2024 v4sopt.sopt_p = kernproc;
2025
2026 return inp_join_group(inp, &v4sopt);
2027 }
2028 gsa->sin6_family = AF_INET6;
2029 gsa->sin6_len = sizeof(struct sockaddr_in6);
2030 gsa->sin6_addr = mreq.ipv6mr_multiaddr;
2031
2032 /* Only allow IPv6 multicast addresses */
2033 if (IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr) == 0) {
2034 return EINVAL;
2035 }
2036
2037 if (mreq.ipv6mr_interface == 0) {
2038 ifp = in6p_lookup_mcast_ifp(inp, gsa);
2039 } else {
2040 ifnet_head_lock_shared();
2041 if ((u_int)if_index < mreq.ipv6mr_interface) {
2042 ifnet_head_done();
2043 return EADDRNOTAVAIL;
2044 }
2045 ifp = ifindex2ifnet[mreq.ipv6mr_interface];
2046 ifnet_head_done();
2047 }
2048 MLD_PRINTF(("%s: ipv6mr_interface = %d, ifp = 0x%llx\n",
2049 __func__, mreq.ipv6mr_interface,
2050 (uint64_t)VM_KERNEL_ADDRPERM(ifp)));
2051 break;
2052 }
2053
2054 case MCAST_JOIN_GROUP:
2055 case MCAST_JOIN_SOURCE_GROUP:
2056 if (sopt->sopt_name == MCAST_JOIN_GROUP) {
2057 error = sooptcopyin(sopt, &gsr,
2058 sizeof(struct group_req),
2059 sizeof(struct group_req));
2060 } else if (sopt->sopt_name == MCAST_JOIN_SOURCE_GROUP) {
2061 error = sooptcopyin(sopt, &gsr,
2062 sizeof(struct group_source_req),
2063 sizeof(struct group_source_req));
2064 }
2065 if (error) {
2066 return error;
2067 }
2068
2069 if (gsa->sin6_family != AF_INET6 ||
2070 gsa->sin6_len != sizeof(struct sockaddr_in6)) {
2071 return EINVAL;
2072 }
2073
2074 if (sopt->sopt_name == MCAST_JOIN_SOURCE_GROUP) {
2075 if (ssa->sin6_family != AF_INET6 ||
2076 ssa->sin6_len != sizeof(struct sockaddr_in6)) {
2077 return EINVAL;
2078 }
2079 if (IN6_IS_ADDR_MULTICAST(&ssa->sin6_addr)) {
2080 return EINVAL;
2081 }
2082 /*
2083 * TODO: Validate embedded scope ID in source
2084 * list entry against passed-in ifp, if and only
2085 * if source list filter entry is iface or node local.
2086 */
2087 in6_clearscope(&ssa->sin6_addr);
2088 ssa->sin6_port = 0;
2089 ssa->sin6_scope_id = 0;
2090 }
2091
2092 ifnet_head_lock_shared();
2093 if (gsr.gsr_interface == 0 ||
2094 (u_int)if_index < gsr.gsr_interface) {
2095 ifnet_head_done();
2096 return EADDRNOTAVAIL;
2097 }
2098 ifp = ifindex2ifnet[gsr.gsr_interface];
2099 ifnet_head_done();
2100 break;
2101
2102 default:
2103 MLD_PRINTF(("%s: unknown sopt_name %d\n",
2104 __func__, sopt->sopt_name));
2105 return EOPNOTSUPP;
2106 }
2107
2108 if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr)) {
2109 return EINVAL;
2110 }
2111
2112 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
2113 return EADDRNOTAVAIL;
2114 }
2115
2116 INC_ATOMIC_INT64_LIM(net_api_stats.nas_socket_mcast_join_total);
2117 /*
2118 * TBD: revisit the criteria for non-OS initiated joins
2119 */
2120 if (inp->inp_lport == htons(5353)) {
2121 INC_ATOMIC_INT64_LIM(net_api_stats.nas_socket_mcast_join_os_total);
2122 }
2123
2124 gsa->sin6_port = 0;
2125 if (in6_embedded_scope) {
2126 gsa->sin6_scope_id = 0;
2127 }
2128 (void)in6_setscope(&gsa->sin6_addr, ifp, &gsa->sin6_scope_id);
2129 if (!in6_embedded_scope) {
2130 if ((IN6_IS_ADDR_MC_LINKLOCAL(&gsa->sin6_addr) ||
2131 IN6_IS_ADDR_MC_INTFACELOCAL(&gsa->sin6_addr)) &&
2132 gsa->sin6_scope_id == 0) {
2133 return EINVAL;
2134 }
2135 }
2136
2137 /*
2138 * Some addresses are not valid without an embedded scopeid.
2139 * This check must be present because otherwise we will later hit
2140 * a VERIFY() in in6_mc_join().
2141 */
2142 if ((IN6_IS_ADDR_MC_LINKLOCAL(&gsa->sin6_addr) ||
2143 IN6_IS_ADDR_MC_INTFACELOCAL(&gsa->sin6_addr)) &&
2144 gsa->sin6_scope_id == 0) {
2145 return EINVAL;
2146 }
2147
2148 if (in6_embedded_scope) {
2149 gsa->sin6_scope_id = 0;
2150 }
2151
2152 imo = in6p_findmoptions(inp);
2153 if (imo == NULL) {
2154 return ENOMEM;
2155 }
2156
2157 IM6O_LOCK(imo);
2158 idx = im6o_match_group(imo, ifp, gsa);
2159 if (idx == (size_t)-1) {
2160 is_new = 1;
2161 } else {
2162 inm = imo->im6o_membership[idx];
2163 imf = &imo->im6o_mfilters[idx];
2164 if (ssa->sin6_family != AF_UNSPEC) {
2165 /*
2166 * MCAST_JOIN_SOURCE_GROUP on an exclusive membership
2167 * is an error. On an existing inclusive membership,
2168 * it just adds the source to the filter list.
2169 */
2170 if (imf->im6f_st[1] != MCAST_INCLUDE) {
2171 error = EINVAL;
2172 goto out_imo_locked;
2173 }
2174 /*
2175 * Throw out duplicates.
2176 *
2177 * XXX FIXME: This makes a naive assumption that
2178 * even if entries exist for *ssa in this imf,
2179 * they will be rejected as dupes, even if they
2180 * are not valid in the current mode (in-mode).
2181 *
2182 * in6_msource is transactioned just as for anything
2183 * else in SSM -- but note naive use of in6m_graft()
2184 * below for allocating new filter entries.
2185 *
2186 * This is only an issue if someone mixes the
2187 * full-state SSM API with the delta-based API,
2188 * which is discouraged in the relevant RFCs.
2189 */
2190 lims = im6o_match_source(imo, idx, ssa);
2191 if (lims != NULL /*&&
2192 * lims->im6sl_st[1] == MCAST_INCLUDE*/) {
2193 error = EADDRNOTAVAIL;
2194 goto out_imo_locked;
2195 }
2196 } else {
2197 /*
2198 * MCAST_JOIN_GROUP on an existing exclusive
2199 * membership is an error; return EADDRINUSE
2200 * to preserve 4.4BSD API idempotence, and
2201 * avoid tedious detour to code below.
2202 * NOTE: This is bending RFC 3678 a bit.
2203 *
2204 * On an existing inclusive membership, this is also
2205 * an error; if you want to change filter mode,
2206 * you must use the userland API setsourcefilter().
2207 * XXX We don't reject this for imf in UNDEFINED
2208 * state at t1, because allocation of a filter
2209 * is atomic with allocation of a membership.
2210 */
2211 error = EINVAL;
2212 /* See comments above for EADDRINUSE */
2213 if (imf->im6f_st[1] == MCAST_EXCLUDE) {
2214 error = EADDRINUSE;
2215 }
2216 goto out_imo_locked;
2217 }
2218 }
2219
2220 /*
2221 * Begin state merge transaction at socket layer.
2222 */
2223
2224 if (is_new) {
2225 if (imo->im6o_num_memberships == imo->im6o_max_memberships) {
2226 error = im6o_grow(imo);
2227 if (error) {
2228 goto out_imo_locked;
2229 }
2230 }
2231 /*
2232 * Allocate the new slot upfront so we can deal with
2233 * grafting the new source filter in same code path
2234 * as for join-source on existing membership.
2235 */
2236 idx = imo->im6o_num_memberships;
2237 imo->im6o_membership[idx] = NULL;
2238 imo->im6o_num_memberships++;
2239 VERIFY(imo->im6o_mfilters != NULL);
2240 imf = &imo->im6o_mfilters[idx];
2241 VERIFY(RB_EMPTY(&imf->im6f_sources));
2242 }
2243
2244 /*
2245 * Graft new source into filter list for this inpcb's
2246 * membership of the group. The in6_multi may not have
2247 * been allocated yet if this is a new membership, however,
2248 * the in_mfilter slot will be allocated and must be initialized.
2249 *
2250 * Note: Grafting of exclusive mode filters doesn't happen
2251 * in this path.
2252 * XXX: Should check for non-NULL lims (node exists but may
2253 * not be in-mode) for interop with full-state API.
2254 */
2255 if (ssa->sin6_family != AF_UNSPEC) {
2256 /* Membership starts in IN mode */
2257 if (is_new) {
2258 MLD_PRINTF(("%s: new join w/source\n", __func__);
2259 im6f_init(imf, MCAST_UNDEFINED, MCAST_INCLUDE));
2260 } else {
2261 MLD_PRINTF(("%s: %s source\n", __func__, "allow"));
2262 }
2263 lims = im6f_graft(imf, MCAST_INCLUDE, ssa);
2264 if (lims == NULL) {
2265 MLD_PRINTF(("%s: merge imf state failed\n",
2266 __func__));
2267 error = ENOMEM;
2268 goto out_im6o_free;
2269 }
2270 } else {
2271 /* No address specified; Membership starts in EX mode */
2272 if (is_new) {
2273 MLD_PRINTF(("%s: new join w/o source", __func__));
2274 im6f_init(imf, MCAST_UNDEFINED, MCAST_EXCLUDE);
2275 }
2276 }
2277
2278 /*
2279 * Begin state merge transaction at MLD layer.
2280 */
2281
2282 if (is_new) {
2283 VERIFY(inm == NULL);
2284 error = in6_mc_join(ifp, &gsa->sin6_addr, imf, &inm, 0);
2285 VERIFY(inm != NULL || error != 0);
2286
2287 if (error) {
2288 goto out_im6o_free;
2289 }
2290 imo->im6o_membership[idx] = inm; /* from in6_mc_join() */
2291 } else {
2292 MLD_PRINTF(("%s: merge inm state\n", __func__));
2293 IN6M_LOCK(inm);
2294 error = in6m_merge(inm, imf);
2295 if (error) {
2296 MLD_PRINTF(("%s: failed to merge inm state\n",
2297 __func__));
2298 IN6M_UNLOCK(inm);
2299 goto out_im6f_rollback;
2300 }
2301 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
2302 error = mld_change_state(inm, &mtp, 0);
2303 IN6M_UNLOCK(inm);
2304 if (error) {
2305 MLD_PRINTF(("%s: failed mld downcall\n",
2306 __func__));
2307 goto out_im6f_rollback;
2308 }
2309 }
2310
2311 out_im6f_rollback:
2312 if (error) {
2313 im6f_rollback(imf);
2314 if (is_new) {
2315 im6f_purge(imf);
2316 } else {
2317 im6f_reap(imf);
2318 }
2319 } else {
2320 im6f_commit(imf);
2321 }
2322
2323 out_im6o_free:
2324 if (error && is_new) {
2325 VERIFY(inm == NULL);
2326 imo->im6o_membership[idx] = NULL;
2327 --imo->im6o_num_memberships;
2328 }
2329
2330 out_imo_locked:
2331 IM6O_UNLOCK(imo);
2332 IM6O_REMREF(imo); /* from in6p_findmoptions() */
2333
2334 /* schedule timer now that we've dropped the lock(s) */
2335 mld_set_timeout(&mtp);
2336
2337 return error;
2338 }
2339
2340 /*
2341 * Leave an IPv6 multicast group on an inpcb, possibly with a source.
2342 */
2343 static int
in6p_leave_group(struct inpcb * inp,struct sockopt * sopt)2344 in6p_leave_group(struct inpcb *inp, struct sockopt *sopt)
2345 {
2346 struct ipv6_mreq mreq;
2347 struct group_source_req gsr;
2348 struct sockaddr_in6 *gsa, *ssa;
2349 struct ifnet *ifp;
2350 struct in6_mfilter *imf;
2351 struct ip6_moptions *imo;
2352 struct in6_msource *ims;
2353 struct in6_multi *inm = NULL;
2354 uint32_t ifindex = 0;
2355 size_t idx;
2356 int error, is_final;
2357 struct mld_tparams mtp;
2358
2359 bzero(&mtp, sizeof(mtp));
2360 ifp = NULL;
2361 error = 0;
2362 is_final = 1;
2363
2364 memset(&gsr, 0, sizeof(struct group_source_req));
2365 gsa = (struct sockaddr_in6 *)&gsr.gsr_group;
2366 ssa = (struct sockaddr_in6 *)&gsr.gsr_source;
2367
2368 /*
2369 * Chew everything passed in up into a struct group_source_req
2370 * as that is easier to process.
2371 * Note: Any embedded scope ID in the multicast group passed
2372 * in by userland is ignored, the interface index is the recommended
2373 * mechanism to specify an interface; see below.
2374 */
2375 switch (sopt->sopt_name) {
2376 case IPV6_LEAVE_GROUP: {
2377 error = sooptcopyin(sopt, &mreq, sizeof(struct ipv6_mreq),
2378 sizeof(struct ipv6_mreq));
2379 if (error) {
2380 return error;
2381 }
2382 if (IN6_IS_ADDR_V4MAPPED(&mreq.ipv6mr_multiaddr)) {
2383 struct ip_mreq v4mreq;
2384 struct sockopt v4sopt;
2385
2386 v4mreq.imr_multiaddr.s_addr =
2387 mreq.ipv6mr_multiaddr.s6_addr32[3];
2388 if (mreq.ipv6mr_interface == 0) {
2389 v4mreq.imr_interface.s_addr = INADDR_ANY;
2390 } else {
2391 error = in6p_lookup_v4addr(&mreq, &v4mreq);
2392 }
2393 if (error) {
2394 return error;
2395 }
2396 v4sopt.sopt_dir = SOPT_SET;
2397 v4sopt.sopt_level = sopt->sopt_level;
2398 v4sopt.sopt_name = IP_DROP_MEMBERSHIP;
2399 v4sopt.sopt_val = CAST_USER_ADDR_T(&v4mreq);
2400 v4sopt.sopt_valsize = sizeof(v4mreq);
2401 v4sopt.sopt_p = kernproc;
2402
2403 return inp_leave_group(inp, &v4sopt);
2404 }
2405 gsa->sin6_family = AF_INET6;
2406 gsa->sin6_len = sizeof(struct sockaddr_in6);
2407 gsa->sin6_addr = mreq.ipv6mr_multiaddr;
2408 gsa->sin6_port = 0;
2409 if (!in6_embedded_scope) {
2410 gsa->sin6_scope_id = 0;
2411 }
2412 ifindex = mreq.ipv6mr_interface;
2413 /* Only allow IPv6 multicast addresses */
2414 if (IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr) == 0) {
2415 return EINVAL;
2416 }
2417 break;
2418 }
2419
2420 case MCAST_LEAVE_GROUP:
2421 case MCAST_LEAVE_SOURCE_GROUP:
2422 if (sopt->sopt_name == MCAST_LEAVE_GROUP) {
2423 error = sooptcopyin(sopt, &gsr,
2424 sizeof(struct group_req),
2425 sizeof(struct group_req));
2426 } else if (sopt->sopt_name == MCAST_LEAVE_SOURCE_GROUP) {
2427 error = sooptcopyin(sopt, &gsr,
2428 sizeof(struct group_source_req),
2429 sizeof(struct group_source_req));
2430 }
2431 if (error) {
2432 return error;
2433 }
2434
2435 if (gsa->sin6_family != AF_INET6 ||
2436 gsa->sin6_len != sizeof(struct sockaddr_in6)) {
2437 return EINVAL;
2438 }
2439 if (sopt->sopt_name == MCAST_LEAVE_SOURCE_GROUP) {
2440 if (ssa->sin6_family != AF_INET6 ||
2441 ssa->sin6_len != sizeof(struct sockaddr_in6)) {
2442 return EINVAL;
2443 }
2444 if (IN6_IS_ADDR_MULTICAST(&ssa->sin6_addr)) {
2445 return EINVAL;
2446 }
2447 /*
2448 * TODO: Validate embedded scope ID in source
2449 * list entry against passed-in ifp, if and only
2450 * if source list filter entry is iface or node local.
2451 */
2452 in6_clearscope(&ssa->sin6_addr);
2453 }
2454 gsa->sin6_port = 0;
2455 if (in6_embedded_scope) {
2456 gsa->sin6_scope_id = 0;
2457 }
2458 ifindex = gsr.gsr_interface;
2459 break;
2460
2461 default:
2462 MLD_PRINTF(("%s: unknown sopt_name %d\n",
2463 __func__, sopt->sopt_name));
2464 return EOPNOTSUPP;
2465 }
2466
2467 if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr)) {
2468 return EINVAL;
2469 }
2470
2471 /*
2472 * Validate interface index if provided. If no interface index
2473 * was provided separately, attempt to look the membership up
2474 * from the default scope as a last resort to disambiguate
2475 * the membership we are being asked to leave.
2476 * XXX SCOPE6 lock potentially taken here.
2477 */
2478 if (ifindex != 0) {
2479 ifnet_head_lock_shared();
2480 if ((u_int)if_index < ifindex) {
2481 ifnet_head_done();
2482 return EADDRNOTAVAIL;
2483 }
2484 ifp = ifindex2ifnet[ifindex];
2485 ifnet_head_done();
2486 if (ifp == NULL) {
2487 return EADDRNOTAVAIL;
2488 }
2489 (void) in6_setscope(&gsa->sin6_addr, ifp, NULL);
2490 if (!in6_embedded_scope) {
2491 gsa->sin6_scope_id = ifindex;
2492 }
2493 } else {
2494 error = sa6_embedscope(gsa, ip6_use_defzone, IN6_NULL_IF_EMBEDDED_SCOPE(&ifindex));
2495 if (error) {
2496 return EADDRNOTAVAIL;
2497 }
2498 /*
2499 * Some badly behaved applications don't pass an ifindex
2500 * or a scope ID, which is an API violation. In this case,
2501 * perform a lookup as per a v6 join.
2502 *
2503 * XXX For now, stomp on zone ID for the corner case.
2504 * This is not the 'KAME way', but we need to see the ifp
2505 * directly until such time as this implementation is
2506 * refactored, assuming the scope IDs are the way to go.
2507 */
2508
2509 if (in6_embedded_scope) {
2510 ifindex = ntohs(gsa->sin6_addr.s6_addr16[1]);
2511 }
2512
2513 if (ifindex == 0) {
2514 MLD_PRINTF(("%s: warning: no ifindex, looking up "
2515 "ifp for group %s.\n", __func__,
2516 ip6_sprintf(&gsa->sin6_addr)));
2517 ifp = in6p_lookup_mcast_ifp(inp, gsa);
2518 } else {
2519 if (!IF_INDEX_IN_RANGE(ifindex)) {
2520 return EADDRNOTAVAIL;
2521 }
2522 ifnet_head_lock_shared();
2523 ifp = ifindex2ifnet[ifindex];
2524 ifnet_head_done();
2525 }
2526 if (ifp == NULL) {
2527 return EADDRNOTAVAIL;
2528 }
2529 }
2530
2531 VERIFY(ifp != NULL);
2532 MLD_PRINTF(("%s: ifp = 0x%llx\n", __func__,
2533 (uint64_t)VM_KERNEL_ADDRPERM(ifp)));
2534
2535 /*
2536 * Find the membership in the membership array.
2537 */
2538 imo = in6p_findmoptions(inp);
2539 if (imo == NULL) {
2540 return ENOMEM;
2541 }
2542
2543 IM6O_LOCK(imo);
2544 idx = im6o_match_group(imo, ifp, gsa);
2545 if (idx == (size_t)-1) {
2546 error = EADDRNOTAVAIL;
2547 goto out_locked;
2548 }
2549 inm = imo->im6o_membership[idx];
2550 imf = &imo->im6o_mfilters[idx];
2551
2552 if (ssa->sin6_family != AF_UNSPEC) {
2553 is_final = 0;
2554 }
2555
2556 /*
2557 * Begin state merge transaction at socket layer.
2558 */
2559
2560 /*
2561 * If we were instructed only to leave a given source, do so.
2562 * MCAST_LEAVE_SOURCE_GROUP is only valid for inclusive memberships.
2563 */
2564 if (is_final) {
2565 im6f_leave(imf);
2566 } else {
2567 if (imf->im6f_st[0] == MCAST_EXCLUDE) {
2568 error = EADDRNOTAVAIL;
2569 goto out_locked;
2570 }
2571 ims = im6o_match_source(imo, idx, ssa);
2572 if (ims == NULL) {
2573 MLD_PRINTF(("%s: source %s %spresent\n", __func__,
2574 ip6_sprintf(&ssa->sin6_addr),
2575 "not "));
2576 error = EADDRNOTAVAIL;
2577 goto out_locked;
2578 }
2579 MLD_PRINTF(("%s: %s source\n", __func__, "block"));
2580 error = im6f_prune(imf, ssa);
2581 if (error) {
2582 MLD_PRINTF(("%s: merge imf state failed\n",
2583 __func__));
2584 goto out_locked;
2585 }
2586 }
2587
2588 /*
2589 * Begin state merge transaction at MLD layer.
2590 */
2591
2592 if (is_final) {
2593 /*
2594 * Give up the multicast address record to which
2595 * the membership points. Reference held in im6o
2596 * will be released below.
2597 */
2598 (void) in6_mc_leave(inm, imf);
2599 } else {
2600 MLD_PRINTF(("%s: merge inm state\n", __func__));
2601 IN6M_LOCK(inm);
2602 error = in6m_merge(inm, imf);
2603 if (error) {
2604 MLD_PRINTF(("%s: failed to merge inm state\n",
2605 __func__));
2606 IN6M_UNLOCK(inm);
2607 goto out_im6f_rollback;
2608 }
2609
2610 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
2611 error = mld_change_state(inm, &mtp, 0);
2612 if (error) {
2613 MLD_PRINTF(("%s: failed mld downcall\n", __func__));
2614 }
2615 IN6M_UNLOCK(inm);
2616 }
2617
2618 out_im6f_rollback:
2619 if (error) {
2620 im6f_rollback(imf);
2621 } else {
2622 im6f_commit(imf);
2623 }
2624
2625 im6f_reap(imf);
2626
2627 if (is_final) {
2628 /* Remove the gap in the membership array. */
2629 VERIFY(inm == imo->im6o_membership[idx]);
2630 imo->im6o_membership[idx] = NULL;
2631 IN6M_REMREF(inm);
2632
2633 for (++idx; idx < imo->im6o_num_memberships; ++idx) {
2634 imo->im6o_membership[idx - 1] = imo->im6o_membership[idx];
2635 imo->im6o_mfilters[idx - 1] = imo->im6o_mfilters[idx];
2636 }
2637 imo->im6o_num_memberships--;
2638 }
2639
2640 out_locked:
2641 IM6O_UNLOCK(imo);
2642 IM6O_REMREF(imo); /* from in6p_findmoptions() */
2643
2644 /* schedule timer now that we've dropped the lock(s) */
2645 mld_set_timeout(&mtp);
2646
2647 return error;
2648 }
2649
2650 /*
2651 * Select the interface for transmitting IPv6 multicast datagrams.
2652 *
2653 * Either an instance of struct in6_addr or an instance of struct ipv6_mreqn
2654 * may be passed to this socket option. An address of in6addr_any or an
2655 * interface index of 0 is used to remove a previous selection.
2656 * When no interface is selected, one is chosen for every send.
2657 */
2658 static int
in6p_set_multicast_if(struct inpcb * inp,struct sockopt * sopt)2659 in6p_set_multicast_if(struct inpcb *inp, struct sockopt *sopt)
2660 {
2661 struct ifnet *ifp;
2662 struct ip6_moptions *imo;
2663 u_int ifindex;
2664 int error;
2665
2666 if (sopt->sopt_valsize != sizeof(u_int)) {
2667 return EINVAL;
2668 }
2669
2670 error = sooptcopyin(sopt, &ifindex, sizeof(u_int), sizeof(u_int));
2671 if (error) {
2672 return error;
2673 }
2674
2675 ifnet_head_lock_shared();
2676 if ((u_int)if_index < ifindex) {
2677 ifnet_head_done();
2678 return EINVAL;
2679 }
2680
2681 ifp = ifindex2ifnet[ifindex];
2682 ifnet_head_done();
2683 if (ifp == NULL || (ifp->if_flags & IFF_MULTICAST) == 0) {
2684 return EADDRNOTAVAIL;
2685 }
2686
2687 imo = in6p_findmoptions(inp);
2688 if (imo == NULL) {
2689 return ENOMEM;
2690 }
2691
2692 IM6O_LOCK(imo);
2693 imo->im6o_multicast_ifp = ifp;
2694 IM6O_UNLOCK(imo);
2695 IM6O_REMREF(imo); /* from in6p_findmoptions() */
2696
2697 return 0;
2698 }
2699
2700 /*
2701 * Atomically set source filters on a socket for an IPv6 multicast group.
2702 *
2703 */
2704 static int
in6p_set_source_filters(struct inpcb * inp,struct sockopt * sopt)2705 in6p_set_source_filters(struct inpcb *inp, struct sockopt *sopt)
2706 {
2707 struct __msfilterreq64 msfr = {}, msfr64;
2708 struct __msfilterreq32 msfr32;
2709 struct sockaddr_in6 *gsa;
2710 struct ifnet *ifp;
2711 struct in6_mfilter *imf;
2712 struct ip6_moptions *imo;
2713 struct in6_multi *inm;
2714 size_t idx;
2715 int error;
2716 user_addr_t tmp_ptr;
2717 struct mld_tparams mtp;
2718
2719 const bool is_currproc_64bit_proc = IS_64BIT_PROCESS(current_proc());
2720
2721 bzero(&mtp, sizeof(mtp));
2722
2723 if (is_currproc_64bit_proc) {
2724 error = sooptcopyin(sopt, &msfr64,
2725 sizeof(struct __msfilterreq64),
2726 sizeof(struct __msfilterreq64));
2727 if (error) {
2728 return error;
2729 }
2730 /* we never use msfr.msfr_srcs; */
2731 memcpy(&msfr, &msfr64, sizeof(msfr64));
2732 } else {
2733 error = sooptcopyin(sopt, &msfr32,
2734 sizeof(struct __msfilterreq32),
2735 sizeof(struct __msfilterreq32));
2736 if (error) {
2737 return error;
2738 }
2739 /* we never use msfr.msfr_srcs; */
2740 memcpy(&msfr, &msfr32, sizeof(msfr32));
2741 }
2742
2743 if ((size_t) msfr.msfr_nsrcs >
2744 UINT32_MAX / sizeof(struct sockaddr_storage)) {
2745 msfr.msfr_nsrcs = UINT32_MAX / sizeof(struct sockaddr_storage);
2746 }
2747
2748 if (msfr.msfr_nsrcs > in6_mcast_maxsocksrc) {
2749 return ENOBUFS;
2750 }
2751
2752 if (msfr.msfr_fmode != MCAST_EXCLUDE &&
2753 msfr.msfr_fmode != MCAST_INCLUDE) {
2754 return EINVAL;
2755 }
2756
2757 if (msfr.msfr_group.ss_family != AF_INET6 ||
2758 msfr.msfr_group.ss_len != sizeof(struct sockaddr_in6)) {
2759 return EINVAL;
2760 }
2761
2762 gsa = (struct sockaddr_in6 *)&msfr.msfr_group;
2763 if (!IN6_IS_ADDR_MULTICAST(&gsa->sin6_addr)) {
2764 return EINVAL;
2765 }
2766
2767 gsa->sin6_port = 0; /* ignore port */
2768
2769 ifnet_head_lock_shared();
2770 if (msfr.msfr_ifindex == 0 || (u_int)if_index < msfr.msfr_ifindex) {
2771 ifnet_head_done();
2772 return EADDRNOTAVAIL;
2773 }
2774 ifp = ifindex2ifnet[msfr.msfr_ifindex];
2775 ifnet_head_done();
2776 if (ifp == NULL) {
2777 return EADDRNOTAVAIL;
2778 }
2779
2780 (void)in6_setscope(&gsa->sin6_addr, ifp, IN6_NULL_IF_EMBEDDED_SCOPE(&gsa->sin6_scope_id));
2781
2782 /*
2783 * Take the INP write lock.
2784 * Check if this socket is a member of this group.
2785 */
2786 imo = in6p_findmoptions(inp);
2787 if (imo == NULL) {
2788 return ENOMEM;
2789 }
2790
2791 IM6O_LOCK(imo);
2792 idx = im6o_match_group(imo, ifp, gsa);
2793 if (idx == (size_t)-1 || imo->im6o_mfilters == NULL) {
2794 error = EADDRNOTAVAIL;
2795 goto out_imo_locked;
2796 }
2797 inm = imo->im6o_membership[idx];
2798 imf = &imo->im6o_mfilters[idx];
2799
2800 /*
2801 * Begin state merge transaction at socket layer.
2802 */
2803
2804 imf->im6f_st[1] = (uint8_t)msfr.msfr_fmode;
2805
2806 /*
2807 * Apply any new source filters, if present.
2808 * Make a copy of the user-space source vector so
2809 * that we may copy them with a single copyin. This
2810 * allows us to deal with page faults up-front.
2811 */
2812 if (msfr.msfr_nsrcs > 0) {
2813 struct in6_msource *lims;
2814 struct sockaddr_in6 *psin;
2815 struct sockaddr_storage *kss, *pkss;
2816 unsigned int i;
2817
2818 if (is_currproc_64bit_proc) {
2819 tmp_ptr = (user_addr_t)msfr64.msfr_srcs;
2820 } else {
2821 tmp_ptr = CAST_USER_ADDR_T(msfr32.msfr_srcs);
2822 }
2823
2824 MLD_PRINTF(("%s: loading %lu source list entries\n",
2825 __func__, (unsigned long)msfr.msfr_nsrcs));
2826 kss = kalloc_data((size_t) msfr.msfr_nsrcs * sizeof(*kss), Z_WAITOK);
2827 if (kss == NULL) {
2828 error = ENOMEM;
2829 goto out_imo_locked;
2830 }
2831
2832 error = copyin(tmp_ptr, kss,
2833 (size_t) msfr.msfr_nsrcs * sizeof(*kss));
2834 if (error) {
2835 kfree_data(kss, (size_t) msfr.msfr_nsrcs * sizeof(*kss));
2836 goto out_imo_locked;
2837 }
2838
2839 /*
2840 * Mark all source filters as UNDEFINED at t1.
2841 * Restore new group filter mode, as im6f_leave()
2842 * will set it to INCLUDE.
2843 */
2844 im6f_leave(imf);
2845 imf->im6f_st[1] = (uint8_t)msfr.msfr_fmode;
2846
2847 /*
2848 * Update socket layer filters at t1, lazy-allocating
2849 * new entries. This saves a bunch of memory at the
2850 * cost of one RB_FIND() per source entry; duplicate
2851 * entries in the msfr_nsrcs vector are ignored.
2852 * If we encounter an error, rollback transaction.
2853 *
2854 * XXX This too could be replaced with a set-symmetric
2855 * difference like loop to avoid walking from root
2856 * every time, as the key space is common.
2857 */
2858 for (i = 0, pkss = kss; i < msfr.msfr_nsrcs; i++, pkss++) {
2859 psin = (struct sockaddr_in6 *)pkss;
2860 if (psin->sin6_family != AF_INET6) {
2861 error = EAFNOSUPPORT;
2862 break;
2863 }
2864 if (psin->sin6_len != sizeof(struct sockaddr_in6)) {
2865 error = EINVAL;
2866 break;
2867 }
2868 if (IN6_IS_ADDR_MULTICAST(&psin->sin6_addr)) {
2869 error = EINVAL;
2870 break;
2871 }
2872 /*
2873 * TODO: Validate embedded scope ID in source
2874 * list entry against passed-in ifp, if and only
2875 * if source list filter entry is iface or node local.
2876 */
2877 in6_clearscope(&psin->sin6_addr);
2878 error = im6f_get_source(imf, psin, &lims);
2879 if (error) {
2880 break;
2881 }
2882 lims->im6sl_st[1] = imf->im6f_st[1];
2883 }
2884 kfree_data(kss, (size_t) msfr.msfr_nsrcs * sizeof(*kss));
2885 }
2886
2887 if (error) {
2888 goto out_im6f_rollback;
2889 }
2890
2891 /*
2892 * Begin state merge transaction at MLD layer.
2893 */
2894 IN6M_LOCK(inm);
2895 MLD_PRINTF(("%s: merge inm state\n", __func__));
2896 error = in6m_merge(inm, imf);
2897 if (error) {
2898 MLD_PRINTF(("%s: failed to merge inm state\n", __func__));
2899 IN6M_UNLOCK(inm);
2900 goto out_im6f_rollback;
2901 }
2902
2903 MLD_PRINTF(("%s: doing mld downcall\n", __func__));
2904 error = mld_change_state(inm, &mtp, 0);
2905 IN6M_UNLOCK(inm);
2906 #if MLD_DEBUG
2907 if (error) {
2908 MLD_PRINTF(("%s: failed mld downcall\n", __func__));
2909 }
2910 #endif
2911
2912 out_im6f_rollback:
2913 if (error) {
2914 im6f_rollback(imf);
2915 } else {
2916 im6f_commit(imf);
2917 }
2918
2919 im6f_reap(imf);
2920
2921 out_imo_locked:
2922 IM6O_UNLOCK(imo);
2923 IM6O_REMREF(imo); /* from in6p_findmoptions() */
2924
2925 /* schedule timer now that we've dropped the lock(s) */
2926 mld_set_timeout(&mtp);
2927
2928 return error;
2929 }
2930
2931 /*
2932 * Set the IP multicast options in response to user setsockopt().
2933 *
2934 * Many of the socket options handled in this function duplicate the
2935 * functionality of socket options in the regular unicast API. However,
2936 * it is not possible to merge the duplicate code, because the idempotence
2937 * of the IPv6 multicast part of the BSD Sockets API must be preserved;
2938 * the effects of these options must be treated as separate and distinct.
2939 *
2940 */
2941 int
ip6_setmoptions(struct inpcb * inp,struct sockopt * sopt)2942 ip6_setmoptions(struct inpcb *inp, struct sockopt *sopt)
2943 {
2944 struct ip6_moptions *im6o;
2945 int error;
2946
2947 error = 0;
2948
2949 /*
2950 * If socket is neither of type SOCK_RAW or SOCK_DGRAM,
2951 * or is a divert socket, reject it.
2952 */
2953 if (SOCK_PROTO(inp->inp_socket) == IPPROTO_DIVERT ||
2954 (SOCK_TYPE(inp->inp_socket) != SOCK_RAW &&
2955 SOCK_TYPE(inp->inp_socket) != SOCK_DGRAM)) {
2956 return EOPNOTSUPP;
2957 }
2958
2959 switch (sopt->sopt_name) {
2960 case IPV6_MULTICAST_IF:
2961 error = in6p_set_multicast_if(inp, sopt);
2962 break;
2963
2964 case IPV6_MULTICAST_HOPS: {
2965 int hlim;
2966
2967 if (sopt->sopt_valsize != sizeof(int)) {
2968 error = EINVAL;
2969 break;
2970 }
2971 error = sooptcopyin(sopt, &hlim, sizeof(hlim), sizeof(int));
2972 if (error) {
2973 break;
2974 }
2975 if (hlim < -1 || hlim > IPV6_MAXHLIM) {
2976 error = EINVAL;
2977 break;
2978 } else if (hlim == -1) {
2979 hlim = ip6_defmcasthlim;
2980 }
2981 im6o = in6p_findmoptions(inp);
2982 if (im6o == NULL) {
2983 error = ENOMEM;
2984 break;
2985 }
2986 IM6O_LOCK(im6o);
2987 im6o->im6o_multicast_hlim = (u_char)hlim;
2988 IM6O_UNLOCK(im6o);
2989 IM6O_REMREF(im6o); /* from in6p_findmoptions() */
2990 break;
2991 }
2992
2993 case IPV6_MULTICAST_LOOP: {
2994 u_int loop;
2995
2996 /*
2997 * Set the loopback flag for outgoing multicast packets.
2998 * Must be zero or one.
2999 */
3000 if (sopt->sopt_valsize != sizeof(u_int)) {
3001 error = EINVAL;
3002 break;
3003 }
3004 error = sooptcopyin(sopt, &loop, sizeof(u_int), sizeof(u_int));
3005 if (error) {
3006 break;
3007 }
3008 if (loop > 1) {
3009 error = EINVAL;
3010 break;
3011 }
3012 im6o = in6p_findmoptions(inp);
3013 if (im6o == NULL) {
3014 error = ENOMEM;
3015 break;
3016 }
3017 IM6O_LOCK(im6o);
3018 im6o->im6o_multicast_loop = (u_char)loop;
3019 IM6O_UNLOCK(im6o);
3020 IM6O_REMREF(im6o); /* from in6p_findmoptions() */
3021 break;
3022 }
3023
3024 case IPV6_JOIN_GROUP:
3025 case MCAST_JOIN_GROUP:
3026 case MCAST_JOIN_SOURCE_GROUP:
3027 error = in6p_join_group(inp, sopt);
3028 break;
3029
3030 case IPV6_LEAVE_GROUP:
3031 case MCAST_LEAVE_GROUP:
3032 case MCAST_LEAVE_SOURCE_GROUP:
3033 error = in6p_leave_group(inp, sopt);
3034 break;
3035
3036 case MCAST_BLOCK_SOURCE:
3037 case MCAST_UNBLOCK_SOURCE:
3038 error = in6p_block_unblock_source(inp, sopt);
3039 break;
3040
3041 case IPV6_MSFILTER:
3042 error = in6p_set_source_filters(inp, sopt);
3043 break;
3044
3045 default:
3046 error = EOPNOTSUPP;
3047 break;
3048 }
3049
3050 return error;
3051 }
3052 /*
3053 * Expose MLD's multicast filter mode and source list(s) to userland,
3054 * keyed by (ifindex, group).
3055 * The filter mode is written out as a uint32_t, followed by
3056 * 0..n of struct in6_addr.
3057 * For use by ifmcstat(8).
3058 */
3059 static int
3060 sysctl_ip6_mcast_filters SYSCTL_HANDLER_ARGS
3061 {
3062 #pragma unused(oidp)
3063
3064 struct in6_addr mcaddr;
3065 struct in6_addr src;
3066 struct ifnet *ifp;
3067 struct in6_multi *inm;
3068 struct in6_multistep step;
3069 struct ip6_msource *ims;
3070 int *name;
3071 int retval = 0;
3072 u_int namelen;
3073 uint32_t fmode, ifindex;
3074
3075 name = (int *)arg1;
3076 namelen = arg2;
3077
3078 if (req->newptr != USER_ADDR_NULL) {
3079 return EPERM;
3080 }
3081
3082 /* int: ifindex + 4 * 32 bits of IPv6 address */
3083 if (namelen != 5) {
3084 return EINVAL;
3085 }
3086
3087 ifindex = name[0];
3088 ifnet_head_lock_shared();
3089 if (ifindex <= 0 || ifindex > (u_int)if_index) {
3090 MLD_PRINTF(("%s: ifindex %u out of range\n",
3091 __func__, ifindex));
3092 ifnet_head_done();
3093 return ENOENT;
3094 }
3095
3096 memcpy(&mcaddr, &name[1], sizeof(struct in6_addr));
3097 if (!IN6_IS_ADDR_MULTICAST(&mcaddr)) {
3098 MLD_PRINTF(("%s: group %s is not multicast\n",
3099 __func__, ip6_sprintf(&mcaddr)));
3100 ifnet_head_done();
3101 return EINVAL;
3102 }
3103
3104 ifp = ifindex2ifnet[ifindex];
3105 ifnet_head_done();
3106 if (ifp == NULL) {
3107 MLD_PRINTF(("%s: no ifp for ifindex %u\n", __func__, ifindex));
3108 return ENOENT;
3109 }
3110 /*
3111 * Internal MLD lookups require that scope/zone ID is set.
3112 */
3113 uint32_t ifscope = IFSCOPE_NONE;
3114 (void)in6_setscope(&mcaddr, ifp, &ifscope);
3115
3116 in6_multihead_lock_shared();
3117 IN6_FIRST_MULTI(step, inm);
3118 while (inm != NULL) {
3119 IN6M_LOCK(inm);
3120 if (inm->in6m_ifp != ifp) {
3121 goto next;
3122 }
3123
3124 if (!in6_are_addr_equal_scoped(&inm->in6m_addr, &mcaddr, inm->ifscope, ifscope)) {
3125 goto next;
3126 }
3127
3128 fmode = inm->in6m_st[1].iss_fmode;
3129 retval = SYSCTL_OUT(req, &fmode, sizeof(uint32_t));
3130 if (retval != 0) {
3131 IN6M_UNLOCK(inm);
3132 break; /* abort */
3133 }
3134 RB_FOREACH(ims, ip6_msource_tree, &inm->in6m_srcs) {
3135 MLD_PRINTF(("%s: visit node 0x%llx\n", __func__,
3136 (uint64_t)VM_KERNEL_ADDRPERM(ims)));
3137 /*
3138 * Only copy-out sources which are in-mode.
3139 */
3140 if (fmode != im6s_get_mode(inm, ims, 1)) {
3141 MLD_PRINTF(("%s: skip non-in-mode\n",
3142 __func__));
3143 continue; /* process next source */
3144 }
3145 src = ims->im6s_addr;
3146 retval = SYSCTL_OUT(req, &src, sizeof(struct in6_addr));
3147 if (retval != 0) {
3148 break; /* process next inm */
3149 }
3150 }
3151 next:
3152 IN6M_UNLOCK(inm);
3153 IN6_NEXT_MULTI(step, inm);
3154 }
3155 in6_multihead_lock_done();
3156
3157 return retval;
3158 }
3159
3160 void
in6_multi_init(void)3161 in6_multi_init(void)
3162 {
3163 PE_parse_boot_argn("ifa_debug", &in6m_debug, sizeof(in6m_debug));
3164
3165 TAILQ_INIT(&in6m_trash_head);
3166
3167 vm_size_t in6m_size = (in6m_debug == 0) ? sizeof(struct in6_multi) :
3168 sizeof(struct in6_multi_dbg);
3169 in6m_zone = zone_create(IN6M_ZONE_NAME, in6m_size, ZC_ZFREE_CLEARMEM);
3170 }
3171
3172 static struct in6_multi *
in6_multi_alloc(zalloc_flags_t how)3173 in6_multi_alloc(zalloc_flags_t how)
3174 {
3175 struct in6_multi *in6m;
3176
3177 in6m = zalloc_flags(in6m_zone, how | Z_ZERO);
3178 if (in6m != NULL) {
3179 lck_mtx_init(&in6m->in6m_lock, &in6_multihead_lock_grp,
3180 &in6_multihead_lock_attr);
3181 in6m->in6m_debug |= IFD_ALLOC;
3182 if (in6m_debug != 0) {
3183 in6m->in6m_debug |= IFD_DEBUG;
3184 in6m->in6m_trace = in6m_trace;
3185 }
3186 in6m->ifscope = IFSCOPE_NONE;
3187 }
3188 return in6m;
3189 }
3190
3191 static void
in6_multi_free(struct in6_multi * in6m)3192 in6_multi_free(struct in6_multi *in6m)
3193 {
3194 IN6M_LOCK(in6m);
3195 if (in6m->in6m_debug & IFD_ATTACHED) {
3196 panic("%s: attached in6m=%p is being freed", __func__, in6m);
3197 /* NOTREACHED */
3198 } else if (in6m->in6m_ifma != NULL) {
3199 panic("%s: ifma not NULL for in6m=%p", __func__, in6m);
3200 /* NOTREACHED */
3201 } else if (!(in6m->in6m_debug & IFD_ALLOC)) {
3202 panic("%s: in6m %p cannot be freed", __func__, in6m);
3203 /* NOTREACHED */
3204 } else if (in6m->in6m_refcount != 0) {
3205 panic("%s: non-zero refcount in6m=%p", __func__, in6m);
3206 /* NOTREACHED */
3207 } else if (in6m->in6m_reqcnt != 0) {
3208 panic("%s: non-zero reqcnt in6m=%p", __func__, in6m);
3209 /* NOTREACHED */
3210 }
3211
3212 /* Free any pending MLDv2 state-change records */
3213 IF_DRAIN(&in6m->in6m_scq);
3214
3215 in6m->in6m_debug &= ~IFD_ALLOC;
3216 if ((in6m->in6m_debug & (IFD_DEBUG | IFD_TRASHED)) ==
3217 (IFD_DEBUG | IFD_TRASHED)) {
3218 lck_mtx_lock(&in6m_trash_lock);
3219 TAILQ_REMOVE(&in6m_trash_head, (struct in6_multi_dbg *)in6m,
3220 in6m_trash_link);
3221 lck_mtx_unlock(&in6m_trash_lock);
3222 in6m->in6m_debug &= ~IFD_TRASHED;
3223 }
3224 IN6M_UNLOCK(in6m);
3225
3226 lck_mtx_destroy(&in6m->in6m_lock, &in6_multihead_lock_grp);
3227 zfree(in6m_zone, in6m);
3228 }
3229
3230 static void
in6_multi_attach(struct in6_multi * in6m)3231 in6_multi_attach(struct in6_multi *in6m)
3232 {
3233 in6_multihead_lock_assert(LCK_RW_ASSERT_EXCLUSIVE);
3234 IN6M_LOCK_ASSERT_HELD(in6m);
3235
3236 if (in6m->in6m_debug & IFD_ATTACHED) {
3237 panic("%s: Attempt to attach an already attached in6m=%p",
3238 __func__, in6m);
3239 /* NOTREACHED */
3240 }
3241
3242 in6m->in6m_reqcnt++;
3243 VERIFY(in6m->in6m_reqcnt == 1);
3244 IN6M_ADDREF_LOCKED(in6m);
3245 in6m->in6m_debug |= IFD_ATTACHED;
3246 /*
3247 * Reattach case: If debugging is enabled, take it
3248 * out of the trash list and clear IFD_TRASHED.
3249 */
3250 if ((in6m->in6m_debug & (IFD_DEBUG | IFD_TRASHED)) ==
3251 (IFD_DEBUG | IFD_TRASHED)) {
3252 /* Become a regular mutex, just in case */
3253 IN6M_CONVERT_LOCK(in6m);
3254 lck_mtx_lock(&in6m_trash_lock);
3255 TAILQ_REMOVE(&in6m_trash_head, (struct in6_multi_dbg *)in6m,
3256 in6m_trash_link);
3257 lck_mtx_unlock(&in6m_trash_lock);
3258 in6m->in6m_debug &= ~IFD_TRASHED;
3259 }
3260
3261 LIST_INSERT_HEAD(&in6_multihead, in6m, in6m_entry);
3262 }
3263
3264 int
in6_multi_detach(struct in6_multi * in6m)3265 in6_multi_detach(struct in6_multi *in6m)
3266 {
3267 in6_multihead_lock_assert(LCK_RW_ASSERT_EXCLUSIVE);
3268 IN6M_LOCK_ASSERT_HELD(in6m);
3269
3270 if (in6m->in6m_reqcnt == 0) {
3271 panic("%s: in6m=%p negative reqcnt", __func__, in6m);
3272 /* NOTREACHED */
3273 }
3274
3275 --in6m->in6m_reqcnt;
3276 if (in6m->in6m_reqcnt > 0) {
3277 return 0;
3278 }
3279
3280 if (!(in6m->in6m_debug & IFD_ATTACHED)) {
3281 panic("%s: Attempt to detach an unattached record in6m=%p",
3282 __func__, in6m);
3283 /* NOTREACHED */
3284 } else if (in6m->in6m_debug & IFD_TRASHED) {
3285 panic("%s: in6m %p is already in trash list", __func__, in6m);
3286 /* NOTREACHED */
3287 }
3288
3289 /*
3290 * NOTE: Caller calls IFMA_REMREF
3291 */
3292 in6m->in6m_debug &= ~IFD_ATTACHED;
3293 LIST_REMOVE(in6m, in6m_entry);
3294
3295 if (in6m->in6m_debug & IFD_DEBUG) {
3296 /* Become a regular mutex, just in case */
3297 IN6M_CONVERT_LOCK(in6m);
3298 lck_mtx_lock(&in6m_trash_lock);
3299 TAILQ_INSERT_TAIL(&in6m_trash_head,
3300 (struct in6_multi_dbg *)in6m, in6m_trash_link);
3301 lck_mtx_unlock(&in6m_trash_lock);
3302 in6m->in6m_debug |= IFD_TRASHED;
3303 }
3304
3305 return 1;
3306 }
3307
3308 void
in6m_addref(struct in6_multi * in6m,int locked)3309 in6m_addref(struct in6_multi *in6m, int locked)
3310 {
3311 if (!locked) {
3312 IN6M_LOCK_SPIN(in6m);
3313 } else {
3314 IN6M_LOCK_ASSERT_HELD(in6m);
3315 }
3316
3317 if (++in6m->in6m_refcount == 0) {
3318 panic("%s: in6m=%p wraparound refcnt", __func__, in6m);
3319 /* NOTREACHED */
3320 } else if (in6m->in6m_trace != NULL) {
3321 (*in6m->in6m_trace)(in6m, TRUE);
3322 }
3323 if (!locked) {
3324 IN6M_UNLOCK(in6m);
3325 }
3326 }
3327
3328 void
in6m_remref(struct in6_multi * in6m,int locked)3329 in6m_remref(struct in6_multi *in6m, int locked)
3330 {
3331 struct ifmultiaddr *ifma;
3332 struct mld_ifinfo *mli;
3333
3334 if (!locked) {
3335 IN6M_LOCK_SPIN(in6m);
3336 } else {
3337 IN6M_LOCK_ASSERT_HELD(in6m);
3338 }
3339
3340 if (in6m->in6m_refcount == 0 || (in6m->in6m_refcount == 1 && locked)) {
3341 panic("%s: in6m=%p negative refcnt", __func__, in6m);
3342 /* NOTREACHED */
3343 } else if (in6m->in6m_trace != NULL) {
3344 (*in6m->in6m_trace)(in6m, FALSE);
3345 }
3346
3347 --in6m->in6m_refcount;
3348 if (in6m->in6m_refcount > 0) {
3349 if (!locked) {
3350 IN6M_UNLOCK(in6m);
3351 }
3352 return;
3353 }
3354
3355 /*
3356 * Synchronization with in6_mc_get(). In the event the in6m has been
3357 * detached, the underlying ifma would still be in the if_multiaddrs
3358 * list, and thus can be looked up via if_addmulti(). At that point,
3359 * the only way to find this in6m is via ifma_protospec. To avoid
3360 * race conditions between the last in6m_remref() of that in6m and its
3361 * use via ifma_protospec, in6_multihead lock is used for serialization.
3362 * In order to avoid violating the lock order, we must drop in6m_lock
3363 * before acquiring in6_multihead lock. To prevent the in6m from being
3364 * freed prematurely, we hold an extra reference.
3365 */
3366 ++in6m->in6m_refcount;
3367 IN6M_UNLOCK(in6m);
3368 in6_multihead_lock_shared();
3369 IN6M_LOCK_SPIN(in6m);
3370 --in6m->in6m_refcount;
3371 if (in6m->in6m_refcount > 0) {
3372 /* We've lost the race, so abort since in6m is still in use */
3373 IN6M_UNLOCK(in6m);
3374 in6_multihead_lock_done();
3375 /* If it was locked, return it as such */
3376 if (locked) {
3377 IN6M_LOCK(in6m);
3378 }
3379 return;
3380 }
3381 in6m_purge(in6m);
3382 ifma = in6m->in6m_ifma;
3383 in6m->in6m_ifma = NULL;
3384 in6m->in6m_ifp = NULL;
3385 mli = in6m->in6m_mli;
3386 in6m->in6m_mli = NULL;
3387 IN6M_UNLOCK(in6m);
3388 IFMA_LOCK_SPIN(ifma);
3389 ifma->ifma_protospec = NULL;
3390 IFMA_UNLOCK(ifma);
3391 in6_multihead_lock_done();
3392
3393 in6_multi_free(in6m);
3394 if_delmulti_ifma(ifma);
3395 /* Release reference held to the underlying ifmultiaddr */
3396 IFMA_REMREF(ifma);
3397
3398 if (mli != NULL) {
3399 MLI_REMREF(mli);
3400 }
3401 }
3402
3403 static void
in6m_trace(struct in6_multi * in6m,int refhold)3404 in6m_trace(struct in6_multi *in6m, int refhold)
3405 {
3406 struct in6_multi_dbg *in6m_dbg = (struct in6_multi_dbg *)in6m;
3407 ctrace_t *tr;
3408 u_int32_t idx;
3409 u_int16_t *cnt;
3410
3411 if (!(in6m->in6m_debug & IFD_DEBUG)) {
3412 panic("%s: in6m %p has no debug structure", __func__, in6m);
3413 /* NOTREACHED */
3414 }
3415 if (refhold) {
3416 cnt = &in6m_dbg->in6m_refhold_cnt;
3417 tr = in6m_dbg->in6m_refhold;
3418 } else {
3419 cnt = &in6m_dbg->in6m_refrele_cnt;
3420 tr = in6m_dbg->in6m_refrele;
3421 }
3422
3423 idx = atomic_add_16_ov(cnt, 1) % IN6M_TRACE_HIST_SIZE;
3424 ctrace_record(&tr[idx]);
3425 }
3426
3427 static struct in6_multi_mship *
in6_multi_mship_alloc(zalloc_flags_t how)3428 in6_multi_mship_alloc(zalloc_flags_t how)
3429 {
3430 return zalloc_flags(imm_zone, how | Z_ZERO);
3431 }
3432
3433 static void
in6_multi_mship_free(struct in6_multi_mship * imm)3434 in6_multi_mship_free(struct in6_multi_mship *imm)
3435 {
3436 if (imm->i6mm_maddr != NULL) {
3437 panic("%s: i6mm_maddr not NULL for imm=%p", __func__, imm);
3438 /* NOTREACHED */
3439 }
3440 zfree(imm_zone, imm);
3441 }
3442
3443 void
in6_multihead_lock_exclusive(void)3444 in6_multihead_lock_exclusive(void)
3445 {
3446 lck_rw_lock_exclusive(&in6_multihead_lock);
3447 }
3448
3449 void
in6_multihead_lock_shared(void)3450 in6_multihead_lock_shared(void)
3451 {
3452 lck_rw_lock_shared(&in6_multihead_lock);
3453 }
3454
3455 void
in6_multihead_lock_assert(int what)3456 in6_multihead_lock_assert(int what)
3457 {
3458 #if !MACH_ASSERT
3459 #pragma unused(what)
3460 #endif
3461 LCK_RW_ASSERT(&in6_multihead_lock, what);
3462 }
3463
3464 void
in6_multihead_lock_done(void)3465 in6_multihead_lock_done(void)
3466 {
3467 lck_rw_done(&in6_multihead_lock);
3468 }
3469
3470 static struct ip6_msource *
ip6ms_alloc(zalloc_flags_t how)3471 ip6ms_alloc(zalloc_flags_t how)
3472 {
3473 return zalloc_flags(ip6ms_zone, how | Z_ZERO);
3474 }
3475
3476 static void
ip6ms_free(struct ip6_msource * i6ms)3477 ip6ms_free(struct ip6_msource *i6ms)
3478 {
3479 zfree(ip6ms_zone, i6ms);
3480 }
3481
3482 static struct in6_msource *
in6ms_alloc(zalloc_flags_t how)3483 in6ms_alloc(zalloc_flags_t how)
3484 {
3485 return zalloc_flags(in6ms_zone, how | Z_ZERO);
3486 }
3487
3488 static void
in6ms_free(struct in6_msource * in6ms)3489 in6ms_free(struct in6_msource *in6ms)
3490 {
3491 zfree(in6ms_zone, in6ms);
3492 }
3493
3494 #ifdef MLD_DEBUG
3495
3496 static const char *in6m_modestrs[] = { "un\n", "in", "ex" };
3497
3498 static const char *
in6m_mode_str(const int mode)3499 in6m_mode_str(const int mode)
3500 {
3501 if (mode >= MCAST_UNDEFINED && mode <= MCAST_EXCLUDE) {
3502 return in6m_modestrs[mode];
3503 }
3504 return "??";
3505 }
3506
3507 static const char *in6m_statestrs[] = {
3508 "not-member\n",
3509 "silent\n",
3510 "reporting\n",
3511 "idle\n",
3512 "lazy\n",
3513 "sleeping\n",
3514 "awakening\n",
3515 "query-pending\n",
3516 "sg-query-pending\n",
3517 "leaving"
3518 };
3519
3520 static const char *
in6m_state_str(const int state)3521 in6m_state_str(const int state)
3522 {
3523 if (state >= MLD_NOT_MEMBER && state <= MLD_LEAVING_MEMBER) {
3524 return in6m_statestrs[state];
3525 }
3526 return "??";
3527 }
3528
3529 /*
3530 * Dump an in6_multi structure to the console.
3531 */
3532 void
in6m_print(const struct in6_multi * inm)3533 in6m_print(const struct in6_multi *inm)
3534 {
3535 int t;
3536
3537 IN6M_LOCK_ASSERT_HELD(__DECONST(struct in6_multi *, inm));
3538
3539 if (mld_debug == 0) {
3540 return;
3541 }
3542
3543 printf("%s: --- begin in6m 0x%llx ---\n", __func__,
3544 (uint64_t)VM_KERNEL_ADDRPERM(inm));
3545 printf("addr %s ifp 0x%llx(%s) ifma 0x%llx\n",
3546 ip6_sprintf(&inm->in6m_addr),
3547 (uint64_t)VM_KERNEL_ADDRPERM(inm->in6m_ifp),
3548 if_name(inm->in6m_ifp),
3549 (uint64_t)VM_KERNEL_ADDRPERM(inm->in6m_ifma));
3550 printf("timer %u state %s refcount %u scq.len %u\n",
3551 inm->in6m_timer,
3552 in6m_state_str(inm->in6m_state),
3553 inm->in6m_refcount,
3554 inm->in6m_scq.ifq_len);
3555 printf("mli 0x%llx nsrc %lu sctimer %u scrv %u\n",
3556 (uint64_t)VM_KERNEL_ADDRPERM(inm->in6m_mli),
3557 inm->in6m_nsrc,
3558 inm->in6m_sctimer,
3559 inm->in6m_scrv);
3560 for (t = 0; t < 2; t++) {
3561 printf("t%d: fmode %s asm %u ex %u in %u rec %u\n", t,
3562 in6m_mode_str(inm->in6m_st[t].iss_fmode),
3563 inm->in6m_st[t].iss_asm,
3564 inm->in6m_st[t].iss_ex,
3565 inm->in6m_st[t].iss_in,
3566 inm->in6m_st[t].iss_rec);
3567 }
3568 printf("%s: --- end in6m 0x%llx ---\n", __func__,
3569 (uint64_t)VM_KERNEL_ADDRPERM(inm));
3570 }
3571
3572 #else
3573
3574 void
in6m_print(__unused const struct in6_multi * inm)3575 in6m_print(__unused const struct in6_multi *inm)
3576 {
3577 }
3578
3579 #endif
3580