1 // SPDX-License-Identifier: GPL-2.0
2 // Copyright (c) 2010-2011 EIA Electronics,
3 //                         Kurt Van Dijck <kurt.van.dijck@eia.be>
4 // Copyright (c) 2010-2011 EIA Electronics,
5 //                         Pieter Beyens <pieter.beyens@eia.be>
6 // Copyright (c) 2017-2019 Pengutronix,
7 //                         Marc Kleine-Budde <kernel@pengutronix.de>
8 // Copyright (c) 2017-2019 Pengutronix,
9 //                         Oleksij Rempel <kernel@pengutronix.de>
10 
/* J1939 Address Claiming.
 * Address Claiming in the kernel
 * - keeps track of the AC states of ECUs,
 * - resolves NAME<=>SA taking into account the AC states of ECUs.
 *
 * All Address Claim msgs (including host-originated msgs) are processed
 * on the receive path (a sent msg is always received again via CAN echo).
 * As such, AC msgs are processed in the order in which they are sent on
 * the bus.
 *
 * This module doesn't send msgs itself (e.g. replies to Address Claims);
 * that is the responsibility of a user space application or daemon.
 */
24 
25 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
26 
27 #include <linux/netdevice.h>
28 #include <linux/skbuff.h>
29 
30 #include "j1939-priv.h"
31 
/* Read the 64-bit NAME carried in the first eight payload bytes of an
 * Address Claimed message (little-endian on the wire).
 *
 * Callers check skb->len == 8 before calling this; no length check is
 * done here.
 */
static inline name_t j1939_skb_to_name(const struct sk_buff *skb)
{
	const __le64 *wire_name = (const __le64 *)skb->data;

	return le64_to_cpup(wire_name);
}
36 
/* Return true when @skb is a Request PGN message asking for the
 * Address Claimed PGN, i.e. a request that the receiver re-announce its
 * address. The requested PGN is the 3-byte little-endian field at the
 * start of the payload; anything shorter than 3 bytes is not a request.
 */
static inline bool j1939_ac_msg_is_request(struct sk_buff *skb)
{
	const struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);
	const u8 *payload = skb->data;
	int requested_pgn;

	if (skcb->addr.pgn != J1939_PGN_REQUEST)
		return false;
	if (skb->len < 3)
		return false;

	requested_pgn = payload[0];
	requested_pgn |= payload[1] << 8;
	requested_pgn |= payload[2] << 16;

	return requested_pgn == J1939_PGN_ADDRESS_CLAIMED;
}
49 
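/* Sanity-check a host-originated Address Claimed message before it is
 * transmitted.
 *
 * A claim is rejected when its payload is not exactly 8 bytes, when the
 * NAME in the payload differs from the socket's source NAME, when the
 * source address is J1939_NO_ADDR, or when it carries any destination
 * (an address claim must always be a broadcast).
 *
 * Returns 0 when the claim is acceptable, -EPROTO otherwise. Every
 * rejection is logged via netdev_notice().
 */
static int j1939_ac_verify_outgoing(struct j1939_priv *priv,
				    struct sk_buff *skb)
{
	struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);

	/* skb->len is unsigned int: print it with %u so the format
	 * specifier matches the argument type.
	 */
	if (skb->len != 8) {
		netdev_notice(priv->ndev, "tx address claim with dlc %u\n",
			      skb->len);
		return -EPROTO;
	}

	/* The NAME on the wire must be the NAME the socket claims for. */
	if (skcb->addr.src_name != j1939_skb_to_name(skb)) {
		netdev_notice(priv->ndev, "tx address claim with different name\n");
		return -EPROTO;
	}

	if (skcb->addr.sa == J1939_NO_ADDR) {
		netdev_notice(priv->ndev, "tx address claim with broadcast sa\n");
		return -EPROTO;
	}

	/* ac must always be a broadcast */
	if (skcb->addr.dst_name || skcb->addr.da != J1939_NO_ADDR) {
		netdev_notice(priv->ndev, "tx address claim with dest, not broadcast\n");
		return -EPROTO;
	}
	return 0;
}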
78 
/* Fix up the addressing of an outgoing message before transmission.
 *
 * For an Address Claimed message the claim is verified and, if the
 * claimed SA differs from the ECU's currently mapped address, the ECU
 * is unmapped so further traffic for it is held. For any other message
 * with a source NAME, the NAME is resolved to a unicast SA; a message
 * whose NAME has no unicast address is dropped unless it is a request
 * for the Address Claimed PGN. A destination NAME, when present, is
 * likewise resolved to a unicast DA.
 *
 * Returns 0 on success, a negative errno on failure: the value from
 * j1939_ac_verify_outgoing(), -ENODEV when no ECU exists for the
 * claimed NAME, or -EADDRNOTAVAIL when a NAME has no unicast address.
 */
int j1939_ac_fixup(struct j1939_priv *priv, struct sk_buff *skb)
{
	struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);

	/* network mgmt: address claiming msgs */
	if (skcb->addr.pgn == J1939_PGN_ADDRESS_CLAIMED) {
		struct j1939_ecu *ecu;
		int err = j1939_ac_verify_outgoing(priv, skb);

		if (err < 0)
			return err;

		ecu = j1939_ecu_get_by_name(priv, skcb->addr.src_name);
		if (!ecu)
			return -ENODEV;

		/* claiming a new SA: hold further traffic for ecu,
		 * remove from parent
		 */
		if (ecu->addr != skcb->addr.sa)
			j1939_ecu_unmap(ecu);
		j1939_ecu_put(ecu);
	} else if (skcb->addr.src_name) {
		/* assign source address */
		u8 sa = j1939_name_to_addr(priv, skcb->addr.src_name);

		if (!j1939_address_is_unicast(sa) &&
		    !j1939_ac_msg_is_request(skb)) {
			netdev_notice(priv->ndev, "tx drop: invalid sa for name 0x%016llx\n",
				      skcb->addr.src_name);
			return -EADDRNOTAVAIL;
		}
		skcb->addr.sa = sa;
	}

	/* assign destination address */
	if (skcb->addr.dst_name) {
		u8 da = j1939_name_to_addr(priv, skcb->addr.dst_name);

		if (!j1939_address_is_unicast(da)) {
			netdev_notice(priv->ndev, "tx drop: invalid da for name 0x%016llx\n",
				      skcb->addr.dst_name);
			return -EADDRNOTAVAIL;
		}
		skcb->addr.da = da;
	}
	return 0;
}
125 
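/* Process a received Address Claimed message and update the ECU table.
 *
 * The payload must be exactly 8 bytes, carry a non-zero NAME and come
 * from a valid source address; otherwise the message is logged and
 * dropped. The NAME is stored in the skb's source NAME field before the
 * zero check, so a dropped claim still leaves src_name set.
 *
 * Takes priv->lock itself (write_lock_bh), so callers must not hold it.
 * The ECU reference obtained or created here is released before return;
 * see the ref-counting comment in the body.
 */
static void j1939_ac_process(struct j1939_priv *priv, struct sk_buff *skb)
{
	struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);
	struct j1939_ecu *ecu, *prev;
	name_t name;

	/* skb->len is unsigned int: print it with %u so the format
	 * specifier matches the argument type.
	 */
	if (skb->len != 8) {
		netdev_notice(priv->ndev, "rx address claim with wrong dlc %u\n",
			      skb->len);
		return;
	}

	name = j1939_skb_to_name(skb);
	skcb->addr.src_name = name;
	if (!name) {
		netdev_notice(priv->ndev, "rx address claim without name\n");
		return;
	}

	if (!j1939_address_is_valid(skcb->addr.sa)) {
		netdev_notice(priv->ndev, "rx address claim with broadcast sa\n");
		return;
	}

	write_lock_bh(&priv->lock);

	/* Few words on the ECU ref counting:
	 *
	 * First we get an ECU handle, either with
	 * j1939_ecu_get_by_name_locked() (increments the ref counter)
	 * or j1939_ecu_create_locked() (initializes an ECU object
	 * with a ref counter of 1).
	 *
	 * j1939_ecu_unmap_locked() will decrement the ref counter,
	 * but only if the ECU was mapped before. So "ecu" still
	 * belongs to us.
	 *
	 * j1939_ecu_timer_start() will increment the ref counter
	 * before it starts the timer, so we can put the ecu when
	 * leaving this function.
	 */
	ecu = j1939_ecu_get_by_name_locked(priv, name);

	if (ecu && ecu->addr == skcb->addr.sa) {
		/* The ISO 11783-5 standard, in "4.5.2 - Address claim
		 * requirements", states:
		 *   d) No CF shall begin, or resume, transmission on the
		 *      network until 250 ms after it has successfully claimed
		 *      an address except when responding to a request for
		 *      address-claimed.
		 *
		 * But "Figure 6" and "Figure 7" in "4.5.4.2 - Address-claim
		 * prioritization" show that the CF begins the transmission
		 * after 250 ms from the first AC (address-claimed) message
		 * even if it sends another AC message during that time window
		 * to resolve the address contention with another CF.
		 *
		 * As stated in "4.4.2.3 - Address-claimed message":
		 *   In order to successfully claim an address, the CF sending
		 *   an address claimed message shall not receive a contending
		 *   claim from another CF for at least 250 ms.
		 *
		 * As stated in "4.4.3.2 - NAME management (NM) message":
		 *   1) A commanding CF can
		 *      d) request that a CF with a specified NAME transmit
		 *         the address-claimed message with its current NAME.
		 *   2) A target CF shall
		 *      d) send an address-claimed message in response to a
		 *         request for a matching NAME
		 *
		 * Taking the above arguments into account, the 250 ms wait is
		 * requested only during network initialization.
		 *
		 * Do not restart the timer on AC message if both the NAME and
		 * the address match and so if the address has already been
		 * claimed (timer has expired) or the AC message has been sent
		 * to resolve the contention with another CF (timer is still
		 * running).
		 */
		goto out_ecu_put;
	}

	/* A NAME seen for the first time only gets an ECU object when it
	 * claims a unicast address.
	 */
	if (!ecu && j1939_address_is_unicast(skcb->addr.sa))
		ecu = j1939_ecu_create_locked(priv, name);

	if (IS_ERR_OR_NULL(ecu))
		goto out_unlock_bh;

	/* cancel pending (previous) address claim */
	j1939_ecu_timer_cancel(ecu);

	/* A claim of the idle address means the ECU gives up its SA. */
	if (j1939_address_is_idle(skcb->addr.sa)) {
		j1939_ecu_unmap_locked(ecu);
		goto out_ecu_put;
	}

	/* save new addr */
	if (ecu->addr != skcb->addr.sa)
		j1939_ecu_unmap_locked(ecu);
	ecu->addr = skcb->addr.sa;

	/* Address contention: another ECU already holds this SA. The one
	 * with the numerically lower NAME keeps the address; on a tie the
	 * previous holder is kicked.
	 */
	prev = j1939_ecu_get_by_addr_locked(priv, skcb->addr.sa);
	if (prev) {
		if (ecu->name > prev->name) {
			j1939_ecu_unmap_locked(ecu);
			j1939_ecu_put(prev);
			goto out_ecu_put;
		} else {
			/* kick prev if less or equal */
			j1939_ecu_unmap_locked(prev);
			j1939_ecu_put(prev);
		}
	}

	j1939_ecu_timer_start(ecu);
 out_ecu_put:
	j1939_ecu_put(ecu);
 out_unlock_bh:
	write_unlock_bh(&priv->lock);
}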
246 
/* Look up the ECU currently mapped to @addr and store its NAME in
 * @name. Returns true when a mapping exists; @name is left untouched
 * otherwise. The ECU reference taken for the lookup is dropped before
 * returning.
 */
static bool j1939_ac_name_of_addr(struct j1939_priv *priv, u8 addr,
				  name_t *name)
{
	struct j1939_ecu *ecu = j1939_ecu_get_by_addr(priv, addr);

	if (!ecu)
		return false;

	*name = ecu->name;
	j1939_ecu_put(ecu);
	return true;
}

/* Receive-path hook for address management.
 *
 * An Address Claimed message is handed to j1939_ac_process(), which
 * updates the ECU table. Any other message with a unicast source
 * address gets its source NAME filled in from the current SA mapping.
 * In both cases the destination NAME is then resolved from the DA when
 * an ECU is mapped to it; NAMEs without a mapping are left untouched.
 */
void j1939_ac_recv(struct j1939_priv *priv, struct sk_buff *skb)
{
	struct j1939_sk_buff_cb *skcb = j1939_skb_to_cb(skb);

	/* network mgmt */
	if (skcb->addr.pgn == J1939_PGN_ADDRESS_CLAIMED)
		j1939_ac_process(priv, skb);
	else if (j1939_address_is_unicast(skcb->addr.sa))
		/* assign source name */
		j1939_ac_name_of_addr(priv, skcb->addr.sa,
				      &skcb->addr.src_name);

	/* assign destination name */
	j1939_ac_name_of_addr(priv, skcb->addr.da, &skcb->addr.dst_name);
}
271