Gitiles
Code Review Sign In
192.168.1.100 / R306 / b760bd950b4f56dbe34f084dbd1c5c6d08ef08e8 / . / ap / os / linux / linux-3.4.x / net / ipv6 / tcp_ipv6.c
blob: 448207e7c452a7932c466afd539a2d5060a3aa33 [file] [log] [blame]
yuezonghe824eb0c2024-06-27 02:32:26 -0700[diff] [blame]1/*
2 * TCP over IPv6
3 * Linux INET6 implementation
4 *
5 * Authors:
6 * Pedro Roque <roque@di.fc.ul.pt>
7 *
8 * Based on:
9 * linux/net/ipv4/tcp.c
10 * linux/net/ipv4/tcp_input.c
11 * linux/net/ipv4/tcp_output.c
12 *
13 * Fixes:
14 * Hideaki YOSHIFUJI : sin6_scope_id support
15 * YOSHIFUJI Hideaki @USAGI and: Support IPV6_V6ONLY socket option, which
16 * Alexey Kuznetsov allow both IPv4 and IPv6 sockets to bind
17 * a single port at the same time.
18 * YOSHIFUJI Hideaki @USAGI: convert /proc/net/tcp6 to seq_file.
19 *
20 * This program is free software; you can redistribute it and/or
21 * modify it under the terms of the GNU General Public License
22 * as published by the Free Software Foundation; either version
23 * 2 of the License, or (at your option) any later version.
24 */
25
26#include <linux/bottom_half.h>
27#include <linux/module.h>
28#include <linux/errno.h>
29#include <linux/types.h>
30#include <linux/socket.h>
31#include <linux/sockios.h>
32#include <linux/net.h>
33#include <linux/jiffies.h>
34#include <linux/in.h>
35#include <linux/in6.h>
36#include <linux/netdevice.h>
37#include <linux/init.h>
38#include <linux/jhash.h>
39#include <linux/ipsec.h>
40#include <linux/times.h>
41#include <linux/slab.h>
42
43#include <linux/ipv6.h>
44#include <linux/icmpv6.h>
45#include <linux/random.h>
46
47#include <net/tcp.h>
48#include <net/ndisc.h>
49#include <net/inet6_hashtables.h>
50#include <net/inet6_connection_sock.h>
51#include <net/ipv6.h>
52#include <net/transp_v6.h>
53#include <net/addrconf.h>
54#include <net/ip6_route.h>
55#include <net/ip6_checksum.h>
56#include <net/inet_ecn.h>
57#include <net/protocol.h>
58#include <net/xfrm.h>
59#include <net/snmp.h>
60#include <net/dsfield.h>
61#include <net/timewait_sock.h>
62#include <net/netdma.h>
63#include <net/inet_common.h>
64#include <net/secure_seq.h>
65#include <net/tcp_memcontrol.h>
66
67#include <asm/uaccess.h>
68
69#include <linux/proc_fs.h>
70#include <linux/seq_file.h>
71
72#include <linux/crypto.h>
73#include <linux/scatterlist.h>
74
75#include <net/netfilter/nf_conntrack.h>
76#include <net/SI/fast_common.h>
77#include <net/SI/sock_track.h>
78
79
80static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb);
81static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
82 struct request_sock *req);
83
84static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
85static void __tcp_v6_send_check(struct sk_buff *skb,
86 const struct in6_addr *saddr,
87 const struct in6_addr *daddr);
88
89static const struct inet_connection_sock_af_ops ipv6_mapped;
90static const struct inet_connection_sock_af_ops ipv6_specific;
91#ifdef CONFIG_TCP_MD5SIG
92static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
93static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
94#else
95static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
96 const struct in6_addr *addr)
97{
98 return NULL;
99}
100#endif
101
102static void tcp_v6_hash(struct sock *sk)
103{
104 if (sk->sk_state != TCP_CLOSE) {
105 if (inet_csk(sk)->icsk_af_ops == &ipv6_mapped) {
106 tcp_prot.hash(sk);
107 return;
108 }
109 local_bh_disable();
110 __inet6_hash(sk, NULL);
111 local_bh_enable();
112 }
113}
114
115static __inline__ __sum16 tcp_v6_check(int len,
116 const struct in6_addr *saddr,
117 const struct in6_addr *daddr,
118 __wsum base)
119{
120 return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
121}
122
123static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
124{
125 return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
126 ipv6_hdr(skb)->saddr.s6_addr32,
127 tcp_hdr(skb)->dest,
128 tcp_hdr(skb)->source);
129}
130
131static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
132 int addr_len)
133{
134 struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
135 struct inet_sock *inet = inet_sk(sk);
136 struct inet_connection_sock *icsk = inet_csk(sk);
137 struct ipv6_pinfo *np = inet6_sk(sk);
138 struct tcp_sock *tp = tcp_sk(sk);
139 struct in6_addr *saddr = NULL, *final_p, final;
140 struct rt6_info *rt;
141 struct ipv6_txoptions *opt;//CVE-2016-3841
142 struct flowi6 fl6;
143 struct dst_entry *dst;
144 int addr_type;
145 int err;
146
147 if (addr_len < SIN6_LEN_RFC2133)
148 return -EINVAL;
149
150 if (usin->sin6_family != AF_INET6)
151 return -EAFNOSUPPORT;
152
153 memset(&fl6, 0, sizeof(fl6));
154
155 if (np->sndflow) {
156 fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
157 IP6_ECN_flow_init(fl6.flowlabel);
158 if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
159 struct ip6_flowlabel *flowlabel;
160 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
161 if (flowlabel == NULL)
162 return -EINVAL;
163 usin->sin6_addr = flowlabel->dst;
164 fl6_sock_release(flowlabel);
165 }
166 }
167
168 /*
169 * connect() to INADDR_ANY means loopback (BSD'ism).
170 */
171
172 if(ipv6_addr_any(&usin->sin6_addr))
173 usin->sin6_addr.s6_addr[15] = 0x1;
174
175 addr_type = ipv6_addr_type(&usin->sin6_addr);
176
177 if(addr_type & IPV6_ADDR_MULTICAST)
178 return -ENETUNREACH;
179
180 if (addr_type&IPV6_ADDR_LINKLOCAL) {
181 if (addr_len >= sizeof(struct sockaddr_in6) &&
182 usin->sin6_scope_id) {
183 /* If interface is set while binding, indices
184 * must coincide.
185 */
186 if (sk->sk_bound_dev_if &&
187 sk->sk_bound_dev_if != usin->sin6_scope_id)
188 return -EINVAL;
189
190 sk->sk_bound_dev_if = usin->sin6_scope_id;
191 }
192
193 /* Connect to link-local address requires an interface */
194 if (!sk->sk_bound_dev_if)
195 return -EINVAL;
196 }
197
198 if (tp->rx_opt.ts_recent_stamp &&
199 !ipv6_addr_equal(&np->daddr, &usin->sin6_addr)) {
200 tp->rx_opt.ts_recent = 0;
201 tp->rx_opt.ts_recent_stamp = 0;
202 tp->write_seq = 0;
203 }
204
205 np->daddr = usin->sin6_addr;
206 np->flow_label = fl6.flowlabel;
207
208 /*
209 * TCP over IPv4
210 */
211
212 if (addr_type == IPV6_ADDR_MAPPED) {
213 u32 exthdrlen = icsk->icsk_ext_hdr_len;
214 struct sockaddr_in sin;
215
216 SOCK_DEBUG(sk, "connect: ipv4 mapped\n");
217
218 if (__ipv6_only_sock(sk))
219 return -ENETUNREACH;
220
221 sin.sin_family = AF_INET;
222 sin.sin_port = usin->sin6_port;
223 sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
224
225 icsk->icsk_af_ops = &ipv6_mapped;
226 sk->sk_backlog_rcv = tcp_v4_do_rcv;
227#ifdef CONFIG_TCP_MD5SIG
228 tp->af_specific = &tcp_sock_ipv6_mapped_specific;
229#endif
230
231 err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));
232
233 if (err) {
234 icsk->icsk_ext_hdr_len = exthdrlen;
235 icsk->icsk_af_ops = &ipv6_specific;
236 sk->sk_backlog_rcv = tcp_v6_do_rcv;
237#ifdef CONFIG_TCP_MD5SIG
238 tp->af_specific = &tcp_sock_ipv6_specific;
239#endif
240 goto failure;
241 } else {
242 ipv6_addr_set_v4mapped(inet->inet_saddr, &np->saddr);
243 ipv6_addr_set_v4mapped(inet->inet_rcv_saddr,
244 &np->rcv_saddr);
245 }
246
247 return err;
248 }
249
250 if (!ipv6_addr_any(&np->rcv_saddr))
251 saddr = &np->rcv_saddr;
252
253 fl6.flowi6_proto = IPPROTO_TCP;
254 fl6.daddr = np->daddr;
255 fl6.saddr = saddr ? *saddr : np->saddr;
256 fl6.flowi6_oif = sk->sk_bound_dev_if;
257 fl6.flowi6_mark = sk->sk_mark;
258 fl6.fl6_dport = usin->sin6_port;
259 fl6.fl6_sport = inet->inet_sport;
260
261 //CVE-2016-3841
262 opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));
263 final_p = fl6_update_dst(&fl6, opt, &final);
264 //CVE-2016-3841final_p = fl6_update_dst(&fl6, np->opt, &final);
265
266 security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
267
268 dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
269 if (IS_ERR(dst)) {
270 err = PTR_ERR(dst);
271 goto failure;
272 }
273
274 if (saddr == NULL) {
275 saddr = &fl6.saddr;
276 np->rcv_saddr = *saddr;
277 }
278
279 /* set the source address */
280 np->saddr = *saddr;
281 inet->inet_rcv_saddr = LOOPBACK4_IPV6;
282
283 sk->sk_gso_type = SKB_GSO_TCPV6;
284 __ip6_dst_store(sk, dst, NULL, NULL);
285
286 rt = (struct rt6_info *) dst;
287 if (tcp_death_row.sysctl_tw_recycle &&
288 !tp->rx_opt.ts_recent_stamp &&
289 ipv6_addr_equal(&rt->rt6i_dst.addr, &np->daddr)) {
290 struct inet_peer *peer = rt6_get_peer(rt);
291 /*
292 * VJ's idea. We save last timestamp seen from
293 * the destination in peer table, when entering state
294 * TIME-WAIT * and initialize rx_opt.ts_recent from it,
295 * when trying new connection.
296 */
297 if (peer) {
298 inet_peer_refcheck(peer);
299 if ((u32)get_seconds() - peer->tcp_ts_stamp <= TCP_PAWS_MSL) {
300 tp->rx_opt.ts_recent_stamp = peer->tcp_ts_stamp;
301 tp->rx_opt.ts_recent = peer->tcp_ts;
302 }
303 }
304 }
305
306 icsk->icsk_ext_hdr_len = 0;
307 /*//CVE-2016-3841
308 if (np->opt)
309 icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
310 np->opt->opt_nflen);*/
311 if (opt)
312 icsk->icsk_ext_hdr_len = opt->opt_flen +
313 opt->opt_nflen;
314 //CVE-2016-3841
315
316 tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
317
318 inet->inet_dport = usin->sin6_port;
319
320 tcp_set_state(sk, TCP_SYN_SENT);
321 err = inet6_hash_connect(&tcp_death_row, sk);
322 if (err)
323 goto late_failure;
324
325 if (!tp->write_seq)
326 tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32,
327 np->daddr.s6_addr32,
328 inet->inet_sport,
329 inet->inet_dport);
330
331 err = tcp_connect(sk);
332 if (err)
333 goto late_failure;
334
335 return 0;
336
337late_failure:
338 tcp_set_state(sk, TCP_CLOSE);
339 __sk_dst_reset(sk);
340failure:
341 inet->inet_dport = 0;
342 sk->sk_route_caps = 0;
343 return err;
344}
345
346static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
347 u8 type, u8 code, int offset, __be32 info)
348{
349 const struct ipv6hdr *hdr = (const struct ipv6hdr*)skb->data;
350 const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
351 struct ipv6_pinfo *np;
352 struct sock *sk;
353 int err;
354 struct tcp_sock *tp;
355 __u32 seq;
356 struct net *net = dev_net(skb->dev);
357
358 sk = inet6_lookup(net, &tcp_hashinfo, &hdr->daddr,
359 th->dest, &hdr->saddr, th->source, skb->dev->ifindex);
360
361 if (sk == NULL) {
362 ICMP6_INC_STATS_BH(net, __in6_dev_get(skb->dev),
363 ICMP6_MIB_INERRORS);
364 return;
365 }
366
367 if (sk->sk_state == TCP_TIME_WAIT) {
368 inet_twsk_put(inet_twsk(sk));
369 return;
370 }
371
372 bh_lock_sock(sk);
373 if (sock_owned_by_user(sk))
374 NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
375
376 if (sk->sk_state == TCP_CLOSE)
377 goto out;
378
379 if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
380 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
381 goto out;
382 }
383
384 tp = tcp_sk(sk);
385 seq = ntohl(th->seq);
386 if (sk->sk_state != TCP_LISTEN &&
387 !between(seq, tp->snd_una, tp->snd_nxt)) {
388 NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
389 goto out;
390 }
391
392 np = inet6_sk(sk);
393
394 if (type == ICMPV6_PKT_TOOBIG) {
395 struct dst_entry *dst;
396
397 if (sock_owned_by_user(sk))
398 goto out;
399 if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
400 goto out;
401
402 /* icmp should have updated the destination cache entry */
403 dst = __sk_dst_check(sk, np->dst_cookie);
404
405 if (dst == NULL) {
406 struct inet_sock *inet = inet_sk(sk);
407 struct flowi6 fl6;
408
409 /* BUGGG_FUTURE: Again, it is not clear how
410 to handle rthdr case. Ignore this complexity
411 for now.
412 */
413 memset(&fl6, 0, sizeof(fl6));
414 fl6.flowi6_proto = IPPROTO_TCP;
415 fl6.daddr = np->daddr;
416 fl6.saddr = np->saddr;
417 fl6.flowi6_oif = sk->sk_bound_dev_if;
418 fl6.flowi6_mark = sk->sk_mark;
419 fl6.fl6_dport = inet->inet_dport;
420 fl6.fl6_sport = inet->inet_sport;
421 security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
422
423 dst = ip6_dst_lookup_flow(sk, &fl6, NULL, false);
424 if (IS_ERR(dst)) {
425 sk->sk_err_soft = -PTR_ERR(dst);
426 goto out;
427 }
428
429 } else
430 dst_hold(dst);
431
432 if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
433 tcp_sync_mss(sk, dst_mtu(dst));
434 tcp_simple_retransmit(sk);
435 } /* else let the usual retransmit timer handle it */
436 dst_release(dst);
437 goto out;
438 }
439
440 icmpv6_err_convert(type, code, &err);
441
442 /* Might be for an request_sock */
443 switch (sk->sk_state) {
444 struct request_sock *req, **prev;
445 case TCP_LISTEN:
446 if (sock_owned_by_user(sk))
447 goto out;
448
449 req = inet6_csk_search_req(sk, &prev, th->dest, &hdr->daddr,
450 &hdr->saddr, inet6_iif(skb));
451 if (!req)
452 goto out;
453
454 /* ICMPs are not backlogged, hence we cannot get
455 * an established socket here.
456 */
457 WARN_ON(req->sk != NULL);
458
459 if (seq != tcp_rsk(req)->snt_isn) {
460 NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
461 goto out;
462 }
463
464 inet_csk_reqsk_queue_drop(sk, req, prev);
465 goto out;
466
467 case TCP_SYN_SENT:
468 case TCP_SYN_RECV: /* Cannot happen.
469 It can, it SYNs are crossed. --ANK */
470 if (!sock_owned_by_user(sk)) {
471 sk->sk_err = err;
472 sk->sk_error_report(sk); /* Wake people up to see the error (see connect in sock.c) */
473
474 tcp_done(sk);
475 } else
476 sk->sk_err_soft = err;
477 goto out;
478 }
479
480 if (!sock_owned_by_user(sk) && np->recverr) {
481 sk->sk_err = err;
482 sk->sk_error_report(sk);
483 } else
484 sk->sk_err_soft = err;
485
486out:
487 bh_unlock_sock(sk);
488 sock_put(sk);
489}
490
491
492static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
493 struct request_values *rvp)
494{
495 struct inet6_request_sock *treq = inet6_rsk(req);
496 struct ipv6_pinfo *np = inet6_sk(sk);
497 struct sk_buff * skb;
498 struct ipv6_txoptions *opt = NULL;
499 struct in6_addr * final_p, final;
500 struct flowi6 fl6;
501 struct dst_entry *dst;
502 int err;
503
504 memset(&fl6, 0, sizeof(fl6));
505 fl6.flowi6_proto = IPPROTO_TCP;
506 fl6.daddr = treq->rmt_addr;
507 fl6.saddr = treq->loc_addr;
508 fl6.flowlabel = 0;
509 fl6.flowi6_oif = treq->iif;
510 fl6.flowi6_mark = sk->sk_mark;
511 fl6.fl6_dport = inet_rsk(req)->rmt_port;
512 fl6.fl6_sport = inet_rsk(req)->loc_port;
513 security_req_classify_flow(req, flowi6_to_flowi(&fl6));
514
515 //CVE-2016-3841opt = np->opt;
516 opt = rcu_dereference_protected(np->opt, sock_owned_by_user(sk));//CVE-2016-3841
517
518 final_p = fl6_update_dst(&fl6, opt, &final);
519
520 dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
521 if (IS_ERR(dst)) {
522 err = PTR_ERR(dst);
523 dst = NULL;
524 goto done;
525 }
526 skb = tcp_make_synack(sk, dst, req, rvp);
527 err = -ENOMEM;
528 if (skb) {
529 __tcp_v6_send_check(skb, &treq->loc_addr, &treq->rmt_addr);
530
531 fl6.daddr = treq->rmt_addr;
532 //CVE-2016-3841err = ip6_xmit(sk, skb, &fl6, opt, np->tclass);
533 err = ip6_xmit(sk, skb, &fl6, rcu_dereference(np->opt), np->tclass);//CVE-2016-3841
534 err = net_xmit_eval(err);
535 }
536
537done:
538 //CVE-2016-3841if (opt && opt != np->opt)
539 //CVE-2016-3841sock_kfree_s(sk, opt, opt->tot_len);
540 dst_release(dst);
541 return err;
542}
543
544static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
545 struct request_values *rvp)
546{
547 TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_RETRANSSEGS);
548 TCP_PKT_STATS_INC(TCP_RETRANS_PKTS);
549 TCP_PKT_STATS_INC(TCP_SEND_DROPS);
550 return tcp_v6_send_synack(sk, req, rvp);
551}
552
553static void tcp_v6_reqsk_destructor(struct request_sock *req)
554{
555 kfree_skb(inet6_rsk(req)->pktopts);
556}
557
558#ifdef CONFIG_TCP_MD5SIG
559static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
560 const struct in6_addr *addr)
561{
562 return tcp_md5_do_lookup(sk, (union tcp_md5_addr *)addr, AF_INET6);
563}
564
565static struct tcp_md5sig_key *tcp_v6_md5_lookup(struct sock *sk,
566 struct sock *addr_sk)
567{
568 return tcp_v6_md5_do_lookup(sk, &inet6_sk(addr_sk)->daddr);
569}
570
571static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
572 struct request_sock *req)
573{
574 return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
575}
576
577static int tcp_v6_parse_md5_keys (struct sock *sk, char __user *optval,
578 int optlen)
579{
580 struct tcp_md5sig cmd;
581 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
582
583 if (optlen < sizeof(cmd))
584 return -EINVAL;
585
586 if (copy_from_user(&cmd, optval, sizeof(cmd)))
587 return -EFAULT;
588
589 if (sin6->sin6_family != AF_INET6)
590 return -EINVAL;
591
592 if (!cmd.tcpm_keylen) {
593 if (ipv6_addr_v4mapped(&sin6->sin6_addr))
594 return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
595 AF_INET);
596 return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
597 AF_INET6);
598 }
599
600 if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
601 return -EINVAL;
602
603 if (ipv6_addr_v4mapped(&sin6->sin6_addr))
604 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
605 AF_INET, cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
606
607 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
608 AF_INET6, cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
609}
610
611static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
612 const struct in6_addr *daddr,
613 const struct in6_addr *saddr, int nbytes)
614{
615 struct tcp6_pseudohdr *bp;
616 struct scatterlist sg;
617
618 bp = &hp->md5_blk.ip6;
619 /* 1. TCP pseudo-header (RFC2460) */
620 bp->saddr = *saddr;
621 bp->daddr = *daddr;
622 bp->protocol = cpu_to_be32(IPPROTO_TCP);
623 bp->len = cpu_to_be32(nbytes);
624
625 sg_init_one(&sg, bp, sizeof(*bp));
626 return crypto_hash_update(&hp->md5_desc, &sg, sizeof(*bp));
627}
628
629static int tcp_v6_md5_hash_hdr(char *md5_hash, struct tcp_md5sig_key *key,
630 const struct in6_addr *daddr, struct in6_addr *saddr,
631 const struct tcphdr *th)
632{
633 struct tcp_md5sig_pool *hp;
634 struct hash_desc *desc;
635
636 hp = tcp_get_md5sig_pool();
637 if (!hp)
638 goto clear_hash_noput;
639 desc = &hp->md5_desc;
640
641 if (crypto_hash_init(desc))
642 goto clear_hash;
643 if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, th->doff << 2))
644 goto clear_hash;
645 if (tcp_md5_hash_header(hp, th))
646 goto clear_hash;
647 if (tcp_md5_hash_key(hp, key))
648 goto clear_hash;
649 if (crypto_hash_final(desc, md5_hash))
650 goto clear_hash;
651
652 tcp_put_md5sig_pool();
653 return 0;
654
655clear_hash:
656 tcp_put_md5sig_pool();
657clear_hash_noput:
658 memset(md5_hash, 0, 16);
659 return 1;
660}
661
662static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
663 const struct sock *sk,
664 const struct request_sock *req,
665 const struct sk_buff *skb)
666{
667 const struct in6_addr *saddr, *daddr;
668 struct tcp_md5sig_pool *hp;
669 struct hash_desc *desc;
670 const struct tcphdr *th = tcp_hdr(skb);
671
672 if (sk) {
673 saddr = &inet6_sk(sk)->saddr;
674 daddr = &inet6_sk(sk)->daddr;
675 } else if (req) {
676 saddr = &inet6_rsk(req)->loc_addr;
677 daddr = &inet6_rsk(req)->rmt_addr;
678 } else {
679 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
680 saddr = &ip6h->saddr;
681 daddr = &ip6h->daddr;
682 }
683
684 hp = tcp_get_md5sig_pool();
685 if (!hp)
686 goto clear_hash_noput;
687 desc = &hp->md5_desc;
688
689 if (crypto_hash_init(desc))
690 goto clear_hash;
691
692 if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, skb->len))
693 goto clear_hash;
694 if (tcp_md5_hash_header(hp, th))
695 goto clear_hash;
696 if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2))
697 goto clear_hash;
698 if (tcp_md5_hash_key(hp, key))
699 goto clear_hash;
700 if (crypto_hash_final(desc, md5_hash))
701 goto clear_hash;
702
703 tcp_put_md5sig_pool();
704 return 0;
705
706clear_hash:
707 tcp_put_md5sig_pool();
708clear_hash_noput:
709 memset(md5_hash, 0, 16);
710 return 1;
711}
712
713static int tcp_v6_inbound_md5_hash(struct sock *sk, const struct sk_buff *skb)
714{
715 const __u8 *hash_location = NULL;
716 struct tcp_md5sig_key *hash_expected;
717 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
718 const struct tcphdr *th = tcp_hdr(skb);
719 int genhash;
720 u8 newhash[16];
721
722 hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);
723 hash_location = tcp_parse_md5sig_option(th);
724
725 /* We've parsed the options - do we have a hash? */
726 if (!hash_expected && !hash_location)
727 return 0;
728
729 if (hash_expected && !hash_location) {
730 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
731 return 1;
732 }
733
734 if (!hash_expected && hash_location) {
735 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED);
736 return 1;
737 }
738
739 /* check the signature */
740 genhash = tcp_v6_md5_hash_skb(newhash,
741 hash_expected,
742 NULL, NULL, skb);
743
744 if (genhash || memcmp(hash_location, newhash, 16) != 0) {
745 if (net_ratelimit()) {
746 printk(KERN_INFO "MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u\n",
747 genhash ? "failed" : "mismatch",
748 &ip6h->saddr, ntohs(th->source),
749 &ip6h->daddr, ntohs(th->dest));
750 }
751 return 1;
752 }
753 return 0;
754}
755#endif
756
757struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
758 .family = AF_INET6,
759 .obj_size = sizeof(struct tcp6_request_sock),
760 .rtx_syn_ack = tcp_v6_rtx_synack,
761 .send_ack = tcp_v6_reqsk_send_ack,
762 .destructor = tcp_v6_reqsk_destructor,
763 .send_reset = tcp_v6_send_reset,
764 .syn_ack_timeout = tcp_syn_ack_timeout,
765};
766
767#ifdef CONFIG_TCP_MD5SIG
768static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
769 .md5_lookup = tcp_v6_reqsk_md5_lookup,
770 .calc_md5_hash = tcp_v6_md5_hash_skb,
771};
772#endif
773
774static void __tcp_v6_send_check(struct sk_buff *skb,
775 const struct in6_addr *saddr, const struct in6_addr *daddr)
776{
777 struct tcphdr *th = tcp_hdr(skb);
778
779 if (skb->ip_summed == CHECKSUM_PARTIAL) {
780 th->check = ~tcp_v6_check(skb->len, saddr, daddr, 0);
781 skb->csum_start = skb_transport_header(skb) - skb->head;
782 skb->csum_offset = offsetof(struct tcphdr, check);
783 } else {
784 th->check = tcp_v6_check(skb->len, saddr, daddr,
785 csum_partial(th, th->doff << 2,
786 skb->csum));
787 }
788}
789
790static void tcp_v6_send_check(struct sock *sk, struct sk_buff *skb)
791{
792 struct ipv6_pinfo *np = inet6_sk(sk);
793
794 __tcp_v6_send_check(skb, &np->saddr, &np->daddr);
795}
796
797static int tcp_v6_gso_send_check(struct sk_buff *skb)
798{
799 const struct ipv6hdr *ipv6h;
800 struct tcphdr *th;
801
802 if (!pskb_may_pull(skb, sizeof(*th)))
803 return -EINVAL;
804
805 ipv6h = ipv6_hdr(skb);
806 th = tcp_hdr(skb);
807
808 th->check = 0;
809 skb->ip_summed = CHECKSUM_PARTIAL;
810 __tcp_v6_send_check(skb, &ipv6h->saddr, &ipv6h->daddr);
811 return 0;
812}
813
814static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
815 struct sk_buff *skb)
816{
817 const struct ipv6hdr *iph = skb_gro_network_header(skb);
818
819 switch (skb->ip_summed) {
820 case CHECKSUM_COMPLETE:
821 if (!tcp_v6_check(skb_gro_len(skb), &iph->saddr, &iph->daddr,
822 skb->csum)) {
823 skb->ip_summed = CHECKSUM_UNNECESSARY;
824 break;
825 }
826
827 /* fall through */
828 case CHECKSUM_NONE:
829 NAPI_GRO_CB(skb)->flush = 1;
830 return NULL;
831 }
832
833 return tcp_gro_receive(head, skb);
834}
835
836static int tcp6_gro_complete(struct sk_buff *skb)
837{
838 const struct ipv6hdr *iph = ipv6_hdr(skb);
839 struct tcphdr *th = tcp_hdr(skb);
840
841 th->check = ~tcp_v6_check(skb->len - skb_transport_offset(skb),
842 &iph->saddr, &iph->daddr, 0);
843 skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
844
845 return tcp_gro_complete(skb);
846}
847
848static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
849 u32 ts, struct tcp_md5sig_key *key, int rst, u8 tclass)
850{
851 const struct tcphdr *th = tcp_hdr(skb);
852 struct tcphdr *t1;
853 struct sk_buff *buff;
854 struct flowi6 fl6;
855 struct net *net = dev_net(skb_dst(skb)->dev);
856 struct sock *ctl_sk = net->ipv6.tcp_sk;
857 unsigned int tot_len = sizeof(struct tcphdr);
858 struct dst_entry *dst;
859 __be32 *topt;
860
861 if (ts)
862 tot_len += TCPOLEN_TSTAMP_ALIGNED;
863#ifdef CONFIG_TCP_MD5SIG
864 if (key)
865 tot_len += TCPOLEN_MD5SIG_ALIGNED;
866#endif
867
868 buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
869 GFP_ATOMIC);
870 if (buff == NULL)
871 return;
872
873 skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);
874
875 t1 = (struct tcphdr *) skb_push(buff, tot_len);
876 skb_reset_transport_header(buff);
877
878 /* Swap the send and the receive. */
879 memset(t1, 0, sizeof(*t1));
880 t1->dest = th->source;
881 t1->source = th->dest;
882 t1->doff = tot_len / 4;
883 t1->seq = htonl(seq);
884 t1->ack_seq = htonl(ack);
885 t1->ack = !rst || !th->ack;
886 t1->rst = rst;
887 t1->window = htons(win);
888
889 topt = (__be32 *)(t1 + 1);
890
891 if (ts) {
892 *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
893 (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
894 *topt++ = htonl(tcp_time_stamp);
895 *topt++ = htonl(ts);
896 }
897
898#ifdef CONFIG_TCP_MD5SIG
899 if (key) {
900 *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
901 (TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
902 tcp_v6_md5_hash_hdr((__u8 *)topt, key,
903 &ipv6_hdr(skb)->saddr,
904 &ipv6_hdr(skb)->daddr, t1);
905 }
906#endif
907
908 memset(&fl6, 0, sizeof(fl6));
909 fl6.daddr = ipv6_hdr(skb)->saddr;
910 fl6.saddr = ipv6_hdr(skb)->daddr;
911
912 buff->ip_summed = CHECKSUM_PARTIAL;
913 buff->csum = 0;
914
915 __tcp_v6_send_check(buff, &fl6.saddr, &fl6.daddr);
916
917 fl6.flowi6_proto = IPPROTO_TCP;
918 if (ipv6_addr_type(&fl6.daddr) & IPV6_ADDR_LINKLOCAL)
919 fl6.flowi6_oif = inet6_iif(skb);
920 fl6.fl6_dport = t1->dest;
921 fl6.fl6_sport = t1->source;
922 security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
923
924 /* Pass a socket to ip6_dst_lookup either it is for RST
925 * Underlying function will use this to retrieve the network
926 * namespace
927 */
928 dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL, false);
929 if (!IS_ERR(dst)) {
930 skb_dst_set(buff, dst);
931 ip6_xmit(ctl_sk, buff, &fl6, NULL, tclass);
932 TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
933 TCP_PKT_STATS_INC(TCP_SEND_PKTS);
934 if (rst)
935 {
936 TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS);
937 TCP_PKT_STATS_INC(TCP_RST_SEND_NUM);
938 }
939 return;
940 }
941
942 kfree_skb(buff);
943}
944
945static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
946{
947 const struct tcphdr *th = tcp_hdr(skb);
948 u32 seq = 0, ack_seq = 0;
949 struct tcp_md5sig_key *key = NULL;
950#ifdef CONFIG_TCP_MD5SIG
951 const __u8 *hash_location = NULL;
952 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
953 unsigned char newhash[16];
954 int genhash;
955 struct sock *sk1 = NULL;
956#endif
957
958 if (th->rst)
959 return;
960
961 if (!ipv6_unicast_destination(skb))
962 return;
963
964#ifdef CONFIG_TCP_MD5SIG
965 hash_location = tcp_parse_md5sig_option(th);
966 if (!sk && hash_location) {
967 /*
968 * active side is lost. Try to find listening socket through
969 * source port, and then find md5 key through listening socket.
970 * we are not loose security here:
971 * Incoming packet is checked with md5 hash with finding key,
972 * no RST generated if md5 hash doesn't match.
973 */
974 sk1 = inet6_lookup_listener(dev_net(skb_dst(skb)->dev),
975 &tcp_hashinfo, &ipv6h->daddr,
976 ntohs(th->source), inet6_iif(skb));
977 if (!sk1)
978 return;
979
980 rcu_read_lock();
981 key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr);
982 if (!key)
983 goto release_sk1;
984
985 genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, NULL, skb);
986 if (genhash || memcmp(hash_location, newhash, 16) != 0)
987 goto release_sk1;
988 } else {
989 key = sk ? tcp_v6_md5_do_lookup(sk, &ipv6h->saddr) : NULL;
990 }
991#endif
992
993 if (th->ack)
994 seq = ntohl(th->ack_seq);
995 else
996 ack_seq = ntohl(th->seq) + th->syn + th->fin + skb->len -
997 (th->doff << 2);
998
999 TCP_SOCK_TRACK(sk, TCP_RST_SEND);
1000 tcp_v6_send_response(skb, seq, ack_seq, 0, 0, key, 1, 0);
1001
1002#ifdef CONFIG_TCP_MD5SIG
1003release_sk1:
1004 if (sk1) {
1005 rcu_read_unlock();
1006 sock_put(sk1);
1007 }
1008#endif
1009}
1010
1011static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 ts,
1012 struct tcp_md5sig_key *key, u8 tclass)
1013{
1014 tcp_v6_send_response(skb, seq, ack, win, ts, key, 0, tclass);
1015}
1016
1017static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
1018{
1019 struct inet_timewait_sock *tw = inet_twsk(sk);
1020 struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
1021
1022 tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
1023 tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
1024 tcptw->tw_ts_recent, tcp_twsk_md5_key(tcptw),
1025 tw->tw_tclass);
1026
1027 inet_twsk_put(tw);
1028}
1029
1030static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
1031 struct request_sock *req)
1032{
1033 tcp_v6_send_ack(skb, tcp_rsk(req)->snt_isn + 1, tcp_rsk(req)->rcv_isn + 1, req->rcv_wnd, req->ts_recent,
1034 tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr), 0);
1035}
1036
1037
1038static struct sock *tcp_v6_hnd_req(struct sock *sk,struct sk_buff *skb)
1039{
1040 struct request_sock *req, **prev;
1041 const struct tcphdr *th = tcp_hdr(skb);
1042 struct sock *nsk;
1043
1044 /* Find possible connection requests. */
1045 req = inet6_csk_search_req(sk, &prev, th->source,
1046 &ipv6_hdr(skb)->saddr,
1047 &ipv6_hdr(skb)->daddr, inet6_iif(skb));
1048 if (req)
1049 return tcp_check_req(sk, skb, req, prev);
1050
1051 nsk = __inet6_lookup_established(sock_net(sk), &tcp_hashinfo,
1052 &ipv6_hdr(skb)->saddr, th->source,
1053 &ipv6_hdr(skb)->daddr, ntohs(th->dest), inet6_iif(skb));
1054
1055 if (nsk) {
1056 if (nsk->sk_state != TCP_TIME_WAIT) {
1057 bh_lock_sock(nsk);
1058 return nsk;
1059 }
1060 inet_twsk_put(inet_twsk(nsk));
1061 return NULL;
1062 }
1063
1064#ifdef CONFIG_SYN_COOKIES
1065 if (!th->syn)
1066 sk = cookie_v6_check(sk, skb);
1067#endif
1068 return sk;
1069}
1070
1071/* FIXME: this is substantially similar to the ipv4 code.
1072 * Can some kind of merge be done? -- erics
1073 */
1074static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
1075{
1076 struct tcp_extend_values tmp_ext;
1077 struct tcp_options_received tmp_opt;
1078 const u8 *hash_location;
1079 struct request_sock *req;
1080 struct inet6_request_sock *treq;
1081 struct ipv6_pinfo *np = inet6_sk(sk);
1082 struct tcp_sock *tp = tcp_sk(sk);
1083 __u32 isn = TCP_SKB_CB(skb)->when;
1084 struct dst_entry *dst = NULL;
1085 int want_cookie = 0;
1086
1087 if (skb->protocol == htons(ETH_P_IP))
1088 return tcp_v4_conn_request(sk, skb);
1089
1090 if (!ipv6_unicast_destination(skb))
1091 goto drop;
1092
1093 if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
1094 TCP_SOCK_TRACK(sk, TCP_REQ_QUEUE_FULL);
1095 want_cookie = tcp_syn_flood_action(sk, skb, "TCPv6");
1096 if (!want_cookie)
1097 goto drop;
1098 }
1099
1100 if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
1101 {
1102 TCP_SOCK_TRACK(sk, TCP_ACCEPT_QUEUE_FULL);
1103 goto drop;
1104 }
1105
1106 req = inet6_reqsk_alloc(&tcp6_request_sock_ops);
1107 if (req == NULL)
1108 goto drop;
1109
1110#ifdef CONFIG_TCP_MD5SIG
1111 tcp_rsk(req)->af_specific = &tcp_request_sock_ipv6_ops;
1112#endif
1113
1114 tcp_clear_options(&tmp_opt);
1115 tmp_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
1116 tmp_opt.user_mss = tp->rx_opt.user_mss;
1117 tcp_parse_options(skb, &tmp_opt, &hash_location, 0);
1118
1119 if (tmp_opt.cookie_plus > 0 &&
1120 tmp_opt.saw_tstamp &&
1121 !tp->rx_opt.cookie_out_never &&
1122 (sysctl_tcp_cookie_size > 0 ||
1123 (tp->cookie_values != NULL &&
1124 tp->cookie_values->cookie_desired > 0))) {
1125 u8 *c;
1126 u32 *d;
1127 u32 *mess = &tmp_ext.cookie_bakery[COOKIE_DIGEST_WORDS];
1128 int l = tmp_opt.cookie_plus - TCPOLEN_COOKIE_BASE;
1129
1130 if (tcp_cookie_generator(&tmp_ext.cookie_bakery[0]) != 0)
1131 goto drop_and_free;
1132
1133 /* Secret recipe starts with IP addresses */
1134 d = (__force u32 *)&ipv6_hdr(skb)->daddr.s6_addr32[0];
1135 *mess++ ^= *d++;
1136 *mess++ ^= *d++;
1137 *mess++ ^= *d++;
1138 *mess++ ^= *d++;
1139 d = (__force u32 *)&ipv6_hdr(skb)->saddr.s6_addr32[0];
1140 *mess++ ^= *d++;
1141 *mess++ ^= *d++;
1142 *mess++ ^= *d++;
1143 *mess++ ^= *d++;
1144
1145 /* plus variable length Initiator Cookie */
1146 c = (u8 *)mess;
1147 while (l-- > 0)
1148 *c++ ^= *hash_location++;
1149
1150 want_cookie = 0; /* not our kind of cookie */
1151 tmp_ext.cookie_out_never = 0; /* false */
1152 tmp_ext.cookie_plus = tmp_opt.cookie_plus;
1153 } else if (!tp->rx_opt.cookie_in_always) {
1154 /* redundant indications, but ensure initialization. */
1155 tmp_ext.cookie_out_never = 1; /* true */
1156 tmp_ext.cookie_plus = 0;
1157 } else {
1158 goto drop_and_free;
1159 }
1160 tmp_ext.cookie_in_always = tp->rx_opt.cookie_in_always;
1161
1162 if (want_cookie && !tmp_opt.saw_tstamp)
1163 tcp_clear_options(&tmp_opt);
1164
1165 tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
1166 tcp_openreq_init(req, &tmp_opt, skb);
1167
1168 treq = inet6_rsk(req);
1169 treq->rmt_addr = ipv6_hdr(skb)->saddr;
1170 treq->loc_addr = ipv6_hdr(skb)->daddr;
1171 if (!want_cookie || tmp_opt.tstamp_ok)
1172 TCP_ECN_create_request(req, tcp_hdr(skb));
1173
1174 treq->iif = sk->sk_bound_dev_if;
1175
1176 /* So that link locals have meaning */
1177 if (!sk->sk_bound_dev_if &&
1178 ipv6_addr_type(&treq->rmt_addr) & IPV6_ADDR_LINKLOCAL)
1179 treq->iif = inet6_iif(skb);
1180
1181 if (!isn) {
1182 struct inet_peer *peer = NULL;
1183
1184 if (ipv6_opt_accepted(sk, skb) ||
1185 np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
1186 np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
1187 atomic_inc(&skb->users);
1188 track_add(skb, 0, USER_INFO, 0);
1189 treq->pktopts = skb;
1190 }
1191
1192 if (want_cookie) {
1193 isn = cookie_v6_init_sequence(sk, skb, &req->mss);
1194 req->cookie_ts = tmp_opt.tstamp_ok;
1195 goto have_isn;
1196 }
1197
1198 /* VJ's idea. We save last timestamp seen
1199 * from the destination in peer table, when entering
1200 * state TIME-WAIT, and check against it before
1201 * accepting new connection request.
1202 *
1203 * If "isn" is not zero, this request hit alive
1204 * timewait bucket, so that all the necessary checks
1205 * are made in the function processing timewait state.
1206 */
1207 if (tmp_opt.saw_tstamp &&
1208 tcp_death_row.sysctl_tw_recycle &&
1209 (dst = inet6_csk_route_req(sk, req)) != NULL &&
1210 (peer = rt6_get_peer((struct rt6_info *)dst)) != NULL &&
1211 ipv6_addr_equal((struct in6_addr *)peer->daddr.addr.a6,
1212 &treq->rmt_addr)) {
1213 inet_peer_refcheck(peer);
1214 if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
1215 (s32)(peer->tcp_ts - req->ts_recent) >
1216 TCP_PAWS_WINDOW) {
1217 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PAWSPASSIVEREJECTED);
1218 goto drop_and_release;
1219 }
1220 }
1221 /* Kill the following clause, if you dislike this way. */
1222 else if (!sysctl_tcp_syncookies &&
1223 (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
1224 (sysctl_max_syn_backlog >> 2)) &&
1225 (!peer || !peer->tcp_ts_stamp) &&
1226 (!dst || !dst_metric(dst, RTAX_RTT))) {
1227 /* Without syncookies last quarter of
1228 * backlog is filled with destinations,
1229 * proven to be alive.
1230 * It means that we continue to communicate
1231 * to destinations, already remembered
1232 * to the moment of synflood.
1233 */
1234 LIMIT_NETDEBUG(KERN_DEBUG "TCP: drop open request from %pI6/%u\n",
1235 &treq->rmt_addr, ntohs(tcp_hdr(skb)->source));
1236 goto drop_and_release;
1237 }
1238
1239 isn = tcp_v6_init_sequence(skb);
1240 }
1241have_isn:
1242 tcp_rsk(req)->snt_isn = isn;
1243 tcp_rsk(req)->snt_synack = tcp_time_stamp;
1244
1245 security_inet_conn_request(sk, skb, req);
1246
1247 if (tcp_v6_send_synack(sk, req,
1248 (struct request_values *)&tmp_ext) ||
1249 want_cookie)
1250 goto drop_and_free;
1251
1252 inet6_csk_reqsk_queue_hash_add(sk, req, TCP_TIMEOUT_INIT);
1253 return 0;
1254
1255drop_and_release:
1256 dst_release(dst);
1257drop_and_free:
1258 reqsk_free(req);
1259drop:
1260 return 0; /* don't send reset */
1261}
1262
1263static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
1264 struct request_sock *req,
1265 struct dst_entry *dst)
1266{
1267 struct inet6_request_sock *treq;
1268 struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
1269 struct tcp6_sock *newtcp6sk;
1270 struct inet_sock *newinet;
1271 struct tcp_sock *newtp;
1272 struct sock *newsk;
1273 struct ipv6_txoptions *opt;
1274#ifdef CONFIG_TCP_MD5SIG
1275 struct tcp_md5sig_key *key;
1276#endif
1277
1278 if (skb->protocol == htons(ETH_P_IP)) {
1279 /*
1280 * v6 mapped
1281 */
1282
1283 newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst);
1284
1285 if (newsk == NULL)
1286 return NULL;
1287
1288 newtcp6sk = (struct tcp6_sock *)newsk;
1289 inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
1290
1291 newinet = inet_sk(newsk);
1292 newnp = inet6_sk(newsk);
1293 newtp = tcp_sk(newsk);
1294
1295 memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1296
1297 ipv6_addr_set_v4mapped(newinet->inet_daddr, &newnp->daddr);
1298
1299 ipv6_addr_set_v4mapped(newinet->inet_saddr, &newnp->saddr);
1300
1301 newnp->rcv_saddr = newnp->saddr;
1302
1303 inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
1304 newsk->sk_backlog_rcv = tcp_v4_do_rcv;
1305#ifdef CONFIG_TCP_MD5SIG
1306 newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
1307#endif
1308 //HubÖÎÀí:CVE-2017-9077
1309 newnp->ipv6_mc_list = NULL;
1310 newnp->ipv6_ac_list = NULL;
1311 newnp->ipv6_fl_list = NULL;
1312 newnp->pktoptions = NULL;
1313 newnp->opt = NULL;
1314 newnp->mcast_oif = inet6_iif(skb);
1315 newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
1316 newnp->rcv_tclass = ipv6_tclass(ipv6_hdr(skb));
1317
1318 /*
1319 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
1320 * here, tcp_create_openreq_child now does this for us, see the comment in
1321 * that function for the gory details. -acme
1322 */
1323
1324 /* It is tricky place. Until this moment IPv4 tcp
1325 worked with IPv6 icsk.icsk_af_ops.
1326 Sync it now.
1327 */
1328 tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);
1329
1330 return newsk;
1331 }
1332
1333 treq = inet6_rsk(req);
1334 //CVE-2016-3841opt = np->opt;
1335
1336 if (sk_acceptq_is_full(sk))
1337 {
1338 TCP_SOCK_TRACK(sk, TCP_ACCEPT_QUEUE_FULL);
1339 goto out_overflow;
1340 }
1341
1342 if (!dst) {
1343 dst = inet6_csk_route_req(sk, req);
1344 if (!dst)
1345 goto out;
1346 }
1347
1348 newsk = tcp_create_openreq_child(sk, req, skb);
1349 if (newsk == NULL)
1350 goto out_nonewsk;
1351
1352 /*
1353 * No need to charge this sock to the relevant IPv6 refcnt debug socks
1354 * count here, tcp_create_openreq_child now does this for us, see the
1355 * comment in that function for the gory details. -acme
1356 */
1357
1358 newsk->sk_gso_type = SKB_GSO_TCPV6;
1359 __ip6_dst_store(newsk, dst, NULL, NULL);
1360
1361 newtcp6sk = (struct tcp6_sock *)newsk;
1362 inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
1363
1364 newtp = tcp_sk(newsk);
1365 newinet = inet_sk(newsk);
1366 newnp = inet6_sk(newsk);
1367
1368 memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1369
1370 newnp->daddr = treq->rmt_addr;
1371 newnp->saddr = treq->loc_addr;
1372 newnp->rcv_saddr = treq->loc_addr;
1373 newsk->sk_bound_dev_if = treq->iif;
1374
1375 /* Now IPv6 options...
1376
1377 First: no IPv4 options.
1378 */
1379 newinet->inet_opt = NULL;
1380 //HubÖÎÀí:CVE-2017-9077
1381 newnp->ipv6_mc_list = NULL;
1382 newnp->ipv6_ac_list = NULL;
1383 newnp->ipv6_fl_list = NULL;
1384
1385 /* Clone RX bits */
1386 newnp->rxopt.all = np->rxopt.all;
1387
1388 /* Clone pktoptions received with SYN */
1389 newnp->pktoptions = NULL;
1390 if (treq->pktopts != NULL) {
1391 newnp->pktoptions = skb_clone(treq->pktopts, GFP_ATOMIC);
1392 kfree_skb(treq->pktopts);
1393 treq->pktopts = NULL;
1394 if (newnp->pktoptions)
1395 skb_set_owner_r(newnp->pktoptions, newsk);
1396 }
1397 newnp->opt = NULL;
1398 newnp->mcast_oif = inet6_iif(skb);
1399 newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
1400 newnp->rcv_tclass = ipv6_tclass(ipv6_hdr(skb));
1401
1402 /* Clone native IPv6 options from listening socket (if any)
1403
1404 Yes, keeping reference count would be much more clever,
1405 but we make one more one thing there: reattach optmem
1406 to newsk.
1407 */
1408 opt = rcu_dereference(np->opt);//CVE-2016-3841
1409 if (opt) {
1410 //CVE-2016-3841newnp->opt = ipv6_dup_options(newsk, opt);
1411 opt = ipv6_dup_options(newsk, opt);
1412 RCU_INIT_POINTER(newnp->opt, opt);
1413 /*if (opt != np->opt)
1414 sock_kfree_s(sk, opt, opt->tot_len);//CVE-2016-3841*/
1415 }
1416
1417 inet_csk(newsk)->icsk_ext_hdr_len = 0;
1418 /*//CVE-2016-3841
1419 if (newnp->opt)
1420 inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
1421 newnp->opt->opt_flen);*/
1422
1423 if (opt)
1424 inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
1425 opt->opt_flen;
1426 //CVE-2016-3841
1427 tcp_mtup_init(newsk);
1428 tcp_sync_mss(newsk, dst_mtu(dst));
1429 newtp->advmss = dst_metric_advmss(dst);
1430 if (tcp_sk(sk)->rx_opt.user_mss &&
1431 tcp_sk(sk)->rx_opt.user_mss < newtp->advmss)
1432 newtp->advmss = tcp_sk(sk)->rx_opt.user_mss;
1433
1434 tcp_initialize_rcv_mss(newsk);
1435 if (tcp_rsk(req)->snt_synack)
1436 tcp_valid_rtt_meas(newsk,
1437 tcp_time_stamp - tcp_rsk(req)->snt_synack);
1438 newtp->total_retrans = req->retrans;
1439
1440 newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
1441 newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
1442
1443#ifdef CONFIG_TCP_MD5SIG
1444 /* Copy over the MD5 key from the original socket */
1445 if ((key = tcp_v6_md5_do_lookup(sk, &newnp->daddr)) != NULL) {
1446 /* We're using one, so create a matching key
1447 * on the newsk structure. If we fail to get
1448 * memory, then we end up not copying the key
1449 * across. Shucks.
1450 */
1451 tcp_md5_do_add(newsk, (union tcp_md5_addr *)&newnp->daddr,
1452 AF_INET6, key->key, key->keylen, GFP_ATOMIC);
1453 }
1454#endif
1455
1456 if (__inet_inherit_port(sk, newsk) < 0) {
1457 inet_csk_prepare_forced_close(newsk);
1458 tcp_done(newsk);
1459 goto out;
1460 }
1461 __inet6_hash(newsk, NULL);
1462
1463 return newsk;
1464
1465out_overflow:
1466 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
1467out_nonewsk:
1468 //CVE-2016-3841if (opt && opt != np->opt)
1469 //CVE-2016-3841sock_kfree_s(sk, opt, opt->tot_len);
1470 dst_release(dst);
1471out:
1472 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
1473 return NULL;
1474}
1475
1476static __sum16 tcp_v6_checksum_init(struct sk_buff *skb)
1477{
1478 if (skb->ip_summed == CHECKSUM_COMPLETE) {
1479 if (!tcp_v6_check(skb->len, &ipv6_hdr(skb)->saddr,
1480 &ipv6_hdr(skb)->daddr, skb->csum)) {
1481 skb->ip_summed = CHECKSUM_UNNECESSARY;
1482 return 0;
1483 }
1484 }
1485
1486 skb->csum = ~csum_unfold(tcp_v6_check(skb->len,
1487 &ipv6_hdr(skb)->saddr,
1488 &ipv6_hdr(skb)->daddr, 0));
1489
1490 if (skb->len <= 76) {
1491 return __skb_checksum_complete(skb);
1492 }
1493 return 0;
1494}
1495
1496/* The socket must have it's spinlock held when we get
1497 * here.
1498 *
1499 * We have a potential double-lock case here, so even when
1500 * doing backlog processing we use the BH locking scheme.
1501 * This is because we cannot sleep with the original spinlock
1502 * held.
1503 */
1504static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1505{
1506 struct ipv6_pinfo *np = inet6_sk(sk);
1507 struct tcp_sock *tp;
1508 struct sk_buff *opt_skb = NULL;
1509
1510 /* Imagine: socket is IPv6. IPv4 packet arrives,
1511 goes to IPv4 receive handler and backlogged.
1512 From backlog it always goes here. Kerboom...
1513 Fortunately, tcp_rcv_established and rcv_established
1514 handle them correctly, but it is not case with
1515 tcp_v6_hnd_req and tcp_v6_send_reset(). --ANK
1516 */
1517
1518 if (skb->protocol == htons(ETH_P_IP))
1519 return tcp_v4_do_rcv(sk, skb);
1520
1521#ifdef CONFIG_TCP_MD5SIG
1522 if (tcp_v6_inbound_md5_hash (sk, skb))
1523 goto discard;
1524#endif
1525
1526 if (sk_filter(sk, skb))
1527 goto discard;
1528
1529 /*
1530 * socket locking is here for SMP purposes as backlog rcv
1531 * is currently called with bh processing disabled.
1532 */
1533
1534 /* Do Stevens' IPV6_PKTOPTIONS.
1535
1536 Yes, guys, it is the only place in our code, where we
1537 may make it not affecting IPv4.
1538 The rest of code is protocol independent,
1539 and I do not like idea to uglify IPv4.
1540
1541 Actually, all the idea behind IPV6_PKTOPTIONS
1542 looks not very well thought. For now we latch
1543 options, received in the last packet, enqueued
1544 by tcp. Feel free to propose better solution.
1545 --ANK (980728)
1546 */
1547 if (np->rxopt.all)
1548 opt_skb = skb_clone(skb, GFP_ATOMIC);
1549
1550 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1551 sock_rps_save_rxhash(sk, skb);
1552 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
1553 goto reset;
1554 if (opt_skb)
1555 goto ipv6_pktoptions;
1556 return 0;
1557 }
1558
1559 if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
1560 goto csum_err;
1561
1562 if (sk->sk_state == TCP_LISTEN) {
1563 struct sock *nsk = tcp_v6_hnd_req(sk, skb);
1564 if (!nsk)
1565 goto discard;
1566
1567 /*
1568 * Queue it on the new socket if the new socket is active,
1569 * otherwise we just shortcircuit this and continue with
1570 * the new socket..
1571 */
1572 if(nsk != sk) {
1573 sock_rps_save_rxhash(nsk, skb);
1574 if (tcp_child_process(sk, nsk, skb))
1575 goto reset;
1576 if (opt_skb)
1577 __kfree_skb(opt_skb);
1578 return 0;
1579 }
1580 } else
1581 sock_rps_save_rxhash(sk, skb);
1582
1583 if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len))
1584 goto reset;
1585 if (opt_skb)
1586 goto ipv6_pktoptions;
1587 return 0;
1588
1589reset:
1590 tcp_v6_send_reset(sk, skb);
1591discard:
1592 if (opt_skb)
1593 __kfree_skb(opt_skb);
1594 kfree_skb(skb);
1595 return 0;
1596csum_err:
1597 TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
1598 goto discard;
1599
1600
1601ipv6_pktoptions:
1602 /* Do you ask, what is it?
1603
1604 1. skb was enqueued by tcp.
1605 2. skb is added to tail of read queue, rather than out of order.
1606 3. socket is not in passive state.
1607 4. Finally, it really contains options, which user wants to receive.
1608 */
1609 tp = tcp_sk(sk);
1610 if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
1611 !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
1612 if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
1613 np->mcast_oif = inet6_iif(opt_skb);
1614 if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
1615 np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
1616 if (np->rxopt.bits.rxtclass)
1617 np->rcv_tclass = ipv6_tclass(ipv6_hdr(opt_skb));
1618 if (ipv6_opt_accepted(sk, opt_skb)) {
1619 skb_set_owner_r(opt_skb, sk);
1620 opt_skb = xchg(&np->pktoptions, opt_skb);
1621 } else {
1622 __kfree_skb(opt_skb);
1623 opt_skb = xchg(&np->pktoptions, NULL);
1624 }
1625 }
1626
1627 kfree_skb(opt_skb);
1628 return 0;
1629}
1630
1631extern void fast_sk_add_ct(struct sk_buff * skb,struct sock *sk);
1632
1633int tcp_v6_rcv(struct sk_buff *skb)
1634{
1635 const struct tcphdr *th;
1636 const struct ipv6hdr *hdr;
1637 struct sock *sk;
1638 int ret;
1639 struct net *net = dev_net(skb->dev);
1640 struct nf_conn *ct = (struct nf_conn *)skb->nfct;
1641
1642 if (skb->pkt_type != PACKET_HOST)
1643 goto discard_it;
1644
1645 /*
1646 * Count it even if it's bad.
1647 */
1648 TCP_INC_STATS_BH(net, TCP_MIB_INSEGS);
1649
1650 TCP_PKT_STATS_INC(TCP_RECV_PKTS);
1651
1652 if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
1653 goto discard_it;
1654
1655 th = tcp_hdr(skb);
1656
1657 if (th->doff < sizeof(struct tcphdr)/4)
1658 goto bad_packet;
1659 if (!pskb_may_pull(skb, th->doff*4))
1660 goto discard_it;
1661
1662 if (!skb_csum_unnecessary(skb) && tcp_v6_checksum_init(skb))
1663 goto bad_packet;
1664
1665 th = tcp_hdr(skb);
1666 hdr = ipv6_hdr(skb);
1667 TCP_SKB_CB(skb)->seq = ntohl(th->seq);
1668 TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
1669 skb->len - th->doff*4);
1670 TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
1671 TCP_SKB_CB(skb)->when = 0;
1672 TCP_SKB_CB(skb)->ip_dsfield = ipv6_get_dsfield(hdr);
1673 TCP_SKB_CB(skb)->sacked = 0;
1674
1675 //Èç¹û²éÕÒ²»µ½Æ¥ÅäµÄsock,ÔòÖ±½Ó¶ªÆúÊý¾Ý°ü
1676 if (skb->isFastlocal && ct && ct->fast_ct.isFast == FAST_CT_LOCAL6)
1677 {
1678 sk = ct->fast_ct.sk;
1679 }else
1680 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
1681 if (!sk)
1682 goto no_tcp_socket;
1683
1684process:
1685 if (sk->sk_state == TCP_TIME_WAIT)
1686 goto do_time_wait;
1687
1688 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
1689 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
1690 goto discard_and_relse;
1691 }
1692
1693 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
1694 goto discard_and_relse;
1695
1696 if (sk_filter(sk, skb))
1697 goto discard_and_relse;
1698
1699 if (skb->isFastlocal == 0)
1700 fast_sk_add_ct(skb, sk);
1701
1702 /*¿½×Ôip6_input_finish,ÑÓ³ÙÊÍ·Åct*/
1703 if (fast_local6_proc && fastnat_level != FAST_CLOSE && fastnat_level != FAST_CLOSE_KEEP_LINK)
1704 nf_reset(skb);
1705
1706 skb->dev = NULL;
1707
1708 bh_lock_sock_nested(sk);
1709 ret = 0;
1710 if (!sock_owned_by_user(sk)) {
1711#ifdef CONFIG_NET_DMA
1712 struct tcp_sock *tp = tcp_sk(sk);
1713 if (!tp->ucopy.dma_chan && tp->ucopy.pinned_list)
1714 tp->ucopy.dma_chan = net_dma_find_channel();
1715 if (tp->ucopy.dma_chan)
1716 ret = tcp_v6_do_rcv(sk, skb);
1717 else
1718#endif
1719 {
1720 if (!tcp_prequeue(sk, skb))
1721 ret = tcp_v6_do_rcv(sk, skb);
1722 }
1723 } else if (unlikely(sk_add_backlog(sk, skb))) {
1724 bh_unlock_sock(sk);
1725 NET_INC_STATS_BH(net, LINUX_MIB_TCPBACKLOGDROP);
1726 goto discard_and_relse;
1727 }
1728 bh_unlock_sock(sk);
1729
1730 sock_put(sk);
1731 return ret ? -1 : 0;
1732
1733no_tcp_socket:
1734 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
1735 goto discard_it;
1736
1737 if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
1738bad_packet:
1739 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
1740 } else {
1741 tcp_v6_send_reset(NULL, skb);
1742 }
1743
1744discard_it:
1745
1746 /*
1747 * Discard frame
1748 */
1749
1750 kfree_skb(skb);
1751 return 0;
1752
1753discard_and_relse:
1754 sock_put(sk);
1755 goto discard_it;
1756
1757do_time_wait:
1758 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1759 inet_twsk_put(inet_twsk(sk));
1760 goto discard_it;
1761 }
1762
1763 if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
1764 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
1765 inet_twsk_put(inet_twsk(sk));
1766 goto discard_it;
1767 }
1768
1769 switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
1770 case TCP_TW_SYN:
1771 {
1772 struct sock *sk2;
1773
1774 sk2 = inet6_lookup_listener(dev_net(skb->dev), &tcp_hashinfo,
1775 &ipv6_hdr(skb)->daddr,
1776 ntohs(th->dest), inet6_iif(skb));
1777 if (sk2 != NULL) {
1778 struct inet_timewait_sock *tw = inet_twsk(sk);
1779 inet_twsk_deschedule(tw, &tcp_death_row);
1780 inet_twsk_put(tw);
1781 sk = sk2;
1782 goto process;
1783 }
1784 /* Fall through to ACK */
1785 }
1786 case TCP_TW_ACK:
1787 tcp_v6_timewait_ack(sk, skb);
1788 break;
1789 case TCP_TW_RST:
1790 goto no_tcp_socket;
1791 case TCP_TW_SUCCESS:;
1792 }
1793 goto discard_it;
1794}
1795
1796static struct inet_peer *tcp_v6_get_peer(struct sock *sk, bool *release_it)
1797{
1798 struct rt6_info *rt = (struct rt6_info *) __sk_dst_get(sk);
1799 struct ipv6_pinfo *np = inet6_sk(sk);
1800 struct inet_peer *peer;
1801
1802 if (!rt ||
1803 !ipv6_addr_equal(&np->daddr, &rt->rt6i_dst.addr)) {
1804 peer = inet_getpeer_v6(&np->daddr, 1);
1805 *release_it = true;
1806 } else {
1807 if (!rt->rt6i_peer)
1808 rt6_bind_peer(rt, 1);
1809 peer = rt->rt6i_peer;
1810 *release_it = false;
1811 }
1812
1813 return peer;
1814}
1815
1816static void *tcp_v6_tw_get_peer(struct sock *sk)
1817{
1818 const struct inet6_timewait_sock *tw6 = inet6_twsk(sk);
1819 const struct inet_timewait_sock *tw = inet_twsk(sk);
1820
1821 if (tw->tw_family == AF_INET)
1822 return tcp_v4_tw_get_peer(sk);
1823
1824 return inet_getpeer_v6(&tw6->tw_v6_daddr, 1);
1825}
1826
1827static struct timewait_sock_ops tcp6_timewait_sock_ops = {
1828 .twsk_obj_size = sizeof(struct tcp6_timewait_sock),
1829 .twsk_unique = tcp_twsk_unique,
1830 .twsk_destructor= tcp_twsk_destructor,
1831 .twsk_getpeer = tcp_v6_tw_get_peer,
1832};
1833
1834static const struct inet_connection_sock_af_ops ipv6_specific = {
1835 .queue_xmit = inet6_csk_xmit,
1836 .send_check = tcp_v6_send_check,
1837 .rebuild_header = inet6_sk_rebuild_header,
1838 .conn_request = tcp_v6_conn_request,
1839 .syn_recv_sock = tcp_v6_syn_recv_sock,
1840 .get_peer = tcp_v6_get_peer,
1841 .net_header_len = sizeof(struct ipv6hdr),
1842 .setsockopt = ipv6_setsockopt,
1843 .getsockopt = ipv6_getsockopt,
1844 .addr2sockaddr = inet6_csk_addr2sockaddr,
1845 .sockaddr_len = sizeof(struct sockaddr_in6),
1846 .bind_conflict = inet6_csk_bind_conflict,
1847#ifdef CONFIG_COMPAT
1848 .compat_setsockopt = compat_ipv6_setsockopt,
1849 .compat_getsockopt = compat_ipv6_getsockopt,
1850#endif
1851};
1852
1853#ifdef CONFIG_TCP_MD5SIG
1854static const struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
1855 .md5_lookup = tcp_v6_md5_lookup,
1856 .calc_md5_hash = tcp_v6_md5_hash_skb,
1857 .md5_parse = tcp_v6_parse_md5_keys,
1858};
1859#endif
1860
1861/*
1862 * TCP over IPv4 via INET6 API
1863 */
1864
1865static const struct inet_connection_sock_af_ops ipv6_mapped = {
1866 .queue_xmit = ip_queue_xmit,
1867 .send_check = tcp_v4_send_check,
1868 .rebuild_header = inet_sk_rebuild_header,
1869 .conn_request = tcp_v6_conn_request,
1870 .syn_recv_sock = tcp_v6_syn_recv_sock,
1871 .get_peer = tcp_v4_get_peer,
1872 .net_header_len = sizeof(struct iphdr),
1873 .setsockopt = ipv6_setsockopt,
1874 .getsockopt = ipv6_getsockopt,
1875 .addr2sockaddr = inet6_csk_addr2sockaddr,
1876 .sockaddr_len = sizeof(struct sockaddr_in6),
1877 .bind_conflict = inet6_csk_bind_conflict,
1878#ifdef CONFIG_COMPAT
1879 .compat_setsockopt = compat_ipv6_setsockopt,
1880 .compat_getsockopt = compat_ipv6_getsockopt,
1881#endif
1882};
1883
1884#ifdef CONFIG_TCP_MD5SIG
1885static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
1886 .md5_lookup = tcp_v4_md5_lookup,
1887 .calc_md5_hash = tcp_v4_md5_hash_skb,
1888 .md5_parse = tcp_v6_parse_md5_keys,
1889};
1890#endif
1891
1892/* NOTE: A lot of things set to zero explicitly by call to
1893 * sk_alloc() so need not be done here.
1894 */
1895static int tcp_v6_init_sock(struct sock *sk)
1896{
1897 struct inet_connection_sock *icsk = inet_csk(sk);
1898 struct tcp_sock *tp = tcp_sk(sk);
1899
1900 skb_queue_head_init(&tp->out_of_order_queue);
1901 tcp_init_xmit_timers(sk);
1902 tcp_prequeue_init(tp);
1903
1904 icsk->icsk_rto = TCP_TIMEOUT_INIT;
1905 tp->mdev = TCP_TIMEOUT_INIT;
1906
1907 /* So many TCP implementations out there (incorrectly) count the
1908 * initial SYN frame in their delayed-ACK and congestion control
1909 * algorithms that we must have the following bandaid to talk
1910 * efficiently to them. -DaveM
1911 */
1912 tp->snd_cwnd = 2;
1913
1914 /* See draft-stevens-tcpca-spec-01 for discussion of the
1915 * initialization of these values.
1916 */
1917 tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
1918 tp->snd_cwnd_clamp = ~0;
1919 tp->mss_cache = TCP_MSS_DEFAULT;
1920
1921 tp->reordering = sysctl_tcp_reordering;
1922
1923 sk->sk_state = TCP_CLOSE;
1924
1925 icsk->icsk_af_ops = &ipv6_specific;
1926 icsk->icsk_ca_ops = &tcp_init_congestion_ops;
1927 icsk->icsk_sync_mss = tcp_sync_mss;
1928 sk->sk_write_space = sk_stream_write_space;
1929 sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1930
1931#ifdef CONFIG_TCP_MD5SIG
1932 tp->af_specific = &tcp_sock_ipv6_specific;
1933#endif
1934
1935 /* TCP Cookie Transactions */
1936 if (sysctl_tcp_cookie_size > 0) {
1937 /* Default, cookies without s_data_payload. */
1938 tp->cookie_values =
1939 kzalloc(sizeof(*tp->cookie_values),
1940 sk->sk_allocation);
1941 if (tp->cookie_values != NULL)
1942 kref_init(&tp->cookie_values->kref);
1943 }
1944 /* Presumed zeroed, in order of appearance:
1945 * cookie_in_always, cookie_out_never,
1946 * s_data_constant, s_data_in, s_data_out
1947 */
1948 sk->sk_sndbuf = sysctl_tcp_wmem[1];
1949 sk->sk_rcvbuf = sysctl_tcp_rmem[1];
1950
1951 local_bh_disable();
1952 sock_update_memcg(sk);
1953 sk_sockets_allocated_inc(sk);
1954 local_bh_enable();
1955
1956 return 0;
1957}
1958
1959static void tcp_v6_destroy_sock(struct sock *sk)
1960{
1961 tcp_v4_destroy_sock(sk);
1962 inet6_destroy_sock(sk);
1963}
1964
1965#ifdef CONFIG_PROC_FS
1966/* Proc filesystem TCPv6 sock list dumping. */
1967static void get_openreq6(struct seq_file *seq,
1968 const struct sock *sk, struct request_sock *req, int i, int uid)
1969{
1970 int ttd = req->expires - jiffies;
1971 const struct in6_addr *src = &inet6_rsk(req)->loc_addr;
1972 const struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
1973
1974 if (ttd < 0)
1975 ttd = 0;
1976
1977 seq_printf(seq,
1978 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1979 "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
1980 i,
1981 src->s6_addr32[0], src->s6_addr32[1],
1982 src->s6_addr32[2], src->s6_addr32[3],
1983 ntohs(inet_rsk(req)->loc_port),
1984 dest->s6_addr32[0], dest->s6_addr32[1],
1985 dest->s6_addr32[2], dest->s6_addr32[3],
1986 ntohs(inet_rsk(req)->rmt_port),
1987 TCP_SYN_RECV,
1988 0,0, /* could print option size, but that is af dependent. */
1989 1, /* timers active (only the expire timer) */
1990 jiffies_to_clock_t(ttd),
1991 req->retrans,
1992 uid,
1993 0, /* non standard timer */
1994 0, /* open_requests have no inode */
1995 0, req);
1996}
1997
1998static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
1999{
2000 const struct in6_addr *dest, *src;
2001 __u16 destp, srcp;
2002 int timer_active;
2003 unsigned long timer_expires;
2004 const struct inet_sock *inet = inet_sk(sp);
2005 const struct tcp_sock *tp = tcp_sk(sp);
2006 const struct inet_connection_sock *icsk = inet_csk(sp);
2007 const struct ipv6_pinfo *np = inet6_sk(sp);
2008
2009 dest = &np->daddr;
2010 src = &np->rcv_saddr;
2011 destp = ntohs(inet->inet_dport);
2012 srcp = ntohs(inet->inet_sport);
2013
2014 if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
2015 timer_active = 1;
2016 timer_expires = icsk->icsk_timeout;
2017 } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
2018 timer_active = 4;
2019 timer_expires = icsk->icsk_timeout;
2020 } else if (timer_pending(&sp->sk_timer)) {
2021 timer_active = 2;
2022 timer_expires = sp->sk_timer.expires;
2023 } else {
2024 timer_active = 0;
2025 timer_expires = jiffies;
2026 }
2027
2028 seq_printf(seq,
2029 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2030 "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %lu %lu %u %u %d\n",
2031 i,
2032 src->s6_addr32[0], src->s6_addr32[1],
2033 src->s6_addr32[2], src->s6_addr32[3], srcp,
2034 dest->s6_addr32[0], dest->s6_addr32[1],
2035 dest->s6_addr32[2], dest->s6_addr32[3], destp,
2036 sp->sk_state,
2037 tp->write_seq-tp->snd_una,
2038 (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
2039 timer_active,
2040 jiffies_to_clock_t(timer_expires - jiffies),
2041 icsk->icsk_retransmits,
2042 sock_i_uid(sp),
2043 icsk->icsk_probes_out,
2044 sock_i_ino(sp),
2045 atomic_read(&sp->sk_refcnt), sp,
2046 jiffies_to_clock_t(icsk->icsk_rto),
2047 jiffies_to_clock_t(icsk->icsk_ack.ato),
2048 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
2049 tp->snd_cwnd,
2050 tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh
2051 );
2052}
2053
2054static void get_timewait6_sock(struct seq_file *seq,
2055 struct inet_timewait_sock *tw, int i)
2056{
2057 const struct in6_addr *dest, *src;
2058 __u16 destp, srcp;
2059 const struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
2060 int ttd = tw->tw_ttd - jiffies;
2061
2062 if (ttd < 0)
2063 ttd = 0;
2064
2065 dest = &tw6->tw_v6_daddr;
2066 src = &tw6->tw_v6_rcv_saddr;
2067 destp = ntohs(tw->tw_dport);
2068 srcp = ntohs(tw->tw_sport);
2069
2070 seq_printf(seq,
2071 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2072 "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2073 i,
2074 src->s6_addr32[0], src->s6_addr32[1],
2075 src->s6_addr32[2], src->s6_addr32[3], srcp,
2076 dest->s6_addr32[0], dest->s6_addr32[1],
2077 dest->s6_addr32[2], dest->s6_addr32[3], destp,
2078 tw->tw_substate, 0, 0,
2079 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
2080 atomic_read(&tw->tw_refcnt), tw);
2081}
2082
2083static int tcp6_seq_show(struct seq_file *seq, void *v)
2084{
2085 struct tcp_iter_state *st;
2086
2087 if (v == SEQ_START_TOKEN) {
2088 seq_puts(seq,
2089 " sl "
2090 "local_address "
2091 "remote_address "
2092 "st tx_queue rx_queue tr tm->when retrnsmt"
2093 " uid timeout inode\n");
2094 goto out;
2095 }
2096 st = seq->private;
2097
2098 switch (st->state) {
2099 case TCP_SEQ_STATE_LISTENING:
2100 case TCP_SEQ_STATE_ESTABLISHED:
2101 get_tcp6_sock(seq, v, st->num);
2102 break;
2103 case TCP_SEQ_STATE_OPENREQ:
2104 get_openreq6(seq, st->syn_wait_sk, v, st->num, st->uid);
2105 break;
2106 case TCP_SEQ_STATE_TIME_WAIT:
2107 get_timewait6_sock(seq, v, st->num);
2108 break;
2109 }
2110out:
2111 return 0;
2112}
2113
2114static const struct file_operations tcp6_afinfo_seq_fops = {
2115 .owner = THIS_MODULE,
2116 .open = tcp_seq_open,
2117 .read = seq_read,
2118 .llseek = seq_lseek,
2119 .release = seq_release_net
2120};
2121
2122static struct tcp_seq_afinfo tcp6_seq_afinfo = {
2123 .name = "tcp6",
2124 .family = AF_INET6,
2125 .seq_fops = &tcp6_afinfo_seq_fops,
2126 .seq_ops = {
2127 .show = tcp6_seq_show,
2128 },
2129};
2130
2131int __net_init tcp6_proc_init(struct net *net)
2132{
2133 return tcp_proc_register(net, &tcp6_seq_afinfo);
2134}
2135
2136void tcp6_proc_exit(struct net *net)
2137{
2138 tcp_proc_unregister(net, &tcp6_seq_afinfo);
2139}
2140#endif
2141
2142static void tcp_v6_clear_sk(struct sock *sk, int size)
2143{
2144 struct inet_sock *inet = inet_sk(sk);
2145
2146 /* we do not want to clear pinet6 field, because of RCU lookups */
2147 sk_prot_clear_nulls(sk, offsetof(struct inet_sock, pinet6));
2148
2149 size -= offsetof(struct inet_sock, pinet6) + sizeof(inet->pinet6);
2150 memset(&inet->pinet6 + 1, 0, size);
2151}
2152
2153struct proto tcpv6_prot = {
2154 .name = "TCPv6",
2155 .owner = THIS_MODULE,
2156 .close = tcp_close,
2157 .connect = tcp_v6_connect,
2158 .disconnect = tcp_disconnect,
2159 .accept = inet_csk_accept,
2160 .ioctl = tcp_ioctl,
2161 .init = tcp_v6_init_sock,
2162 .destroy = tcp_v6_destroy_sock,
2163 .shutdown = tcp_shutdown,
2164 .setsockopt = tcp_setsockopt,
2165 .getsockopt = tcp_getsockopt,
2166 .recvmsg = tcp_recvmsg,
2167 .sendmsg = tcp_sendmsg,
2168 .sendpage = tcp_sendpage,
2169 .backlog_rcv = tcp_v6_do_rcv,
2170 .hash = tcp_v6_hash,
2171 .unhash = inet_unhash,
2172 .get_port = inet_csk_get_port,
2173 .enter_memory_pressure = tcp_enter_memory_pressure,
2174 .sockets_allocated = &tcp_sockets_allocated,
2175 .memory_allocated = &tcp_memory_allocated,
2176 .memory_pressure = &tcp_memory_pressure,
2177 .orphan_count = &tcp_orphan_count,
2178 .sysctl_wmem = sysctl_tcp_wmem,
2179 .sysctl_rmem = sysctl_tcp_rmem,
2180 .max_header = MAX_TCP_HEADER,
2181 .obj_size = sizeof(struct tcp6_sock),
2182 .slab_flags = SLAB_DESTROY_BY_RCU,
2183 .twsk_prot = &tcp6_timewait_sock_ops,
2184 .rsk_prot = &tcp6_request_sock_ops,
2185 .h.hashinfo = &tcp_hashinfo,
2186 .no_autobind = true,
2187#ifdef CONFIG_COMPAT
2188 .compat_setsockopt = compat_tcp_setsockopt,
2189 .compat_getsockopt = compat_tcp_getsockopt,
2190#endif
2191#ifdef CONFIG_CGROUP_MEM_RES_CTLR_KMEM
2192 .proto_cgroup = tcp_proto_cgroup,
2193#endif
2194 .clear_sk = tcp_v6_clear_sk,
2195};
2196
2197static const struct inet6_protocol tcpv6_protocol = {
2198 .handler = tcp_v6_rcv,
2199 .err_handler = tcp_v6_err,
2200 .gso_send_check = tcp_v6_gso_send_check,
2201 .gso_segment = tcp_tso_segment,
2202 .gro_receive = tcp6_gro_receive,
2203 .gro_complete = tcp6_gro_complete,
2204 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2205};
2206
2207static struct inet_protosw tcpv6_protosw = {
2208 .type = SOCK_STREAM,
2209 .protocol = IPPROTO_TCP,
2210 .prot = &tcpv6_prot,
2211 .ops = &inet6_stream_ops,
2212 .no_check = 0,
2213 .flags = INET_PROTOSW_PERMANENT |
2214 INET_PROTOSW_ICSK,
2215};
2216
2217static int __net_init tcpv6_net_init(struct net *net)
2218{
2219 return inet_ctl_sock_create(&net->ipv6.tcp_sk, PF_INET6,
2220 SOCK_RAW, IPPROTO_TCP, net);
2221}
2222
2223static void __net_exit tcpv6_net_exit(struct net *net)
2224{
2225 inet_ctl_sock_destroy(net->ipv6.tcp_sk);
2226}
2227
2228static void __net_exit tcpv6_net_exit_batch(struct list_head *net_exit_list)
2229{
2230 inet_twsk_purge(&tcp_hashinfo, &tcp_death_row, AF_INET6);
2231}
2232
2233static struct pernet_operations tcpv6_net_ops = {
2234 .init = tcpv6_net_init,
2235 .exit = tcpv6_net_exit,
2236 .exit_batch = tcpv6_net_exit_batch,
2237};
2238
2239int __init tcpv6_init(void)
2240{
2241 int ret;
2242
2243 ret = inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP);
2244 if (ret)
2245 goto out;
2246
2247 /* register inet6 protocol */
2248 ret = inet6_register_protosw(&tcpv6_protosw);
2249 if (ret)
2250 goto out_tcpv6_protocol;
2251
2252 ret = register_pernet_subsys(&tcpv6_net_ops);
2253 if (ret)
2254 goto out_tcpv6_protosw;
2255out:
2256 return ret;
2257
2258out_tcpv6_protocol:
2259 inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2260out_tcpv6_protosw:
2261 inet6_unregister_protosw(&tcpv6_protosw);
2262 goto out;
2263}
2264
2265void tcpv6_exit(void)
2266{
2267 unregister_pernet_subsys(&tcpv6_net_ops);
2268 inet6_unregister_protosw(&tcpv6_protosw);
2269 inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2270}