1
/*
2
 *	TCP over IPv6
3
 *	Linux INET6 implementation
4
 *
5
 *	Authors:
6
 *	Pedro Roque		<[email protected]>
7
 *
8
 *	Based on:
9
 *	linux/net/ipv4/tcp.c
10
 *	linux/net/ipv4/tcp_input.c
11
 *	linux/net/ipv4/tcp_output.c
12
 *
13
 *	Fixes:
14
 *	Hideaki YOSHIFUJI	:	sin6_scope_id support
15
 *	YOSHIFUJI Hideaki @USAGI and:	Support IPV6_V6ONLY socket option, which
16
 *	Alexey Kuznetsov		allow both IPv4 and IPv6 sockets to bind
17
 *					a single port at the same time.
18
 *	YOSHIFUJI Hideaki @USAGI:	convert /proc/net/tcp6 to seq_file.
19
 *
20
 *	This program is free software; you can redistribute it and/or
21
 *      modify it under the terms of the GNU General Public License
22
 *      as published by the Free Software Foundation; either version
23
 *      2 of the License, or (at your option) any later version.
24
 */
25

26
#include <linux/bottom_half.h>
27
#include <linux/module.h>
28
#include <linux/errno.h>
29
#include <linux/types.h>
30
#include <linux/socket.h>
31
#include <linux/sockios.h>
32
#include <linux/net.h>
33
#include <linux/jiffies.h>
34
#include <linux/in.h>
35
#include <linux/in6.h>
36
#include <linux/netdevice.h>
37
#include <linux/init.h>
38
#include <linux/jhash.h>
39
#include <linux/ipsec.h>
40
#include <linux/times.h>
41
#include <linux/slab.h>
42

43
#include <linux/ipv6.h>
44
#include <linux/icmpv6.h>
45
#include <linux/random.h>
46

47
#include <net/tcp.h>
48
#include <net/ndisc.h>
49
#include <net/inet6_hashtables.h>
50
#include <net/inet6_connection_sock.h>
51
#include <net/ipv6.h>
52
#include <net/transp_v6.h>
53
#include <net/addrconf.h>
54
#include <net/ip6_route.h>
55
#include <net/ip6_checksum.h>
56
#include <net/inet_ecn.h>
57
#include <net/protocol.h>
58
#include <net/xfrm.h>
59
#include <net/snmp.h>
60
#include <net/dsfield.h>
61
#include <net/timewait_sock.h>
62
#include <net/netdma.h>
63
#include <net/inet_common.h>
64

65
#include <asm/uaccess.h>
66

67
#include <linux/proc_fs.h>
68
#include <linux/seq_file.h>
69

70
#include <linux/crypto.h>
71
#include <linux/scatterlist.h>
72

73
static void	tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb);
74
static void	tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
75
				      struct request_sock *req);
76

77
static int	tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
78
static void	__tcp_v6_send_check(struct sk_buff *skb,
79
				    const struct in6_addr *saddr,
80
				    const struct in6_addr *daddr);
81

82
static const struct inet_connection_sock_af_ops ipv6_mapped;
83
static const struct inet_connection_sock_af_ops ipv6_specific;
84
#ifdef CONFIG_TCP_MD5SIG
85
static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
86
static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
87
#else
88
static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
89
						   const struct in6_addr *addr)
90
{
91
	return NULL;
92
}
93
#endif
94

95
static void tcp_v6_hash(struct sock *sk)
96
{
97
	if (sk->sk_state != TCP_CLOSE) {
98
		if (inet_csk(sk)->icsk_af_ops == &ipv6_mapped) {
99
			tcp_prot.hash(sk);
100
			return;
101
		}
102
		local_bh_disable();
103
		__inet6_hash(sk, NULL);
104
		local_bh_enable();
105
	}
106
}
107

108
static __inline__ __sum16 tcp_v6_check(int len,
109
				   const struct in6_addr *saddr,
110
				   const struct in6_addr *daddr,
111
				   __wsum base)
112
{
113
	return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
114
}
115

116
static __u32 tcp_v6_init_sequence(struct sk_buff *skb)
117
{
118
	return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
119
					    ipv6_hdr(skb)->saddr.s6_addr32,
120
					    tcp_hdr(skb)->dest,
121
					    tcp_hdr(skb)->source);
122
}
123

124
static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
125
			  int addr_len)
126
{
127
	struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
128
	struct inet_sock *inet = inet_sk(sk);
129
	struct inet_connection_sock *icsk = inet_csk(sk);
130
	struct ipv6_pinfo *np = inet6_sk(sk);
131
	struct tcp_sock *tp = tcp_sk(sk);
132
	struct in6_addr *saddr = NULL, *final_p, final;
133
	struct rt6_info *rt;
134
	struct flowi6 fl6;
135
	struct dst_entry *dst;
136
	int addr_type;
137
	int err;
138

139
	if (addr_len < SIN6_LEN_RFC2133)
140
		return -EINVAL;
141

142
	if (usin->sin6_family != AF_INET6)
143
		return -EAFNOSUPPORT;
144

145
	memset(&fl6, 0, sizeof(fl6));
146

147
	if (np->sndflow) {
148
		fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
149
		IP6_ECN_flow_init(fl6.flowlabel);
150
		if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
151
			struct ip6_flowlabel *flowlabel;
152
			flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
153
			if (flowlabel == NULL)
154
				return -EINVAL;
155
			ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
156
			fl6_sock_release(flowlabel);
157
		}
158
	}
159

160
	/*
161
	 *	connect() to INADDR_ANY means loopback (BSD'ism).
162
	 */
163

164
	if(ipv6_addr_any(&usin->sin6_addr))
165
		usin->sin6_addr.s6_addr[15] = 0x1;
166

167
	addr_type = ipv6_addr_type(&usin->sin6_addr);
168

169
	if(addr_type & IPV6_ADDR_MULTICAST)
170
		return -ENETUNREACH;
171

172
	if (addr_type&IPV6_ADDR_LINKLOCAL) {
173
		if (addr_len >= sizeof(struct sockaddr_in6) &&
174
		    usin->sin6_scope_id) {
175
			/* If interface is set while binding, indices
176
			 * must coincide.
177
			 */
178
			if (sk->sk_bound_dev_if &&
179
			    sk->sk_bound_dev_if != usin->sin6_scope_id)
180
				return -EINVAL;
181

182
			sk->sk_bound_dev_if = usin->sin6_scope_id;
183
		}
184

185
		/* Connect to link-local address requires an interface */
186
		if (!sk->sk_bound_dev_if)
187
			return -EINVAL;
188
	}
189

190
	if (tp->rx_opt.ts_recent_stamp &&
191
	    !ipv6_addr_equal(&np->daddr, &usin->sin6_addr)) {
192
		tp->rx_opt.ts_recent = 0;
193
		tp->rx_opt.ts_recent_stamp = 0;
194
		tp->write_seq = 0;
195
	}
196

197
	ipv6_addr_copy(&np->daddr, &usin->sin6_addr);
198
	np->flow_label = fl6.flowlabel;
199

200
	/*
201
	 *	TCP over IPv4
202
	 */
203

204
	if (addr_type == IPV6_ADDR_MAPPED) {
205
		u32 exthdrlen = icsk->icsk_ext_hdr_len;
206
		struct sockaddr_in sin;
207

208
		SOCK_DEBUG(sk, "connect: ipv4 mapped\n");
209

210
		if (__ipv6_only_sock(sk))
211
			return -ENETUNREACH;
212

213
		sin.sin_family = AF_INET;
214
		sin.sin_port = usin->sin6_port;
215
		sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
216

217
		icsk->icsk_af_ops = &ipv6_mapped;
218
		sk->sk_backlog_rcv = tcp_v4_do_rcv;
219
#ifdef CONFIG_TCP_MD5SIG
220
		tp->af_specific = &tcp_sock_ipv6_mapped_specific;
221
#endif
222

223
		err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));
224

225
		if (err) {
226
			icsk->icsk_ext_hdr_len = exthdrlen;
227
			icsk->icsk_af_ops = &ipv6_specific;
228
			sk->sk_backlog_rcv = tcp_v6_do_rcv;
229
#ifdef CONFIG_TCP_MD5SIG
230
			tp->af_specific = &tcp_sock_ipv6_specific;
231
#endif
232
			goto failure;
233
		} else {
234
			ipv6_addr_set_v4mapped(inet->inet_saddr, &np->saddr);
235
			ipv6_addr_set_v4mapped(inet->inet_rcv_saddr,
236
					       &np->rcv_saddr);
237
		}
238

239
		return err;
240
	}
241

242
	if (!ipv6_addr_any(&np->rcv_saddr))
243
		saddr = &np->rcv_saddr;
244

245
	fl6.flowi6_proto = IPPROTO_TCP;
246
	ipv6_addr_copy(&fl6.daddr, &np->daddr);
247
	ipv6_addr_copy(&fl6.saddr,
248
		       (saddr ? saddr : &np->saddr));
249
	fl6.flowi6_oif = sk->sk_bound_dev_if;
250
	fl6.flowi6_mark = sk->sk_mark;
251
	fl6.fl6_dport = usin->sin6_port;
252
	fl6.fl6_sport = inet->inet_sport;
253

254
	final_p = fl6_update_dst(&fl6, np->opt, &final);
255

256
	security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
257

258
	dst = ip6_dst_lookup_flow(sk, &fl6, final_p, true);
259
	if (IS_ERR(dst)) {
260
		err = PTR_ERR(dst);
261
		goto failure;
262
	}
263

264
	if (saddr == NULL) {
265
		saddr = &fl6.saddr;
266
		ipv6_addr_copy(&np->rcv_saddr, saddr);
267
	}
268

269
	/* set the source address */
270
	ipv6_addr_copy(&np->saddr, saddr);
271
	inet->inet_rcv_saddr = LOOPBACK4_IPV6;
272

273
	sk->sk_gso_type = SKB_GSO_TCPV6;
274
	__ip6_dst_store(sk, dst, NULL, NULL);
275

276
	rt = (struct rt6_info *) dst;
277
	if (tcp_death_row.sysctl_tw_recycle &&
278
	    !tp->rx_opt.ts_recent_stamp &&
279
	    ipv6_addr_equal(&rt->rt6i_dst.addr, &np->daddr)) {
280
		struct inet_peer *peer = rt6_get_peer(rt);
281
		/*
282
		 * VJ's idea. We save last timestamp seen from
283
		 * the destination in peer table, when entering state
284
		 * TIME-WAIT * and initialize rx_opt.ts_recent from it,
285
		 * when trying new connection.
286
		 */
287
		if (peer) {
288
			inet_peer_refcheck(peer);
289
			if ((u32)get_seconds() - peer->tcp_ts_stamp <= TCP_PAWS_MSL) {
290
				tp->rx_opt.ts_recent_stamp = peer->tcp_ts_stamp;
291
				tp->rx_opt.ts_recent = peer->tcp_ts;
292
			}
293
		}
294
	}
295

296
	icsk->icsk_ext_hdr_len = 0;
297
	if (np->opt)
298
		icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
299
					  np->opt->opt_nflen);
300

301
	tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
302

303
	inet->inet_dport = usin->sin6_port;
304

305
	tcp_set_state(sk, TCP_SYN_SENT);
306
	err = inet6_hash_connect(&tcp_death_row, sk);
307
	if (err)
308
		goto late_failure;
309

310
	if (!tp->write_seq)
311
		tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32,
312
							     np->daddr.s6_addr32,
313
							     inet->inet_sport,
314
							     inet->inet_dport);
315

316
	err = tcp_connect(sk);
317
	if (err)
318
		goto late_failure;
319

320
	return 0;
321

322
late_failure:
323
	tcp_set_state(sk, TCP_CLOSE);
324
	__sk_dst_reset(sk);
325
failure:
326
	inet->inet_dport = 0;
327
	sk->sk_route_caps = 0;
328
	return err;
329
}
330

331
static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
332
		u8 type, u8 code, int offset, __be32 info)
333
{
334
	const struct ipv6hdr *hdr = (const struct ipv6hdr*)skb->data;
335
	const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
336
	struct ipv6_pinfo *np;
337
	struct sock *sk;
338
	int err;
339
	struct tcp_sock *tp;
340
	__u32 seq;
341
	struct net *net = dev_net(skb->dev);
342

343
	sk = inet6_lookup(net, &tcp_hashinfo, &hdr->daddr,
344
			th->dest, &hdr->saddr, th->source, skb->dev->ifindex);
345

346
	if (sk == NULL) {
347
		ICMP6_INC_STATS_BH(net, __in6_dev_get(skb->dev),
348
				   ICMP6_MIB_INERRORS);
349
		return;
350
	}
351

352
	if (sk->sk_state == TCP_TIME_WAIT) {
353
		inet_twsk_put(inet_twsk(sk));
354
		return;
355
	}
356

357
	bh_lock_sock(sk);
358
	if (sock_owned_by_user(sk))
359
		NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);
360

361
	if (sk->sk_state == TCP_CLOSE)
362
		goto out;
363

364
	if (ipv6_hdr(skb)->hop_limit < inet6_sk(sk)->min_hopcount) {
365
		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
366
		goto out;
367
	}
368

369
	tp = tcp_sk(sk);
370
	seq = ntohl(th->seq);
371
	if (sk->sk_state != TCP_LISTEN &&
372
	    !between(seq, tp->snd_una, tp->snd_nxt)) {
373
		NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
374
		goto out;
375
	}
376

377
	np = inet6_sk(sk);
378

379
	if (type == ICMPV6_PKT_TOOBIG) {
380
		struct dst_entry *dst;
381

382
		if (sock_owned_by_user(sk))
383
			goto out;
384
		if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
385
			goto out;
386

387
		/* icmp should have updated the destination cache entry */
388
		dst = __sk_dst_check(sk, np->dst_cookie);
389

390
		if (dst == NULL) {
391
			struct inet_sock *inet = inet_sk(sk);
392
			struct flowi6 fl6;
393

394
			/* BUGGG_FUTURE: Again, it is not clear how
395
			   to handle rthdr case. Ignore this complexity
396
			   for now.
397
			 */
398
			memset(&fl6, 0, sizeof(fl6));
399
			fl6.flowi6_proto = IPPROTO_TCP;
400
			ipv6_addr_copy(&fl6.daddr, &np->daddr);
401
			ipv6_addr_copy(&fl6.saddr, &np->saddr);
402
			fl6.flowi6_oif = sk->sk_bound_dev_if;
403
			fl6.flowi6_mark = sk->sk_mark;
404
			fl6.fl6_dport = inet->inet_dport;
405
			fl6.fl6_sport = inet->inet_sport;
406
			security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
407

408
			dst = ip6_dst_lookup_flow(sk, &fl6, NULL, false);
409
			if (IS_ERR(dst)) {
410
				sk->sk_err_soft = -PTR_ERR(dst);
411
				goto out;
412
			}
413

414
		} else
415
			dst_hold(dst);
416

417
		if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
418
			tcp_sync_mss(sk, dst_mtu(dst));
419
			tcp_simple_retransmit(sk);
420
		} /* else let the usual retransmit timer handle it */
421
		dst_release(dst);
422
		goto out;
423
	}
424

425
	icmpv6_err_convert(type, code, &err);
426

427
	/* Might be for an request_sock */
428
	switch (sk->sk_state) {
429
		struct request_sock *req, **prev;
430
	case TCP_LISTEN:
431
		if (sock_owned_by_user(sk))
432
			goto out;
433

434
		req = inet6_csk_search_req(sk, &prev, th->dest, &hdr->daddr,
435
					   &hdr->saddr, inet6_iif(skb));
436
		if (!req)
437
			goto out;
438

439
		/* ICMPs are not backlogged, hence we cannot get
440
		 * an established socket here.
441
		 */
442
		WARN_ON(req->sk != NULL);
443

444
		if (seq != tcp_rsk(req)->snt_isn) {
445
			NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
446
			goto out;
447
		}
448

449
		inet_csk_reqsk_queue_drop(sk, req, prev);
450
		goto out;
451

452
	case TCP_SYN_SENT:
453
	case TCP_SYN_RECV:  /* Cannot happen.
454
			       It can, it SYNs are crossed. --ANK */
455
		if (!sock_owned_by_user(sk)) {
456
			sk->sk_err = err;
457
			sk->sk_error_report(sk);		/* Wake people up to see the error (see connect in sock.c) */
458

459
			tcp_done(sk);
460
		} else
461
			sk->sk_err_soft = err;
462
		goto out;
463
	}
464

465
	if (!sock_owned_by_user(sk) && np->recverr) {
466
		sk->sk_err = err;
467
		sk->sk_error_report(sk);
468
	} else
469
		sk->sk_err_soft = err;
470

471
out:
472
	bh_unlock_sock(sk);
473
	sock_put(sk);
474
}
475

476

477
static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
478
			      struct request_values *rvp)
479
{
480
	struct inet6_request_sock *treq = inet6_rsk(req);
481
	struct ipv6_pinfo *np = inet6_sk(sk);
482
	struct sk_buff * skb;
483
	struct ipv6_txoptions *opt = NULL;
484
	struct in6_addr * final_p, final;
485
	struct flowi6 fl6;
486
	struct dst_entry *dst;
487
	int err;
488

489
	memset(&fl6, 0, sizeof(fl6));
490
	fl6.flowi6_proto = IPPROTO_TCP;
491
	ipv6_addr_copy(&fl6.daddr, &treq->rmt_addr);
492
	ipv6_addr_copy(&fl6.saddr, &treq->loc_addr);
493
	fl6.flowlabel = 0;
494
	fl6.flowi6_oif = treq->iif;
495
	fl6.flowi6_mark = sk->sk_mark;
496
	fl6.fl6_dport = inet_rsk(req)->rmt_port;
497
	fl6.fl6_sport = inet_rsk(req)->loc_port;
498
	security_req_classify_flow(req, flowi6_to_flowi(&fl6));
499

500
	opt = np->opt;
501
	final_p = fl6_update_dst(&fl6, opt, &final);
502

503
	dst = ip6_dst_lookup_flow(sk, &fl6, final_p, false);
504
	if (IS_ERR(dst)) {
505
		err = PTR_ERR(dst);
506
		dst = NULL;
507
		goto done;
508
	}
509
	skb = tcp_make_synack(sk, dst, req, rvp);
510
	err = -ENOMEM;
511
	if (skb) {
512
		__tcp_v6_send_check(skb, &treq->loc_addr, &treq->rmt_addr);
513

514
		ipv6_addr_copy(&fl6.daddr, &treq->rmt_addr);
515
		err = ip6_xmit(sk, skb, &fl6, opt);
516
		err = net_xmit_eval(err);
517
	}
518

519
done:
520
	if (opt && opt != np->opt)
521
		sock_kfree_s(sk, opt, opt->tot_len);
522
	dst_release(dst);
523
	return err;
524
}
525

526
static int tcp_v6_rtx_synack(struct sock *sk, struct request_sock *req,
527
			     struct request_values *rvp)
528
{
529
	TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_RETRANSSEGS);
530
	return tcp_v6_send_synack(sk, req, rvp);
531
}
532

533
static inline void syn_flood_warning(struct sk_buff *skb)
534
{
535
#ifdef CONFIG_SYN_COOKIES
536
	if (sysctl_tcp_syncookies)
537
		printk(KERN_INFO
538
		       "TCPv6: Possible SYN flooding on port %d. "
539
		       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
540
	else
541
#endif
542
		printk(KERN_INFO
543
		       "TCPv6: Possible SYN flooding on port %d. "
544
		       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
545
}
546

547
static void tcp_v6_reqsk_destructor(struct request_sock *req)
548
{
549
	kfree_skb(inet6_rsk(req)->pktopts);
550
}
551

552
#ifdef CONFIG_TCP_MD5SIG
553
static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
554
						   const struct in6_addr *addr)
555
{
556
	struct tcp_sock *tp = tcp_sk(sk);
557
	int i;
558

559
	BUG_ON(tp == NULL);
560

561
	if (!tp->md5sig_info || !tp->md5sig_info->entries6)
562
		return NULL;
563

564
	for (i = 0; i < tp->md5sig_info->entries6; i++) {
565
		if (ipv6_addr_equal(&tp->md5sig_info->keys6[i].addr, addr))
566
			return &tp->md5sig_info->keys6[i].base;
567
	}
568
	return NULL;
569
}
570

571
static struct tcp_md5sig_key *tcp_v6_md5_lookup(struct sock *sk,
572
						struct sock *addr_sk)
573
{
574
	return tcp_v6_md5_do_lookup(sk, &inet6_sk(addr_sk)->daddr);
575
}
576

577
static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
578
						      struct request_sock *req)
579
{
580
	return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
581
}
582

583
static int tcp_v6_md5_do_add(struct sock *sk, const struct in6_addr *peer,
584
			     char *newkey, u8 newkeylen)
585
{
586
	/* Add key to the list */
587
	struct tcp_md5sig_key *key;
588
	struct tcp_sock *tp = tcp_sk(sk);
589
	struct tcp6_md5sig_key *keys;
590

591
	key = tcp_v6_md5_do_lookup(sk, peer);
592
	if (key) {
593
		/* modify existing entry - just update that one */
594
		kfree(key->key);
595
		key->key = newkey;
596
		key->keylen = newkeylen;
597
	} else {
598
		/* reallocate new list if current one is full. */
599
		if (!tp->md5sig_info) {
600
			tp->md5sig_info = kzalloc(sizeof(*tp->md5sig_info), GFP_ATOMIC);
601
			if (!tp->md5sig_info) {
602
				kfree(newkey);
603
				return -ENOMEM;
604
			}
605
			sk_nocaps_add(sk, NETIF_F_GSO_MASK);
606
		}
607
		if (tcp_alloc_md5sig_pool(sk) == NULL) {
608
			kfree(newkey);
609
			return -ENOMEM;
610
		}
611
		if (tp->md5sig_info->alloced6 == tp->md5sig_info->entries6) {
612
			keys = kmalloc((sizeof (tp->md5sig_info->keys6[0]) *
613
				       (tp->md5sig_info->entries6 + 1)), GFP_ATOMIC);
614

615
			if (!keys) {
616
				tcp_free_md5sig_pool();
617
				kfree(newkey);
618
				return -ENOMEM;
619
			}
620

621
			if (tp->md5sig_info->entries6)
622
				memmove(keys, tp->md5sig_info->keys6,
623
					(sizeof (tp->md5sig_info->keys6[0]) *
624
					 tp->md5sig_info->entries6));
625

626
			kfree(tp->md5sig_info->keys6);
627
			tp->md5sig_info->keys6 = keys;
628
			tp->md5sig_info->alloced6++;
629
		}
630

631
		ipv6_addr_copy(&tp->md5sig_info->keys6[tp->md5sig_info->entries6].addr,
632
			       peer);
633
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.key = newkey;
634
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.keylen = newkeylen;
635

636
		tp->md5sig_info->entries6++;
637
	}
638
	return 0;
639
}
640

641
static int tcp_v6_md5_add_func(struct sock *sk, struct sock *addr_sk,
642
			       u8 *newkey, __u8 newkeylen)
643
{
644
	return tcp_v6_md5_do_add(sk, &inet6_sk(addr_sk)->daddr,
645
				 newkey, newkeylen);
646
}
647

648
static int tcp_v6_md5_do_del(struct sock *sk, const struct in6_addr *peer)
649
{
650
	struct tcp_sock *tp = tcp_sk(sk);
651
	int i;
652

653
	for (i = 0; i < tp->md5sig_info->entries6; i++) {
654
		if (ipv6_addr_equal(&tp->md5sig_info->keys6[i].addr, peer)) {
655
			/* Free the key */
656
			kfree(tp->md5sig_info->keys6[i].base.key);
657
			tp->md5sig_info->entries6--;
658

659
			if (tp->md5sig_info->entries6 == 0) {
660
				kfree(tp->md5sig_info->keys6);
661
				tp->md5sig_info->keys6 = NULL;
662
				tp->md5sig_info->alloced6 = 0;
663
			} else {
664
				/* shrink the database */
665
				if (tp->md5sig_info->entries6 != i)
666
					memmove(&tp->md5sig_info->keys6[i],
667
						&tp->md5sig_info->keys6[i+1],
668
						(tp->md5sig_info->entries6 - i)
669
						* sizeof (tp->md5sig_info->keys6[0]));
670
			}
671
			tcp_free_md5sig_pool();
672
			return 0;
673
		}
674
	}
675
	return -ENOENT;
676
}
677

678
static void tcp_v6_clear_md5_list (struct sock *sk)
679
{
680
	struct tcp_sock *tp = tcp_sk(sk);
681
	int i;
682

683
	if (tp->md5sig_info->entries6) {
684
		for (i = 0; i < tp->md5sig_info->entries6; i++)
685
			kfree(tp->md5sig_info->keys6[i].base.key);
686
		tp->md5sig_info->entries6 = 0;
687
		tcp_free_md5sig_pool();
688
	}
689

690
	kfree(tp->md5sig_info->keys6);
691
	tp->md5sig_info->keys6 = NULL;
692
	tp->md5sig_info->alloced6 = 0;
693

694
	if (tp->md5sig_info->entries4) {
695
		for (i = 0; i < tp->md5sig_info->entries4; i++)
696
			kfree(tp->md5sig_info->keys4[i].base.key);
697
		tp->md5sig_info->entries4 = 0;
698
		tcp_free_md5sig_pool();
699
	}
700

701
	kfree(tp->md5sig_info->keys4);
702
	tp->md5sig_info->keys4 = NULL;
703
	tp->md5sig_info->alloced4 = 0;
704
}
705

706
static int tcp_v6_parse_md5_keys (struct sock *sk, char __user *optval,
707
				  int optlen)
708
{
709
	struct tcp_md5sig cmd;
710
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
711
	u8 *newkey;
712

713
	if (optlen < sizeof(cmd))
714
		return -EINVAL;
715

716
	if (copy_from_user(&cmd, optval, sizeof(cmd)))
717
		return -EFAULT;
718

719
	if (sin6->sin6_family != AF_INET6)
720
		return -EINVAL;
721

722
	if (!cmd.tcpm_keylen) {
723
		if (!tcp_sk(sk)->md5sig_info)
724
			return -ENOENT;
725
		if (ipv6_addr_v4mapped(&sin6->sin6_addr))
726
			return tcp_v4_md5_do_del(sk, sin6->sin6_addr.s6_addr32[3]);
727
		return tcp_v6_md5_do_del(sk, &sin6->sin6_addr);
728
	}
729

730
	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
731
		return -EINVAL;
732

733
	if (!tcp_sk(sk)->md5sig_info) {
734
		struct tcp_sock *tp = tcp_sk(sk);
735
		struct tcp_md5sig_info *p;
736

737
		p = kzalloc(sizeof(struct tcp_md5sig_info), GFP_KERNEL);
738
		if (!p)
739
			return -ENOMEM;
740

741
		tp->md5sig_info = p;
742
		sk_nocaps_add(sk, NETIF_F_GSO_MASK);
743
	}
744

745
	newkey = kmemdup(cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
746
	if (!newkey)
747
		return -ENOMEM;
748
	if (ipv6_addr_v4mapped(&sin6->sin6_addr)) {
749
		return tcp_v4_md5_do_add(sk, sin6->sin6_addr.s6_addr32[3],
750
					 newkey, cmd.tcpm_keylen);
751
	}
752
	return tcp_v6_md5_do_add(sk, &sin6->sin6_addr, newkey, cmd.tcpm_keylen);
753
}
754

755
static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
756
					const struct in6_addr *daddr,
757
					const struct in6_addr *saddr, int nbytes)
758
{
759
	struct tcp6_pseudohdr *bp;
760
	struct scatterlist sg;
761

762
	bp = &hp->md5_blk.ip6;
763
	/* 1. TCP pseudo-header (RFC2460) */
764
	ipv6_addr_copy(&bp->saddr, saddr);
765
	ipv6_addr_copy(&bp->daddr, daddr);
766
	bp->protocol = cpu_to_be32(IPPROTO_TCP);
767
	bp->len = cpu_to_be32(nbytes);
768

769
	sg_init_one(&sg, bp, sizeof(*bp));
770
	return crypto_hash_update(&hp->md5_desc, &sg, sizeof(*bp));
771
}
772

773
static int tcp_v6_md5_hash_hdr(char *md5_hash, struct tcp_md5sig_key *key,
774
			       const struct in6_addr *daddr, struct in6_addr *saddr,
775
			       struct tcphdr *th)
776
{
777
	struct tcp_md5sig_pool *hp;
778
	struct hash_desc *desc;
779

780
	hp = tcp_get_md5sig_pool();
781
	if (!hp)
782
		goto clear_hash_noput;
783
	desc = &hp->md5_desc;
784

785
	if (crypto_hash_init(desc))
786
		goto clear_hash;
787
	if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, th->doff << 2))
788
		goto clear_hash;
789
	if (tcp_md5_hash_header(hp, th))
790
		goto clear_hash;
791
	if (tcp_md5_hash_key(hp, key))
792
		goto clear_hash;
793
	if (crypto_hash_final(desc, md5_hash))
794
		goto clear_hash;
795

796
	tcp_put_md5sig_pool();
797
	return 0;
798

799
clear_hash:
800
	tcp_put_md5sig_pool();
801
clear_hash_noput:
802
	memset(md5_hash, 0, 16);
803
	return 1;
804
}
805

806
static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
807
			       struct sock *sk, struct request_sock *req,
808
			       struct sk_buff *skb)
809
{
810
	const struct in6_addr *saddr, *daddr;
811
	struct tcp_md5sig_pool *hp;
812
	struct hash_desc *desc;
813
	struct tcphdr *th = tcp_hdr(skb);
814

815
	if (sk) {
816
		saddr = &inet6_sk(sk)->saddr;
817
		daddr = &inet6_sk(sk)->daddr;
818
	} else if (req) {
819
		saddr = &inet6_rsk(req)->loc_addr;
820
		daddr = &inet6_rsk(req)->rmt_addr;
821
	} else {
822
		const struct ipv6hdr *ip6h = ipv6_hdr(skb);
823
		saddr = &ip6h->saddr;
824
		daddr = &ip6h->daddr;
825
	}
826

827
	hp = tcp_get_md5sig_pool();
828
	if (!hp)
829
		goto clear_hash_noput;
830
	desc = &hp->md5_desc;
831

832
	if (crypto_hash_init(desc))
833
		goto clear_hash;
834

835
	if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, skb->len))
836
		goto clear_hash;
837
	if (tcp_md5_hash_header(hp, th))
838
		goto clear_hash;
839
	if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2))
840
		goto clear_hash;
841
	if (tcp_md5_hash_key(hp, key))
842
		goto clear_hash;
843
	if (crypto_hash_final(desc, md5_hash))
844
		goto clear_hash;
845

846
	tcp_put_md5sig_pool();
847
	return 0;
848

849
clear_hash:
850
	tcp_put_md5sig_pool();
851
clear_hash_noput:
852
	memset(md5_hash, 0, 16);
853
	return 1;
854
}
855

856
static int tcp_v6_inbound_md5_hash (struct sock *sk, struct sk_buff *skb)
857
{
858
	__u8 *hash_location = NULL;
859
	struct tcp_md5sig_key *hash_expected;
860
	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
861
	struct tcphdr *th = tcp_hdr(skb);
862
	int genhash;
863
	u8 newhash[16];
864

865
	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);
866
	hash_location = tcp_parse_md5sig_option(th);
867

868
	/* We've parsed the options - do we have a hash? */
869
	if (!hash_expected && !hash_location)
870
		return 0;
871

872
	if (hash_expected && !hash_location) {
873
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
874
		return 1;
875
	}
876

877
	if (!hash_expected && hash_location) {
878
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED);
879
		return 1;
880
	}
881

882
	/* check the signature */
883
	genhash = tcp_v6_md5_hash_skb(newhash,
884
				      hash_expected,
885
				      NULL, NULL, skb);
886

887
	if (genhash || memcmp(hash_location, newhash, 16) != 0) {
888
		if (net_ratelimit()) {
889
			printk(KERN_INFO "MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u\n",
890
			       genhash ? "failed" : "mismatch",
891
			       &ip6h->saddr, ntohs(th->source),
892
			       &ip6h->daddr, ntohs(th->dest));
893
		}
894
		return 1;
895
	}
896
	return 0;
897
}
898
#endif
899

900
struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
901
	.family		=	AF_INET6,
902
	.obj_size	=	sizeof(struct tcp6_request_sock),
903
	.rtx_syn_ack	=	tcp_v6_rtx_synack,
904
	.send_ack	=	tcp_v6_reqsk_send_ack,
905
	.destructor	=	tcp_v6_reqsk_destructor,
906
	.send_reset	=	tcp_v6_send_reset,
907
	.syn_ack_timeout = 	tcp_syn_ack_timeout,
908
};
909

910
#ifdef CONFIG_TCP_MD5SIG
911
static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
912
	.md5_lookup	=	tcp_v6_reqsk_md5_lookup,
913
	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
914
};
915
#endif
916

917
static void __tcp_v6_send_check(struct sk_buff *skb,
918
				const struct in6_addr *saddr, const struct in6_addr *daddr)
919
{
920
	struct tcphdr *th = tcp_hdr(skb);
921

922
	if (skb->ip_summed == CHECKSUM_PARTIAL) {
923
		th->check = ~tcp_v6_check(skb->len, saddr, daddr, 0);
924
		skb->csum_start = skb_transport_header(skb) - skb->head;
925
		skb->csum_offset = offsetof(struct tcphdr, check);
926
	} else {
927
		th->check = tcp_v6_check(skb->len, saddr, daddr,
928
					 csum_partial(th, th->doff << 2,
929
						      skb->csum));
930
	}
931
}
932

933
static void tcp_v6_send_check(struct sock *sk, struct sk_buff *skb)
934
{
935
	struct ipv6_pinfo *np = inet6_sk(sk);
936

937
	__tcp_v6_send_check(skb, &np->saddr, &np->daddr);
938
}
939

940
static int tcp_v6_gso_send_check(struct sk_buff *skb)
941
{
942
	const struct ipv6hdr *ipv6h;
943
	struct tcphdr *th;
944

945
	if (!pskb_may_pull(skb, sizeof(*th)))
946
		return -EINVAL;
947

948
	ipv6h = ipv6_hdr(skb);
949
	th = tcp_hdr(skb);
950

951
	th->check = 0;
952
	skb->ip_summed = CHECKSUM_PARTIAL;
953
	__tcp_v6_send_check(skb, &ipv6h->saddr, &ipv6h->daddr);
954
	return 0;
955
}
956

957
static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
958
					 struct sk_buff *skb)
959
{
960
	const struct ipv6hdr *iph = skb_gro_network_header(skb);
961

962
	switch (skb->ip_summed) {
963
	case CHECKSUM_COMPLETE:
964
		if (!tcp_v6_check(skb_gro_len(skb), &iph->saddr, &iph->daddr,
965
				  skb->csum)) {
966
			skb->ip_summed = CHECKSUM_UNNECESSARY;
967
			break;
968
		}
969

970
		/* fall through */
971
	case CHECKSUM_NONE:
972
		NAPI_GRO_CB(skb)->flush = 1;
973
		return NULL;
974
	}
975

976
	return tcp_gro_receive(head, skb);
977
}
978

979
static int tcp6_gro_complete(struct sk_buff *skb)
980
{
981
	const struct ipv6hdr *iph = ipv6_hdr(skb);
982
	struct tcphdr *th = tcp_hdr(skb);
983

984
	th->check = ~tcp_v6_check(skb->len - skb_transport_offset(skb),
985
				  &iph->saddr, &iph->daddr, 0);
986
	skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;
987

988
	return tcp_gro_complete(skb);
989
}
990

991
static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
992
				 u32 ts, struct tcp_md5sig_key *key, int rst)
993
{
994
	struct tcphdr *th = tcp_hdr(skb), *t1;
995
	struct sk_buff *buff;
996
	struct flowi6 fl6;
997
	struct net *net = dev_net(skb_dst(skb)->dev);
998
	struct sock *ctl_sk = net->ipv6.tcp_sk;
999
	unsigned int tot_len = sizeof(struct tcphdr);
1000
	struct dst_entry *dst;
1001
	__be32 *topt;
1002

1003
	if (ts)
1004
		tot_len += TCPOLEN_TSTAMP_ALIGNED;
1005
#ifdef CONFIG_TCP_MD5SIG
1006
	if (key)
1007
		tot_len += TCPOLEN_MD5SIG_ALIGNED;
1008
#endif
1009

1010
	buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
1011
			 GFP_ATOMIC);
1012
	if (buff == NULL)
1013
		return;
1014

1015
	skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);
1016

1017
	t1 = (struct tcphdr *) skb_push(buff, tot_len);
1018
	skb_reset_transport_header(buff);
1019

1020
	/* Swap the send and the receive. */
1021
	memset(t1, 0, sizeof(*t1));
1022
	t1->dest = th->source;
1023
	t1->source = th->dest;
1024
	t1->doff = tot_len / 4;
1025
	t1->seq = htonl(seq);
1026
	t1->ack_seq = htonl(ack);
1027
	t1->ack = !rst || !th->ack;
1028
	t1->rst = rst;
1029
	t1->window = htons(win);
1030

1031
	topt = (__be32 *)(t1 + 1);
1032

1033
	if (ts) {
1034
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
1035
				(TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
1036
		*topt++ = htonl(tcp_time_stamp);
1037
		*topt++ = htonl(ts);
1038
	}
1039

1040
#ifdef CONFIG_TCP_MD5SIG
1041
	if (key) {
1042
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
1043
				(TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
1044
		tcp_v6_md5_hash_hdr((__u8 *)topt, key,
1045
				    &ipv6_hdr(skb)->saddr,
1046
				    &ipv6_hdr(skb)->daddr, t1);
1047
	}
1048
#endif
1049

1050
	memset(&fl6, 0, sizeof(fl6));
1051
	ipv6_addr_copy(&fl6.daddr, &ipv6_hdr(skb)->saddr);
1052
	ipv6_addr_copy(&fl6.saddr, &ipv6_hdr(skb)->daddr);
1053

1054
	buff->ip_summed = CHECKSUM_PARTIAL;
1055
	buff->csum = 0;
1056

1057
	__tcp_v6_send_check(buff, &fl6.saddr, &fl6.daddr);
1058

1059
	fl6.flowi6_proto = IPPROTO_TCP;
1060
	fl6.flowi6_oif = inet6_iif(skb);
1061
	fl6.fl6_dport = t1->dest;
1062
	fl6.fl6_sport = t1->source;
1063
	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
1064

1065
	/* Pass a socket to ip6_dst_lookup either it is for RST
1066
	 * Underlying function will use this to retrieve the network
1067
	 * namespace
1068
	 */
1069
	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL, false);
1070
	if (!IS_ERR(dst)) {
1071
		skb_dst_set(buff, dst);
1072
		ip6_xmit(ctl_sk, buff, &fl6, NULL);
1073
		TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
1074
		if (rst)
1075
			TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS);
1076
		return;
1077
	}
1078

1079
	kfree_skb(buff);
1080
}
1081

1082
static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
1083
{
1084
	struct tcphdr *th = tcp_hdr(skb);
1085
	u32 seq = 0, ack_seq = 0;
1086
	struct tcp_md5sig_key *key = NULL;
1087

1088
	if (th->rst)
1089
		return;
1090

1091
	if (!ipv6_unicast_destination(skb))
1092
		return;
1093

1094
#ifdef CONFIG_TCP_MD5SIG
1095
	if (sk)
1096
		key = tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr);
1097
#endif
1098

1099
	if (th->ack)
1100
		seq = ntohl(th->ack_seq);
1101
	else
1102
		ack_seq = ntohl(th->seq) + th->syn + th->fin + skb->len -
1103
			  (th->doff << 2);
1104

1105
	tcp_v6_send_response(skb, seq, ack_seq, 0, 0, key, 1);
1106
}
1107

1108
static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 ts,
1109
			    struct tcp_md5sig_key *key)
1110
{
1111
	tcp_v6_send_response(skb, seq, ack, win, ts, key, 0);
1112
}
1113

1114
static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
1115
{
1116
	struct inet_timewait_sock *tw = inet_twsk(sk);
1117
	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
1118

1119
	tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
1120
			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
1121
			tcptw->tw_ts_recent, tcp_twsk_md5_key(tcptw));
1122

1123
	inet_twsk_put(tw);
1124
}
1125

1126
static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
1127
				  struct request_sock *req)
1128
{
1129
	tcp_v6_send_ack(skb, tcp_rsk(req)->snt_isn + 1, tcp_rsk(req)->rcv_isn + 1, req->rcv_wnd, req->ts_recent,
1130
			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr));
1131
}
1132

1133

1134
static struct sock *tcp_v6_hnd_req(struct sock *sk,struct sk_buff *skb)
1135
{
1136
	struct request_sock *req, **prev;
1137
	const struct tcphdr *th = tcp_hdr(skb);
1138
	struct sock *nsk;
1139

1140
	/* Find possible connection requests. */
1141
	req = inet6_csk_search_req(sk, &prev, th->source,
1142
				   &ipv6_hdr(skb)->saddr,
1143
				   &ipv6_hdr(skb)->daddr, inet6_iif(skb));
1144
	if (req)
1145
		return tcp_check_req(sk, skb, req, prev);
1146

1147
	nsk = __inet6_lookup_established(sock_net(sk), &tcp_hashinfo,
1148
			&ipv6_hdr(skb)->saddr, th->source,
1149
			&ipv6_hdr(skb)->daddr, ntohs(th->dest), inet6_iif(skb));
1150

1151
	if (nsk) {
1152
		if (nsk->sk_state != TCP_TIME_WAIT) {
1153
			bh_lock_sock(nsk);
1154
			return nsk;
1155
		}
1156
		inet_twsk_put(inet_twsk(nsk));
1157
		return NULL;
1158
	}
1159

1160
#ifdef CONFIG_SYN_COOKIES
1161
	if (!th->syn)
1162
		sk = cookie_v6_check(sk, skb);
1163
#endif
1164
	return sk;
1165
}
1166

1167
/* FIXME: this is substantially similar to the ipv4 code.
1168
 * Can some kind of merge be done? -- erics
1169
 */
1170
static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
1171
{
1172
	struct tcp_extend_values tmp_ext;
1173
	struct tcp_options_received tmp_opt;
1174
	u8 *hash_location;
1175
	struct request_sock *req;
1176
	struct inet6_request_sock *treq;
1177
	struct ipv6_pinfo *np = inet6_sk(sk);
1178
	struct tcp_sock *tp = tcp_sk(sk);
1179
	__u32 isn = TCP_SKB_CB(skb)->when;
1180
	struct dst_entry *dst = NULL;
1181
#ifdef CONFIG_SYN_COOKIES
1182
	int want_cookie = 0;
1183
#else
1184
#define want_cookie 0
1185
#endif
1186

1187
	if (skb->protocol == htons(ETH_P_IP))
1188
		return tcp_v4_conn_request(sk, skb);
1189

1190
	if (!ipv6_unicast_destination(skb))
1191
		goto drop;
1192

1193
	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
1194
		if (net_ratelimit())
1195
			syn_flood_warning(skb);
1196
#ifdef CONFIG_SYN_COOKIES
1197
		if (sysctl_tcp_syncookies)
1198
			want_cookie = 1;
1199
		else
1200
#endif
1201
		goto drop;
1202
	}
1203

1204
	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
1205
		goto drop;
1206

1207
	req = inet6_reqsk_alloc(&tcp6_request_sock_ops);
1208
	if (req == NULL)
1209
		goto drop;
1210

1211
#ifdef CONFIG_TCP_MD5SIG
1212
	tcp_rsk(req)->af_specific = &tcp_request_sock_ipv6_ops;
1213
#endif
1214

1215
	tcp_clear_options(&tmp_opt);
1216
	tmp_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
1217
	tmp_opt.user_mss = tp->rx_opt.user_mss;
1218
	tcp_parse_options(skb, &tmp_opt, &hash_location, 0);
1219

1220
	if (tmp_opt.cookie_plus > 0 &&
1221
	    tmp_opt.saw_tstamp &&
1222
	    !tp->rx_opt.cookie_out_never &&
1223
	    (sysctl_tcp_cookie_size > 0 ||
1224
	     (tp->cookie_values != NULL &&
1225
	      tp->cookie_values->cookie_desired > 0))) {
1226
		u8 *c;
1227
		u32 *d;
1228
		u32 *mess = &tmp_ext.cookie_bakery[COOKIE_DIGEST_WORDS];
1229
		int l = tmp_opt.cookie_plus - TCPOLEN_COOKIE_BASE;
1230

1231
		if (tcp_cookie_generator(&tmp_ext.cookie_bakery[0]) != 0)
1232
			goto drop_and_free;
1233

1234
		/* Secret recipe starts with IP addresses */
1235
		d = (__force u32 *)&ipv6_hdr(skb)->daddr.s6_addr32[0];
1236
		*mess++ ^= *d++;
1237
		*mess++ ^= *d++;
1238
		*mess++ ^= *d++;
1239
		*mess++ ^= *d++;
1240
		d = (__force u32 *)&ipv6_hdr(skb)->saddr.s6_addr32[0];
1241
		*mess++ ^= *d++;
1242
		*mess++ ^= *d++;
1243
		*mess++ ^= *d++;
1244
		*mess++ ^= *d++;
1245

1246
		/* plus variable length Initiator Cookie */
1247
		c = (u8 *)mess;
1248
		while (l-- > 0)
1249
			*c++ ^= *hash_location++;
1250

1251
#ifdef CONFIG_SYN_COOKIES
1252
		want_cookie = 0;	/* not our kind of cookie */
1253
#endif
1254
		tmp_ext.cookie_out_never = 0; /* false */
1255
		tmp_ext.cookie_plus = tmp_opt.cookie_plus;
1256
	} else if (!tp->rx_opt.cookie_in_always) {
1257
		/* redundant indications, but ensure initialization. */
1258
		tmp_ext.cookie_out_never = 1; /* true */
1259
		tmp_ext.cookie_plus = 0;
1260
	} else {
1261
		goto drop_and_free;
1262
	}
1263
	tmp_ext.cookie_in_always = tp->rx_opt.cookie_in_always;
1264

1265
	if (want_cookie && !tmp_opt.saw_tstamp)
1266
		tcp_clear_options(&tmp_opt);
1267

1268
	tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
1269
	tcp_openreq_init(req, &tmp_opt, skb);
1270

1271
	treq = inet6_rsk(req);
1272
	ipv6_addr_copy(&treq->rmt_addr, &ipv6_hdr(skb)->saddr);
1273
	ipv6_addr_copy(&treq->loc_addr, &ipv6_hdr(skb)->daddr);
1274
	if (!want_cookie || tmp_opt.tstamp_ok)
1275
		TCP_ECN_create_request(req, tcp_hdr(skb));
1276

1277
	if (!isn) {
1278
		struct inet_peer *peer = NULL;
1279

1280
		if (ipv6_opt_accepted(sk, skb) ||
1281
		    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
1282
		    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
1283
			atomic_inc(&skb->users);
1284
			treq->pktopts = skb;
1285
		}
1286
		treq->iif = sk->sk_bound_dev_if;
1287

1288
		/* So that link locals have meaning */
1289
		if (!sk->sk_bound_dev_if &&
1290
		    ipv6_addr_type(&treq->rmt_addr) & IPV6_ADDR_LINKLOCAL)
1291
			treq->iif = inet6_iif(skb);
1292

1293
		if (want_cookie) {
1294
			isn = cookie_v6_init_sequence(sk, skb, &req->mss);
1295
			req->cookie_ts = tmp_opt.tstamp_ok;
1296
			goto have_isn;
1297
		}
1298

1299
		/* VJ's idea. We save last timestamp seen
1300
		 * from the destination in peer table, when entering
1301
		 * state TIME-WAIT, and check against it before
1302
		 * accepting new connection request.
1303
		 *
1304
		 * If "isn" is not zero, this request hit alive
1305
		 * timewait bucket, so that all the necessary checks
1306
		 * are made in the function processing timewait state.
1307
		 */
1308
		if (tmp_opt.saw_tstamp &&
1309
		    tcp_death_row.sysctl_tw_recycle &&
1310
		    (dst = inet6_csk_route_req(sk, req)) != NULL &&
1311
		    (peer = rt6_get_peer((struct rt6_info *)dst)) != NULL &&
1312
		    ipv6_addr_equal((struct in6_addr *)peer->daddr.addr.a6,
1313
				    &treq->rmt_addr)) {
1314
			inet_peer_refcheck(peer);
1315
			if ((u32)get_seconds() - peer->tcp_ts_stamp < TCP_PAWS_MSL &&
1316
			    (s32)(peer->tcp_ts - req->ts_recent) >
1317
							TCP_PAWS_WINDOW) {
1318
				NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_PAWSPASSIVEREJECTED);
1319
				goto drop_and_release;
1320
			}
1321
		}
1322
		/* Kill the following clause, if you dislike this way. */
1323
		else if (!sysctl_tcp_syncookies &&
1324
			 (sysctl_max_syn_backlog - inet_csk_reqsk_queue_len(sk) <
1325
			  (sysctl_max_syn_backlog >> 2)) &&
1326
			 (!peer || !peer->tcp_ts_stamp) &&
1327
			 (!dst || !dst_metric(dst, RTAX_RTT))) {
1328
			/* Without syncookies last quarter of
1329
			 * backlog is filled with destinations,
1330
			 * proven to be alive.
1331
			 * It means that we continue to communicate
1332
			 * to destinations, already remembered
1333
			 * to the moment of synflood.
1334
			 */
1335
			LIMIT_NETDEBUG(KERN_DEBUG "TCP: drop open request from %pI6/%u\n",
1336
				       &treq->rmt_addr, ntohs(tcp_hdr(skb)->source));
1337
			goto drop_and_release;
1338
		}
1339

1340
		isn = tcp_v6_init_sequence(skb);
1341
	}
1342
have_isn:
1343
	tcp_rsk(req)->snt_isn = isn;
1344

1345
	security_inet_conn_request(sk, skb, req);
1346

1347
	if (tcp_v6_send_synack(sk, req,
1348
			       (struct request_values *)&tmp_ext) ||
1349
	    want_cookie)
1350
		goto drop_and_free;
1351

1352
	inet6_csk_reqsk_queue_hash_add(sk, req, TCP_TIMEOUT_INIT);
1353
	return 0;
1354

1355
drop_and_release:
1356
	dst_release(dst);
1357
drop_and_free:
1358
	reqsk_free(req);
1359
drop:
1360
	return 0; /* don't send reset */
1361
}
1362

1363
static struct sock * tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
1364
					  struct request_sock *req,
1365
					  struct dst_entry *dst)
1366
{
1367
	struct inet6_request_sock *treq;
1368
	struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
1369
	struct tcp6_sock *newtcp6sk;
1370
	struct inet_sock *newinet;
1371
	struct tcp_sock *newtp;
1372
	struct sock *newsk;
1373
	struct ipv6_txoptions *opt;
1374
#ifdef CONFIG_TCP_MD5SIG
1375
	struct tcp_md5sig_key *key;
1376
#endif
1377

1378
	if (skb->protocol == htons(ETH_P_IP)) {
1379
		/*
1380
		 *	v6 mapped
1381
		 */
1382

1383
		newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst);
1384

1385
		if (newsk == NULL)
1386
			return NULL;
1387

1388
		newtcp6sk = (struct tcp6_sock *)newsk;
1389
		inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
1390

1391
		newinet = inet_sk(newsk);
1392
		newnp = inet6_sk(newsk);
1393
		newtp = tcp_sk(newsk);
1394

1395
		memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1396

1397
		ipv6_addr_set_v4mapped(newinet->inet_daddr, &newnp->daddr);
1398

1399
		ipv6_addr_set_v4mapped(newinet->inet_saddr, &newnp->saddr);
1400

1401
		ipv6_addr_copy(&newnp->rcv_saddr, &newnp->saddr);
1402

1403
		inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
1404
		newsk->sk_backlog_rcv = tcp_v4_do_rcv;
1405
#ifdef CONFIG_TCP_MD5SIG
1406
		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
1407
#endif
1408

1409
		newnp->pktoptions  = NULL;
1410
		newnp->opt	   = NULL;
1411
		newnp->mcast_oif   = inet6_iif(skb);
1412
		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;
1413

1414
		/*
1415
		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
1416
		 * here, tcp_create_openreq_child now does this for us, see the comment in
1417
		 * that function for the gory details. -acme
1418
		 */
1419

1420
		/* It is tricky place. Until this moment IPv4 tcp
1421
		   worked with IPv6 icsk.icsk_af_ops.
1422
		   Sync it now.
1423
		 */
1424
		tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);
1425

1426
		return newsk;
1427
	}
1428

1429
	treq = inet6_rsk(req);
1430
	opt = np->opt;
1431

1432
	if (sk_acceptq_is_full(sk))
1433
		goto out_overflow;
1434

1435
	if (!dst) {
1436
		dst = inet6_csk_route_req(sk, req);
1437
		if (!dst)
1438
			goto out;
1439
	}
1440

1441
	newsk = tcp_create_openreq_child(sk, req, skb);
1442
	if (newsk == NULL)
1443
		goto out_nonewsk;
1444

1445
	/*
1446
	 * No need to charge this sock to the relevant IPv6 refcnt debug socks
1447
	 * count here, tcp_create_openreq_child now does this for us, see the
1448
	 * comment in that function for the gory details. -acme
1449
	 */
1450

1451
	newsk->sk_gso_type = SKB_GSO_TCPV6;
1452
	__ip6_dst_store(newsk, dst, NULL, NULL);
1453

1454
	newtcp6sk = (struct tcp6_sock *)newsk;
1455
	inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;
1456

1457
	newtp = tcp_sk(newsk);
1458
	newinet = inet_sk(newsk);
1459
	newnp = inet6_sk(newsk);
1460

1461
	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1462

1463
	ipv6_addr_copy(&newnp->daddr, &treq->rmt_addr);
1464
	ipv6_addr_copy(&newnp->saddr, &treq->loc_addr);
1465
	ipv6_addr_copy(&newnp->rcv_saddr, &treq->loc_addr);
1466
	newsk->sk_bound_dev_if = treq->iif;
1467

1468
	/* Now IPv6 options...
1469

1470
	   First: no IPv4 options.
1471
	 */
1472
	newinet->inet_opt = NULL;
1473
	newnp->ipv6_fl_list = NULL;
1474

1475
	/* Clone RX bits */
1476
	newnp->rxopt.all = np->rxopt.all;
1477

1478
	/* Clone pktoptions received with SYN */
1479
	newnp->pktoptions = NULL;
1480
	if (treq->pktopts != NULL) {
1481
		newnp->pktoptions = skb_clone(treq->pktopts, GFP_ATOMIC);
1482
		kfree_skb(treq->pktopts);
1483
		treq->pktopts = NULL;
1484
		if (newnp->pktoptions)
1485
			skb_set_owner_r(newnp->pktoptions, newsk);
1486
	}
1487
	newnp->opt	  = NULL;
1488
	newnp->mcast_oif  = inet6_iif(skb);
1489
	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
1490

1491
	/* Clone native IPv6 options from listening socket (if any)
1492

1493
	   Yes, keeping reference count would be much more clever,
1494
	   but we make one more one thing there: reattach optmem
1495
	   to newsk.
1496
	 */
1497
	if (opt) {
1498
		newnp->opt = ipv6_dup_options(newsk, opt);
1499
		if (opt != np->opt)
1500
			sock_kfree_s(sk, opt, opt->tot_len);
1501
	}
1502

1503
	inet_csk(newsk)->icsk_ext_hdr_len = 0;
1504
	if (newnp->opt)
1505
		inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
1506
						     newnp->opt->opt_flen);
1507

1508
	tcp_mtup_init(newsk);
1509
	tcp_sync_mss(newsk, dst_mtu(dst));
1510
	newtp->advmss = dst_metric_advmss(dst);
1511
	tcp_initialize_rcv_mss(newsk);
1512

1513
	newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
1514
	newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
1515

1516
#ifdef CONFIG_TCP_MD5SIG
1517
	/* Copy over the MD5 key from the original socket */
1518
	if ((key = tcp_v6_md5_do_lookup(sk, &newnp->daddr)) != NULL) {
1519
		/* We're using one, so create a matching key
1520
		 * on the newsk structure. If we fail to get
1521
		 * memory, then we end up not copying the key
1522
		 * across. Shucks.
1523
		 */
1524
		char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
1525
		if (newkey != NULL)
1526
			tcp_v6_md5_do_add(newsk, &newnp->daddr,
1527
					  newkey, key->keylen);
1528
	}
1529
#endif
1530

1531
	if (__inet_inherit_port(sk, newsk) < 0) {
1532
		sock_put(newsk);
1533
		goto out;
1534
	}
1535
	__inet6_hash(newsk, NULL);
1536

1537
	return newsk;
1538

1539
out_overflow:
1540
	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
1541
out_nonewsk:
1542
	if (opt && opt != np->opt)
1543
		sock_kfree_s(sk, opt, opt->tot_len);
1544
	dst_release(dst);
1545
out:
1546
	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
1547
	return NULL;
1548
}
1549

1550
static __sum16 tcp_v6_checksum_init(struct sk_buff *skb)
1551
{
1552
	if (skb->ip_summed == CHECKSUM_COMPLETE) {
1553
		if (!tcp_v6_check(skb->len, &ipv6_hdr(skb)->saddr,
1554
				  &ipv6_hdr(skb)->daddr, skb->csum)) {
1555
			skb->ip_summed = CHECKSUM_UNNECESSARY;
1556
			return 0;
1557
		}
1558
	}
1559

1560
	skb->csum = ~csum_unfold(tcp_v6_check(skb->len,
1561
					      &ipv6_hdr(skb)->saddr,
1562
					      &ipv6_hdr(skb)->daddr, 0));
1563

1564
	if (skb->len <= 76) {
1565
		return __skb_checksum_complete(skb);
1566
	}
1567
	return 0;
1568
}
1569

1570
/* The socket must have it's spinlock held when we get
1571
 * here.
1572
 *
1573
 * We have a potential double-lock case here, so even when
1574
 * doing backlog processing we use the BH locking scheme.
1575
 * This is because we cannot sleep with the original spinlock
1576
 * held.
1577
 */
1578
static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1579
{
1580
	struct ipv6_pinfo *np = inet6_sk(sk);
1581
	struct tcp_sock *tp;
1582
	struct sk_buff *opt_skb = NULL;
1583

1584
	/* Imagine: socket is IPv6. IPv4 packet arrives,
1585
	   goes to IPv4 receive handler and backlogged.
1586
	   From backlog it always goes here. Kerboom...
1587
	   Fortunately, tcp_rcv_established and rcv_established
1588
	   handle them correctly, but it is not case with
1589
	   tcp_v6_hnd_req and tcp_v6_send_reset().   --ANK
1590
	 */
1591

1592
	if (skb->protocol == htons(ETH_P_IP))
1593
		return tcp_v4_do_rcv(sk, skb);
1594

1595
#ifdef CONFIG_TCP_MD5SIG
1596
	if (tcp_v6_inbound_md5_hash (sk, skb))
1597
		goto discard;
1598
#endif
1599

1600
	if (sk_filter(sk, skb))
1601
		goto discard;
1602

1603
	/*
1604
	 *	socket locking is here for SMP purposes as backlog rcv
1605
	 *	is currently called with bh processing disabled.
1606
	 */
1607

1608
	/* Do Stevens' IPV6_PKTOPTIONS.
1609

1610
	   Yes, guys, it is the only place in our code, where we
1611
	   may make it not affecting IPv4.
1612
	   The rest of code is protocol independent,
1613
	   and I do not like idea to uglify IPv4.
1614

1615
	   Actually, all the idea behind IPV6_PKTOPTIONS
1616
	   looks not very well thought. For now we latch
1617
	   options, received in the last packet, enqueued
1618
	   by tcp. Feel free to propose better solution.
1619
					       --ANK (980728)
1620
	 */
1621
	if (np->rxopt.all)
1622
		opt_skb = skb_clone(skb, GFP_ATOMIC);
1623

1624
	if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1625
		sock_rps_save_rxhash(sk, skb->rxhash);
1626
		if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
1627
			goto reset;
1628
		if (opt_skb)
1629
			goto ipv6_pktoptions;
1630
		return 0;
1631
	}
1632

1633
	if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
1634
		goto csum_err;
1635

1636
	if (sk->sk_state == TCP_LISTEN) {
1637
		struct sock *nsk = tcp_v6_hnd_req(sk, skb);
1638
		if (!nsk)
1639
			goto discard;
1640

1641
		/*
1642
		 * Queue it on the new socket if the new socket is active,
1643
		 * otherwise we just shortcircuit this and continue with
1644
		 * the new socket..
1645
		 */
1646
		if(nsk != sk) {
1647
			sock_rps_save_rxhash(nsk, skb->rxhash);
1648
			if (tcp_child_process(sk, nsk, skb))
1649
				goto reset;
1650
			if (opt_skb)
1651
				__kfree_skb(opt_skb);
1652
			return 0;
1653
		}
1654
	} else
1655
		sock_rps_save_rxhash(sk, skb->rxhash);
1656

1657
	if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len))
1658
		goto reset;
1659
	if (opt_skb)
1660
		goto ipv6_pktoptions;
1661
	return 0;
1662

1663
reset:
1664
	tcp_v6_send_reset(sk, skb);
1665
discard:
1666
	if (opt_skb)
1667
		__kfree_skb(opt_skb);
1668
	kfree_skb(skb);
1669
	return 0;
1670
csum_err:
1671
	TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
1672
	goto discard;
1673

1674

1675
ipv6_pktoptions:
1676
	/* Do you ask, what is it?
1677

1678
	   1. skb was enqueued by tcp.
1679
	   2. skb is added to tail of read queue, rather than out of order.
1680
	   3. socket is not in passive state.
1681
	   4. Finally, it really contains options, which user wants to receive.
1682
	 */
1683
	tp = tcp_sk(sk);
1684
	if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
1685
	    !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
1686
		if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
1687
			np->mcast_oif = inet6_iif(opt_skb);
1688
		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
1689
			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
1690
		if (ipv6_opt_accepted(sk, opt_skb)) {
1691
			skb_set_owner_r(opt_skb, sk);
1692
			opt_skb = xchg(&np->pktoptions, opt_skb);
1693
		} else {
1694
			__kfree_skb(opt_skb);
1695
			opt_skb = xchg(&np->pktoptions, NULL);
1696
		}
1697
	}
1698

1699
	kfree_skb(opt_skb);
1700
	return 0;
1701
}
1702

1703
static int tcp_v6_rcv(struct sk_buff *skb)
1704
{
1705
	struct tcphdr *th;
1706
	const struct ipv6hdr *hdr;
1707
	struct sock *sk;
1708
	int ret;
1709
	struct net *net = dev_net(skb->dev);
1710

1711
	if (skb->pkt_type != PACKET_HOST)
1712
		goto discard_it;
1713

1714
	/*
1715
	 *	Count it even if it's bad.
1716
	 */
1717
	TCP_INC_STATS_BH(net, TCP_MIB_INSEGS);
1718

1719
	if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
1720
		goto discard_it;
1721

1722
	th = tcp_hdr(skb);
1723

1724
	if (th->doff < sizeof(struct tcphdr)/4)
1725
		goto bad_packet;
1726
	if (!pskb_may_pull(skb, th->doff*4))
1727
		goto discard_it;
1728

1729
	if (!skb_csum_unnecessary(skb) && tcp_v6_checksum_init(skb))
1730
		goto bad_packet;
1731

1732
	th = tcp_hdr(skb);
1733
	hdr = ipv6_hdr(skb);
1734
	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
1735
	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
1736
				    skb->len - th->doff*4);
1737
	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
1738
	TCP_SKB_CB(skb)->when = 0;
1739
	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(hdr);
1740
	TCP_SKB_CB(skb)->sacked = 0;
1741

1742
	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
1743
	if (!sk)
1744
		goto no_tcp_socket;
1745

1746
process:
1747
	if (sk->sk_state == TCP_TIME_WAIT)
1748
		goto do_time_wait;
1749

1750
	if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
1751
		NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
1752
		goto discard_and_relse;
1753
	}
1754

1755
	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
1756
		goto discard_and_relse;
1757

1758
	if (sk_filter(sk, skb))
1759
		goto discard_and_relse;
1760

1761
	skb->dev = NULL;
1762

1763
	bh_lock_sock_nested(sk);
1764
	ret = 0;
1765
	if (!sock_owned_by_user(sk)) {
1766
#ifdef CONFIG_NET_DMA
1767
		struct tcp_sock *tp = tcp_sk(sk);
1768
		if (!tp->ucopy.dma_chan && tp->ucopy.pinned_list)
1769
			tp->ucopy.dma_chan = dma_find_channel(DMA_MEMCPY);
1770
		if (tp->ucopy.dma_chan)
1771
			ret = tcp_v6_do_rcv(sk, skb);
1772
		else
1773
#endif
1774
		{
1775
			if (!tcp_prequeue(sk, skb))
1776
				ret = tcp_v6_do_rcv(sk, skb);
1777
		}
1778
	} else if (unlikely(sk_add_backlog(sk, skb))) {
1779
		bh_unlock_sock(sk);
1780
		NET_INC_STATS_BH(net, LINUX_MIB_TCPBACKLOGDROP);
1781
		goto discard_and_relse;
1782
	}
1783
	bh_unlock_sock(sk);
1784

1785
	sock_put(sk);
1786
	return ret ? -1 : 0;
1787

1788
no_tcp_socket:
1789
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
1790
		goto discard_it;
1791

1792
	if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
1793
bad_packet:
1794
		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
1795
	} else {
1796
		tcp_v6_send_reset(NULL, skb);
1797
	}
1798

1799
discard_it:
1800

1801
	/*
1802
	 *	Discard frame
1803
	 */
1804

1805
	kfree_skb(skb);
1806
	return 0;
1807

1808
discard_and_relse:
1809
	sock_put(sk);
1810
	goto discard_it;
1811

1812
do_time_wait:
1813
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1814
		inet_twsk_put(inet_twsk(sk));
1815
		goto discard_it;
1816
	}
1817

1818
	if (skb->len < (th->doff<<2) || tcp_checksum_complete(skb)) {
1819
		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
1820
		inet_twsk_put(inet_twsk(sk));
1821
		goto discard_it;
1822
	}
1823

1824
	switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
1825
	case TCP_TW_SYN:
1826
	{
1827
		struct sock *sk2;
1828

1829
		sk2 = inet6_lookup_listener(dev_net(skb->dev), &tcp_hashinfo,
1830
					    &ipv6_hdr(skb)->daddr,
1831
					    ntohs(th->dest), inet6_iif(skb));
1832
		if (sk2 != NULL) {
1833
			struct inet_timewait_sock *tw = inet_twsk(sk);
1834
			inet_twsk_deschedule(tw, &tcp_death_row);
1835
			inet_twsk_put(tw);
1836
			sk = sk2;
1837
			goto process;
1838
		}
1839
		/* Fall through to ACK */
1840
	}
1841
	case TCP_TW_ACK:
1842
		tcp_v6_timewait_ack(sk, skb);
1843
		break;
1844
	case TCP_TW_RST:
1845
		goto no_tcp_socket;
1846
	case TCP_TW_SUCCESS:;
1847
	}
1848
	goto discard_it;
1849
}
1850

1851
static struct inet_peer *tcp_v6_get_peer(struct sock *sk, bool *release_it)
1852
{
1853
	struct rt6_info *rt = (struct rt6_info *) __sk_dst_get(sk);
1854
	struct ipv6_pinfo *np = inet6_sk(sk);
1855
	struct inet_peer *peer;
1856

1857
	if (!rt ||
1858
	    !ipv6_addr_equal(&np->daddr, &rt->rt6i_dst.addr)) {
1859
		peer = inet_getpeer_v6(&np->daddr, 1);
1860
		*release_it = true;
1861
	} else {
1862
		if (!rt->rt6i_peer)
1863
			rt6_bind_peer(rt, 1);
1864
		peer = rt->rt6i_peer;
1865
		*release_it = false;
1866
	}
1867

1868
	return peer;
1869
}
1870

1871
static void *tcp_v6_tw_get_peer(struct sock *sk)
1872
{
1873
	struct inet6_timewait_sock *tw6 = inet6_twsk(sk);
1874
	struct inet_timewait_sock *tw = inet_twsk(sk);
1875

1876
	if (tw->tw_family == AF_INET)
1877
		return tcp_v4_tw_get_peer(sk);
1878

1879
	return inet_getpeer_v6(&tw6->tw_v6_daddr, 1);
1880
}
1881

1882
static struct timewait_sock_ops tcp6_timewait_sock_ops = {
1883
	.twsk_obj_size	= sizeof(struct tcp6_timewait_sock),
1884
	.twsk_unique	= tcp_twsk_unique,
1885
	.twsk_destructor= tcp_twsk_destructor,
1886
	.twsk_getpeer	= tcp_v6_tw_get_peer,
1887
};
1888

1889
static const struct inet_connection_sock_af_ops ipv6_specific = {
1890
	.queue_xmit	   = inet6_csk_xmit,
1891
	.send_check	   = tcp_v6_send_check,
1892
	.rebuild_header	   = inet6_sk_rebuild_header,
1893
	.conn_request	   = tcp_v6_conn_request,
1894
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
1895
	.get_peer	   = tcp_v6_get_peer,
1896
	.net_header_len	   = sizeof(struct ipv6hdr),
1897
	.setsockopt	   = ipv6_setsockopt,
1898
	.getsockopt	   = ipv6_getsockopt,
1899
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
1900
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
1901
	.bind_conflict	   = inet6_csk_bind_conflict,
1902
#ifdef CONFIG_COMPAT
1903
	.compat_setsockopt = compat_ipv6_setsockopt,
1904
	.compat_getsockopt = compat_ipv6_getsockopt,
1905
#endif
1906
};
1907

1908
#ifdef CONFIG_TCP_MD5SIG
1909
static const struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
1910
	.md5_lookup	=	tcp_v6_md5_lookup,
1911
	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
1912
	.md5_add	=	tcp_v6_md5_add_func,
1913
	.md5_parse	=	tcp_v6_parse_md5_keys,
1914
};
1915
#endif
1916

1917
/*
1918
 *	TCP over IPv4 via INET6 API
1919
 */
1920

1921
static const struct inet_connection_sock_af_ops ipv6_mapped = {
1922
	.queue_xmit	   = ip_queue_xmit,
1923
	.send_check	   = tcp_v4_send_check,
1924
	.rebuild_header	   = inet_sk_rebuild_header,
1925
	.conn_request	   = tcp_v6_conn_request,
1926
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
1927
	.get_peer	   = tcp_v4_get_peer,
1928
	.net_header_len	   = sizeof(struct iphdr),
1929
	.setsockopt	   = ipv6_setsockopt,
1930
	.getsockopt	   = ipv6_getsockopt,
1931
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
1932
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
1933
	.bind_conflict	   = inet6_csk_bind_conflict,
1934
#ifdef CONFIG_COMPAT
1935
	.compat_setsockopt = compat_ipv6_setsockopt,
1936
	.compat_getsockopt = compat_ipv6_getsockopt,
1937
#endif
1938
};
1939

1940
#ifdef CONFIG_TCP_MD5SIG
1941
static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
1942
	.md5_lookup	=	tcp_v4_md5_lookup,
1943
	.calc_md5_hash	=	tcp_v4_md5_hash_skb,
1944
	.md5_add	=	tcp_v6_md5_add_func,
1945
	.md5_parse	=	tcp_v6_parse_md5_keys,
1946
};
1947
#endif
1948

1949
/* NOTE: A lot of things set to zero explicitly by call to
1950
 *       sk_alloc() so need not be done here.
1951
 */
1952
static int tcp_v6_init_sock(struct sock *sk)
1953
{
1954
	struct inet_connection_sock *icsk = inet_csk(sk);
1955
	struct tcp_sock *tp = tcp_sk(sk);
1956

1957
	skb_queue_head_init(&tp->out_of_order_queue);
1958
	tcp_init_xmit_timers(sk);
1959
	tcp_prequeue_init(tp);
1960

1961
	icsk->icsk_rto = TCP_TIMEOUT_INIT;
1962
	tp->mdev = TCP_TIMEOUT_INIT;
1963

1964
	/* So many TCP implementations out there (incorrectly) count the
1965
	 * initial SYN frame in their delayed-ACK and congestion control
1966
	 * algorithms that we must have the following bandaid to talk
1967
	 * efficiently to them.  -DaveM
1968
	 */
1969
	tp->snd_cwnd = 2;
1970

1971
	/* See draft-stevens-tcpca-spec-01 for discussion of the
1972
	 * initialization of these values.
1973
	 */
1974
	tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
1975
	tp->snd_cwnd_clamp = ~0;
1976
	tp->mss_cache = TCP_MSS_DEFAULT;
1977

1978
	tp->reordering = sysctl_tcp_reordering;
1979

1980
	sk->sk_state = TCP_CLOSE;
1981

1982
	icsk->icsk_af_ops = &ipv6_specific;
1983
	icsk->icsk_ca_ops = &tcp_init_congestion_ops;
1984
	icsk->icsk_sync_mss = tcp_sync_mss;
1985
	sk->sk_write_space = sk_stream_write_space;
1986
	sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1987

1988
#ifdef CONFIG_TCP_MD5SIG
1989
	tp->af_specific = &tcp_sock_ipv6_specific;
1990
#endif
1991

1992
	/* TCP Cookie Transactions */
1993
	if (sysctl_tcp_cookie_size > 0) {
1994
		/* Default, cookies without s_data_payload. */
1995
		tp->cookie_values =
1996
			kzalloc(sizeof(*tp->cookie_values),
1997
				sk->sk_allocation);
1998
		if (tp->cookie_values != NULL)
1999
			kref_init(&tp->cookie_values->kref);
2000
	}
2001
	/* Presumed zeroed, in order of appearance:
2002
	 *	cookie_in_always, cookie_out_never,
2003
	 *	s_data_constant, s_data_in, s_data_out
2004
	 */
2005
	sk->sk_sndbuf = sysctl_tcp_wmem[1];
2006
	sk->sk_rcvbuf = sysctl_tcp_rmem[1];
2007

2008
	local_bh_disable();
2009
	percpu_counter_inc(&tcp_sockets_allocated);
2010
	local_bh_enable();
2011

2012
	return 0;
2013
}
2014

2015
static void tcp_v6_destroy_sock(struct sock *sk)
2016
{
2017
#ifdef CONFIG_TCP_MD5SIG
2018
	/* Clean up the MD5 key list */
2019
	if (tcp_sk(sk)->md5sig_info)
2020
		tcp_v6_clear_md5_list(sk);
2021
#endif
2022
	tcp_v4_destroy_sock(sk);
2023
	inet6_destroy_sock(sk);
2024
}
2025

2026
#ifdef CONFIG_PROC_FS
2027
/* Proc filesystem TCPv6 sock list dumping. */
2028
static void get_openreq6(struct seq_file *seq,
2029
			 struct sock *sk, struct request_sock *req, int i, int uid)
2030
{
2031
	int ttd = req->expires - jiffies;
2032
	const struct in6_addr *src = &inet6_rsk(req)->loc_addr;
2033
	const struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
2034

2035
	if (ttd < 0)
2036
		ttd = 0;
2037

2038
	seq_printf(seq,
2039
		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2040
		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2041
		   i,
2042
		   src->s6_addr32[0], src->s6_addr32[1],
2043
		   src->s6_addr32[2], src->s6_addr32[3],
2044
		   ntohs(inet_rsk(req)->loc_port),
2045
		   dest->s6_addr32[0], dest->s6_addr32[1],
2046
		   dest->s6_addr32[2], dest->s6_addr32[3],
2047
		   ntohs(inet_rsk(req)->rmt_port),
2048
		   TCP_SYN_RECV,
2049
		   0,0, /* could print option size, but that is af dependent. */
2050
		   1,   /* timers active (only the expire timer) */
2051
		   jiffies_to_clock_t(ttd),
2052
		   req->retrans,
2053
		   uid,
2054
		   0,  /* non standard timer */
2055
		   0, /* open_requests have no inode */
2056
		   0, req);
2057
}
2058

2059
static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
2060
{
2061
	const struct in6_addr *dest, *src;
2062
	__u16 destp, srcp;
2063
	int timer_active;
2064
	unsigned long timer_expires;
2065
	struct inet_sock *inet = inet_sk(sp);
2066
	struct tcp_sock *tp = tcp_sk(sp);
2067
	const struct inet_connection_sock *icsk = inet_csk(sp);
2068
	struct ipv6_pinfo *np = inet6_sk(sp);
2069

2070
	dest  = &np->daddr;
2071
	src   = &np->rcv_saddr;
2072
	destp = ntohs(inet->inet_dport);
2073
	srcp  = ntohs(inet->inet_sport);
2074

2075
	if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
2076
		timer_active	= 1;
2077
		timer_expires	= icsk->icsk_timeout;
2078
	} else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
2079
		timer_active	= 4;
2080
		timer_expires	= icsk->icsk_timeout;
2081
	} else if (timer_pending(&sp->sk_timer)) {
2082
		timer_active	= 2;
2083
		timer_expires	= sp->sk_timer.expires;
2084
	} else {
2085
		timer_active	= 0;
2086
		timer_expires = jiffies;
2087
	}
2088

2089
	seq_printf(seq,
2090
		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2091
		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %pK %lu %lu %u %u %d\n",
2092
		   i,
2093
		   src->s6_addr32[0], src->s6_addr32[1],
2094
		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2095
		   dest->s6_addr32[0], dest->s6_addr32[1],
2096
		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2097
		   sp->sk_state,
2098
		   tp->write_seq-tp->snd_una,
2099
		   (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
2100
		   timer_active,
2101
		   jiffies_to_clock_t(timer_expires - jiffies),
2102
		   icsk->icsk_retransmits,
2103
		   sock_i_uid(sp),
2104
		   icsk->icsk_probes_out,
2105
		   sock_i_ino(sp),
2106
		   atomic_read(&sp->sk_refcnt), sp,
2107
		   jiffies_to_clock_t(icsk->icsk_rto),
2108
		   jiffies_to_clock_t(icsk->icsk_ack.ato),
2109
		   (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
2110
		   tp->snd_cwnd,
2111
		   tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh
2112
		   );
2113
}
2114

2115
static void get_timewait6_sock(struct seq_file *seq,
2116
			       struct inet_timewait_sock *tw, int i)
2117
{
2118
	const struct in6_addr *dest, *src;
2119
	__u16 destp, srcp;
2120
	struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
2121
	int ttd = tw->tw_ttd - jiffies;
2122

2123
	if (ttd < 0)
2124
		ttd = 0;
2125

2126
	dest = &tw6->tw_v6_daddr;
2127
	src  = &tw6->tw_v6_rcv_saddr;
2128
	destp = ntohs(tw->tw_dport);
2129
	srcp  = ntohs(tw->tw_sport);
2130

2131
	seq_printf(seq,
2132
		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2133
		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2134
		   i,
2135
		   src->s6_addr32[0], src->s6_addr32[1],
2136
		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2137
		   dest->s6_addr32[0], dest->s6_addr32[1],
2138
		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2139
		   tw->tw_substate, 0, 0,
2140
		   3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
2141
		   atomic_read(&tw->tw_refcnt), tw);
2142
}
2143

2144
static int tcp6_seq_show(struct seq_file *seq, void *v)
2145
{
2146
	struct tcp_iter_state *st;
2147

2148
	if (v == SEQ_START_TOKEN) {
2149
		seq_puts(seq,
2150
			 "  sl  "
2151
			 "local_address                         "
2152
			 "remote_address                        "
2153
			 "st tx_queue rx_queue tr tm->when retrnsmt"
2154
			 "   uid  timeout inode\n");
2155
		goto out;
2156
	}
2157
	st = seq->private;
2158

2159
	switch (st->state) {
2160
	case TCP_SEQ_STATE_LISTENING:
2161
	case TCP_SEQ_STATE_ESTABLISHED:
2162
		get_tcp6_sock(seq, v, st->num);
2163
		break;
2164
	case TCP_SEQ_STATE_OPENREQ:
2165
		get_openreq6(seq, st->syn_wait_sk, v, st->num, st->uid);
2166
		break;
2167
	case TCP_SEQ_STATE_TIME_WAIT:
2168
		get_timewait6_sock(seq, v, st->num);
2169
		break;
2170
	}
2171
out:
2172
	return 0;
2173
}
2174

2175
static struct tcp_seq_afinfo tcp6_seq_afinfo = {
2176
	.name		= "tcp6",
2177
	.family		= AF_INET6,
2178
	.seq_fops	= {
2179
		.owner		= THIS_MODULE,
2180
	},
2181
	.seq_ops	= {
2182
		.show		= tcp6_seq_show,
2183
	},
2184
};
2185

2186
int __net_init tcp6_proc_init(struct net *net)
2187
{
2188
	return tcp_proc_register(net, &tcp6_seq_afinfo);
2189
}
2190

2191
void tcp6_proc_exit(struct net *net)
2192
{
2193
	tcp_proc_unregister(net, &tcp6_seq_afinfo);
2194
}
2195
#endif
2196

2197
struct proto tcpv6_prot = {
2198
	.name			= "TCPv6",
2199
	.owner			= THIS_MODULE,
2200
	.close			= tcp_close,
2201
	.connect		= tcp_v6_connect,
2202
	.disconnect		= tcp_disconnect,
2203
	.accept			= inet_csk_accept,
2204
	.ioctl			= tcp_ioctl,
2205
	.init			= tcp_v6_init_sock,
2206
	.destroy		= tcp_v6_destroy_sock,
2207
	.shutdown		= tcp_shutdown,
2208
	.setsockopt		= tcp_setsockopt,
2209
	.getsockopt		= tcp_getsockopt,
2210
	.recvmsg		= tcp_recvmsg,
2211
	.sendmsg		= tcp_sendmsg,
2212
	.sendpage		= tcp_sendpage,
2213
	.backlog_rcv		= tcp_v6_do_rcv,
2214
	.hash			= tcp_v6_hash,
2215
	.unhash			= inet_unhash,
2216
	.get_port		= inet_csk_get_port,
2217
	.enter_memory_pressure	= tcp_enter_memory_pressure,
2218
	.sockets_allocated	= &tcp_sockets_allocated,
2219
	.memory_allocated	= &tcp_memory_allocated,
2220
	.memory_pressure	= &tcp_memory_pressure,
2221
	.orphan_count		= &tcp_orphan_count,
2222
	.sysctl_mem		= sysctl_tcp_mem,
2223
	.sysctl_wmem		= sysctl_tcp_wmem,
2224
	.sysctl_rmem		= sysctl_tcp_rmem,
2225
	.max_header		= MAX_TCP_HEADER,
2226
	.obj_size		= sizeof(struct tcp6_sock),
2227
	.slab_flags		= SLAB_DESTROY_BY_RCU,
2228
	.twsk_prot		= &tcp6_timewait_sock_ops,
2229
	.rsk_prot		= &tcp6_request_sock_ops,
2230
	.h.hashinfo		= &tcp_hashinfo,
2231
	.no_autobind		= true,
2232
#ifdef CONFIG_COMPAT
2233
	.compat_setsockopt	= compat_tcp_setsockopt,
2234
	.compat_getsockopt	= compat_tcp_getsockopt,
2235
#endif
2236
};
2237

2238
static const struct inet6_protocol tcpv6_protocol = {
2239
	.handler	=	tcp_v6_rcv,
2240
	.err_handler	=	tcp_v6_err,
2241
	.gso_send_check	=	tcp_v6_gso_send_check,
2242
	.gso_segment	=	tcp_tso_segment,
2243
	.gro_receive	=	tcp6_gro_receive,
2244
	.gro_complete	=	tcp6_gro_complete,
2245
	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2246
};
2247

2248
static struct inet_protosw tcpv6_protosw = {
2249
	.type		=	SOCK_STREAM,
2250
	.protocol	=	IPPROTO_TCP,
2251
	.prot		=	&tcpv6_prot,
2252
	.ops		=	&inet6_stream_ops,
2253
	.no_check	=	0,
2254
	.flags		=	INET_PROTOSW_PERMANENT |
2255
				INET_PROTOSW_ICSK,
2256
};
2257

2258
static int __net_init tcpv6_net_init(struct net *net)
2259
{
2260
	return inet_ctl_sock_create(&net->ipv6.tcp_sk, PF_INET6,
2261
				    SOCK_RAW, IPPROTO_TCP, net);
2262
}
2263

2264
static void __net_exit tcpv6_net_exit(struct net *net)
2265
{
2266
	inet_ctl_sock_destroy(net->ipv6.tcp_sk);
2267
}
2268

2269
static void __net_exit tcpv6_net_exit_batch(struct list_head *net_exit_list)
2270
{
2271
	inet_twsk_purge(&tcp_hashinfo, &tcp_death_row, AF_INET6);
2272
}
2273

2274
static struct pernet_operations tcpv6_net_ops = {
2275
	.init	    = tcpv6_net_init,
2276
	.exit	    = tcpv6_net_exit,
2277
	.exit_batch = tcpv6_net_exit_batch,
2278
};
2279

2280
int __init tcpv6_init(void)
2281
{
2282
	int ret;
2283

2284
	ret = inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP);
2285
	if (ret)
2286
		goto out;
2287

2288
	/* register inet6 protocol */
2289
	ret = inet6_register_protosw(&tcpv6_protosw);
2290
	if (ret)
2291
		goto out_tcpv6_protocol;
2292

2293
	ret = register_pernet_subsys(&tcpv6_net_ops);
2294
	if (ret)
2295
		goto out_tcpv6_protosw;
2296
out:
2297
	return ret;
2298

2299
out_tcpv6_protocol:
2300
	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2301
out_tcpv6_protosw:
2302
	inet6_unregister_protosw(&tcpv6_protosw);
2303
	goto out;
2304
}
2305

2306
void tcpv6_exit(void)
2307
{
2308
	unregister_pernet_subsys(&tcpv6_net_ops);
2309
	inet6_unregister_protosw(&tcpv6_protosw);
2310
	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2311
}
2312

2313