1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * TCP over IPv6
4 * Linux INET6 implementation
5 *
6 * Authors:
7 * Pedro Roque <roque@di.fc.ul.pt>
8 *
9 * Based on:
10 * linux/net/ipv4/tcp.c
11 * linux/net/ipv4/tcp_input.c
12 * linux/net/ipv4/tcp_output.c
13 *
14 * Fixes:
15 * Hideaki YOSHIFUJI : sin6_scope_id support
16 * YOSHIFUJI Hideaki @USAGI and: Support IPV6_V6ONLY socket option, which
17 * Alexey Kuznetsov allow both IPv4 and IPv6 sockets to bind
18 * a single port at the same time.
19 * YOSHIFUJI Hideaki @USAGI: convert /proc/net/tcp6 to seq_file.
20 */
21
22 #include <linux/bottom_half.h>
23 #include <linux/module.h>
24 #include <linux/errno.h>
25 #include <linux/types.h>
26 #include <linux/socket.h>
27 #include <linux/sockios.h>
28 #include <linux/net.h>
29 #include <linux/jiffies.h>
30 #include <linux/in.h>
31 #include <linux/in6.h>
32 #include <linux/netdevice.h>
33 #include <linux/init.h>
34 #include <linux/jhash.h>
35 #include <linux/ipsec.h>
36 #include <linux/times.h>
37 #include <linux/slab.h>
38 #include <linux/uaccess.h>
39 #include <linux/ipv6.h>
40 #include <linux/icmpv6.h>
41 #include <linux/random.h>
42 #include <linux/indirect_call_wrapper.h>
43
44 #include <net/tcp.h>
45 #include <net/ndisc.h>
46 #include <net/inet6_hashtables.h>
47 #include <net/inet6_connection_sock.h>
48 #include <net/ipv6.h>
49 #include <net/transp_v6.h>
50 #include <net/addrconf.h>
51 #include <net/ip6_route.h>
52 #include <net/ip6_checksum.h>
53 #include <net/inet_ecn.h>
54 #include <net/protocol.h>
55 #include <net/xfrm.h>
56 #include <net/snmp.h>
57 #include <net/dsfield.h>
58 #include <net/timewait_sock.h>
59 #include <net/inet_common.h>
60 #include <net/secure_seq.h>
61 #include <net/busy_poll.h>
62
63 #include <linux/proc_fs.h>
64 #include <linux/seq_file.h>
65
66 #include <crypto/hash.h>
67 #include <linux/scatterlist.h>
68
69 #include <trace/events/tcp.h>
70
71 static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
72 static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
73 struct request_sock *req);
74
75 INDIRECT_CALLABLE_SCOPE int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
76
77 static const struct inet_connection_sock_af_ops ipv6_mapped;
78 const struct inet_connection_sock_af_ops ipv6_specific;
79 #ifdef CONFIG_TCP_MD5SIG
80 static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
81 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
82 #else
tcp_v6_md5_do_lookup(const struct sock * sk,const struct in6_addr * addr,int l3index)83 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,
84 const struct in6_addr *addr,
85 int l3index)
86 {
87 return NULL;
88 }
89 #endif
90
91 /* Helper returning the inet6 address from a given tcp socket.
92 * It can be used in TCP stack instead of inet6_sk(sk).
93 * This avoids a dereference and allow compiler optimizations.
94 * It is a specialized version of inet6_sk_generic().
95 */
96 #define tcp_inet6_sk(sk) (&container_of_const(tcp_sk(sk), \
97 struct tcp6_sock, tcp)->inet6)
98
inet6_sk_rx_dst_set(struct sock * sk,const struct sk_buff * skb)99 static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
100 {
101 struct dst_entry *dst = skb_dst(skb);
102
103 if (dst && dst_hold_safe(dst)) {
104 const struct rt6_info *rt = (const struct rt6_info *)dst;
105
106 rcu_assign_pointer(sk->sk_rx_dst, dst);
107 sk->sk_rx_dst_ifindex = skb->skb_iif;
108 sk->sk_rx_dst_cookie = rt6_get_cookie(rt);
109 }
110 }
111
tcp_v6_init_seq(const struct sk_buff * skb)112 static u32 tcp_v6_init_seq(const struct sk_buff *skb)
113 {
114 return secure_tcpv6_seq(ipv6_hdr(skb)->daddr.s6_addr32,
115 ipv6_hdr(skb)->saddr.s6_addr32,
116 tcp_hdr(skb)->dest,
117 tcp_hdr(skb)->source);
118 }
119
tcp_v6_init_ts_off(const struct net * net,const struct sk_buff * skb)120 static u32 tcp_v6_init_ts_off(const struct net *net, const struct sk_buff *skb)
121 {
122 return secure_tcpv6_ts_off(net, ipv6_hdr(skb)->daddr.s6_addr32,
123 ipv6_hdr(skb)->saddr.s6_addr32);
124 }
125
tcp_v6_pre_connect(struct sock * sk,struct sockaddr * uaddr,int addr_len)126 static int tcp_v6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
127 int addr_len)
128 {
129 /* This check is replicated from tcp_v6_connect() and intended to
130 * prevent BPF program called below from accessing bytes that are out
131 * of the bound specified by user in addr_len.
132 */
133 if (addr_len < SIN6_LEN_RFC2133)
134 return -EINVAL;
135
136 sock_owned_by_me(sk);
137
138 return BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr, &addr_len);
139 }
140
tcp_v6_connect(struct sock * sk,struct sockaddr * uaddr,int addr_len)141 static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
142 int addr_len)
143 {
144 struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
145 struct inet_connection_sock *icsk = inet_csk(sk);
146 struct in6_addr *saddr = NULL, *final_p, final;
147 struct inet_timewait_death_row *tcp_death_row;
148 struct ipv6_pinfo *np = tcp_inet6_sk(sk);
149 struct inet_sock *inet = inet_sk(sk);
150 struct tcp_sock *tp = tcp_sk(sk);
151 struct net *net = sock_net(sk);
152 struct ipv6_txoptions *opt;
153 struct dst_entry *dst;
154 struct flowi6 fl6;
155 int addr_type;
156 int err;
157
158 if (addr_len < SIN6_LEN_RFC2133)
159 return -EINVAL;
160
161 if (usin->sin6_family != AF_INET6)
162 return -EAFNOSUPPORT;
163
164 memset(&fl6, 0, sizeof(fl6));
165
166 if (np->sndflow) {
167 fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
168 IP6_ECN_flow_init(fl6.flowlabel);
169 if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
170 struct ip6_flowlabel *flowlabel;
171 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
172 if (IS_ERR(flowlabel))
173 return -EINVAL;
174 fl6_sock_release(flowlabel);
175 }
176 }
177
178 /*
179 * connect() to INADDR_ANY means loopback (BSD'ism).
180 */
181
182 if (ipv6_addr_any(&usin->sin6_addr)) {
183 if (ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
184 ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
185 &usin->sin6_addr);
186 else
187 usin->sin6_addr = in6addr_loopback;
188 }
189
190 addr_type = ipv6_addr_type(&usin->sin6_addr);
191
192 if (addr_type & IPV6_ADDR_MULTICAST)
193 return -ENETUNREACH;
194
195 if (addr_type&IPV6_ADDR_LINKLOCAL) {
196 if (addr_len >= sizeof(struct sockaddr_in6) &&
197 usin->sin6_scope_id) {
198 /* If interface is set while binding, indices
199 * must coincide.
200 */
201 if (!sk_dev_equal_l3scope(sk, usin->sin6_scope_id))
202 return -EINVAL;
203
204 sk->sk_bound_dev_if = usin->sin6_scope_id;
205 }
206
207 /* Connect to link-local address requires an interface */
208 if (!sk->sk_bound_dev_if)
209 return -EINVAL;
210 }
211
212 if (tp->rx_opt.ts_recent_stamp &&
213 !ipv6_addr_equal(&sk->sk_v6_daddr, &usin->sin6_addr)) {
214 tp->rx_opt.ts_recent = 0;
215 tp->rx_opt.ts_recent_stamp = 0;
216 WRITE_ONCE(tp->write_seq, 0);
217 }
218
219 sk->sk_v6_daddr = usin->sin6_addr;
220 np->flow_label = fl6.flowlabel;
221
222 /*
223 * TCP over IPv4
224 */
225
226 if (addr_type & IPV6_ADDR_MAPPED) {
227 u32 exthdrlen = icsk->icsk_ext_hdr_len;
228 struct sockaddr_in sin;
229
230 if (ipv6_only_sock(sk))
231 return -ENETUNREACH;
232
233 sin.sin_family = AF_INET;
234 sin.sin_port = usin->sin6_port;
235 sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
236
237 /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
238 WRITE_ONCE(icsk->icsk_af_ops, &ipv6_mapped);
239 if (sk_is_mptcp(sk))
240 mptcpv6_handle_mapped(sk, true);
241 sk->sk_backlog_rcv = tcp_v4_do_rcv;
242 #ifdef CONFIG_TCP_MD5SIG
243 tp->af_specific = &tcp_sock_ipv6_mapped_specific;
244 #endif
245
246 err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));
247
248 if (err) {
249 icsk->icsk_ext_hdr_len = exthdrlen;
250 /* Paired with READ_ONCE() in tcp_(get|set)sockopt() */
251 WRITE_ONCE(icsk->icsk_af_ops, &ipv6_specific);
252 if (sk_is_mptcp(sk))
253 mptcpv6_handle_mapped(sk, false);
254 sk->sk_backlog_rcv = tcp_v6_do_rcv;
255 #ifdef CONFIG_TCP_MD5SIG
256 tp->af_specific = &tcp_sock_ipv6_specific;
257 #endif
258 goto failure;
259 }
260 np->saddr = sk->sk_v6_rcv_saddr;
261
262 return err;
263 }
264
265 if (!ipv6_addr_any(&sk->sk_v6_rcv_saddr))
266 saddr = &sk->sk_v6_rcv_saddr;
267
268 fl6.flowi6_proto = IPPROTO_TCP;
269 fl6.daddr = sk->sk_v6_daddr;
270 fl6.saddr = saddr ? *saddr : np->saddr;
271 fl6.flowlabel = ip6_make_flowinfo(np->tclass, np->flow_label);
272 fl6.flowi6_oif = sk->sk_bound_dev_if;
273 fl6.flowi6_mark = sk->sk_mark;
274 fl6.fl6_dport = usin->sin6_port;
275 fl6.fl6_sport = inet->inet_sport;
276 fl6.flowi6_uid = sk->sk_uid;
277
278 opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk));
279 final_p = fl6_update_dst(&fl6, opt, &final);
280
281 security_sk_classify_flow(sk, flowi6_to_flowi_common(&fl6));
282
283 dst = ip6_dst_lookup_flow(net, sk, &fl6, final_p);
284 if (IS_ERR(dst)) {
285 err = PTR_ERR(dst);
286 goto failure;
287 }
288
289 tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
290
291 if (!saddr) {
292 saddr = &fl6.saddr;
293
294 err = inet_bhash2_update_saddr(sk, saddr, AF_INET6);
295 if (err)
296 goto failure;
297 }
298
299 /* set the source address */
300 np->saddr = *saddr;
301 inet->inet_rcv_saddr = LOOPBACK4_IPV6;
302
303 sk->sk_gso_type = SKB_GSO_TCPV6;
304 ip6_dst_store(sk, dst, NULL, NULL);
305
306 icsk->icsk_ext_hdr_len = 0;
307 if (opt)
308 icsk->icsk_ext_hdr_len = opt->opt_flen +
309 opt->opt_nflen;
310
311 tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
312
313 inet->inet_dport = usin->sin6_port;
314
315 tcp_set_state(sk, TCP_SYN_SENT);
316 err = inet6_hash_connect(tcp_death_row, sk);
317 if (err)
318 goto late_failure;
319
320 sk_set_txhash(sk);
321
322 if (likely(!tp->repair)) {
323 if (!tp->write_seq)
324 WRITE_ONCE(tp->write_seq,
325 secure_tcpv6_seq(np->saddr.s6_addr32,
326 sk->sk_v6_daddr.s6_addr32,
327 inet->inet_sport,
328 inet->inet_dport));
329 tp->tsoffset = secure_tcpv6_ts_off(net, np->saddr.s6_addr32,
330 sk->sk_v6_daddr.s6_addr32);
331 }
332
333 if (tcp_fastopen_defer_connect(sk, &err))
334 return err;
335 if (err)
336 goto late_failure;
337
338 err = tcp_connect(sk);
339 if (err)
340 goto late_failure;
341
342 return 0;
343
344 late_failure:
345 tcp_set_state(sk, TCP_CLOSE);
346 inet_bhash2_reset_saddr(sk);
347 failure:
348 inet->inet_dport = 0;
349 sk->sk_route_caps = 0;
350 return err;
351 }
352
tcp_v6_mtu_reduced(struct sock * sk)353 static void tcp_v6_mtu_reduced(struct sock *sk)
354 {
355 struct dst_entry *dst;
356 u32 mtu;
357
358 if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
359 return;
360
361 mtu = READ_ONCE(tcp_sk(sk)->mtu_info);
362
363 /* Drop requests trying to increase our current mss.
364 * Check done in __ip6_rt_update_pmtu() is too late.
365 */
366 if (tcp_mtu_to_mss(sk, mtu) >= tcp_sk(sk)->mss_cache)
367 return;
368
369 dst = inet6_csk_update_pmtu(sk, mtu);
370 if (!dst)
371 return;
372
373 if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
374 tcp_sync_mss(sk, dst_mtu(dst));
375 tcp_simple_retransmit(sk);
376 }
377 }
378
tcp_v6_err(struct sk_buff * skb,struct inet6_skb_parm * opt,u8 type,u8 code,int offset,__be32 info)379 static int tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
380 u8 type, u8 code, int offset, __be32 info)
381 {
382 const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
383 const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
384 struct net *net = dev_net(skb->dev);
385 struct request_sock *fastopen;
386 struct ipv6_pinfo *np;
387 struct tcp_sock *tp;
388 __u32 seq, snd_una;
389 struct sock *sk;
390 bool fatal;
391 int err;
392
393 sk = __inet6_lookup_established(net, net->ipv4.tcp_death_row.hashinfo,
394 &hdr->daddr, th->dest,
395 &hdr->saddr, ntohs(th->source),
396 skb->dev->ifindex, inet6_sdif(skb));
397
398 if (!sk) {
399 __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev),
400 ICMP6_MIB_INERRORS);
401 return -ENOENT;
402 }
403
404 if (sk->sk_state == TCP_TIME_WAIT) {
405 inet_twsk_put(inet_twsk(sk));
406 return 0;
407 }
408 seq = ntohl(th->seq);
409 fatal = icmpv6_err_convert(type, code, &err);
410 if (sk->sk_state == TCP_NEW_SYN_RECV) {
411 tcp_req_err(sk, seq, fatal);
412 return 0;
413 }
414
415 bh_lock_sock(sk);
416 if (sock_owned_by_user(sk) && type != ICMPV6_PKT_TOOBIG)
417 __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
418
419 if (sk->sk_state == TCP_CLOSE)
420 goto out;
421
422 if (static_branch_unlikely(&ip6_min_hopcount)) {
423 /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
424 if (ipv6_hdr(skb)->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount)) {
425 __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
426 goto out;
427 }
428 }
429
430 tp = tcp_sk(sk);
431 /* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */
432 fastopen = rcu_dereference(tp->fastopen_rsk);
433 snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
434 if (sk->sk_state != TCP_LISTEN &&
435 !between(seq, snd_una, tp->snd_nxt)) {
436 __NET_INC_STATS(net, LINUX_MIB_OUTOFWINDOWICMPS);
437 goto out;
438 }
439
440 np = tcp_inet6_sk(sk);
441
442 if (type == NDISC_REDIRECT) {
443 if (!sock_owned_by_user(sk)) {
444 struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
445
446 if (dst)
447 dst->ops->redirect(dst, sk, skb);
448 }
449 goto out;
450 }
451
452 if (type == ICMPV6_PKT_TOOBIG) {
453 u32 mtu = ntohl(info);
454
455 /* We are not interested in TCP_LISTEN and open_requests
456 * (SYN-ACKs send out by Linux are always <576bytes so
457 * they should go through unfragmented).
458 */
459 if (sk->sk_state == TCP_LISTEN)
460 goto out;
461
462 if (!ip6_sk_accept_pmtu(sk))
463 goto out;
464
465 if (mtu < IPV6_MIN_MTU)
466 goto out;
467
468 WRITE_ONCE(tp->mtu_info, mtu);
469
470 if (!sock_owned_by_user(sk))
471 tcp_v6_mtu_reduced(sk);
472 else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED,
473 &sk->sk_tsq_flags))
474 sock_hold(sk);
475 goto out;
476 }
477
478
479 /* Might be for an request_sock */
480 switch (sk->sk_state) {
481 case TCP_SYN_SENT:
482 case TCP_SYN_RECV:
483 /* Only in fast or simultaneous open. If a fast open socket is
484 * already accepted it is treated as a connected one below.
485 */
486 if (fastopen && !fastopen->sk)
487 break;
488
489 ipv6_icmp_error(sk, skb, err, th->dest, ntohl(info), (u8 *)th);
490
491 if (!sock_owned_by_user(sk))
492 tcp_done_with_error(sk, err);
493 else
494 WRITE_ONCE(sk->sk_err_soft, err);
495 goto out;
496 case TCP_LISTEN:
497 break;
498 default:
499 /* check if this ICMP message allows revert of backoff.
500 * (see RFC 6069)
501 */
502 if (!fastopen && type == ICMPV6_DEST_UNREACH &&
503 code == ICMPV6_NOROUTE)
504 tcp_ld_RTO_revert(sk, seq);
505 }
506
507 if (!sock_owned_by_user(sk) && np->recverr) {
508 WRITE_ONCE(sk->sk_err, err);
509 sk_error_report(sk);
510 } else {
511 WRITE_ONCE(sk->sk_err_soft, err);
512 }
513 out:
514 bh_unlock_sock(sk);
515 sock_put(sk);
516 return 0;
517 }
518
519
tcp_v6_send_synack(const struct sock * sk,struct dst_entry * dst,struct flowi * fl,struct request_sock * req,struct tcp_fastopen_cookie * foc,enum tcp_synack_type synack_type,struct sk_buff * syn_skb)520 static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
521 struct flowi *fl,
522 struct request_sock *req,
523 struct tcp_fastopen_cookie *foc,
524 enum tcp_synack_type synack_type,
525 struct sk_buff *syn_skb)
526 {
527 struct inet_request_sock *ireq = inet_rsk(req);
528 const struct ipv6_pinfo *np = tcp_inet6_sk(sk);
529 struct ipv6_txoptions *opt;
530 struct flowi6 *fl6 = &fl->u.ip6;
531 struct sk_buff *skb;
532 int err = -ENOMEM;
533 u8 tclass;
534
535 /* First, grab a route. */
536 if (!dst && (dst = inet6_csk_route_req(sk, fl6, req,
537 IPPROTO_TCP)) == NULL)
538 goto done;
539
540 skb = tcp_make_synack(sk, dst, req, foc, synack_type, syn_skb);
541
542 if (skb) {
543 __tcp_v6_send_check(skb, &ireq->ir_v6_loc_addr,
544 &ireq->ir_v6_rmt_addr);
545
546 fl6->daddr = ireq->ir_v6_rmt_addr;
547 if (np->repflow && ireq->pktopts)
548 fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
549
550 tclass = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reflect_tos) ?
551 (tcp_rsk(req)->syn_tos & ~INET_ECN_MASK) |
552 (np->tclass & INET_ECN_MASK) :
553 np->tclass;
554
555 if (!INET_ECN_is_capable(tclass) &&
556 tcp_bpf_ca_needs_ecn((struct sock *)req))
557 tclass |= INET_ECN_ECT_0;
558
559 rcu_read_lock();
560 opt = ireq->ipv6_opt;
561 if (!opt)
562 opt = rcu_dereference(np->opt);
563 err = ip6_xmit(sk, skb, fl6, skb->mark ? : READ_ONCE(sk->sk_mark),
564 opt, tclass, sk->sk_priority);
565 rcu_read_unlock();
566 err = net_xmit_eval(err);
567 }
568
569 done:
570 return err;
571 }
572
573
tcp_v6_reqsk_destructor(struct request_sock * req)574 static void tcp_v6_reqsk_destructor(struct request_sock *req)
575 {
576 kfree(inet_rsk(req)->ipv6_opt);
577 consume_skb(inet_rsk(req)->pktopts);
578 }
579
580 #ifdef CONFIG_TCP_MD5SIG
tcp_v6_md5_do_lookup(const struct sock * sk,const struct in6_addr * addr,int l3index)581 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,
582 const struct in6_addr *addr,
583 int l3index)
584 {
585 return tcp_md5_do_lookup(sk, l3index,
586 (union tcp_md5_addr *)addr, AF_INET6);
587 }
588
tcp_v6_md5_lookup(const struct sock * sk,const struct sock * addr_sk)589 static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk,
590 const struct sock *addr_sk)
591 {
592 int l3index;
593
594 l3index = l3mdev_master_ifindex_by_index(sock_net(sk),
595 addr_sk->sk_bound_dev_if);
596 return tcp_v6_md5_do_lookup(sk, &addr_sk->sk_v6_daddr,
597 l3index);
598 }
599
tcp_v6_parse_md5_keys(struct sock * sk,int optname,sockptr_t optval,int optlen)600 static int tcp_v6_parse_md5_keys(struct sock *sk, int optname,
601 sockptr_t optval, int optlen)
602 {
603 struct tcp_md5sig cmd;
604 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
605 int l3index = 0;
606 u8 prefixlen;
607 u8 flags;
608
609 if (optlen < sizeof(cmd))
610 return -EINVAL;
611
612 if (copy_from_sockptr(&cmd, optval, sizeof(cmd)))
613 return -EFAULT;
614
615 if (sin6->sin6_family != AF_INET6)
616 return -EINVAL;
617
618 flags = cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX;
619
620 if (optname == TCP_MD5SIG_EXT &&
621 cmd.tcpm_flags & TCP_MD5SIG_FLAG_PREFIX) {
622 prefixlen = cmd.tcpm_prefixlen;
623 if (prefixlen > 128 || (ipv6_addr_v4mapped(&sin6->sin6_addr) &&
624 prefixlen > 32))
625 return -EINVAL;
626 } else {
627 prefixlen = ipv6_addr_v4mapped(&sin6->sin6_addr) ? 32 : 128;
628 }
629
630 if (optname == TCP_MD5SIG_EXT && cmd.tcpm_ifindex &&
631 cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX) {
632 struct net_device *dev;
633
634 rcu_read_lock();
635 dev = dev_get_by_index_rcu(sock_net(sk), cmd.tcpm_ifindex);
636 if (dev && netif_is_l3_master(dev))
637 l3index = dev->ifindex;
638 rcu_read_unlock();
639
640 /* ok to reference set/not set outside of rcu;
641 * right now device MUST be an L3 master
642 */
643 if (!dev || !l3index)
644 return -EINVAL;
645 }
646
647 if (!cmd.tcpm_keylen) {
648 if (ipv6_addr_v4mapped(&sin6->sin6_addr))
649 return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
650 AF_INET, prefixlen,
651 l3index, flags);
652 return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
653 AF_INET6, prefixlen, l3index, flags);
654 }
655
656 if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
657 return -EINVAL;
658
659 if (ipv6_addr_v4mapped(&sin6->sin6_addr))
660 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
661 AF_INET, prefixlen, l3index, flags,
662 cmd.tcpm_key, cmd.tcpm_keylen);
663
664 return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
665 AF_INET6, prefixlen, l3index, flags,
666 cmd.tcpm_key, cmd.tcpm_keylen);
667 }
668
tcp_v6_md5_hash_headers(struct tcp_md5sig_pool * hp,const struct in6_addr * daddr,const struct in6_addr * saddr,const struct tcphdr * th,int nbytes)669 static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp,
670 const struct in6_addr *daddr,
671 const struct in6_addr *saddr,
672 const struct tcphdr *th, int nbytes)
673 {
674 struct tcp6_pseudohdr *bp;
675 struct scatterlist sg;
676 struct tcphdr *_th;
677
678 bp = hp->scratch;
679 /* 1. TCP pseudo-header (RFC2460) */
680 bp->saddr = *saddr;
681 bp->daddr = *daddr;
682 bp->protocol = cpu_to_be32(IPPROTO_TCP);
683 bp->len = cpu_to_be32(nbytes);
684
685 _th = (struct tcphdr *)(bp + 1);
686 memcpy(_th, th, sizeof(*th));
687 _th->check = 0;
688
689 sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th));
690 ahash_request_set_crypt(hp->md5_req, &sg, NULL,
691 sizeof(*bp) + sizeof(*th));
692 return crypto_ahash_update(hp->md5_req);
693 }
694
tcp_v6_md5_hash_hdr(char * md5_hash,const struct tcp_md5sig_key * key,const struct in6_addr * daddr,struct in6_addr * saddr,const struct tcphdr * th)695 static int tcp_v6_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
696 const struct in6_addr *daddr, struct in6_addr *saddr,
697 const struct tcphdr *th)
698 {
699 struct tcp_md5sig_pool *hp;
700 struct ahash_request *req;
701
702 hp = tcp_get_md5sig_pool();
703 if (!hp)
704 goto clear_hash_noput;
705 req = hp->md5_req;
706
707 if (crypto_ahash_init(req))
708 goto clear_hash;
709 if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, th->doff << 2))
710 goto clear_hash;
711 if (tcp_md5_hash_key(hp, key))
712 goto clear_hash;
713 ahash_request_set_crypt(req, NULL, md5_hash, 0);
714 if (crypto_ahash_final(req))
715 goto clear_hash;
716
717 tcp_put_md5sig_pool();
718 return 0;
719
720 clear_hash:
721 tcp_put_md5sig_pool();
722 clear_hash_noput:
723 memset(md5_hash, 0, 16);
724 return 1;
725 }
726
tcp_v6_md5_hash_skb(char * md5_hash,const struct tcp_md5sig_key * key,const struct sock * sk,const struct sk_buff * skb)727 static int tcp_v6_md5_hash_skb(char *md5_hash,
728 const struct tcp_md5sig_key *key,
729 const struct sock *sk,
730 const struct sk_buff *skb)
731 {
732 const struct in6_addr *saddr, *daddr;
733 struct tcp_md5sig_pool *hp;
734 struct ahash_request *req;
735 const struct tcphdr *th = tcp_hdr(skb);
736
737 if (sk) { /* valid for establish/request sockets */
738 saddr = &sk->sk_v6_rcv_saddr;
739 daddr = &sk->sk_v6_daddr;
740 } else {
741 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
742 saddr = &ip6h->saddr;
743 daddr = &ip6h->daddr;
744 }
745
746 hp = tcp_get_md5sig_pool();
747 if (!hp)
748 goto clear_hash_noput;
749 req = hp->md5_req;
750
751 if (crypto_ahash_init(req))
752 goto clear_hash;
753
754 if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, skb->len))
755 goto clear_hash;
756 if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2))
757 goto clear_hash;
758 if (tcp_md5_hash_key(hp, key))
759 goto clear_hash;
760 ahash_request_set_crypt(req, NULL, md5_hash, 0);
761 if (crypto_ahash_final(req))
762 goto clear_hash;
763
764 tcp_put_md5sig_pool();
765 return 0;
766
767 clear_hash:
768 tcp_put_md5sig_pool();
769 clear_hash_noput:
770 memset(md5_hash, 0, 16);
771 return 1;
772 }
773
774 #endif
775
tcp_v6_init_req(struct request_sock * req,const struct sock * sk_listener,struct sk_buff * skb)776 static void tcp_v6_init_req(struct request_sock *req,
777 const struct sock *sk_listener,
778 struct sk_buff *skb)
779 {
780 bool l3_slave = ipv6_l3mdev_skb(TCP_SKB_CB(skb)->header.h6.flags);
781 struct inet_request_sock *ireq = inet_rsk(req);
782 const struct ipv6_pinfo *np = tcp_inet6_sk(sk_listener);
783
784 ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
785 ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
786
787 /* So that link locals have meaning */
788 if ((!sk_listener->sk_bound_dev_if || l3_slave) &&
789 ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
790 ireq->ir_iif = tcp_v6_iif(skb);
791
792 if (!TCP_SKB_CB(skb)->tcp_tw_isn &&
793 (ipv6_opt_accepted(sk_listener, skb, &TCP_SKB_CB(skb)->header.h6) ||
794 np->rxopt.bits.rxinfo ||
795 np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim ||
796 np->rxopt.bits.rxohlim || np->repflow)) {
797 refcount_inc(&skb->users);
798 ireq->pktopts = skb;
799 }
800 }
801
tcp_v6_route_req(const struct sock * sk,struct sk_buff * skb,struct flowi * fl,struct request_sock * req)802 static struct dst_entry *tcp_v6_route_req(const struct sock *sk,
803 struct sk_buff *skb,
804 struct flowi *fl,
805 struct request_sock *req)
806 {
807 tcp_v6_init_req(req, sk, skb);
808
809 if (security_inet_conn_request(sk, skb, req))
810 return NULL;
811
812 return inet6_csk_route_req(sk, &fl->u.ip6, req, IPPROTO_TCP);
813 }
814
815 struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
816 .family = AF_INET6,
817 .obj_size = sizeof(struct tcp6_request_sock),
818 .rtx_syn_ack = tcp_rtx_synack,
819 .send_ack = tcp_v6_reqsk_send_ack,
820 .destructor = tcp_v6_reqsk_destructor,
821 .send_reset = tcp_v6_send_reset,
822 .syn_ack_timeout = tcp_syn_ack_timeout,
823 };
824
825 const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
826 .mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) -
827 sizeof(struct ipv6hdr),
828 #ifdef CONFIG_TCP_MD5SIG
829 .req_md5_lookup = tcp_v6_md5_lookup,
830 .calc_md5_hash = tcp_v6_md5_hash_skb,
831 #endif
832 #ifdef CONFIG_SYN_COOKIES
833 .cookie_init_seq = cookie_v6_init_sequence,
834 #endif
835 .route_req = tcp_v6_route_req,
836 .init_seq = tcp_v6_init_seq,
837 .init_ts_off = tcp_v6_init_ts_off,
838 .send_synack = tcp_v6_send_synack,
839 };
840
tcp_v6_send_response(const struct sock * sk,struct sk_buff * skb,u32 seq,u32 ack,u32 win,u32 tsval,u32 tsecr,int oif,struct tcp_md5sig_key * key,int rst,u8 tclass,__be32 label,u32 priority,u32 txhash)841 static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 seq,
842 u32 ack, u32 win, u32 tsval, u32 tsecr,
843 int oif, struct tcp_md5sig_key *key, int rst,
844 u8 tclass, __be32 label, u32 priority, u32 txhash)
845 {
846 const struct tcphdr *th = tcp_hdr(skb);
847 struct tcphdr *t1;
848 struct sk_buff *buff;
849 struct flowi6 fl6;
850 struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
851 struct sock *ctl_sk = net->ipv6.tcp_sk;
852 unsigned int tot_len = sizeof(struct tcphdr);
853 __be32 mrst = 0, *topt;
854 struct dst_entry *dst;
855 __u32 mark = 0;
856
857 if (tsecr)
858 tot_len += TCPOLEN_TSTAMP_ALIGNED;
859 #ifdef CONFIG_TCP_MD5SIG
860 if (key)
861 tot_len += TCPOLEN_MD5SIG_ALIGNED;
862 #endif
863
864 #ifdef CONFIG_MPTCP
865 if (rst && !key) {
866 mrst = mptcp_reset_option(skb);
867
868 if (mrst)
869 tot_len += sizeof(__be32);
870 }
871 #endif
872
873 buff = alloc_skb(MAX_TCP_HEADER, GFP_ATOMIC);
874 if (!buff)
875 return;
876
877 skb_reserve(buff, MAX_TCP_HEADER);
878
879 t1 = skb_push(buff, tot_len);
880 skb_reset_transport_header(buff);
881
882 /* Swap the send and the receive. */
883 memset(t1, 0, sizeof(*t1));
884 t1->dest = th->source;
885 t1->source = th->dest;
886 t1->doff = tot_len / 4;
887 t1->seq = htonl(seq);
888 t1->ack_seq = htonl(ack);
889 t1->ack = !rst || !th->ack;
890 t1->rst = rst;
891 t1->window = htons(win);
892
893 topt = (__be32 *)(t1 + 1);
894
895 if (tsecr) {
896 *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
897 (TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
898 *topt++ = htonl(tsval);
899 *topt++ = htonl(tsecr);
900 }
901
902 if (mrst)
903 *topt++ = mrst;
904
905 #ifdef CONFIG_TCP_MD5SIG
906 if (key) {
907 *topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
908 (TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
909 tcp_v6_md5_hash_hdr((__u8 *)topt, key,
910 &ipv6_hdr(skb)->saddr,
911 &ipv6_hdr(skb)->daddr, t1);
912 }
913 #endif
914
915 memset(&fl6, 0, sizeof(fl6));
916 fl6.daddr = ipv6_hdr(skb)->saddr;
917 fl6.saddr = ipv6_hdr(skb)->daddr;
918 fl6.flowlabel = label;
919
920 buff->ip_summed = CHECKSUM_PARTIAL;
921
922 __tcp_v6_send_check(buff, &fl6.saddr, &fl6.daddr);
923
924 fl6.flowi6_proto = IPPROTO_TCP;
925 if (rt6_need_strict(&fl6.daddr) && !oif)
926 fl6.flowi6_oif = tcp_v6_iif(skb);
927 else {
928 if (!oif && netif_index_is_l3_master(net, skb->skb_iif))
929 oif = skb->skb_iif;
930
931 fl6.flowi6_oif = oif;
932 }
933
934 if (sk) {
935 if (sk->sk_state == TCP_TIME_WAIT)
936 mark = inet_twsk(sk)->tw_mark;
937 else
938 mark = READ_ONCE(sk->sk_mark);
939 skb_set_delivery_time(buff, tcp_transmit_time(sk), true);
940 }
941 if (txhash) {
942 /* autoflowlabel/skb_get_hash_flowi6 rely on buff->hash */
943 skb_set_hash(buff, txhash, PKT_HASH_TYPE_L4);
944 }
945 fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark) ?: mark;
946 fl6.fl6_dport = t1->dest;
947 fl6.fl6_sport = t1->source;
948 fl6.flowi6_uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL);
949 security_skb_classify_flow(skb, flowi6_to_flowi_common(&fl6));
950
951 /* Pass a socket to ip6_dst_lookup either it is for RST
952 * Underlying function will use this to retrieve the network
953 * namespace
954 */
955 if (sk && sk->sk_state != TCP_TIME_WAIT)
956 dst = ip6_dst_lookup_flow(net, sk, &fl6, NULL); /*sk's xfrm_policy can be referred*/
957 else
958 dst = ip6_dst_lookup_flow(net, ctl_sk, &fl6, NULL);
959 if (!IS_ERR(dst)) {
960 skb_dst_set(buff, dst);
961 ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL,
962 tclass & ~INET_ECN_MASK, priority);
963 TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
964 if (rst)
965 TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
966 return;
967 }
968
969 kfree_skb(buff);
970 }
971
tcp_v6_send_reset(const struct sock * sk,struct sk_buff * skb)972 static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
973 {
974 const struct tcphdr *th = tcp_hdr(skb);
975 struct ipv6hdr *ipv6h = ipv6_hdr(skb);
976 u32 seq = 0, ack_seq = 0;
977 struct tcp_md5sig_key *key = NULL;
978 #ifdef CONFIG_TCP_MD5SIG
979 const __u8 *hash_location = NULL;
980 unsigned char newhash[16];
981 int genhash;
982 struct sock *sk1 = NULL;
983 #endif
984 __be32 label = 0;
985 u32 priority = 0;
986 struct net *net;
987 u32 txhash = 0;
988 int oif = 0;
989
990 if (th->rst)
991 return;
992
993 /* If sk not NULL, it means we did a successful lookup and incoming
994 * route had to be correct. prequeue might have dropped our dst.
995 */
996 if (!sk && !ipv6_unicast_destination(skb))
997 return;
998
999 net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
1000 #ifdef CONFIG_TCP_MD5SIG
1001 rcu_read_lock();
1002 hash_location = tcp_parse_md5sig_option(th);
1003 if (sk && sk_fullsock(sk)) {
1004 int l3index;
1005
1006 /* sdif set, means packet ingressed via a device
1007 * in an L3 domain and inet_iif is set to it.
1008 */
1009 l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0;
1010 key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr, l3index);
1011 } else if (hash_location) {
1012 int dif = tcp_v6_iif_l3_slave(skb);
1013 int sdif = tcp_v6_sdif(skb);
1014 int l3index;
1015
1016 /*
1017 * active side is lost. Try to find listening socket through
1018 * source port, and then find md5 key through listening socket.
1019 * we are not loose security here:
1020 * Incoming packet is checked with md5 hash with finding key,
1021 * no RST generated if md5 hash doesn't match.
1022 */
1023 sk1 = inet6_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo,
1024 NULL, 0, &ipv6h->saddr, th->source,
1025 &ipv6h->daddr, ntohs(th->source),
1026 dif, sdif);
1027 if (!sk1)
1028 goto out;
1029
1030 /* sdif set, means packet ingressed via a device
1031 * in an L3 domain and dif is set to it.
1032 */
1033 l3index = tcp_v6_sdif(skb) ? dif : 0;
1034
1035 key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr, l3index);
1036 if (!key)
1037 goto out;
1038
1039 genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb);
1040 if (genhash || memcmp(hash_location, newhash, 16) != 0)
1041 goto out;
1042 }
1043 #endif
1044
1045 if (th->ack)
1046 seq = ntohl(th->ack_seq);
1047 else
1048 ack_seq = ntohl(th->seq) + th->syn + th->fin + skb->len -
1049 (th->doff << 2);
1050
1051 if (sk) {
1052 oif = sk->sk_bound_dev_if;
1053 if (sk_fullsock(sk)) {
1054 const struct ipv6_pinfo *np = tcp_inet6_sk(sk);
1055
1056 trace_tcp_send_reset(sk, skb);
1057 if (np->repflow)
1058 label = ip6_flowlabel(ipv6h);
1059 priority = sk->sk_priority;
1060 txhash = sk->sk_txhash;
1061 }
1062 if (sk->sk_state == TCP_TIME_WAIT) {
1063 label = cpu_to_be32(inet_twsk(sk)->tw_flowlabel);
1064 priority = inet_twsk(sk)->tw_priority;
1065 txhash = inet_twsk(sk)->tw_txhash;
1066 }
1067 } else {
1068 if (net->ipv6.sysctl.flowlabel_reflect & FLOWLABEL_REFLECT_TCP_RESET)
1069 label = ip6_flowlabel(ipv6h);
1070 }
1071
1072 tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1,
1073 ipv6_get_dsfield(ipv6h), label, priority, txhash);
1074
1075 #ifdef CONFIG_TCP_MD5SIG
1076 out:
1077 rcu_read_unlock();
1078 #endif
1079 }
1080
tcp_v6_send_ack(const struct sock * sk,struct sk_buff * skb,u32 seq,u32 ack,u32 win,u32 tsval,u32 tsecr,int oif,struct tcp_md5sig_key * key,u8 tclass,__be32 label,u32 priority,u32 txhash)1081 static void tcp_v6_send_ack(const struct sock *sk, struct sk_buff *skb, u32 seq,
1082 u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
1083 struct tcp_md5sig_key *key, u8 tclass,
1084 __be32 label, u32 priority, u32 txhash)
1085 {
1086 tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
1087 tclass, label, priority, txhash);
1088 }
1089
tcp_v6_timewait_ack(struct sock * sk,struct sk_buff * skb)1090 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
1091 {
1092 struct inet_timewait_sock *tw = inet_twsk(sk);
1093 struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
1094
1095 tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
1096 tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
1097 tcp_time_stamp_raw() + tcptw->tw_ts_offset,
1098 tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
1099 tw->tw_tclass, cpu_to_be32(tw->tw_flowlabel), tw->tw_priority,
1100 tw->tw_txhash);
1101
1102 inet_twsk_put(tw);
1103 }
1104
tcp_v6_reqsk_send_ack(const struct sock * sk,struct sk_buff * skb,struct request_sock * req)1105 static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
1106 struct request_sock *req)
1107 {
1108 int l3index;
1109
1110 l3index = tcp_v6_sdif(skb) ? tcp_v6_iif_l3_slave(skb) : 0;
1111
1112 /* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
1113 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
1114 */
1115 /* RFC 7323 2.3
1116 * The window field (SEG.WND) of every outgoing segment, with the
1117 * exception of <SYN> segments, MUST be right-shifted by
1118 * Rcv.Wind.Shift bits:
1119 */
1120 tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
1121 tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
1122 tcp_rsk(req)->rcv_nxt,
1123 req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
1124 tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
1125 READ_ONCE(req->ts_recent), sk->sk_bound_dev_if,
1126 tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr, l3index),
1127 ipv6_get_dsfield(ipv6_hdr(skb)), 0,
1128 READ_ONCE(sk->sk_priority),
1129 READ_ONCE(tcp_rsk(req)->txhash));
1130 }
1131
1132
tcp_v6_cookie_check(struct sock * sk,struct sk_buff * skb)1133 static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb)
1134 {
1135 #ifdef CONFIG_SYN_COOKIES
1136 const struct tcphdr *th = tcp_hdr(skb);
1137
1138 if (!th->syn)
1139 sk = cookie_v6_check(sk, skb);
1140 #endif
1141 return sk;
1142 }
1143
tcp_v6_get_syncookie(struct sock * sk,struct ipv6hdr * iph,struct tcphdr * th,u32 * cookie)1144 u16 tcp_v6_get_syncookie(struct sock *sk, struct ipv6hdr *iph,
1145 struct tcphdr *th, u32 *cookie)
1146 {
1147 u16 mss = 0;
1148 #ifdef CONFIG_SYN_COOKIES
1149 mss = tcp_get_syncookie_mss(&tcp6_request_sock_ops,
1150 &tcp_request_sock_ipv6_ops, sk, th);
1151 if (mss) {
1152 *cookie = __cookie_v6_init_sequence(iph, th, &mss);
1153 tcp_synq_overflow(sk);
1154 }
1155 #endif
1156 return mss;
1157 }
1158
tcp_v6_conn_request(struct sock * sk,struct sk_buff * skb)1159 static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
1160 {
1161 if (skb->protocol == htons(ETH_P_IP))
1162 return tcp_v4_conn_request(sk, skb);
1163
1164 if (!ipv6_unicast_destination(skb))
1165 goto drop;
1166
1167 if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
1168 __IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
1169 return 0;
1170 }
1171
1172 return tcp_conn_request(&tcp6_request_sock_ops,
1173 &tcp_request_sock_ipv6_ops, sk, skb);
1174
1175 drop:
1176 tcp_listendrop(sk);
1177 return 0; /* don't send reset */
1178 }
1179
tcp_v6_restore_cb(struct sk_buff * skb)1180 static void tcp_v6_restore_cb(struct sk_buff *skb)
1181 {
1182 /* We need to move header back to the beginning if xfrm6_policy_check()
1183 * and tcp_v6_fill_cb() are going to be called again.
1184 * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there.
1185 */
1186 memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6,
1187 sizeof(struct inet6_skb_parm));
1188 }
1189
tcp_v6_syn_recv_sock(const struct sock * sk,struct sk_buff * skb,struct request_sock * req,struct dst_entry * dst,struct request_sock * req_unhash,bool * own_req)1190 static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
1191 struct request_sock *req,
1192 struct dst_entry *dst,
1193 struct request_sock *req_unhash,
1194 bool *own_req)
1195 {
1196 struct inet_request_sock *ireq;
1197 struct ipv6_pinfo *newnp;
1198 const struct ipv6_pinfo *np = tcp_inet6_sk(sk);
1199 struct ipv6_txoptions *opt;
1200 struct inet_sock *newinet;
1201 bool found_dup_sk = false;
1202 struct tcp_sock *newtp;
1203 struct sock *newsk;
1204 #ifdef CONFIG_TCP_MD5SIG
1205 struct tcp_md5sig_key *key;
1206 int l3index;
1207 #endif
1208 struct flowi6 fl6;
1209
1210 if (skb->protocol == htons(ETH_P_IP)) {
1211 /*
1212 * v6 mapped
1213 */
1214
1215 newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst,
1216 req_unhash, own_req);
1217
1218 if (!newsk)
1219 return NULL;
1220
1221 inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
1222
1223 newnp = tcp_inet6_sk(newsk);
1224 newtp = tcp_sk(newsk);
1225
1226 memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1227
1228 newnp->saddr = newsk->sk_v6_rcv_saddr;
1229
1230 inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
1231 if (sk_is_mptcp(newsk))
1232 mptcpv6_handle_mapped(newsk, true);
1233 newsk->sk_backlog_rcv = tcp_v4_do_rcv;
1234 #ifdef CONFIG_TCP_MD5SIG
1235 newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
1236 #endif
1237
1238 newnp->ipv6_mc_list = NULL;
1239 newnp->ipv6_ac_list = NULL;
1240 newnp->ipv6_fl_list = NULL;
1241 newnp->pktoptions = NULL;
1242 newnp->opt = NULL;
1243 newnp->mcast_oif = inet_iif(skb);
1244 newnp->mcast_hops = ip_hdr(skb)->ttl;
1245 newnp->rcv_flowinfo = 0;
1246 if (np->repflow)
1247 newnp->flow_label = 0;
1248
1249 /*
1250 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
1251 * here, tcp_create_openreq_child now does this for us, see the comment in
1252 * that function for the gory details. -acme
1253 */
1254
1255 /* It is tricky place. Until this moment IPv4 tcp
1256 worked with IPv6 icsk.icsk_af_ops.
1257 Sync it now.
1258 */
1259 tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);
1260
1261 return newsk;
1262 }
1263
1264 ireq = inet_rsk(req);
1265
1266 if (sk_acceptq_is_full(sk))
1267 goto out_overflow;
1268
1269 if (!dst) {
1270 dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP);
1271 if (!dst)
1272 goto out;
1273 }
1274
1275 newsk = tcp_create_openreq_child(sk, req, skb);
1276 if (!newsk)
1277 goto out_nonewsk;
1278
1279 /*
1280 * No need to charge this sock to the relevant IPv6 refcnt debug socks
1281 * count here, tcp_create_openreq_child now does this for us, see the
1282 * comment in that function for the gory details. -acme
1283 */
1284
1285 newsk->sk_gso_type = SKB_GSO_TCPV6;
1286 inet6_sk_rx_dst_set(newsk, skb);
1287
1288 inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
1289
1290 newtp = tcp_sk(newsk);
1291 newinet = inet_sk(newsk);
1292 newnp = tcp_inet6_sk(newsk);
1293
1294 memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1295
1296 ip6_dst_store(newsk, dst, NULL, NULL);
1297
1298 newsk->sk_v6_daddr = ireq->ir_v6_rmt_addr;
1299 newnp->saddr = ireq->ir_v6_loc_addr;
1300 newsk->sk_v6_rcv_saddr = ireq->ir_v6_loc_addr;
1301 newsk->sk_bound_dev_if = ireq->ir_iif;
1302
1303 /* Now IPv6 options...
1304
1305 First: no IPv4 options.
1306 */
1307 newinet->inet_opt = NULL;
1308 newnp->ipv6_mc_list = NULL;
1309 newnp->ipv6_ac_list = NULL;
1310 newnp->ipv6_fl_list = NULL;
1311
1312 /* Clone RX bits */
1313 newnp->rxopt.all = np->rxopt.all;
1314
1315 newnp->pktoptions = NULL;
1316 newnp->opt = NULL;
1317 newnp->mcast_oif = tcp_v6_iif(skb);
1318 newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
1319 newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
1320 if (np->repflow)
1321 newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
1322
1323 /* Set ToS of the new socket based upon the value of incoming SYN.
1324 * ECT bits are set later in tcp_init_transfer().
1325 */
1326 if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reflect_tos))
1327 newnp->tclass = tcp_rsk(req)->syn_tos & ~INET_ECN_MASK;
1328
1329 /* Clone native IPv6 options from listening socket (if any)
1330
1331 Yes, keeping reference count would be much more clever,
1332 but we make one more one thing there: reattach optmem
1333 to newsk.
1334 */
1335 opt = ireq->ipv6_opt;
1336 if (!opt)
1337 opt = rcu_dereference(np->opt);
1338 if (opt) {
1339 opt = ipv6_dup_options(newsk, opt);
1340 RCU_INIT_POINTER(newnp->opt, opt);
1341 }
1342 inet_csk(newsk)->icsk_ext_hdr_len = 0;
1343 if (opt)
1344 inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
1345 opt->opt_flen;
1346
1347 tcp_ca_openreq_child(newsk, dst);
1348
1349 tcp_sync_mss(newsk, dst_mtu(dst));
1350 newtp->advmss = tcp_mss_clamp(tcp_sk(sk), dst_metric_advmss(dst));
1351
1352 tcp_initialize_rcv_mss(newsk);
1353
1354 newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
1355 newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
1356
1357 #ifdef CONFIG_TCP_MD5SIG
1358 l3index = l3mdev_master_ifindex_by_index(sock_net(sk), ireq->ir_iif);
1359
1360 /* Copy over the MD5 key from the original socket */
1361 key = tcp_v6_md5_do_lookup(sk, &newsk->sk_v6_daddr, l3index);
1362 if (key) {
1363 const union tcp_md5_addr *addr;
1364
1365 addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr;
1366 if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) {
1367 inet_csk_prepare_forced_close(newsk);
1368 tcp_done(newsk);
1369 goto out;
1370 }
1371 }
1372 #endif
1373
1374 if (__inet_inherit_port(sk, newsk) < 0) {
1375 inet_csk_prepare_forced_close(newsk);
1376 tcp_done(newsk);
1377 goto out;
1378 }
1379 *own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
1380 &found_dup_sk);
1381 if (*own_req) {
1382 tcp_move_syn(newtp, req);
1383
1384 /* Clone pktoptions received with SYN, if we own the req */
1385 if (ireq->pktopts) {
1386 newnp->pktoptions = skb_clone_and_charge_r(ireq->pktopts, newsk);
1387 consume_skb(ireq->pktopts);
1388 ireq->pktopts = NULL;
1389 if (newnp->pktoptions)
1390 tcp_v6_restore_cb(newnp->pktoptions);
1391 }
1392 } else {
1393 if (!req_unhash && found_dup_sk) {
1394 /* This code path should only be executed in the
1395 * syncookie case only
1396 */
1397 bh_unlock_sock(newsk);
1398 sock_put(newsk);
1399 newsk = NULL;
1400 }
1401 }
1402
1403 return newsk;
1404
1405 out_overflow:
1406 __NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
1407 out_nonewsk:
1408 dst_release(dst);
1409 out:
1410 tcp_listendrop(sk);
1411 return NULL;
1412 }
1413
1414 INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,
1415 u32));
1416 /* The socket must have it's spinlock held when we get
1417 * here, unless it is a TCP_LISTEN socket.
1418 *
1419 * We have a potential double-lock case here, so even when
1420 * doing backlog processing we use the BH locking scheme.
1421 * This is because we cannot sleep with the original spinlock
1422 * held.
1423 */
1424 INDIRECT_CALLABLE_SCOPE
tcp_v6_do_rcv(struct sock * sk,struct sk_buff * skb)1425 int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1426 {
1427 struct ipv6_pinfo *np = tcp_inet6_sk(sk);
1428 struct sk_buff *opt_skb = NULL;
1429 enum skb_drop_reason reason;
1430 struct tcp_sock *tp;
1431
1432 /* Imagine: socket is IPv6. IPv4 packet arrives,
1433 goes to IPv4 receive handler and backlogged.
1434 From backlog it always goes here. Kerboom...
1435 Fortunately, tcp_rcv_established and rcv_established
1436 handle them correctly, but it is not case with
1437 tcp_v6_hnd_req and tcp_v6_send_reset(). --ANK
1438 */
1439
1440 if (skb->protocol == htons(ETH_P_IP))
1441 return tcp_v4_do_rcv(sk, skb);
1442
1443 /*
1444 * socket locking is here for SMP purposes as backlog rcv
1445 * is currently called with bh processing disabled.
1446 */
1447
1448 /* Do Stevens' IPV6_PKTOPTIONS.
1449
1450 Yes, guys, it is the only place in our code, where we
1451 may make it not affecting IPv4.
1452 The rest of code is protocol independent,
1453 and I do not like idea to uglify IPv4.
1454
1455 Actually, all the idea behind IPV6_PKTOPTIONS
1456 looks not very well thought. For now we latch
1457 options, received in the last packet, enqueued
1458 by tcp. Feel free to propose better solution.
1459 --ANK (980728)
1460 */
1461 if (np->rxopt.all)
1462 opt_skb = skb_clone_and_charge_r(skb, sk);
1463
1464 reason = SKB_DROP_REASON_NOT_SPECIFIED;
1465 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1466 struct dst_entry *dst;
1467
1468 dst = rcu_dereference_protected(sk->sk_rx_dst,
1469 lockdep_sock_is_held(sk));
1470
1471 sock_rps_save_rxhash(sk, skb);
1472 sk_mark_napi_id(sk, skb);
1473 if (dst) {
1474 if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
1475 INDIRECT_CALL_1(dst->ops->check, ip6_dst_check,
1476 dst, sk->sk_rx_dst_cookie) == NULL) {
1477 RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
1478 dst_release(dst);
1479 }
1480 }
1481
1482 tcp_rcv_established(sk, skb);
1483 if (opt_skb)
1484 goto ipv6_pktoptions;
1485 return 0;
1486 }
1487
1488 if (tcp_checksum_complete(skb))
1489 goto csum_err;
1490
1491 if (sk->sk_state == TCP_LISTEN) {
1492 struct sock *nsk = tcp_v6_cookie_check(sk, skb);
1493
1494 if (!nsk)
1495 goto discard;
1496
1497 if (nsk != sk) {
1498 if (tcp_child_process(sk, nsk, skb))
1499 goto reset;
1500 if (opt_skb)
1501 __kfree_skb(opt_skb);
1502 return 0;
1503 }
1504 } else
1505 sock_rps_save_rxhash(sk, skb);
1506
1507 if (tcp_rcv_state_process(sk, skb))
1508 goto reset;
1509 if (opt_skb)
1510 goto ipv6_pktoptions;
1511 return 0;
1512
1513 reset:
1514 tcp_v6_send_reset(sk, skb);
1515 discard:
1516 if (opt_skb)
1517 __kfree_skb(opt_skb);
1518 kfree_skb_reason(skb, reason);
1519 return 0;
1520 csum_err:
1521 reason = SKB_DROP_REASON_TCP_CSUM;
1522 trace_tcp_bad_csum(skb);
1523 TCP_INC_STATS(sock_net(sk), TCP_MIB_CSUMERRORS);
1524 TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
1525 goto discard;
1526
1527
1528 ipv6_pktoptions:
1529 /* Do you ask, what is it?
1530
1531 1. skb was enqueued by tcp.
1532 2. skb is added to tail of read queue, rather than out of order.
1533 3. socket is not in passive state.
1534 4. Finally, it really contains options, which user wants to receive.
1535 */
1536 tp = tcp_sk(sk);
1537 if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
1538 !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
1539 if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
1540 np->mcast_oif = tcp_v6_iif(opt_skb);
1541 if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
1542 np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
1543 if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
1544 np->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(opt_skb));
1545 if (np->repflow)
1546 np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
1547 if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
1548 tcp_v6_restore_cb(opt_skb);
1549 opt_skb = xchg(&np->pktoptions, opt_skb);
1550 } else {
1551 __kfree_skb(opt_skb);
1552 opt_skb = xchg(&np->pktoptions, NULL);
1553 }
1554 }
1555
1556 consume_skb(opt_skb);
1557 return 0;
1558 }
1559
tcp_v6_fill_cb(struct sk_buff * skb,const struct ipv6hdr * hdr,const struct tcphdr * th)1560 static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr,
1561 const struct tcphdr *th)
1562 {
1563 /* This is tricky: we move IP6CB at its correct location into
1564 * TCP_SKB_CB(). It must be done after xfrm6_policy_check(), because
1565 * _decode_session6() uses IP6CB().
1566 * barrier() makes sure compiler won't play aliasing games.
1567 */
1568 memmove(&TCP_SKB_CB(skb)->header.h6, IP6CB(skb),
1569 sizeof(struct inet6_skb_parm));
1570 barrier();
1571
1572 TCP_SKB_CB(skb)->seq = ntohl(th->seq);
1573 TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
1574 skb->len - th->doff*4);
1575 TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
1576 TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
1577 TCP_SKB_CB(skb)->tcp_tw_isn = 0;
1578 TCP_SKB_CB(skb)->ip_dsfield = ipv6_get_dsfield(hdr);
1579 TCP_SKB_CB(skb)->sacked = 0;
1580 TCP_SKB_CB(skb)->has_rxtstamp =
1581 skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
1582 }
1583
tcp_v6_rcv(struct sk_buff * skb)1584 INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
1585 {
1586 enum skb_drop_reason drop_reason;
1587 int sdif = inet6_sdif(skb);
1588 int dif = inet6_iif(skb);
1589 const struct tcphdr *th;
1590 const struct ipv6hdr *hdr;
1591 bool refcounted;
1592 struct sock *sk;
1593 int ret;
1594 struct net *net = dev_net(skb->dev);
1595
1596 drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
1597 if (skb->pkt_type != PACKET_HOST)
1598 goto discard_it;
1599
1600 /*
1601 * Count it even if it's bad.
1602 */
1603 __TCP_INC_STATS(net, TCP_MIB_INSEGS);
1604
1605 if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
1606 goto discard_it;
1607
1608 th = (const struct tcphdr *)skb->data;
1609
1610 if (unlikely(th->doff < sizeof(struct tcphdr) / 4)) {
1611 drop_reason = SKB_DROP_REASON_PKT_TOO_SMALL;
1612 goto bad_packet;
1613 }
1614 if (!pskb_may_pull(skb, th->doff*4))
1615 goto discard_it;
1616
1617 if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
1618 goto csum_error;
1619
1620 th = (const struct tcphdr *)skb->data;
1621 hdr = ipv6_hdr(skb);
1622
1623 lookup:
1624 sk = __inet6_lookup_skb(net->ipv4.tcp_death_row.hashinfo, skb, __tcp_hdrlen(th),
1625 th->source, th->dest, inet6_iif(skb), sdif,
1626 &refcounted);
1627 if (!sk)
1628 goto no_tcp_socket;
1629
1630 process:
1631 if (sk->sk_state == TCP_TIME_WAIT)
1632 goto do_time_wait;
1633
1634 if (sk->sk_state == TCP_NEW_SYN_RECV) {
1635 struct request_sock *req = inet_reqsk(sk);
1636 bool req_stolen = false;
1637 struct sock *nsk;
1638
1639 sk = req->rsk_listener;
1640 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
1641 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
1642 else
1643 drop_reason = tcp_inbound_md5_hash(sk, skb,
1644 &hdr->saddr, &hdr->daddr,
1645 AF_INET6, dif, sdif);
1646 if (drop_reason) {
1647 sk_drops_add(sk, skb);
1648 reqsk_put(req);
1649 goto discard_it;
1650 }
1651 if (tcp_checksum_complete(skb)) {
1652 reqsk_put(req);
1653 goto csum_error;
1654 }
1655 if (unlikely(sk->sk_state != TCP_LISTEN)) {
1656 nsk = reuseport_migrate_sock(sk, req_to_sk(req), skb);
1657 if (!nsk) {
1658 inet_csk_reqsk_queue_drop_and_put(sk, req);
1659 goto lookup;
1660 }
1661 sk = nsk;
1662 /* reuseport_migrate_sock() has already held one sk_refcnt
1663 * before returning.
1664 */
1665 } else {
1666 sock_hold(sk);
1667 }
1668 refcounted = true;
1669 nsk = NULL;
1670 if (!tcp_filter(sk, skb)) {
1671 th = (const struct tcphdr *)skb->data;
1672 hdr = ipv6_hdr(skb);
1673 tcp_v6_fill_cb(skb, hdr, th);
1674 nsk = tcp_check_req(sk, skb, req, false, &req_stolen);
1675 } else {
1676 drop_reason = SKB_DROP_REASON_SOCKET_FILTER;
1677 }
1678 if (!nsk) {
1679 reqsk_put(req);
1680 if (req_stolen) {
1681 /* Another cpu got exclusive access to req
1682 * and created a full blown socket.
1683 * Try to feed this packet to this socket
1684 * instead of discarding it.
1685 */
1686 tcp_v6_restore_cb(skb);
1687 sock_put(sk);
1688 goto lookup;
1689 }
1690 goto discard_and_relse;
1691 }
1692 nf_reset_ct(skb);
1693 if (nsk == sk) {
1694 reqsk_put(req);
1695 tcp_v6_restore_cb(skb);
1696 } else if (tcp_child_process(sk, nsk, skb)) {
1697 tcp_v6_send_reset(nsk, skb);
1698 goto discard_and_relse;
1699 } else {
1700 sock_put(sk);
1701 return 0;
1702 }
1703 }
1704
1705 if (static_branch_unlikely(&ip6_min_hopcount)) {
1706 /* min_hopcount can be changed concurrently from do_ipv6_setsockopt() */
1707 if (unlikely(hdr->hop_limit < READ_ONCE(tcp_inet6_sk(sk)->min_hopcount))) {
1708 __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
1709 drop_reason = SKB_DROP_REASON_TCP_MINTTL;
1710 goto discard_and_relse;
1711 }
1712 }
1713
1714 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
1715 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
1716 goto discard_and_relse;
1717 }
1718
1719 drop_reason = tcp_inbound_md5_hash(sk, skb, &hdr->saddr, &hdr->daddr,
1720 AF_INET6, dif, sdif);
1721 if (drop_reason)
1722 goto discard_and_relse;
1723
1724 nf_reset_ct(skb);
1725
1726 if (tcp_filter(sk, skb)) {
1727 drop_reason = SKB_DROP_REASON_SOCKET_FILTER;
1728 goto discard_and_relse;
1729 }
1730 th = (const struct tcphdr *)skb->data;
1731 hdr = ipv6_hdr(skb);
1732 tcp_v6_fill_cb(skb, hdr, th);
1733
1734 skb->dev = NULL;
1735
1736 if (sk->sk_state == TCP_LISTEN) {
1737 ret = tcp_v6_do_rcv(sk, skb);
1738 goto put_and_return;
1739 }
1740
1741 sk_incoming_cpu_update(sk);
1742
1743 bh_lock_sock_nested(sk);
1744 tcp_segs_in(tcp_sk(sk), skb);
1745 ret = 0;
1746 if (!sock_owned_by_user(sk)) {
1747 ret = tcp_v6_do_rcv(sk, skb);
1748 } else {
1749 if (tcp_add_backlog(sk, skb, &drop_reason))
1750 goto discard_and_relse;
1751 }
1752 bh_unlock_sock(sk);
1753 put_and_return:
1754 if (refcounted)
1755 sock_put(sk);
1756 return ret ? -1 : 0;
1757
1758 no_tcp_socket:
1759 drop_reason = SKB_DROP_REASON_NO_SOCKET;
1760 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
1761 goto discard_it;
1762
1763 tcp_v6_fill_cb(skb, hdr, th);
1764
1765 if (tcp_checksum_complete(skb)) {
1766 csum_error:
1767 drop_reason = SKB_DROP_REASON_TCP_CSUM;
1768 trace_tcp_bad_csum(skb);
1769 __TCP_INC_STATS(net, TCP_MIB_CSUMERRORS);
1770 bad_packet:
1771 __TCP_INC_STATS(net, TCP_MIB_INERRS);
1772 } else {
1773 tcp_v6_send_reset(NULL, skb);
1774 }
1775
1776 discard_it:
1777 SKB_DR_OR(drop_reason, NOT_SPECIFIED);
1778 kfree_skb_reason(skb, drop_reason);
1779 return 0;
1780
1781 discard_and_relse:
1782 sk_drops_add(sk, skb);
1783 if (refcounted)
1784 sock_put(sk);
1785 goto discard_it;
1786
1787 do_time_wait:
1788 if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1789 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
1790 inet_twsk_put(inet_twsk(sk));
1791 goto discard_it;
1792 }
1793
1794 tcp_v6_fill_cb(skb, hdr, th);
1795
1796 if (tcp_checksum_complete(skb)) {
1797 inet_twsk_put(inet_twsk(sk));
1798 goto csum_error;
1799 }
1800
1801 switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
1802 case TCP_TW_SYN:
1803 {
1804 struct sock *sk2;
1805
1806 sk2 = inet6_lookup_listener(net, net->ipv4.tcp_death_row.hashinfo,
1807 skb, __tcp_hdrlen(th),
1808 &ipv6_hdr(skb)->saddr, th->source,
1809 &ipv6_hdr(skb)->daddr,
1810 ntohs(th->dest),
1811 tcp_v6_iif_l3_slave(skb),
1812 sdif);
1813 if (sk2) {
1814 struct inet_timewait_sock *tw = inet_twsk(sk);
1815 inet_twsk_deschedule_put(tw);
1816 sk = sk2;
1817 tcp_v6_restore_cb(skb);
1818 refcounted = false;
1819 goto process;
1820 }
1821 }
1822 /* to ACK */
1823 fallthrough;
1824 case TCP_TW_ACK:
1825 tcp_v6_timewait_ack(sk, skb);
1826 break;
1827 case TCP_TW_RST:
1828 tcp_v6_send_reset(sk, skb);
1829 inet_twsk_deschedule_put(inet_twsk(sk));
1830 goto discard_it;
1831 case TCP_TW_SUCCESS:
1832 ;
1833 }
1834 goto discard_it;
1835 }
1836
tcp_v6_early_demux(struct sk_buff * skb)1837 void tcp_v6_early_demux(struct sk_buff *skb)
1838 {
1839 struct net *net = dev_net(skb->dev);
1840 const struct ipv6hdr *hdr;
1841 const struct tcphdr *th;
1842 struct sock *sk;
1843
1844 if (skb->pkt_type != PACKET_HOST)
1845 return;
1846
1847 if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct tcphdr)))
1848 return;
1849
1850 hdr = ipv6_hdr(skb);
1851 th = tcp_hdr(skb);
1852
1853 if (th->doff < sizeof(struct tcphdr) / 4)
1854 return;
1855
1856 /* Note : We use inet6_iif() here, not tcp_v6_iif() */
1857 sk = __inet6_lookup_established(net, net->ipv4.tcp_death_row.hashinfo,
1858 &hdr->saddr, th->source,
1859 &hdr->daddr, ntohs(th->dest),
1860 inet6_iif(skb), inet6_sdif(skb));
1861 if (sk) {
1862 skb->sk = sk;
1863 skb->destructor = sock_edemux;
1864 if (sk_fullsock(sk)) {
1865 struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
1866
1867 if (dst)
1868 dst = dst_check(dst, sk->sk_rx_dst_cookie);
1869 if (dst &&
1870 sk->sk_rx_dst_ifindex == skb->skb_iif)
1871 skb_dst_set_noref(skb, dst);
1872 }
1873 }
1874 }
1875
1876 static struct timewait_sock_ops tcp6_timewait_sock_ops = {
1877 .twsk_obj_size = sizeof(struct tcp6_timewait_sock),
1878 .twsk_unique = tcp_twsk_unique,
1879 .twsk_destructor = tcp_twsk_destructor,
1880 };
1881
tcp_v6_send_check(struct sock * sk,struct sk_buff * skb)1882 INDIRECT_CALLABLE_SCOPE void tcp_v6_send_check(struct sock *sk, struct sk_buff *skb)
1883 {
1884 __tcp_v6_send_check(skb, &sk->sk_v6_rcv_saddr, &sk->sk_v6_daddr);
1885 }
1886
1887 const struct inet_connection_sock_af_ops ipv6_specific = {
1888 .queue_xmit = inet6_csk_xmit,
1889 .send_check = tcp_v6_send_check,
1890 .rebuild_header = inet6_sk_rebuild_header,
1891 .sk_rx_dst_set = inet6_sk_rx_dst_set,
1892 .conn_request = tcp_v6_conn_request,
1893 .syn_recv_sock = tcp_v6_syn_recv_sock,
1894 .net_header_len = sizeof(struct ipv6hdr),
1895 .net_frag_header_len = sizeof(struct frag_hdr),
1896 .setsockopt = ipv6_setsockopt,
1897 .getsockopt = ipv6_getsockopt,
1898 .addr2sockaddr = inet6_csk_addr2sockaddr,
1899 .sockaddr_len = sizeof(struct sockaddr_in6),
1900 .mtu_reduced = tcp_v6_mtu_reduced,
1901 };
1902
1903 #ifdef CONFIG_TCP_MD5SIG
1904 static const struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
1905 .md5_lookup = tcp_v6_md5_lookup,
1906 .calc_md5_hash = tcp_v6_md5_hash_skb,
1907 .md5_parse = tcp_v6_parse_md5_keys,
1908 };
1909 #endif
1910
1911 /*
1912 * TCP over IPv4 via INET6 API
1913 */
1914 static const struct inet_connection_sock_af_ops ipv6_mapped = {
1915 .queue_xmit = ip_queue_xmit,
1916 .send_check = tcp_v4_send_check,
1917 .rebuild_header = inet_sk_rebuild_header,
1918 .sk_rx_dst_set = inet_sk_rx_dst_set,
1919 .conn_request = tcp_v6_conn_request,
1920 .syn_recv_sock = tcp_v6_syn_recv_sock,
1921 .net_header_len = sizeof(struct iphdr),
1922 .setsockopt = ipv6_setsockopt,
1923 .getsockopt = ipv6_getsockopt,
1924 .addr2sockaddr = inet6_csk_addr2sockaddr,
1925 .sockaddr_len = sizeof(struct sockaddr_in6),
1926 .mtu_reduced = tcp_v4_mtu_reduced,
1927 };
1928
1929 #ifdef CONFIG_TCP_MD5SIG
1930 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
1931 .md5_lookup = tcp_v4_md5_lookup,
1932 .calc_md5_hash = tcp_v4_md5_hash_skb,
1933 .md5_parse = tcp_v6_parse_md5_keys,
1934 };
1935 #endif
1936
1937 /* NOTE: A lot of things set to zero explicitly by call to
1938 * sk_alloc() so need not be done here.
1939 */
tcp_v6_init_sock(struct sock * sk)1940 static int tcp_v6_init_sock(struct sock *sk)
1941 {
1942 struct inet_connection_sock *icsk = inet_csk(sk);
1943
1944 tcp_init_sock(sk);
1945
1946 icsk->icsk_af_ops = &ipv6_specific;
1947
1948 #ifdef CONFIG_TCP_MD5SIG
1949 tcp_sk(sk)->af_specific = &tcp_sock_ipv6_specific;
1950 #endif
1951
1952 return 0;
1953 }
1954
1955 #ifdef CONFIG_PROC_FS
1956 /* Proc filesystem TCPv6 sock list dumping. */
get_openreq6(struct seq_file * seq,const struct request_sock * req,int i)1957 static void get_openreq6(struct seq_file *seq,
1958 const struct request_sock *req, int i)
1959 {
1960 long ttd = req->rsk_timer.expires - jiffies;
1961 const struct in6_addr *src = &inet_rsk(req)->ir_v6_loc_addr;
1962 const struct in6_addr *dest = &inet_rsk(req)->ir_v6_rmt_addr;
1963
1964 if (ttd < 0)
1965 ttd = 0;
1966
1967 seq_printf(seq,
1968 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1969 "%02X %08X:%08X %02X:%08lX %08X %5u %8d %d %d %pK\n",
1970 i,
1971 src->s6_addr32[0], src->s6_addr32[1],
1972 src->s6_addr32[2], src->s6_addr32[3],
1973 inet_rsk(req)->ir_num,
1974 dest->s6_addr32[0], dest->s6_addr32[1],
1975 dest->s6_addr32[2], dest->s6_addr32[3],
1976 ntohs(inet_rsk(req)->ir_rmt_port),
1977 TCP_SYN_RECV,
1978 0, 0, /* could print option size, but that is af dependent. */
1979 1, /* timers active (only the expire timer) */
1980 jiffies_to_clock_t(ttd),
1981 req->num_timeout,
1982 from_kuid_munged(seq_user_ns(seq),
1983 sock_i_uid(req->rsk_listener)),
1984 0, /* non standard timer */
1985 0, /* open_requests have no inode */
1986 0, req);
1987 }
1988
get_tcp6_sock(struct seq_file * seq,struct sock * sp,int i)1989 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
1990 {
1991 const struct in6_addr *dest, *src;
1992 __u16 destp, srcp;
1993 int timer_active;
1994 unsigned long timer_expires;
1995 const struct inet_sock *inet = inet_sk(sp);
1996 const struct tcp_sock *tp = tcp_sk(sp);
1997 const struct inet_connection_sock *icsk = inet_csk(sp);
1998 const struct fastopen_queue *fastopenq = &icsk->icsk_accept_queue.fastopenq;
1999 int rx_queue;
2000 int state;
2001
2002 dest = &sp->sk_v6_daddr;
2003 src = &sp->sk_v6_rcv_saddr;
2004 destp = ntohs(inet->inet_dport);
2005 srcp = ntohs(inet->inet_sport);
2006
2007 if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
2008 icsk->icsk_pending == ICSK_TIME_REO_TIMEOUT ||
2009 icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
2010 timer_active = 1;
2011 timer_expires = icsk->icsk_timeout;
2012 } else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
2013 timer_active = 4;
2014 timer_expires = icsk->icsk_timeout;
2015 } else if (timer_pending(&sp->sk_timer)) {
2016 timer_active = 2;
2017 timer_expires = sp->sk_timer.expires;
2018 } else {
2019 timer_active = 0;
2020 timer_expires = jiffies;
2021 }
2022
2023 state = inet_sk_state_load(sp);
2024 if (state == TCP_LISTEN)
2025 rx_queue = READ_ONCE(sp->sk_ack_backlog);
2026 else
2027 /* Because we don't lock the socket,
2028 * we might find a transient negative value.
2029 */
2030 rx_queue = max_t(int, READ_ONCE(tp->rcv_nxt) -
2031 READ_ONCE(tp->copied_seq), 0);
2032
2033 seq_printf(seq,
2034 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2035 "%02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %pK %lu %lu %u %u %d\n",
2036 i,
2037 src->s6_addr32[0], src->s6_addr32[1],
2038 src->s6_addr32[2], src->s6_addr32[3], srcp,
2039 dest->s6_addr32[0], dest->s6_addr32[1],
2040 dest->s6_addr32[2], dest->s6_addr32[3], destp,
2041 state,
2042 READ_ONCE(tp->write_seq) - tp->snd_una,
2043 rx_queue,
2044 timer_active,
2045 jiffies_delta_to_clock_t(timer_expires - jiffies),
2046 icsk->icsk_retransmits,
2047 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
2048 icsk->icsk_probes_out,
2049 sock_i_ino(sp),
2050 refcount_read(&sp->sk_refcnt), sp,
2051 jiffies_to_clock_t(icsk->icsk_rto),
2052 jiffies_to_clock_t(icsk->icsk_ack.ato),
2053 (icsk->icsk_ack.quick << 1) | inet_csk_in_pingpong_mode(sp),
2054 tcp_snd_cwnd(tp),
2055 state == TCP_LISTEN ?
2056 fastopenq->max_qlen :
2057 (tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh)
2058 );
2059 }
2060
get_timewait6_sock(struct seq_file * seq,struct inet_timewait_sock * tw,int i)2061 static void get_timewait6_sock(struct seq_file *seq,
2062 struct inet_timewait_sock *tw, int i)
2063 {
2064 long delta = tw->tw_timer.expires - jiffies;
2065 const struct in6_addr *dest, *src;
2066 __u16 destp, srcp;
2067
2068 dest = &tw->tw_v6_daddr;
2069 src = &tw->tw_v6_rcv_saddr;
2070 destp = ntohs(tw->tw_dport);
2071 srcp = ntohs(tw->tw_sport);
2072
2073 seq_printf(seq,
2074 "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2075 "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
2076 i,
2077 src->s6_addr32[0], src->s6_addr32[1],
2078 src->s6_addr32[2], src->s6_addr32[3], srcp,
2079 dest->s6_addr32[0], dest->s6_addr32[1],
2080 dest->s6_addr32[2], dest->s6_addr32[3], destp,
2081 tw->tw_substate, 0, 0,
2082 3, jiffies_delta_to_clock_t(delta), 0, 0, 0, 0,
2083 refcount_read(&tw->tw_refcnt), tw);
2084 }
2085
tcp6_seq_show(struct seq_file * seq,void * v)2086 static int tcp6_seq_show(struct seq_file *seq, void *v)
2087 {
2088 struct tcp_iter_state *st;
2089 struct sock *sk = v;
2090
2091 if (v == SEQ_START_TOKEN) {
2092 seq_puts(seq,
2093 " sl "
2094 "local_address "
2095 "remote_address "
2096 "st tx_queue rx_queue tr tm->when retrnsmt"
2097 " uid timeout inode\n");
2098 goto out;
2099 }
2100 st = seq->private;
2101
2102 if (sk->sk_state == TCP_TIME_WAIT)
2103 get_timewait6_sock(seq, v, st->num);
2104 else if (sk->sk_state == TCP_NEW_SYN_RECV)
2105 get_openreq6(seq, v, st->num);
2106 else
2107 get_tcp6_sock(seq, v, st->num);
2108 out:
2109 return 0;
2110 }
2111
2112 static const struct seq_operations tcp6_seq_ops = {
2113 .show = tcp6_seq_show,
2114 .start = tcp_seq_start,
2115 .next = tcp_seq_next,
2116 .stop = tcp_seq_stop,
2117 };
2118
2119 static struct tcp_seq_afinfo tcp6_seq_afinfo = {
2120 .family = AF_INET6,
2121 };
2122
tcp6_proc_init(struct net * net)2123 int __net_init tcp6_proc_init(struct net *net)
2124 {
2125 if (!proc_create_net_data("tcp6", 0444, net->proc_net, &tcp6_seq_ops,
2126 sizeof(struct tcp_iter_state), &tcp6_seq_afinfo))
2127 return -ENOMEM;
2128 return 0;
2129 }
2130
tcp6_proc_exit(struct net * net)2131 void tcp6_proc_exit(struct net *net)
2132 {
2133 remove_proc_entry("tcp6", net->proc_net);
2134 }
2135 #endif
2136
2137 struct proto tcpv6_prot = {
2138 .name = "TCPv6",
2139 .owner = THIS_MODULE,
2140 .close = tcp_close,
2141 .pre_connect = tcp_v6_pre_connect,
2142 .connect = tcp_v6_connect,
2143 .disconnect = tcp_disconnect,
2144 .accept = inet_csk_accept,
2145 .ioctl = tcp_ioctl,
2146 .init = tcp_v6_init_sock,
2147 .destroy = tcp_v4_destroy_sock,
2148 .shutdown = tcp_shutdown,
2149 .setsockopt = tcp_setsockopt,
2150 .getsockopt = tcp_getsockopt,
2151 .bpf_bypass_getsockopt = tcp_bpf_bypass_getsockopt,
2152 .keepalive = tcp_set_keepalive,
2153 .recvmsg = tcp_recvmsg,
2154 .sendmsg = tcp_sendmsg,
2155 .splice_eof = tcp_splice_eof,
2156 .backlog_rcv = tcp_v6_do_rcv,
2157 .release_cb = tcp_release_cb,
2158 .hash = inet6_hash,
2159 .unhash = inet_unhash,
2160 .get_port = inet_csk_get_port,
2161 .put_port = inet_put_port,
2162 #ifdef CONFIG_BPF_SYSCALL
2163 .psock_update_sk_prot = tcp_bpf_update_proto,
2164 #endif
2165 .enter_memory_pressure = tcp_enter_memory_pressure,
2166 .leave_memory_pressure = tcp_leave_memory_pressure,
2167 .stream_memory_free = tcp_stream_memory_free,
2168 .sockets_allocated = &tcp_sockets_allocated,
2169
2170 .memory_allocated = &tcp_memory_allocated,
2171 .per_cpu_fw_alloc = &tcp_memory_per_cpu_fw_alloc,
2172
2173 .memory_pressure = &tcp_memory_pressure,
2174 .orphan_count = &tcp_orphan_count,
2175 .sysctl_mem = sysctl_tcp_mem,
2176 .sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_tcp_wmem),
2177 .sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_tcp_rmem),
2178 .max_header = MAX_TCP_HEADER,
2179 .obj_size = sizeof(struct tcp6_sock),
2180 .ipv6_pinfo_offset = offsetof(struct tcp6_sock, inet6),
2181 .slab_flags = SLAB_TYPESAFE_BY_RCU,
2182 .twsk_prot = &tcp6_timewait_sock_ops,
2183 .rsk_prot = &tcp6_request_sock_ops,
2184 .h.hashinfo = NULL,
2185 .no_autobind = true,
2186 .diag_destroy = tcp_abort,
2187 };
2188 EXPORT_SYMBOL_GPL(tcpv6_prot);
2189
2190 static const struct inet6_protocol tcpv6_protocol = {
2191 .handler = tcp_v6_rcv,
2192 .err_handler = tcp_v6_err,
2193 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2194 };
2195
2196 static struct inet_protosw tcpv6_protosw = {
2197 .type = SOCK_STREAM,
2198 .protocol = IPPROTO_TCP,
2199 .prot = &tcpv6_prot,
2200 .ops = &inet6_stream_ops,
2201 .flags = INET_PROTOSW_PERMANENT |
2202 INET_PROTOSW_ICSK,
2203 };
2204
tcpv6_net_init(struct net * net)2205 static int __net_init tcpv6_net_init(struct net *net)
2206 {
2207 return inet_ctl_sock_create(&net->ipv6.tcp_sk, PF_INET6,
2208 SOCK_RAW, IPPROTO_TCP, net);
2209 }
2210
tcpv6_net_exit(struct net * net)2211 static void __net_exit tcpv6_net_exit(struct net *net)
2212 {
2213 inet_ctl_sock_destroy(net->ipv6.tcp_sk);
2214 }
2215
2216 static struct pernet_operations tcpv6_net_ops = {
2217 .init = tcpv6_net_init,
2218 .exit = tcpv6_net_exit,
2219 };
2220
tcpv6_init(void)2221 int __init tcpv6_init(void)
2222 {
2223 int ret;
2224
2225 ret = inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP);
2226 if (ret)
2227 goto out;
2228
2229 /* register inet6 protocol */
2230 ret = inet6_register_protosw(&tcpv6_protosw);
2231 if (ret)
2232 goto out_tcpv6_protocol;
2233
2234 ret = register_pernet_subsys(&tcpv6_net_ops);
2235 if (ret)
2236 goto out_tcpv6_protosw;
2237
2238 ret = mptcpv6_init();
2239 if (ret)
2240 goto out_tcpv6_pernet_subsys;
2241
2242 out:
2243 return ret;
2244
2245 out_tcpv6_pernet_subsys:
2246 unregister_pernet_subsys(&tcpv6_net_ops);
2247 out_tcpv6_protosw:
2248 inet6_unregister_protosw(&tcpv6_protosw);
2249 out_tcpv6_protocol:
2250 inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2251 goto out;
2252 }
2253
tcpv6_exit(void)2254 void tcpv6_exit(void)
2255 {
2256 unregister_pernet_subsys(&tcpv6_net_ops);
2257 inet6_unregister_protosw(&tcpv6_protosw);
2258 inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2259 }
2260