/*
 *	TCP over IPv6
 *	Linux INET6 implementation
 *
 *	Authors:
 *	Pedro Roque		<roque@di.fc.ul.pt>
 *
 *	Based on:
 *	linux/net/ipv4/tcp.c
 *	linux/net/ipv4/tcp_input.c
 *	linux/net/ipv4/tcp_output.c
 *
 *	Fixes:
 *	Hideaki YOSHIFUJI	:	sin6_scope_id support
 *	YOSHIFUJI Hideaki @USAGI and:	Support IPV6_V6ONLY socket option, which
 *	Alexey Kuznetsov		allows both IPv4 and IPv6 sockets to bind
 *					a single port at the same time.
 *	YOSHIFUJI Hideaki @USAGI:	convert /proc/net/tcp6 to seq_file.
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License
 *	as published by the Free Software Foundation; either version
 *	2 of the License, or (at your option) any later version.
 */

#include <linux/bottom_half.h>
#include <linux/module.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <linux/jiffies.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/netdevice.h>
#include <linux/init.h>
#include <linux/jhash.h>
#include <linux/ipsec.h>
#include <linux/times.h>

#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/random.h>

#include <net/tcp.h>
#include <net/ndisc.h>
#include <net/inet6_hashtables.h>
#include <net/inet6_connection_sock.h>
#include <net/ipv6.h>
#include <net/transp_v6.h>
#include <net/addrconf.h>
#include <net/ip6_route.h>
#include <net/ip6_checksum.h>
#include <net/inet_ecn.h>
#include <net/protocol.h>
#include <net/xfrm.h>
#include <net/snmp.h>
#include <net/dsfield.h>
#include <net/timewait_sock.h>
#include <net/netdma.h>
#include <net/inet_common.h>

#include <asm/uaccess.h>

#include <linux/proc_fs.h>
#include <linux/seq_file.h>

#include <linux/crypto.h>
#include <linux/scatterlist.h>

static void	tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb);
static void	tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
				      struct request_sock *req);

static int	tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);

static const struct inet_connection_sock_af_ops ipv6_mapped;
static const struct inet_connection_sock_af_ops ipv6_specific;
#ifdef CONFIG_TCP_MD5SIG
static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
#else
static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
						   struct in6_addr *addr)
{
	return NULL;
}
#endif

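/* Hash the socket into the established tables.  A v4-mapped socket
 * (icsk_af_ops == &ipv6_mapped) is handed to the IPv4 hash routine;
 * everything else goes into the IPv6 hash with BHs disabled.
 */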
static void tcp_v6_hash(struct sock *sk)
{
	if (sk->sk_state != TCP_CLOSE) {
		if (inet_csk(sk)->icsk_af_ops == &ipv6_mapped) {
			tcp_prot.hash(sk);
			return;
		}
		local_bh_disable();
		__inet6_hash(sk, NULL);
		local_bh_enable();
	}
}

static __inline__ __sum16 tcp_v6_check(int len,
				   struct in6_addr *saddr,
				   struct in6_addr *daddr,
				   __wsum base)
{
	return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
}

static __u32 tcp_v6_init_sequence(struct sk_buff *skb)
{
	return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
					    ipv6_hdr(skb)->saddr.s6_addr32,
					    tcp_hdr(skb)->dest,
					    tcp_hdr(skb)->source);
}

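/* Initiate an active open.  Validates the destination address,
 * handles flow labels, falls back to tcp_v4_connect() for v4-mapped
 * destinations, performs the route and xfrm lookups, binds a local
 * port via inet6_hash_connect() and finally sends the SYN with
 * tcp_connect().
 */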
static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
			  int addr_len)
{
	struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
	struct inet_sock *inet = inet_sk(sk);
	struct inet_connection_sock *icsk = inet_csk(sk);
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp = tcp_sk(sk);
	struct in6_addr *saddr = NULL, *final_p = NULL, final;
	struct flowi fl;
	struct dst_entry *dst;
	int addr_type;
	int err;

	if (addr_len < SIN6_LEN_RFC2133)
		return -EINVAL;

	if (usin->sin6_family != AF_INET6)
		return -EAFNOSUPPORT;

	memset(&fl, 0, sizeof(fl));

	if (np->sndflow) {
		fl.fl6_flowlabel = usin->sin6_flowinfo & IPV6_FLOWINFO_MASK;
		IP6_ECN_flow_init(fl.fl6_flowlabel);
		if (fl.fl6_flowlabel & IPV6_FLOWLABEL_MASK) {
			struct ip6_flowlabel *flowlabel;
			flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
			if (flowlabel == NULL)
				return -EINVAL;
			ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
			fl6_sock_release(flowlabel);
		}
	}

	/*
	 *	connect() to INADDR_ANY means loopback (BSD'ism).
	 */

	if (ipv6_addr_any(&usin->sin6_addr))
		usin->sin6_addr.s6_addr[15] = 0x1;

	addr_type = ipv6_addr_type(&usin->sin6_addr);

	if (addr_type & IPV6_ADDR_MULTICAST)
		return -ENETUNREACH;

	if (addr_type & IPV6_ADDR_LINKLOCAL) {
		if (addr_len >= sizeof(struct sockaddr_in6) &&
		    usin->sin6_scope_id) {
			/* If interface is set while binding, indices
			 * must coincide.
			 */
			if (sk->sk_bound_dev_if &&
			    sk->sk_bound_dev_if != usin->sin6_scope_id)
				return -EINVAL;

			sk->sk_bound_dev_if = usin->sin6_scope_id;
		}

		/* Connect to link-local address requires an interface */
		if (!sk->sk_bound_dev_if)
			return -EINVAL;
	}

	if (tp->rx_opt.ts_recent_stamp &&
	    !ipv6_addr_equal(&np->daddr, &usin->sin6_addr)) {
		tp->rx_opt.ts_recent = 0;
		tp->rx_opt.ts_recent_stamp = 0;
		tp->write_seq = 0;
	}

	ipv6_addr_copy(&np->daddr, &usin->sin6_addr);
	np->flow_label = fl.fl6_flowlabel;

	/*
	 *	TCP over IPv4
	 */

	if (addr_type == IPV6_ADDR_MAPPED) {
		u32 exthdrlen = icsk->icsk_ext_hdr_len;
		struct sockaddr_in sin;

		SOCK_DEBUG(sk, "connect: ipv4 mapped\n");

		if (__ipv6_only_sock(sk))
			return -ENETUNREACH;

		sin.sin_family = AF_INET;
		sin.sin_port = usin->sin6_port;
		sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];

		icsk->icsk_af_ops = &ipv6_mapped;
		sk->sk_backlog_rcv = tcp_v4_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
		tp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif

		err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));

		if (err) {
			icsk->icsk_ext_hdr_len = exthdrlen;
			icsk->icsk_af_ops = &ipv6_specific;
			sk->sk_backlog_rcv = tcp_v6_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
			tp->af_specific = &tcp_sock_ipv6_specific;
#endif
			goto failure;
		} else {
			ipv6_addr_set_v4mapped(inet->inet_saddr, &np->saddr);
			ipv6_addr_set_v4mapped(inet->inet_rcv_saddr,
					       &np->rcv_saddr);
		}

		return err;
	}

	if (!ipv6_addr_any(&np->rcv_saddr))
		saddr = &np->rcv_saddr;

	fl.proto = IPPROTO_TCP;
	ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
	ipv6_addr_copy(&fl.fl6_src,
		       (saddr ? saddr : &np->saddr));
	fl.oif = sk->sk_bound_dev_if;
	fl.mark = sk->sk_mark;
	fl.fl_ip_dport = usin->sin6_port;
	fl.fl_ip_sport = inet->inet_sport;

	if (np->opt && np->opt->srcrt) {
		struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
		ipv6_addr_copy(&final, &fl.fl6_dst);
		ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
		final_p = &final;
	}

	security_sk_classify_flow(sk, &fl);

	err = ip6_dst_lookup(sk, &dst, &fl);
	if (err)
		goto failure;
	if (final_p)
		ipv6_addr_copy(&fl.fl6_dst, final_p);

	err = __xfrm_lookup(sock_net(sk), &dst, &fl, sk, XFRM_LOOKUP_WAIT);
	if (err < 0) {
		if (err == -EREMOTE)
			err = ip6_dst_blackhole(sk, &dst, &fl);
		if (err < 0)
			goto failure;
	}

	if (saddr == NULL) {
		saddr = &fl.fl6_src;
		ipv6_addr_copy(&np->rcv_saddr, saddr);
	}

	/* set the source address */
	ipv6_addr_copy(&np->saddr, saddr);
	inet->inet_rcv_saddr = LOOPBACK4_IPV6;

	sk->sk_gso_type = SKB_GSO_TCPV6;
	__ip6_dst_store(sk, dst, NULL, NULL);

	icsk->icsk_ext_hdr_len = 0;
	if (np->opt)
		icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
					  np->opt->opt_nflen);

	tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);

	inet->inet_dport = usin->sin6_port;

	tcp_set_state(sk, TCP_SYN_SENT);
	err = inet6_hash_connect(&tcp_death_row, sk);
	if (err)
		goto late_failure;

	if (!tp->write_seq)
		tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32,
							     np->daddr.s6_addr32,
							     inet->inet_sport,
							     inet->inet_dport);

	err = tcp_connect(sk);
	if (err)
		goto late_failure;

	return 0;

late_failure:
	tcp_set_state(sk, TCP_CLOSE);
	__sk_dst_reset(sk);
failure:
	inet->inet_dport = 0;
	sk->sk_route_caps = 0;
	return err;
}

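/* ICMPv6 error handler.  Locates the socket the error refers to,
 * adjusts the path MTU on ICMPV6_PKT_TOOBIG, and otherwise converts
 * the ICMP error and reports it to the socket (or drops the matching
 * request_sock while the connection is still embryonic).
 */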
static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		u8 type, u8 code, int offset, __be32 info)
{
	struct ipv6hdr *hdr = (struct ipv6hdr *)skb->data;
	const struct tcphdr *th = (struct tcphdr *)(skb->data + offset);
	struct ipv6_pinfo *np;
	struct sock *sk;
	int err;
	struct tcp_sock *tp;
	__u32 seq;
	struct net *net = dev_net(skb->dev);

	sk = inet6_lookup(net, &tcp_hashinfo, &hdr->daddr,
			th->dest, &hdr->saddr, th->source, skb->dev->ifindex);

	if (sk == NULL) {
		ICMP6_INC_STATS_BH(net, __in6_dev_get(skb->dev),
				   ICMP6_MIB_INERRORS);
		return;
	}

	if (sk->sk_state == TCP_TIME_WAIT) {
		inet_twsk_put(inet_twsk(sk));
		return;
	}

	bh_lock_sock(sk);
	if (sock_owned_by_user(sk))
		NET_INC_STATS_BH(net, LINUX_MIB_LOCKDROPPEDICMPS);

	if (sk->sk_state == TCP_CLOSE)
		goto out;

	tp = tcp_sk(sk);
	seq = ntohl(th->seq);
	if (sk->sk_state != TCP_LISTEN &&
	    !between(seq, tp->snd_una, tp->snd_nxt)) {
		NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
		goto out;
	}

	np = inet6_sk(sk);

	if (type == ICMPV6_PKT_TOOBIG) {
		struct dst_entry *dst = NULL;

		if (sock_owned_by_user(sk))
			goto out;
		if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
			goto out;

		/* icmp should have updated the destination cache entry */
		dst = __sk_dst_check(sk, np->dst_cookie);

		if (dst == NULL) {
			struct inet_sock *inet = inet_sk(sk);
			struct flowi fl;

			/* BUGGG_FUTURE: Again, it is not clear how
			   to handle rthdr case. Ignore this complexity
			   for now.
			 */
			memset(&fl, 0, sizeof(fl));
			fl.proto = IPPROTO_TCP;
			ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
			ipv6_addr_copy(&fl.fl6_src, &np->saddr);
			fl.oif = sk->sk_bound_dev_if;
			fl.mark = sk->sk_mark;
			fl.fl_ip_dport = inet->inet_dport;
			fl.fl_ip_sport = inet->inet_sport;
			security_skb_classify_flow(skb, &fl);

			if ((err = ip6_dst_lookup(sk, &dst, &fl))) {
				sk->sk_err_soft = -err;
				goto out;
			}

			if ((err = xfrm_lookup(net, &dst, &fl, sk, 0)) < 0) {
				sk->sk_err_soft = -err;
				goto out;
			}

		} else
			dst_hold(dst);

		if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
			tcp_sync_mss(sk, dst_mtu(dst));
			tcp_simple_retransmit(sk);
		} /* else let the usual retransmit timer handle it */
		dst_release(dst);
		goto out;
	}

	icmpv6_err_convert(type, code, &err);

	/* Might be for a request_sock */
	switch (sk->sk_state) {
		struct request_sock *req, **prev;
	case TCP_LISTEN:
		if (sock_owned_by_user(sk))
			goto out;

		req = inet6_csk_search_req(sk, &prev, th->dest, &hdr->daddr,
					   &hdr->saddr, inet6_iif(skb));
		if (!req)
			goto out;

		/* ICMPs are not backlogged, hence we cannot get
		 * an established socket here.
		 */
		WARN_ON(req->sk != NULL);

		if (seq != tcp_rsk(req)->snt_isn) {
			NET_INC_STATS_BH(net, LINUX_MIB_OUTOFWINDOWICMPS);
			goto out;
		}

		inet_csk_reqsk_queue_drop(sk, req, prev);
		goto out;

	case TCP_SYN_SENT:
	case TCP_SYN_RECV:  /* Cannot happen.
			       It can, if SYNs are crossed. --ANK */
		if (!sock_owned_by_user(sk)) {
			sk->sk_err = err;
			sk->sk_error_report(sk);	/* Wake people up to see the error (see connect in sock.c) */

			tcp_done(sk);
		} else
			sk->sk_err_soft = err;
		goto out;
	}

	if (!sock_owned_by_user(sk) && np->recverr) {
		sk->sk_err = err;
		sk->sk_error_report(sk);
	} else
		sk->sk_err_soft = err;

out:
	bh_unlock_sock(sk);
	sock_put(sk);
}

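/* Build and transmit a SYN+ACK for a pending connection request.
 * The routing decision honours any routing header in the listener's
 * IPv6 options before the packet is checksummed and sent.
 */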
static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
			      struct request_values *rvp)
{
	struct inet6_request_sock *treq = inet6_rsk(req);
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct sk_buff *skb;
	struct ipv6_txoptions *opt = NULL;
	struct in6_addr *final_p = NULL, final;
	struct flowi fl;
	struct dst_entry *dst;
	int err = -1;

	memset(&fl, 0, sizeof(fl));
	fl.proto = IPPROTO_TCP;
	ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
	ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
	fl.fl6_flowlabel = 0;
	fl.oif = treq->iif;
	fl.mark = sk->sk_mark;
	fl.fl_ip_dport = inet_rsk(req)->rmt_port;
	fl.fl_ip_sport = inet_rsk(req)->loc_port;
	security_req_classify_flow(req, &fl);

	opt = np->opt;
	if (opt && opt->srcrt) {
		struct rt0_hdr *rt0 = (struct rt0_hdr *) opt->srcrt;
		ipv6_addr_copy(&final, &fl.fl6_dst);
		ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
		final_p = &final;
	}

	err = ip6_dst_lookup(sk, &dst, &fl);
	if (err)
		goto done;
	if (final_p)
		ipv6_addr_copy(&fl.fl6_dst, final_p);
	if ((err = xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
		goto done;

	skb = tcp_make_synack(sk, dst, req, rvp);
	if (skb) {
		struct tcphdr *th = tcp_hdr(skb);

		th->check = tcp_v6_check(skb->len,
					 &treq->loc_addr, &treq->rmt_addr,
					 csum_partial(th, skb->len, skb->csum));

		ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
		err = ip6_xmit(sk, skb, &fl, opt, 0);
		err = net_xmit_eval(err);
	}

done:
	if (opt && opt != np->opt)
		sock_kfree_s(sk, opt, opt->tot_len);
	dst_release(dst);
	return err;
}

static inline void syn_flood_warning(struct sk_buff *skb)
{
#ifdef CONFIG_SYN_COOKIES
	if (sysctl_tcp_syncookies)
		printk(KERN_INFO
		       "TCPv6: Possible SYN flooding on port %d. "
		       "Sending cookies.\n", ntohs(tcp_hdr(skb)->dest));
	else
#endif
		printk(KERN_INFO
		       "TCPv6: Possible SYN flooding on port %d. "
		       "Dropping request.\n", ntohs(tcp_hdr(skb)->dest));
}

static void tcp_v6_reqsk_destructor(struct request_sock *req)
{
	kfree_skb(inet6_rsk(req)->pktopts);
}

#ifdef CONFIG_TCP_MD5SIG
static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
						   struct in6_addr *addr)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	BUG_ON(tp == NULL);

	if (!tp->md5sig_info || !tp->md5sig_info->entries6)
		return NULL;

	for (i = 0; i < tp->md5sig_info->entries6; i++) {
		if (ipv6_addr_equal(&tp->md5sig_info->keys6[i].addr, addr))
			return &tp->md5sig_info->keys6[i].base;
	}
	return NULL;
}

static struct tcp_md5sig_key *tcp_v6_md5_lookup(struct sock *sk,
						struct sock *addr_sk)
{
	return tcp_v6_md5_do_lookup(sk, &inet6_sk(addr_sk)->daddr);
}

static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
						      struct request_sock *req)
{
	return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
}

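/* Insert or update an MD5 signature key for an IPv6 peer.  The keys
 * live in a flat array that is grown one entry at a time; on any
 * allocation failure the caller's key buffer is freed here.
 */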
static int tcp_v6_md5_do_add(struct sock *sk, struct in6_addr *peer,
			     char *newkey, u8 newkeylen)
{
	/* Add key to the list */
	struct tcp_md5sig_key *key;
	struct tcp_sock *tp = tcp_sk(sk);
	struct tcp6_md5sig_key *keys;

	key = tcp_v6_md5_do_lookup(sk, peer);
	if (key) {
		/* modify existing entry - just update that one */
		kfree(key->key);
		key->key = newkey;
		key->keylen = newkeylen;
	} else {
		/* reallocate new list if current one is full. */
		if (!tp->md5sig_info) {
			tp->md5sig_info = kzalloc(sizeof(*tp->md5sig_info), GFP_ATOMIC);
			if (!tp->md5sig_info) {
				kfree(newkey);
				return -ENOMEM;
			}
			sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
		}
		if (tcp_alloc_md5sig_pool(sk) == NULL) {
			kfree(newkey);
			return -ENOMEM;
		}
		if (tp->md5sig_info->alloced6 == tp->md5sig_info->entries6) {
			keys = kmalloc((sizeof (tp->md5sig_info->keys6[0]) *
				       (tp->md5sig_info->entries6 + 1)), GFP_ATOMIC);

			if (!keys) {
				tcp_free_md5sig_pool();
				kfree(newkey);
				return -ENOMEM;
			}

			if (tp->md5sig_info->entries6)
				memmove(keys, tp->md5sig_info->keys6,
					(sizeof (tp->md5sig_info->keys6[0]) *
					 tp->md5sig_info->entries6));

			kfree(tp->md5sig_info->keys6);
			tp->md5sig_info->keys6 = keys;
			tp->md5sig_info->alloced6++;
		}

		ipv6_addr_copy(&tp->md5sig_info->keys6[tp->md5sig_info->entries6].addr,
			       peer);
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.key = newkey;
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].base.keylen = newkeylen;

		tp->md5sig_info->entries6++;
	}
	return 0;
}

static int tcp_v6_md5_add_func(struct sock *sk, struct sock *addr_sk,
			       u8 *newkey, __u8 newkeylen)
{
	return tcp_v6_md5_do_add(sk, &inet6_sk(addr_sk)->daddr,
				 newkey, newkeylen);
}

static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	for (i = 0; i < tp->md5sig_info->entries6; i++) {
		if (ipv6_addr_equal(&tp->md5sig_info->keys6[i].addr, peer)) {
			/* Free the key */
			kfree(tp->md5sig_info->keys6[i].base.key);
			tp->md5sig_info->entries6--;

			if (tp->md5sig_info->entries6 == 0) {
				kfree(tp->md5sig_info->keys6);
				tp->md5sig_info->keys6 = NULL;
				tp->md5sig_info->alloced6 = 0;
			} else {
				/* shrink the database */
				if (tp->md5sig_info->entries6 != i)
					memmove(&tp->md5sig_info->keys6[i],
						&tp->md5sig_info->keys6[i+1],
						(tp->md5sig_info->entries6 - i)
						* sizeof (tp->md5sig_info->keys6[0]));
			}
			tcp_free_md5sig_pool();
			return 0;
		}
	}
	return -ENOENT;
}

static void tcp_v6_clear_md5_list(struct sock *sk)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	if (tp->md5sig_info->entries6) {
		for (i = 0; i < tp->md5sig_info->entries6; i++)
			kfree(tp->md5sig_info->keys6[i].base.key);
		tp->md5sig_info->entries6 = 0;
		tcp_free_md5sig_pool();
	}

	kfree(tp->md5sig_info->keys6);
	tp->md5sig_info->keys6 = NULL;
	tp->md5sig_info->alloced6 = 0;

	if (tp->md5sig_info->entries4) {
		for (i = 0; i < tp->md5sig_info->entries4; i++)
			kfree(tp->md5sig_info->keys4[i].base.key);
		tp->md5sig_info->entries4 = 0;
		tcp_free_md5sig_pool();
	}

	kfree(tp->md5sig_info->keys4);
	tp->md5sig_info->keys4 = NULL;
	tp->md5sig_info->alloced4 = 0;
}

static int tcp_v6_parse_md5_keys(struct sock *sk, char __user *optval,
				 int optlen)
{
	struct tcp_md5sig cmd;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
	u8 *newkey;

	if (optlen < sizeof(cmd))
		return -EINVAL;

	if (copy_from_user(&cmd, optval, sizeof(cmd)))
		return -EFAULT;

	if (sin6->sin6_family != AF_INET6)
		return -EINVAL;

	if (!cmd.tcpm_keylen) {
		if (!tcp_sk(sk)->md5sig_info)
			return -ENOENT;
		if (ipv6_addr_v4mapped(&sin6->sin6_addr))
			return tcp_v4_md5_do_del(sk, sin6->sin6_addr.s6_addr32[3]);
		return tcp_v6_md5_do_del(sk, &sin6->sin6_addr);
	}

	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
		return -EINVAL;

	if (!tcp_sk(sk)->md5sig_info) {
		struct tcp_sock *tp = tcp_sk(sk);
		struct tcp_md5sig_info *p;

		p = kzalloc(sizeof(struct tcp_md5sig_info), GFP_KERNEL);
		if (!p)
			return -ENOMEM;

		tp->md5sig_info = p;
		sk->sk_route_caps &= ~NETIF_F_GSO_MASK;
	}

	newkey = kmemdup(cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
	if (!newkey)
		return -ENOMEM;
	if (ipv6_addr_v4mapped(&sin6->sin6_addr)) {
		return tcp_v4_md5_do_add(sk, sin6->sin6_addr.s6_addr32[3],
					 newkey, cmd.tcpm_keylen);
	}
	return tcp_v6_md5_do_add(sk, &sin6->sin6_addr, newkey, cmd.tcpm_keylen);
}

static int tcp_v6_md5_hash_pseudoheader(struct tcp_md5sig_pool *hp,
					struct in6_addr *daddr,
					struct in6_addr *saddr, int nbytes)
{
	struct tcp6_pseudohdr *bp;
	struct scatterlist sg;

	bp = &hp->md5_blk.ip6;
	/* 1. TCP pseudo-header (RFC2460) */
	ipv6_addr_copy(&bp->saddr, saddr);
	ipv6_addr_copy(&bp->daddr, daddr);
	bp->protocol = cpu_to_be32(IPPROTO_TCP);
	bp->len = cpu_to_be32(nbytes);

	sg_init_one(&sg, bp, sizeof(*bp));
	return crypto_hash_update(&hp->md5_desc, &sg, sizeof(*bp));
}

static int tcp_v6_md5_hash_hdr(char *md5_hash, struct tcp_md5sig_key *key,
			       struct in6_addr *daddr, struct in6_addr *saddr,
			       struct tcphdr *th)
{
	struct tcp_md5sig_pool *hp;
	struct hash_desc *desc;

	hp = tcp_get_md5sig_pool();
	if (!hp)
		goto clear_hash_noput;
	desc = &hp->md5_desc;

	if (crypto_hash_init(desc))
		goto clear_hash;
	if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, th->doff << 2))
		goto clear_hash;
	if (tcp_md5_hash_header(hp, th))
		goto clear_hash;
	if (tcp_md5_hash_key(hp, key))
		goto clear_hash;
	if (crypto_hash_final(desc, md5_hash))
		goto clear_hash;

	tcp_put_md5sig_pool();
	return 0;

clear_hash:
	tcp_put_md5sig_pool();
clear_hash_noput:
	memset(md5_hash, 0, 16);
	return 1;
}

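/* Compute the MD5 signature over a full segment.  The address pair
 * is taken from the socket, the request_sock or, failing both, the
 * packet headers themselves (used when validating inbound segments).
 */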
static int tcp_v6_md5_hash_skb(char *md5_hash, struct tcp_md5sig_key *key,
			       struct sock *sk, struct request_sock *req,
			       struct sk_buff *skb)
{
	struct in6_addr *saddr, *daddr;
	struct tcp_md5sig_pool *hp;
	struct hash_desc *desc;
	struct tcphdr *th = tcp_hdr(skb);

	if (sk) {
		saddr = &inet6_sk(sk)->saddr;
		daddr = &inet6_sk(sk)->daddr;
	} else if (req) {
		saddr = &inet6_rsk(req)->loc_addr;
		daddr = &inet6_rsk(req)->rmt_addr;
	} else {
		struct ipv6hdr *ip6h = ipv6_hdr(skb);
		saddr = &ip6h->saddr;
		daddr = &ip6h->daddr;
	}

	hp = tcp_get_md5sig_pool();
	if (!hp)
		goto clear_hash_noput;
	desc = &hp->md5_desc;

	if (crypto_hash_init(desc))
		goto clear_hash;

	if (tcp_v6_md5_hash_pseudoheader(hp, daddr, saddr, skb->len))
		goto clear_hash;
	if (tcp_md5_hash_header(hp, th))
		goto clear_hash;
	if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2))
		goto clear_hash;
	if (tcp_md5_hash_key(hp, key))
		goto clear_hash;
	if (crypto_hash_final(desc, md5_hash))
		goto clear_hash;

	tcp_put_md5sig_pool();
	return 0;

clear_hash:
	tcp_put_md5sig_pool();
clear_hash_noput:
	memset(md5_hash, 0, 16);
	return 1;
}

static int tcp_v6_inbound_md5_hash(struct sock *sk, struct sk_buff *skb)
{
	__u8 *hash_location = NULL;
	struct tcp_md5sig_key *hash_expected;
	struct ipv6hdr *ip6h = ipv6_hdr(skb);
	struct tcphdr *th = tcp_hdr(skb);
	int genhash;
	u8 newhash[16];

	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);
	hash_location = tcp_parse_md5sig_option(th);

	/* We've parsed the options - do we have a hash? */
	if (!hash_expected && !hash_location)
		return 0;

	if (hash_expected && !hash_location) {
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
		return 1;
	}

	if (!hash_expected && hash_location) {
		NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED);
		return 1;
	}

	/* check the signature */
	genhash = tcp_v6_md5_hash_skb(newhash,
				      hash_expected,
				      NULL, NULL, skb);

	if (genhash || memcmp(hash_location, newhash, 16) != 0) {
		if (net_ratelimit()) {
			printk(KERN_INFO "MD5 Hash %s for (%pI6, %u)->(%pI6, %u)\n",
			       genhash ? "failed" : "mismatch",
			       &ip6h->saddr, ntohs(th->source),
			       &ip6h->daddr, ntohs(th->dest));
		}
		return 1;
	}
	return 0;
}
#endif

struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
	.family		=	AF_INET6,
	.obj_size	=	sizeof(struct tcp6_request_sock),
	.rtx_syn_ack	=	tcp_v6_send_synack,
	.send_ack	=	tcp_v6_reqsk_send_ack,
	.destructor	=	tcp_v6_reqsk_destructor,
	.send_reset	=	tcp_v6_send_reset
};

#ifdef CONFIG_TCP_MD5SIG
static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
	.md5_lookup	=	tcp_v6_reqsk_md5_lookup,
	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
};
#endif

static struct timewait_sock_ops tcp6_timewait_sock_ops = {
	.twsk_obj_size	= sizeof(struct tcp6_timewait_sock),
	.twsk_unique	= tcp_twsk_unique,
	.twsk_destructor= tcp_twsk_destructor,
};

static void tcp_v6_send_check(struct sock *sk, int len, struct sk_buff *skb)
{
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcphdr *th = tcp_hdr(skb);

	if (skb->ip_summed == CHECKSUM_PARTIAL) {
		th->check = ~csum_ipv6_magic(&np->saddr, &np->daddr, len, IPPROTO_TCP, 0);
		skb->csum_start = skb_transport_header(skb) - skb->head;
		skb->csum_offset = offsetof(struct tcphdr, check);
	} else {
		th->check = csum_ipv6_magic(&np->saddr, &np->daddr, len, IPPROTO_TCP,
					    csum_partial(th, th->doff << 2,
							 skb->csum));
	}
}

static int tcp_v6_gso_send_check(struct sk_buff *skb)
{
	struct ipv6hdr *ipv6h;
	struct tcphdr *th;

	if (!pskb_may_pull(skb, sizeof(*th)))
		return -EINVAL;

	ipv6h = ipv6_hdr(skb);
	th = tcp_hdr(skb);

	th->check = 0;
	th->check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, skb->len,
				     IPPROTO_TCP, 0);
	skb->csum_start = skb_transport_header(skb) - skb->head;
	skb->csum_offset = offsetof(struct tcphdr, check);
	skb->ip_summed = CHECKSUM_PARTIAL;
	return 0;
}

static struct sk_buff **tcp6_gro_receive(struct sk_buff **head,
					 struct sk_buff *skb)
{
	struct ipv6hdr *iph = skb_gro_network_header(skb);

	switch (skb->ip_summed) {
	case CHECKSUM_COMPLETE:
		if (!tcp_v6_check(skb_gro_len(skb), &iph->saddr, &iph->daddr,
				  skb->csum)) {
			skb->ip_summed = CHECKSUM_UNNECESSARY;
			break;
		}

		/* fall through */
	case CHECKSUM_NONE:
		NAPI_GRO_CB(skb)->flush = 1;
		return NULL;
	}

	return tcp_gro_receive(head, skb);
}

static int tcp6_gro_complete(struct sk_buff *skb)
{
	struct ipv6hdr *iph = ipv6_hdr(skb);
	struct tcphdr *th = tcp_hdr(skb);

	th->check = ~tcp_v6_check(skb->len - skb_transport_offset(skb),
				  &iph->saddr, &iph->daddr, 0);
	skb_shinfo(skb)->gso_type = SKB_GSO_TCPV6;

	return tcp_gro_complete(skb);
}

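/* Common helper behind RSTs and bare ACKs: builds a minimal TCP
 * header (plus optional timestamp and MD5 options) in a fresh skb
 * and transmits it from the per-namespace control socket, so no
 * local TCP socket is required.
 */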
static void tcp_v6_send_response(struct sk_buff *skb, u32 seq, u32 ack, u32 win,
				 u32 ts, struct tcp_md5sig_key *key, int rst)
{
	struct tcphdr *th = tcp_hdr(skb), *t1;
	struct sk_buff *buff;
	struct flowi fl;
	struct net *net = dev_net(skb_dst(skb)->dev);
	struct sock *ctl_sk = net->ipv6.tcp_sk;
	unsigned int tot_len = sizeof(struct tcphdr);
	struct dst_entry *dst;
	__be32 *topt;

	if (ts)
		tot_len += TCPOLEN_TSTAMP_ALIGNED;
#ifdef CONFIG_TCP_MD5SIG
	if (key)
		tot_len += TCPOLEN_MD5SIG_ALIGNED;
#endif

	buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
			 GFP_ATOMIC);
	if (buff == NULL)
		return;

	skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);

	t1 = (struct tcphdr *) skb_push(buff, tot_len);
	skb_reset_transport_header(buff);

	/* Swap the send and the receive. */
	memset(t1, 0, sizeof(*t1));
	t1->dest = th->source;
	t1->source = th->dest;
	t1->doff = tot_len / 4;
	t1->seq = htonl(seq);
	t1->ack_seq = htonl(ack);
	t1->ack = !rst || !th->ack;
	t1->rst = rst;
	t1->window = htons(win);

	topt = (__be32 *)(t1 + 1);

	if (ts) {
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
				(TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
		*topt++ = htonl(tcp_time_stamp);
		*topt++ = htonl(ts);
	}

#ifdef CONFIG_TCP_MD5SIG
	if (key) {
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
				(TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
		tcp_v6_md5_hash_hdr((__u8 *)topt, key,
				    &ipv6_hdr(skb)->saddr,
				    &ipv6_hdr(skb)->daddr, t1);
	}
#endif

	buff->csum = csum_partial(t1, tot_len, 0);

	memset(&fl, 0, sizeof(fl));
	ipv6_addr_copy(&fl.fl6_dst, &ipv6_hdr(skb)->saddr);
	ipv6_addr_copy(&fl.fl6_src, &ipv6_hdr(skb)->daddr);

	t1->check = csum_ipv6_magic(&fl.fl6_src, &fl.fl6_dst,
				    tot_len, IPPROTO_TCP,
				    buff->csum);

	fl.proto = IPPROTO_TCP;
	fl.oif = inet6_iif(skb);
	fl.fl_ip_dport = t1->dest;
	fl.fl_ip_sport = t1->source;
	security_skb_classify_flow(skb, &fl);

	/* Pass a socket to ip6_dst_lookup even if it is for an RST;
	 * the underlying function will use it to retrieve the network
	 * namespace.
	 */
	if (!ip6_dst_lookup(ctl_sk, &dst, &fl)) {
		if (xfrm_lookup(net, &dst, &fl, NULL, 0) >= 0) {
			skb_dst_set(buff, dst);
			ip6_xmit(ctl_sk, buff, &fl, NULL, 0);
			TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS);
			if (rst)
				TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS);
			return;
		}
	}

	kfree_skb(buff);
}

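/* Send a RST in response to skb.  Never answer a RST with a RST,
 * and never reset non-unicast destinations.
 */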
static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
{
	struct tcphdr *th = tcp_hdr(skb);
	u32 seq = 0, ack_seq = 0;
	struct tcp_md5sig_key *key = NULL;

	if (th->rst)
		return;

	if (!ipv6_unicast_destination(skb))
		return;

#ifdef CONFIG_TCP_MD5SIG
	if (sk)
		key = tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr);
#endif

	if (th->ack)
		seq = ntohl(th->ack_seq);
	else
		ack_seq = ntohl(th->seq) + th->syn + th->fin + skb->len -
			  (th->doff << 2);

	tcp_v6_send_response(skb, seq, ack_seq, 0, 0, key, 1);
}

static void tcp_v6_send_ack(struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 ts,
			    struct tcp_md5sig_key *key)
{
	tcp_v6_send_response(skb, seq, ack, win, ts, key, 0);
}

static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
{
	struct inet_timewait_sock *tw = inet_twsk(sk);
	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);

	tcp_v6_send_ack(skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
			tcptw->tw_ts_recent, tcp_twsk_md5_key(tcptw));

	inet_twsk_put(tw);
}

static void tcp_v6_reqsk_send_ack(struct sock *sk, struct sk_buff *skb,
				  struct request_sock *req)
{
	tcp_v6_send_ack(skb, tcp_rsk(req)->snt_isn + 1,
			tcp_rsk(req)->rcv_isn + 1, req->rcv_wnd, req->ts_recent,
			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr));
}

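/* For a listener, map an incoming segment to a pending request_sock,
 * an already-established child, or (as a last resort) a SYN-cookie
 * validated connection.
 */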
static struct sock *tcp_v6_hnd_req(struct sock *sk, struct sk_buff *skb)
{
	struct request_sock *req, **prev;
	const struct tcphdr *th = tcp_hdr(skb);
	struct sock *nsk;

	/* Find possible connection requests. */
	req = inet6_csk_search_req(sk, &prev, th->source,
				   &ipv6_hdr(skb)->saddr,
				   &ipv6_hdr(skb)->daddr, inet6_iif(skb));
	if (req)
		return tcp_check_req(sk, skb, req, prev);

	nsk = __inet6_lookup_established(sock_net(sk), &tcp_hashinfo,
			&ipv6_hdr(skb)->saddr, th->source,
			&ipv6_hdr(skb)->daddr, ntohs(th->dest), inet6_iif(skb));

	if (nsk) {
		if (nsk->sk_state != TCP_TIME_WAIT) {
			bh_lock_sock(nsk);
			return nsk;
		}
		inet_twsk_put(inet_twsk(nsk));
		return NULL;
	}

#ifdef CONFIG_SYN_COOKIES
	if (!th->rst && !th->syn && th->ack)
		sk = cookie_v6_check(sk, skb);
#endif
	return sk;
}

/* FIXME: this is substantially similar to the ipv4 code.
 * Can some kind of merge be done? -- erics
 */
static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
{
	struct tcp_extend_values tmp_ext;
	struct tcp_options_received tmp_opt;
	u8 *hash_location;
	struct request_sock *req;
	struct inet6_request_sock *treq;
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp = tcp_sk(sk);
	__u32 isn = TCP_SKB_CB(skb)->when;
#ifdef CONFIG_SYN_COOKIES
	int want_cookie = 0;
#else
#define want_cookie 0
#endif

	if (skb->protocol == htons(ETH_P_IP))
		return tcp_v4_conn_request(sk, skb);

	if (!ipv6_unicast_destination(skb))
		goto drop;

	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
		if (net_ratelimit())
			syn_flood_warning(skb);
#ifdef CONFIG_SYN_COOKIES
		if (sysctl_tcp_syncookies)
			want_cookie = 1;
		else
#endif
		goto drop;
	}

	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
		goto drop;

	req = inet6_reqsk_alloc(&tcp6_request_sock_ops);
	if (req == NULL)
		goto drop;

#ifdef CONFIG_TCP_MD5SIG
	tcp_rsk(req)->af_specific = &tcp_request_sock_ipv6_ops;
#endif

	tcp_clear_options(&tmp_opt);
	tmp_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
	tmp_opt.user_mss = tp->rx_opt.user_mss;
	tcp_parse_options(skb, &tmp_opt, &hash_location, 0);

	if (tmp_opt.cookie_plus > 0 &&
	    tmp_opt.saw_tstamp &&
	    !tp->rx_opt.cookie_out_never &&
	    (sysctl_tcp_cookie_size > 0 ||
	     (tp->cookie_values != NULL &&
	      tp->cookie_values->cookie_desired > 0))) {
		u8 *c;
		u32 *d;
		u32 *mess = &tmp_ext.cookie_bakery[COOKIE_DIGEST_WORDS];
		int l = tmp_opt.cookie_plus - TCPOLEN_COOKIE_BASE;

		if (tcp_cookie_generator(&tmp_ext.cookie_bakery[0]) != 0)
			goto drop_and_free;

		/* Secret recipe starts with IP addresses */
		d = &ipv6_hdr(skb)->daddr.s6_addr32[0];
		*mess++ ^= *d++;
		*mess++ ^= *d++;
		*mess++ ^= *d++;
		*mess++ ^= *d++;
		d = &ipv6_hdr(skb)->saddr.s6_addr32[0];
		*mess++ ^= *d++;
		*mess++ ^= *d++;
		*mess++ ^= *d++;
		*mess++ ^= *d++;

		/* plus variable length Initiator Cookie */
		c = (u8 *)mess;
		while (l-- > 0)
			*c++ ^= *hash_location++;

#ifdef CONFIG_SYN_COOKIES
		want_cookie = 0;	/* not our kind of cookie */
#endif
		tmp_ext.cookie_out_never = 0; /* false */
		tmp_ext.cookie_plus = tmp_opt.cookie_plus;
	} else if (!tp->rx_opt.cookie_in_always) {
		/* redundant indications, but ensure initialization. */
		tmp_ext.cookie_out_never = 1; /* true */
		tmp_ext.cookie_plus = 0;
	} else {
		goto drop_and_free;
	}
	tmp_ext.cookie_in_always = tp->rx_opt.cookie_in_always;

	if (want_cookie && !tmp_opt.saw_tstamp)
		tcp_clear_options(&tmp_opt);

	tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
	tcp_openreq_init(req, &tmp_opt, skb);

	treq = inet6_rsk(req);
	ipv6_addr_copy(&treq->rmt_addr, &ipv6_hdr(skb)->saddr);
	ipv6_addr_copy(&treq->loc_addr, &ipv6_hdr(skb)->daddr);
	if (!want_cookie)
		TCP_ECN_create_request(req, tcp_hdr(skb));

	if (want_cookie) {
		isn = cookie_v6_init_sequence(sk, skb, &req->mss);
		req->cookie_ts = tmp_opt.tstamp_ok;
	} else if (!isn) {
		if (ipv6_opt_accepted(sk, skb) ||
		    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
		    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
			atomic_inc(&skb->users);
			treq->pktopts = skb;
		}
		treq->iif = sk->sk_bound_dev_if;

		/* So that link locals have meaning */
		if (!sk->sk_bound_dev_if &&
		    ipv6_addr_type(&treq->rmt_addr) & IPV6_ADDR_LINKLOCAL)
			treq->iif = inet6_iif(skb);

		isn = tcp_v6_init_sequence(skb);
	}
	tcp_rsk(req)->snt_isn = isn;

	security_inet_conn_request(sk, skb, req);

	if (tcp_v6_send_synack(sk, req,
			       (struct request_values *)&tmp_ext) ||
	    want_cookie)
		goto drop_and_free;

	inet6_csk_reqsk_queue_hash_add(sk, req, TCP_TIMEOUT_INIT);
	return 0;

drop_and_free:
	reqsk_free(req);
drop:
	return 0; /* don't send reset */
}

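/* Create the child socket for an accepted connection.  The v4-mapped
 * case clones an IPv4 child and patches in the mapped-address ops;
 * the native case routes, copies IPv6 options and inherits any MD5
 * key from the listener.
 */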
static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
					 struct request_sock *req,
					 struct dst_entry *dst)
{
	struct inet6_request_sock *treq;
	struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
	struct tcp6_sock *newtcp6sk;
	struct inet_sock *newinet;
	struct tcp_sock *newtp;
	struct sock *newsk;
	struct ipv6_txoptions *opt;
#ifdef CONFIG_TCP_MD5SIG
	struct tcp_md5sig_key *key;
#endif

	if (skb->protocol == htons(ETH_P_IP)) {
		/*
		 *	v6 mapped
		 */

		newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst);

		if (newsk == NULL)
			return NULL;

		newtcp6sk = (struct tcp6_sock *)newsk;
		inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;

		newinet = inet_sk(newsk);
		newnp = inet6_sk(newsk);
		newtp = tcp_sk(newsk);

		memcpy(newnp, np, sizeof(struct ipv6_pinfo));

		ipv6_addr_set_v4mapped(newinet->inet_daddr, &newnp->daddr);

		ipv6_addr_set_v4mapped(newinet->inet_saddr, &newnp->saddr);

		ipv6_addr_copy(&newnp->rcv_saddr, &newnp->saddr);

		inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
		newsk->sk_backlog_rcv = tcp_v4_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif

		newnp->pktoptions  = NULL;
		newnp->opt	   = NULL;
		newnp->mcast_oif   = inet6_iif(skb);
		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;

		/*
		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
		 * here, tcp_create_openreq_child now does this for us, see the comment in
		 * that function for the gory details. -acme
		 */

		/* This is a tricky place. Until this moment IPv4 tcp
		   worked with IPv6 icsk.icsk_af_ops.
		   Sync it now.
		 */
		tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);

		return newsk;
	}

	treq = inet6_rsk(req);
	opt = np->opt;

	if (sk_acceptq_is_full(sk))
		goto out_overflow;

	if (dst == NULL) {
		struct in6_addr *final_p = NULL, final;
		struct flowi fl;

		memset(&fl, 0, sizeof(fl));
		fl.proto = IPPROTO_TCP;
		ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
		if (opt && opt->srcrt) {
			struct rt0_hdr *rt0 = (struct rt0_hdr *) opt->srcrt;
			ipv6_addr_copy(&final, &fl.fl6_dst);
			ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
			final_p = &final;
		}
		ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
		fl.oif = sk->sk_bound_dev_if;
		fl.mark = sk->sk_mark;
		fl.fl_ip_dport = inet_rsk(req)->rmt_port;
		fl.fl_ip_sport = inet_rsk(req)->loc_port;
		security_req_classify_flow(req, &fl);

		if (ip6_dst_lookup(sk, &dst, &fl))
			goto out;

		if (final_p)
			ipv6_addr_copy(&fl.fl6_dst, final_p);

		if ((xfrm_lookup(sock_net(sk), &dst, &fl, sk, 0)) < 0)
			goto out;
	}

	newsk = tcp_create_openreq_child(sk, req, skb);
	if (newsk == NULL)
		goto out;

	/*
	 * No need to charge this sock to the relevant IPv6 refcnt debug socks
	 * count here, tcp_create_openreq_child now does this for us, see the
	 * comment in that function for the gory details. -acme
	 */

	newsk->sk_gso_type = SKB_GSO_TCPV6;
	__ip6_dst_store(newsk, dst, NULL, NULL);

	newtcp6sk = (struct tcp6_sock *)newsk;
	inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;

	newtp = tcp_sk(newsk);
	newinet = inet_sk(newsk);
	newnp = inet6_sk(newsk);

	memcpy(newnp, np, sizeof(struct ipv6_pinfo));

	ipv6_addr_copy(&newnp->daddr, &treq->rmt_addr);
	ipv6_addr_copy(&newnp->saddr, &treq->loc_addr);
	ipv6_addr_copy(&newnp->rcv_saddr, &treq->loc_addr);
	newsk->sk_bound_dev_if = treq->iif;

	/* Now IPv6 options...

	   First: no IPv4 options.
	 */
	newinet->opt = NULL;
	newnp->ipv6_fl_list = NULL;

	/* Clone RX bits */
	newnp->rxopt.all = np->rxopt.all;

	/* Clone pktoptions received with SYN */
	newnp->pktoptions = NULL;
	if (treq->pktopts != NULL) {
		newnp->pktoptions = skb_clone(treq->pktopts, GFP_ATOMIC);
		kfree_skb(treq->pktopts);
		treq->pktopts = NULL;
		if (newnp->pktoptions)
			skb_set_owner_r(newnp->pktoptions, newsk);
	}
	newnp->opt	  = NULL;
	newnp->mcast_oif  = inet6_iif(skb);
	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;

	/* Clone native IPv6 options from the listening socket (if any).

	   Yes, keeping a reference count would be much more clever,
	   but we do one more thing here: we reattach the optmem
	   to newsk.
	 */
	if (opt) {
		newnp->opt = ipv6_dup_options(newsk, opt);
		if (opt != np->opt)
			sock_kfree_s(sk, opt, opt->tot_len);
	}

	inet_csk(newsk)->icsk_ext_hdr_len = 0;
	if (newnp->opt)
		inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
						     newnp->opt->opt_flen);

	tcp_mtup_init(newsk);
	tcp_sync_mss(newsk, dst_mtu(dst));
	newtp->advmss = dst_metric(dst, RTAX_ADVMSS);
	tcp_initialize_rcv_mss(newsk);

	newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
	newinet->inet_rcv_saddr = LOOPBACK4_IPV6;

#ifdef CONFIG_TCP_MD5SIG
	/* Copy over the MD5 key from the original socket */
	if ((key = tcp_v6_md5_do_lookup(sk, &newnp->daddr)) != NULL) {
		/* We're using one, so create a matching key
		 * on the newsk structure. If we fail to get
		 * memory, then we end up not copying the key
		 * across. Shucks.
		 */
		char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
		if (newkey != NULL)
			tcp_v6_md5_do_add(newsk, &newnp->daddr,
					  newkey, key->keylen);
	}
#endif

	__inet6_hash(newsk, NULL);
	__inet_inherit_port(sk, newsk);

	return newsk;

out_overflow:
	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
out:
	NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENDROPS);
	if (opt && opt != np->opt)
		sock_kfree_s(sk, opt, opt->tot_len);
	dst_release(dst);
	return NULL;
}

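/* Validate the TCP checksum on receive.  Hardware-computed sums are
 * verified against the pseudo-header immediately; otherwise short
 * packets are checksummed now and larger ones are left for later.
 */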
static __sum16 tcp_v6_checksum_init(struct sk_buff *skb)
{
	if (skb->ip_summed == CHECKSUM_COMPLETE) {
		if (!tcp_v6_check(skb->len, &ipv6_hdr(skb)->saddr,
				  &ipv6_hdr(skb)->daddr, skb->csum)) {
			skb->ip_summed = CHECKSUM_UNNECESSARY;
			return 0;
		}
	}

	skb->csum = ~csum_unfold(tcp_v6_check(skb->len,
					      &ipv6_hdr(skb)->saddr,
					      &ipv6_hdr(skb)->daddr, 0));

	if (skb->len <= 76) {
		return __skb_checksum_complete(skb);
	}
	return 0;
}

/* The socket must have its spinlock held when we get
 * here.
 *
 * We have a potential double-lock case here, so even when
 * doing backlog processing we use the BH locking scheme.
 * This is because we cannot sleep with the original spinlock
 * held.
 */
static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
{
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp;
	struct sk_buff *opt_skb = NULL;

	/* Imagine: socket is IPv6. IPv4 packet arrives,
	   goes to IPv4 receive handler and backlogged.
	   From backlog it always goes here. Kerboom...
	   Fortunately, tcp_rcv_established and rcv_established
	   handle them correctly, but it is not the case with
	   tcp_v6_hnd_req and tcp_v6_send_reset().   --ANK
	 */

	if (skb->protocol == htons(ETH_P_IP))
		return tcp_v4_do_rcv(sk, skb);

#ifdef CONFIG_TCP_MD5SIG
	if (tcp_v6_inbound_md5_hash(sk, skb))
		goto discard;
#endif

	if (sk_filter(sk, skb))
		goto discard;

	/*
	 *	socket locking is here for SMP purposes as backlog rcv
	 *	is currently called with bh processing disabled.
	 */

	/* Do Stevens' IPV6_PKTOPTIONS.

	   Yes, guys, it is the only place in our code where we
	   may make it not affect IPv4.
	   The rest of the code is protocol independent,
	   and I do not like the idea of uglifying IPv4.

	   Actually, the whole idea behind IPV6_PKTOPTIONS
	   does not look very well thought out. For now we latch
	   the options received in the last packet enqueued
	   by tcp. Feel free to propose a better solution.
					       --ANK (980728)
	 */
	if (np->rxopt.all)
		opt_skb = skb_clone(skb, GFP_ATOMIC);

	if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
		TCP_CHECK_TIMER(sk);
		if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
			goto reset;
		TCP_CHECK_TIMER(sk);
		if (opt_skb)
			goto ipv6_pktoptions;
		return 0;
	}

	if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
		goto csum_err;

	if (sk->sk_state == TCP_LISTEN) {
		struct sock *nsk = tcp_v6_hnd_req(sk, skb);
		if (!nsk)
			goto discard;

		/*
		 * Queue it on the new socket if the new socket is active,
		 * otherwise we just shortcircuit this and continue with
		 * the new socket..
		 */
		if (nsk != sk) {
			if (tcp_child_process(sk, nsk, skb))
				goto reset;
			if (opt_skb)
				__kfree_skb(opt_skb);
			return 0;
		}
	}

	TCP_CHECK_TIMER(sk);
	if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len))
		goto reset;
	TCP_CHECK_TIMER(sk);
	if (opt_skb)
		goto ipv6_pktoptions;
	return 0;

reset:
	tcp_v6_send_reset(sk, skb);
discard:
	if (opt_skb)
		__kfree_skb(opt_skb);
	kfree_skb(skb);
	return 0;
csum_err:
	TCP_INC_STATS_BH(sock_net(sk), TCP_MIB_INERRS);
	goto discard;


ipv6_pktoptions:
	/* Do you ask, what is it?

	   1. skb was enqueued by tcp.
	   2. skb is added to tail of read queue, rather than out of order.
	   3. socket is not in passive state.
	   4. Finally, it really contains options, which user wants to receive.
	 */
	tp = tcp_sk(sk);
	if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
	    !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
		if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
			np->mcast_oif = inet6_iif(opt_skb);
		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
		if (ipv6_opt_accepted(sk, opt_skb)) {
			skb_set_owner_r(opt_skb, sk);
			opt_skb = xchg(&np->pktoptions, opt_skb);
		} else {
			__kfree_skb(opt_skb);
			opt_skb = xchg(&np->pktoptions, NULL);
		}
	}

	kfree_skb(opt_skb);
	return 0;
}

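/* Main receive routine, called from the IPv6 protocol handler in
 * softirq context: validates the header and checksum, looks up the
 * owning socket and either processes the segment directly, prequeues
 * it, or backlogs it when the socket is owned by user context.
 */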
static int tcp_v6_rcv(struct sk_buff *skb)
{
	struct tcphdr *th;
	struct sock *sk;
	int ret;
	struct net *net = dev_net(skb->dev);

	if (skb->pkt_type != PACKET_HOST)
		goto discard_it;

	/*
	 *	Count it even if it's bad.
	 */
	TCP_INC_STATS_BH(net, TCP_MIB_INSEGS);

	if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
		goto discard_it;

	th = tcp_hdr(skb);

	if (th->doff < sizeof(struct tcphdr)/4)
		goto bad_packet;
	if (!pskb_may_pull(skb, th->doff*4))
		goto discard_it;

	if (!skb_csum_unnecessary(skb) && tcp_v6_checksum_init(skb))
		goto bad_packet;

	th = tcp_hdr(skb);
	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
				    skb->len - th->doff*4);
	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
	TCP_SKB_CB(skb)->when = 0;
	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
	TCP_SKB_CB(skb)->sacked = 0;

	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
	if (!sk)
		goto no_tcp_socket;

process:
	if (sk->sk_state == TCP_TIME_WAIT)
		goto do_time_wait;

	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
		goto discard_and_relse;

	if (sk_filter(sk, skb))
		goto discard_and_relse;

	skb->dev = NULL;

	bh_lock_sock_nested(sk);
	ret = 0;
	if (!sock_owned_by_user(sk)) {
#ifdef CONFIG_NET_DMA
		struct tcp_sock *tp = tcp_sk(sk);
		if (!tp->ucopy.dma_chan && tp->ucopy.pinned_list)
			tp->ucopy.dma_chan = dma_find_channel(DMA_MEMCPY);
		if (tp->ucopy.dma_chan)
			ret = tcp_v6_do_rcv(sk, skb);
		else
#endif
		{
			if (!tcp_prequeue(sk, skb))
				ret = tcp_v6_do_rcv(sk, skb);
		}
	} else
		sk_add_backlog(sk, skb);
	bh_unlock_sock(sk);

	sock_put(sk);
	return ret ? -1 : 0;

no_tcp_socket:
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
		goto discard_it;

	if (skb->len < (th->doff << 2) || tcp_checksum_complete(skb)) {
bad_packet:
		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
	} else {
		tcp_v6_send_reset(NULL, skb);
	}

discard_it:

	/*
	 *	Discard frame
	 */

	kfree_skb(skb);
	return 0;

discard_and_relse:
	sock_put(sk);
	goto discard_it;

do_time_wait:
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		inet_twsk_put(inet_twsk(sk));
		goto discard_it;
	}

	if (skb->len < (th->doff << 2) || tcp_checksum_complete(skb)) {
		TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
		inet_twsk_put(inet_twsk(sk));
		goto discard_it;
	}

	switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
	case TCP_TW_SYN:
	{
		struct sock *sk2;

		sk2 = inet6_lookup_listener(dev_net(skb->dev), &tcp_hashinfo,
					    &ipv6_hdr(skb)->daddr,
					    ntohs(th->dest), inet6_iif(skb));
		if (sk2 != NULL) {
			struct inet_timewait_sock *tw = inet_twsk(sk);
			inet_twsk_deschedule(tw, &tcp_death_row);
			inet_twsk_put(tw);
			sk = sk2;
			goto process;
		}
		/* Fall through to ACK */
	}
	case TCP_TW_ACK:
		tcp_v6_timewait_ack(sk, skb);
		break;
	case TCP_TW_RST:
		goto no_tcp_socket;
	case TCP_TW_SUCCESS:;
	}
	goto discard_it;
}

static int tcp_v6_remember_stamp(struct sock *sk)
{
	/* Alas, not yet... */
	return 0;
}

static const struct inet_connection_sock_af_ops ipv6_specific = {
	.queue_xmit	   = inet6_csk_xmit,
	.send_check	   = tcp_v6_send_check,
	.rebuild_header	   = inet6_sk_rebuild_header,
	.conn_request	   = tcp_v6_conn_request,
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
	.remember_stamp	   = tcp_v6_remember_stamp,
	.net_header_len	   = sizeof(struct ipv6hdr),
	.setsockopt	   = ipv6_setsockopt,
	.getsockopt	   = ipv6_getsockopt,
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
	.bind_conflict	   = inet6_csk_bind_conflict,
#ifdef CONFIG_COMPAT
	.compat_setsockopt = compat_ipv6_setsockopt,
	.compat_getsockopt = compat_ipv6_getsockopt,
#endif
};

#ifdef CONFIG_TCP_MD5SIG
static const struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
	.md5_lookup	=	tcp_v6_md5_lookup,
	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
	.md5_add	=	tcp_v6_md5_add_func,
	.md5_parse	=	tcp_v6_parse_md5_keys,
};
#endif

/*
 *	TCP over IPv4 via INET6 API
 */

static const struct inet_connection_sock_af_ops ipv6_mapped = {
	.queue_xmit	   = ip_queue_xmit,
	.send_check	   = tcp_v4_send_check,
	.rebuild_header	   = inet_sk_rebuild_header,
	.conn_request	   = tcp_v6_conn_request,
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
	.remember_stamp	   = tcp_v4_remember_stamp,
	.net_header_len	   = sizeof(struct iphdr),
	.setsockopt	   = ipv6_setsockopt,
	.getsockopt	   = ipv6_getsockopt,
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
	.bind_conflict	   = inet6_csk_bind_conflict,
#ifdef CONFIG_COMPAT
	.compat_setsockopt = compat_ipv6_setsockopt,
	.compat_getsockopt = compat_ipv6_getsockopt,
#endif
};

#ifdef CONFIG_TCP_MD5SIG
static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
	.md5_lookup	=	tcp_v4_md5_lookup,
	.calc_md5_hash	=	tcp_v4_md5_hash_skb,
	.md5_add	=	tcp_v6_md5_add_func,
	.md5_parse	=	tcp_v6_parse_md5_keys,
};
#endif

1871 /* NOTE: A lot of things set to zero explicitly by call to
1872  *       sk_alloc() so need not be done here.
1873  */
1874 static int tcp_v6_init_sock(struct sock *sk)
1875 {
1876 	struct inet_connection_sock *icsk = inet_csk(sk);
1877 	struct tcp_sock *tp = tcp_sk(sk);
1878 
1879 	skb_queue_head_init(&tp->out_of_order_queue);
1880 	tcp_init_xmit_timers(sk);
1881 	tcp_prequeue_init(tp);
1882 
1883 	icsk->icsk_rto = TCP_TIMEOUT_INIT;
1884 	tp->mdev = TCP_TIMEOUT_INIT;
1885 
1886 	/* So many TCP implementations out there (incorrectly) count the
1887 	 * initial SYN frame in their delayed-ACK and congestion control
1888 	 * algorithms that we must have the following bandaid to talk
1889 	 * efficiently to them.  -DaveM
1890 	 */
1891 	tp->snd_cwnd = 2;
1892 
1893 	/* See draft-stevens-tcpca-spec-01 for discussion of the
1894 	 * initialization of these values.
1895 	 */
1896 	tp->snd_ssthresh = TCP_INFINITE_SSTHRESH;
1897 	tp->snd_cwnd_clamp = ~0;
1898 	tp->mss_cache = TCP_MSS_DEFAULT;
1899 
1900 	tp->reordering = sysctl_tcp_reordering;
1901 
1902 	sk->sk_state = TCP_CLOSE;
1903 
1904 	icsk->icsk_af_ops = &ipv6_specific;
1905 	icsk->icsk_ca_ops = &tcp_init_congestion_ops;
1906 	icsk->icsk_sync_mss = tcp_sync_mss;
1907 	sk->sk_write_space = sk_stream_write_space;
1908 	sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1909 
1910 #ifdef CONFIG_TCP_MD5SIG
1911 	tp->af_specific = &tcp_sock_ipv6_specific;
1912 #endif
1913 
1914 	/* TCP Cookie Transactions */
1915 	if (sysctl_tcp_cookie_size > 0) {
1916 		/* Default, cookies without s_data_payload. */
1917 		tp->cookie_values =
1918 			kzalloc(sizeof(*tp->cookie_values),
1919 				sk->sk_allocation);
1920 		if (tp->cookie_values != NULL)
1921 			kref_init(&tp->cookie_values->kref);
1922 	}
1923 	/* Presumed zeroed, in order of appearance:
1924 	 *	cookie_in_always, cookie_out_never,
1925 	 *	s_data_constant, s_data_in, s_data_out
1926 	 */
1927 	sk->sk_sndbuf = sysctl_tcp_wmem[1];
1928 	sk->sk_rcvbuf = sysctl_tcp_rmem[1];
1929 
1930 	local_bh_disable();
1931 	percpu_counter_inc(&tcp_sockets_allocated);
1932 	local_bh_enable();
1933 
1934 	return 0;
1935 }
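
/* Editorial summary of the above (values as of this revision): a CLOSE
 * socket with rto = mdev = TCP_TIMEOUT_INIT, a 2-segment initial cwnd,
 * an effectively unbounded ssthresh and cwnd clamp, and buffer sizes
 * taken from sysctl_tcp_{w,r}mem[1] - the same defaults the IPv4
 * tcp_v4_init_sock() uses - plus the ipv6_specific af_ops hookup.
 */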
1936 
1937 static void tcp_v6_destroy_sock(struct sock *sk)
1938 {
1939 #ifdef CONFIG_TCP_MD5SIG
1940 	/* Clean up the MD5 key list */
1941 	if (tcp_sk(sk)->md5sig_info)
1942 		tcp_v6_clear_md5_list(sk);
1943 #endif
1944 	tcp_v4_destroy_sock(sk);
1945 	inet6_destroy_sock(sk);
1946 }
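
/* Editorial note: despite its name, tcp_v4_destroy_sock() performs the
 * protocol-independent TCP teardown; inet6_destroy_sock() then releases
 * the IPv6-level state such as queued pktoptions.
 */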
1947 
1948 #ifdef CONFIG_PROC_FS
1949 /* Proc filesystem TCPv6 sock list dumping. */
1950 static void get_openreq6(struct seq_file *seq,
1951 			 struct sock *sk, struct request_sock *req, int i, int uid)
1952 {
1953 	int ttd = req->expires - jiffies;
1954 	struct in6_addr *src = &inet6_rsk(req)->loc_addr;
1955 	struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
1956 
1957 	if (ttd < 0)
1958 		ttd = 0;
1959 
1960 	seq_printf(seq,
1961 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1962 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
1963 		   i,
1964 		   src->s6_addr32[0], src->s6_addr32[1],
1965 		   src->s6_addr32[2], src->s6_addr32[3],
1966 		   ntohs(inet_rsk(req)->loc_port),
1967 		   dest->s6_addr32[0], dest->s6_addr32[1],
1968 		   dest->s6_addr32[2], dest->s6_addr32[3],
1969 		   ntohs(inet_rsk(req)->rmt_port),
1970 		   TCP_SYN_RECV,
1971 		   0, 0, /* could print option size, but that is af dependent. */
1972 		   1,   /* timers active (only the expire timer) */
1973 		   jiffies_to_clock_t(ttd),
1974 		   req->retrans,
1975 		   uid,
1976 		   0,  /* non standard timer */
1977 		   0, /* open_requests have no inode */
1978 		   0, req);
1979 }
1980 
1981 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
1982 {
1983 	struct in6_addr *dest, *src;
1984 	__u16 destp, srcp;
1985 	int timer_active;
1986 	unsigned long timer_expires;
1987 	struct inet_sock *inet = inet_sk(sp);
1988 	struct tcp_sock *tp = tcp_sk(sp);
1989 	const struct inet_connection_sock *icsk = inet_csk(sp);
1990 	struct ipv6_pinfo *np = inet6_sk(sp);
1991 
1992 	dest  = &np->daddr;
1993 	src   = &np->rcv_saddr;
1994 	destp = ntohs(inet->inet_dport);
1995 	srcp  = ntohs(inet->inet_sport);
1996 
1997 	if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
1998 		timer_active	= 1;
1999 		timer_expires	= icsk->icsk_timeout;
2000 	} else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
2001 		timer_active	= 4;
2002 		timer_expires	= icsk->icsk_timeout;
2003 	} else if (timer_pending(&sp->sk_timer)) {
2004 		timer_active	= 2;
2005 		timer_expires	= sp->sk_timer.expires;
2006 	} else {
2007 		timer_active	= 0;
2008 		timer_expires = jiffies;
2009 		timer_expires	= jiffies;
2010 
2011 	seq_printf(seq,
2012 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2013 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %lu %lu %u %u %d\n",
2014 		   i,
2015 		   src->s6_addr32[0], src->s6_addr32[1],
2016 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2017 		   dest->s6_addr32[0], dest->s6_addr32[1],
2018 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2019 		   sp->sk_state,
2020 		   tp->write_seq - tp->snd_una,
2021 		   (sp->sk_state == TCP_LISTEN) ? sp->sk_ack_backlog : (tp->rcv_nxt - tp->copied_seq),
2022 		   timer_active,
2023 		   jiffies_to_clock_t(timer_expires - jiffies),
2024 		   icsk->icsk_retransmits,
2025 		   sock_i_uid(sp),
2026 		   icsk->icsk_probes_out,
2027 		   sock_i_ino(sp),
2028 		   atomic_read(&sp->sk_refcnt), sp,
2029 		   jiffies_to_clock_t(icsk->icsk_rto),
2030 		   jiffies_to_clock_t(icsk->icsk_ack.ato),
2031 		   (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
2032 		   tp->snd_cwnd,
2033 		   tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh
2034 		   );
2035 }
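
/* Editorial aid - the columns above line up with the header emitted in
 * tcp6_seq_show(): sl, local_address, remote_address, st, tx_queue
 * (write_seq - snd_una), rx_queue (rcv_nxt - copied_seq, or the accept
 * backlog for listeners), tr:tm->when (timer type and expiry), retrnsmt,
 * uid, timeout (probes_out), inode, then refcnt, socket pointer, rto,
 * ato, quick/pingpong, cwnd and ssthresh.
 */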
2036 
2037 static void get_timewait6_sock(struct seq_file *seq,
2038 			       struct inet_timewait_sock *tw, int i)
2039 {
2040 	struct in6_addr *dest, *src;
2041 	__u16 destp, srcp;
2042 	struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
2043 	int ttd = tw->tw_ttd - jiffies;
2044 
2045 	if (ttd < 0)
2046 		ttd = 0;
2047 
2048 	dest = &tw6->tw_v6_daddr;
2049 	src  = &tw6->tw_v6_rcv_saddr;
2050 	destp = ntohs(tw->tw_dport);
2051 	srcp  = ntohs(tw->tw_sport);
2052 
2053 	seq_printf(seq,
2054 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2055 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
2056 		   i,
2057 		   src->s6_addr32[0], src->s6_addr32[1],
2058 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2059 		   dest->s6_addr32[0], dest->s6_addr32[1],
2060 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2061 		   tw->tw_substate, 0, 0,
2062 		   3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
2063 		   atomic_read(&tw->tw_refcnt), tw);
2064 }
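
/* Editorial note: TIME_WAIT entries report tw_substate instead of a full
 * socket state and hardwire timer type 3 (the TIME_WAIT timer); queue
 * sizes, uid and inode print as 0 because a timewait sock keeps none of
 * that state.
 */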
2065 
2066 static int tcp6_seq_show(struct seq_file *seq, void *v)
2067 {
2068 	struct tcp_iter_state *st;
2069 
2070 	if (v == SEQ_START_TOKEN) {
2071 		seq_puts(seq,
2072 			 "  sl  "
2073 			 "local_address                         "
2074 			 "remote_address                        "
2075 			 "st tx_queue rx_queue tr tm->when retrnsmt"
2076 			 "   uid  timeout inode\n");
2077 		goto out;
2078 	}
2079 	st = seq->private;
2080 
2081 	switch (st->state) {
2082 	case TCP_SEQ_STATE_LISTENING:
2083 	case TCP_SEQ_STATE_ESTABLISHED:
2084 		get_tcp6_sock(seq, v, st->num);
2085 		break;
2086 	case TCP_SEQ_STATE_OPENREQ:
2087 		get_openreq6(seq, st->syn_wait_sk, v, st->num, st->uid);
2088 		break;
2089 	case TCP_SEQ_STATE_TIME_WAIT:
2090 		get_timewait6_sock(seq, v, st->num);
2091 		break;
2092 	}
2093 out:
2094 	return 0;
2095 }
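
/* For illustration only (userspace, not part of this file): the seq_file
 * is consumed as plain text, e.g.
 *
 *	FILE *f = fopen("/proc/net/tcp6", "r");
 *	char line[512];
 *	if (f) {
 *		fgets(line, sizeof(line), f);	(skip the header above)
 *		while (fgets(line, sizeof(line), f))
 *			parse_tcp6_line(line);	(hypothetical parser)
 *		fclose(f);
 *	}
 *
 * which is essentially how tools like netstat enumerate IPv6 TCP sockets.
 */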
2096 
2097 static struct tcp_seq_afinfo tcp6_seq_afinfo = {
2098 	.name		= "tcp6",
2099 	.family		= AF_INET6,
2100 	.seq_fops	= {
2101 		.owner		= THIS_MODULE,
2102 	},
2103 	.seq_ops	= {
2104 		.show		= tcp6_seq_show,
2105 	},
2106 };
2107 
2108 int tcp6_proc_init(struct net *net)
2109 {
2110 	return tcp_proc_register(net, &tcp6_seq_afinfo);
2111 }
2112 
2113 void tcp6_proc_exit(struct net *net)
2114 {
2115 	tcp_proc_unregister(net, &tcp6_seq_afinfo);
2116 }
2117 #endif
2118 
2119 struct proto tcpv6_prot = {
2120 	.name			= "TCPv6",
2121 	.owner			= THIS_MODULE,
2122 	.close			= tcp_close,
2123 	.connect		= tcp_v6_connect,
2124 	.disconnect		= tcp_disconnect,
2125 	.accept			= inet_csk_accept,
2126 	.ioctl			= tcp_ioctl,
2127 	.init			= tcp_v6_init_sock,
2128 	.destroy		= tcp_v6_destroy_sock,
2129 	.shutdown		= tcp_shutdown,
2130 	.setsockopt		= tcp_setsockopt,
2131 	.getsockopt		= tcp_getsockopt,
2132 	.recvmsg		= tcp_recvmsg,
2133 	.backlog_rcv		= tcp_v6_do_rcv,
2134 	.hash			= tcp_v6_hash,
2135 	.unhash			= inet_unhash,
2136 	.get_port		= inet_csk_get_port,
2137 	.enter_memory_pressure	= tcp_enter_memory_pressure,
2138 	.sockets_allocated	= &tcp_sockets_allocated,
2139 	.memory_allocated	= &tcp_memory_allocated,
2140 	.memory_pressure	= &tcp_memory_pressure,
2141 	.orphan_count		= &tcp_orphan_count,
2142 	.sysctl_mem		= sysctl_tcp_mem,
2143 	.sysctl_wmem		= sysctl_tcp_wmem,
2144 	.sysctl_rmem		= sysctl_tcp_rmem,
2145 	.max_header		= MAX_TCP_HEADER,
2146 	.obj_size		= sizeof(struct tcp6_sock),
2147 	.slab_flags		= SLAB_DESTROY_BY_RCU,
2148 	.twsk_prot		= &tcp6_timewait_sock_ops,
2149 	.rsk_prot		= &tcp6_request_sock_ops,
2150 	.h.hashinfo		= &tcp_hashinfo,
2151 #ifdef CONFIG_COMPAT
2152 	.compat_setsockopt	= compat_tcp_setsockopt,
2153 	.compat_getsockopt	= compat_tcp_getsockopt,
2154 #endif
2155 };
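
/* Editorial note: tcpv6_prot reuses the protocol-independent tcp_*()
 * entry points wherever it can, and shares tcp_hashinfo plus the memory
 * accounting counters with IPv4, so v4 and v6 sockets live in the same
 * hash tables and draw on the same memory limits; only the rcv, hash,
 * init and destroy hooks are v6-flavoured.
 */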
2156 
2157 static const struct inet6_protocol tcpv6_protocol = {
2158 	.handler	=	tcp_v6_rcv,
2159 	.err_handler	=	tcp_v6_err,
2160 	.gso_send_check	=	tcp_v6_gso_send_check,
2161 	.gso_segment	=	tcp_tso_segment,
2162 	.gro_receive	=	tcp6_gro_receive,
2163 	.gro_complete	=	tcp6_gro_complete,
2164 	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2165 };
2166 
2167 static struct inet_protosw tcpv6_protosw = {
2168 	.type		=	SOCK_STREAM,
2169 	.protocol	=	IPPROTO_TCP,
2170 	.prot		=	&tcpv6_prot,
2171 	.ops		=	&inet6_stream_ops,
2172 	.no_check	=	0,
2173 	.flags		=	INET_PROTOSW_PERMANENT |
2174 				INET_PROTOSW_ICSK,
2175 };
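
/* Editorial note: inet6_register_protosw() makes this entry what
 * socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) resolves to, pairing
 * tcpv6_prot with the generic inet6_stream_ops; INET_PROTOSW_PERMANENT
 * marks it as a built-in entry that cannot be overridden.
 */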
2176 
2177 static int tcpv6_net_init(struct net *net)
2178 {
2179 	return inet_ctl_sock_create(&net->ipv6.tcp_sk, PF_INET6,
2180 				    SOCK_RAW, IPPROTO_TCP, net);
2181 }
2182 
2183 static void tcpv6_net_exit(struct net *net)
2184 {
2185 	inet_ctl_sock_destroy(net->ipv6.tcp_sk);
2186 }
2187 
2188 static void tcpv6_net_exit_batch(struct list_head *net_exit_list)
2189 {
2190 	inet_twsk_purge(&tcp_hashinfo, &tcp_death_row, AF_INET6);
2191 }
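
/* Editorial note: the purge lives in exit_batch rather than the per-net
 * exit hook so that a single walk of the shared tcp_hashinfo drops the
 * AF_INET6 timewait sockets for every namespace in the dying batch,
 * instead of rescanning the table once per namespace.
 */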
2192 
2193 static struct pernet_operations tcpv6_net_ops = {
2194 	.init	    = tcpv6_net_init,
2195 	.exit	    = tcpv6_net_exit,
2196 	.exit_batch = tcpv6_net_exit_batch,
2197 };
2198 
2199 int __init tcpv6_init(void)
2200 {
2201 	int ret;
2202 
2203 	ret = inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP);
2204 	if (ret)
2205 		goto out;
2206 
2207 	/* register inet6 protocol */
2208 	ret = inet6_register_protosw(&tcpv6_protosw);
2209 	if (ret)
2210 		goto out_tcpv6_protocol;
2211 
2212 	ret = register_pernet_subsys(&tcpv6_net_ops);
2213 	if (ret)
2214 		goto out_tcpv6_protosw;
2215 out:
2216 	return ret;
2217 
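/* Error unwind, in reverse order of registration: a failed
 * register_pernet_subsys() must drop both the protosw and the protocol,
 * while a failed inet6_register_protosw() only drops the protocol.
 */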
2218 out_tcpv6_protosw:
2219 	inet6_unregister_protosw(&tcpv6_protosw);
2220 out_tcpv6_protocol:
2221 	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2222 	goto out;
2223 }
2224 
2225 void tcpv6_exit(void)
2226 {
2227 	unregister_pernet_subsys(&tcpv6_net_ops);
2228 	inet6_unregister_protosw(&tcpv6_protosw);
2229 	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2230 }
2231