/*
 *	TCP over IPv6
 *	Linux INET6 implementation
 *
 *	Authors:
 *	Pedro Roque		<roque@di.fc.ul.pt>
 *
 *	$Id: tcp_ipv6.c,v 1.144 2002/02/01 22:01:04 davem Exp $
 *
 *	Based on:
 *	linux/net/ipv4/tcp.c
 *	linux/net/ipv4/tcp_input.c
 *	linux/net/ipv4/tcp_output.c
 *
 *	Fixes:
 *	Hideaki YOSHIFUJI	:	sin6_scope_id support
 *	YOSHIFUJI Hideaki @USAGI and:	Support IPV6_V6ONLY socket option, which
 *	Alexey Kuznetsov		allows both IPv4 and IPv6 sockets to bind
 *					a single port at the same time.
 *	YOSHIFUJI Hideaki @USAGI:	convert /proc/net/tcp6 to seq_file.
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License
 *	as published by the Free Software Foundation; either version
 *	2 of the License, or (at your option) any later version.
 */

#include <linux/module.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/socket.h>
#include <linux/sockios.h>
#include <linux/net.h>
#include <linux/jiffies.h>
#include <linux/in.h>
#include <linux/in6.h>
#include <linux/netdevice.h>
#include <linux/init.h>
#include <linux/jhash.h>
#include <linux/ipsec.h>
#include <linux/times.h>

#include <linux/ipv6.h>
#include <linux/icmpv6.h>
#include <linux/random.h>

#include <net/tcp.h>
#include <net/ndisc.h>
#include <net/inet6_hashtables.h>
#include <net/inet6_connection_sock.h>
#include <net/ipv6.h>
#include <net/transp_v6.h>
#include <net/addrconf.h>
#include <net/ip6_route.h>
#include <net/ip6_checksum.h>
#include <net/inet_ecn.h>
#include <net/protocol.h>
#include <net/xfrm.h>
#include <net/snmp.h>
#include <net/dsfield.h>
#include <net/timewait_sock.h>

#include <asm/uaccess.h>

#include <linux/proc_fs.h>
#include <linux/seq_file.h>

#include <linux/crypto.h>
#include <linux/scatterlist.h>

/* Socket used for sending RSTs and ACKs */
static struct socket *tcp6_socket;

static void	tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb);
static void	tcp_v6_reqsk_send_ack(struct sk_buff *skb, struct request_sock *req);
static void	tcp_v6_send_check(struct sock *sk, int len,
				  struct sk_buff *skb);

static int	tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);

static struct inet_connection_sock_af_ops ipv6_mapped;
static struct inet_connection_sock_af_ops ipv6_specific;
#ifdef CONFIG_TCP_MD5SIG
static struct tcp_sock_af_ops tcp_sock_ipv6_specific;
static struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
#endif

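/*
 * Bind-time port selection: the generic inet_csk_get_port() does the
 * real work; the only IPv6-specific part is the bind conflict
 * callback, which compares addresses with v6 (and v4-mapped)
 * semantics.
 */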
static int tcp_v6_get_port(struct sock *sk, unsigned short snum)
{
	return inet_csk_get_port(&tcp_hashinfo, sk, snum,
				 inet6_csk_bind_conflict);
}

static void tcp_v6_hash(struct sock *sk)
{
	if (sk->sk_state != TCP_CLOSE) {
		if (inet_csk(sk)->icsk_af_ops == &ipv6_mapped) {
			tcp_prot.hash(sk);
			return;
		}
		local_bh_disable();
		__inet6_hash(&tcp_hashinfo, sk);
		local_bh_enable();
	}
}

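/*
 * Checksum over the IPv6 pseudo-header (RFC 2460, section 8.1):
 * source and destination addresses, upper-layer payload length and
 * next-header value, combined with @base, a partial checksum over
 * the TCP header and data.
 */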
static __inline__ __sum16 tcp_v6_check(struct tcphdr *th, int len,
				       struct in6_addr *saddr,
				       struct in6_addr *daddr,
				       __wsum base)
{
	return csum_ipv6_magic(saddr, daddr, len, IPPROTO_TCP, base);
}

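/*
 * The initial sequence number is derived from the connection's
 * four-tuple via a keyed one-way hash, making ISNs hard for an
 * off-path attacker to predict.
 */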
static __u32 tcp_v6_init_sequence(struct sk_buff *skb)
{
	return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
					    ipv6_hdr(skb)->saddr.s6_addr32,
					    tcp_hdr(skb)->dest,
					    tcp_hdr(skb)->source);
}

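/*
 * Active open: resolve any flow label, divert v4-mapped destinations
 * to the IPv4 code, route the flow (honouring a routing header, if
 * set), choose a source address when the socket is unbound, and kick
 * off the SYN with tcp_connect().
 */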
static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
			  int addr_len)
{
	struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
	struct inet_sock *inet = inet_sk(sk);
	struct inet_connection_sock *icsk = inet_csk(sk);
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp = tcp_sk(sk);
	struct in6_addr *saddr = NULL, *final_p = NULL, final;
	struct flowi fl;
	struct dst_entry *dst;
	int addr_type;
	int err;

	if (addr_len < SIN6_LEN_RFC2133)
		return -EINVAL;

	if (usin->sin6_family != AF_INET6)
		return -EAFNOSUPPORT;

	memset(&fl, 0, sizeof(fl));

	if (np->sndflow) {
		fl.fl6_flowlabel = usin->sin6_flowinfo & IPV6_FLOWINFO_MASK;
		IP6_ECN_flow_init(fl.fl6_flowlabel);
		if (fl.fl6_flowlabel & IPV6_FLOWLABEL_MASK) {
			struct ip6_flowlabel *flowlabel;
			flowlabel = fl6_sock_lookup(sk, fl.fl6_flowlabel);
			if (flowlabel == NULL)
				return -EINVAL;
			ipv6_addr_copy(&usin->sin6_addr, &flowlabel->dst);
			fl6_sock_release(flowlabel);
		}
	}

	/*
	 *	connect() to INADDR_ANY means loopback (BSD'ism).
	 */

	if (ipv6_addr_any(&usin->sin6_addr))
		usin->sin6_addr.s6_addr[15] = 0x1;

	addr_type = ipv6_addr_type(&usin->sin6_addr);

	if (addr_type & IPV6_ADDR_MULTICAST)
		return -ENETUNREACH;

	if (addr_type & IPV6_ADDR_LINKLOCAL) {
		if (addr_len >= sizeof(struct sockaddr_in6) &&
		    usin->sin6_scope_id) {
			/* If an interface was set while binding, the
			 * indices must coincide.
			 */
			if (sk->sk_bound_dev_if &&
			    sk->sk_bound_dev_if != usin->sin6_scope_id)
				return -EINVAL;

			sk->sk_bound_dev_if = usin->sin6_scope_id;
		}

		/* Connecting to a link-local address requires an interface */
		if (!sk->sk_bound_dev_if)
			return -EINVAL;
	}

	if (tp->rx_opt.ts_recent_stamp &&
	    !ipv6_addr_equal(&np->daddr, &usin->sin6_addr)) {
		tp->rx_opt.ts_recent = 0;
		tp->rx_opt.ts_recent_stamp = 0;
		tp->write_seq = 0;
	}

	ipv6_addr_copy(&np->daddr, &usin->sin6_addr);
	np->flow_label = fl.fl6_flowlabel;

	/*
	 *	TCP over IPv4
	 */

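	/*
	 * A v4-mapped destination means this is really an IPv4
	 * connection: switch the socket to the mapped af_ops and hand
	 * over to tcp_v4_connect(). On failure the native IPv6 ops
	 * are restored so the socket remains usable.
	 */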
	if (addr_type == IPV6_ADDR_MAPPED) {
		u32 exthdrlen = icsk->icsk_ext_hdr_len;
		struct sockaddr_in sin;

		SOCK_DEBUG(sk, "connect: ipv4 mapped\n");

		if (__ipv6_only_sock(sk))
			return -ENETUNREACH;

		sin.sin_family = AF_INET;
		sin.sin_port = usin->sin6_port;
		sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];

		icsk->icsk_af_ops = &ipv6_mapped;
		sk->sk_backlog_rcv = tcp_v4_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
		tp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif

		err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));

		if (err) {
			icsk->icsk_ext_hdr_len = exthdrlen;
			icsk->icsk_af_ops = &ipv6_specific;
			sk->sk_backlog_rcv = tcp_v6_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
			tp->af_specific = &tcp_sock_ipv6_specific;
#endif
			goto failure;
		} else {
			ipv6_addr_set(&np->saddr, 0, 0, htonl(0x0000FFFF),
				      inet->saddr);
			ipv6_addr_set(&np->rcv_saddr, 0, 0, htonl(0x0000FFFF),
				      inet->rcv_saddr);
		}

		return err;
	}

	if (!ipv6_addr_any(&np->rcv_saddr))
		saddr = &np->rcv_saddr;

	fl.proto = IPPROTO_TCP;
	ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
	ipv6_addr_copy(&fl.fl6_src,
		       (saddr ? saddr : &np->saddr));
	fl.oif = sk->sk_bound_dev_if;
	fl.fl_ip_dport = usin->sin6_port;
	fl.fl_ip_sport = inet->sport;

	if (np->opt && np->opt->srcrt) {
		struct rt0_hdr *rt0 = (struct rt0_hdr *)np->opt->srcrt;
		ipv6_addr_copy(&final, &fl.fl6_dst);
		ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
		final_p = &final;
	}

	security_sk_classify_flow(sk, &fl);

	err = ip6_dst_lookup(sk, &dst, &fl);
	if (err)
		goto failure;
	if (final_p)
		ipv6_addr_copy(&fl.fl6_dst, final_p);

	if ((err = xfrm_lookup(&dst, &fl, sk, 1)) < 0)
		goto failure;

	if (saddr == NULL) {
		saddr = &fl.fl6_src;
		ipv6_addr_copy(&np->rcv_saddr, saddr);
	}

	/* set the source address */
	ipv6_addr_copy(&np->saddr, saddr);
	inet->rcv_saddr = LOOPBACK4_IPV6;

	sk->sk_gso_type = SKB_GSO_TCPV6;
	__ip6_dst_store(sk, dst, NULL, NULL);

	icsk->icsk_ext_hdr_len = 0;
	if (np->opt)
		icsk->icsk_ext_hdr_len = (np->opt->opt_flen +
					  np->opt->opt_nflen);

	tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);

	inet->dport = usin->sin6_port;

	tcp_set_state(sk, TCP_SYN_SENT);
	err = inet6_hash_connect(&tcp_death_row, sk);
	if (err)
		goto late_failure;

	if (!tp->write_seq)
		tp->write_seq = secure_tcpv6_sequence_number(np->saddr.s6_addr32,
							     np->daddr.s6_addr32,
							     inet->sport,
							     inet->dport);

	err = tcp_connect(sk);
	if (err)
		goto late_failure;

	return 0;

late_failure:
	tcp_set_state(sk, TCP_CLOSE);
	__sk_dst_reset(sk);
failure:
	inet->dport = 0;
	sk->sk_route_caps = 0;
	return err;
}

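/*
 * ICMPv6 error handler. For PKT_TOOBIG we sync the cached MSS to the
 * new path MTU and retransmit; other errors are converted into
 * socket errors - fatal for SYN_SENT/SYN_RECV, soft otherwise unless
 * the user enabled IPV6_RECVERR.
 */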
static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
		       int type, int code, int offset, __be32 info)
{
	struct ipv6hdr *hdr = (struct ipv6hdr *)skb->data;
	const struct tcphdr *th = (struct tcphdr *)(skb->data + offset);
	struct ipv6_pinfo *np;
	struct sock *sk;
	int err;
	struct tcp_sock *tp;
	__u32 seq;

	sk = inet6_lookup(&tcp_hashinfo, &hdr->daddr, th->dest, &hdr->saddr,
			  th->source, skb->dev->ifindex);

	if (sk == NULL) {
		ICMP6_INC_STATS_BH(__in6_dev_get(skb->dev), ICMP6_MIB_INERRORS);
		return;
	}

	if (sk->sk_state == TCP_TIME_WAIT) {
		inet_twsk_put(inet_twsk(sk));
		return;
	}

	bh_lock_sock(sk);
	if (sock_owned_by_user(sk))
		NET_INC_STATS_BH(LINUX_MIB_LOCKDROPPEDICMPS);

	if (sk->sk_state == TCP_CLOSE)
		goto out;

	tp = tcp_sk(sk);
	seq = ntohl(th->seq);
	if (sk->sk_state != TCP_LISTEN &&
	    !between(seq, tp->snd_una, tp->snd_nxt)) {
		NET_INC_STATS_BH(LINUX_MIB_OUTOFWINDOWICMPS);
		goto out;
	}

	np = inet6_sk(sk);

	if (type == ICMPV6_PKT_TOOBIG) {
		struct dst_entry *dst = NULL;

		if (sock_owned_by_user(sk))
			goto out;
		if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
			goto out;

		/* icmp should have updated the destination cache entry */
		dst = __sk_dst_check(sk, np->dst_cookie);

		if (dst == NULL) {
			struct inet_sock *inet = inet_sk(sk);
			struct flowi fl;

			/* BUGGG_FUTURE: Again, it is not clear how
			   to handle the rthdr case. Ignore this complexity
			   for now.
			 */
			memset(&fl, 0, sizeof(fl));
			fl.proto = IPPROTO_TCP;
			ipv6_addr_copy(&fl.fl6_dst, &np->daddr);
			ipv6_addr_copy(&fl.fl6_src, &np->saddr);
			fl.oif = sk->sk_bound_dev_if;
			fl.fl_ip_dport = inet->dport;
			fl.fl_ip_sport = inet->sport;
			security_skb_classify_flow(skb, &fl);

			if ((err = ip6_dst_lookup(sk, &dst, &fl))) {
				sk->sk_err_soft = -err;
				goto out;
			}

			if ((err = xfrm_lookup(&dst, &fl, sk, 0)) < 0) {
				sk->sk_err_soft = -err;
				goto out;
			}

		} else
			dst_hold(dst);

		if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
			tcp_sync_mss(sk, dst_mtu(dst));
			tcp_simple_retransmit(sk);
		} /* else let the usual retransmit timer handle it */
		dst_release(dst);
		goto out;
	}

	icmpv6_err_convert(type, code, &err);

	/* Might be for a request_sock */
	switch (sk->sk_state) {
		struct request_sock *req, **prev;
	case TCP_LISTEN:
		if (sock_owned_by_user(sk))
			goto out;

		req = inet6_csk_search_req(sk, &prev, th->dest, &hdr->daddr,
					   &hdr->saddr, inet6_iif(skb));
		if (!req)
			goto out;

		/* ICMPs are not backlogged, hence we cannot get
		 * an established socket here.
		 */
		BUG_TRAP(req->sk == NULL);

		if (seq != tcp_rsk(req)->snt_isn) {
			NET_INC_STATS_BH(LINUX_MIB_OUTOFWINDOWICMPS);
			goto out;
		}

		inet_csk_reqsk_queue_drop(sk, req, prev);
		goto out;

	case TCP_SYN_SENT:
	case TCP_SYN_RECV:  /* Cannot happen.
			       It can, if SYNs are crossed. --ANK */
		if (!sock_owned_by_user(sk)) {
			sk->sk_err = err;
			sk->sk_error_report(sk);	/* Wake people up to see the error (see connect in sock.c) */

			tcp_done(sk);
		} else
			sk->sk_err_soft = err;
		goto out;
	}

	if (!sock_owned_by_user(sk) && np->recverr) {
		sk->sk_err = err;
		sk->sk_error_report(sk);
	} else
		sk->sk_err_soft = err;

out:
	bh_unlock_sock(sk);
	sock_put(sk);
}

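/*
 * Send (or resend) a SYN+ACK for a pending connection request. When
 * no route is supplied we build the flow from the request sock,
 * taking a stored routing header into account when picking the final
 * destination.
 */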
static int tcp_v6_send_synack(struct sock *sk, struct request_sock *req,
			      struct dst_entry *dst)
{
	struct inet6_request_sock *treq = inet6_rsk(req);
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct sk_buff *skb;
	struct ipv6_txoptions *opt = NULL;
	struct in6_addr *final_p = NULL, final;
	struct flowi fl;
	int err = -1;

	memset(&fl, 0, sizeof(fl));
	fl.proto = IPPROTO_TCP;
	ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
	ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
	fl.fl6_flowlabel = 0;
	fl.oif = treq->iif;
	fl.fl_ip_dport = inet_rsk(req)->rmt_port;
	fl.fl_ip_sport = inet_sk(sk)->sport;
	security_req_classify_flow(req, &fl);

	if (dst == NULL) {
		opt = np->opt;
		if (opt == NULL &&
		    np->rxopt.bits.osrcrt == 2 &&
		    treq->pktopts) {
			struct sk_buff *pktopts = treq->pktopts;
			struct inet6_skb_parm *rxopt = IP6CB(pktopts);
			if (rxopt->srcrt)
				opt = ipv6_invert_rthdr(sk,
			  (struct ipv6_rt_hdr *)(skb_network_header(pktopts) +
						 rxopt->srcrt));
		}

		if (opt && opt->srcrt) {
			struct rt0_hdr *rt0 = (struct rt0_hdr *) opt->srcrt;
			ipv6_addr_copy(&final, &fl.fl6_dst);
			ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
			final_p = &final;
		}

		err = ip6_dst_lookup(sk, &dst, &fl);
		if (err)
			goto done;
		if (final_p)
			ipv6_addr_copy(&fl.fl6_dst, final_p);
		if ((err = xfrm_lookup(&dst, &fl, sk, 0)) < 0)
			goto done;
	}

	skb = tcp_make_synack(sk, dst, req);
	if (skb) {
		struct tcphdr *th = tcp_hdr(skb);

		th->check = tcp_v6_check(th, skb->len,
					 &treq->loc_addr, &treq->rmt_addr,
					 csum_partial((char *)th, skb->len, skb->csum));

		ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
		err = ip6_xmit(sk, skb, &fl, opt, 0);
		err = net_xmit_eval(err);
	}

done:
	if (opt && opt != np->opt)
		sock_kfree_s(sk, opt, opt->tot_len);
	dst_release(dst);
	return err;
}

static void tcp_v6_reqsk_destructor(struct request_sock *req)
{
	if (inet6_rsk(req)->pktopts)
		kfree_skb(inet6_rsk(req)->pktopts);
}

#ifdef CONFIG_TCP_MD5SIG
static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(struct sock *sk,
						   struct in6_addr *addr)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	BUG_ON(tp == NULL);

	if (!tp->md5sig_info || !tp->md5sig_info->entries6)
		return NULL;

	for (i = 0; i < tp->md5sig_info->entries6; i++) {
		if (ipv6_addr_cmp(&tp->md5sig_info->keys6[i].addr, addr) == 0)
			return (struct tcp_md5sig_key *)&tp->md5sig_info->keys6[i];
	}
	return NULL;
}

static struct tcp_md5sig_key *tcp_v6_md5_lookup(struct sock *sk,
						struct sock *addr_sk)
{
	return tcp_v6_md5_do_lookup(sk, &inet6_sk(addr_sk)->daddr);
}

static struct tcp_md5sig_key *tcp_v6_reqsk_md5_lookup(struct sock *sk,
						      struct request_sock *req)
{
	return tcp_v6_md5_do_lookup(sk, &inet6_rsk(req)->rmt_addr);
}

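/*
 * Insert or update the MD5 key for @peer. The key array grows by one
 * slot per addition; ownership of @newkey passes to the table (it is
 * kfree()d here on failure), so the caller must not free it.
 */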
static int tcp_v6_md5_do_add(struct sock *sk, struct in6_addr *peer,
			     char *newkey, u8 newkeylen)
{
	/* Add key to the list */
	struct tcp6_md5sig_key *key;
	struct tcp_sock *tp = tcp_sk(sk);
	struct tcp6_md5sig_key *keys;

	key = (struct tcp6_md5sig_key *) tcp_v6_md5_do_lookup(sk, peer);
	if (key) {
		/* modify existing entry - just update that one */
		kfree(key->key);
		key->key = newkey;
		key->keylen = newkeylen;
	} else {
		/* reallocate new list if current one is full. */
		if (!tp->md5sig_info) {
			tp->md5sig_info = kzalloc(sizeof(*tp->md5sig_info), GFP_ATOMIC);
			if (!tp->md5sig_info) {
				kfree(newkey);
				return -ENOMEM;
			}
		}
		tcp_alloc_md5sig_pool();
		if (tp->md5sig_info->alloced6 == tp->md5sig_info->entries6) {
			keys = kmalloc((sizeof(tp->md5sig_info->keys6[0]) *
					(tp->md5sig_info->entries6 + 1)), GFP_ATOMIC);

			if (!keys) {
				tcp_free_md5sig_pool();
				kfree(newkey);
				return -ENOMEM;
			}

			if (tp->md5sig_info->entries6)
				memmove(keys, tp->md5sig_info->keys6,
					(sizeof(tp->md5sig_info->keys6[0]) *
					 tp->md5sig_info->entries6));

			kfree(tp->md5sig_info->keys6);
			tp->md5sig_info->keys6 = keys;
			tp->md5sig_info->alloced6++;
		}

		ipv6_addr_copy(&tp->md5sig_info->keys6[tp->md5sig_info->entries6].addr,
			       peer);
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].key = newkey;
		tp->md5sig_info->keys6[tp->md5sig_info->entries6].keylen = newkeylen;

		tp->md5sig_info->entries6++;
	}
	return 0;
}

static int tcp_v6_md5_add_func(struct sock *sk, struct sock *addr_sk,
			       u8 *newkey, __u8 newkeylen)
{
	return tcp_v6_md5_do_add(sk, &inet6_sk(addr_sk)->daddr,
				 newkey, newkeylen);
}

static int tcp_v6_md5_do_del(struct sock *sk, struct in6_addr *peer)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	for (i = 0; i < tp->md5sig_info->entries6; i++) {
		if (ipv6_addr_cmp(&tp->md5sig_info->keys6[i].addr, peer) == 0) {
			/* Free the key */
			kfree(tp->md5sig_info->keys6[i].key);
			tp->md5sig_info->entries6--;

			if (tp->md5sig_info->entries6 == 0) {
				kfree(tp->md5sig_info->keys6);
				tp->md5sig_info->keys6 = NULL;

				tcp_free_md5sig_pool();

				return 0;
			} else {
				/* shrink the database */
				if (tp->md5sig_info->entries6 != i)
					memmove(&tp->md5sig_info->keys6[i],
						&tp->md5sig_info->keys6[i+1],
						(tp->md5sig_info->entries6 - i)
						* sizeof(tp->md5sig_info->keys6[0]));
			}
		}
	}
	return -ENOENT;
}

static void tcp_v6_clear_md5_list(struct sock *sk)
{
	struct tcp_sock *tp = tcp_sk(sk);
	int i;

	if (tp->md5sig_info->entries6) {
		for (i = 0; i < tp->md5sig_info->entries6; i++)
			kfree(tp->md5sig_info->keys6[i].key);
		tp->md5sig_info->entries6 = 0;
		tcp_free_md5sig_pool();
	}

	kfree(tp->md5sig_info->keys6);
	tp->md5sig_info->keys6 = NULL;
	tp->md5sig_info->alloced6 = 0;

	if (tp->md5sig_info->entries4) {
		for (i = 0; i < tp->md5sig_info->entries4; i++)
			kfree(tp->md5sig_info->keys4[i].key);
		tp->md5sig_info->entries4 = 0;
		tcp_free_md5sig_pool();
	}

	kfree(tp->md5sig_info->keys4);
	tp->md5sig_info->keys4 = NULL;
	tp->md5sig_info->alloced4 = 0;
}

static int tcp_v6_parse_md5_keys(struct sock *sk, char __user *optval,
				 int optlen)
{
	struct tcp_md5sig cmd;
	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
	u8 *newkey;

	if (optlen < sizeof(cmd))
		return -EINVAL;

	if (copy_from_user(&cmd, optval, sizeof(cmd)))
		return -EFAULT;

	if (sin6->sin6_family != AF_INET6)
		return -EINVAL;

	if (!cmd.tcpm_keylen) {
		if (!tcp_sk(sk)->md5sig_info)
			return -ENOENT;
		if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_MAPPED)
			return tcp_v4_md5_do_del(sk, sin6->sin6_addr.s6_addr32[3]);
		return tcp_v6_md5_do_del(sk, &sin6->sin6_addr);
	}

	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
		return -EINVAL;

	if (!tcp_sk(sk)->md5sig_info) {
		struct tcp_sock *tp = tcp_sk(sk);
		struct tcp_md5sig_info *p;

		p = kzalloc(sizeof(struct tcp_md5sig_info), GFP_KERNEL);
		if (!p)
			return -ENOMEM;

		tp->md5sig_info = p;
	}

	newkey = kmemdup(cmd.tcpm_key, cmd.tcpm_keylen, GFP_KERNEL);
	if (!newkey)
		return -ENOMEM;
	if (ipv6_addr_type(&sin6->sin6_addr) & IPV6_ADDR_MAPPED) {
		return tcp_v4_md5_do_add(sk, sin6->sin6_addr.s6_addr32[3],
					 newkey, cmd.tcpm_keylen);
	}
	return tcp_v6_md5_do_add(sk, &sin6->sin6_addr, newkey, cmd.tcpm_keylen);
}

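/*
 * Compute the RFC 2385 TCP-MD5 signature. The digest covers, in
 * order: the pseudo-header, the TCP header with its checksum zeroed
 * (options excluded), any payload, and the shared key - gathered
 * into a scatterlist and run through the per-CPU md5 pool.
 */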
static int tcp_v6_do_calc_md5_hash(char *md5_hash, struct tcp_md5sig_key *key,
				   struct in6_addr *saddr,
				   struct in6_addr *daddr,
				   struct tcphdr *th, int protocol,
				   int tcplen)
{
	struct scatterlist sg[4];
	__u16 data_len;
	int block = 0;
	__sum16 cksum;
	struct tcp_md5sig_pool *hp;
	struct tcp6_pseudohdr *bp;
	struct hash_desc *desc;
	int err;
	unsigned int nbytes = 0;

	hp = tcp_get_md5sig_pool();
	if (!hp) {
		printk(KERN_WARNING "%s(): hash pool not found...\n", __FUNCTION__);
		goto clear_hash_noput;
	}
	bp = &hp->md5_blk.ip6;
	desc = &hp->md5_desc;

	/* 1. TCP pseudo-header (RFC 2460) */
	ipv6_addr_copy(&bp->saddr, saddr);
	ipv6_addr_copy(&bp->daddr, daddr);
	bp->len = htonl(tcplen);
	bp->protocol = htonl(protocol);

	sg_set_buf(&sg[block++], bp, sizeof(*bp));
	nbytes += sizeof(*bp);

	/* 2. TCP header, excluding options */
	cksum = th->check;
	th->check = 0;
	sg_set_buf(&sg[block++], th, sizeof(*th));
	nbytes += sizeof(*th);

	/* 3. TCP segment data (if any) */
	data_len = tcplen - (th->doff << 2);
	if (data_len > 0) {
		u8 *data = (u8 *)th + (th->doff << 2);
		sg_set_buf(&sg[block++], data, data_len);
		nbytes += data_len;
	}

	/* 4. shared key */
	sg_set_buf(&sg[block++], key->key, key->keylen);
	nbytes += key->keylen;

	/* Now store the hash into the packet */
	err = crypto_hash_init(desc);
	if (err) {
		printk(KERN_WARNING "%s(): hash_init failed\n", __FUNCTION__);
		goto clear_hash;
	}
	err = crypto_hash_update(desc, sg, nbytes);
	if (err) {
		printk(KERN_WARNING "%s(): hash_update failed\n", __FUNCTION__);
		goto clear_hash;
	}
	err = crypto_hash_final(desc, md5_hash);
	if (err) {
		printk(KERN_WARNING "%s(): hash_final failed\n", __FUNCTION__);
		goto clear_hash;
	}

	/* Reset the header, and free up the crypto */
	tcp_put_md5sig_pool();
	th->check = cksum;
out:
	return 0;
clear_hash:
	tcp_put_md5sig_pool();
clear_hash_noput:
	memset(md5_hash, 0, 16);
	goto out;
}

static int tcp_v6_calc_md5_hash(char *md5_hash, struct tcp_md5sig_key *key,
				struct sock *sk,
				struct dst_entry *dst,
				struct request_sock *req,
				struct tcphdr *th, int protocol,
				int tcplen)
{
	struct in6_addr *saddr, *daddr;

	if (sk) {
		saddr = &inet6_sk(sk)->saddr;
		daddr = &inet6_sk(sk)->daddr;
	} else {
		saddr = &inet6_rsk(req)->loc_addr;
		daddr = &inet6_rsk(req)->rmt_addr;
	}
	return tcp_v6_do_calc_md5_hash(md5_hash, key,
				       saddr, daddr,
				       th, protocol, tcplen);
}

static int tcp_v6_inbound_md5_hash(struct sock *sk, struct sk_buff *skb)
{
	__u8 *hash_location = NULL;
	struct tcp_md5sig_key *hash_expected;
	struct ipv6hdr *ip6h = ipv6_hdr(skb);
	struct tcphdr *th = tcp_hdr(skb);
	int length = (th->doff << 2) - sizeof(*th);
	int genhash;
	u8 *ptr;
	u8 newhash[16];

	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);

	/* If the TCP option is too short, we can short-cut */
	if (length < TCPOLEN_MD5SIG)
		return hash_expected ? 1 : 0;

	/* parse options */
	ptr = (u8 *)(th + 1);
	while (length > 0) {
		int opcode = *ptr++;
		int opsize;

		switch (opcode) {
		case TCPOPT_EOL:
			goto done_opts;
		case TCPOPT_NOP:
			length--;
			continue;
		default:
			opsize = *ptr++;
			if (opsize < 2 || opsize > length)
				goto done_opts;
			if (opcode == TCPOPT_MD5SIG) {
				hash_location = ptr;
				goto done_opts;
			}
		}
		ptr += opsize - 2;
		length -= opsize;
	}

done_opts:
	/* do we have a hash as expected? */
	if (!hash_expected) {
		if (!hash_location)
			return 0;
		if (net_ratelimit()) {
			printk(KERN_INFO "MD5 Hash NOT expected but found "
			       "(" NIP6_FMT ", %u)->"
			       "(" NIP6_FMT ", %u)\n",
			       NIP6(ip6h->saddr), ntohs(th->source),
			       NIP6(ip6h->daddr), ntohs(th->dest));
		}
		return 1;
	}

	if (!hash_location) {
		if (net_ratelimit()) {
			printk(KERN_INFO "MD5 Hash expected but NOT found "
			       "(" NIP6_FMT ", %u)->"
			       "(" NIP6_FMT ", %u)\n",
			       NIP6(ip6h->saddr), ntohs(th->source),
			       NIP6(ip6h->daddr), ntohs(th->dest));
		}
		return 1;
	}

	/* check the signature */
	genhash = tcp_v6_do_calc_md5_hash(newhash,
					  hash_expected,
					  &ip6h->saddr, &ip6h->daddr,
					  th, sk->sk_protocol,
					  skb->len);
	if (genhash || memcmp(hash_location, newhash, 16) != 0) {
		if (net_ratelimit()) {
			printk(KERN_INFO "MD5 Hash %s for "
			       "(" NIP6_FMT ", %u)->"
			       "(" NIP6_FMT ", %u)\n",
			       genhash ? "failed" : "mismatch",
			       NIP6(ip6h->saddr), ntohs(th->source),
			       NIP6(ip6h->daddr), ntohs(th->dest));
		}
		return 1;
	}
	return 0;
}
#endif

static struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
	.family		=	AF_INET6,
	.obj_size	=	sizeof(struct tcp6_request_sock),
	.rtx_syn_ack	=	tcp_v6_send_synack,
	.send_ack	=	tcp_v6_reqsk_send_ack,
	.destructor	=	tcp_v6_reqsk_destructor,
	.send_reset	=	tcp_v6_send_reset
};

#ifdef CONFIG_TCP_MD5SIG
static struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
	.md5_lookup	=	tcp_v6_reqsk_md5_lookup,
};
#endif

static struct timewait_sock_ops tcp6_timewait_sock_ops = {
	.twsk_obj_size	= sizeof(struct tcp6_timewait_sock),
	.twsk_unique	= tcp_twsk_unique,
	.twsk_destructor= tcp_twsk_destructor,
};

static void tcp_v6_send_check(struct sock *sk, int len, struct sk_buff *skb)
{
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcphdr *th = tcp_hdr(skb);

	if (skb->ip_summed == CHECKSUM_PARTIAL) {
		th->check = ~csum_ipv6_magic(&np->saddr, &np->daddr, len, IPPROTO_TCP, 0);
		skb->csum_start = skb_transport_header(skb) - skb->head;
		skb->csum_offset = offsetof(struct tcphdr, check);
	} else {
		th->check = csum_ipv6_magic(&np->saddr, &np->daddr, len, IPPROTO_TCP,
					    csum_partial((char *)th, th->doff << 2,
							 skb->csum));
	}
}

static int tcp_v6_gso_send_check(struct sk_buff *skb)
{
	struct ipv6hdr *ipv6h;
	struct tcphdr *th;

	if (!pskb_may_pull(skb, sizeof(*th)))
		return -EINVAL;

	ipv6h = ipv6_hdr(skb);
	th = tcp_hdr(skb);

	th->check = 0;
	th->check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr, skb->len,
				     IPPROTO_TCP, 0);
	skb->csum_start = skb_transport_header(skb) - skb->head;
	skb->csum_offset = offsetof(struct tcphdr, check);
	skb->ip_summed = CHECKSUM_PARTIAL;
	return 0;
}

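/*
 * Build and send a RST for @skb, per RFC 793: if the offending
 * segment carried an ACK, reuse its ack_seq as our sequence number;
 * otherwise send seq 0 and ACK everything the segment occupied.
 * A RST never answers a RST, so endpoints cannot chase each other
 * with resets.
 */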
static void tcp_v6_send_reset(struct sock *sk, struct sk_buff *skb)
{
	struct tcphdr *th = tcp_hdr(skb), *t1;
	struct sk_buff *buff;
	struct flowi fl;
	int tot_len = sizeof(*th);
#ifdef CONFIG_TCP_MD5SIG
	struct tcp_md5sig_key *key;
#endif

	if (th->rst)
		return;

	if (!ipv6_unicast_destination(skb))
		return;

#ifdef CONFIG_TCP_MD5SIG
	if (sk)
		key = tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->daddr);
	else
		key = NULL;

	if (key)
		tot_len += TCPOLEN_MD5SIG_ALIGNED;
#endif

	/*
	 * We need to grab some memory, and put together an RST,
	 * and then put it into the queue to be sent.
	 */

	buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
			 GFP_ATOMIC);
	if (buff == NULL)
		return;

	skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);

	t1 = (struct tcphdr *) skb_push(buff, tot_len);

	/* Swap the send and the receive. */
	memset(t1, 0, sizeof(*t1));
	t1->dest = th->source;
	t1->source = th->dest;
	t1->doff = tot_len / 4;
	t1->rst = 1;

	if (th->ack) {
		t1->seq = th->ack_seq;
	} else {
		t1->ack = 1;
		t1->ack_seq = htonl(ntohl(th->seq) + th->syn + th->fin
				    + skb->len - (th->doff << 2));
	}

#ifdef CONFIG_TCP_MD5SIG
	if (key) {
		__be32 *opt = (__be32 *)(t1 + 1);
		opt[0] = htonl((TCPOPT_NOP << 24) |
			       (TCPOPT_NOP << 16) |
			       (TCPOPT_MD5SIG << 8) |
			       TCPOLEN_MD5SIG);
		tcp_v6_do_calc_md5_hash((__u8 *)&opt[1], key,
					&ipv6_hdr(skb)->daddr,
					&ipv6_hdr(skb)->saddr,
					t1, IPPROTO_TCP, tot_len);
	}
#endif

	buff->csum = csum_partial((char *)t1, sizeof(*t1), 0);

	memset(&fl, 0, sizeof(fl));
	ipv6_addr_copy(&fl.fl6_dst, &ipv6_hdr(skb)->saddr);
	ipv6_addr_copy(&fl.fl6_src, &ipv6_hdr(skb)->daddr);

	t1->check = csum_ipv6_magic(&fl.fl6_src, &fl.fl6_dst,
				    sizeof(*t1), IPPROTO_TCP,
				    buff->csum);

	fl.proto = IPPROTO_TCP;
	fl.oif = inet6_iif(skb);
	fl.fl_ip_dport = t1->dest;
	fl.fl_ip_sport = t1->source;
	security_skb_classify_flow(skb, &fl);

	/* sk = NULL, but it is safe for now. RST socket required. */
	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {

		if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
			ip6_xmit(tcp6_socket->sk, buff, &fl, NULL, 0);
			TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
			TCP_INC_STATS_BH(TCP_MIB_OUTRSTS);
			return;
		}
	}

	kfree_skb(buff);
}

static void tcp_v6_send_ack(struct tcp_timewait_sock *tw,
			    struct sk_buff *skb, u32 seq, u32 ack, u32 win, u32 ts)
{
	struct tcphdr *th = tcp_hdr(skb), *t1;
	struct sk_buff *buff;
	struct flowi fl;
	int tot_len = sizeof(struct tcphdr);
	__be32 *topt;
#ifdef CONFIG_TCP_MD5SIG
	struct tcp_md5sig_key *key;
	struct tcp_md5sig_key tw_key;
#endif

#ifdef CONFIG_TCP_MD5SIG
	if (!tw && skb->sk) {
		key = tcp_v6_md5_do_lookup(skb->sk, &ipv6_hdr(skb)->daddr);
	} else if (tw && tw->tw_md5_keylen) {
		tw_key.key = tw->tw_md5_key;
		tw_key.keylen = tw->tw_md5_keylen;
		key = &tw_key;
	} else {
		key = NULL;
	}
#endif

	if (ts)
		tot_len += TCPOLEN_TSTAMP_ALIGNED;
#ifdef CONFIG_TCP_MD5SIG
	if (key)
		tot_len += TCPOLEN_MD5SIG_ALIGNED;
#endif

	buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
			 GFP_ATOMIC);
	if (buff == NULL)
		return;

	skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);

	t1 = (struct tcphdr *) skb_push(buff, tot_len);

	/* Swap the send and the receive. */
	memset(t1, 0, sizeof(*t1));
	t1->dest = th->source;
	t1->source = th->dest;
	t1->doff = tot_len / 4;
	t1->seq = htonl(seq);
	t1->ack_seq = htonl(ack);
	t1->ack = 1;
	t1->window = htons(win);

	topt = (__be32 *)(t1 + 1);

	if (ts) {
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
				(TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
		*topt++ = htonl(tcp_time_stamp);
		*topt = htonl(ts);
	}

#ifdef CONFIG_TCP_MD5SIG
	if (key) {
		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
				(TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
		tcp_v6_do_calc_md5_hash((__u8 *)topt, key,
					&ipv6_hdr(skb)->daddr,
					&ipv6_hdr(skb)->saddr,
					t1, IPPROTO_TCP, tot_len);
	}
#endif

	buff->csum = csum_partial((char *)t1, tot_len, 0);

	memset(&fl, 0, sizeof(fl));
	ipv6_addr_copy(&fl.fl6_dst, &ipv6_hdr(skb)->saddr);
	ipv6_addr_copy(&fl.fl6_src, &ipv6_hdr(skb)->daddr);

	t1->check = csum_ipv6_magic(&fl.fl6_src, &fl.fl6_dst,
				    tot_len, IPPROTO_TCP,
				    buff->csum);

	fl.proto = IPPROTO_TCP;
	fl.oif = inet6_iif(skb);
	fl.fl_ip_dport = t1->dest;
	fl.fl_ip_sport = t1->source;
	security_skb_classify_flow(skb, &fl);

	if (!ip6_dst_lookup(NULL, &buff->dst, &fl)) {
		if (xfrm_lookup(&buff->dst, &fl, NULL, 0) >= 0) {
			ip6_xmit(tcp6_socket->sk, buff, &fl, NULL, 0);
			TCP_INC_STATS_BH(TCP_MIB_OUTSEGS);
			return;
		}
	}

	kfree_skb(buff);
}

static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
{
	struct inet_timewait_sock *tw = inet_twsk(sk);
	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);

	tcp_v6_send_ack(tcptw, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
			tcptw->tw_ts_recent);

	inet_twsk_put(tw);
}

static void tcp_v6_reqsk_send_ack(struct sk_buff *skb, struct request_sock *req)
{
	tcp_v6_send_ack(NULL, skb, tcp_rsk(req)->snt_isn + 1,
			tcp_rsk(req)->rcv_isn + 1, req->rcv_wnd, req->ts_recent);
}

static struct sock *tcp_v6_hnd_req(struct sock *sk, struct sk_buff *skb)
{
	struct request_sock *req, **prev;
	const struct tcphdr *th = tcp_hdr(skb);
	struct sock *nsk;

	/* Find possible connection requests. */
	req = inet6_csk_search_req(sk, &prev, th->source,
				   &ipv6_hdr(skb)->saddr,
				   &ipv6_hdr(skb)->daddr, inet6_iif(skb));
	if (req)
		return tcp_check_req(sk, skb, req, prev);

	nsk = __inet6_lookup_established(&tcp_hashinfo, &ipv6_hdr(skb)->saddr,
					 th->source, &ipv6_hdr(skb)->daddr,
					 ntohs(th->dest), inet6_iif(skb));

	if (nsk) {
		if (nsk->sk_state != TCP_TIME_WAIT) {
			bh_lock_sock(nsk);
			return nsk;
		}
		inet_twsk_put(inet_twsk(nsk));
		return NULL;
	}

#if 0 /*def CONFIG_SYN_COOKIES*/
	if (!th->rst && !th->syn && th->ack)
		sk = cookie_v6_check(sk, skb, &(IPCB(skb)->opt));
#endif
	return sk;
}

/* FIXME: this is substantially similar to the ipv4 code.
 * Can some kind of merge be done? -- erics
 */
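/*
 * Handle an incoming SYN: drop early when the request or accept
 * queues are full, parse the peer's options, stash any IPv6 packet
 * options the user asked for, then answer with a SYN+ACK and hash
 * the request with the standard TCP_TIMEOUT_INIT retransmit timer.
 */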
static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
{
	struct inet6_request_sock *treq;
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_options_received tmp_opt;
	struct tcp_sock *tp = tcp_sk(sk);
	struct request_sock *req = NULL;
	__u32 isn = TCP_SKB_CB(skb)->when;

	if (skb->protocol == htons(ETH_P_IP))
		return tcp_v4_conn_request(sk, skb);

	if (!ipv6_unicast_destination(skb))
		goto drop;

	/*
	 *	There are no SYN attacks on IPv6, yet...
	 */
	if (inet_csk_reqsk_queue_is_full(sk) && !isn) {
		if (net_ratelimit())
			printk(KERN_INFO "TCPv6: dropping request, synflood is possible\n");
		goto drop;
	}

	if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1)
		goto drop;

	req = inet6_reqsk_alloc(&tcp6_request_sock_ops);
	if (req == NULL)
		goto drop;

#ifdef CONFIG_TCP_MD5SIG
	tcp_rsk(req)->af_specific = &tcp_request_sock_ipv6_ops;
#endif

	tcp_clear_options(&tmp_opt);
	tmp_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
	tmp_opt.user_mss = tp->rx_opt.user_mss;

	tcp_parse_options(skb, &tmp_opt, 0);

	tmp_opt.tstamp_ok = tmp_opt.saw_tstamp;
	tcp_openreq_init(req, &tmp_opt, skb);

	treq = inet6_rsk(req);
	ipv6_addr_copy(&treq->rmt_addr, &ipv6_hdr(skb)->saddr);
	ipv6_addr_copy(&treq->loc_addr, &ipv6_hdr(skb)->daddr);
	TCP_ECN_create_request(req, tcp_hdr(skb));
	treq->pktopts = NULL;
	if (ipv6_opt_accepted(sk, skb) ||
	    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
	    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
		atomic_inc(&skb->users);
		treq->pktopts = skb;
	}
	treq->iif = sk->sk_bound_dev_if;

	/* So that link locals have meaning */
	if (!sk->sk_bound_dev_if &&
	    ipv6_addr_type(&treq->rmt_addr) & IPV6_ADDR_LINKLOCAL)
		treq->iif = inet6_iif(skb);

	if (isn == 0)
		isn = tcp_v6_init_sequence(skb);

	tcp_rsk(req)->snt_isn = isn;

	security_inet_conn_request(sk, skb, req);

	if (tcp_v6_send_synack(sk, req, NULL))
		goto drop;

	inet6_csk_reqsk_queue_hash_add(sk, req, TCP_TIMEOUT_INIT);
	return 0;

drop:
	if (req)
		reqsk_free(req);

	return 0; /* don't send reset */
}

static struct sock *tcp_v6_syn_recv_sock(struct sock *sk, struct sk_buff *skb,
					 struct request_sock *req,
					 struct dst_entry *dst)
{
	struct inet6_request_sock *treq = inet6_rsk(req);
	struct ipv6_pinfo *newnp, *np = inet6_sk(sk);
	struct tcp6_sock *newtcp6sk;
	struct inet_sock *newinet;
	struct tcp_sock *newtp;
	struct sock *newsk;
	struct ipv6_txoptions *opt;
#ifdef CONFIG_TCP_MD5SIG
	struct tcp_md5sig_key *key;
#endif

	if (skb->protocol == htons(ETH_P_IP)) {
		/*
		 *	v6 mapped
		 */

		newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst);

		if (newsk == NULL)
			return NULL;

		newtcp6sk = (struct tcp6_sock *)newsk;
		inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;

		newinet = inet_sk(newsk);
		newnp = inet6_sk(newsk);
		newtp = tcp_sk(newsk);

		memcpy(newnp, np, sizeof(struct ipv6_pinfo));

		ipv6_addr_set(&newnp->daddr, 0, 0, htonl(0x0000FFFF),
			      newinet->daddr);

		ipv6_addr_set(&newnp->saddr, 0, 0, htonl(0x0000FFFF),
			      newinet->saddr);

		ipv6_addr_copy(&newnp->rcv_saddr, &newnp->saddr);

		inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
		newsk->sk_backlog_rcv = tcp_v4_do_rcv;
#ifdef CONFIG_TCP_MD5SIG
		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
#endif

		newnp->pktoptions  = NULL;
		newnp->opt	   = NULL;
		newnp->mcast_oif   = inet6_iif(skb);
		newnp->mcast_hops  = ipv6_hdr(skb)->hop_limit;

		/*
		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
		 * here, tcp_create_openreq_child now does this for us, see the comment in
		 * that function for the gory details. -acme
		 */

		/* This is a tricky place. Until this moment IPv4 tcp
		   worked with IPv6 icsk.icsk_af_ops.
		   Sync it now.
		 */
		tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);

		return newsk;
	}

	opt = np->opt;

	if (sk_acceptq_is_full(sk))
		goto out_overflow;

	if (np->rxopt.bits.osrcrt == 2 &&
	    opt == NULL && treq->pktopts) {
		struct inet6_skb_parm *rxopt = IP6CB(treq->pktopts);
		if (rxopt->srcrt)
			opt = ipv6_invert_rthdr(sk,
		   (struct ipv6_rt_hdr *)(skb_network_header(treq->pktopts) +
					  rxopt->srcrt));
	}

	if (dst == NULL) {
		struct in6_addr *final_p = NULL, final;
		struct flowi fl;

		memset(&fl, 0, sizeof(fl));
		fl.proto = IPPROTO_TCP;
		ipv6_addr_copy(&fl.fl6_dst, &treq->rmt_addr);
		if (opt && opt->srcrt) {
			struct rt0_hdr *rt0 = (struct rt0_hdr *) opt->srcrt;
			ipv6_addr_copy(&final, &fl.fl6_dst);
			ipv6_addr_copy(&fl.fl6_dst, rt0->addr);
			final_p = &final;
		}
		ipv6_addr_copy(&fl.fl6_src, &treq->loc_addr);
		fl.oif = sk->sk_bound_dev_if;
		fl.fl_ip_dport = inet_rsk(req)->rmt_port;
		fl.fl_ip_sport = inet_sk(sk)->sport;
		security_req_classify_flow(req, &fl);

		if (ip6_dst_lookup(sk, &dst, &fl))
			goto out;

		if (final_p)
			ipv6_addr_copy(&fl.fl6_dst, final_p);

		if ((xfrm_lookup(&dst, &fl, sk, 0)) < 0)
			goto out;
	}

	newsk = tcp_create_openreq_child(sk, req, skb);
	if (newsk == NULL)
		goto out;

	/*
	 * No need to charge this sock to the relevant IPv6 refcnt debug socks
	 * count here, tcp_create_openreq_child now does this for us, see the
	 * comment in that function for the gory details. -acme
	 */

	newsk->sk_gso_type = SKB_GSO_TCPV6;
	__ip6_dst_store(newsk, dst, NULL, NULL);

	newtcp6sk = (struct tcp6_sock *)newsk;
	inet_sk(newsk)->pinet6 = &newtcp6sk->inet6;

	newtp = tcp_sk(newsk);
	newinet = inet_sk(newsk);
	newnp = inet6_sk(newsk);

	memcpy(newnp, np, sizeof(struct ipv6_pinfo));

	ipv6_addr_copy(&newnp->daddr, &treq->rmt_addr);
	ipv6_addr_copy(&newnp->saddr, &treq->loc_addr);
	ipv6_addr_copy(&newnp->rcv_saddr, &treq->loc_addr);
	newsk->sk_bound_dev_if = treq->iif;

	/* Now IPv6 options...

	   First: no IPv4 options.
	 */
	newinet->opt = NULL;
	newnp->ipv6_fl_list = NULL;

	/* Clone RX bits */
	newnp->rxopt.all = np->rxopt.all;

	/* Clone pktoptions received with SYN */
	newnp->pktoptions = NULL;
	if (treq->pktopts != NULL) {
		newnp->pktoptions = skb_clone(treq->pktopts, GFP_ATOMIC);
		kfree_skb(treq->pktopts);
		treq->pktopts = NULL;
		if (newnp->pktoptions)
			skb_set_owner_r(newnp->pktoptions, newsk);
	}
	newnp->opt	  = NULL;
	newnp->mcast_oif  = inet6_iif(skb);
	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;

	/* Clone native IPv6 options from the listening socket (if any)

	   Yes, keeping a reference count would be much more clever,
	   but we do one more thing here: reattach optmem
	   to newsk.
	 */
	if (opt) {
		newnp->opt = ipv6_dup_options(newsk, opt);
		if (opt != np->opt)
			sock_kfree_s(sk, opt, opt->tot_len);
	}

	inet_csk(newsk)->icsk_ext_hdr_len = 0;
	if (newnp->opt)
		inet_csk(newsk)->icsk_ext_hdr_len = (newnp->opt->opt_nflen +
						     newnp->opt->opt_flen);

	tcp_mtup_init(newsk);
	tcp_sync_mss(newsk, dst_mtu(dst));
	newtp->advmss = dst_metric(dst, RTAX_ADVMSS);
	tcp_initialize_rcv_mss(newsk);

	newinet->daddr = newinet->saddr = newinet->rcv_saddr = LOOPBACK4_IPV6;

#ifdef CONFIG_TCP_MD5SIG
	/* Copy over the MD5 key from the original socket */
	if ((key = tcp_v6_md5_do_lookup(sk, &newnp->daddr)) != NULL) {
		/* We're using one, so create a matching key
		 * on the newsk structure. If we fail to get
		 * memory, then we end up not copying the key
		 * across. Shucks.
		 */
		char *newkey = kmemdup(key->key, key->keylen, GFP_ATOMIC);
		if (newkey != NULL)
			tcp_v6_md5_do_add(newsk, &inet6_sk(sk)->daddr,
					  newkey, key->keylen);
	}
#endif

	__inet6_hash(&tcp_hashinfo, newsk);
	inet_inherit_port(&tcp_hashinfo, sk, newsk);

	return newsk;

out_overflow:
	NET_INC_STATS_BH(LINUX_MIB_LISTENOVERFLOWS);
out:
	NET_INC_STATS_BH(LINUX_MIB_LISTENDROPS);
	if (opt && opt != np->opt)
		sock_kfree_s(sk, opt, opt->tot_len);
	dst_release(dst);
	return NULL;
}

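/*
 * Receive checksum setup: hardware-summed (CHECKSUM_COMPLETE)
 * packets are verified against the pseudo-header immediately; for
 * the rest we seed skb->csum and fully check only short packets
 * (<= 76 bytes) here, leaving longer ones to be verified when the
 * data is actually consumed.
 */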
static __sum16 tcp_v6_checksum_init(struct sk_buff *skb)
{
	if (skb->ip_summed == CHECKSUM_COMPLETE) {
		if (!tcp_v6_check(tcp_hdr(skb), skb->len, &ipv6_hdr(skb)->saddr,
				  &ipv6_hdr(skb)->daddr, skb->csum)) {
			skb->ip_summed = CHECKSUM_UNNECESSARY;
			return 0;
		}
	}

	skb->csum = ~csum_unfold(tcp_v6_check(tcp_hdr(skb), skb->len,
					      &ipv6_hdr(skb)->saddr,
					      &ipv6_hdr(skb)->daddr, 0));

	if (skb->len <= 76) {
		return __skb_checksum_complete(skb);
	}
	return 0;
}

/* The socket must have its spinlock held when we get
 * here.
 *
 * We have a potential double-lock case here, so even when
 * doing backlog processing we use the BH locking scheme.
 * This is because we cannot sleep with the original spinlock
 * held.
 */
static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
{
	struct ipv6_pinfo *np = inet6_sk(sk);
	struct tcp_sock *tp;
	struct sk_buff *opt_skb = NULL;

	/* Imagine: the socket is IPv6. An IPv4 packet arrives,
	   goes to the IPv4 receive handler and is backlogged.
	   From the backlog it always comes here. Kerboom...
	   Fortunately, tcp_rcv_established and rcv_established
	   handle them correctly, but that is not the case with
	   tcp_v6_hnd_req and tcp_v6_send_reset().   --ANK
	 */

	if (skb->protocol == htons(ETH_P_IP))
		return tcp_v4_do_rcv(sk, skb);

#ifdef CONFIG_TCP_MD5SIG
	if (tcp_v6_inbound_md5_hash(sk, skb))
		goto discard;
#endif

	if (sk_filter(sk, skb))
		goto discard;

	/*
	 *	socket locking is here for SMP purposes as backlog rcv
	 *	is currently called with bh processing disabled.
	 */

	/* Do Stevens' IPV6_PKTOPTIONS.

	   Yes, guys, it is the only place in our code where we
	   can do this without affecting IPv4.
	   The rest of the code is protocol independent,
	   and I do not like the idea of uglifying IPv4.

	   Actually, the whole idea behind IPV6_PKTOPTIONS
	   looks not very well thought out. For now we latch
	   options, received in the last packet, enqueued
	   by tcp. Feel free to propose a better solution.
					       --ANK (980728)
	 */
	if (np->rxopt.all)
		opt_skb = skb_clone(skb, GFP_ATOMIC);

	if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
		TCP_CHECK_TIMER(sk);
		if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len))
			goto reset;
		TCP_CHECK_TIMER(sk);
		if (opt_skb)
			goto ipv6_pktoptions;
		return 0;
	}

	if (skb->len < tcp_hdrlen(skb) || tcp_checksum_complete(skb))
		goto csum_err;

	if (sk->sk_state == TCP_LISTEN) {
		struct sock *nsk = tcp_v6_hnd_req(sk, skb);
		if (!nsk)
			goto discard;

		/*
		 * Queue it on the new socket if the new socket is active,
		 * otherwise we just shortcircuit this and continue with
		 * the new socket..
		 */
		if (nsk != sk) {
			if (tcp_child_process(sk, nsk, skb))
				goto reset;
			if (opt_skb)
				__kfree_skb(opt_skb);
			return 0;
		}
	}

	TCP_CHECK_TIMER(sk);
	if (tcp_rcv_state_process(sk, skb, tcp_hdr(skb), skb->len))
		goto reset;
	TCP_CHECK_TIMER(sk);
	if (opt_skb)
		goto ipv6_pktoptions;
	return 0;

reset:
	tcp_v6_send_reset(sk, skb);
discard:
	if (opt_skb)
		__kfree_skb(opt_skb);
	kfree_skb(skb);
	return 0;
csum_err:
	TCP_INC_STATS_BH(TCP_MIB_INERRS);
	goto discard;

ipv6_pktoptions:
	/* You may ask: what is all this?

	   1. skb was enqueued by tcp.
	   2. skb was added to the tail of the read queue, not out of order.
	   3. the socket is not in a passive state.
	   4. Finally, it really contains options, which the user wants to receive.
	 */
	tp = tcp_sk(sk);
	if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
	    !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
		if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
			np->mcast_oif = inet6_iif(opt_skb);
		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
		if (ipv6_opt_accepted(sk, opt_skb)) {
			skb_set_owner_r(opt_skb, sk);
			opt_skb = xchg(&np->pktoptions, opt_skb);
		} else {
			__kfree_skb(opt_skb);
			opt_skb = xchg(&np->pktoptions, NULL);
		}
	}

	if (opt_skb)
		kfree_skb(opt_skb);
	return 0;
}

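/*
 * Main receive entry point: validate the TCP header, fill in the
 * skb control block, look up the owning socket and then process the
 * segment directly, prequeue it for a sleeping reader, or backlog
 * it if the socket is locked by a user context.
 */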
static int tcp_v6_rcv(struct sk_buff **pskb)
{
	struct sk_buff *skb = *pskb;
	struct tcphdr *th;
	struct sock *sk;
	int ret;

	if (skb->pkt_type != PACKET_HOST)
		goto discard_it;

	/*
	 *	Count it even if it's bad.
	 */
	TCP_INC_STATS_BH(TCP_MIB_INSEGS);

	if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
		goto discard_it;

	th = tcp_hdr(skb);

	if (th->doff < sizeof(struct tcphdr)/4)
		goto bad_packet;
	if (!pskb_may_pull(skb, th->doff*4))
		goto discard_it;

	if (!skb_csum_unnecessary(skb) && tcp_v6_checksum_init(skb))
		goto bad_packet;

	th = tcp_hdr(skb);
	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
				    skb->len - th->doff*4);
	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
	TCP_SKB_CB(skb)->when = 0;
	TCP_SKB_CB(skb)->flags = ipv6_get_dsfield(ipv6_hdr(skb));
	TCP_SKB_CB(skb)->sacked = 0;

	sk = __inet6_lookup(&tcp_hashinfo, &ipv6_hdr(skb)->saddr, th->source,
			    &ipv6_hdr(skb)->daddr, ntohs(th->dest),
			    inet6_iif(skb));

	if (!sk)
		goto no_tcp_socket;

process:
	if (sk->sk_state == TCP_TIME_WAIT)
		goto do_time_wait;

	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
		goto discard_and_relse;

	if (sk_filter(sk, skb))
		goto discard_and_relse;

	skb->dev = NULL;

	bh_lock_sock_nested(sk);
	ret = 0;
	if (!sock_owned_by_user(sk)) {
#ifdef CONFIG_NET_DMA
		struct tcp_sock *tp = tcp_sk(sk);
		if (tp->ucopy.dma_chan)
			ret = tcp_v6_do_rcv(sk, skb);
		else
#endif
		{
			if (!tcp_prequeue(sk, skb))
				ret = tcp_v6_do_rcv(sk, skb);
		}
	} else
		sk_add_backlog(sk, skb);
	bh_unlock_sock(sk);

	sock_put(sk);
	return ret ? -1 : 0;

no_tcp_socket:
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
		goto discard_it;

	if (skb->len < (th->doff << 2) || tcp_checksum_complete(skb)) {
bad_packet:
		TCP_INC_STATS_BH(TCP_MIB_INERRS);
	} else {
		tcp_v6_send_reset(NULL, skb);
	}

discard_it:

	/*
	 *	Discard frame
	 */

	kfree_skb(skb);
	return 0;

discard_and_relse:
	sock_put(sk);
	goto discard_it;

do_time_wait:
	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
		inet_twsk_put(inet_twsk(sk));
		goto discard_it;
	}

	if (skb->len < (th->doff << 2) || tcp_checksum_complete(skb)) {
		TCP_INC_STATS_BH(TCP_MIB_INERRS);
		inet_twsk_put(inet_twsk(sk));
		goto discard_it;
	}

	switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
	case TCP_TW_SYN:
	{
		struct sock *sk2;

		sk2 = inet6_lookup_listener(&tcp_hashinfo,
					    &ipv6_hdr(skb)->daddr,
					    ntohs(th->dest), inet6_iif(skb));
		if (sk2 != NULL) {
			struct inet_timewait_sock *tw = inet_twsk(sk);
			inet_twsk_deschedule(tw, &tcp_death_row);
			inet_twsk_put(tw);
			sk = sk2;
			goto process;
		}
		/* Fall through to ACK */
	}
	case TCP_TW_ACK:
		tcp_v6_timewait_ack(sk, skb);
		break;
	case TCP_TW_RST:
		goto no_tcp_socket;
	case TCP_TW_SUCCESS:;
	}
	goto discard_it;
}

static int tcp_v6_remember_stamp(struct sock *sk)
{
	/* Alas, not yet... */
	return 0;
}

static struct inet_connection_sock_af_ops ipv6_specific = {
	.queue_xmit	   = inet6_csk_xmit,
	.send_check	   = tcp_v6_send_check,
	.rebuild_header	   = inet6_sk_rebuild_header,
	.conn_request	   = tcp_v6_conn_request,
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
	.remember_stamp	   = tcp_v6_remember_stamp,
	.net_header_len	   = sizeof(struct ipv6hdr),
	.setsockopt	   = ipv6_setsockopt,
	.getsockopt	   = ipv6_getsockopt,
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
#ifdef CONFIG_COMPAT
	.compat_setsockopt = compat_ipv6_setsockopt,
	.compat_getsockopt = compat_ipv6_getsockopt,
#endif
};

#ifdef CONFIG_TCP_MD5SIG
static struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
	.md5_lookup	=	tcp_v6_md5_lookup,
	.calc_md5_hash	=	tcp_v6_calc_md5_hash,
	.md5_add	=	tcp_v6_md5_add_func,
	.md5_parse	=	tcp_v6_parse_md5_keys,
};
#endif

/*
 *	TCP over IPv4 via INET6 API
 */

static struct inet_connection_sock_af_ops ipv6_mapped = {
	.queue_xmit	   = ip_queue_xmit,
	.send_check	   = tcp_v4_send_check,
	.rebuild_header	   = inet_sk_rebuild_header,
	.conn_request	   = tcp_v6_conn_request,
	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
	.remember_stamp	   = tcp_v4_remember_stamp,
	.net_header_len	   = sizeof(struct iphdr),
	.setsockopt	   = ipv6_setsockopt,
	.getsockopt	   = ipv6_getsockopt,
	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
	.sockaddr_len	   = sizeof(struct sockaddr_in6),
#ifdef CONFIG_COMPAT
	.compat_setsockopt = compat_ipv6_setsockopt,
	.compat_getsockopt = compat_ipv6_getsockopt,
#endif
};

#ifdef CONFIG_TCP_MD5SIG
static struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
	.md5_lookup	=	tcp_v4_md5_lookup,
	.calc_md5_hash	=	tcp_v4_calc_md5_hash,
	.md5_add	=	tcp_v6_md5_add_func,
	.md5_parse	=	tcp_v6_parse_md5_keys,
};
#endif

1888 /* NOTE: A lot of things set to zero explicitly by call to
1889  *       sk_alloc() so need not be done here.
1890  */
1891 static int tcp_v6_init_sock(struct sock *sk)
1892 {
1893 	struct inet_connection_sock *icsk = inet_csk(sk);
1894 	struct tcp_sock *tp = tcp_sk(sk);
1895 
1896 	skb_queue_head_init(&tp->out_of_order_queue);
1897 	tcp_init_xmit_timers(sk);
1898 	tcp_prequeue_init(tp);
1899 
1900 	icsk->icsk_rto = TCP_TIMEOUT_INIT;
1901 	tp->mdev = TCP_TIMEOUT_INIT;
1902 
1903 	/* So many TCP implementations out there (incorrectly) count the
1904 	 * initial SYN frame in their delayed-ACK and congestion control
1905 	 * algorithms that we must have the following bandaid to talk
1906 	 * efficiently to them.  -DaveM
1907 	 */
1908 	tp->snd_cwnd = 2;
1909 
1910 	/* See draft-stevens-tcpca-spec-01 for discussion of the
1911 	 * initialization of these values.
1912 	 */
1913 	tp->snd_ssthresh = 0x7fffffff;
1914 	tp->snd_cwnd_clamp = ~0;
1915 	tp->mss_cache = 536;
1916 
1917 	tp->reordering = sysctl_tcp_reordering;
1918 
1919 	sk->sk_state = TCP_CLOSE;
1920 
1921 	icsk->icsk_af_ops = &ipv6_specific;
1922 	icsk->icsk_ca_ops = &tcp_init_congestion_ops;
1923 	icsk->icsk_sync_mss = tcp_sync_mss;
1924 	sk->sk_write_space = sk_stream_write_space;
1925 	sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
1926 
1927 #ifdef CONFIG_TCP_MD5SIG
1928 	tp->af_specific = &tcp_sock_ipv6_specific;
1929 #endif
1930 
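	/* Index 1 of the {min, default, max} sysctl triplet is the
	 * initial buffer size; autotuning may grow the buffers later.
	 */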
1931 	sk->sk_sndbuf = sysctl_tcp_wmem[1];
1932 	sk->sk_rcvbuf = sysctl_tcp_rmem[1];
1933 
1934 	atomic_inc(&tcp_sockets_allocated);
1935 
1936 	return 0;
1937 }
1938 
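/* Teardown: tcp_v4_destroy_sock(), despite its name, releases the
 * protocol-generic TCP state (and the MD5 key list is cleared first
 * when configured); IPv6-specific socket state is torn down
 * afterwards by inet6_destroy_sock().
 */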
1939 static int tcp_v6_destroy_sock(struct sock *sk)
1940 {
1941 #ifdef CONFIG_TCP_MD5SIG
1942 	/* Clean up the MD5 key list */
1943 	if (tcp_sk(sk)->md5sig_info)
1944 		tcp_v6_clear_md5_list(sk);
1945 #endif
1946 	tcp_v4_destroy_sock(sk);
1947 	return inet6_destroy_sock(sk);
1948 }
1949 
1950 #ifdef CONFIG_PROC_FS
1951 /* Proc filesystem TCPv6 sock list dumping. */
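/* Records intentionally mirror the /proc/net/tcp layout, with each
 * 128-bit address printed as four 32-bit hex words.
 */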
1952 static void get_openreq6(struct seq_file *seq,
1953 			 struct sock *sk, struct request_sock *req, int i, int uid)
1954 {
1955 	int ttd = req->expires - jiffies;
1956 	struct in6_addr *src = &inet6_rsk(req)->loc_addr;
1957 	struct in6_addr *dest = &inet6_rsk(req)->rmt_addr;
1958 
1959 	if (ttd < 0)
1960 		ttd = 0;
1961 
1962 	seq_printf(seq,
1963 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1964 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
1965 		   i,
1966 		   src->s6_addr32[0], src->s6_addr32[1],
1967 		   src->s6_addr32[2], src->s6_addr32[3],
1968 		   ntohs(inet_sk(sk)->sport),
1969 		   dest->s6_addr32[0], dest->s6_addr32[1],
1970 		   dest->s6_addr32[2], dest->s6_addr32[3],
1971 		   ntohs(inet_rsk(req)->rmt_port),
1972 		   TCP_SYN_RECV,
		   0, 0, /* could print option size, but that is AF-dependent. */
1974 		   1,   /* timers active (only the expire timer) */
1975 		   jiffies_to_clock_t(ttd),
1976 		   req->retrans,
1977 		   uid,
1978 		   0,  /* non standard timer */
1979 		   0, /* open_requests have no inode */
1980 		   0, req);
1981 }
1982 
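/* timer_active follows the /proc/net/tcp convention: 0 none,
 * 1 retransmit, 2 keepalive (sk_timer), 3 TIME_WAIT, 4 zero-window
 * probe.
 */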
1983 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
1984 {
1985 	struct in6_addr *dest, *src;
1986 	__u16 destp, srcp;
1987 	int timer_active;
1988 	unsigned long timer_expires;
1989 	struct inet_sock *inet = inet_sk(sp);
1990 	struct tcp_sock *tp = tcp_sk(sp);
1991 	const struct inet_connection_sock *icsk = inet_csk(sp);
1992 	struct ipv6_pinfo *np = inet6_sk(sp);
1993 
1994 	dest  = &np->daddr;
1995 	src   = &np->rcv_saddr;
1996 	destp = ntohs(inet->dport);
1997 	srcp  = ntohs(inet->sport);
1998 
1999 	if (icsk->icsk_pending == ICSK_TIME_RETRANS) {
2000 		timer_active	= 1;
2001 		timer_expires	= icsk->icsk_timeout;
2002 	} else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
2003 		timer_active	= 4;
2004 		timer_expires	= icsk->icsk_timeout;
2005 	} else if (timer_pending(&sp->sk_timer)) {
2006 		timer_active	= 2;
2007 		timer_expires	= sp->sk_timer.expires;
2008 	} else {
2009 		timer_active	= 0;
		timer_expires	= jiffies;
2011 	}
2012 
2013 	seq_printf(seq,
2014 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2015 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %lu %d %p %u %u %u %u %d\n",
2016 		   i,
2017 		   src->s6_addr32[0], src->s6_addr32[1],
2018 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2019 		   dest->s6_addr32[0], dest->s6_addr32[1],
2020 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2021 		   sp->sk_state,
		   tp->write_seq - tp->snd_una,
		   sp->sk_state == TCP_LISTEN ?
			sp->sk_ack_backlog :
			(tp->rcv_nxt - tp->copied_seq),
2024 		   timer_active,
2025 		   jiffies_to_clock_t(timer_expires - jiffies),
2026 		   icsk->icsk_retransmits,
2027 		   sock_i_uid(sp),
2028 		   icsk->icsk_probes_out,
2029 		   sock_i_ino(sp),
2030 		   atomic_read(&sp->sk_refcnt), sp,
2031 		   icsk->icsk_rto,
2032 		   icsk->icsk_ack.ato,
		   (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
		   tp->snd_cwnd,
		   tp->snd_ssthresh >= 0xFFFF ? -1 : tp->snd_ssthresh
2035 		   );
2036 }
2037 
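/* TIME_WAIT sockets retain no queues, owner or inode, so those
 * columns are printed as zero; the remaining lifetime is shown
 * against timer code 3.
 */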
2038 static void get_timewait6_sock(struct seq_file *seq,
2039 			       struct inet_timewait_sock *tw, int i)
2040 {
2041 	struct in6_addr *dest, *src;
2042 	__u16 destp, srcp;
2043 	struct inet6_timewait_sock *tw6 = inet6_twsk((struct sock *)tw);
2044 	int ttd = tw->tw_ttd - jiffies;
2045 
2046 	if (ttd < 0)
2047 		ttd = 0;
2048 
2049 	dest = &tw6->tw_v6_daddr;
2050 	src  = &tw6->tw_v6_rcv_saddr;
2051 	destp = ntohs(tw->tw_dport);
2052 	srcp  = ntohs(tw->tw_sport);
2053 
2054 	seq_printf(seq,
2055 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
2056 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p\n",
2057 		   i,
2058 		   src->s6_addr32[0], src->s6_addr32[1],
2059 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
2060 		   dest->s6_addr32[0], dest->s6_addr32[1],
2061 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
2062 		   tw->tw_substate, 0, 0,
2063 		   3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
2064 		   atomic_read(&tw->tw_refcnt), tw);
2065 }
2066 
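/* seq_file show callback: emit the column header for SEQ_START_TOKEN,
 * then dispatch on the iterator state so normal sockets, open
 * requests and TIME_WAIT sockets each use their own formatter.
 */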
2067 static int tcp6_seq_show(struct seq_file *seq, void *v)
2068 {
2069 	struct tcp_iter_state *st;
2070 
2071 	if (v == SEQ_START_TOKEN) {
2072 		seq_puts(seq,
2073 			 "  sl  "
2074 			 "local_address                         "
2075 			 "remote_address                        "
2076 			 "st tx_queue rx_queue tr tm->when retrnsmt"
2077 			 "   uid  timeout inode\n");
2078 		goto out;
2079 	}
2080 	st = seq->private;
2081 
2082 	switch (st->state) {
2083 	case TCP_SEQ_STATE_LISTENING:
2084 	case TCP_SEQ_STATE_ESTABLISHED:
2085 		get_tcp6_sock(seq, v, st->num);
2086 		break;
2087 	case TCP_SEQ_STATE_OPENREQ:
2088 		get_openreq6(seq, st->syn_wait_sk, v, st->num, st->uid);
2089 		break;
2090 	case TCP_SEQ_STATE_TIME_WAIT:
2091 		get_timewait6_sock(seq, v, st->num);
2092 		break;
2093 	}
2094 out:
2095 	return 0;
2096 }
2097 
2098 static struct file_operations tcp6_seq_fops;
2099 static struct tcp_seq_afinfo tcp6_seq_afinfo = {
2100 	.owner		= THIS_MODULE,
2101 	.name		= "tcp6",
2102 	.family		= AF_INET6,
2103 	.seq_show	= tcp6_seq_show,
2104 	.seq_fops	= &tcp6_seq_fops,
2105 };
2106 
2107 int __init tcp6_proc_init(void)
2108 {
2109 	return tcp_proc_register(&tcp6_seq_afinfo);
2110 }
2111 
2112 void tcp6_proc_exit(void)
2113 {
2114 	tcp_proc_unregister(&tcp6_seq_afinfo);
2115 }
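
/* Illustrative only: once registered, the table is plain procfs text
 * that can be read (given CONFIG_PROC_FS) with ordinary stdio:
 *
 *	#include <stdio.h>
 *
 *	int main(void)
 *	{
 *		char line[512];
 *		FILE *f = fopen("/proc/net/tcp6", "r");
 *
 *		if (!f)
 *			return 1;
 *		while (fgets(line, sizeof(line), f))
 *			fputs(line, stdout);
 *		return fclose(f);
 *	}
 */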
2116 #endif
2117 
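/* The proto table glues the protocol-independent TCP entry points to
 * the IPv6-specific ones defined in this file; everything not named
 * tcp_v6_* is shared as-is with IPv4.
 */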
2118 struct proto tcpv6_prot = {
2119 	.name			= "TCPv6",
2120 	.owner			= THIS_MODULE,
2121 	.close			= tcp_close,
2122 	.connect		= tcp_v6_connect,
2123 	.disconnect		= tcp_disconnect,
2124 	.accept			= inet_csk_accept,
2125 	.ioctl			= tcp_ioctl,
2126 	.init			= tcp_v6_init_sock,
2127 	.destroy		= tcp_v6_destroy_sock,
2128 	.shutdown		= tcp_shutdown,
2129 	.setsockopt		= tcp_setsockopt,
2130 	.getsockopt		= tcp_getsockopt,
2131 	.sendmsg		= tcp_sendmsg,
2132 	.recvmsg		= tcp_recvmsg,
2133 	.backlog_rcv		= tcp_v6_do_rcv,
2134 	.hash			= tcp_v6_hash,
2135 	.unhash			= tcp_unhash,
2136 	.get_port		= tcp_v6_get_port,
2137 	.enter_memory_pressure	= tcp_enter_memory_pressure,
2138 	.sockets_allocated	= &tcp_sockets_allocated,
2139 	.memory_allocated	= &tcp_memory_allocated,
2140 	.memory_pressure	= &tcp_memory_pressure,
2141 	.orphan_count		= &tcp_orphan_count,
2142 	.sysctl_mem		= sysctl_tcp_mem,
2143 	.sysctl_wmem		= sysctl_tcp_wmem,
2144 	.sysctl_rmem		= sysctl_tcp_rmem,
2145 	.max_header		= MAX_TCP_HEADER,
2146 	.obj_size		= sizeof(struct tcp6_sock),
2147 	.twsk_prot		= &tcp6_timewait_sock_ops,
2148 	.rsk_prot		= &tcp6_request_sock_ops,
2149 #ifdef CONFIG_COMPAT
2150 	.compat_setsockopt	= compat_tcp_setsockopt,
2151 	.compat_getsockopt	= compat_tcp_getsockopt,
2152 #endif
2153 };
2154 
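/* Inbound hookup with the IPv6 layer.  INET6_PROTO_NOPOLICY skips the
 * generic xfrm policy check on input (tcp_v6_rcv performs its own)
 * and INET6_PROTO_FINAL marks TCP as a terminal header, with no
 * further extension headers behind it.
 */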
2155 static struct inet6_protocol tcpv6_protocol = {
2156 	.handler	=	tcp_v6_rcv,
2157 	.err_handler	=	tcp_v6_err,
2158 	.gso_send_check	=	tcp_v6_gso_send_check,
2159 	.gso_segment	=	tcp_tso_segment,
2160 	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2161 };
2162 
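/* Entry consulted by socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP):
 * creation needs no special capability (.capability = -1) and
 * checksums can never be disabled (.no_check = 0).
 */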
2163 static struct inet_protosw tcpv6_protosw = {
2164 	.type		=	SOCK_STREAM,
2165 	.protocol	=	IPPROTO_TCP,
2166 	.prot		=	&tcpv6_prot,
2167 	.ops		=	&inet6_stream_ops,
2168 	.capability	=	-1,
2169 	.no_check	=	0,
2170 	.flags		=	INET_PROTOSW_PERMANENT |
2171 				INET_PROTOSW_ICSK,
2172 };
2173 
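/* Called once from the inet6 startup path (af_inet6.c in this tree)
 * to register the protocol handler and protosw entry and to create
 * the tcp6_socket control socket from which resets and ACKs are sent.
 */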
2174 void __init tcpv6_init(void)
2175 {
2176 	/* register inet6 protocol */
2177 	if (inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP) < 0)
2178 		printk(KERN_ERR "tcpv6_init: Could not register protocol\n");
2179 	inet6_register_protosw(&tcpv6_protosw);
2180 
2181 	if (inet_csk_ctl_sock_create(&tcp6_socket, PF_INET6, SOCK_RAW,
2182 				     IPPROTO_TCP) < 0)
2183 		panic("Failed to create the TCPv6 control socket.\n");
2184 }
2185