1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3  * INET		An implementation of the TCP/IP protocol suite for the LINUX
4  *		operating system.  INET is implemented using the  BSD Socket
5  *		interface as the means of communication with the user level.
6  *
7  *		Support for INET connection oriented protocols.
8  *
9  * Authors:	See the TCP sources
10  */
11 
12 #include <linux/module.h>
13 #include <linux/jhash.h>
14 
15 #include <net/inet_connection_sock.h>
16 #include <net/inet_hashtables.h>
17 #include <net/inet_timewait_sock.h>
18 #include <net/ip.h>
19 #include <net/route.h>
20 #include <net/tcp_states.h>
21 #include <net/xfrm.h>
22 #include <net/tcp.h>
23 #include <net/sock_reuseport.h>
24 #include <net/addrconf.h>
25 
26 #if IS_ENABLED(CONFIG_IPV6)
27 /* match_sk*_wildcard == true:  IPV6_ADDR_ANY equals to any IPv6 addresses
28  *				if IPv6 only, and any IPv4 addresses
29  *				if not IPv6 only
30  * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
31  *				IPV6_ADDR_ANY only equals to IPV6_ADDR_ANY,
32  *				and 0.0.0.0 equals to 0.0.0.0 only
33  */
34 static bool ipv6_rcv_saddr_equal(const struct in6_addr *sk1_rcv_saddr6,
35 				 const struct in6_addr *sk2_rcv_saddr6,
36 				 __be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
37 				 bool sk1_ipv6only, bool sk2_ipv6only,
38 				 bool match_sk1_wildcard,
39 				 bool match_sk2_wildcard)
40 {
41 	int addr_type = ipv6_addr_type(sk1_rcv_saddr6);
42 	int addr_type2 = sk2_rcv_saddr6 ? ipv6_addr_type(sk2_rcv_saddr6) : IPV6_ADDR_MAPPED;
43 
44 	/* if both are mapped, treat as IPv4 */
45 	if (addr_type == IPV6_ADDR_MAPPED && addr_type2 == IPV6_ADDR_MAPPED) {
46 		if (!sk2_ipv6only) {
47 			if (sk1_rcv_saddr == sk2_rcv_saddr)
48 				return true;
49 			return (match_sk1_wildcard && !sk1_rcv_saddr) ||
50 				(match_sk2_wildcard && !sk2_rcv_saddr);
51 		}
52 		return false;
53 	}
54 
55 	if (addr_type == IPV6_ADDR_ANY && addr_type2 == IPV6_ADDR_ANY)
56 		return true;
57 
58 	if (addr_type2 == IPV6_ADDR_ANY && match_sk2_wildcard &&
59 	    !(sk2_ipv6only && addr_type == IPV6_ADDR_MAPPED))
60 		return true;
61 
62 	if (addr_type == IPV6_ADDR_ANY && match_sk1_wildcard &&
63 	    !(sk1_ipv6only && addr_type2 == IPV6_ADDR_MAPPED))
64 		return true;
65 
66 	if (sk2_rcv_saddr6 &&
67 	    ipv6_addr_equal(sk1_rcv_saddr6, sk2_rcv_saddr6))
68 		return true;
69 
70 	return false;
71 }
72 #endif
73 
74 /* match_sk*_wildcard == true:  0.0.0.0 equals to any IPv4 addresses
75  * match_sk*_wildcard == false: addresses must be exactly the same, i.e.
76  *				0.0.0.0 only equals to 0.0.0.0
77  */
78 static bool ipv4_rcv_saddr_equal(__be32 sk1_rcv_saddr, __be32 sk2_rcv_saddr,
79 				 bool sk2_ipv6only, bool match_sk1_wildcard,
80 				 bool match_sk2_wildcard)
81 {
82 	if (!sk2_ipv6only) {
83 		if (sk1_rcv_saddr == sk2_rcv_saddr)
84 			return true;
85 		return (match_sk1_wildcard && !sk1_rcv_saddr) ||
86 			(match_sk2_wildcard && !sk2_rcv_saddr);
87 	}
88 	return false;
89 }
90 
91 bool inet_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2,
92 			  bool match_wildcard)
93 {
94 #if IS_ENABLED(CONFIG_IPV6)
95 	if (sk->sk_family == AF_INET6)
96 		return ipv6_rcv_saddr_equal(&sk->sk_v6_rcv_saddr,
97 					    inet6_rcv_saddr(sk2),
98 					    sk->sk_rcv_saddr,
99 					    sk2->sk_rcv_saddr,
100 					    ipv6_only_sock(sk),
101 					    ipv6_only_sock(sk2),
102 					    match_wildcard,
103 					    match_wildcard);
104 #endif
105 	return ipv4_rcv_saddr_equal(sk->sk_rcv_saddr, sk2->sk_rcv_saddr,
106 				    ipv6_only_sock(sk2), match_wildcard,
107 				    match_wildcard);
108 }
109 EXPORT_SYMBOL(inet_rcv_saddr_equal);
110 
111 bool inet_rcv_saddr_any(const struct sock *sk)
112 {
113 #if IS_ENABLED(CONFIG_IPV6)
114 	if (sk->sk_family == AF_INET6)
115 		return ipv6_addr_any(&sk->sk_v6_rcv_saddr);
116 #endif
117 	return !sk->sk_rcv_saddr;
118 }
119 
120 void inet_get_local_port_range(struct net *net, int *low, int *high)
121 {
122 	unsigned int seq;
123 
124 	do {
125 		seq = read_seqbegin(&net->ipv4.ip_local_ports.lock);
126 
127 		*low = net->ipv4.ip_local_ports.range[0];
128 		*high = net->ipv4.ip_local_ports.range[1];
129 	} while (read_seqretry(&net->ipv4.ip_local_ports.lock, seq));
130 }
131 EXPORT_SYMBOL(inet_get_local_port_range);
132 
133 static int inet_csk_bind_conflict(const struct sock *sk,
134 				  const struct inet_bind_bucket *tb,
135 				  bool relax, bool reuseport_ok)
136 {
137 	struct sock *sk2;
138 	bool reuseport_cb_ok;
139 	bool reuse = sk->sk_reuse;
140 	bool reuseport = !!sk->sk_reuseport;
141 	struct sock_reuseport *reuseport_cb;
142 	kuid_t uid = sock_i_uid((struct sock *)sk);
143 
144 	rcu_read_lock();
145 	reuseport_cb = rcu_dereference(sk->sk_reuseport_cb);
146 	/* paired with WRITE_ONCE() in __reuseport_(add|detach)_closed_sock */
147 	reuseport_cb_ok = !reuseport_cb || READ_ONCE(reuseport_cb->num_closed_socks);
148 	rcu_read_unlock();
149 
150 	/*
151 	 * Unlike other sk lookup places we do not check
152 	 * for sk_net here, since _all_ the socks listed
153 	 * in tb->owners list belong to the same net - the
154 	 * one this bucket belongs to.
155 	 */
156 
157 	sk_for_each_bound(sk2, &tb->owners) {
158 		int bound_dev_if2;
159 
160 		if (sk == sk2)
161 			continue;
162 		bound_dev_if2 = READ_ONCE(sk2->sk_bound_dev_if);
163 		if ((!sk->sk_bound_dev_if ||
164 		     !bound_dev_if2 ||
165 		     sk->sk_bound_dev_if == bound_dev_if2)) {
166 			if (reuse && sk2->sk_reuse &&
167 			    sk2->sk_state != TCP_LISTEN) {
168 				if ((!relax ||
169 				     (!reuseport_ok &&
170 				      reuseport && sk2->sk_reuseport &&
171 				      reuseport_cb_ok &&
172 				      (sk2->sk_state == TCP_TIME_WAIT ||
173 				       uid_eq(uid, sock_i_uid(sk2))))) &&
174 				    inet_rcv_saddr_equal(sk, sk2, true))
175 					break;
176 			} else if (!reuseport_ok ||
177 				   !reuseport || !sk2->sk_reuseport ||
178 				   !reuseport_cb_ok ||
179 				   (sk2->sk_state != TCP_TIME_WAIT &&
180 				    !uid_eq(uid, sock_i_uid(sk2)))) {
181 				if (inet_rcv_saddr_equal(sk, sk2, true))
182 					break;
183 			}
184 		}
185 	}
186 	return sk2 != NULL;
187 }
188 
189 /*
190  * Find an open port number for the socket.  Returns with the
191  * inet_bind_hashbucket lock held.
192  */
193 static struct inet_bind_hashbucket *
194 inet_csk_find_open_port(struct sock *sk, struct inet_bind_bucket **tb_ret, int *port_ret)
195 {
196 	struct inet_hashinfo *hinfo = sk->sk_prot->h.hashinfo;
197 	int port = 0;
198 	struct inet_bind_hashbucket *head;
199 	struct net *net = sock_net(sk);
200 	bool relax = false;
201 	int i, low, high, attempt_half;
202 	struct inet_bind_bucket *tb;
203 	u32 remaining, offset;
204 	int l3mdev;
205 
206 	l3mdev = inet_sk_bound_l3mdev(sk);
207 ports_exhausted:
208 	attempt_half = (sk->sk_reuse == SK_CAN_REUSE) ? 1 : 0;
209 other_half_scan:
210 	inet_get_local_port_range(net, &low, &high);
211 	high++; /* [32768, 60999] -> [32768, 61000[ */
212 	if (high - low < 4)
213 		attempt_half = 0;
214 	if (attempt_half) {
215 		int half = low + (((high - low) >> 2) << 1);
216 
217 		if (attempt_half == 1)
218 			high = half;
219 		else
220 			low = half;
221 	}
222 	remaining = high - low;
223 	if (likely(remaining > 1))
224 		remaining &= ~1U;
225 
226 	offset = prandom_u32() % remaining;
227 	/* __inet_hash_connect() favors ports having @low parity
228 	 * We do the opposite to not pollute connect() users.
229 	 */
230 	offset |= 1U;
231 
232 other_parity_scan:
233 	port = low + offset;
234 	for (i = 0; i < remaining; i += 2, port += 2) {
235 		if (unlikely(port >= high))
236 			port -= remaining;
237 		if (inet_is_local_reserved_port(net, port))
238 			continue;
239 		head = &hinfo->bhash[inet_bhashfn(net, port,
240 						  hinfo->bhash_size)];
241 		spin_lock_bh(&head->lock);
242 		inet_bind_bucket_for_each(tb, &head->chain)
243 			if (net_eq(ib_net(tb), net) && tb->l3mdev == l3mdev &&
244 			    tb->port == port) {
245 				if (!inet_csk_bind_conflict(sk, tb, relax, false))
246 					goto success;
247 				goto next_port;
248 			}
249 		tb = NULL;
250 		goto success;
251 next_port:
252 		spin_unlock_bh(&head->lock);
253 		cond_resched();
254 	}
255 
256 	offset--;
257 	if (!(offset & 1))
258 		goto other_parity_scan;
259 
260 	if (attempt_half == 1) {
261 		/* OK we now try the upper half of the range */
262 		attempt_half = 2;
263 		goto other_half_scan;
264 	}
265 
266 	if (net->ipv4.sysctl_ip_autobind_reuse && !relax) {
267 		/* We still have a chance to connect to different destinations */
268 		relax = true;
269 		goto ports_exhausted;
270 	}
271 	return NULL;
272 success:
273 	*port_ret = port;
274 	*tb_ret = tb;
275 	return head;
276 }
277 
278 static inline int sk_reuseport_match(struct inet_bind_bucket *tb,
279 				     struct sock *sk)
280 {
281 	kuid_t uid = sock_i_uid(sk);
282 
283 	if (tb->fastreuseport <= 0)
284 		return 0;
285 	if (!sk->sk_reuseport)
286 		return 0;
287 	if (rcu_access_pointer(sk->sk_reuseport_cb))
288 		return 0;
289 	if (!uid_eq(tb->fastuid, uid))
290 		return 0;
291 	/* We only need to check the rcv_saddr if this tb was once marked
292 	 * without fastreuseport and then was reset, as we can only know that
293 	 * the fast_*rcv_saddr doesn't have any conflicts with the socks on the
294 	 * owners list.
295 	 */
296 	if (tb->fastreuseport == FASTREUSEPORT_ANY)
297 		return 1;
298 #if IS_ENABLED(CONFIG_IPV6)
299 	if (tb->fast_sk_family == AF_INET6)
300 		return ipv6_rcv_saddr_equal(&tb->fast_v6_rcv_saddr,
301 					    inet6_rcv_saddr(sk),
302 					    tb->fast_rcv_saddr,
303 					    sk->sk_rcv_saddr,
304 					    tb->fast_ipv6_only,
305 					    ipv6_only_sock(sk), true, false);
306 #endif
307 	return ipv4_rcv_saddr_equal(tb->fast_rcv_saddr, sk->sk_rcv_saddr,
308 				    ipv6_only_sock(sk), true, false);
309 }
310 
311 void inet_csk_update_fastreuse(struct inet_bind_bucket *tb,
312 			       struct sock *sk)
313 {
314 	kuid_t uid = sock_i_uid(sk);
315 	bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN;
316 
317 	if (hlist_empty(&tb->owners)) {
318 		tb->fastreuse = reuse;
319 		if (sk->sk_reuseport) {
320 			tb->fastreuseport = FASTREUSEPORT_ANY;
321 			tb->fastuid = uid;
322 			tb->fast_rcv_saddr = sk->sk_rcv_saddr;
323 			tb->fast_ipv6_only = ipv6_only_sock(sk);
324 			tb->fast_sk_family = sk->sk_family;
325 #if IS_ENABLED(CONFIG_IPV6)
326 			tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
327 #endif
328 		} else {
329 			tb->fastreuseport = 0;
330 		}
331 	} else {
332 		if (!reuse)
333 			tb->fastreuse = 0;
334 		if (sk->sk_reuseport) {
335 			/* We didn't match or we don't have fastreuseport set on
336 			 * the tb, but we have sk_reuseport set on this socket
337 			 * and we know that there are no bind conflicts with
338 			 * this socket in this tb, so reset our tb's reuseport
339 			 * settings so that any subsequent sockets that match
340 			 * our current socket will be put on the fast path.
341 			 *
342 			 * If we reset we need to set FASTREUSEPORT_STRICT so we
343 			 * do extra checking for all subsequent sk_reuseport
344 			 * socks.
345 			 */
346 			if (!sk_reuseport_match(tb, sk)) {
347 				tb->fastreuseport = FASTREUSEPORT_STRICT;
348 				tb->fastuid = uid;
349 				tb->fast_rcv_saddr = sk->sk_rcv_saddr;
350 				tb->fast_ipv6_only = ipv6_only_sock(sk);
351 				tb->fast_sk_family = sk->sk_family;
352 #if IS_ENABLED(CONFIG_IPV6)
353 				tb->fast_v6_rcv_saddr = sk->sk_v6_rcv_saddr;
354 #endif
355 			}
356 		} else {
357 			tb->fastreuseport = 0;
358 		}
359 	}
360 }
361 
362 /* Obtain a reference to a local port for the given sock,
363  * if snum is zero it means select any available local port.
364  * We try to allocate an odd port (and leave even ports for connect())
365  */
366 int inet_csk_get_port(struct sock *sk, unsigned short snum)
367 {
368 	bool reuse = sk->sk_reuse && sk->sk_state != TCP_LISTEN;
369 	struct inet_hashinfo *hinfo = sk->sk_prot->h.hashinfo;
370 	int ret = 1, port = snum;
371 	struct inet_bind_hashbucket *head;
372 	struct net *net = sock_net(sk);
373 	struct inet_bind_bucket *tb = NULL;
374 	int l3mdev;
375 
376 	l3mdev = inet_sk_bound_l3mdev(sk);
377 
378 	if (!port) {
379 		head = inet_csk_find_open_port(sk, &tb, &port);
380 		if (!head)
381 			return ret;
382 		if (!tb)
383 			goto tb_not_found;
384 		goto success;
385 	}
386 	head = &hinfo->bhash[inet_bhashfn(net, port,
387 					  hinfo->bhash_size)];
388 	spin_lock_bh(&head->lock);
389 	inet_bind_bucket_for_each(tb, &head->chain)
390 		if (net_eq(ib_net(tb), net) && tb->l3mdev == l3mdev &&
391 		    tb->port == port)
392 			goto tb_found;
393 tb_not_found:
394 	tb = inet_bind_bucket_create(hinfo->bind_bucket_cachep,
395 				     net, head, port, l3mdev);
396 	if (!tb)
397 		goto fail_unlock;
398 tb_found:
399 	if (!hlist_empty(&tb->owners)) {
400 		if (sk->sk_reuse == SK_FORCE_REUSE)
401 			goto success;
402 
403 		if ((tb->fastreuse > 0 && reuse) ||
404 		    sk_reuseport_match(tb, sk))
405 			goto success;
406 		if (inet_csk_bind_conflict(sk, tb, true, true))
407 			goto fail_unlock;
408 	}
409 success:
410 	inet_csk_update_fastreuse(tb, sk);
411 
412 	if (!inet_csk(sk)->icsk_bind_hash)
413 		inet_bind_hash(sk, tb, port);
414 	WARN_ON(inet_csk(sk)->icsk_bind_hash != tb);
415 	ret = 0;
416 
417 fail_unlock:
418 	spin_unlock_bh(&head->lock);
419 	return ret;
420 }
421 EXPORT_SYMBOL_GPL(inet_csk_get_port);
422 
423 /*
424  * Wait for an incoming connection, avoid race conditions. This must be called
425  * with the socket locked.
426  */
427 static int inet_csk_wait_for_connect(struct sock *sk, long timeo)
428 {
429 	struct inet_connection_sock *icsk = inet_csk(sk);
430 	DEFINE_WAIT(wait);
431 	int err;
432 
433 	/*
434 	 * True wake-one mechanism for incoming connections: only
435 	 * one process gets woken up, not the 'whole herd'.
436 	 * Since we do not 'race & poll' for established sockets
437 	 * anymore, the common case will execute the loop only once.
438 	 *
439 	 * Subtle issue: "add_wait_queue_exclusive()" will be added
440 	 * after any current non-exclusive waiters, and we know that
441 	 * it will always _stay_ after any new non-exclusive waiters
442 	 * because all non-exclusive waiters are added at the
443 	 * beginning of the wait-queue. As such, it's ok to "drop"
444 	 * our exclusiveness temporarily when we get woken up without
445 	 * having to remove and re-insert us on the wait queue.
446 	 */
447 	for (;;) {
448 		prepare_to_wait_exclusive(sk_sleep(sk), &wait,
449 					  TASK_INTERRUPTIBLE);
450 		release_sock(sk);
451 		if (reqsk_queue_empty(&icsk->icsk_accept_queue))
452 			timeo = schedule_timeout(timeo);
453 		sched_annotate_sleep();
454 		lock_sock(sk);
455 		err = 0;
456 		if (!reqsk_queue_empty(&icsk->icsk_accept_queue))
457 			break;
458 		err = -EINVAL;
459 		if (sk->sk_state != TCP_LISTEN)
460 			break;
461 		err = sock_intr_errno(timeo);
462 		if (signal_pending(current))
463 			break;
464 		err = -EAGAIN;
465 		if (!timeo)
466 			break;
467 	}
468 	finish_wait(sk_sleep(sk), &wait);
469 	return err;
470 }
471 
472 /*
473  * This will accept the next outstanding connection.
474  */
475 struct sock *inet_csk_accept(struct sock *sk, int flags, int *err, bool kern)
476 {
477 	struct inet_connection_sock *icsk = inet_csk(sk);
478 	struct request_sock_queue *queue = &icsk->icsk_accept_queue;
479 	struct request_sock *req;
480 	struct sock *newsk;
481 	int error;
482 
483 	lock_sock(sk);
484 
485 	/* We need to make sure that this socket is listening,
486 	 * and that it has something pending.
487 	 */
488 	error = -EINVAL;
489 	if (sk->sk_state != TCP_LISTEN)
490 		goto out_err;
491 
492 	/* Find already established connection */
493 	if (reqsk_queue_empty(queue)) {
494 		long timeo = sock_rcvtimeo(sk, flags & O_NONBLOCK);
495 
496 		/* If this is a non blocking socket don't sleep */
497 		error = -EAGAIN;
498 		if (!timeo)
499 			goto out_err;
500 
501 		error = inet_csk_wait_for_connect(sk, timeo);
502 		if (error)
503 			goto out_err;
504 	}
505 	req = reqsk_queue_remove(queue, sk);
506 	newsk = req->sk;
507 
508 	if (sk->sk_protocol == IPPROTO_TCP &&
509 	    tcp_rsk(req)->tfo_listener) {
510 		spin_lock_bh(&queue->fastopenq.lock);
511 		if (tcp_rsk(req)->tfo_listener) {
512 			/* We are still waiting for the final ACK from 3WHS
513 			 * so can't free req now. Instead, we set req->sk to
514 			 * NULL to signify that the child socket is taken
515 			 * so reqsk_fastopen_remove() will free the req
516 			 * when 3WHS finishes (or is aborted).
517 			 */
518 			req->sk = NULL;
519 			req = NULL;
520 		}
521 		spin_unlock_bh(&queue->fastopenq.lock);
522 	}
523 
524 out:
525 	release_sock(sk);
526 	if (newsk && mem_cgroup_sockets_enabled) {
527 		int amt;
528 
529 		/* atomically get the memory usage, set and charge the
530 		 * newsk->sk_memcg.
531 		 */
532 		lock_sock(newsk);
533 
534 		/* The socket has not been accepted yet, no need to look at
535 		 * newsk->sk_wmem_queued.
536 		 */
537 		amt = sk_mem_pages(newsk->sk_forward_alloc +
538 				   atomic_read(&newsk->sk_rmem_alloc));
539 		mem_cgroup_sk_alloc(newsk);
540 		if (newsk->sk_memcg && amt)
541 			mem_cgroup_charge_skmem(newsk->sk_memcg, amt,
542 						GFP_KERNEL | __GFP_NOFAIL);
543 
544 		release_sock(newsk);
545 	}
546 	if (req)
547 		reqsk_put(req);
548 	return newsk;
549 out_err:
550 	newsk = NULL;
551 	req = NULL;
552 	*err = error;
553 	goto out;
554 }
555 EXPORT_SYMBOL(inet_csk_accept);
556 
557 /*
558  * Using different timers for retransmit, delayed acks and probes
559  * We may wish use just one timer maintaining a list of expire jiffies
560  * to optimize.
561  */
562 void inet_csk_init_xmit_timers(struct sock *sk,
563 			       void (*retransmit_handler)(struct timer_list *t),
564 			       void (*delack_handler)(struct timer_list *t),
565 			       void (*keepalive_handler)(struct timer_list *t))
566 {
567 	struct inet_connection_sock *icsk = inet_csk(sk);
568 
569 	timer_setup(&icsk->icsk_retransmit_timer, retransmit_handler, 0);
570 	timer_setup(&icsk->icsk_delack_timer, delack_handler, 0);
571 	timer_setup(&sk->sk_timer, keepalive_handler, 0);
572 	icsk->icsk_pending = icsk->icsk_ack.pending = 0;
573 }
574 EXPORT_SYMBOL(inet_csk_init_xmit_timers);
575 
576 void inet_csk_clear_xmit_timers(struct sock *sk)
577 {
578 	struct inet_connection_sock *icsk = inet_csk(sk);
579 
580 	icsk->icsk_pending = icsk->icsk_ack.pending = 0;
581 
582 	sk_stop_timer(sk, &icsk->icsk_retransmit_timer);
583 	sk_stop_timer(sk, &icsk->icsk_delack_timer);
584 	sk_stop_timer(sk, &sk->sk_timer);
585 }
586 EXPORT_SYMBOL(inet_csk_clear_xmit_timers);
587 
588 void inet_csk_delete_keepalive_timer(struct sock *sk)
589 {
590 	sk_stop_timer(sk, &sk->sk_timer);
591 }
592 EXPORT_SYMBOL(inet_csk_delete_keepalive_timer);
593 
594 void inet_csk_reset_keepalive_timer(struct sock *sk, unsigned long len)
595 {
596 	sk_reset_timer(sk, &sk->sk_timer, jiffies + len);
597 }
598 EXPORT_SYMBOL(inet_csk_reset_keepalive_timer);
599 
600 struct dst_entry *inet_csk_route_req(const struct sock *sk,
601 				     struct flowi4 *fl4,
602 				     const struct request_sock *req)
603 {
604 	const struct inet_request_sock *ireq = inet_rsk(req);
605 	struct net *net = read_pnet(&ireq->ireq_net);
606 	struct ip_options_rcu *opt;
607 	struct rtable *rt;
608 
609 	rcu_read_lock();
610 	opt = rcu_dereference(ireq->ireq_opt);
611 
612 	flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark,
613 			   RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
614 			   sk->sk_protocol, inet_sk_flowi_flags(sk),
615 			   (opt && opt->opt.srr) ? opt->opt.faddr : ireq->ir_rmt_addr,
616 			   ireq->ir_loc_addr, ireq->ir_rmt_port,
617 			   htons(ireq->ir_num), sk->sk_uid);
618 	security_req_classify_flow(req, flowi4_to_flowi_common(fl4));
619 	rt = ip_route_output_flow(net, fl4, sk);
620 	if (IS_ERR(rt))
621 		goto no_route;
622 	if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
623 		goto route_err;
624 	rcu_read_unlock();
625 	return &rt->dst;
626 
627 route_err:
628 	ip_rt_put(rt);
629 no_route:
630 	rcu_read_unlock();
631 	__IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
632 	return NULL;
633 }
634 EXPORT_SYMBOL_GPL(inet_csk_route_req);
635 
636 struct dst_entry *inet_csk_route_child_sock(const struct sock *sk,
637 					    struct sock *newsk,
638 					    const struct request_sock *req)
639 {
640 	const struct inet_request_sock *ireq = inet_rsk(req);
641 	struct net *net = read_pnet(&ireq->ireq_net);
642 	struct inet_sock *newinet = inet_sk(newsk);
643 	struct ip_options_rcu *opt;
644 	struct flowi4 *fl4;
645 	struct rtable *rt;
646 
647 	opt = rcu_dereference(ireq->ireq_opt);
648 	fl4 = &newinet->cork.fl.u.ip4;
649 
650 	flowi4_init_output(fl4, ireq->ir_iif, ireq->ir_mark,
651 			   RT_CONN_FLAGS(sk), RT_SCOPE_UNIVERSE,
652 			   sk->sk_protocol, inet_sk_flowi_flags(sk),
653 			   (opt && opt->opt.srr) ? opt->opt.faddr : ireq->ir_rmt_addr,
654 			   ireq->ir_loc_addr, ireq->ir_rmt_port,
655 			   htons(ireq->ir_num), sk->sk_uid);
656 	security_req_classify_flow(req, flowi4_to_flowi_common(fl4));
657 	rt = ip_route_output_flow(net, fl4, sk);
658 	if (IS_ERR(rt))
659 		goto no_route;
660 	if (opt && opt->opt.is_strictroute && rt->rt_uses_gateway)
661 		goto route_err;
662 	return &rt->dst;
663 
664 route_err:
665 	ip_rt_put(rt);
666 no_route:
667 	__IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
668 	return NULL;
669 }
670 EXPORT_SYMBOL_GPL(inet_csk_route_child_sock);
671 
672 /* Decide when to expire the request and when to resend SYN-ACK */
673 static void syn_ack_recalc(struct request_sock *req,
674 			   const int max_syn_ack_retries,
675 			   const u8 rskq_defer_accept,
676 			   int *expire, int *resend)
677 {
678 	if (!rskq_defer_accept) {
679 		*expire = req->num_timeout >= max_syn_ack_retries;
680 		*resend = 1;
681 		return;
682 	}
683 	*expire = req->num_timeout >= max_syn_ack_retries &&
684 		  (!inet_rsk(req)->acked || req->num_timeout >= rskq_defer_accept);
685 	/* Do not resend while waiting for data after ACK,
686 	 * start to resend on end of deferring period to give
687 	 * last chance for data or ACK to create established socket.
688 	 */
689 	*resend = !inet_rsk(req)->acked ||
690 		  req->num_timeout >= rskq_defer_accept - 1;
691 }
692 
693 int inet_rtx_syn_ack(const struct sock *parent, struct request_sock *req)
694 {
695 	int err = req->rsk_ops->rtx_syn_ack(parent, req);
696 
697 	if (!err)
698 		req->num_retrans++;
699 	return err;
700 }
701 EXPORT_SYMBOL(inet_rtx_syn_ack);
702 
703 static struct request_sock *inet_reqsk_clone(struct request_sock *req,
704 					     struct sock *sk)
705 {
706 	struct sock *req_sk, *nreq_sk;
707 	struct request_sock *nreq;
708 
709 	nreq = kmem_cache_alloc(req->rsk_ops->slab, GFP_ATOMIC | __GFP_NOWARN);
710 	if (!nreq) {
711 		__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMIGRATEREQFAILURE);
712 
713 		/* paired with refcount_inc_not_zero() in reuseport_migrate_sock() */
714 		sock_put(sk);
715 		return NULL;
716 	}
717 
718 	req_sk = req_to_sk(req);
719 	nreq_sk = req_to_sk(nreq);
720 
721 	memcpy(nreq_sk, req_sk,
722 	       offsetof(struct sock, sk_dontcopy_begin));
723 	memcpy(&nreq_sk->sk_dontcopy_end, &req_sk->sk_dontcopy_end,
724 	       req->rsk_ops->obj_size - offsetof(struct sock, sk_dontcopy_end));
725 
726 	sk_node_init(&nreq_sk->sk_node);
727 	nreq_sk->sk_tx_queue_mapping = req_sk->sk_tx_queue_mapping;
728 #ifdef CONFIG_SOCK_RX_QUEUE_MAPPING
729 	nreq_sk->sk_rx_queue_mapping = req_sk->sk_rx_queue_mapping;
730 #endif
731 	nreq_sk->sk_incoming_cpu = req_sk->sk_incoming_cpu;
732 
733 	nreq->rsk_listener = sk;
734 
735 	/* We need not acquire fastopenq->lock
736 	 * because the child socket is locked in inet_csk_listen_stop().
737 	 */
738 	if (sk->sk_protocol == IPPROTO_TCP && tcp_rsk(nreq)->tfo_listener)
739 		rcu_assign_pointer(tcp_sk(nreq->sk)->fastopen_rsk, nreq);
740 
741 	return nreq;
742 }
743 
744 static void reqsk_queue_migrated(struct request_sock_queue *queue,
745 				 const struct request_sock *req)
746 {
747 	if (req->num_timeout == 0)
748 		atomic_inc(&queue->young);
749 	atomic_inc(&queue->qlen);
750 }
751 
752 static void reqsk_migrate_reset(struct request_sock *req)
753 {
754 	req->saved_syn = NULL;
755 #if IS_ENABLED(CONFIG_IPV6)
756 	inet_rsk(req)->ipv6_opt = NULL;
757 	inet_rsk(req)->pktopts = NULL;
758 #else
759 	inet_rsk(req)->ireq_opt = NULL;
760 #endif
761 }
762 
763 /* return true if req was found in the ehash table */
764 static bool reqsk_queue_unlink(struct request_sock *req)
765 {
766 	struct inet_hashinfo *hashinfo = req_to_sk(req)->sk_prot->h.hashinfo;
767 	bool found = false;
768 
769 	if (sk_hashed(req_to_sk(req))) {
770 		spinlock_t *lock = inet_ehash_lockp(hashinfo, req->rsk_hash);
771 
772 		spin_lock(lock);
773 		found = __sk_nulls_del_node_init_rcu(req_to_sk(req));
774 		spin_unlock(lock);
775 	}
776 	if (timer_pending(&req->rsk_timer) && del_timer_sync(&req->rsk_timer))
777 		reqsk_put(req);
778 	return found;
779 }
780 
781 bool inet_csk_reqsk_queue_drop(struct sock *sk, struct request_sock *req)
782 {
783 	bool unlinked = reqsk_queue_unlink(req);
784 
785 	if (unlinked) {
786 		reqsk_queue_removed(&inet_csk(sk)->icsk_accept_queue, req);
787 		reqsk_put(req);
788 	}
789 	return unlinked;
790 }
791 EXPORT_SYMBOL(inet_csk_reqsk_queue_drop);
792 
793 void inet_csk_reqsk_queue_drop_and_put(struct sock *sk, struct request_sock *req)
794 {
795 	inet_csk_reqsk_queue_drop(sk, req);
796 	reqsk_put(req);
797 }
798 EXPORT_SYMBOL(inet_csk_reqsk_queue_drop_and_put);
799 
800 static void reqsk_timer_handler(struct timer_list *t)
801 {
802 	struct request_sock *req = from_timer(req, t, rsk_timer);
803 	struct request_sock *nreq = NULL, *oreq = req;
804 	struct sock *sk_listener = req->rsk_listener;
805 	struct inet_connection_sock *icsk;
806 	struct request_sock_queue *queue;
807 	struct net *net;
808 	int max_syn_ack_retries, qlen, expire = 0, resend = 0;
809 
810 	if (inet_sk_state_load(sk_listener) != TCP_LISTEN) {
811 		struct sock *nsk;
812 
813 		nsk = reuseport_migrate_sock(sk_listener, req_to_sk(req), NULL);
814 		if (!nsk)
815 			goto drop;
816 
817 		nreq = inet_reqsk_clone(req, nsk);
818 		if (!nreq)
819 			goto drop;
820 
821 		/* The new timer for the cloned req can decrease the 2
822 		 * by calling inet_csk_reqsk_queue_drop_and_put(), so
823 		 * hold another count to prevent use-after-free and
824 		 * call reqsk_put() just before return.
825 		 */
826 		refcount_set(&nreq->rsk_refcnt, 2 + 1);
827 		timer_setup(&nreq->rsk_timer, reqsk_timer_handler, TIMER_PINNED);
828 		reqsk_queue_migrated(&inet_csk(nsk)->icsk_accept_queue, req);
829 
830 		req = nreq;
831 		sk_listener = nsk;
832 	}
833 
834 	icsk = inet_csk(sk_listener);
835 	net = sock_net(sk_listener);
836 	max_syn_ack_retries = icsk->icsk_syn_retries ? : net->ipv4.sysctl_tcp_synack_retries;
837 	/* Normally all the openreqs are young and become mature
838 	 * (i.e. converted to established socket) for first timeout.
839 	 * If synack was not acknowledged for 1 second, it means
840 	 * one of the following things: synack was lost, ack was lost,
841 	 * rtt is high or nobody planned to ack (i.e. synflood).
842 	 * When server is a bit loaded, queue is populated with old
843 	 * open requests, reducing effective size of queue.
844 	 * When server is well loaded, queue size reduces to zero
845 	 * after several minutes of work. It is not synflood,
846 	 * it is normal operation. The solution is pruning
847 	 * too old entries overriding normal timeout, when
848 	 * situation becomes dangerous.
849 	 *
850 	 * Essentially, we reserve half of room for young
851 	 * embrions; and abort old ones without pity, if old
852 	 * ones are about to clog our table.
853 	 */
854 	queue = &icsk->icsk_accept_queue;
855 	qlen = reqsk_queue_len(queue);
856 	if ((qlen << 1) > max(8U, READ_ONCE(sk_listener->sk_max_ack_backlog))) {
857 		int young = reqsk_queue_len_young(queue) << 1;
858 
859 		while (max_syn_ack_retries > 2) {
860 			if (qlen < young)
861 				break;
862 			max_syn_ack_retries--;
863 			young <<= 1;
864 		}
865 	}
866 	syn_ack_recalc(req, max_syn_ack_retries, READ_ONCE(queue->rskq_defer_accept),
867 		       &expire, &resend);
868 	req->rsk_ops->syn_ack_timeout(req);
869 	if (!expire &&
870 	    (!resend ||
871 	     !inet_rtx_syn_ack(sk_listener, req) ||
872 	     inet_rsk(req)->acked)) {
873 		if (req->num_timeout++ == 0)
874 			atomic_dec(&queue->young);
875 		mod_timer(&req->rsk_timer, jiffies + reqsk_timeout(req, TCP_RTO_MAX));
876 
877 		if (!nreq)
878 			return;
879 
880 		if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) {
881 			/* delete timer */
882 			inet_csk_reqsk_queue_drop(sk_listener, nreq);
883 			goto no_ownership;
884 		}
885 
886 		__NET_INC_STATS(net, LINUX_MIB_TCPMIGRATEREQSUCCESS);
887 		reqsk_migrate_reset(oreq);
888 		reqsk_queue_removed(&inet_csk(oreq->rsk_listener)->icsk_accept_queue, oreq);
889 		reqsk_put(oreq);
890 
891 		reqsk_put(nreq);
892 		return;
893 	}
894 
895 	/* Even if we can clone the req, we may need not retransmit any more
896 	 * SYN+ACKs (nreq->num_timeout > max_syn_ack_retries, etc), or another
897 	 * CPU may win the "own_req" race so that inet_ehash_insert() fails.
898 	 */
899 	if (nreq) {
900 		__NET_INC_STATS(net, LINUX_MIB_TCPMIGRATEREQFAILURE);
901 no_ownership:
902 		reqsk_migrate_reset(nreq);
903 		reqsk_queue_removed(queue, nreq);
904 		__reqsk_free(nreq);
905 	}
906 
907 drop:
908 	inet_csk_reqsk_queue_drop_and_put(oreq->rsk_listener, oreq);
909 }
910 
911 static void reqsk_queue_hash_req(struct request_sock *req,
912 				 unsigned long timeout)
913 {
914 	timer_setup(&req->rsk_timer, reqsk_timer_handler, TIMER_PINNED);
915 	mod_timer(&req->rsk_timer, jiffies + timeout);
916 
917 	inet_ehash_insert(req_to_sk(req), NULL, NULL);
918 	/* before letting lookups find us, make sure all req fields
919 	 * are committed to memory and refcnt initialized.
920 	 */
921 	smp_wmb();
922 	refcount_set(&req->rsk_refcnt, 2 + 1);
923 }
924 
925 void inet_csk_reqsk_queue_hash_add(struct sock *sk, struct request_sock *req,
926 				   unsigned long timeout)
927 {
928 	reqsk_queue_hash_req(req, timeout);
929 	inet_csk_reqsk_queue_added(sk);
930 }
931 EXPORT_SYMBOL_GPL(inet_csk_reqsk_queue_hash_add);
932 
933 static void inet_clone_ulp(const struct request_sock *req, struct sock *newsk,
934 			   const gfp_t priority)
935 {
936 	struct inet_connection_sock *icsk = inet_csk(newsk);
937 
938 	if (!icsk->icsk_ulp_ops)
939 		return;
940 
941 	if (icsk->icsk_ulp_ops->clone)
942 		icsk->icsk_ulp_ops->clone(req, newsk, priority);
943 }
944 
945 /**
946  *	inet_csk_clone_lock - clone an inet socket, and lock its clone
947  *	@sk: the socket to clone
948  *	@req: request_sock
949  *	@priority: for allocation (%GFP_KERNEL, %GFP_ATOMIC, etc)
950  *
951  *	Caller must unlock socket even in error path (bh_unlock_sock(newsk))
952  */
953 struct sock *inet_csk_clone_lock(const struct sock *sk,
954 				 const struct request_sock *req,
955 				 const gfp_t priority)
956 {
957 	struct sock *newsk = sk_clone_lock(sk, priority);
958 
959 	if (newsk) {
960 		struct inet_connection_sock *newicsk = inet_csk(newsk);
961 
962 		inet_sk_set_state(newsk, TCP_SYN_RECV);
963 		newicsk->icsk_bind_hash = NULL;
964 
965 		inet_sk(newsk)->inet_dport = inet_rsk(req)->ir_rmt_port;
966 		inet_sk(newsk)->inet_num = inet_rsk(req)->ir_num;
967 		inet_sk(newsk)->inet_sport = htons(inet_rsk(req)->ir_num);
968 
969 		/* listeners have SOCK_RCU_FREE, not the children */
970 		sock_reset_flag(newsk, SOCK_RCU_FREE);
971 
972 		inet_sk(newsk)->mc_list = NULL;
973 
974 		newsk->sk_mark = inet_rsk(req)->ir_mark;
975 		atomic64_set(&newsk->sk_cookie,
976 			     atomic64_read(&inet_rsk(req)->ir_cookie));
977 
978 		newicsk->icsk_retransmits = 0;
979 		newicsk->icsk_backoff	  = 0;
980 		newicsk->icsk_probes_out  = 0;
981 		newicsk->icsk_probes_tstamp = 0;
982 
983 		/* Deinitialize accept_queue to trap illegal accesses. */
984 		memset(&newicsk->icsk_accept_queue, 0, sizeof(newicsk->icsk_accept_queue));
985 
986 		inet_clone_ulp(req, newsk, priority);
987 
988 		security_inet_csk_clone(newsk, req);
989 	}
990 	return newsk;
991 }
992 EXPORT_SYMBOL_GPL(inet_csk_clone_lock);
993 
994 /*
995  * At this point, there should be no process reference to this
996  * socket, and thus no user references at all.  Therefore we
997  * can assume the socket waitqueue is inactive and nobody will
998  * try to jump onto it.
999  */
1000 void inet_csk_destroy_sock(struct sock *sk)
1001 {
1002 	WARN_ON(sk->sk_state != TCP_CLOSE);
1003 	WARN_ON(!sock_flag(sk, SOCK_DEAD));
1004 
1005 	/* It cannot be in hash table! */
1006 	WARN_ON(!sk_unhashed(sk));
1007 
1008 	/* If it has not 0 inet_sk(sk)->inet_num, it must be bound */
1009 	WARN_ON(inet_sk(sk)->inet_num && !inet_csk(sk)->icsk_bind_hash);
1010 
1011 	sk->sk_prot->destroy(sk);
1012 
1013 	sk_stream_kill_queues(sk);
1014 
1015 	xfrm_sk_free_policy(sk);
1016 
1017 	sk_refcnt_debug_release(sk);
1018 
1019 	this_cpu_dec(*sk->sk_prot->orphan_count);
1020 
1021 	sock_put(sk);
1022 }
1023 EXPORT_SYMBOL(inet_csk_destroy_sock);
1024 
1025 /* This function allows to force a closure of a socket after the call to
1026  * tcp/dccp_create_openreq_child().
1027  */
1028 void inet_csk_prepare_forced_close(struct sock *sk)
1029 	__releases(&sk->sk_lock.slock)
1030 {
1031 	/* sk_clone_lock locked the socket and set refcnt to 2 */
1032 	bh_unlock_sock(sk);
1033 	sock_put(sk);
1034 	inet_csk_prepare_for_destroy_sock(sk);
1035 	inet_sk(sk)->inet_num = 0;
1036 }
1037 EXPORT_SYMBOL(inet_csk_prepare_forced_close);
1038 
1039 int inet_csk_listen_start(struct sock *sk)
1040 {
1041 	struct inet_connection_sock *icsk = inet_csk(sk);
1042 	struct inet_sock *inet = inet_sk(sk);
1043 	int err = -EADDRINUSE;
1044 
1045 	reqsk_queue_alloc(&icsk->icsk_accept_queue);
1046 
1047 	sk->sk_ack_backlog = 0;
1048 	inet_csk_delack_init(sk);
1049 
1050 	if (sk->sk_txrehash == SOCK_TXREHASH_DEFAULT)
1051 		sk->sk_txrehash = READ_ONCE(sock_net(sk)->core.sysctl_txrehash);
1052 
1053 	/* There is race window here: we announce ourselves listening,
1054 	 * but this transition is still not validated by get_port().
1055 	 * It is OK, because this socket enters to hash table only
1056 	 * after validation is complete.
1057 	 */
1058 	inet_sk_state_store(sk, TCP_LISTEN);
1059 	if (!sk->sk_prot->get_port(sk, inet->inet_num)) {
1060 		inet->inet_sport = htons(inet->inet_num);
1061 
1062 		sk_dst_reset(sk);
1063 		err = sk->sk_prot->hash(sk);
1064 
1065 		if (likely(!err))
1066 			return 0;
1067 	}
1068 
1069 	inet_sk_set_state(sk, TCP_CLOSE);
1070 	return err;
1071 }
1072 EXPORT_SYMBOL_GPL(inet_csk_listen_start);
1073 
1074 static void inet_child_forget(struct sock *sk, struct request_sock *req,
1075 			      struct sock *child)
1076 {
1077 	sk->sk_prot->disconnect(child, O_NONBLOCK);
1078 
1079 	sock_orphan(child);
1080 
1081 	this_cpu_inc(*sk->sk_prot->orphan_count);
1082 
1083 	if (sk->sk_protocol == IPPROTO_TCP && tcp_rsk(req)->tfo_listener) {
1084 		BUG_ON(rcu_access_pointer(tcp_sk(child)->fastopen_rsk) != req);
1085 		BUG_ON(sk != req->rsk_listener);
1086 
1087 		/* Paranoid, to prevent race condition if
1088 		 * an inbound pkt destined for child is
1089 		 * blocked by sock lock in tcp_v4_rcv().
1090 		 * Also to satisfy an assertion in
1091 		 * tcp_v4_destroy_sock().
1092 		 */
1093 		RCU_INIT_POINTER(tcp_sk(child)->fastopen_rsk, NULL);
1094 	}
1095 	inet_csk_destroy_sock(child);
1096 }
1097 
1098 struct sock *inet_csk_reqsk_queue_add(struct sock *sk,
1099 				      struct request_sock *req,
1100 				      struct sock *child)
1101 {
1102 	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
1103 
1104 	spin_lock(&queue->rskq_lock);
1105 	if (unlikely(sk->sk_state != TCP_LISTEN)) {
1106 		inet_child_forget(sk, req, child);
1107 		child = NULL;
1108 	} else {
1109 		req->sk = child;
1110 		req->dl_next = NULL;
1111 		if (queue->rskq_accept_head == NULL)
1112 			WRITE_ONCE(queue->rskq_accept_head, req);
1113 		else
1114 			queue->rskq_accept_tail->dl_next = req;
1115 		queue->rskq_accept_tail = req;
1116 		sk_acceptq_added(sk);
1117 	}
1118 	spin_unlock(&queue->rskq_lock);
1119 	return child;
1120 }
1121 EXPORT_SYMBOL(inet_csk_reqsk_queue_add);
1122 
1123 struct sock *inet_csk_complete_hashdance(struct sock *sk, struct sock *child,
1124 					 struct request_sock *req, bool own_req)
1125 {
1126 	if (own_req) {
1127 		inet_csk_reqsk_queue_drop(req->rsk_listener, req);
1128 		reqsk_queue_removed(&inet_csk(req->rsk_listener)->icsk_accept_queue, req);
1129 
1130 		if (sk != req->rsk_listener) {
1131 			/* another listening sk has been selected,
1132 			 * migrate the req to it.
1133 			 */
1134 			struct request_sock *nreq;
1135 
1136 			/* hold a refcnt for the nreq->rsk_listener
1137 			 * which is assigned in inet_reqsk_clone()
1138 			 */
1139 			sock_hold(sk);
1140 			nreq = inet_reqsk_clone(req, sk);
1141 			if (!nreq) {
1142 				inet_child_forget(sk, req, child);
1143 				goto child_put;
1144 			}
1145 
1146 			refcount_set(&nreq->rsk_refcnt, 1);
1147 			if (inet_csk_reqsk_queue_add(sk, nreq, child)) {
1148 				__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMIGRATEREQSUCCESS);
1149 				reqsk_migrate_reset(req);
1150 				reqsk_put(req);
1151 				return child;
1152 			}
1153 
1154 			__NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMIGRATEREQFAILURE);
1155 			reqsk_migrate_reset(nreq);
1156 			__reqsk_free(nreq);
1157 		} else if (inet_csk_reqsk_queue_add(sk, req, child)) {
1158 			return child;
1159 		}
1160 	}
1161 	/* Too bad, another child took ownership of the request, undo. */
1162 child_put:
1163 	bh_unlock_sock(child);
1164 	sock_put(child);
1165 	return NULL;
1166 }
1167 EXPORT_SYMBOL(inet_csk_complete_hashdance);
1168 
1169 /*
1170  *	This routine closes sockets which have been at least partially
1171  *	opened, but not yet accepted.
1172  */
1173 void inet_csk_listen_stop(struct sock *sk)
1174 {
1175 	struct inet_connection_sock *icsk = inet_csk(sk);
1176 	struct request_sock_queue *queue = &icsk->icsk_accept_queue;
1177 	struct request_sock *next, *req;
1178 
1179 	/* Following specs, it would be better either to send FIN
1180 	 * (and enter FIN-WAIT-1, it is normal close)
1181 	 * or to send active reset (abort).
1182 	 * Certainly, it is pretty dangerous while synflood, but it is
1183 	 * bad justification for our negligence 8)
1184 	 * To be honest, we are not able to make either
1185 	 * of the variants now.			--ANK
1186 	 */
1187 	while ((req = reqsk_queue_remove(queue, sk)) != NULL) {
1188 		struct sock *child = req->sk, *nsk;
1189 		struct request_sock *nreq;
1190 
1191 		local_bh_disable();
1192 		bh_lock_sock(child);
1193 		WARN_ON(sock_owned_by_user(child));
1194 		sock_hold(child);
1195 
1196 		nsk = reuseport_migrate_sock(sk, child, NULL);
1197 		if (nsk) {
1198 			nreq = inet_reqsk_clone(req, nsk);
1199 			if (nreq) {
1200 				refcount_set(&nreq->rsk_refcnt, 1);
1201 
1202 				if (inet_csk_reqsk_queue_add(nsk, nreq, child)) {
1203 					__NET_INC_STATS(sock_net(nsk),
1204 							LINUX_MIB_TCPMIGRATEREQSUCCESS);
1205 					reqsk_migrate_reset(req);
1206 				} else {
1207 					__NET_INC_STATS(sock_net(nsk),
1208 							LINUX_MIB_TCPMIGRATEREQFAILURE);
1209 					reqsk_migrate_reset(nreq);
1210 					__reqsk_free(nreq);
1211 				}
1212 
1213 				/* inet_csk_reqsk_queue_add() has already
1214 				 * called inet_child_forget() on failure case.
1215 				 */
1216 				goto skip_child_forget;
1217 			}
1218 		}
1219 
1220 		inet_child_forget(sk, req, child);
1221 skip_child_forget:
1222 		reqsk_put(req);
1223 		bh_unlock_sock(child);
1224 		local_bh_enable();
1225 		sock_put(child);
1226 
1227 		cond_resched();
1228 	}
1229 	if (queue->fastopenq.rskq_rst_head) {
1230 		/* Free all the reqs queued in rskq_rst_head. */
1231 		spin_lock_bh(&queue->fastopenq.lock);
1232 		req = queue->fastopenq.rskq_rst_head;
1233 		queue->fastopenq.rskq_rst_head = NULL;
1234 		spin_unlock_bh(&queue->fastopenq.lock);
1235 		while (req != NULL) {
1236 			next = req->dl_next;
1237 			reqsk_put(req);
1238 			req = next;
1239 		}
1240 	}
1241 	WARN_ON_ONCE(sk->sk_ack_backlog);
1242 }
1243 EXPORT_SYMBOL_GPL(inet_csk_listen_stop);
1244 
1245 void inet_csk_addr2sockaddr(struct sock *sk, struct sockaddr *uaddr)
1246 {
1247 	struct sockaddr_in *sin = (struct sockaddr_in *)uaddr;
1248 	const struct inet_sock *inet = inet_sk(sk);
1249 
1250 	sin->sin_family		= AF_INET;
1251 	sin->sin_addr.s_addr	= inet->inet_daddr;
1252 	sin->sin_port		= inet->inet_dport;
1253 }
1254 EXPORT_SYMBOL_GPL(inet_csk_addr2sockaddr);
1255 
1256 static struct dst_entry *inet_csk_rebuild_route(struct sock *sk, struct flowi *fl)
1257 {
1258 	const struct inet_sock *inet = inet_sk(sk);
1259 	const struct ip_options_rcu *inet_opt;
1260 	__be32 daddr = inet->inet_daddr;
1261 	struct flowi4 *fl4;
1262 	struct rtable *rt;
1263 
1264 	rcu_read_lock();
1265 	inet_opt = rcu_dereference(inet->inet_opt);
1266 	if (inet_opt && inet_opt->opt.srr)
1267 		daddr = inet_opt->opt.faddr;
1268 	fl4 = &fl->u.ip4;
1269 	rt = ip_route_output_ports(sock_net(sk), fl4, sk, daddr,
1270 				   inet->inet_saddr, inet->inet_dport,
1271 				   inet->inet_sport, sk->sk_protocol,
1272 				   RT_CONN_FLAGS(sk), sk->sk_bound_dev_if);
1273 	if (IS_ERR(rt))
1274 		rt = NULL;
1275 	if (rt)
1276 		sk_setup_caps(sk, &rt->dst);
1277 	rcu_read_unlock();
1278 
1279 	return &rt->dst;
1280 }
1281 
1282 struct dst_entry *inet_csk_update_pmtu(struct sock *sk, u32 mtu)
1283 {
1284 	struct dst_entry *dst = __sk_dst_check(sk, 0);
1285 	struct inet_sock *inet = inet_sk(sk);
1286 
1287 	if (!dst) {
1288 		dst = inet_csk_rebuild_route(sk, &inet->cork.fl);
1289 		if (!dst)
1290 			goto out;
1291 	}
1292 	dst->ops->update_pmtu(dst, sk, NULL, mtu, true);
1293 
1294 	dst = __sk_dst_check(sk, 0);
1295 	if (!dst)
1296 		dst = inet_csk_rebuild_route(sk, &inet->cork.fl);
1297 out:
1298 	return dst;
1299 }
1300 EXPORT_SYMBOL_GPL(inet_csk_update_pmtu);
1301