xref: /openbmc/linux/net/ipv6/tcp_ipv6.c (revision 4984dd069f2995f239f075199ee8c0d9f020bcd9)
1 /*
2  *	TCP over IPv6
3  *	Linux INET6 implementation
4  *
5  *	Authors:
6  *	Pedro Roque		<roque@di.fc.ul.pt>
7  *
8  *	Based on:
9  *	linux/net/ipv4/tcp.c
10  *	linux/net/ipv4/tcp_input.c
11  *	linux/net/ipv4/tcp_output.c
12  *
13  *	Fixes:
14  *	Hideaki YOSHIFUJI	:	sin6_scope_id support
15  *	YOSHIFUJI Hideaki @USAGI and:	Support IPV6_V6ONLY socket option, which
16  *	Alexey Kuznetsov		allow both IPv4 and IPv6 sockets to bind
17  *					a single port at the same time.
18  *	YOSHIFUJI Hideaki @USAGI:	convert /proc/net/tcp6 to seq_file.
19  *
20  *	This program is free software; you can redistribute it and/or
21  *      modify it under the terms of the GNU General Public License
22  *      as published by the Free Software Foundation; either version
23  *      2 of the License, or (at your option) any later version.
24  */
25 
26 #include <linux/bottom_half.h>
27 #include <linux/module.h>
28 #include <linux/errno.h>
29 #include <linux/types.h>
30 #include <linux/socket.h>
31 #include <linux/sockios.h>
32 #include <linux/net.h>
33 #include <linux/jiffies.h>
34 #include <linux/in.h>
35 #include <linux/in6.h>
36 #include <linux/netdevice.h>
37 #include <linux/init.h>
38 #include <linux/jhash.h>
39 #include <linux/ipsec.h>
40 #include <linux/times.h>
41 #include <linux/slab.h>
42 #include <linux/uaccess.h>
43 #include <linux/ipv6.h>
44 #include <linux/icmpv6.h>
45 #include <linux/random.h>
46 #include <linux/indirect_call_wrapper.h>
47 
48 #include <net/tcp.h>
49 #include <net/ndisc.h>
50 #include <net/inet6_hashtables.h>
51 #include <net/inet6_connection_sock.h>
52 #include <net/ipv6.h>
53 #include <net/transp_v6.h>
54 #include <net/addrconf.h>
55 #include <net/ip6_route.h>
56 #include <net/ip6_checksum.h>
57 #include <net/inet_ecn.h>
58 #include <net/protocol.h>
59 #include <net/xfrm.h>
60 #include <net/snmp.h>
61 #include <net/dsfield.h>
62 #include <net/timewait_sock.h>
63 #include <net/inet_common.h>
64 #include <net/secure_seq.h>
65 #include <net/busy_poll.h>
66 
67 #include <linux/proc_fs.h>
68 #include <linux/seq_file.h>
69 
70 #include <crypto/hash.h>
71 #include <linux/scatterlist.h>
72 
73 #include <trace/events/tcp.h>
74 
75 static void	tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb);
76 static void	tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
77 				      struct request_sock *req);
78 
79 static int	tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb);
80 
81 static const struct inet_connection_sock_af_ops ipv6_mapped;
82 static const struct inet_connection_sock_af_ops ipv6_specific;
83 #ifdef CONFIG_TCP_MD5SIG
84 static const struct tcp_sock_af_ops tcp_sock_ipv6_specific;
85 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific;
86 #else
87 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,
88 						   const struct in6_addr *addr)
89 {
90 	return NULL;
91 }
92 #endif
93 
94 /* Helper returning the inet6 address from a given tcp socket.
95  * It can be used in TCP stack instead of inet6_sk(sk).
96  * This avoids a dereference and allow compiler optimizations.
97  * It is a specialized version of inet6_sk_generic().
98  */
99 static struct ipv6_pinfo *tcp_inet6_sk(const struct sock *sk)
100 {
101 	unsigned int offset = sizeof(struct tcp6_sock) - sizeof(struct ipv6_pinfo);
102 
103 	return (struct ipv6_pinfo *)(((u8 *)sk) + offset);
104 }
105 
106 static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
107 {
108 	struct dst_entry *dst = skb_dst(skb);
109 
110 	if (dst && dst_hold_safe(dst)) {
111 		const struct rt6_info *rt = (const struct rt6_info *)dst;
112 
113 		sk->sk_rx_dst = dst;
114 		inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
115 		tcp_inet6_sk(sk)->rx_dst_cookie = rt6_get_cookie(rt);
116 	}
117 }
118 
119 static u32 tcp_v6_init_seq(const struct sk_buff *skb)
120 {
121 	return secure_tcpv6_seq(ipv6_hdr(skb)->daddr.s6_addr32,
122 				ipv6_hdr(skb)->saddr.s6_addr32,
123 				tcp_hdr(skb)->dest,
124 				tcp_hdr(skb)->source);
125 }
126 
127 static u32 tcp_v6_init_ts_off(const struct net *net, const struct sk_buff *skb)
128 {
129 	return secure_tcpv6_ts_off(net, ipv6_hdr(skb)->daddr.s6_addr32,
130 				   ipv6_hdr(skb)->saddr.s6_addr32);
131 }
132 
133 static int tcp_v6_pre_connect(struct sock *sk, struct sockaddr *uaddr,
134 			      int addr_len)
135 {
136 	/* This check is replicated from tcp_v6_connect() and intended to
137 	 * prevent BPF program called below from accessing bytes that are out
138 	 * of the bound specified by user in addr_len.
139 	 */
140 	if (addr_len < SIN6_LEN_RFC2133)
141 		return -EINVAL;
142 
143 	sock_owned_by_me(sk);
144 
145 	return BPF_CGROUP_RUN_PROG_INET6_CONNECT(sk, uaddr);
146 }
147 
148 static int tcp_v6_connect(struct sock *sk, struct sockaddr *uaddr,
149 			  int addr_len)
150 {
151 	struct sockaddr_in6 *usin = (struct sockaddr_in6 *) uaddr;
152 	struct inet_sock *inet = inet_sk(sk);
153 	struct inet_connection_sock *icsk = inet_csk(sk);
154 	struct ipv6_pinfo *np = tcp_inet6_sk(sk);
155 	struct tcp_sock *tp = tcp_sk(sk);
156 	struct in6_addr *saddr = NULL, *final_p, final;
157 	struct ipv6_txoptions *opt;
158 	struct flowi6 fl6;
159 	struct dst_entry *dst;
160 	int addr_type;
161 	int err;
162 	struct inet_timewait_death_row *tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
163 
164 	if (addr_len < SIN6_LEN_RFC2133)
165 		return -EINVAL;
166 
167 	if (usin->sin6_family != AF_INET6)
168 		return -EAFNOSUPPORT;
169 
170 	memset(&fl6, 0, sizeof(fl6));
171 
172 	if (np->sndflow) {
173 		fl6.flowlabel = usin->sin6_flowinfo&IPV6_FLOWINFO_MASK;
174 		IP6_ECN_flow_init(fl6.flowlabel);
175 		if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) {
176 			struct ip6_flowlabel *flowlabel;
177 			flowlabel = fl6_sock_lookup(sk, fl6.flowlabel);
178 			if (!flowlabel)
179 				return -EINVAL;
180 			fl6_sock_release(flowlabel);
181 		}
182 	}
183 
184 	/*
185 	 *	connect() to INADDR_ANY means loopback (BSD'ism).
186 	 */
187 
188 	if (ipv6_addr_any(&usin->sin6_addr)) {
189 		if (ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
190 			ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
191 					       &usin->sin6_addr);
192 		else
193 			usin->sin6_addr = in6addr_loopback;
194 	}
195 
196 	addr_type = ipv6_addr_type(&usin->sin6_addr);
197 
198 	if (addr_type & IPV6_ADDR_MULTICAST)
199 		return -ENETUNREACH;
200 
201 	if (addr_type&IPV6_ADDR_LINKLOCAL) {
202 		if (addr_len >= sizeof(struct sockaddr_in6) &&
203 		    usin->sin6_scope_id) {
204 			/* If interface is set while binding, indices
205 			 * must coincide.
206 			 */
207 			if (!sk_dev_equal_l3scope(sk, usin->sin6_scope_id))
208 				return -EINVAL;
209 
210 			sk->sk_bound_dev_if = usin->sin6_scope_id;
211 		}
212 
213 		/* Connect to link-local address requires an interface */
214 		if (!sk->sk_bound_dev_if)
215 			return -EINVAL;
216 	}
217 
218 	if (tp->rx_opt.ts_recent_stamp &&
219 	    !ipv6_addr_equal(&sk->sk_v6_daddr, &usin->sin6_addr)) {
220 		tp->rx_opt.ts_recent = 0;
221 		tp->rx_opt.ts_recent_stamp = 0;
222 		tp->write_seq = 0;
223 	}
224 
225 	sk->sk_v6_daddr = usin->sin6_addr;
226 	np->flow_label = fl6.flowlabel;
227 
228 	/*
229 	 *	TCP over IPv4
230 	 */
231 
232 	if (addr_type & IPV6_ADDR_MAPPED) {
233 		u32 exthdrlen = icsk->icsk_ext_hdr_len;
234 		struct sockaddr_in sin;
235 
236 		if (__ipv6_only_sock(sk))
237 			return -ENETUNREACH;
238 
239 		sin.sin_family = AF_INET;
240 		sin.sin_port = usin->sin6_port;
241 		sin.sin_addr.s_addr = usin->sin6_addr.s6_addr32[3];
242 
243 		icsk->icsk_af_ops = &ipv6_mapped;
244 		sk->sk_backlog_rcv = tcp_v4_do_rcv;
245 #ifdef CONFIG_TCP_MD5SIG
246 		tp->af_specific = &tcp_sock_ipv6_mapped_specific;
247 #endif
248 
249 		err = tcp_v4_connect(sk, (struct sockaddr *)&sin, sizeof(sin));
250 
251 		if (err) {
252 			icsk->icsk_ext_hdr_len = exthdrlen;
253 			icsk->icsk_af_ops = &ipv6_specific;
254 			sk->sk_backlog_rcv = tcp_v6_do_rcv;
255 #ifdef CONFIG_TCP_MD5SIG
256 			tp->af_specific = &tcp_sock_ipv6_specific;
257 #endif
258 			goto failure;
259 		}
260 		np->saddr = sk->sk_v6_rcv_saddr;
261 
262 		return err;
263 	}
264 
265 	if (!ipv6_addr_any(&sk->sk_v6_rcv_saddr))
266 		saddr = &sk->sk_v6_rcv_saddr;
267 
268 	fl6.flowi6_proto = IPPROTO_TCP;
269 	fl6.daddr = sk->sk_v6_daddr;
270 	fl6.saddr = saddr ? *saddr : np->saddr;
271 	fl6.flowi6_oif = sk->sk_bound_dev_if;
272 	fl6.flowi6_mark = sk->sk_mark;
273 	fl6.fl6_dport = usin->sin6_port;
274 	fl6.fl6_sport = inet->inet_sport;
275 	fl6.flowi6_uid = sk->sk_uid;
276 
277 	opt = rcu_dereference_protected(np->opt, lockdep_sock_is_held(sk));
278 	final_p = fl6_update_dst(&fl6, opt, &final);
279 
280 	security_sk_classify_flow(sk, flowi6_to_flowi(&fl6));
281 
282 	dst = ip6_dst_lookup_flow(sk, &fl6, final_p);
283 	if (IS_ERR(dst)) {
284 		err = PTR_ERR(dst);
285 		goto failure;
286 	}
287 
288 	if (!saddr) {
289 		saddr = &fl6.saddr;
290 		sk->sk_v6_rcv_saddr = *saddr;
291 	}
292 
293 	/* set the source address */
294 	np->saddr = *saddr;
295 	inet->inet_rcv_saddr = LOOPBACK4_IPV6;
296 
297 	sk->sk_gso_type = SKB_GSO_TCPV6;
298 	ip6_dst_store(sk, dst, NULL, NULL);
299 
300 	icsk->icsk_ext_hdr_len = 0;
301 	if (opt)
302 		icsk->icsk_ext_hdr_len = opt->opt_flen +
303 					 opt->opt_nflen;
304 
305 	tp->rx_opt.mss_clamp = IPV6_MIN_MTU - sizeof(struct tcphdr) - sizeof(struct ipv6hdr);
306 
307 	inet->inet_dport = usin->sin6_port;
308 
309 	tcp_set_state(sk, TCP_SYN_SENT);
310 	err = inet6_hash_connect(tcp_death_row, sk);
311 	if (err)
312 		goto late_failure;
313 
314 	sk_set_txhash(sk);
315 
316 	if (likely(!tp->repair)) {
317 		if (!tp->write_seq)
318 			tp->write_seq = secure_tcpv6_seq(np->saddr.s6_addr32,
319 							 sk->sk_v6_daddr.s6_addr32,
320 							 inet->inet_sport,
321 							 inet->inet_dport);
322 		tp->tsoffset = secure_tcpv6_ts_off(sock_net(sk),
323 						   np->saddr.s6_addr32,
324 						   sk->sk_v6_daddr.s6_addr32);
325 	}
326 
327 	if (tcp_fastopen_defer_connect(sk, &err))
328 		return err;
329 	if (err)
330 		goto late_failure;
331 
332 	err = tcp_connect(sk);
333 	if (err)
334 		goto late_failure;
335 
336 	return 0;
337 
338 late_failure:
339 	tcp_set_state(sk, TCP_CLOSE);
340 failure:
341 	inet->inet_dport = 0;
342 	sk->sk_route_caps = 0;
343 	return err;
344 }
345 
346 static void tcp_v6_mtu_reduced(struct sock *sk)
347 {
348 	struct dst_entry *dst;
349 
350 	if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
351 		return;
352 
353 	dst = inet6_csk_update_pmtu(sk, tcp_sk(sk)->mtu_info);
354 	if (!dst)
355 		return;
356 
357 	if (inet_csk(sk)->icsk_pmtu_cookie > dst_mtu(dst)) {
358 		tcp_sync_mss(sk, dst_mtu(dst));
359 		tcp_simple_retransmit(sk);
360 	}
361 }
362 
363 static int tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
364 		u8 type, u8 code, int offset, __be32 info)
365 {
366 	const struct ipv6hdr *hdr = (const struct ipv6hdr *)skb->data;
367 	const struct tcphdr *th = (struct tcphdr *)(skb->data+offset);
368 	struct net *net = dev_net(skb->dev);
369 	struct request_sock *fastopen;
370 	struct ipv6_pinfo *np;
371 	struct tcp_sock *tp;
372 	__u32 seq, snd_una;
373 	struct sock *sk;
374 	bool fatal;
375 	int err;
376 
377 	sk = __inet6_lookup_established(net, &tcp_hashinfo,
378 					&hdr->daddr, th->dest,
379 					&hdr->saddr, ntohs(th->source),
380 					skb->dev->ifindex, inet6_sdif(skb));
381 
382 	if (!sk) {
383 		__ICMP6_INC_STATS(net, __in6_dev_get(skb->dev),
384 				  ICMP6_MIB_INERRORS);
385 		return -ENOENT;
386 	}
387 
388 	if (sk->sk_state == TCP_TIME_WAIT) {
389 		inet_twsk_put(inet_twsk(sk));
390 		return 0;
391 	}
392 	seq = ntohl(th->seq);
393 	fatal = icmpv6_err_convert(type, code, &err);
394 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
395 		tcp_req_err(sk, seq, fatal);
396 		return 0;
397 	}
398 
399 	bh_lock_sock(sk);
400 	if (sock_owned_by_user(sk) && type != ICMPV6_PKT_TOOBIG)
401 		__NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
402 
403 	if (sk->sk_state == TCP_CLOSE)
404 		goto out;
405 
406 	if (ipv6_hdr(skb)->hop_limit < tcp_inet6_sk(sk)->min_hopcount) {
407 		__NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
408 		goto out;
409 	}
410 
411 	tp = tcp_sk(sk);
412 	/* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */
413 	fastopen = tp->fastopen_rsk;
414 	snd_una = fastopen ? tcp_rsk(fastopen)->snt_isn : tp->snd_una;
415 	if (sk->sk_state != TCP_LISTEN &&
416 	    !between(seq, snd_una, tp->snd_nxt)) {
417 		__NET_INC_STATS(net, LINUX_MIB_OUTOFWINDOWICMPS);
418 		goto out;
419 	}
420 
421 	np = tcp_inet6_sk(sk);
422 
423 	if (type == NDISC_REDIRECT) {
424 		if (!sock_owned_by_user(sk)) {
425 			struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
426 
427 			if (dst)
428 				dst->ops->redirect(dst, sk, skb);
429 		}
430 		goto out;
431 	}
432 
433 	if (type == ICMPV6_PKT_TOOBIG) {
434 		/* We are not interested in TCP_LISTEN and open_requests
435 		 * (SYN-ACKs send out by Linux are always <576bytes so
436 		 * they should go through unfragmented).
437 		 */
438 		if (sk->sk_state == TCP_LISTEN)
439 			goto out;
440 
441 		if (!ip6_sk_accept_pmtu(sk))
442 			goto out;
443 
444 		tp->mtu_info = ntohl(info);
445 		if (!sock_owned_by_user(sk))
446 			tcp_v6_mtu_reduced(sk);
447 		else if (!test_and_set_bit(TCP_MTU_REDUCED_DEFERRED,
448 					   &sk->sk_tsq_flags))
449 			sock_hold(sk);
450 		goto out;
451 	}
452 
453 
454 	/* Might be for an request_sock */
455 	switch (sk->sk_state) {
456 	case TCP_SYN_SENT:
457 	case TCP_SYN_RECV:
458 		/* Only in fast or simultaneous open. If a fast open socket is
459 		 * is already accepted it is treated as a connected one below.
460 		 */
461 		if (fastopen && !fastopen->sk)
462 			break;
463 
464 		if (!sock_owned_by_user(sk)) {
465 			sk->sk_err = err;
466 			sk->sk_error_report(sk);		/* Wake people up to see the error (see connect in sock.c) */
467 
468 			tcp_done(sk);
469 		} else
470 			sk->sk_err_soft = err;
471 		goto out;
472 	}
473 
474 	if (!sock_owned_by_user(sk) && np->recverr) {
475 		sk->sk_err = err;
476 		sk->sk_error_report(sk);
477 	} else
478 		sk->sk_err_soft = err;
479 
480 out:
481 	bh_unlock_sock(sk);
482 	sock_put(sk);
483 	return 0;
484 }
485 
486 
487 static int tcp_v6_send_synack(const struct sock *sk, struct dst_entry *dst,
488 			      struct flowi *fl,
489 			      struct request_sock *req,
490 			      struct tcp_fastopen_cookie *foc,
491 			      enum tcp_synack_type synack_type)
492 {
493 	struct inet_request_sock *ireq = inet_rsk(req);
494 	struct ipv6_pinfo *np = tcp_inet6_sk(sk);
495 	struct ipv6_txoptions *opt;
496 	struct flowi6 *fl6 = &fl->u.ip6;
497 	struct sk_buff *skb;
498 	int err = -ENOMEM;
499 
500 	/* First, grab a route. */
501 	if (!dst && (dst = inet6_csk_route_req(sk, fl6, req,
502 					       IPPROTO_TCP)) == NULL)
503 		goto done;
504 
505 	skb = tcp_make_synack(sk, dst, req, foc, synack_type);
506 
507 	if (skb) {
508 		__tcp_v6_send_check(skb, &ireq->ir_v6_loc_addr,
509 				    &ireq->ir_v6_rmt_addr);
510 
511 		fl6->daddr = ireq->ir_v6_rmt_addr;
512 		if (np->repflow && ireq->pktopts)
513 			fl6->flowlabel = ip6_flowlabel(ipv6_hdr(ireq->pktopts));
514 
515 		rcu_read_lock();
516 		opt = ireq->ipv6_opt;
517 		if (!opt)
518 			opt = rcu_dereference(np->opt);
519 		err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass);
520 		rcu_read_unlock();
521 		err = net_xmit_eval(err);
522 	}
523 
524 done:
525 	return err;
526 }
527 
528 
529 static void tcp_v6_reqsk_destructor(struct request_sock *req)
530 {
531 	kfree(inet_rsk(req)->ipv6_opt);
532 	kfree_skb(inet_rsk(req)->pktopts);
533 }
534 
535 #ifdef CONFIG_TCP_MD5SIG
536 static struct tcp_md5sig_key *tcp_v6_md5_do_lookup(const struct sock *sk,
537 						   const struct in6_addr *addr)
538 {
539 	return tcp_md5_do_lookup(sk, (union tcp_md5_addr *)addr, AF_INET6);
540 }
541 
542 static struct tcp_md5sig_key *tcp_v6_md5_lookup(const struct sock *sk,
543 						const struct sock *addr_sk)
544 {
545 	return tcp_v6_md5_do_lookup(sk, &addr_sk->sk_v6_daddr);
546 }
547 
548 static int tcp_v6_parse_md5_keys(struct sock *sk, int optname,
549 				 char __user *optval, int optlen)
550 {
551 	struct tcp_md5sig cmd;
552 	struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&cmd.tcpm_addr;
553 	u8 prefixlen;
554 
555 	if (optlen < sizeof(cmd))
556 		return -EINVAL;
557 
558 	if (copy_from_user(&cmd, optval, sizeof(cmd)))
559 		return -EFAULT;
560 
561 	if (sin6->sin6_family != AF_INET6)
562 		return -EINVAL;
563 
564 	if (optname == TCP_MD5SIG_EXT &&
565 	    cmd.tcpm_flags & TCP_MD5SIG_FLAG_PREFIX) {
566 		prefixlen = cmd.tcpm_prefixlen;
567 		if (prefixlen > 128 || (ipv6_addr_v4mapped(&sin6->sin6_addr) &&
568 					prefixlen > 32))
569 			return -EINVAL;
570 	} else {
571 		prefixlen = ipv6_addr_v4mapped(&sin6->sin6_addr) ? 32 : 128;
572 	}
573 
574 	if (!cmd.tcpm_keylen) {
575 		if (ipv6_addr_v4mapped(&sin6->sin6_addr))
576 			return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
577 					      AF_INET, prefixlen);
578 		return tcp_md5_do_del(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
579 				      AF_INET6, prefixlen);
580 	}
581 
582 	if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
583 		return -EINVAL;
584 
585 	if (ipv6_addr_v4mapped(&sin6->sin6_addr))
586 		return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr.s6_addr32[3],
587 				      AF_INET, prefixlen, cmd.tcpm_key,
588 				      cmd.tcpm_keylen, GFP_KERNEL);
589 
590 	return tcp_md5_do_add(sk, (union tcp_md5_addr *)&sin6->sin6_addr,
591 			      AF_INET6, prefixlen, cmd.tcpm_key,
592 			      cmd.tcpm_keylen, GFP_KERNEL);
593 }
594 
595 static int tcp_v6_md5_hash_headers(struct tcp_md5sig_pool *hp,
596 				   const struct in6_addr *daddr,
597 				   const struct in6_addr *saddr,
598 				   const struct tcphdr *th, int nbytes)
599 {
600 	struct tcp6_pseudohdr *bp;
601 	struct scatterlist sg;
602 	struct tcphdr *_th;
603 
604 	bp = hp->scratch;
605 	/* 1. TCP pseudo-header (RFC2460) */
606 	bp->saddr = *saddr;
607 	bp->daddr = *daddr;
608 	bp->protocol = cpu_to_be32(IPPROTO_TCP);
609 	bp->len = cpu_to_be32(nbytes);
610 
611 	_th = (struct tcphdr *)(bp + 1);
612 	memcpy(_th, th, sizeof(*th));
613 	_th->check = 0;
614 
615 	sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th));
616 	ahash_request_set_crypt(hp->md5_req, &sg, NULL,
617 				sizeof(*bp) + sizeof(*th));
618 	return crypto_ahash_update(hp->md5_req);
619 }
620 
621 static int tcp_v6_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
622 			       const struct in6_addr *daddr, struct in6_addr *saddr,
623 			       const struct tcphdr *th)
624 {
625 	struct tcp_md5sig_pool *hp;
626 	struct ahash_request *req;
627 
628 	hp = tcp_get_md5sig_pool();
629 	if (!hp)
630 		goto clear_hash_noput;
631 	req = hp->md5_req;
632 
633 	if (crypto_ahash_init(req))
634 		goto clear_hash;
635 	if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, th->doff << 2))
636 		goto clear_hash;
637 	if (tcp_md5_hash_key(hp, key))
638 		goto clear_hash;
639 	ahash_request_set_crypt(req, NULL, md5_hash, 0);
640 	if (crypto_ahash_final(req))
641 		goto clear_hash;
642 
643 	tcp_put_md5sig_pool();
644 	return 0;
645 
646 clear_hash:
647 	tcp_put_md5sig_pool();
648 clear_hash_noput:
649 	memset(md5_hash, 0, 16);
650 	return 1;
651 }
652 
653 static int tcp_v6_md5_hash_skb(char *md5_hash,
654 			       const struct tcp_md5sig_key *key,
655 			       const struct sock *sk,
656 			       const struct sk_buff *skb)
657 {
658 	const struct in6_addr *saddr, *daddr;
659 	struct tcp_md5sig_pool *hp;
660 	struct ahash_request *req;
661 	const struct tcphdr *th = tcp_hdr(skb);
662 
663 	if (sk) { /* valid for establish/request sockets */
664 		saddr = &sk->sk_v6_rcv_saddr;
665 		daddr = &sk->sk_v6_daddr;
666 	} else {
667 		const struct ipv6hdr *ip6h = ipv6_hdr(skb);
668 		saddr = &ip6h->saddr;
669 		daddr = &ip6h->daddr;
670 	}
671 
672 	hp = tcp_get_md5sig_pool();
673 	if (!hp)
674 		goto clear_hash_noput;
675 	req = hp->md5_req;
676 
677 	if (crypto_ahash_init(req))
678 		goto clear_hash;
679 
680 	if (tcp_v6_md5_hash_headers(hp, daddr, saddr, th, skb->len))
681 		goto clear_hash;
682 	if (tcp_md5_hash_skb_data(hp, skb, th->doff << 2))
683 		goto clear_hash;
684 	if (tcp_md5_hash_key(hp, key))
685 		goto clear_hash;
686 	ahash_request_set_crypt(req, NULL, md5_hash, 0);
687 	if (crypto_ahash_final(req))
688 		goto clear_hash;
689 
690 	tcp_put_md5sig_pool();
691 	return 0;
692 
693 clear_hash:
694 	tcp_put_md5sig_pool();
695 clear_hash_noput:
696 	memset(md5_hash, 0, 16);
697 	return 1;
698 }
699 
700 #endif
701 
702 static bool tcp_v6_inbound_md5_hash(const struct sock *sk,
703 				    const struct sk_buff *skb)
704 {
705 #ifdef CONFIG_TCP_MD5SIG
706 	const __u8 *hash_location = NULL;
707 	struct tcp_md5sig_key *hash_expected;
708 	const struct ipv6hdr *ip6h = ipv6_hdr(skb);
709 	const struct tcphdr *th = tcp_hdr(skb);
710 	int genhash;
711 	u8 newhash[16];
712 
713 	hash_expected = tcp_v6_md5_do_lookup(sk, &ip6h->saddr);
714 	hash_location = tcp_parse_md5sig_option(th);
715 
716 	/* We've parsed the options - do we have a hash? */
717 	if (!hash_expected && !hash_location)
718 		return false;
719 
720 	if (hash_expected && !hash_location) {
721 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5NOTFOUND);
722 		return true;
723 	}
724 
725 	if (!hash_expected && hash_location) {
726 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5UNEXPECTED);
727 		return true;
728 	}
729 
730 	/* check the signature */
731 	genhash = tcp_v6_md5_hash_skb(newhash,
732 				      hash_expected,
733 				      NULL, skb);
734 
735 	if (genhash || memcmp(hash_location, newhash, 16) != 0) {
736 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPMD5FAILURE);
737 		net_info_ratelimited("MD5 Hash %s for [%pI6c]:%u->[%pI6c]:%u\n",
738 				     genhash ? "failed" : "mismatch",
739 				     &ip6h->saddr, ntohs(th->source),
740 				     &ip6h->daddr, ntohs(th->dest));
741 		return true;
742 	}
743 #endif
744 	return false;
745 }
746 
747 static void tcp_v6_init_req(struct request_sock *req,
748 			    const struct sock *sk_listener,
749 			    struct sk_buff *skb)
750 {
751 	bool l3_slave = ipv6_l3mdev_skb(TCP_SKB_CB(skb)->header.h6.flags);
752 	struct inet_request_sock *ireq = inet_rsk(req);
753 	const struct ipv6_pinfo *np = tcp_inet6_sk(sk_listener);
754 
755 	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
756 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
757 
758 	/* So that link locals have meaning */
759 	if ((!sk_listener->sk_bound_dev_if || l3_slave) &&
760 	    ipv6_addr_type(&ireq->ir_v6_rmt_addr) & IPV6_ADDR_LINKLOCAL)
761 		ireq->ir_iif = tcp_v6_iif(skb);
762 
763 	if (!TCP_SKB_CB(skb)->tcp_tw_isn &&
764 	    (ipv6_opt_accepted(sk_listener, skb, &TCP_SKB_CB(skb)->header.h6) ||
765 	     np->rxopt.bits.rxinfo ||
766 	     np->rxopt.bits.rxoinfo || np->rxopt.bits.rxhlim ||
767 	     np->rxopt.bits.rxohlim || np->repflow)) {
768 		refcount_inc(&skb->users);
769 		ireq->pktopts = skb;
770 	}
771 }
772 
773 static struct dst_entry *tcp_v6_route_req(const struct sock *sk,
774 					  struct flowi *fl,
775 					  const struct request_sock *req)
776 {
777 	return inet6_csk_route_req(sk, &fl->u.ip6, req, IPPROTO_TCP);
778 }
779 
780 struct request_sock_ops tcp6_request_sock_ops __read_mostly = {
781 	.family		=	AF_INET6,
782 	.obj_size	=	sizeof(struct tcp6_request_sock),
783 	.rtx_syn_ack	=	tcp_rtx_synack,
784 	.send_ack	=	tcp_v6_reqsk_send_ack,
785 	.destructor	=	tcp_v6_reqsk_destructor,
786 	.send_reset	=	tcp_v6_send_reset,
787 	.syn_ack_timeout =	tcp_syn_ack_timeout,
788 };
789 
790 static const struct tcp_request_sock_ops tcp_request_sock_ipv6_ops = {
791 	.mss_clamp	=	IPV6_MIN_MTU - sizeof(struct tcphdr) -
792 				sizeof(struct ipv6hdr),
793 #ifdef CONFIG_TCP_MD5SIG
794 	.req_md5_lookup	=	tcp_v6_md5_lookup,
795 	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
796 #endif
797 	.init_req	=	tcp_v6_init_req,
798 #ifdef CONFIG_SYN_COOKIES
799 	.cookie_init_seq =	cookie_v6_init_sequence,
800 #endif
801 	.route_req	=	tcp_v6_route_req,
802 	.init_seq	=	tcp_v6_init_seq,
803 	.init_ts_off	=	tcp_v6_init_ts_off,
804 	.send_synack	=	tcp_v6_send_synack,
805 };
806 
807 static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32 seq,
808 				 u32 ack, u32 win, u32 tsval, u32 tsecr,
809 				 int oif, struct tcp_md5sig_key *key, int rst,
810 				 u8 tclass, __be32 label)
811 {
812 	const struct tcphdr *th = tcp_hdr(skb);
813 	struct tcphdr *t1;
814 	struct sk_buff *buff;
815 	struct flowi6 fl6;
816 	struct net *net = sk ? sock_net(sk) : dev_net(skb_dst(skb)->dev);
817 	struct sock *ctl_sk = net->ipv6.tcp_sk;
818 	unsigned int tot_len = sizeof(struct tcphdr);
819 	struct dst_entry *dst;
820 	__be32 *topt;
821 	__u32 mark = 0;
822 
823 	if (tsecr)
824 		tot_len += TCPOLEN_TSTAMP_ALIGNED;
825 #ifdef CONFIG_TCP_MD5SIG
826 	if (key)
827 		tot_len += TCPOLEN_MD5SIG_ALIGNED;
828 #endif
829 
830 	buff = alloc_skb(MAX_HEADER + sizeof(struct ipv6hdr) + tot_len,
831 			 GFP_ATOMIC);
832 	if (!buff)
833 		return;
834 
835 	skb_reserve(buff, MAX_HEADER + sizeof(struct ipv6hdr) + tot_len);
836 
837 	t1 = skb_push(buff, tot_len);
838 	skb_reset_transport_header(buff);
839 
840 	/* Swap the send and the receive. */
841 	memset(t1, 0, sizeof(*t1));
842 	t1->dest = th->source;
843 	t1->source = th->dest;
844 	t1->doff = tot_len / 4;
845 	t1->seq = htonl(seq);
846 	t1->ack_seq = htonl(ack);
847 	t1->ack = !rst || !th->ack;
848 	t1->rst = rst;
849 	t1->window = htons(win);
850 
851 	topt = (__be32 *)(t1 + 1);
852 
853 	if (tsecr) {
854 		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
855 				(TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
856 		*topt++ = htonl(tsval);
857 		*topt++ = htonl(tsecr);
858 	}
859 
860 #ifdef CONFIG_TCP_MD5SIG
861 	if (key) {
862 		*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
863 				(TCPOPT_MD5SIG << 8) | TCPOLEN_MD5SIG);
864 		tcp_v6_md5_hash_hdr((__u8 *)topt, key,
865 				    &ipv6_hdr(skb)->saddr,
866 				    &ipv6_hdr(skb)->daddr, t1);
867 	}
868 #endif
869 
870 	memset(&fl6, 0, sizeof(fl6));
871 	fl6.daddr = ipv6_hdr(skb)->saddr;
872 	fl6.saddr = ipv6_hdr(skb)->daddr;
873 	fl6.flowlabel = label;
874 
875 	buff->ip_summed = CHECKSUM_PARTIAL;
876 	buff->csum = 0;
877 
878 	__tcp_v6_send_check(buff, &fl6.saddr, &fl6.daddr);
879 
880 	fl6.flowi6_proto = IPPROTO_TCP;
881 	if (rt6_need_strict(&fl6.daddr) && !oif)
882 		fl6.flowi6_oif = tcp_v6_iif(skb);
883 	else {
884 		if (!oif && netif_index_is_l3_master(net, skb->skb_iif))
885 			oif = skb->skb_iif;
886 
887 		fl6.flowi6_oif = oif;
888 	}
889 
890 	if (sk)
891 		mark = (sk->sk_state == TCP_TIME_WAIT) ?
892 			inet_twsk(sk)->tw_mark : sk->sk_mark;
893 	fl6.flowi6_mark = IP6_REPLY_MARK(net, skb->mark) ?: mark;
894 	fl6.fl6_dport = t1->dest;
895 	fl6.fl6_sport = t1->source;
896 	fl6.flowi6_uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL);
897 	security_skb_classify_flow(skb, flowi6_to_flowi(&fl6));
898 
899 	/* Pass a socket to ip6_dst_lookup either it is for RST
900 	 * Underlying function will use this to retrieve the network
901 	 * namespace
902 	 */
903 	dst = ip6_dst_lookup_flow(ctl_sk, &fl6, NULL);
904 	if (!IS_ERR(dst)) {
905 		skb_dst_set(buff, dst);
906 		ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL, tclass);
907 		TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
908 		if (rst)
909 			TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
910 		return;
911 	}
912 
913 	kfree_skb(buff);
914 }
915 
916 static void tcp_v6_send_reset(const struct sock *sk, struct sk_buff *skb)
917 {
918 	const struct tcphdr *th = tcp_hdr(skb);
919 	u32 seq = 0, ack_seq = 0;
920 	struct tcp_md5sig_key *key = NULL;
921 #ifdef CONFIG_TCP_MD5SIG
922 	const __u8 *hash_location = NULL;
923 	struct ipv6hdr *ipv6h = ipv6_hdr(skb);
924 	unsigned char newhash[16];
925 	int genhash;
926 	struct sock *sk1 = NULL;
927 #endif
928 	int oif = 0;
929 
930 	if (th->rst)
931 		return;
932 
933 	/* If sk not NULL, it means we did a successful lookup and incoming
934 	 * route had to be correct. prequeue might have dropped our dst.
935 	 */
936 	if (!sk && !ipv6_unicast_destination(skb))
937 		return;
938 
939 #ifdef CONFIG_TCP_MD5SIG
940 	rcu_read_lock();
941 	hash_location = tcp_parse_md5sig_option(th);
942 	if (sk && sk_fullsock(sk)) {
943 		key = tcp_v6_md5_do_lookup(sk, &ipv6h->saddr);
944 	} else if (hash_location) {
945 		/*
946 		 * active side is lost. Try to find listening socket through
947 		 * source port, and then find md5 key through listening socket.
948 		 * we are not loose security here:
949 		 * Incoming packet is checked with md5 hash with finding key,
950 		 * no RST generated if md5 hash doesn't match.
951 		 */
952 		sk1 = inet6_lookup_listener(dev_net(skb_dst(skb)->dev),
953 					   &tcp_hashinfo, NULL, 0,
954 					   &ipv6h->saddr,
955 					   th->source, &ipv6h->daddr,
956 					   ntohs(th->source),
957 					   tcp_v6_iif_l3_slave(skb),
958 					   tcp_v6_sdif(skb));
959 		if (!sk1)
960 			goto out;
961 
962 		key = tcp_v6_md5_do_lookup(sk1, &ipv6h->saddr);
963 		if (!key)
964 			goto out;
965 
966 		genhash = tcp_v6_md5_hash_skb(newhash, key, NULL, skb);
967 		if (genhash || memcmp(hash_location, newhash, 16) != 0)
968 			goto out;
969 	}
970 #endif
971 
972 	if (th->ack)
973 		seq = ntohl(th->ack_seq);
974 	else
975 		ack_seq = ntohl(th->seq) + th->syn + th->fin + skb->len -
976 			  (th->doff << 2);
977 
978 	if (sk) {
979 		oif = sk->sk_bound_dev_if;
980 		if (sk_fullsock(sk))
981 			trace_tcp_send_reset(sk, skb);
982 	}
983 
984 	tcp_v6_send_response(sk, skb, seq, ack_seq, 0, 0, 0, oif, key, 1, 0, 0);
985 
986 #ifdef CONFIG_TCP_MD5SIG
987 out:
988 	rcu_read_unlock();
989 #endif
990 }
991 
992 static void tcp_v6_send_ack(const struct sock *sk, struct sk_buff *skb, u32 seq,
993 			    u32 ack, u32 win, u32 tsval, u32 tsecr, int oif,
994 			    struct tcp_md5sig_key *key, u8 tclass,
995 			    __be32 label)
996 {
997 	tcp_v6_send_response(sk, skb, seq, ack, win, tsval, tsecr, oif, key, 0,
998 			     tclass, label);
999 }
1000 
1001 static void tcp_v6_timewait_ack(struct sock *sk, struct sk_buff *skb)
1002 {
1003 	struct inet_timewait_sock *tw = inet_twsk(sk);
1004 	struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
1005 
1006 	tcp_v6_send_ack(sk, skb, tcptw->tw_snd_nxt, tcptw->tw_rcv_nxt,
1007 			tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
1008 			tcp_time_stamp_raw() + tcptw->tw_ts_offset,
1009 			tcptw->tw_ts_recent, tw->tw_bound_dev_if, tcp_twsk_md5_key(tcptw),
1010 			tw->tw_tclass, cpu_to_be32(tw->tw_flowlabel));
1011 
1012 	inet_twsk_put(tw);
1013 }
1014 
1015 static void tcp_v6_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
1016 				  struct request_sock *req)
1017 {
1018 	/* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
1019 	 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
1020 	 */
1021 	/* RFC 7323 2.3
1022 	 * The window field (SEG.WND) of every outgoing segment, with the
1023 	 * exception of <SYN> segments, MUST be right-shifted by
1024 	 * Rcv.Wind.Shift bits:
1025 	 */
1026 	tcp_v6_send_ack(sk, skb, (sk->sk_state == TCP_LISTEN) ?
1027 			tcp_rsk(req)->snt_isn + 1 : tcp_sk(sk)->snd_nxt,
1028 			tcp_rsk(req)->rcv_nxt,
1029 			req->rsk_rcv_wnd >> inet_rsk(req)->rcv_wscale,
1030 			tcp_time_stamp_raw() + tcp_rsk(req)->ts_off,
1031 			req->ts_recent, sk->sk_bound_dev_if,
1032 			tcp_v6_md5_do_lookup(sk, &ipv6_hdr(skb)->saddr),
1033 			0, 0);
1034 }
1035 
1036 
1037 static struct sock *tcp_v6_cookie_check(struct sock *sk, struct sk_buff *skb)
1038 {
1039 #ifdef CONFIG_SYN_COOKIES
1040 	const struct tcphdr *th = tcp_hdr(skb);
1041 
1042 	if (!th->syn)
1043 		sk = cookie_v6_check(sk, skb);
1044 #endif
1045 	return sk;
1046 }
1047 
1048 static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
1049 {
1050 	if (skb->protocol == htons(ETH_P_IP))
1051 		return tcp_v4_conn_request(sk, skb);
1052 
1053 	if (!ipv6_unicast_destination(skb))
1054 		goto drop;
1055 
1056 	return tcp_conn_request(&tcp6_request_sock_ops,
1057 				&tcp_request_sock_ipv6_ops, sk, skb);
1058 
1059 drop:
1060 	tcp_listendrop(sk);
1061 	return 0; /* don't send reset */
1062 }
1063 
1064 static void tcp_v6_restore_cb(struct sk_buff *skb)
1065 {
1066 	/* We need to move header back to the beginning if xfrm6_policy_check()
1067 	 * and tcp_v6_fill_cb() are going to be called again.
1068 	 * ip6_datagram_recv_specific_ctl() also expects IP6CB to be there.
1069 	 */
1070 	memmove(IP6CB(skb), &TCP_SKB_CB(skb)->header.h6,
1071 		sizeof(struct inet6_skb_parm));
1072 }
1073 
1074 static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
1075 					 struct request_sock *req,
1076 					 struct dst_entry *dst,
1077 					 struct request_sock *req_unhash,
1078 					 bool *own_req)
1079 {
1080 	struct inet_request_sock *ireq;
1081 	struct ipv6_pinfo *newnp;
1082 	const struct ipv6_pinfo *np = tcp_inet6_sk(sk);
1083 	struct ipv6_txoptions *opt;
1084 	struct inet_sock *newinet;
1085 	struct tcp_sock *newtp;
1086 	struct sock *newsk;
1087 #ifdef CONFIG_TCP_MD5SIG
1088 	struct tcp_md5sig_key *key;
1089 #endif
1090 	struct flowi6 fl6;
1091 
1092 	if (skb->protocol == htons(ETH_P_IP)) {
1093 		/*
1094 		 *	v6 mapped
1095 		 */
1096 
1097 		newsk = tcp_v4_syn_recv_sock(sk, skb, req, dst,
1098 					     req_unhash, own_req);
1099 
1100 		if (!newsk)
1101 			return NULL;
1102 
1103 		inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
1104 
1105 		newinet = inet_sk(newsk);
1106 		newnp = tcp_inet6_sk(newsk);
1107 		newtp = tcp_sk(newsk);
1108 
1109 		memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1110 
1111 		newnp->saddr = newsk->sk_v6_rcv_saddr;
1112 
1113 		inet_csk(newsk)->icsk_af_ops = &ipv6_mapped;
1114 		newsk->sk_backlog_rcv = tcp_v4_do_rcv;
1115 #ifdef CONFIG_TCP_MD5SIG
1116 		newtp->af_specific = &tcp_sock_ipv6_mapped_specific;
1117 #endif
1118 
1119 		newnp->ipv6_mc_list = NULL;
1120 		newnp->ipv6_ac_list = NULL;
1121 		newnp->ipv6_fl_list = NULL;
1122 		newnp->pktoptions  = NULL;
1123 		newnp->opt	   = NULL;
1124 		newnp->mcast_oif   = inet_iif(skb);
1125 		newnp->mcast_hops  = ip_hdr(skb)->ttl;
1126 		newnp->rcv_flowinfo = 0;
1127 		if (np->repflow)
1128 			newnp->flow_label = 0;
1129 
1130 		/*
1131 		 * No need to charge this sock to the relevant IPv6 refcnt debug socks count
1132 		 * here, tcp_create_openreq_child now does this for us, see the comment in
1133 		 * that function for the gory details. -acme
1134 		 */
1135 
1136 		/* It is tricky place. Until this moment IPv4 tcp
1137 		   worked with IPv6 icsk.icsk_af_ops.
1138 		   Sync it now.
1139 		 */
1140 		tcp_sync_mss(newsk, inet_csk(newsk)->icsk_pmtu_cookie);
1141 
1142 		return newsk;
1143 	}
1144 
1145 	ireq = inet_rsk(req);
1146 
1147 	if (sk_acceptq_is_full(sk))
1148 		goto out_overflow;
1149 
1150 	if (!dst) {
1151 		dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP);
1152 		if (!dst)
1153 			goto out;
1154 	}
1155 
1156 	newsk = tcp_create_openreq_child(sk, req, skb);
1157 	if (!newsk)
1158 		goto out_nonewsk;
1159 
1160 	/*
1161 	 * No need to charge this sock to the relevant IPv6 refcnt debug socks
1162 	 * count here, tcp_create_openreq_child now does this for us, see the
1163 	 * comment in that function for the gory details. -acme
1164 	 */
1165 
1166 	newsk->sk_gso_type = SKB_GSO_TCPV6;
1167 	ip6_dst_store(newsk, dst, NULL, NULL);
1168 	inet6_sk_rx_dst_set(newsk, skb);
1169 
1170 	inet_sk(newsk)->pinet6 = tcp_inet6_sk(newsk);
1171 
1172 	newtp = tcp_sk(newsk);
1173 	newinet = inet_sk(newsk);
1174 	newnp = tcp_inet6_sk(newsk);
1175 
1176 	memcpy(newnp, np, sizeof(struct ipv6_pinfo));
1177 
1178 	newsk->sk_v6_daddr = ireq->ir_v6_rmt_addr;
1179 	newnp->saddr = ireq->ir_v6_loc_addr;
1180 	newsk->sk_v6_rcv_saddr = ireq->ir_v6_loc_addr;
1181 	newsk->sk_bound_dev_if = ireq->ir_iif;
1182 
1183 	/* Now IPv6 options...
1184 
1185 	   First: no IPv4 options.
1186 	 */
1187 	newinet->inet_opt = NULL;
1188 	newnp->ipv6_mc_list = NULL;
1189 	newnp->ipv6_ac_list = NULL;
1190 	newnp->ipv6_fl_list = NULL;
1191 
1192 	/* Clone RX bits */
1193 	newnp->rxopt.all = np->rxopt.all;
1194 
1195 	newnp->pktoptions = NULL;
1196 	newnp->opt	  = NULL;
1197 	newnp->mcast_oif  = tcp_v6_iif(skb);
1198 	newnp->mcast_hops = ipv6_hdr(skb)->hop_limit;
1199 	newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb));
1200 	if (np->repflow)
1201 		newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb));
1202 
1203 	/* Clone native IPv6 options from listening socket (if any)
1204 
1205 	   Yes, keeping reference count would be much more clever,
1206 	   but we make one more one thing there: reattach optmem
1207 	   to newsk.
1208 	 */
1209 	opt = ireq->ipv6_opt;
1210 	if (!opt)
1211 		opt = rcu_dereference(np->opt);
1212 	if (opt) {
1213 		opt = ipv6_dup_options(newsk, opt);
1214 		RCU_INIT_POINTER(newnp->opt, opt);
1215 	}
1216 	inet_csk(newsk)->icsk_ext_hdr_len = 0;
1217 	if (opt)
1218 		inet_csk(newsk)->icsk_ext_hdr_len = opt->opt_nflen +
1219 						    opt->opt_flen;
1220 
1221 	tcp_ca_openreq_child(newsk, dst);
1222 
1223 	tcp_sync_mss(newsk, dst_mtu(dst));
1224 	newtp->advmss = tcp_mss_clamp(tcp_sk(sk), dst_metric_advmss(dst));
1225 
1226 	tcp_initialize_rcv_mss(newsk);
1227 
1228 	newinet->inet_daddr = newinet->inet_saddr = LOOPBACK4_IPV6;
1229 	newinet->inet_rcv_saddr = LOOPBACK4_IPV6;
1230 
1231 #ifdef CONFIG_TCP_MD5SIG
1232 	/* Copy over the MD5 key from the original socket */
1233 	key = tcp_v6_md5_do_lookup(sk, &newsk->sk_v6_daddr);
1234 	if (key) {
1235 		/* We're using one, so create a matching key
1236 		 * on the newsk structure. If we fail to get
1237 		 * memory, then we end up not copying the key
1238 		 * across. Shucks.
1239 		 */
1240 		tcp_md5_do_add(newsk, (union tcp_md5_addr *)&newsk->sk_v6_daddr,
1241 			       AF_INET6, 128, key->key, key->keylen,
1242 			       sk_gfp_mask(sk, GFP_ATOMIC));
1243 	}
1244 #endif
1245 
1246 	if (__inet_inherit_port(sk, newsk) < 0) {
1247 		inet_csk_prepare_forced_close(newsk);
1248 		tcp_done(newsk);
1249 		goto out;
1250 	}
1251 	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash));
1252 	if (*own_req) {
1253 		tcp_move_syn(newtp, req);
1254 
1255 		/* Clone pktoptions received with SYN, if we own the req */
1256 		if (ireq->pktopts) {
1257 			newnp->pktoptions = skb_clone(ireq->pktopts,
1258 						      sk_gfp_mask(sk, GFP_ATOMIC));
1259 			consume_skb(ireq->pktopts);
1260 			ireq->pktopts = NULL;
1261 			if (newnp->pktoptions) {
1262 				tcp_v6_restore_cb(newnp->pktoptions);
1263 				skb_set_owner_r(newnp->pktoptions, newsk);
1264 			}
1265 		}
1266 	}
1267 
1268 	return newsk;
1269 
1270 out_overflow:
1271 	__NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
1272 out_nonewsk:
1273 	dst_release(dst);
1274 out:
1275 	tcp_listendrop(sk);
1276 	return NULL;
1277 }
1278 
1279 /* The socket must have it's spinlock held when we get
1280  * here, unless it is a TCP_LISTEN socket.
1281  *
1282  * We have a potential double-lock case here, so even when
1283  * doing backlog processing we use the BH locking scheme.
1284  * This is because we cannot sleep with the original spinlock
1285  * held.
1286  */
1287 static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
1288 {
1289 	struct ipv6_pinfo *np = tcp_inet6_sk(sk);
1290 	struct sk_buff *opt_skb = NULL;
1291 	struct tcp_sock *tp;
1292 
1293 	/* Imagine: socket is IPv6. IPv4 packet arrives,
1294 	   goes to IPv4 receive handler and backlogged.
1295 	   From backlog it always goes here. Kerboom...
1296 	   Fortunately, tcp_rcv_established and rcv_established
1297 	   handle them correctly, but it is not case with
1298 	   tcp_v6_hnd_req and tcp_v6_send_reset().   --ANK
1299 	 */
1300 
1301 	if (skb->protocol == htons(ETH_P_IP))
1302 		return tcp_v4_do_rcv(sk, skb);
1303 
1304 	/*
1305 	 *	socket locking is here for SMP purposes as backlog rcv
1306 	 *	is currently called with bh processing disabled.
1307 	 */
1308 
1309 	/* Do Stevens' IPV6_PKTOPTIONS.
1310 
1311 	   Yes, guys, it is the only place in our code, where we
1312 	   may make it not affecting IPv4.
1313 	   The rest of code is protocol independent,
1314 	   and I do not like idea to uglify IPv4.
1315 
1316 	   Actually, all the idea behind IPV6_PKTOPTIONS
1317 	   looks not very well thought. For now we latch
1318 	   options, received in the last packet, enqueued
1319 	   by tcp. Feel free to propose better solution.
1320 					       --ANK (980728)
1321 	 */
1322 	if (np->rxopt.all)
1323 		opt_skb = skb_clone(skb, sk_gfp_mask(sk, GFP_ATOMIC));
1324 
1325 	if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1326 		struct dst_entry *dst = sk->sk_rx_dst;
1327 
1328 		sock_rps_save_rxhash(sk, skb);
1329 		sk_mark_napi_id(sk, skb);
1330 		if (dst) {
1331 			if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
1332 			    dst->ops->check(dst, np->rx_dst_cookie) == NULL) {
1333 				dst_release(dst);
1334 				sk->sk_rx_dst = NULL;
1335 			}
1336 		}
1337 
1338 		tcp_rcv_established(sk, skb);
1339 		if (opt_skb)
1340 			goto ipv6_pktoptions;
1341 		return 0;
1342 	}
1343 
1344 	if (tcp_checksum_complete(skb))
1345 		goto csum_err;
1346 
1347 	if (sk->sk_state == TCP_LISTEN) {
1348 		struct sock *nsk = tcp_v6_cookie_check(sk, skb);
1349 
1350 		if (!nsk)
1351 			goto discard;
1352 
1353 		if (nsk != sk) {
1354 			if (tcp_child_process(sk, nsk, skb))
1355 				goto reset;
1356 			if (opt_skb)
1357 				__kfree_skb(opt_skb);
1358 			return 0;
1359 		}
1360 	} else
1361 		sock_rps_save_rxhash(sk, skb);
1362 
1363 	if (tcp_rcv_state_process(sk, skb))
1364 		goto reset;
1365 	if (opt_skb)
1366 		goto ipv6_pktoptions;
1367 	return 0;
1368 
1369 reset:
1370 	tcp_v6_send_reset(sk, skb);
1371 discard:
1372 	if (opt_skb)
1373 		__kfree_skb(opt_skb);
1374 	kfree_skb(skb);
1375 	return 0;
1376 csum_err:
1377 	TCP_INC_STATS(sock_net(sk), TCP_MIB_CSUMERRORS);
1378 	TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
1379 	goto discard;
1380 
1381 
1382 ipv6_pktoptions:
1383 	/* Do you ask, what is it?
1384 
1385 	   1. skb was enqueued by tcp.
1386 	   2. skb is added to tail of read queue, rather than out of order.
1387 	   3. socket is not in passive state.
1388 	   4. Finally, it really contains options, which user wants to receive.
1389 	 */
1390 	tp = tcp_sk(sk);
1391 	if (TCP_SKB_CB(opt_skb)->end_seq == tp->rcv_nxt &&
1392 	    !((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN))) {
1393 		if (np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo)
1394 			np->mcast_oif = tcp_v6_iif(opt_skb);
1395 		if (np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim)
1396 			np->mcast_hops = ipv6_hdr(opt_skb)->hop_limit;
1397 		if (np->rxopt.bits.rxflow || np->rxopt.bits.rxtclass)
1398 			np->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(opt_skb));
1399 		if (np->repflow)
1400 			np->flow_label = ip6_flowlabel(ipv6_hdr(opt_skb));
1401 		if (ipv6_opt_accepted(sk, opt_skb, &TCP_SKB_CB(opt_skb)->header.h6)) {
1402 			skb_set_owner_r(opt_skb, sk);
1403 			tcp_v6_restore_cb(opt_skb);
1404 			opt_skb = xchg(&np->pktoptions, opt_skb);
1405 		} else {
1406 			__kfree_skb(opt_skb);
1407 			opt_skb = xchg(&np->pktoptions, NULL);
1408 		}
1409 	}
1410 
1411 	kfree_skb(opt_skb);
1412 	return 0;
1413 }
1414 
1415 static void tcp_v6_fill_cb(struct sk_buff *skb, const struct ipv6hdr *hdr,
1416 			   const struct tcphdr *th)
1417 {
1418 	/* This is tricky: we move IP6CB at its correct location into
1419 	 * TCP_SKB_CB(). It must be done after xfrm6_policy_check(), because
1420 	 * _decode_session6() uses IP6CB().
1421 	 * barrier() makes sure compiler won't play aliasing games.
1422 	 */
1423 	memmove(&TCP_SKB_CB(skb)->header.h6, IP6CB(skb),
1424 		sizeof(struct inet6_skb_parm));
1425 	barrier();
1426 
1427 	TCP_SKB_CB(skb)->seq = ntohl(th->seq);
1428 	TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
1429 				    skb->len - th->doff*4);
1430 	TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
1431 	TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
1432 	TCP_SKB_CB(skb)->tcp_tw_isn = 0;
1433 	TCP_SKB_CB(skb)->ip_dsfield = ipv6_get_dsfield(hdr);
1434 	TCP_SKB_CB(skb)->sacked = 0;
1435 	TCP_SKB_CB(skb)->has_rxtstamp =
1436 			skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
1437 }
1438 
1439 INDIRECT_CALLABLE_SCOPE int tcp_v6_rcv(struct sk_buff *skb)
1440 {
1441 	struct sk_buff *skb_to_free;
1442 	int sdif = inet6_sdif(skb);
1443 	const struct tcphdr *th;
1444 	const struct ipv6hdr *hdr;
1445 	bool refcounted;
1446 	struct sock *sk;
1447 	int ret;
1448 	struct net *net = dev_net(skb->dev);
1449 
1450 	if (skb->pkt_type != PACKET_HOST)
1451 		goto discard_it;
1452 
1453 	/*
1454 	 *	Count it even if it's bad.
1455 	 */
1456 	__TCP_INC_STATS(net, TCP_MIB_INSEGS);
1457 
1458 	if (!pskb_may_pull(skb, sizeof(struct tcphdr)))
1459 		goto discard_it;
1460 
1461 	th = (const struct tcphdr *)skb->data;
1462 
1463 	if (unlikely(th->doff < sizeof(struct tcphdr)/4))
1464 		goto bad_packet;
1465 	if (!pskb_may_pull(skb, th->doff*4))
1466 		goto discard_it;
1467 
1468 	if (skb_checksum_init(skb, IPPROTO_TCP, ip6_compute_pseudo))
1469 		goto csum_error;
1470 
1471 	th = (const struct tcphdr *)skb->data;
1472 	hdr = ipv6_hdr(skb);
1473 
1474 lookup:
1475 	sk = __inet6_lookup_skb(&tcp_hashinfo, skb, __tcp_hdrlen(th),
1476 				th->source, th->dest, inet6_iif(skb), sdif,
1477 				&refcounted);
1478 	if (!sk)
1479 		goto no_tcp_socket;
1480 
1481 process:
1482 	if (sk->sk_state == TCP_TIME_WAIT)
1483 		goto do_time_wait;
1484 
1485 	if (sk->sk_state == TCP_NEW_SYN_RECV) {
1486 		struct request_sock *req = inet_reqsk(sk);
1487 		bool req_stolen = false;
1488 		struct sock *nsk;
1489 
1490 		sk = req->rsk_listener;
1491 		if (tcp_v6_inbound_md5_hash(sk, skb)) {
1492 			sk_drops_add(sk, skb);
1493 			reqsk_put(req);
1494 			goto discard_it;
1495 		}
1496 		if (tcp_checksum_complete(skb)) {
1497 			reqsk_put(req);
1498 			goto csum_error;
1499 		}
1500 		if (unlikely(sk->sk_state != TCP_LISTEN)) {
1501 			inet_csk_reqsk_queue_drop_and_put(sk, req);
1502 			goto lookup;
1503 		}
1504 		sock_hold(sk);
1505 		refcounted = true;
1506 		nsk = NULL;
1507 		if (!tcp_filter(sk, skb)) {
1508 			th = (const struct tcphdr *)skb->data;
1509 			hdr = ipv6_hdr(skb);
1510 			tcp_v6_fill_cb(skb, hdr, th);
1511 			nsk = tcp_check_req(sk, skb, req, false, &req_stolen);
1512 		}
1513 		if (!nsk) {
1514 			reqsk_put(req);
1515 			if (req_stolen) {
1516 				/* Another cpu got exclusive access to req
1517 				 * and created a full blown socket.
1518 				 * Try to feed this packet to this socket
1519 				 * instead of discarding it.
1520 				 */
1521 				tcp_v6_restore_cb(skb);
1522 				sock_put(sk);
1523 				goto lookup;
1524 			}
1525 			goto discard_and_relse;
1526 		}
1527 		if (nsk == sk) {
1528 			reqsk_put(req);
1529 			tcp_v6_restore_cb(skb);
1530 		} else if (tcp_child_process(sk, nsk, skb)) {
1531 			tcp_v6_send_reset(nsk, skb);
1532 			goto discard_and_relse;
1533 		} else {
1534 			sock_put(sk);
1535 			return 0;
1536 		}
1537 	}
1538 	if (hdr->hop_limit < tcp_inet6_sk(sk)->min_hopcount) {
1539 		__NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
1540 		goto discard_and_relse;
1541 	}
1542 
1543 	if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
1544 		goto discard_and_relse;
1545 
1546 	if (tcp_v6_inbound_md5_hash(sk, skb))
1547 		goto discard_and_relse;
1548 
1549 	if (tcp_filter(sk, skb))
1550 		goto discard_and_relse;
1551 	th = (const struct tcphdr *)skb->data;
1552 	hdr = ipv6_hdr(skb);
1553 	tcp_v6_fill_cb(skb, hdr, th);
1554 
1555 	skb->dev = NULL;
1556 
1557 	if (sk->sk_state == TCP_LISTEN) {
1558 		ret = tcp_v6_do_rcv(sk, skb);
1559 		goto put_and_return;
1560 	}
1561 
1562 	sk_incoming_cpu_update(sk);
1563 
1564 	bh_lock_sock_nested(sk);
1565 	tcp_segs_in(tcp_sk(sk), skb);
1566 	ret = 0;
1567 	if (!sock_owned_by_user(sk)) {
1568 		skb_to_free = sk->sk_rx_skb_cache;
1569 		sk->sk_rx_skb_cache = NULL;
1570 		ret = tcp_v6_do_rcv(sk, skb);
1571 	} else {
1572 		if (tcp_add_backlog(sk, skb))
1573 			goto discard_and_relse;
1574 		skb_to_free = NULL;
1575 	}
1576 	bh_unlock_sock(sk);
1577 	if (skb_to_free)
1578 		__kfree_skb(skb_to_free);
1579 put_and_return:
1580 	if (refcounted)
1581 		sock_put(sk);
1582 	return ret ? -1 : 0;
1583 
1584 no_tcp_socket:
1585 	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb))
1586 		goto discard_it;
1587 
1588 	tcp_v6_fill_cb(skb, hdr, th);
1589 
1590 	if (tcp_checksum_complete(skb)) {
1591 csum_error:
1592 		__TCP_INC_STATS(net, TCP_MIB_CSUMERRORS);
1593 bad_packet:
1594 		__TCP_INC_STATS(net, TCP_MIB_INERRS);
1595 	} else {
1596 		tcp_v6_send_reset(NULL, skb);
1597 	}
1598 
1599 discard_it:
1600 	kfree_skb(skb);
1601 	return 0;
1602 
1603 discard_and_relse:
1604 	sk_drops_add(sk, skb);
1605 	if (refcounted)
1606 		sock_put(sk);
1607 	goto discard_it;
1608 
1609 do_time_wait:
1610 	if (!xfrm6_policy_check(NULL, XFRM_POLICY_IN, skb)) {
1611 		inet_twsk_put(inet_twsk(sk));
1612 		goto discard_it;
1613 	}
1614 
1615 	tcp_v6_fill_cb(skb, hdr, th);
1616 
1617 	if (tcp_checksum_complete(skb)) {
1618 		inet_twsk_put(inet_twsk(sk));
1619 		goto csum_error;
1620 	}
1621 
1622 	switch (tcp_timewait_state_process(inet_twsk(sk), skb, th)) {
1623 	case TCP_TW_SYN:
1624 	{
1625 		struct sock *sk2;
1626 
1627 		sk2 = inet6_lookup_listener(dev_net(skb->dev), &tcp_hashinfo,
1628 					    skb, __tcp_hdrlen(th),
1629 					    &ipv6_hdr(skb)->saddr, th->source,
1630 					    &ipv6_hdr(skb)->daddr,
1631 					    ntohs(th->dest),
1632 					    tcp_v6_iif_l3_slave(skb),
1633 					    sdif);
1634 		if (sk2) {
1635 			struct inet_timewait_sock *tw = inet_twsk(sk);
1636 			inet_twsk_deschedule_put(tw);
1637 			sk = sk2;
1638 			tcp_v6_restore_cb(skb);
1639 			refcounted = false;
1640 			goto process;
1641 		}
1642 	}
1643 		/* to ACK */
1644 		/* fall through */
1645 	case TCP_TW_ACK:
1646 		tcp_v6_timewait_ack(sk, skb);
1647 		break;
1648 	case TCP_TW_RST:
1649 		tcp_v6_send_reset(sk, skb);
1650 		inet_twsk_deschedule_put(inet_twsk(sk));
1651 		goto discard_it;
1652 	case TCP_TW_SUCCESS:
1653 		;
1654 	}
1655 	goto discard_it;
1656 }
1657 
1658 INDIRECT_CALLABLE_SCOPE void tcp_v6_early_demux(struct sk_buff *skb)
1659 {
1660 	const struct ipv6hdr *hdr;
1661 	const struct tcphdr *th;
1662 	struct sock *sk;
1663 
1664 	if (skb->pkt_type != PACKET_HOST)
1665 		return;
1666 
1667 	if (!pskb_may_pull(skb, skb_transport_offset(skb) + sizeof(struct tcphdr)))
1668 		return;
1669 
1670 	hdr = ipv6_hdr(skb);
1671 	th = tcp_hdr(skb);
1672 
1673 	if (th->doff < sizeof(struct tcphdr) / 4)
1674 		return;
1675 
1676 	/* Note : We use inet6_iif() here, not tcp_v6_iif() */
1677 	sk = __inet6_lookup_established(dev_net(skb->dev), &tcp_hashinfo,
1678 					&hdr->saddr, th->source,
1679 					&hdr->daddr, ntohs(th->dest),
1680 					inet6_iif(skb), inet6_sdif(skb));
1681 	if (sk) {
1682 		skb->sk = sk;
1683 		skb->destructor = sock_edemux;
1684 		if (sk_fullsock(sk)) {
1685 			struct dst_entry *dst = READ_ONCE(sk->sk_rx_dst);
1686 
1687 			if (dst)
1688 				dst = dst_check(dst, tcp_inet6_sk(sk)->rx_dst_cookie);
1689 			if (dst &&
1690 			    inet_sk(sk)->rx_dst_ifindex == skb->skb_iif)
1691 				skb_dst_set_noref(skb, dst);
1692 		}
1693 	}
1694 }
1695 
1696 static struct timewait_sock_ops tcp6_timewait_sock_ops = {
1697 	.twsk_obj_size	= sizeof(struct tcp6_timewait_sock),
1698 	.twsk_unique	= tcp_twsk_unique,
1699 	.twsk_destructor = tcp_twsk_destructor,
1700 };
1701 
1702 static const struct inet_connection_sock_af_ops ipv6_specific = {
1703 	.queue_xmit	   = inet6_csk_xmit,
1704 	.send_check	   = tcp_v6_send_check,
1705 	.rebuild_header	   = inet6_sk_rebuild_header,
1706 	.sk_rx_dst_set	   = inet6_sk_rx_dst_set,
1707 	.conn_request	   = tcp_v6_conn_request,
1708 	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
1709 	.net_header_len	   = sizeof(struct ipv6hdr),
1710 	.net_frag_header_len = sizeof(struct frag_hdr),
1711 	.setsockopt	   = ipv6_setsockopt,
1712 	.getsockopt	   = ipv6_getsockopt,
1713 	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
1714 	.sockaddr_len	   = sizeof(struct sockaddr_in6),
1715 #ifdef CONFIG_COMPAT
1716 	.compat_setsockopt = compat_ipv6_setsockopt,
1717 	.compat_getsockopt = compat_ipv6_getsockopt,
1718 #endif
1719 	.mtu_reduced	   = tcp_v6_mtu_reduced,
1720 };
1721 
1722 #ifdef CONFIG_TCP_MD5SIG
1723 static const struct tcp_sock_af_ops tcp_sock_ipv6_specific = {
1724 	.md5_lookup	=	tcp_v6_md5_lookup,
1725 	.calc_md5_hash	=	tcp_v6_md5_hash_skb,
1726 	.md5_parse	=	tcp_v6_parse_md5_keys,
1727 };
1728 #endif
1729 
1730 /*
1731  *	TCP over IPv4 via INET6 API
1732  */
1733 static const struct inet_connection_sock_af_ops ipv6_mapped = {
1734 	.queue_xmit	   = ip_queue_xmit,
1735 	.send_check	   = tcp_v4_send_check,
1736 	.rebuild_header	   = inet_sk_rebuild_header,
1737 	.sk_rx_dst_set	   = inet_sk_rx_dst_set,
1738 	.conn_request	   = tcp_v6_conn_request,
1739 	.syn_recv_sock	   = tcp_v6_syn_recv_sock,
1740 	.net_header_len	   = sizeof(struct iphdr),
1741 	.setsockopt	   = ipv6_setsockopt,
1742 	.getsockopt	   = ipv6_getsockopt,
1743 	.addr2sockaddr	   = inet6_csk_addr2sockaddr,
1744 	.sockaddr_len	   = sizeof(struct sockaddr_in6),
1745 #ifdef CONFIG_COMPAT
1746 	.compat_setsockopt = compat_ipv6_setsockopt,
1747 	.compat_getsockopt = compat_ipv6_getsockopt,
1748 #endif
1749 	.mtu_reduced	   = tcp_v4_mtu_reduced,
1750 };
1751 
1752 #ifdef CONFIG_TCP_MD5SIG
1753 static const struct tcp_sock_af_ops tcp_sock_ipv6_mapped_specific = {
1754 	.md5_lookup	=	tcp_v4_md5_lookup,
1755 	.calc_md5_hash	=	tcp_v4_md5_hash_skb,
1756 	.md5_parse	=	tcp_v6_parse_md5_keys,
1757 };
1758 #endif
1759 
1760 /* NOTE: A lot of things set to zero explicitly by call to
1761  *       sk_alloc() so need not be done here.
1762  */
1763 static int tcp_v6_init_sock(struct sock *sk)
1764 {
1765 	struct inet_connection_sock *icsk = inet_csk(sk);
1766 
1767 	tcp_init_sock(sk);
1768 
1769 	icsk->icsk_af_ops = &ipv6_specific;
1770 
1771 #ifdef CONFIG_TCP_MD5SIG
1772 	tcp_sk(sk)->af_specific = &tcp_sock_ipv6_specific;
1773 #endif
1774 
1775 	return 0;
1776 }
1777 
1778 static void tcp_v6_destroy_sock(struct sock *sk)
1779 {
1780 	tcp_v4_destroy_sock(sk);
1781 	inet6_destroy_sock(sk);
1782 }
1783 
1784 #ifdef CONFIG_PROC_FS
1785 /* Proc filesystem TCPv6 sock list dumping. */
1786 static void get_openreq6(struct seq_file *seq,
1787 			 const struct request_sock *req, int i)
1788 {
1789 	long ttd = req->rsk_timer.expires - jiffies;
1790 	const struct in6_addr *src = &inet_rsk(req)->ir_v6_loc_addr;
1791 	const struct in6_addr *dest = &inet_rsk(req)->ir_v6_rmt_addr;
1792 
1793 	if (ttd < 0)
1794 		ttd = 0;
1795 
1796 	seq_printf(seq,
1797 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1798 		   "%02X %08X:%08X %02X:%08lX %08X %5u %8d %d %d %pK\n",
1799 		   i,
1800 		   src->s6_addr32[0], src->s6_addr32[1],
1801 		   src->s6_addr32[2], src->s6_addr32[3],
1802 		   inet_rsk(req)->ir_num,
1803 		   dest->s6_addr32[0], dest->s6_addr32[1],
1804 		   dest->s6_addr32[2], dest->s6_addr32[3],
1805 		   ntohs(inet_rsk(req)->ir_rmt_port),
1806 		   TCP_SYN_RECV,
1807 		   0, 0, /* could print option size, but that is af dependent. */
1808 		   1,   /* timers active (only the expire timer) */
1809 		   jiffies_to_clock_t(ttd),
1810 		   req->num_timeout,
1811 		   from_kuid_munged(seq_user_ns(seq),
1812 				    sock_i_uid(req->rsk_listener)),
1813 		   0,  /* non standard timer */
1814 		   0, /* open_requests have no inode */
1815 		   0, req);
1816 }
1817 
1818 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
1819 {
1820 	const struct in6_addr *dest, *src;
1821 	__u16 destp, srcp;
1822 	int timer_active;
1823 	unsigned long timer_expires;
1824 	const struct inet_sock *inet = inet_sk(sp);
1825 	const struct tcp_sock *tp = tcp_sk(sp);
1826 	const struct inet_connection_sock *icsk = inet_csk(sp);
1827 	const struct fastopen_queue *fastopenq = &icsk->icsk_accept_queue.fastopenq;
1828 	int rx_queue;
1829 	int state;
1830 
1831 	dest  = &sp->sk_v6_daddr;
1832 	src   = &sp->sk_v6_rcv_saddr;
1833 	destp = ntohs(inet->inet_dport);
1834 	srcp  = ntohs(inet->inet_sport);
1835 
1836 	if (icsk->icsk_pending == ICSK_TIME_RETRANS ||
1837 	    icsk->icsk_pending == ICSK_TIME_REO_TIMEOUT ||
1838 	    icsk->icsk_pending == ICSK_TIME_LOSS_PROBE) {
1839 		timer_active	= 1;
1840 		timer_expires	= icsk->icsk_timeout;
1841 	} else if (icsk->icsk_pending == ICSK_TIME_PROBE0) {
1842 		timer_active	= 4;
1843 		timer_expires	= icsk->icsk_timeout;
1844 	} else if (timer_pending(&sp->sk_timer)) {
1845 		timer_active	= 2;
1846 		timer_expires	= sp->sk_timer.expires;
1847 	} else {
1848 		timer_active	= 0;
1849 		timer_expires = jiffies;
1850 	}
1851 
1852 	state = inet_sk_state_load(sp);
1853 	if (state == TCP_LISTEN)
1854 		rx_queue = sp->sk_ack_backlog;
1855 	else
1856 		/* Because we don't lock the socket,
1857 		 * we might find a transient negative value.
1858 		 */
1859 		rx_queue = max_t(int, tp->rcv_nxt - tp->copied_seq, 0);
1860 
1861 	seq_printf(seq,
1862 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1863 		   "%02X %08X:%08X %02X:%08lX %08X %5u %8d %lu %d %pK %lu %lu %u %u %d\n",
1864 		   i,
1865 		   src->s6_addr32[0], src->s6_addr32[1],
1866 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
1867 		   dest->s6_addr32[0], dest->s6_addr32[1],
1868 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
1869 		   state,
1870 		   tp->write_seq - tp->snd_una,
1871 		   rx_queue,
1872 		   timer_active,
1873 		   jiffies_delta_to_clock_t(timer_expires - jiffies),
1874 		   icsk->icsk_retransmits,
1875 		   from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
1876 		   icsk->icsk_probes_out,
1877 		   sock_i_ino(sp),
1878 		   refcount_read(&sp->sk_refcnt), sp,
1879 		   jiffies_to_clock_t(icsk->icsk_rto),
1880 		   jiffies_to_clock_t(icsk->icsk_ack.ato),
1881 		   (icsk->icsk_ack.quick << 1) | inet_csk_in_pingpong_mode(sp),
1882 		   tp->snd_cwnd,
1883 		   state == TCP_LISTEN ?
1884 			fastopenq->max_qlen :
1885 			(tcp_in_initial_slowstart(tp) ? -1 : tp->snd_ssthresh)
1886 		   );
1887 }
1888 
1889 static void get_timewait6_sock(struct seq_file *seq,
1890 			       struct inet_timewait_sock *tw, int i)
1891 {
1892 	long delta = tw->tw_timer.expires - jiffies;
1893 	const struct in6_addr *dest, *src;
1894 	__u16 destp, srcp;
1895 
1896 	dest = &tw->tw_v6_daddr;
1897 	src  = &tw->tw_v6_rcv_saddr;
1898 	destp = ntohs(tw->tw_dport);
1899 	srcp  = ntohs(tw->tw_sport);
1900 
1901 	seq_printf(seq,
1902 		   "%4d: %08X%08X%08X%08X:%04X %08X%08X%08X%08X:%04X "
1903 		   "%02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %pK\n",
1904 		   i,
1905 		   src->s6_addr32[0], src->s6_addr32[1],
1906 		   src->s6_addr32[2], src->s6_addr32[3], srcp,
1907 		   dest->s6_addr32[0], dest->s6_addr32[1],
1908 		   dest->s6_addr32[2], dest->s6_addr32[3], destp,
1909 		   tw->tw_substate, 0, 0,
1910 		   3, jiffies_delta_to_clock_t(delta), 0, 0, 0, 0,
1911 		   refcount_read(&tw->tw_refcnt), tw);
1912 }
1913 
1914 static int tcp6_seq_show(struct seq_file *seq, void *v)
1915 {
1916 	struct tcp_iter_state *st;
1917 	struct sock *sk = v;
1918 
1919 	if (v == SEQ_START_TOKEN) {
1920 		seq_puts(seq,
1921 			 "  sl  "
1922 			 "local_address                         "
1923 			 "remote_address                        "
1924 			 "st tx_queue rx_queue tr tm->when retrnsmt"
1925 			 "   uid  timeout inode\n");
1926 		goto out;
1927 	}
1928 	st = seq->private;
1929 
1930 	if (sk->sk_state == TCP_TIME_WAIT)
1931 		get_timewait6_sock(seq, v, st->num);
1932 	else if (sk->sk_state == TCP_NEW_SYN_RECV)
1933 		get_openreq6(seq, v, st->num);
1934 	else
1935 		get_tcp6_sock(seq, v, st->num);
1936 out:
1937 	return 0;
1938 }
1939 
1940 static const struct seq_operations tcp6_seq_ops = {
1941 	.show		= tcp6_seq_show,
1942 	.start		= tcp_seq_start,
1943 	.next		= tcp_seq_next,
1944 	.stop		= tcp_seq_stop,
1945 };
1946 
1947 static struct tcp_seq_afinfo tcp6_seq_afinfo = {
1948 	.family		= AF_INET6,
1949 };
1950 
1951 int __net_init tcp6_proc_init(struct net *net)
1952 {
1953 	if (!proc_create_net_data("tcp6", 0444, net->proc_net, &tcp6_seq_ops,
1954 			sizeof(struct tcp_iter_state), &tcp6_seq_afinfo))
1955 		return -ENOMEM;
1956 	return 0;
1957 }
1958 
1959 void tcp6_proc_exit(struct net *net)
1960 {
1961 	remove_proc_entry("tcp6", net->proc_net);
1962 }
1963 #endif
1964 
1965 struct proto tcpv6_prot = {
1966 	.name			= "TCPv6",
1967 	.owner			= THIS_MODULE,
1968 	.close			= tcp_close,
1969 	.pre_connect		= tcp_v6_pre_connect,
1970 	.connect		= tcp_v6_connect,
1971 	.disconnect		= tcp_disconnect,
1972 	.accept			= inet_csk_accept,
1973 	.ioctl			= tcp_ioctl,
1974 	.init			= tcp_v6_init_sock,
1975 	.destroy		= tcp_v6_destroy_sock,
1976 	.shutdown		= tcp_shutdown,
1977 	.setsockopt		= tcp_setsockopt,
1978 	.getsockopt		= tcp_getsockopt,
1979 	.keepalive		= tcp_set_keepalive,
1980 	.recvmsg		= tcp_recvmsg,
1981 	.sendmsg		= tcp_sendmsg,
1982 	.sendpage		= tcp_sendpage,
1983 	.backlog_rcv		= tcp_v6_do_rcv,
1984 	.release_cb		= tcp_release_cb,
1985 	.hash			= inet6_hash,
1986 	.unhash			= inet_unhash,
1987 	.get_port		= inet_csk_get_port,
1988 	.enter_memory_pressure	= tcp_enter_memory_pressure,
1989 	.leave_memory_pressure	= tcp_leave_memory_pressure,
1990 	.stream_memory_free	= tcp_stream_memory_free,
1991 	.sockets_allocated	= &tcp_sockets_allocated,
1992 	.memory_allocated	= &tcp_memory_allocated,
1993 	.memory_pressure	= &tcp_memory_pressure,
1994 	.orphan_count		= &tcp_orphan_count,
1995 	.sysctl_mem		= sysctl_tcp_mem,
1996 	.sysctl_wmem_offset	= offsetof(struct net, ipv4.sysctl_tcp_wmem),
1997 	.sysctl_rmem_offset	= offsetof(struct net, ipv4.sysctl_tcp_rmem),
1998 	.max_header		= MAX_TCP_HEADER,
1999 	.obj_size		= sizeof(struct tcp6_sock),
2000 	.slab_flags		= SLAB_TYPESAFE_BY_RCU,
2001 	.twsk_prot		= &tcp6_timewait_sock_ops,
2002 	.rsk_prot		= &tcp6_request_sock_ops,
2003 	.h.hashinfo		= &tcp_hashinfo,
2004 	.no_autobind		= true,
2005 #ifdef CONFIG_COMPAT
2006 	.compat_setsockopt	= compat_tcp_setsockopt,
2007 	.compat_getsockopt	= compat_tcp_getsockopt,
2008 #endif
2009 	.diag_destroy		= tcp_abort,
2010 };
2011 
2012 /* thinking of making this const? Don't.
2013  * early_demux can change based on sysctl.
2014  */
2015 static struct inet6_protocol tcpv6_protocol = {
2016 	.early_demux	=	tcp_v6_early_demux,
2017 	.early_demux_handler =  tcp_v6_early_demux,
2018 	.handler	=	tcp_v6_rcv,
2019 	.err_handler	=	tcp_v6_err,
2020 	.flags		=	INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
2021 };
2022 
2023 static struct inet_protosw tcpv6_protosw = {
2024 	.type		=	SOCK_STREAM,
2025 	.protocol	=	IPPROTO_TCP,
2026 	.prot		=	&tcpv6_prot,
2027 	.ops		=	&inet6_stream_ops,
2028 	.flags		=	INET_PROTOSW_PERMANENT |
2029 				INET_PROTOSW_ICSK,
2030 };
2031 
2032 static int __net_init tcpv6_net_init(struct net *net)
2033 {
2034 	return inet_ctl_sock_create(&net->ipv6.tcp_sk, PF_INET6,
2035 				    SOCK_RAW, IPPROTO_TCP, net);
2036 }
2037 
2038 static void __net_exit tcpv6_net_exit(struct net *net)
2039 {
2040 	inet_ctl_sock_destroy(net->ipv6.tcp_sk);
2041 }
2042 
2043 static void __net_exit tcpv6_net_exit_batch(struct list_head *net_exit_list)
2044 {
2045 	inet_twsk_purge(&tcp_hashinfo, AF_INET6);
2046 }
2047 
2048 static struct pernet_operations tcpv6_net_ops = {
2049 	.init	    = tcpv6_net_init,
2050 	.exit	    = tcpv6_net_exit,
2051 	.exit_batch = tcpv6_net_exit_batch,
2052 };
2053 
2054 int __init tcpv6_init(void)
2055 {
2056 	int ret;
2057 
2058 	ret = inet6_add_protocol(&tcpv6_protocol, IPPROTO_TCP);
2059 	if (ret)
2060 		goto out;
2061 
2062 	/* register inet6 protocol */
2063 	ret = inet6_register_protosw(&tcpv6_protosw);
2064 	if (ret)
2065 		goto out_tcpv6_protocol;
2066 
2067 	ret = register_pernet_subsys(&tcpv6_net_ops);
2068 	if (ret)
2069 		goto out_tcpv6_protosw;
2070 out:
2071 	return ret;
2072 
2073 out_tcpv6_protosw:
2074 	inet6_unregister_protosw(&tcpv6_protosw);
2075 out_tcpv6_protocol:
2076 	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2077 	goto out;
2078 }
2079 
2080 void tcpv6_exit(void)
2081 {
2082 	unregister_pernet_subsys(&tcpv6_net_ops);
2083 	inet6_unregister_protosw(&tcpv6_protosw);
2084 	inet6_del_protocol(&tcpv6_protocol, IPPROTO_TCP);
2085 }
2086