1// SPDX-License-Identifier: GPL-2.0-or-later
2/*
3 * INET An implementation of the TCP/IP protocol suite for the LINUX
4 * operating system. INET is implemented using the BSD Socket
5 * interface as the means of communication with the user level.
6 *
7 * Implementation of the Transmission Control Protocol(TCP).
8 *
9 * IPv4 specific functions
10 *
11 * code split from:
12 * linux/ipv4/tcp.c
13 * linux/ipv4/tcp_input.c
14 * linux/ipv4/tcp_output.c
15 *
16 * See tcp.c for author information
17 */
18
19/*
20 * Changes:
21 * David S. Miller : New socket lookup architecture.
22 * This code is dedicated to John Dyson.
23 * David S. Miller : Change semantics of established hash,
24 * half is devoted to TIME_WAIT sockets
25 * and the rest go in the other half.
26 * Andi Kleen : Add support for syncookies and fixed
27 * some bugs: ip options weren't passed to
28 * the TCP layer, missed a check for an
29 * ACK bit.
30 * Andi Kleen : Implemented fast path mtu discovery.
31 * Fixed many serious bugs in the
32 * request_sock handling and moved
33 * most of it into the af independent code.
34 * Added tail drop and some other bugfixes.
35 * Added new listen semantics.
36 * Mike McLagan : Routing by source
37 * Juan Jose Ciarlante: ip_dynaddr bits
38 * Andi Kleen: various fixes.
39 * Vitaly E. Lavrov : Transparent proxy revived after year
40 * coma.
41 * Andi Kleen : Fix new listen.
42 * Andi Kleen : Fix accept error reporting.
43 * YOSHIFUJI Hideaki @USAGI and: Support IPV6_V6ONLY socket option, which
44 * Alexey Kuznetsov allow both IPv4 and IPv6 sockets to bind
45 * a single port at the same time.
46 */
47
48#define pr_fmt(fmt) "TCP: " fmt
49
50#include <linux/bottom_half.h>
51#include <linux/types.h>
52#include <linux/fcntl.h>
53#include <linux/module.h>
54#include <linux/random.h>
55#include <linux/cache.h>
56#include <linux/jhash.h>
57#include <linux/init.h>
58#include <linux/times.h>
59#include <linux/slab.h>
60#include <linux/sched.h>
61
62#include <net/net_namespace.h>
63#include <net/icmp.h>
64#include <net/inet_hashtables.h>
65#include <net/tcp.h>
66#include <net/transp_v6.h>
67#include <net/ipv6.h>
68#include <net/inet_common.h>
69#include <net/timewait_sock.h>
70#include <net/xfrm.h>
71#include <net/secure_seq.h>
72#include <net/busy_poll.h>
73
74#include <linux/inet.h>
75#include <linux/ipv6.h>
76#include <linux/stddef.h>
77#include <linux/proc_fs.h>
78#include <linux/seq_file.h>
79#include <linux/inetdevice.h>
80#include <linux/btf_ids.h>
81
82#include <crypto/hash.h>
83#include <linux/scatterlist.h>
84
85#include <trace/events/tcp.h>
86
87#ifdef CONFIG_TCP_MD5SIG
88static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
89 __be32 daddr, __be32 saddr, const struct tcphdr *th);
90#endif
91
92struct inet_hashinfo tcp_hashinfo;
93EXPORT_SYMBOL(tcp_hashinfo);
94
95static DEFINE_PER_CPU(struct sock *, ipv4_tcp_sk);
96
97static u32 tcp_v4_init_seq(const struct sk_buff *skb)
98{
99 return secure_tcp_seq(saddr: ip_hdr(skb)->daddr,
100 daddr: ip_hdr(skb)->saddr,
101 sport: tcp_hdr(skb)->dest,
102 dport: tcp_hdr(skb)->source);
103}
104
105static u32 tcp_v4_init_ts_off(const struct net *net, const struct sk_buff *skb)
106{
107 return secure_tcp_ts_off(net, saddr: ip_hdr(skb)->daddr, daddr: ip_hdr(skb)->saddr);
108}
109
110int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
111{
112 int reuse = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_tw_reuse);
113 const struct inet_timewait_sock *tw = inet_twsk(sk: sktw);
114 const struct tcp_timewait_sock *tcptw = tcp_twsk(sk: sktw);
115 struct tcp_sock *tp = tcp_sk(sk);
116
117 if (reuse == 2) {
118 /* Still does not detect *everything* that goes through
119 * lo, since we require a loopback src or dst address
120 * or direct binding to 'lo' interface.
121 */
122 bool loopback = false;
123 if (tw->tw_bound_dev_if == LOOPBACK_IFINDEX)
124 loopback = true;
125#if IS_ENABLED(CONFIG_IPV6)
126 if (tw->tw_family == AF_INET6) {
127 if (ipv6_addr_loopback(a: &tw->tw_v6_daddr) ||
128 ipv6_addr_v4mapped_loopback(a: &tw->tw_v6_daddr) ||
129 ipv6_addr_loopback(a: &tw->tw_v6_rcv_saddr) ||
130 ipv6_addr_v4mapped_loopback(a: &tw->tw_v6_rcv_saddr))
131 loopback = true;
132 } else
133#endif
134 {
135 if (ipv4_is_loopback(addr: tw->tw_daddr) ||
136 ipv4_is_loopback(addr: tw->tw_rcv_saddr))
137 loopback = true;
138 }
139 if (!loopback)
140 reuse = 0;
141 }
142
143 /* With PAWS, it is safe from the viewpoint
144 of data integrity. Even without PAWS it is safe provided sequence
145 spaces do not overlap i.e. at data rates <= 80Mbit/sec.
146
147 Actually, the idea is close to VJ's one, only timestamp cache is
148 held not per host, but per port pair and TW bucket is used as state
149 holder.
150
151 If TW bucket has been already destroyed we fall back to VJ's scheme
152 and use initial timestamp retrieved from peer table.
153 */
154 if (tcptw->tw_ts_recent_stamp &&
155 (!twp || (reuse && time_after32(ktime_get_seconds(),
156 tcptw->tw_ts_recent_stamp)))) {
157 /* In case of repair and re-using TIME-WAIT sockets we still
158 * want to be sure that it is safe as above but honor the
159 * sequence numbers and time stamps set as part of the repair
160 * process.
161 *
162 * Without this check re-using a TIME-WAIT socket with TCP
163 * repair would accumulate a -1 on the repair assigned
164 * sequence number. The first time it is reused the sequence
165 * is -1, the second time -2, etc. This fixes that issue
166 * without appearing to create any others.
167 */
168 if (likely(!tp->repair)) {
169 u32 seq = tcptw->tw_snd_nxt + 65535 + 2;
170
171 if (!seq)
172 seq = 1;
173 WRITE_ONCE(tp->write_seq, seq);
174 tp->rx_opt.ts_recent = tcptw->tw_ts_recent;
175 tp->rx_opt.ts_recent_stamp = tcptw->tw_ts_recent_stamp;
176 }
177 sock_hold(sk: sktw);
178 return 1;
179 }
180
181 return 0;
182}
183EXPORT_SYMBOL_GPL(tcp_twsk_unique);
184
185static int tcp_v4_pre_connect(struct sock *sk, struct sockaddr *uaddr,
186 int addr_len)
187{
188 /* This check is replicated from tcp_v4_connect() and intended to
189 * prevent BPF program called below from accessing bytes that are out
190 * of the bound specified by user in addr_len.
191 */
192 if (addr_len < sizeof(struct sockaddr_in))
193 return -EINVAL;
194
195 sock_owned_by_me(sk);
196
197 return BPF_CGROUP_RUN_PROG_INET4_CONNECT(sk, uaddr, &addr_len);
198}
199
200/* This will initiate an outgoing connection. */
201int tcp_v4_connect(struct sock *sk, struct sockaddr *uaddr, int addr_len)
202{
203 struct sockaddr_in *usin = (struct sockaddr_in *)uaddr;
204 struct inet_timewait_death_row *tcp_death_row;
205 struct inet_sock *inet = inet_sk(sk);
206 struct tcp_sock *tp = tcp_sk(sk);
207 struct ip_options_rcu *inet_opt;
208 struct net *net = sock_net(sk);
209 __be16 orig_sport, orig_dport;
210 __be32 daddr, nexthop;
211 struct flowi4 *fl4;
212 struct rtable *rt;
213 int err;
214
215 if (addr_len < sizeof(struct sockaddr_in))
216 return -EINVAL;
217
218 if (usin->sin_family != AF_INET)
219 return -EAFNOSUPPORT;
220
221 nexthop = daddr = usin->sin_addr.s_addr;
222 inet_opt = rcu_dereference_protected(inet->inet_opt,
223 lockdep_sock_is_held(sk));
224 if (inet_opt && inet_opt->opt.srr) {
225 if (!daddr)
226 return -EINVAL;
227 nexthop = inet_opt->opt.faddr;
228 }
229
230 orig_sport = inet->inet_sport;
231 orig_dport = usin->sin_port;
232 fl4 = &inet->cork.fl.u.ip4;
233 rt = ip_route_connect(fl4, dst: nexthop, src: inet->inet_saddr,
234 oif: sk->sk_bound_dev_if, IPPROTO_TCP, sport: orig_sport,
235 dport: orig_dport, sk);
236 if (IS_ERR(ptr: rt)) {
237 err = PTR_ERR(ptr: rt);
238 if (err == -ENETUNREACH)
239 IP_INC_STATS(net, IPSTATS_MIB_OUTNOROUTES);
240 return err;
241 }
242
243 if (rt->rt_flags & (RTCF_MULTICAST | RTCF_BROADCAST)) {
244 ip_rt_put(rt);
245 return -ENETUNREACH;
246 }
247
248 if (!inet_opt || !inet_opt->opt.srr)
249 daddr = fl4->daddr;
250
251 tcp_death_row = &sock_net(sk)->ipv4.tcp_death_row;
252
253 if (!inet->inet_saddr) {
254 err = inet_bhash2_update_saddr(sk, saddr: &fl4->saddr, AF_INET);
255 if (err) {
256 ip_rt_put(rt);
257 return err;
258 }
259 } else {
260 sk_rcv_saddr_set(sk, addr: inet->inet_saddr);
261 }
262
263 if (tp->rx_opt.ts_recent_stamp && inet->inet_daddr != daddr) {
264 /* Reset inherited state */
265 tp->rx_opt.ts_recent = 0;
266 tp->rx_opt.ts_recent_stamp = 0;
267 if (likely(!tp->repair))
268 WRITE_ONCE(tp->write_seq, 0);
269 }
270
271 inet->inet_dport = usin->sin_port;
272 sk_daddr_set(sk, addr: daddr);
273
274 inet_csk(sk)->icsk_ext_hdr_len = 0;
275 if (inet_opt)
276 inet_csk(sk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
277
278 tp->rx_opt.mss_clamp = TCP_MSS_DEFAULT;
279
280 /* Socket identity is still unknown (sport may be zero).
281 * However we set state to SYN-SENT and not releasing socket
282 * lock select source port, enter ourselves into the hash tables and
283 * complete initialization after this.
284 */
285 tcp_set_state(sk, state: TCP_SYN_SENT);
286 err = inet_hash_connect(death_row: tcp_death_row, sk);
287 if (err)
288 goto failure;
289
290 sk_set_txhash(sk);
291
292 rt = ip_route_newports(fl4, rt, orig_sport, orig_dport,
293 sport: inet->inet_sport, dport: inet->inet_dport, sk);
294 if (IS_ERR(ptr: rt)) {
295 err = PTR_ERR(ptr: rt);
296 rt = NULL;
297 goto failure;
298 }
299 tp->tcp_usec_ts = dst_tcp_usec_ts(dst: &rt->dst);
300 /* OK, now commit destination to socket. */
301 sk->sk_gso_type = SKB_GSO_TCPV4;
302 sk_setup_caps(sk, dst: &rt->dst);
303 rt = NULL;
304
305 if (likely(!tp->repair)) {
306 if (!tp->write_seq)
307 WRITE_ONCE(tp->write_seq,
308 secure_tcp_seq(inet->inet_saddr,
309 inet->inet_daddr,
310 inet->inet_sport,
311 usin->sin_port));
312 WRITE_ONCE(tp->tsoffset,
313 secure_tcp_ts_off(net, inet->inet_saddr,
314 inet->inet_daddr));
315 }
316
317 atomic_set(v: &inet->inet_id, i: get_random_u16());
318
319 if (tcp_fastopen_defer_connect(sk, err: &err))
320 return err;
321 if (err)
322 goto failure;
323
324 err = tcp_connect(sk);
325
326 if (err)
327 goto failure;
328
329 return 0;
330
331failure:
332 /*
333 * This unhashes the socket and releases the local port,
334 * if necessary.
335 */
336 tcp_set_state(sk, state: TCP_CLOSE);
337 inet_bhash2_reset_saddr(sk);
338 ip_rt_put(rt);
339 sk->sk_route_caps = 0;
340 inet->inet_dport = 0;
341 return err;
342}
343EXPORT_SYMBOL(tcp_v4_connect);
344
345/*
346 * This routine reacts to ICMP_FRAG_NEEDED mtu indications as defined in RFC1191.
347 * It can be called through tcp_release_cb() if socket was owned by user
348 * at the time tcp_v4_err() was called to handle ICMP message.
349 */
350void tcp_v4_mtu_reduced(struct sock *sk)
351{
352 struct inet_sock *inet = inet_sk(sk);
353 struct dst_entry *dst;
354 u32 mtu;
355
356 if ((1 << sk->sk_state) & (TCPF_LISTEN | TCPF_CLOSE))
357 return;
358 mtu = READ_ONCE(tcp_sk(sk)->mtu_info);
359 dst = inet_csk_update_pmtu(sk, mtu);
360 if (!dst)
361 return;
362
363 /* Something is about to be wrong... Remember soft error
364 * for the case, if this connection will not able to recover.
365 */
366 if (mtu < dst_mtu(dst) && ip_dont_fragment(sk, dst))
367 WRITE_ONCE(sk->sk_err_soft, EMSGSIZE);
368
369 mtu = dst_mtu(dst);
370
371 if (inet->pmtudisc != IP_PMTUDISC_DONT &&
372 ip_sk_accept_pmtu(sk) &&
373 inet_csk(sk)->icsk_pmtu_cookie > mtu) {
374 tcp_sync_mss(sk, pmtu: mtu);
375
376 /* Resend the TCP packet because it's
377 * clear that the old packet has been
378 * dropped. This is the new "fast" path mtu
379 * discovery.
380 */
381 tcp_simple_retransmit(sk);
382 } /* else let the usual retransmit timer handle it */
383}
384EXPORT_SYMBOL(tcp_v4_mtu_reduced);
385
386static void do_redirect(struct sk_buff *skb, struct sock *sk)
387{
388 struct dst_entry *dst = __sk_dst_check(sk, cookie: 0);
389
390 if (dst)
391 dst->ops->redirect(dst, sk, skb);
392}
393
394
395/* handle ICMP messages on TCP_NEW_SYN_RECV request sockets */
396void tcp_req_err(struct sock *sk, u32 seq, bool abort)
397{
398 struct request_sock *req = inet_reqsk(sk);
399 struct net *net = sock_net(sk);
400
401 /* ICMPs are not backlogged, hence we cannot get
402 * an established socket here.
403 */
404 if (seq != tcp_rsk(req)->snt_isn) {
405 __NET_INC_STATS(net, LINUX_MIB_OUTOFWINDOWICMPS);
406 } else if (abort) {
407 /*
408 * Still in SYN_RECV, just remove it silently.
409 * There is no good way to pass the error to the newly
410 * created socket, and POSIX does not want network
411 * errors returned from accept().
412 */
413 inet_csk_reqsk_queue_drop(sk: req->rsk_listener, req);
414 tcp_listendrop(sk: req->rsk_listener);
415 }
416 reqsk_put(req);
417}
418EXPORT_SYMBOL(tcp_req_err);
419
420/* TCP-LD (RFC 6069) logic */
421void tcp_ld_RTO_revert(struct sock *sk, u32 seq)
422{
423 struct inet_connection_sock *icsk = inet_csk(sk);
424 struct tcp_sock *tp = tcp_sk(sk);
425 struct sk_buff *skb;
426 s32 remaining;
427 u32 delta_us;
428
429 if (sock_owned_by_user(sk))
430 return;
431
432 if (seq != tp->snd_una || !icsk->icsk_retransmits ||
433 !icsk->icsk_backoff)
434 return;
435
436 skb = tcp_rtx_queue_head(sk);
437 if (WARN_ON_ONCE(!skb))
438 return;
439
440 icsk->icsk_backoff--;
441 icsk->icsk_rto = tp->srtt_us ? __tcp_set_rto(tp) : TCP_TIMEOUT_INIT;
442 icsk->icsk_rto = inet_csk_rto_backoff(icsk, TCP_RTO_MAX);
443
444 tcp_mstamp_refresh(tp);
445 delta_us = (u32)(tp->tcp_mstamp - tcp_skb_timestamp_us(skb));
446 remaining = icsk->icsk_rto - usecs_to_jiffies(u: delta_us);
447
448 if (remaining > 0) {
449 inet_csk_reset_xmit_timer(sk, ICSK_TIME_RETRANS,
450 when: remaining, TCP_RTO_MAX);
451 } else {
452 /* RTO revert clocked out retransmission.
453 * Will retransmit now.
454 */
455 tcp_retransmit_timer(sk);
456 }
457}
458EXPORT_SYMBOL(tcp_ld_RTO_revert);
459
460/*
461 * This routine is called by the ICMP module when it gets some
462 * sort of error condition. If err < 0 then the socket should
463 * be closed and the error returned to the user. If err > 0
464 * it's just the icmp type << 8 | icmp code. After adjustment
465 * header points to the first 8 bytes of the tcp header. We need
466 * to find the appropriate port.
467 *
468 * The locking strategy used here is very "optimistic". When
469 * someone else accesses the socket the ICMP is just dropped
470 * and for some paths there is no check at all.
471 * A more general error queue to queue errors for later handling
472 * is probably better.
473 *
474 */
475
476int tcp_v4_err(struct sk_buff *skb, u32 info)
477{
478 const struct iphdr *iph = (const struct iphdr *)skb->data;
479 struct tcphdr *th = (struct tcphdr *)(skb->data + (iph->ihl << 2));
480 struct tcp_sock *tp;
481 const int type = icmp_hdr(skb)->type;
482 const int code = icmp_hdr(skb)->code;
483 struct sock *sk;
484 struct request_sock *fastopen;
485 u32 seq, snd_una;
486 int err;
487 struct net *net = dev_net(dev: skb->dev);
488
489 sk = __inet_lookup_established(net, hashinfo: net->ipv4.tcp_death_row.hashinfo,
490 saddr: iph->daddr, sport: th->dest, daddr: iph->saddr,
491 ntohs(th->source), dif: inet_iif(skb), sdif: 0);
492 if (!sk) {
493 __ICMP_INC_STATS(net, ICMP_MIB_INERRORS);
494 return -ENOENT;
495 }
496 if (sk->sk_state == TCP_TIME_WAIT) {
497 /* To increase the counter of ignored icmps for TCP-AO */
498 tcp_ao_ignore_icmp(sk, AF_INET, type, code);
499 inet_twsk_put(tw: inet_twsk(sk));
500 return 0;
501 }
502 seq = ntohl(th->seq);
503 if (sk->sk_state == TCP_NEW_SYN_RECV) {
504 tcp_req_err(sk, seq, type == ICMP_PARAMETERPROB ||
505 type == ICMP_TIME_EXCEEDED ||
506 (type == ICMP_DEST_UNREACH &&
507 (code == ICMP_NET_UNREACH ||
508 code == ICMP_HOST_UNREACH)));
509 return 0;
510 }
511
512 if (tcp_ao_ignore_icmp(sk, AF_INET, type, code)) {
513 sock_put(sk);
514 return 0;
515 }
516
517 bh_lock_sock(sk);
518 /* If too many ICMPs get dropped on busy
519 * servers this needs to be solved differently.
520 * We do take care of PMTU discovery (RFC1191) special case :
521 * we can receive locally generated ICMP messages while socket is held.
522 */
523 if (sock_owned_by_user(sk)) {
524 if (!(type == ICMP_DEST_UNREACH && code == ICMP_FRAG_NEEDED))
525 __NET_INC_STATS(net, LINUX_MIB_LOCKDROPPEDICMPS);
526 }
527 if (sk->sk_state == TCP_CLOSE)
528 goto out;
529
530 if (static_branch_unlikely(&ip4_min_ttl)) {
531 /* min_ttl can be changed concurrently from do_ip_setsockopt() */
532 if (unlikely(iph->ttl < READ_ONCE(inet_sk(sk)->min_ttl))) {
533 __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
534 goto out;
535 }
536 }
537
538 tp = tcp_sk(sk);
539 /* XXX (TFO) - tp->snd_una should be ISN (tcp_create_openreq_child() */
540 fastopen = rcu_dereference(tp->fastopen_rsk);
541 snd_una = fastopen ? tcp_rsk(req: fastopen)->snt_isn : tp->snd_una;
542 if (sk->sk_state != TCP_LISTEN &&
543 !between(seq1: seq, seq2: snd_una, seq3: tp->snd_nxt)) {
544 __NET_INC_STATS(net, LINUX_MIB_OUTOFWINDOWICMPS);
545 goto out;
546 }
547
548 switch (type) {
549 case ICMP_REDIRECT:
550 if (!sock_owned_by_user(sk))
551 do_redirect(skb, sk);
552 goto out;
553 case ICMP_SOURCE_QUENCH:
554 /* Just silently ignore these. */
555 goto out;
556 case ICMP_PARAMETERPROB:
557 err = EPROTO;
558 break;
559 case ICMP_DEST_UNREACH:
560 if (code > NR_ICMP_UNREACH)
561 goto out;
562
563 if (code == ICMP_FRAG_NEEDED) { /* PMTU discovery (RFC1191) */
564 /* We are not interested in TCP_LISTEN and open_requests
565 * (SYN-ACKs send out by Linux are always <576bytes so
566 * they should go through unfragmented).
567 */
568 if (sk->sk_state == TCP_LISTEN)
569 goto out;
570
571 WRITE_ONCE(tp->mtu_info, info);
572 if (!sock_owned_by_user(sk)) {
573 tcp_v4_mtu_reduced(sk);
574 } else {
575 if (!test_and_set_bit(nr: TCP_MTU_REDUCED_DEFERRED, addr: &sk->sk_tsq_flags))
576 sock_hold(sk);
577 }
578 goto out;
579 }
580
581 err = icmp_err_convert[code].errno;
582 /* check if this ICMP message allows revert of backoff.
583 * (see RFC 6069)
584 */
585 if (!fastopen &&
586 (code == ICMP_NET_UNREACH || code == ICMP_HOST_UNREACH))
587 tcp_ld_RTO_revert(sk, seq);
588 break;
589 case ICMP_TIME_EXCEEDED:
590 err = EHOSTUNREACH;
591 break;
592 default:
593 goto out;
594 }
595
596 switch (sk->sk_state) {
597 case TCP_SYN_SENT:
598 case TCP_SYN_RECV:
599 /* Only in fast or simultaneous open. If a fast open socket is
600 * already accepted it is treated as a connected one below.
601 */
602 if (fastopen && !fastopen->sk)
603 break;
604
605 ip_icmp_error(sk, skb, err, port: th->dest, info, payload: (u8 *)th);
606
607 if (!sock_owned_by_user(sk)) {
608 WRITE_ONCE(sk->sk_err, err);
609
610 sk_error_report(sk);
611
612 tcp_done(sk);
613 } else {
614 WRITE_ONCE(sk->sk_err_soft, err);
615 }
616 goto out;
617 }
618
619 /* If we've already connected we will keep trying
620 * until we time out, or the user gives up.
621 *
622 * rfc1122 4.2.3.9 allows to consider as hard errors
623 * only PROTO_UNREACH and PORT_UNREACH (well, FRAG_FAILED too,
624 * but it is obsoleted by pmtu discovery).
625 *
626 * Note, that in modern internet, where routing is unreliable
627 * and in each dark corner broken firewalls sit, sending random
628 * errors ordered by their masters even this two messages finally lose
629 * their original sense (even Linux sends invalid PORT_UNREACHs)
630 *
631 * Now we are in compliance with RFCs.
632 * --ANK (980905)
633 */
634
635 if (!sock_owned_by_user(sk) &&
636 inet_test_bit(RECVERR, sk)) {
637 WRITE_ONCE(sk->sk_err, err);
638 sk_error_report(sk);
639 } else { /* Only an error on timeout */
640 WRITE_ONCE(sk->sk_err_soft, err);
641 }
642
643out:
644 bh_unlock_sock(sk);
645 sock_put(sk);
646 return 0;
647}
648
649void __tcp_v4_send_check(struct sk_buff *skb, __be32 saddr, __be32 daddr)
650{
651 struct tcphdr *th = tcp_hdr(skb);
652
653 th->check = ~tcp_v4_check(len: skb->len, saddr, daddr, base: 0);
654 skb->csum_start = skb_transport_header(skb) - skb->head;
655 skb->csum_offset = offsetof(struct tcphdr, check);
656}
657
658/* This routine computes an IPv4 TCP checksum. */
659void tcp_v4_send_check(struct sock *sk, struct sk_buff *skb)
660{
661 const struct inet_sock *inet = inet_sk(sk);
662
663 __tcp_v4_send_check(skb, saddr: inet->inet_saddr, daddr: inet->inet_daddr);
664}
665EXPORT_SYMBOL(tcp_v4_send_check);
666
667#define REPLY_OPTIONS_LEN (MAX_TCP_OPTION_SPACE / sizeof(__be32))
668
669static bool tcp_v4_ao_sign_reset(const struct sock *sk, struct sk_buff *skb,
670 const struct tcp_ao_hdr *aoh,
671 struct ip_reply_arg *arg, struct tcphdr *reply,
672 __be32 reply_options[REPLY_OPTIONS_LEN])
673{
674#ifdef CONFIG_TCP_AO
675 int sdif = tcp_v4_sdif(skb);
676 int dif = inet_iif(skb);
677 int l3index = sdif ? dif : 0;
678 bool allocated_traffic_key;
679 struct tcp_ao_key *key;
680 char *traffic_key;
681 bool drop = true;
682 u32 ao_sne = 0;
683 u8 keyid;
684
685 rcu_read_lock();
686 if (tcp_ao_prepare_reset(sk, skb, aoh, l3index, ntohl(reply->seq),
687 key: &key, traffic_key: &traffic_key, allocated_traffic_key: &allocated_traffic_key,
688 keyid: &keyid, sne: &ao_sne))
689 goto out;
690
691 reply_options[0] = htonl((TCPOPT_AO << 24) | (tcp_ao_len(key) << 16) |
692 (aoh->rnext_keyid << 8) | keyid);
693 arg->iov[0].iov_len += tcp_ao_len_aligned(key);
694 reply->doff = arg->iov[0].iov_len / 4;
695
696 if (tcp_ao_hash_hdr(AF_INET, ao_hash: (char *)&reply_options[1],
697 key, tkey: traffic_key,
698 daddr: (union tcp_ao_addr *)&ip_hdr(skb)->saddr,
699 saddr: (union tcp_ao_addr *)&ip_hdr(skb)->daddr,
700 th: reply, sne: ao_sne))
701 goto out;
702 drop = false;
703out:
704 rcu_read_unlock();
705 if (allocated_traffic_key)
706 kfree(objp: traffic_key);
707 return drop;
708#else
709 return true;
710#endif
711}
712
713/*
714 * This routine will send an RST to the other tcp.
715 *
716 * Someone asks: why I NEVER use socket parameters (TOS, TTL etc.)
717 * for reset.
718 * Answer: if a packet caused RST, it is not for a socket
719 * existing in our system, if it is matched to a socket,
720 * it is just duplicate segment or bug in other side's TCP.
721 * So that we build reply only basing on parameters
722 * arrived with segment.
723 * Exception: precedence violation. We do not implement it in any case.
724 */
725
726static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
727{
728 const struct tcphdr *th = tcp_hdr(skb);
729 struct {
730 struct tcphdr th;
731 __be32 opt[REPLY_OPTIONS_LEN];
732 } rep;
733 const __u8 *md5_hash_location = NULL;
734 const struct tcp_ao_hdr *aoh;
735 struct ip_reply_arg arg;
736#ifdef CONFIG_TCP_MD5SIG
737 struct tcp_md5sig_key *key = NULL;
738 unsigned char newhash[16];
739 struct sock *sk1 = NULL;
740 int genhash;
741#endif
742 u64 transmit_time = 0;
743 struct sock *ctl_sk;
744 struct net *net;
745 u32 txhash = 0;
746
747 /* Never send a reset in response to a reset. */
748 if (th->rst)
749 return;
750
751 /* If sk not NULL, it means we did a successful lookup and incoming
752 * route had to be correct. prequeue might have dropped our dst.
753 */
754 if (!sk && skb_rtable(skb)->rt_type != RTN_LOCAL)
755 return;
756
757 /* Swap the send and the receive. */
758 memset(&rep, 0, sizeof(rep));
759 rep.th.dest = th->source;
760 rep.th.source = th->dest;
761 rep.th.doff = sizeof(struct tcphdr) / 4;
762 rep.th.rst = 1;
763
764 if (th->ack) {
765 rep.th.seq = th->ack_seq;
766 } else {
767 rep.th.ack = 1;
768 rep.th.ack_seq = htonl(ntohl(th->seq) + th->syn + th->fin +
769 skb->len - (th->doff << 2));
770 }
771
772 memset(&arg, 0, sizeof(arg));
773 arg.iov[0].iov_base = (unsigned char *)&rep;
774 arg.iov[0].iov_len = sizeof(rep.th);
775
776 net = sk ? sock_net(sk) : dev_net(dev: skb_dst(skb)->dev);
777
778 /* Invalid TCP option size or twice included auth */
779 if (tcp_parse_auth_options(th: tcp_hdr(skb), md5_hash: &md5_hash_location, aoh: &aoh))
780 return;
781
782 if (aoh && tcp_v4_ao_sign_reset(sk, skb, aoh, arg: &arg, reply: &rep.th, reply_options: rep.opt))
783 return;
784
785#ifdef CONFIG_TCP_MD5SIG
786 rcu_read_lock();
787 if (sk && sk_fullsock(sk)) {
788 const union tcp_md5_addr *addr;
789 int l3index;
790
791 /* sdif set, means packet ingressed via a device
792 * in an L3 domain and inet_iif is set to it.
793 */
794 l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;
795 addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;
796 key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);
797 } else if (md5_hash_location) {
798 const union tcp_md5_addr *addr;
799 int sdif = tcp_v4_sdif(skb);
800 int dif = inet_iif(skb);
801 int l3index;
802
803 /*
804 * active side is lost. Try to find listening socket through
805 * source port, and then find md5 key through listening socket.
806 * we are not loose security here:
807 * Incoming packet is checked with md5 hash with finding key,
808 * no RST generated if md5 hash doesn't match.
809 */
810 sk1 = __inet_lookup_listener(net, hashinfo: net->ipv4.tcp_death_row.hashinfo,
811 NULL, doff: 0, saddr: ip_hdr(skb)->saddr,
812 sport: th->source, daddr: ip_hdr(skb)->daddr,
813 ntohs(th->source), dif, sdif);
814 /* don't send rst if it can't find key */
815 if (!sk1)
816 goto out;
817
818 /* sdif set, means packet ingressed via a device
819 * in an L3 domain and dif is set to it.
820 */
821 l3index = sdif ? dif : 0;
822 addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;
823 key = tcp_md5_do_lookup(sk: sk1, l3index, addr, AF_INET);
824 if (!key)
825 goto out;
826
827
828 genhash = tcp_v4_md5_hash_skb(md5_hash: newhash, key, NULL, skb);
829 if (genhash || memcmp(p: md5_hash_location, q: newhash, size: 16) != 0)
830 goto out;
831
832 }
833
834 if (key) {
835 rep.opt[0] = htonl((TCPOPT_NOP << 24) |
836 (TCPOPT_NOP << 16) |
837 (TCPOPT_MD5SIG << 8) |
838 TCPOLEN_MD5SIG);
839 /* Update length and the length the header thinks exists */
840 arg.iov[0].iov_len += TCPOLEN_MD5SIG_ALIGNED;
841 rep.th.doff = arg.iov[0].iov_len / 4;
842
843 tcp_v4_md5_hash_hdr(md5_hash: (__u8 *) &rep.opt[1],
844 key, daddr: ip_hdr(skb)->saddr,
845 saddr: ip_hdr(skb)->daddr, th: &rep.th);
846 }
847#endif
848 /* Can't co-exist with TCPMD5, hence check rep.opt[0] */
849 if (rep.opt[0] == 0) {
850 __be32 mrst = mptcp_reset_option(skb);
851
852 if (mrst) {
853 rep.opt[0] = mrst;
854 arg.iov[0].iov_len += sizeof(mrst);
855 rep.th.doff = arg.iov[0].iov_len / 4;
856 }
857 }
858
859 arg.csum = csum_tcpudp_nofold(saddr: ip_hdr(skb)->daddr,
860 daddr: ip_hdr(skb)->saddr, /* XXX */
861 len: arg.iov[0].iov_len, IPPROTO_TCP, sum: 0);
862 arg.csumoffset = offsetof(struct tcphdr, check) / 2;
863 arg.flags = (sk && inet_sk_transparent(sk)) ? IP_REPLY_ARG_NOSRCCHECK : 0;
864
865 /* When socket is gone, all binding information is lost.
866 * routing might fail in this case. No choice here, if we choose to force
867 * input interface, we will misroute in case of asymmetric route.
868 */
869 if (sk) {
870 arg.bound_dev_if = sk->sk_bound_dev_if;
871 if (sk_fullsock(sk))
872 trace_tcp_send_reset(sk, skb);
873 }
874
875 BUILD_BUG_ON(offsetof(struct sock, sk_bound_dev_if) !=
876 offsetof(struct inet_timewait_sock, tw_bound_dev_if));
877
878 arg.tos = ip_hdr(skb)->tos;
879 arg.uid = sock_net_uid(net, sk: sk && sk_fullsock(sk) ? sk : NULL);
880 local_bh_disable();
881 ctl_sk = this_cpu_read(ipv4_tcp_sk);
882 sock_net_set(sk: ctl_sk, net);
883 if (sk) {
884 ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
885 inet_twsk(sk)->tw_mark : sk->sk_mark;
886 ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
887 inet_twsk(sk)->tw_priority : READ_ONCE(sk->sk_priority);
888 transmit_time = tcp_transmit_time(sk);
889 xfrm_sk_clone_policy(sk: ctl_sk, osk: sk);
890 txhash = (sk->sk_state == TCP_TIME_WAIT) ?
891 inet_twsk(sk)->tw_txhash : sk->sk_txhash;
892 } else {
893 ctl_sk->sk_mark = 0;
894 ctl_sk->sk_priority = 0;
895 }
896 ip_send_unicast_reply(sk: ctl_sk,
897 skb, sopt: &TCP_SKB_CB(skb)->header.h4.opt,
898 daddr: ip_hdr(skb)->saddr, saddr: ip_hdr(skb)->daddr,
899 arg: &arg, len: arg.iov[0].iov_len,
900 transmit_time, txhash);
901
902 xfrm_sk_free_policy(sk: ctl_sk);
903 sock_net_set(sk: ctl_sk, net: &init_net);
904 __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
905 __TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
906 local_bh_enable();
907
908#ifdef CONFIG_TCP_MD5SIG
909out:
910 rcu_read_unlock();
911#endif
912}
913
914/* The code following below sending ACKs in SYN-RECV and TIME-WAIT states
915 outside socket context is ugly, certainly. What can I do?
916 */
917
918static void tcp_v4_send_ack(const struct sock *sk,
919 struct sk_buff *skb, u32 seq, u32 ack,
920 u32 win, u32 tsval, u32 tsecr, int oif,
921 struct tcp_key *key,
922 int reply_flags, u8 tos, u32 txhash)
923{
924 const struct tcphdr *th = tcp_hdr(skb);
925 struct {
926 struct tcphdr th;
927 __be32 opt[(MAX_TCP_OPTION_SPACE >> 2)];
928 } rep;
929 struct net *net = sock_net(sk);
930 struct ip_reply_arg arg;
931 struct sock *ctl_sk;
932 u64 transmit_time;
933
934 memset(&rep.th, 0, sizeof(struct tcphdr));
935 memset(&arg, 0, sizeof(arg));
936
937 arg.iov[0].iov_base = (unsigned char *)&rep;
938 arg.iov[0].iov_len = sizeof(rep.th);
939 if (tsecr) {
940 rep.opt[0] = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
941 (TCPOPT_TIMESTAMP << 8) |
942 TCPOLEN_TIMESTAMP);
943 rep.opt[1] = htonl(tsval);
944 rep.opt[2] = htonl(tsecr);
945 arg.iov[0].iov_len += TCPOLEN_TSTAMP_ALIGNED;
946 }
947
948 /* Swap the send and the receive. */
949 rep.th.dest = th->source;
950 rep.th.source = th->dest;
951 rep.th.doff = arg.iov[0].iov_len / 4;
952 rep.th.seq = htonl(seq);
953 rep.th.ack_seq = htonl(ack);
954 rep.th.ack = 1;
955 rep.th.window = htons(win);
956
957#ifdef CONFIG_TCP_MD5SIG
958 if (tcp_key_is_md5(key)) {
959 int offset = (tsecr) ? 3 : 0;
960
961 rep.opt[offset++] = htonl((TCPOPT_NOP << 24) |
962 (TCPOPT_NOP << 16) |
963 (TCPOPT_MD5SIG << 8) |
964 TCPOLEN_MD5SIG);
965 arg.iov[0].iov_len += TCPOLEN_MD5SIG_ALIGNED;
966 rep.th.doff = arg.iov[0].iov_len/4;
967
968 tcp_v4_md5_hash_hdr(md5_hash: (__u8 *) &rep.opt[offset],
969 key: key->md5_key, daddr: ip_hdr(skb)->saddr,
970 saddr: ip_hdr(skb)->daddr, th: &rep.th);
971 }
972#endif
973#ifdef CONFIG_TCP_AO
974 if (tcp_key_is_ao(key)) {
975 int offset = (tsecr) ? 3 : 0;
976
977 rep.opt[offset++] = htonl((TCPOPT_AO << 24) |
978 (tcp_ao_len(key->ao_key) << 16) |
979 (key->ao_key->sndid << 8) |
980 key->rcv_next);
981 arg.iov[0].iov_len += tcp_ao_len_aligned(key: key->ao_key);
982 rep.th.doff = arg.iov[0].iov_len / 4;
983
984 tcp_ao_hash_hdr(AF_INET, ao_hash: (char *)&rep.opt[offset],
985 key: key->ao_key, tkey: key->traffic_key,
986 daddr: (union tcp_ao_addr *)&ip_hdr(skb)->saddr,
987 saddr: (union tcp_ao_addr *)&ip_hdr(skb)->daddr,
988 th: &rep.th, sne: key->sne);
989 }
990#endif
991 arg.flags = reply_flags;
992 arg.csum = csum_tcpudp_nofold(saddr: ip_hdr(skb)->daddr,
993 daddr: ip_hdr(skb)->saddr, /* XXX */
994 len: arg.iov[0].iov_len, IPPROTO_TCP, sum: 0);
995 arg.csumoffset = offsetof(struct tcphdr, check) / 2;
996 if (oif)
997 arg.bound_dev_if = oif;
998 arg.tos = tos;
999 arg.uid = sock_net_uid(net, sk: sk_fullsock(sk) ? sk : NULL);
1000 local_bh_disable();
1001 ctl_sk = this_cpu_read(ipv4_tcp_sk);
1002 sock_net_set(sk: ctl_sk, net);
1003 ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
1004 inet_twsk(sk)->tw_mark : READ_ONCE(sk->sk_mark);
1005 ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
1006 inet_twsk(sk)->tw_priority : READ_ONCE(sk->sk_priority);
1007 transmit_time = tcp_transmit_time(sk);
1008 ip_send_unicast_reply(sk: ctl_sk,
1009 skb, sopt: &TCP_SKB_CB(skb)->header.h4.opt,
1010 daddr: ip_hdr(skb)->saddr, saddr: ip_hdr(skb)->daddr,
1011 arg: &arg, len: arg.iov[0].iov_len,
1012 transmit_time, txhash);
1013
1014 sock_net_set(sk: ctl_sk, net: &init_net);
1015 __TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
1016 local_bh_enable();
1017}
1018
1019static void tcp_v4_timewait_ack(struct sock *sk, struct sk_buff *skb)
1020{
1021 struct inet_timewait_sock *tw = inet_twsk(sk);
1022 struct tcp_timewait_sock *tcptw = tcp_twsk(sk);
1023 struct tcp_key key = {};
1024#ifdef CONFIG_TCP_AO
1025 struct tcp_ao_info *ao_info;
1026
1027 if (static_branch_unlikely(&tcp_ao_needed.key)) {
1028 /* FIXME: the segment to-be-acked is not verified yet */
1029 ao_info = rcu_dereference(tcptw->ao_info);
1030 if (ao_info) {
1031 const struct tcp_ao_hdr *aoh;
1032
1033 if (tcp_parse_auth_options(th: tcp_hdr(skb), NULL, aoh: &aoh)) {
1034 inet_twsk_put(tw);
1035 return;
1036 }
1037
1038 if (aoh)
1039 key.ao_key = tcp_ao_established_key(ao: ao_info, sndid: aoh->rnext_keyid, rcvid: -1);
1040 }
1041 }
1042 if (key.ao_key) {
1043 struct tcp_ao_key *rnext_key;
1044
1045 key.traffic_key = snd_other_key(key: key.ao_key);
1046 key.sne = READ_ONCE(ao_info->snd_sne);
1047 rnext_key = READ_ONCE(ao_info->rnext_key);
1048 key.rcv_next = rnext_key->rcvid;
1049 key.type = TCP_KEY_AO;
1050#else
1051 if (0) {
1052#endif
1053#ifdef CONFIG_TCP_MD5SIG
1054 } else if (static_branch_unlikely(&tcp_md5_needed.key)) {
1055 key.md5_key = tcp_twsk_md5_key(tcptw);
1056 if (key.md5_key)
1057 key.type = TCP_KEY_MD5;
1058#endif
1059 }
1060
1061 tcp_v4_send_ack(sk, skb,
1062 seq: tcptw->tw_snd_nxt, ack: tcptw->tw_rcv_nxt,
1063 win: tcptw->tw_rcv_wnd >> tw->tw_rcv_wscale,
1064 tsval: tcp_tw_tsval(tcptw),
1065 tsecr: tcptw->tw_ts_recent,
1066 oif: tw->tw_bound_dev_if, key: &key,
1067 reply_flags: tw->tw_transparent ? IP_REPLY_ARG_NOSRCCHECK : 0,
1068 tos: tw->tw_tos,
1069 txhash: tw->tw_txhash);
1070
1071 inet_twsk_put(tw);
1072}
1073
1074static void tcp_v4_reqsk_send_ack(const struct sock *sk, struct sk_buff *skb,
1075 struct request_sock *req)
1076{
1077 struct tcp_key key = {};
1078
1079 /* sk->sk_state == TCP_LISTEN -> for regular TCP_SYN_RECV
1080 * sk->sk_state == TCP_SYN_RECV -> for Fast Open.
1081 */
1082 u32 seq = (sk->sk_state == TCP_LISTEN) ? tcp_rsk(req)->snt_isn + 1 :
1083 tcp_sk(sk)->snd_nxt;
1084
1085#ifdef CONFIG_TCP_AO
1086 if (static_branch_unlikely(&tcp_ao_needed.key) &&
1087 tcp_rsk_used_ao(req)) {
1088 const union tcp_md5_addr *addr;
1089 const struct tcp_ao_hdr *aoh;
1090 int l3index;
1091
1092 /* Invalid TCP option size or twice included auth */
1093 if (tcp_parse_auth_options(th: tcp_hdr(skb), NULL, aoh: &aoh))
1094 return;
1095 if (!aoh)
1096 return;
1097
1098 addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;
1099 l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;
1100 key.ao_key = tcp_ao_do_lookup(sk, l3index, addr, AF_INET,
1101 sndid: aoh->rnext_keyid, rcvid: -1);
1102 if (unlikely(!key.ao_key)) {
1103 /* Send ACK with any matching MKT for the peer */
1104 key.ao_key = tcp_ao_do_lookup(sk, l3index, addr, AF_INET, sndid: -1, rcvid: -1);
1105 /* Matching key disappeared (user removed the key?)
1106 * let the handshake timeout.
1107 */
1108 if (!key.ao_key) {
1109 net_info_ratelimited("TCP-AO key for (%pI4, %d)->(%pI4, %d) suddenly disappeared, won't ACK new connection\n",
1110 addr,
1111 ntohs(tcp_hdr(skb)->source),
1112 &ip_hdr(skb)->daddr,
1113 ntohs(tcp_hdr(skb)->dest));
1114 return;
1115 }
1116 }
1117 key.traffic_key = kmalloc(size: tcp_ao_digest_size(key: key.ao_key), GFP_ATOMIC);
1118 if (!key.traffic_key)
1119 return;
1120
1121 key.type = TCP_KEY_AO;
1122 key.rcv_next = aoh->keyid;
1123 tcp_v4_ao_calc_key_rsk(mkt: key.ao_key, key: key.traffic_key, req);
1124#else
1125 if (0) {
1126#endif
1127#ifdef CONFIG_TCP_MD5SIG
1128 } else if (static_branch_unlikely(&tcp_md5_needed.key)) {
1129 const union tcp_md5_addr *addr;
1130 int l3index;
1131
1132 addr = (union tcp_md5_addr *)&ip_hdr(skb)->saddr;
1133 l3index = tcp_v4_sdif(skb) ? inet_iif(skb) : 0;
1134 key.md5_key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);
1135 if (key.md5_key)
1136 key.type = TCP_KEY_MD5;
1137#endif
1138 }
1139
1140 /* RFC 7323 2.3
1141 * The window field (SEG.WND) of every outgoing segment, with the
1142 * exception of <SYN> segments, MUST be right-shifted by
1143 * Rcv.Wind.Shift bits:
1144 */
1145 tcp_v4_send_ack(sk, skb, seq,
1146 ack: tcp_rsk(req)->rcv_nxt,
1147 win: req->rsk_rcv_wnd >> inet_rsk(sk: req)->rcv_wscale,
1148 tsval: tcp_rsk_tsval(treq: tcp_rsk(req)),
1149 READ_ONCE(req->ts_recent),
1150 oif: 0, key: &key,
1151 reply_flags: inet_rsk(sk: req)->no_srccheck ? IP_REPLY_ARG_NOSRCCHECK : 0,
1152 tos: ip_hdr(skb)->tos,
1153 READ_ONCE(tcp_rsk(req)->txhash));
1154 if (tcp_key_is_ao(key: &key))
1155 kfree(objp: key.traffic_key);
1156}
1157
1158/*
1159 * Send a SYN-ACK after having received a SYN.
1160 * This still operates on a request_sock only, not on a big
1161 * socket.
1162 */
1163static int tcp_v4_send_synack(const struct sock *sk, struct dst_entry *dst,
1164 struct flowi *fl,
1165 struct request_sock *req,
1166 struct tcp_fastopen_cookie *foc,
1167 enum tcp_synack_type synack_type,
1168 struct sk_buff *syn_skb)
1169{
1170 const struct inet_request_sock *ireq = inet_rsk(sk: req);
1171 struct flowi4 fl4;
1172 int err = -1;
1173 struct sk_buff *skb;
1174 u8 tos;
1175
1176 /* First, grab a route. */
1177 if (!dst && (dst = inet_csk_route_req(sk, fl4: &fl4, req)) == NULL)
1178 return -1;
1179
1180 skb = tcp_make_synack(sk, dst, req, foc, synack_type, syn_skb);
1181
1182 if (skb) {
1183 __tcp_v4_send_check(skb, saddr: ireq->ir_loc_addr, daddr: ireq->ir_rmt_addr);
1184
1185 tos = READ_ONCE(inet_sk(sk)->tos);
1186
1187 if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reflect_tos))
1188 tos = (tcp_rsk(req)->syn_tos & ~INET_ECN_MASK) |
1189 (tos & INET_ECN_MASK);
1190
1191 if (!INET_ECN_is_capable(dsfield: tos) &&
1192 tcp_bpf_ca_needs_ecn(sk: (struct sock *)req))
1193 tos |= INET_ECN_ECT_0;
1194
1195 rcu_read_lock();
1196 err = ip_build_and_send_pkt(skb, sk, saddr: ireq->ir_loc_addr,
1197 daddr: ireq->ir_rmt_addr,
1198 rcu_dereference(ireq->ireq_opt),
1199 tos);
1200 rcu_read_unlock();
1201 err = net_xmit_eval(err);
1202 }
1203
1204 return err;
1205}
1206
1207/*
1208 * IPv4 request_sock destructor.
1209 */
1210static void tcp_v4_reqsk_destructor(struct request_sock *req)
1211{
1212 kfree(rcu_dereference_protected(inet_rsk(req)->ireq_opt, 1));
1213}
1214
1215#ifdef CONFIG_TCP_MD5SIG
1216/*
1217 * RFC2385 MD5 checksumming requires a mapping of
1218 * IP address->MD5 Key.
1219 * We need to maintain these in the sk structure.
1220 */
1221
1222DEFINE_STATIC_KEY_DEFERRED_FALSE(tcp_md5_needed, HZ);
1223EXPORT_SYMBOL(tcp_md5_needed);
1224
1225static bool better_md5_match(struct tcp_md5sig_key *old, struct tcp_md5sig_key *new)
1226{
1227 if (!old)
1228 return true;
1229
1230 /* l3index always overrides non-l3index */
1231 if (old->l3index && new->l3index == 0)
1232 return false;
1233 if (old->l3index == 0 && new->l3index)
1234 return true;
1235
1236 return old->prefixlen < new->prefixlen;
1237}
1238
1239/* Find the Key structure for an address. */
1240struct tcp_md5sig_key *__tcp_md5_do_lookup(const struct sock *sk, int l3index,
1241 const union tcp_md5_addr *addr,
1242 int family, bool any_l3index)
1243{
1244 const struct tcp_sock *tp = tcp_sk(sk);
1245 struct tcp_md5sig_key *key;
1246 const struct tcp_md5sig_info *md5sig;
1247 __be32 mask;
1248 struct tcp_md5sig_key *best_match = NULL;
1249 bool match;
1250
1251 /* caller either holds rcu_read_lock() or socket lock */
1252 md5sig = rcu_dereference_check(tp->md5sig_info,
1253 lockdep_sock_is_held(sk));
1254 if (!md5sig)
1255 return NULL;
1256
1257 hlist_for_each_entry_rcu(key, &md5sig->head, node,
1258 lockdep_sock_is_held(sk)) {
1259 if (key->family != family)
1260 continue;
1261 if (!any_l3index && key->flags & TCP_MD5SIG_FLAG_IFINDEX &&
1262 key->l3index != l3index)
1263 continue;
1264 if (family == AF_INET) {
1265 mask = inet_make_mask(logmask: key->prefixlen);
1266 match = (key->addr.a4.s_addr & mask) ==
1267 (addr->a4.s_addr & mask);
1268#if IS_ENABLED(CONFIG_IPV6)
1269 } else if (family == AF_INET6) {
1270 match = ipv6_prefix_equal(addr1: &key->addr.a6, addr2: &addr->a6,
1271 prefixlen: key->prefixlen);
1272#endif
1273 } else {
1274 match = false;
1275 }
1276
1277 if (match && better_md5_match(old: best_match, new: key))
1278 best_match = key;
1279 }
1280 return best_match;
1281}
1282EXPORT_SYMBOL(__tcp_md5_do_lookup);
1283
1284static struct tcp_md5sig_key *tcp_md5_do_lookup_exact(const struct sock *sk,
1285 const union tcp_md5_addr *addr,
1286 int family, u8 prefixlen,
1287 int l3index, u8 flags)
1288{
1289 const struct tcp_sock *tp = tcp_sk(sk);
1290 struct tcp_md5sig_key *key;
1291 unsigned int size = sizeof(struct in_addr);
1292 const struct tcp_md5sig_info *md5sig;
1293
1294 /* caller either holds rcu_read_lock() or socket lock */
1295 md5sig = rcu_dereference_check(tp->md5sig_info,
1296 lockdep_sock_is_held(sk));
1297 if (!md5sig)
1298 return NULL;
1299#if IS_ENABLED(CONFIG_IPV6)
1300 if (family == AF_INET6)
1301 size = sizeof(struct in6_addr);
1302#endif
1303 hlist_for_each_entry_rcu(key, &md5sig->head, node,
1304 lockdep_sock_is_held(sk)) {
1305 if (key->family != family)
1306 continue;
1307 if ((key->flags & TCP_MD5SIG_FLAG_IFINDEX) != (flags & TCP_MD5SIG_FLAG_IFINDEX))
1308 continue;
1309 if (key->l3index != l3index)
1310 continue;
1311 if (!memcmp(p: &key->addr, q: addr, size) &&
1312 key->prefixlen == prefixlen)
1313 return key;
1314 }
1315 return NULL;
1316}
1317
1318struct tcp_md5sig_key *tcp_v4_md5_lookup(const struct sock *sk,
1319 const struct sock *addr_sk)
1320{
1321 const union tcp_md5_addr *addr;
1322 int l3index;
1323
1324 l3index = l3mdev_master_ifindex_by_index(net: sock_net(sk),
1325 ifindex: addr_sk->sk_bound_dev_if);
1326 addr = (const union tcp_md5_addr *)&addr_sk->sk_daddr;
1327 return tcp_md5_do_lookup(sk, l3index, addr, AF_INET);
1328}
1329EXPORT_SYMBOL(tcp_v4_md5_lookup);
1330
1331static int tcp_md5sig_info_add(struct sock *sk, gfp_t gfp)
1332{
1333 struct tcp_sock *tp = tcp_sk(sk);
1334 struct tcp_md5sig_info *md5sig;
1335
1336 md5sig = kmalloc(size: sizeof(*md5sig), flags: gfp);
1337 if (!md5sig)
1338 return -ENOMEM;
1339
1340 sk_gso_disable(sk);
1341 INIT_HLIST_HEAD(&md5sig->head);
1342 rcu_assign_pointer(tp->md5sig_info, md5sig);
1343 return 0;
1344}
1345
1346/* This can be called on a newly created socket, from other files */
1347static int __tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
1348 int family, u8 prefixlen, int l3index, u8 flags,
1349 const u8 *newkey, u8 newkeylen, gfp_t gfp)
1350{
1351 /* Add Key to the list */
1352 struct tcp_md5sig_key *key;
1353 struct tcp_sock *tp = tcp_sk(sk);
1354 struct tcp_md5sig_info *md5sig;
1355
1356 key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen, l3index, flags);
1357 if (key) {
1358 /* Pre-existing entry - just update that one.
1359 * Note that the key might be used concurrently.
1360 * data_race() is telling kcsan that we do not care of
1361 * key mismatches, since changing MD5 key on live flows
1362 * can lead to packet drops.
1363 */
1364 data_race(memcpy(key->key, newkey, newkeylen));
1365
1366 /* Pairs with READ_ONCE() in tcp_md5_hash_key().
1367 * Also note that a reader could catch new key->keylen value
1368 * but old key->key[], this is the reason we use __GFP_ZERO
1369 * at sock_kmalloc() time below these lines.
1370 */
1371 WRITE_ONCE(key->keylen, newkeylen);
1372
1373 return 0;
1374 }
1375
1376 md5sig = rcu_dereference_protected(tp->md5sig_info,
1377 lockdep_sock_is_held(sk));
1378
1379 key = sock_kmalloc(sk, size: sizeof(*key), priority: gfp | __GFP_ZERO);
1380 if (!key)
1381 return -ENOMEM;
1382
1383 memcpy(key->key, newkey, newkeylen);
1384 key->keylen = newkeylen;
1385 key->family = family;
1386 key->prefixlen = prefixlen;
1387 key->l3index = l3index;
1388 key->flags = flags;
1389 memcpy(&key->addr, addr,
1390 (IS_ENABLED(CONFIG_IPV6) && family == AF_INET6) ? sizeof(struct in6_addr) :
1391 sizeof(struct in_addr));
1392 hlist_add_head_rcu(n: &key->node, h: &md5sig->head);
1393 return 0;
1394}
1395
1396int tcp_md5_do_add(struct sock *sk, const union tcp_md5_addr *addr,
1397 int family, u8 prefixlen, int l3index, u8 flags,
1398 const u8 *newkey, u8 newkeylen)
1399{
1400 struct tcp_sock *tp = tcp_sk(sk);
1401
1402 if (!rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk))) {
1403 if (tcp_md5_alloc_sigpool())
1404 return -ENOMEM;
1405
1406 if (tcp_md5sig_info_add(sk, GFP_KERNEL)) {
1407 tcp_md5_release_sigpool();
1408 return -ENOMEM;
1409 }
1410
1411 if (!static_branch_inc(&tcp_md5_needed.key)) {
1412 struct tcp_md5sig_info *md5sig;
1413
1414 md5sig = rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk));
1415 rcu_assign_pointer(tp->md5sig_info, NULL);
1416 kfree_rcu(md5sig, rcu);
1417 tcp_md5_release_sigpool();
1418 return -EUSERS;
1419 }
1420 }
1421
1422 return __tcp_md5_do_add(sk, addr, family, prefixlen, l3index, flags,
1423 newkey, newkeylen, GFP_KERNEL);
1424}
1425EXPORT_SYMBOL(tcp_md5_do_add);
1426
1427int tcp_md5_key_copy(struct sock *sk, const union tcp_md5_addr *addr,
1428 int family, u8 prefixlen, int l3index,
1429 struct tcp_md5sig_key *key)
1430{
1431 struct tcp_sock *tp = tcp_sk(sk);
1432
1433 if (!rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk))) {
1434 tcp_md5_add_sigpool();
1435
1436 if (tcp_md5sig_info_add(sk, gfp: sk_gfp_mask(sk, GFP_ATOMIC))) {
1437 tcp_md5_release_sigpool();
1438 return -ENOMEM;
1439 }
1440
1441 if (!static_key_fast_inc_not_disabled(key: &tcp_md5_needed.key.key)) {
1442 struct tcp_md5sig_info *md5sig;
1443
1444 md5sig = rcu_dereference_protected(tp->md5sig_info, lockdep_sock_is_held(sk));
1445 net_warn_ratelimited("Too many TCP-MD5 keys in the system\n");
1446 rcu_assign_pointer(tp->md5sig_info, NULL);
1447 kfree_rcu(md5sig, rcu);
1448 tcp_md5_release_sigpool();
1449 return -EUSERS;
1450 }
1451 }
1452
1453 return __tcp_md5_do_add(sk, addr, family, prefixlen, l3index,
1454 flags: key->flags, newkey: key->key, newkeylen: key->keylen,
1455 gfp: sk_gfp_mask(sk, GFP_ATOMIC));
1456}
1457EXPORT_SYMBOL(tcp_md5_key_copy);
1458
1459int tcp_md5_do_del(struct sock *sk, const union tcp_md5_addr *addr, int family,
1460 u8 prefixlen, int l3index, u8 flags)
1461{
1462 struct tcp_md5sig_key *key;
1463
1464 key = tcp_md5_do_lookup_exact(sk, addr, family, prefixlen, l3index, flags);
1465 if (!key)
1466 return -ENOENT;
1467 hlist_del_rcu(n: &key->node);
1468 atomic_sub(i: sizeof(*key), v: &sk->sk_omem_alloc);
1469 kfree_rcu(key, rcu);
1470 return 0;
1471}
1472EXPORT_SYMBOL(tcp_md5_do_del);
1473
1474void tcp_clear_md5_list(struct sock *sk)
1475{
1476 struct tcp_sock *tp = tcp_sk(sk);
1477 struct tcp_md5sig_key *key;
1478 struct hlist_node *n;
1479 struct tcp_md5sig_info *md5sig;
1480
1481 md5sig = rcu_dereference_protected(tp->md5sig_info, 1);
1482
1483 hlist_for_each_entry_safe(key, n, &md5sig->head, node) {
1484 hlist_del_rcu(n: &key->node);
1485 atomic_sub(i: sizeof(*key), v: &sk->sk_omem_alloc);
1486 kfree_rcu(key, rcu);
1487 }
1488}
1489
1490static int tcp_v4_parse_md5_keys(struct sock *sk, int optname,
1491 sockptr_t optval, int optlen)
1492{
1493 struct tcp_md5sig cmd;
1494 struct sockaddr_in *sin = (struct sockaddr_in *)&cmd.tcpm_addr;
1495 const union tcp_md5_addr *addr;
1496 u8 prefixlen = 32;
1497 int l3index = 0;
1498 bool l3flag;
1499 u8 flags;
1500
1501 if (optlen < sizeof(cmd))
1502 return -EINVAL;
1503
1504 if (copy_from_sockptr(dst: &cmd, src: optval, size: sizeof(cmd)))
1505 return -EFAULT;
1506
1507 if (sin->sin_family != AF_INET)
1508 return -EINVAL;
1509
1510 flags = cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX;
1511 l3flag = cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX;
1512
1513 if (optname == TCP_MD5SIG_EXT &&
1514 cmd.tcpm_flags & TCP_MD5SIG_FLAG_PREFIX) {
1515 prefixlen = cmd.tcpm_prefixlen;
1516 if (prefixlen > 32)
1517 return -EINVAL;
1518 }
1519
1520 if (optname == TCP_MD5SIG_EXT && cmd.tcpm_ifindex &&
1521 cmd.tcpm_flags & TCP_MD5SIG_FLAG_IFINDEX) {
1522 struct net_device *dev;
1523
1524 rcu_read_lock();
1525 dev = dev_get_by_index_rcu(net: sock_net(sk), ifindex: cmd.tcpm_ifindex);
1526 if (dev && netif_is_l3_master(dev))
1527 l3index = dev->ifindex;
1528
1529 rcu_read_unlock();
1530
1531 /* ok to reference set/not set outside of rcu;
1532 * right now device MUST be an L3 master
1533 */
1534 if (!dev || !l3index)
1535 return -EINVAL;
1536 }
1537
1538 addr = (union tcp_md5_addr *)&sin->sin_addr.s_addr;
1539
1540 if (!cmd.tcpm_keylen)
1541 return tcp_md5_do_del(sk, addr, AF_INET, prefixlen, l3index, flags);
1542
1543 if (cmd.tcpm_keylen > TCP_MD5SIG_MAXKEYLEN)
1544 return -EINVAL;
1545
1546 /* Don't allow keys for peers that have a matching TCP-AO key.
1547 * See the comment in tcp_ao_add_cmd()
1548 */
1549 if (tcp_ao_required(sk, saddr: addr, AF_INET, l3index: l3flag ? l3index : -1, stat_inc: false))
1550 return -EKEYREJECTED;
1551
1552 return tcp_md5_do_add(sk, addr, AF_INET, prefixlen, l3index, flags,
1553 cmd.tcpm_key, cmd.tcpm_keylen);
1554}
1555
1556static int tcp_v4_md5_hash_headers(struct tcp_sigpool *hp,
1557 __be32 daddr, __be32 saddr,
1558 const struct tcphdr *th, int nbytes)
1559{
1560 struct tcp4_pseudohdr *bp;
1561 struct scatterlist sg;
1562 struct tcphdr *_th;
1563
1564 bp = hp->scratch;
1565 bp->saddr = saddr;
1566 bp->daddr = daddr;
1567 bp->pad = 0;
1568 bp->protocol = IPPROTO_TCP;
1569 bp->len = cpu_to_be16(nbytes);
1570
1571 _th = (struct tcphdr *)(bp + 1);
1572 memcpy(_th, th, sizeof(*th));
1573 _th->check = 0;
1574
1575 sg_init_one(&sg, bp, sizeof(*bp) + sizeof(*th));
1576 ahash_request_set_crypt(req: hp->req, src: &sg, NULL,
1577 nbytes: sizeof(*bp) + sizeof(*th));
1578 return crypto_ahash_update(req: hp->req);
1579}
1580
1581static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
1582 __be32 daddr, __be32 saddr, const struct tcphdr *th)
1583{
1584 struct tcp_sigpool hp;
1585
1586 if (tcp_sigpool_start(id: tcp_md5_sigpool_id, c: &hp))
1587 goto clear_hash_nostart;
1588
1589 if (crypto_ahash_init(req: hp.req))
1590 goto clear_hash;
1591 if (tcp_v4_md5_hash_headers(hp: &hp, daddr, saddr, th, nbytes: th->doff << 2))
1592 goto clear_hash;
1593 if (tcp_md5_hash_key(hp: &hp, key))
1594 goto clear_hash;
1595 ahash_request_set_crypt(req: hp.req, NULL, result: md5_hash, nbytes: 0);
1596 if (crypto_ahash_final(req: hp.req))
1597 goto clear_hash;
1598
1599 tcp_sigpool_end(c: &hp);
1600 return 0;
1601
1602clear_hash:
1603 tcp_sigpool_end(c: &hp);
1604clear_hash_nostart:
1605 memset(md5_hash, 0, 16);
1606 return 1;
1607}
1608
1609int tcp_v4_md5_hash_skb(char *md5_hash, const struct tcp_md5sig_key *key,
1610 const struct sock *sk,
1611 const struct sk_buff *skb)
1612{
1613 const struct tcphdr *th = tcp_hdr(skb);
1614 struct tcp_sigpool hp;
1615 __be32 saddr, daddr;
1616
1617 if (sk) { /* valid for establish/request sockets */
1618 saddr = sk->sk_rcv_saddr;
1619 daddr = sk->sk_daddr;
1620 } else {
1621 const struct iphdr *iph = ip_hdr(skb);
1622 saddr = iph->saddr;
1623 daddr = iph->daddr;
1624 }
1625
1626 if (tcp_sigpool_start(id: tcp_md5_sigpool_id, c: &hp))
1627 goto clear_hash_nostart;
1628
1629 if (crypto_ahash_init(req: hp.req))
1630 goto clear_hash;
1631
1632 if (tcp_v4_md5_hash_headers(hp: &hp, daddr, saddr, th, nbytes: skb->len))
1633 goto clear_hash;
1634 if (tcp_sigpool_hash_skb_data(hp: &hp, skb, header_len: th->doff << 2))
1635 goto clear_hash;
1636 if (tcp_md5_hash_key(hp: &hp, key))
1637 goto clear_hash;
1638 ahash_request_set_crypt(req: hp.req, NULL, result: md5_hash, nbytes: 0);
1639 if (crypto_ahash_final(req: hp.req))
1640 goto clear_hash;
1641
1642 tcp_sigpool_end(c: &hp);
1643 return 0;
1644
1645clear_hash:
1646 tcp_sigpool_end(c: &hp);
1647clear_hash_nostart:
1648 memset(md5_hash, 0, 16);
1649 return 1;
1650}
1651EXPORT_SYMBOL(tcp_v4_md5_hash_skb);
1652
1653#endif
1654
1655static void tcp_v4_init_req(struct request_sock *req,
1656 const struct sock *sk_listener,
1657 struct sk_buff *skb)
1658{
1659 struct inet_request_sock *ireq = inet_rsk(sk: req);
1660 struct net *net = sock_net(sk: sk_listener);
1661
1662 sk_rcv_saddr_set(sk: req_to_sk(req), addr: ip_hdr(skb)->daddr);
1663 sk_daddr_set(sk: req_to_sk(req), addr: ip_hdr(skb)->saddr);
1664 RCU_INIT_POINTER(ireq->ireq_opt, tcp_v4_save_options(net, skb));
1665}
1666
1667static struct dst_entry *tcp_v4_route_req(const struct sock *sk,
1668 struct sk_buff *skb,
1669 struct flowi *fl,
1670 struct request_sock *req)
1671{
1672 tcp_v4_init_req(req, sk_listener: sk, skb);
1673
1674 if (security_inet_conn_request(sk, skb, req))
1675 return NULL;
1676
1677 return inet_csk_route_req(sk, fl4: &fl->u.ip4, req);
1678}
1679
1680struct request_sock_ops tcp_request_sock_ops __read_mostly = {
1681 .family = PF_INET,
1682 .obj_size = sizeof(struct tcp_request_sock),
1683 .rtx_syn_ack = tcp_rtx_synack,
1684 .send_ack = tcp_v4_reqsk_send_ack,
1685 .destructor = tcp_v4_reqsk_destructor,
1686 .send_reset = tcp_v4_send_reset,
1687 .syn_ack_timeout = tcp_syn_ack_timeout,
1688};
1689
1690const struct tcp_request_sock_ops tcp_request_sock_ipv4_ops = {
1691 .mss_clamp = TCP_MSS_DEFAULT,
1692#ifdef CONFIG_TCP_MD5SIG
1693 .req_md5_lookup = tcp_v4_md5_lookup,
1694 .calc_md5_hash = tcp_v4_md5_hash_skb,
1695#endif
1696#ifdef CONFIG_TCP_AO
1697 .ao_lookup = tcp_v4_ao_lookup_rsk,
1698 .ao_calc_key = tcp_v4_ao_calc_key_rsk,
1699 .ao_synack_hash = tcp_v4_ao_synack_hash,
1700#endif
1701#ifdef CONFIG_SYN_COOKIES
1702 .cookie_init_seq = cookie_v4_init_sequence,
1703#endif
1704 .route_req = tcp_v4_route_req,
1705 .init_seq = tcp_v4_init_seq,
1706 .init_ts_off = tcp_v4_init_ts_off,
1707 .send_synack = tcp_v4_send_synack,
1708};
1709
1710int tcp_v4_conn_request(struct sock *sk, struct sk_buff *skb)
1711{
1712 /* Never answer to SYNs send to broadcast or multicast */
1713 if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
1714 goto drop;
1715
1716 return tcp_conn_request(rsk_ops: &tcp_request_sock_ops,
1717 af_ops: &tcp_request_sock_ipv4_ops, sk, skb);
1718
1719drop:
1720 tcp_listendrop(sk);
1721 return 0;
1722}
1723EXPORT_SYMBOL(tcp_v4_conn_request);
1724
1725
1726/*
1727 * The three way handshake has completed - we got a valid synack -
1728 * now create the new socket.
1729 */
1730struct sock *tcp_v4_syn_recv_sock(const struct sock *sk, struct sk_buff *skb,
1731 struct request_sock *req,
1732 struct dst_entry *dst,
1733 struct request_sock *req_unhash,
1734 bool *own_req)
1735{
1736 struct inet_request_sock *ireq;
1737 bool found_dup_sk = false;
1738 struct inet_sock *newinet;
1739 struct tcp_sock *newtp;
1740 struct sock *newsk;
1741#ifdef CONFIG_TCP_MD5SIG
1742 const union tcp_md5_addr *addr;
1743 struct tcp_md5sig_key *key;
1744 int l3index;
1745#endif
1746 struct ip_options_rcu *inet_opt;
1747
1748 if (sk_acceptq_is_full(sk))
1749 goto exit_overflow;
1750
1751 newsk = tcp_create_openreq_child(sk, req, skb);
1752 if (!newsk)
1753 goto exit_nonewsk;
1754
1755 newsk->sk_gso_type = SKB_GSO_TCPV4;
1756 inet_sk_rx_dst_set(sk: newsk, skb);
1757
1758 newtp = tcp_sk(newsk);
1759 newinet = inet_sk(newsk);
1760 ireq = inet_rsk(sk: req);
1761 sk_daddr_set(sk: newsk, addr: ireq->ir_rmt_addr);
1762 sk_rcv_saddr_set(sk: newsk, addr: ireq->ir_loc_addr);
1763 newsk->sk_bound_dev_if = ireq->ir_iif;
1764 newinet->inet_saddr = ireq->ir_loc_addr;
1765 inet_opt = rcu_dereference(ireq->ireq_opt);
1766 RCU_INIT_POINTER(newinet->inet_opt, inet_opt);
1767 newinet->mc_index = inet_iif(skb);
1768 newinet->mc_ttl = ip_hdr(skb)->ttl;
1769 newinet->rcv_tos = ip_hdr(skb)->tos;
1770 inet_csk(sk: newsk)->icsk_ext_hdr_len = 0;
1771 if (inet_opt)
1772 inet_csk(sk: newsk)->icsk_ext_hdr_len = inet_opt->opt.optlen;
1773 atomic_set(v: &newinet->inet_id, i: get_random_u16());
1774
1775 /* Set ToS of the new socket based upon the value of incoming SYN.
1776 * ECT bits are set later in tcp_init_transfer().
1777 */
1778 if (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_reflect_tos))
1779 newinet->tos = tcp_rsk(req)->syn_tos & ~INET_ECN_MASK;
1780
1781 if (!dst) {
1782 dst = inet_csk_route_child_sock(sk, newsk, req);
1783 if (!dst)
1784 goto put_and_exit;
1785 } else {
1786 /* syncookie case : see end of cookie_v4_check() */
1787 }
1788 sk_setup_caps(sk: newsk, dst);
1789
1790 tcp_ca_openreq_child(sk: newsk, dst);
1791
1792 tcp_sync_mss(sk: newsk, pmtu: dst_mtu(dst));
1793 newtp->advmss = tcp_mss_clamp(tcp_sk(sk), mss: dst_metric_advmss(dst));
1794
1795 tcp_initialize_rcv_mss(sk: newsk);
1796
1797#ifdef CONFIG_TCP_MD5SIG
1798 l3index = l3mdev_master_ifindex_by_index(net: sock_net(sk), ifindex: ireq->ir_iif);
1799 /* Copy over the MD5 key from the original socket */
1800 addr = (union tcp_md5_addr *)&newinet->inet_daddr;
1801 key = tcp_md5_do_lookup(sk, l3index, addr, AF_INET);
1802 if (key && !tcp_rsk_used_ao(req)) {
1803 if (tcp_md5_key_copy(newsk, addr, AF_INET, 32, l3index, key))
1804 goto put_and_exit;
1805 sk_gso_disable(sk: newsk);
1806 }
1807#endif
1808#ifdef CONFIG_TCP_AO
1809 if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET))
1810 goto put_and_exit; /* OOM, release back memory */
1811#endif
1812
1813 if (__inet_inherit_port(sk, child: newsk) < 0)
1814 goto put_and_exit;
1815 *own_req = inet_ehash_nolisten(sk: newsk, osk: req_to_sk(req: req_unhash),
1816 found_dup_sk: &found_dup_sk);
1817 if (likely(*own_req)) {
1818 tcp_move_syn(tp: newtp, req);
1819 ireq->ireq_opt = NULL;
1820 } else {
1821 newinet->inet_opt = NULL;
1822
1823 if (!req_unhash && found_dup_sk) {
1824 /* This code path should only be executed in the
1825 * syncookie case only
1826 */
1827 bh_unlock_sock(newsk);
1828 sock_put(sk: newsk);
1829 newsk = NULL;
1830 }
1831 }
1832 return newsk;
1833
1834exit_overflow:
1835 NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
1836exit_nonewsk:
1837 dst_release(dst);
1838exit:
1839 tcp_listendrop(sk);
1840 return NULL;
1841put_and_exit:
1842 newinet->inet_opt = NULL;
1843 inet_csk_prepare_forced_close(sk: newsk);
1844 tcp_done(sk: newsk);
1845 goto exit;
1846}
1847EXPORT_SYMBOL(tcp_v4_syn_recv_sock);
1848
1849static struct sock *tcp_v4_cookie_check(struct sock *sk, struct sk_buff *skb)
1850{
1851#ifdef CONFIG_SYN_COOKIES
1852 const struct tcphdr *th = tcp_hdr(skb);
1853
1854 if (!th->syn)
1855 sk = cookie_v4_check(sk, skb);
1856#endif
1857 return sk;
1858}
1859
1860u16 tcp_v4_get_syncookie(struct sock *sk, struct iphdr *iph,
1861 struct tcphdr *th, u32 *cookie)
1862{
1863 u16 mss = 0;
1864#ifdef CONFIG_SYN_COOKIES
1865 mss = tcp_get_syncookie_mss(rsk_ops: &tcp_request_sock_ops,
1866 af_ops: &tcp_request_sock_ipv4_ops, sk, th);
1867 if (mss) {
1868 *cookie = __cookie_v4_init_sequence(iph, th, mssp: &mss);
1869 tcp_synq_overflow(sk);
1870 }
1871#endif
1872 return mss;
1873}
1874
1875INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,
1876 u32));
1877/* The socket must have it's spinlock held when we get
1878 * here, unless it is a TCP_LISTEN socket.
1879 *
1880 * We have a potential double-lock case here, so even when
1881 * doing backlog processing we use the BH locking scheme.
1882 * This is because we cannot sleep with the original spinlock
1883 * held.
1884 */
1885int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
1886{
1887 enum skb_drop_reason reason;
1888 struct sock *rsk;
1889
1890 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1891 struct dst_entry *dst;
1892
1893 dst = rcu_dereference_protected(sk->sk_rx_dst,
1894 lockdep_sock_is_held(sk));
1895
1896 sock_rps_save_rxhash(sk, skb);
1897 sk_mark_napi_id(sk, skb);
1898 if (dst) {
1899 if (sk->sk_rx_dst_ifindex != skb->skb_iif ||
1900 !INDIRECT_CALL_1(dst->ops->check, ipv4_dst_check,
1901 dst, 0)) {
1902 RCU_INIT_POINTER(sk->sk_rx_dst, NULL);
1903 dst_release(dst);
1904 }
1905 }
1906 tcp_rcv_established(sk, skb);
1907 return 0;
1908 }
1909
1910 if (tcp_checksum_complete(skb))
1911 goto csum_err;
1912
1913 if (sk->sk_state == TCP_LISTEN) {
1914 struct sock *nsk = tcp_v4_cookie_check(sk, skb);
1915
1916 if (!nsk)
1917 return 0;
1918 if (nsk != sk) {
1919 reason = tcp_child_process(parent: sk, child: nsk, skb);
1920 if (reason) {
1921 rsk = nsk;
1922 goto reset;
1923 }
1924 return 0;
1925 }
1926 } else
1927 sock_rps_save_rxhash(sk, skb);
1928
1929 reason = tcp_rcv_state_process(sk, skb);
1930 if (reason) {
1931 rsk = sk;
1932 goto reset;
1933 }
1934 return 0;
1935
1936reset:
1937 tcp_v4_send_reset(sk: rsk, skb);
1938discard:
1939 kfree_skb_reason(skb, reason);
1940 /* Be careful here. If this function gets more complicated and
1941 * gcc suffers from register pressure on the x86, sk (in %ebx)
1942 * might be destroyed here. This current version compiles correctly,
1943 * but you have been warned.
1944 */
1945 return 0;
1946
1947csum_err:
1948 reason = SKB_DROP_REASON_TCP_CSUM;
1949 trace_tcp_bad_csum(skb);
1950 TCP_INC_STATS(sock_net(sk), TCP_MIB_CSUMERRORS);
1951 TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
1952 goto discard;
1953}
1954EXPORT_SYMBOL(tcp_v4_do_rcv);
1955
1956int tcp_v4_early_demux(struct sk_buff *skb)
1957{
1958 struct net *net = dev_net(dev: skb->dev);
1959 const struct iphdr *iph;
1960 const struct tcphdr *th;
1961 struct sock *sk;
1962
1963 if (skb->pkt_type != PACKET_HOST)
1964 return 0;
1965
1966 if (!pskb_may_pull(skb, len: skb_transport_offset(skb) + sizeof(struct tcphdr)))
1967 return 0;
1968
1969 iph = ip_hdr(skb);
1970 th = tcp_hdr(skb);
1971
1972 if (th->doff < sizeof(struct tcphdr) / 4)
1973 return 0;
1974
1975 sk = __inet_lookup_established(net, hashinfo: net->ipv4.tcp_death_row.hashinfo,
1976 saddr: iph->saddr, sport: th->source,
1977 daddr: iph->daddr, ntohs(th->dest),
1978 dif: skb->skb_iif, sdif: inet_sdif(skb));
1979 if (sk) {
1980 skb->sk = sk;
1981 skb->destructor = sock_edemux;
1982 if (sk_fullsock(sk)) {
1983 struct dst_entry *dst = rcu_dereference(sk->sk_rx_dst);
1984
1985 if (dst)
1986 dst = dst_check(dst, cookie: 0);
1987 if (dst &&
1988 sk->sk_rx_dst_ifindex == skb->skb_iif)
1989 skb_dst_set_noref(skb, dst);
1990 }
1991 }
1992 return 0;
1993}
1994
1995bool tcp_add_backlog(struct sock *sk, struct sk_buff *skb,
1996 enum skb_drop_reason *reason)
1997{
1998 u32 limit, tail_gso_size, tail_gso_segs;
1999 struct skb_shared_info *shinfo;
2000 const struct tcphdr *th;
2001 struct tcphdr *thtail;
2002 struct sk_buff *tail;
2003 unsigned int hdrlen;
2004 bool fragstolen;
2005 u32 gso_segs;
2006 u32 gso_size;
2007 int delta;
2008
2009 /* In case all data was pulled from skb frags (in __pskb_pull_tail()),
2010 * we can fix skb->truesize to its real value to avoid future drops.
2011 * This is valid because skb is not yet charged to the socket.
2012 * It has been noticed pure SACK packets were sometimes dropped
2013 * (if cooked by drivers without copybreak feature).
2014 */
2015 skb_condense(skb);
2016
2017 skb_dst_drop(skb);
2018
2019 if (unlikely(tcp_checksum_complete(skb))) {
2020 bh_unlock_sock(sk);
2021 trace_tcp_bad_csum(skb);
2022 *reason = SKB_DROP_REASON_TCP_CSUM;
2023 __TCP_INC_STATS(sock_net(sk), TCP_MIB_CSUMERRORS);
2024 __TCP_INC_STATS(sock_net(sk), TCP_MIB_INERRS);
2025 return true;
2026 }
2027
2028 /* Attempt coalescing to last skb in backlog, even if we are
2029 * above the limits.
2030 * This is okay because skb capacity is limited to MAX_SKB_FRAGS.
2031 */
2032 th = (const struct tcphdr *)skb->data;
2033 hdrlen = th->doff * 4;
2034
2035 tail = sk->sk_backlog.tail;
2036 if (!tail)
2037 goto no_coalesce;
2038 thtail = (struct tcphdr *)tail->data;
2039
2040 if (TCP_SKB_CB(tail)->end_seq != TCP_SKB_CB(skb)->seq ||
2041 TCP_SKB_CB(tail)->ip_dsfield != TCP_SKB_CB(skb)->ip_dsfield ||
2042 ((TCP_SKB_CB(tail)->tcp_flags |
2043 TCP_SKB_CB(skb)->tcp_flags) & (TCPHDR_SYN | TCPHDR_RST | TCPHDR_URG)) ||
2044 !((TCP_SKB_CB(tail)->tcp_flags &
2045 TCP_SKB_CB(skb)->tcp_flags) & TCPHDR_ACK) ||
2046 ((TCP_SKB_CB(tail)->tcp_flags ^
2047 TCP_SKB_CB(skb)->tcp_flags) & (TCPHDR_ECE | TCPHDR_CWR)) ||
2048#ifdef CONFIG_TLS_DEVICE
2049 tail->decrypted != skb->decrypted ||
2050#endif
2051 !mptcp_skb_can_collapse(to: tail, from: skb) ||
2052 thtail->doff != th->doff ||
2053 memcmp(p: thtail + 1, q: th + 1, size: hdrlen - sizeof(*th)))
2054 goto no_coalesce;
2055
2056 __skb_pull(skb, len: hdrlen);
2057
2058 shinfo = skb_shinfo(skb);
2059 gso_size = shinfo->gso_size ?: skb->len;
2060 gso_segs = shinfo->gso_segs ?: 1;
2061
2062 shinfo = skb_shinfo(tail);
2063 tail_gso_size = shinfo->gso_size ?: (tail->len - hdrlen);
2064 tail_gso_segs = shinfo->gso_segs ?: 1;
2065
2066 if (skb_try_coalesce(to: tail, from: skb, fragstolen: &fragstolen, delta_truesize: &delta)) {
2067 TCP_SKB_CB(tail)->end_seq = TCP_SKB_CB(skb)->end_seq;
2068
2069 if (likely(!before(TCP_SKB_CB(skb)->ack_seq, TCP_SKB_CB(tail)->ack_seq))) {
2070 TCP_SKB_CB(tail)->ack_seq = TCP_SKB_CB(skb)->ack_seq;
2071 thtail->window = th->window;
2072 }
2073
2074 /* We have to update both TCP_SKB_CB(tail)->tcp_flags and
2075 * thtail->fin, so that the fast path in tcp_rcv_established()
2076 * is not entered if we append a packet with a FIN.
2077 * SYN, RST, URG are not present.
2078 * ACK is set on both packets.
2079 * PSH : we do not really care in TCP stack,
2080 * at least for 'GRO' packets.
2081 */
2082 thtail->fin |= th->fin;
2083 TCP_SKB_CB(tail)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags;
2084
2085 if (TCP_SKB_CB(skb)->has_rxtstamp) {
2086 TCP_SKB_CB(tail)->has_rxtstamp = true;
2087 tail->tstamp = skb->tstamp;
2088 skb_hwtstamps(skb: tail)->hwtstamp = skb_hwtstamps(skb)->hwtstamp;
2089 }
2090
2091 /* Not as strict as GRO. We only need to carry mss max value */
2092 shinfo->gso_size = max(gso_size, tail_gso_size);
2093 shinfo->gso_segs = min_t(u32, gso_segs + tail_gso_segs, 0xFFFF);
2094
2095 sk->sk_backlog.len += delta;
2096 __NET_INC_STATS(sock_net(sk),
2097 LINUX_MIB_TCPBACKLOGCOALESCE);
2098 kfree_skb_partial(skb, head_stolen: fragstolen);
2099 return false;
2100 }
2101 __skb_push(skb, len: hdrlen);
2102
2103no_coalesce:
2104 limit = (u32)READ_ONCE(sk->sk_rcvbuf) + (u32)(READ_ONCE(sk->sk_sndbuf) >> 1);
2105
2106 /* Only socket owner can try to collapse/prune rx queues
2107 * to reduce memory overhead, so add a little headroom here.
2108 * Few sockets backlog are possibly concurrently non empty.
2109 */
2110 limit += 64 * 1024;
2111
2112 if (unlikely(sk_add_backlog(sk, skb, limit))) {
2113 bh_unlock_sock(sk);
2114 *reason = SKB_DROP_REASON_SOCKET_BACKLOG;
2115 __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPBACKLOGDROP);
2116 return true;
2117 }
2118 return false;
2119}
2120EXPORT_SYMBOL(tcp_add_backlog);
2121
2122int tcp_filter(struct sock *sk, struct sk_buff *skb)
2123{
2124 struct tcphdr *th = (struct tcphdr *)skb->data;
2125
2126 return sk_filter_trim_cap(sk, skb, cap: th->doff * 4);
2127}
2128EXPORT_SYMBOL(tcp_filter);
2129
2130static void tcp_v4_restore_cb(struct sk_buff *skb)
2131{
2132 memmove(IPCB(skb), &TCP_SKB_CB(skb)->header.h4,
2133 sizeof(struct inet_skb_parm));
2134}
2135
2136static void tcp_v4_fill_cb(struct sk_buff *skb, const struct iphdr *iph,
2137 const struct tcphdr *th)
2138{
2139 /* This is tricky : We move IPCB at its correct location into TCP_SKB_CB()
2140 * barrier() makes sure compiler wont play fool^Waliasing games.
2141 */
2142 memmove(&TCP_SKB_CB(skb)->header.h4, IPCB(skb),
2143 sizeof(struct inet_skb_parm));
2144 barrier();
2145
2146 TCP_SKB_CB(skb)->seq = ntohl(th->seq);
2147 TCP_SKB_CB(skb)->end_seq = (TCP_SKB_CB(skb)->seq + th->syn + th->fin +
2148 skb->len - th->doff * 4);
2149 TCP_SKB_CB(skb)->ack_seq = ntohl(th->ack_seq);
2150 TCP_SKB_CB(skb)->tcp_flags = tcp_flag_byte(th);
2151 TCP_SKB_CB(skb)->tcp_tw_isn = 0;
2152 TCP_SKB_CB(skb)->ip_dsfield = ipv4_get_dsfield(iph);
2153 TCP_SKB_CB(skb)->sacked = 0;
2154 TCP_SKB_CB(skb)->has_rxtstamp =
2155 skb->tstamp || skb_hwtstamps(skb)->hwtstamp;
2156}
2157
2158/*
2159 * From tcp_input.c
2160 */
2161
2162int tcp_v4_rcv(struct sk_buff *skb)
2163{
2164 struct net *net = dev_net(dev: skb->dev);
2165 enum skb_drop_reason drop_reason;
2166 int sdif = inet_sdif(skb);
2167 int dif = inet_iif(skb);
2168 const struct iphdr *iph;
2169 const struct tcphdr *th;
2170 bool refcounted;
2171 struct sock *sk;
2172 int ret;
2173
2174 drop_reason = SKB_DROP_REASON_NOT_SPECIFIED;
2175 if (skb->pkt_type != PACKET_HOST)
2176 goto discard_it;
2177
2178 /* Count it even if it's bad */
2179 __TCP_INC_STATS(net, TCP_MIB_INSEGS);
2180
2181 if (!pskb_may_pull(skb, len: sizeof(struct tcphdr)))
2182 goto discard_it;
2183
2184 th = (const struct tcphdr *)skb->data;
2185
2186 if (unlikely(th->doff < sizeof(struct tcphdr) / 4)) {
2187 drop_reason = SKB_DROP_REASON_PKT_TOO_SMALL;
2188 goto bad_packet;
2189 }
2190 if (!pskb_may_pull(skb, len: th->doff * 4))
2191 goto discard_it;
2192
2193 /* An explanation is required here, I think.
2194 * Packet length and doff are validated by header prediction,
2195 * provided case of th->doff==0 is eliminated.
2196 * So, we defer the checks. */
2197
2198 if (skb_checksum_init(skb, IPPROTO_TCP, inet_compute_pseudo))
2199 goto csum_error;
2200
2201 th = (const struct tcphdr *)skb->data;
2202 iph = ip_hdr(skb);
2203lookup:
2204 sk = __inet_lookup_skb(hashinfo: net->ipv4.tcp_death_row.hashinfo,
2205 skb, doff: __tcp_hdrlen(th), sport: th->source,
2206 dport: th->dest, sdif, refcounted: &refcounted);
2207 if (!sk)
2208 goto no_tcp_socket;
2209
2210process:
2211 if (sk->sk_state == TCP_TIME_WAIT)
2212 goto do_time_wait;
2213
2214 if (sk->sk_state == TCP_NEW_SYN_RECV) {
2215 struct request_sock *req = inet_reqsk(sk);
2216 bool req_stolen = false;
2217 struct sock *nsk;
2218
2219 sk = req->rsk_listener;
2220 if (!xfrm4_policy_check(sk, dir: XFRM_POLICY_IN, skb))
2221 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
2222 else
2223 drop_reason = tcp_inbound_hash(sk, req, skb,
2224 saddr: &iph->saddr, daddr: &iph->daddr,
2225 AF_INET, dif, sdif);
2226 if (unlikely(drop_reason)) {
2227 sk_drops_add(sk, skb);
2228 reqsk_put(req);
2229 goto discard_it;
2230 }
2231 if (tcp_checksum_complete(skb)) {
2232 reqsk_put(req);
2233 goto csum_error;
2234 }
2235 if (unlikely(sk->sk_state != TCP_LISTEN)) {
2236 nsk = reuseport_migrate_sock(sk, migrating_sk: req_to_sk(req), skb);
2237 if (!nsk) {
2238 inet_csk_reqsk_queue_drop_and_put(sk, req);
2239 goto lookup;
2240 }
2241 sk = nsk;
2242 /* reuseport_migrate_sock() has already held one sk_refcnt
2243 * before returning.
2244 */
2245 } else {
2246 /* We own a reference on the listener, increase it again
2247 * as we might lose it too soon.
2248 */
2249 sock_hold(sk);
2250 }
2251 refcounted = true;
2252 nsk = NULL;
2253 if (!tcp_filter(sk, skb)) {
2254 th = (const struct tcphdr *)skb->data;
2255 iph = ip_hdr(skb);
2256 tcp_v4_fill_cb(skb, iph, th);
2257 nsk = tcp_check_req(sk, skb, req, fastopen: false, lost_race: &req_stolen);
2258 } else {
2259 drop_reason = SKB_DROP_REASON_SOCKET_FILTER;
2260 }
2261 if (!nsk) {
2262 reqsk_put(req);
2263 if (req_stolen) {
2264 /* Another cpu got exclusive access to req
2265 * and created a full blown socket.
2266 * Try to feed this packet to this socket
2267 * instead of discarding it.
2268 */
2269 tcp_v4_restore_cb(skb);
2270 sock_put(sk);
2271 goto lookup;
2272 }
2273 goto discard_and_relse;
2274 }
2275 nf_reset_ct(skb);
2276 if (nsk == sk) {
2277 reqsk_put(req);
2278 tcp_v4_restore_cb(skb);
2279 } else {
2280 drop_reason = tcp_child_process(parent: sk, child: nsk, skb);
2281 if (drop_reason) {
2282 tcp_v4_send_reset(sk: nsk, skb);
2283 goto discard_and_relse;
2284 }
2285 sock_put(sk);
2286 return 0;
2287 }
2288 }
2289
2290 if (static_branch_unlikely(&ip4_min_ttl)) {
2291 /* min_ttl can be changed concurrently from do_ip_setsockopt() */
2292 if (unlikely(iph->ttl < READ_ONCE(inet_sk(sk)->min_ttl))) {
2293 __NET_INC_STATS(net, LINUX_MIB_TCPMINTTLDROP);
2294 drop_reason = SKB_DROP_REASON_TCP_MINTTL;
2295 goto discard_and_relse;
2296 }
2297 }
2298
2299 if (!xfrm4_policy_check(sk, dir: XFRM_POLICY_IN, skb)) {
2300 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
2301 goto discard_and_relse;
2302 }
2303
2304 drop_reason = tcp_inbound_hash(sk, NULL, skb, saddr: &iph->saddr, daddr: &iph->daddr,
2305 AF_INET, dif, sdif);
2306 if (drop_reason)
2307 goto discard_and_relse;
2308
2309 nf_reset_ct(skb);
2310
2311 if (tcp_filter(sk, skb)) {
2312 drop_reason = SKB_DROP_REASON_SOCKET_FILTER;
2313 goto discard_and_relse;
2314 }
2315 th = (const struct tcphdr *)skb->data;
2316 iph = ip_hdr(skb);
2317 tcp_v4_fill_cb(skb, iph, th);
2318
2319 skb->dev = NULL;
2320
2321 if (sk->sk_state == TCP_LISTEN) {
2322 ret = tcp_v4_do_rcv(sk, skb);
2323 goto put_and_return;
2324 }
2325
2326 sk_incoming_cpu_update(sk);
2327
2328 bh_lock_sock_nested(sk);
2329 tcp_segs_in(tcp_sk(sk), skb);
2330 ret = 0;
2331 if (!sock_owned_by_user(sk)) {
2332 ret = tcp_v4_do_rcv(sk, skb);
2333 } else {
2334 if (tcp_add_backlog(sk, skb, &drop_reason))
2335 goto discard_and_relse;
2336 }
2337 bh_unlock_sock(sk);
2338
2339put_and_return:
2340 if (refcounted)
2341 sock_put(sk);
2342
2343 return ret;
2344
2345no_tcp_socket:
2346 drop_reason = SKB_DROP_REASON_NO_SOCKET;
2347 if (!xfrm4_policy_check(NULL, dir: XFRM_POLICY_IN, skb))
2348 goto discard_it;
2349
2350 tcp_v4_fill_cb(skb, iph, th);
2351
2352 if (tcp_checksum_complete(skb)) {
2353csum_error:
2354 drop_reason = SKB_DROP_REASON_TCP_CSUM;
2355 trace_tcp_bad_csum(skb);
2356 __TCP_INC_STATS(net, TCP_MIB_CSUMERRORS);
2357bad_packet:
2358 __TCP_INC_STATS(net, TCP_MIB_INERRS);
2359 } else {
2360 tcp_v4_send_reset(NULL, skb);
2361 }
2362
2363discard_it:
2364 SKB_DR_OR(drop_reason, NOT_SPECIFIED);
2365 /* Discard frame. */
2366 kfree_skb_reason(skb, reason: drop_reason);
2367 return 0;
2368
2369discard_and_relse:
2370 sk_drops_add(sk, skb);
2371 if (refcounted)
2372 sock_put(sk);
2373 goto discard_it;
2374
2375do_time_wait:
2376 if (!xfrm4_policy_check(NULL, dir: XFRM_POLICY_IN, skb)) {
2377 drop_reason = SKB_DROP_REASON_XFRM_POLICY;
2378 inet_twsk_put(tw: inet_twsk(sk));
2379 goto discard_it;
2380 }
2381
2382 tcp_v4_fill_cb(skb, iph, th);
2383
2384 if (tcp_checksum_complete(skb)) {
2385 inet_twsk_put(tw: inet_twsk(sk));
2386 goto csum_error;
2387 }
2388 switch (tcp_timewait_state_process(tw: inet_twsk(sk), skb, th)) {
2389 case TCP_TW_SYN: {
2390 struct sock *sk2 = inet_lookup_listener(net,
2391 hashinfo: net->ipv4.tcp_death_row.hashinfo,
2392 skb, doff: __tcp_hdrlen(th),
2393 saddr: iph->saddr, sport: th->source,
2394 daddr: iph->daddr, dport: th->dest,
2395 dif: inet_iif(skb),
2396 sdif);
2397 if (sk2) {
2398 inet_twsk_deschedule_put(tw: inet_twsk(sk));
2399 sk = sk2;
2400 tcp_v4_restore_cb(skb);
2401 refcounted = false;
2402 goto process;
2403 }
2404 }
2405 /* to ACK */
2406 fallthrough;
2407 case TCP_TW_ACK:
2408 tcp_v4_timewait_ack(sk, skb);
2409 break;
2410 case TCP_TW_RST:
2411 tcp_v4_send_reset(sk, skb);
2412 inet_twsk_deschedule_put(tw: inet_twsk(sk));
2413 goto discard_it;
2414 case TCP_TW_SUCCESS:;
2415 }
2416 goto discard_it;
2417}
2418
2419static struct timewait_sock_ops tcp_timewait_sock_ops = {
2420 .twsk_obj_size = sizeof(struct tcp_timewait_sock),
2421 .twsk_unique = tcp_twsk_unique,
2422 .twsk_destructor= tcp_twsk_destructor,
2423};
2424
2425void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
2426{
2427 struct dst_entry *dst = skb_dst(skb);
2428
2429 if (dst && dst_hold_safe(dst)) {
2430 rcu_assign_pointer(sk->sk_rx_dst, dst);
2431 sk->sk_rx_dst_ifindex = skb->skb_iif;
2432 }
2433}
2434EXPORT_SYMBOL(inet_sk_rx_dst_set);
2435
2436const struct inet_connection_sock_af_ops ipv4_specific = {
2437 .queue_xmit = ip_queue_xmit,
2438 .send_check = tcp_v4_send_check,
2439 .rebuild_header = inet_sk_rebuild_header,
2440 .sk_rx_dst_set = inet_sk_rx_dst_set,
2441 .conn_request = tcp_v4_conn_request,
2442 .syn_recv_sock = tcp_v4_syn_recv_sock,
2443 .net_header_len = sizeof(struct iphdr),
2444 .setsockopt = ip_setsockopt,
2445 .getsockopt = ip_getsockopt,
2446 .addr2sockaddr = inet_csk_addr2sockaddr,
2447 .sockaddr_len = sizeof(struct sockaddr_in),
2448 .mtu_reduced = tcp_v4_mtu_reduced,
2449};
2450EXPORT_SYMBOL(ipv4_specific);
2451
2452#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
2453static const struct tcp_sock_af_ops tcp_sock_ipv4_specific = {
2454#ifdef CONFIG_TCP_MD5SIG
2455 .md5_lookup = tcp_v4_md5_lookup,
2456 .calc_md5_hash = tcp_v4_md5_hash_skb,
2457 .md5_parse = tcp_v4_parse_md5_keys,
2458#endif
2459#ifdef CONFIG_TCP_AO
2460 .ao_lookup = tcp_v4_ao_lookup,
2461 .calc_ao_hash = tcp_v4_ao_hash_skb,
2462 .ao_parse = tcp_v4_parse_ao,
2463 .ao_calc_key_sk = tcp_v4_ao_calc_key_sk,
2464#endif
2465};
2466#endif
2467
2468/* NOTE: A lot of things set to zero explicitly by call to
2469 * sk_alloc() so need not be done here.
2470 */
2471static int tcp_v4_init_sock(struct sock *sk)
2472{
2473 struct inet_connection_sock *icsk = inet_csk(sk);
2474
2475 tcp_init_sock(sk);
2476
2477 icsk->icsk_af_ops = &ipv4_specific;
2478
2479#if defined(CONFIG_TCP_MD5SIG) || defined(CONFIG_TCP_AO)
2480 tcp_sk(sk)->af_specific = &tcp_sock_ipv4_specific;
2481#endif
2482
2483 return 0;
2484}
2485
2486#ifdef CONFIG_TCP_MD5SIG
2487static void tcp_md5sig_info_free_rcu(struct rcu_head *head)
2488{
2489 struct tcp_md5sig_info *md5sig;
2490
2491 md5sig = container_of(head, struct tcp_md5sig_info, rcu);
2492 kfree(objp: md5sig);
2493 static_branch_slow_dec_deferred(&tcp_md5_needed);
2494 tcp_md5_release_sigpool();
2495}
2496#endif
2497
2498void tcp_v4_destroy_sock(struct sock *sk)
2499{
2500 struct tcp_sock *tp = tcp_sk(sk);
2501
2502 trace_tcp_destroy_sock(sk);
2503
2504 tcp_clear_xmit_timers(sk);
2505
2506 tcp_cleanup_congestion_control(sk);
2507
2508 tcp_cleanup_ulp(sk);
2509
2510 /* Cleanup up the write buffer. */
2511 tcp_write_queue_purge(sk);
2512
2513 /* Check if we want to disable active TFO */
2514 tcp_fastopen_active_disable_ofo_check(sk);
2515
2516 /* Cleans up our, hopefully empty, out_of_order_queue. */
2517 skb_rbtree_purge(root: &tp->out_of_order_queue);
2518
2519#ifdef CONFIG_TCP_MD5SIG
2520 /* Clean up the MD5 key list, if any */
2521 if (tp->md5sig_info) {
2522 struct tcp_md5sig_info *md5sig;
2523
2524 md5sig = rcu_dereference_protected(tp->md5sig_info, 1);
2525 tcp_clear_md5_list(sk);
2526 call_rcu(head: &md5sig->rcu, func: tcp_md5sig_info_free_rcu);
2527 rcu_assign_pointer(tp->md5sig_info, NULL);
2528 }
2529#endif
2530 tcp_ao_destroy_sock(sk, twsk: false);
2531
2532 /* Clean up a referenced TCP bind bucket. */
2533 if (inet_csk(sk)->icsk_bind_hash)
2534 inet_put_port(sk);
2535
2536 BUG_ON(rcu_access_pointer(tp->fastopen_rsk));
2537
2538 /* If socket is aborted during connect operation */
2539 tcp_free_fastopen_req(tp);
2540 tcp_fastopen_destroy_cipher(sk);
2541 tcp_saved_syn_free(tp);
2542
2543 sk_sockets_allocated_dec(sk);
2544}
2545EXPORT_SYMBOL(tcp_v4_destroy_sock);
2546
2547#ifdef CONFIG_PROC_FS
2548/* Proc filesystem TCP sock list dumping. */
2549
2550static unsigned short seq_file_family(const struct seq_file *seq);
2551
2552static bool seq_sk_match(struct seq_file *seq, const struct sock *sk)
2553{
2554 unsigned short family = seq_file_family(seq);
2555
2556 /* AF_UNSPEC is used as a match all */
2557 return ((family == AF_UNSPEC || family == sk->sk_family) &&
2558 net_eq(net1: sock_net(sk), net2: seq_file_net(seq)));
2559}
2560
2561/* Find a non empty bucket (starting from st->bucket)
2562 * and return the first sk from it.
2563 */
2564static void *listening_get_first(struct seq_file *seq)
2565{
2566 struct inet_hashinfo *hinfo = seq_file_net(seq)->ipv4.tcp_death_row.hashinfo;
2567 struct tcp_iter_state *st = seq->private;
2568
2569 st->offset = 0;
2570 for (; st->bucket <= hinfo->lhash2_mask; st->bucket++) {
2571 struct inet_listen_hashbucket *ilb2;
2572 struct hlist_nulls_node *node;
2573 struct sock *sk;
2574
2575 ilb2 = &hinfo->lhash2[st->bucket];
2576 if (hlist_nulls_empty(h: &ilb2->nulls_head))
2577 continue;
2578
2579 spin_lock(lock: &ilb2->lock);
2580 sk_nulls_for_each(sk, node, &ilb2->nulls_head) {
2581 if (seq_sk_match(seq, sk))
2582 return sk;
2583 }
2584 spin_unlock(lock: &ilb2->lock);
2585 }
2586
2587 return NULL;
2588}
2589
2590/* Find the next sk of "cur" within the same bucket (i.e. st->bucket).
2591 * If "cur" is the last one in the st->bucket,
2592 * call listening_get_first() to return the first sk of the next
2593 * non empty bucket.
2594 */
2595static void *listening_get_next(struct seq_file *seq, void *cur)
2596{
2597 struct tcp_iter_state *st = seq->private;
2598 struct inet_listen_hashbucket *ilb2;
2599 struct hlist_nulls_node *node;
2600 struct inet_hashinfo *hinfo;
2601 struct sock *sk = cur;
2602
2603 ++st->num;
2604 ++st->offset;
2605
2606 sk = sk_nulls_next(sk);
2607 sk_nulls_for_each_from(sk, node) {
2608 if (seq_sk_match(seq, sk))
2609 return sk;
2610 }
2611
2612 hinfo = seq_file_net(seq)->ipv4.tcp_death_row.hashinfo;
2613 ilb2 = &hinfo->lhash2[st->bucket];
2614 spin_unlock(lock: &ilb2->lock);
2615 ++st->bucket;
2616 return listening_get_first(seq);
2617}
2618
2619static void *listening_get_idx(struct seq_file *seq, loff_t *pos)
2620{
2621 struct tcp_iter_state *st = seq->private;
2622 void *rc;
2623
2624 st->bucket = 0;
2625 st->offset = 0;
2626 rc = listening_get_first(seq);
2627
2628 while (rc && *pos) {
2629 rc = listening_get_next(seq, cur: rc);
2630 --*pos;
2631 }
2632 return rc;
2633}
2634
2635static inline bool empty_bucket(struct inet_hashinfo *hinfo,
2636 const struct tcp_iter_state *st)
2637{
2638 return hlist_nulls_empty(h: &hinfo->ehash[st->bucket].chain);
2639}
2640
2641/*
2642 * Get first established socket starting from bucket given in st->bucket.
2643 * If st->bucket is zero, the very first socket in the hash is returned.
2644 */
2645static void *established_get_first(struct seq_file *seq)
2646{
2647 struct inet_hashinfo *hinfo = seq_file_net(seq)->ipv4.tcp_death_row.hashinfo;
2648 struct tcp_iter_state *st = seq->private;
2649
2650 st->offset = 0;
2651 for (; st->bucket <= hinfo->ehash_mask; ++st->bucket) {
2652 struct sock *sk;
2653 struct hlist_nulls_node *node;
2654 spinlock_t *lock = inet_ehash_lockp(hashinfo: hinfo, hash: st->bucket);
2655
2656 cond_resched();
2657
2658 /* Lockless fast path for the common case of empty buckets */
2659 if (empty_bucket(hinfo, st))
2660 continue;
2661
2662 spin_lock_bh(lock);
2663 sk_nulls_for_each(sk, node, &hinfo->ehash[st->bucket].chain) {
2664 if (seq_sk_match(seq, sk))
2665 return sk;
2666 }
2667 spin_unlock_bh(lock);
2668 }
2669
2670 return NULL;
2671}
2672
2673static void *established_get_next(struct seq_file *seq, void *cur)
2674{
2675 struct inet_hashinfo *hinfo = seq_file_net(seq)->ipv4.tcp_death_row.hashinfo;
2676 struct tcp_iter_state *st = seq->private;
2677 struct hlist_nulls_node *node;
2678 struct sock *sk = cur;
2679
2680 ++st->num;
2681 ++st->offset;
2682
2683 sk = sk_nulls_next(sk);
2684
2685 sk_nulls_for_each_from(sk, node) {
2686 if (seq_sk_match(seq, sk))
2687 return sk;
2688 }
2689
2690 spin_unlock_bh(lock: inet_ehash_lockp(hashinfo: hinfo, hash: st->bucket));
2691 ++st->bucket;
2692 return established_get_first(seq);
2693}
2694
2695static void *