]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/mptcp/subflow.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
[mirror_ubuntu-jammy-kernel.git] / net / mptcp / subflow.c
1 // SPDX-License-Identifier: GPL-2.0
2 /* Multipath TCP
3 *
4 * Copyright (c) 2017 - 2019, Intel Corporation.
5 */
6
7 #define pr_fmt(fmt) "MPTCP: " fmt
8
9 #include <linux/kernel.h>
10 #include <linux/module.h>
11 #include <linux/netdevice.h>
12 #include <crypto/algapi.h>
13 #include <crypto/sha2.h>
14 #include <net/sock.h>
15 #include <net/inet_common.h>
16 #include <net/inet_hashtables.h>
17 #include <net/protocol.h>
18 #include <net/tcp.h>
19 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
20 #include <net/ip6_route.h>
21 #include <net/transp_v6.h>
22 #endif
23 #include <net/mptcp.h>
24 #include <uapi/linux/mptcp.h>
25 #include "protocol.h"
26 #include "mib.h"
27
28 static void mptcp_subflow_ops_undo_override(struct sock *ssk);
29
30 static void SUBFLOW_REQ_INC_STATS(struct request_sock *req,
31 enum linux_mptcp_mib_field field)
32 {
33 MPTCP_INC_STATS(sock_net(req_to_sk(req)), field);
34 }
35
36 static void subflow_req_destructor(struct request_sock *req)
37 {
38 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
39
40 pr_debug("subflow_req=%p", subflow_req);
41
42 if (subflow_req->msk)
43 sock_put((struct sock *)subflow_req->msk);
44
45 mptcp_token_destroy_request(req);
46 tcp_request_sock_ops.destructor(req);
47 }
48
49 static void subflow_generate_hmac(u64 key1, u64 key2, u32 nonce1, u32 nonce2,
50 void *hmac)
51 {
52 u8 msg[8];
53
54 put_unaligned_be32(nonce1, &msg[0]);
55 put_unaligned_be32(nonce2, &msg[4]);
56
57 mptcp_crypto_hmac_sha(key1, key2, msg, 8, hmac);
58 }
59
60 static bool mptcp_can_accept_new_subflow(const struct mptcp_sock *msk)
61 {
62 return mptcp_is_fully_established((void *)msk) &&
63 READ_ONCE(msk->pm.accept_subflow);
64 }
65
66 /* validate received token and create truncated hmac and nonce for SYN-ACK */
67 static void subflow_req_create_thmac(struct mptcp_subflow_request_sock *subflow_req)
68 {
69 struct mptcp_sock *msk = subflow_req->msk;
70 u8 hmac[SHA256_DIGEST_SIZE];
71
72 get_random_bytes(&subflow_req->local_nonce, sizeof(u32));
73
74 subflow_generate_hmac(msk->local_key, msk->remote_key,
75 subflow_req->local_nonce,
76 subflow_req->remote_nonce, hmac);
77
78 subflow_req->thmac = get_unaligned_be64(hmac);
79 }
80
81 static struct mptcp_sock *subflow_token_join_request(struct request_sock *req)
82 {
83 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
84 struct mptcp_sock *msk;
85 int local_id;
86
87 msk = mptcp_token_get_sock(subflow_req->token);
88 if (!msk) {
89 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINNOTOKEN);
90 return NULL;
91 }
92
93 local_id = mptcp_pm_get_local_id(msk, (struct sock_common *)req);
94 if (local_id < 0) {
95 sock_put((struct sock *)msk);
96 return NULL;
97 }
98 subflow_req->local_id = local_id;
99
100 return msk;
101 }
102
103 static void subflow_init_req(struct request_sock *req, const struct sock *sk_listener)
104 {
105 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
106
107 subflow_req->mp_capable = 0;
108 subflow_req->mp_join = 0;
109 subflow_req->msk = NULL;
110 mptcp_token_init_request(req);
111 }
112
113 static bool subflow_use_different_sport(struct mptcp_sock *msk, const struct sock *sk)
114 {
115 return inet_sk(sk)->inet_sport != inet_sk((struct sock *)msk)->inet_sport;
116 }
117
118 /* Init mptcp request socket.
119 *
120 * Returns an error code if a JOIN has failed and a TCP reset
121 * should be sent.
122 */
123 static int subflow_check_req(struct request_sock *req,
124 const struct sock *sk_listener,
125 struct sk_buff *skb)
126 {
127 struct mptcp_subflow_context *listener = mptcp_subflow_ctx(sk_listener);
128 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
129 struct mptcp_options_received mp_opt;
130
131 pr_debug("subflow_req=%p, listener=%p", subflow_req, listener);
132
133 #ifdef CONFIG_TCP_MD5SIG
134 /* no MPTCP if MD5SIG is enabled on this socket or we may run out of
135 * TCP option space.
136 */
137 if (rcu_access_pointer(tcp_sk(sk_listener)->md5sig_info))
138 return -EINVAL;
139 #endif
140
141 mptcp_get_options(skb, &mp_opt);
142
143 if (mp_opt.mp_capable) {
144 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MPCAPABLEPASSIVE);
145
146 if (mp_opt.mp_join)
147 return 0;
148 } else if (mp_opt.mp_join) {
149 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINSYNRX);
150 }
151
152 if (mp_opt.mp_capable && listener->request_mptcp) {
153 int err, retries = 4;
154
155 subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq;
156 again:
157 do {
158 get_random_bytes(&subflow_req->local_key, sizeof(subflow_req->local_key));
159 } while (subflow_req->local_key == 0);
160
161 if (unlikely(req->syncookie)) {
162 mptcp_crypto_key_sha(subflow_req->local_key,
163 &subflow_req->token,
164 &subflow_req->idsn);
165 if (mptcp_token_exists(subflow_req->token)) {
166 if (retries-- > 0)
167 goto again;
168 } else {
169 subflow_req->mp_capable = 1;
170 }
171 return 0;
172 }
173
174 err = mptcp_token_new_request(req);
175 if (err == 0)
176 subflow_req->mp_capable = 1;
177 else if (retries-- > 0)
178 goto again;
179
180 } else if (mp_opt.mp_join && listener->request_mptcp) {
181 subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq;
182 subflow_req->mp_join = 1;
183 subflow_req->backup = mp_opt.backup;
184 subflow_req->remote_id = mp_opt.join_id;
185 subflow_req->token = mp_opt.token;
186 subflow_req->remote_nonce = mp_opt.nonce;
187 subflow_req->msk = subflow_token_join_request(req);
188
189 /* Can't fall back to TCP in this case. */
190 if (!subflow_req->msk)
191 return -EPERM;
192
193 if (subflow_use_different_sport(subflow_req->msk, sk_listener)) {
194 pr_debug("syn inet_sport=%d %d",
195 ntohs(inet_sk(sk_listener)->inet_sport),
196 ntohs(inet_sk((struct sock *)subflow_req->msk)->inet_sport));
197 if (!mptcp_pm_sport_in_anno_list(subflow_req->msk, sk_listener)) {
198 sock_put((struct sock *)subflow_req->msk);
199 mptcp_token_destroy_request(req);
200 tcp_request_sock_ops.destructor(req);
201 subflow_req->msk = NULL;
202 subflow_req->mp_join = 0;
203 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTSYNRX);
204 return -EPERM;
205 }
206 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINPORTSYNRX);
207 }
208
209 subflow_req_create_thmac(subflow_req);
210
211 if (unlikely(req->syncookie)) {
212 if (mptcp_can_accept_new_subflow(subflow_req->msk))
213 subflow_init_req_cookie_join_save(subflow_req, skb);
214 }
215
216 pr_debug("token=%u, remote_nonce=%u msk=%p", subflow_req->token,
217 subflow_req->remote_nonce, subflow_req->msk);
218 }
219
220 return 0;
221 }
222
223 int mptcp_subflow_init_cookie_req(struct request_sock *req,
224 const struct sock *sk_listener,
225 struct sk_buff *skb)
226 {
227 struct mptcp_subflow_context *listener = mptcp_subflow_ctx(sk_listener);
228 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
229 struct mptcp_options_received mp_opt;
230 int err;
231
232 subflow_init_req(req, sk_listener);
233 mptcp_get_options(skb, &mp_opt);
234
235 if (mp_opt.mp_capable && mp_opt.mp_join)
236 return -EINVAL;
237
238 if (mp_opt.mp_capable && listener->request_mptcp) {
239 if (mp_opt.sndr_key == 0)
240 return -EINVAL;
241
242 subflow_req->local_key = mp_opt.rcvr_key;
243 err = mptcp_token_new_request(req);
244 if (err)
245 return err;
246
247 subflow_req->mp_capable = 1;
248 subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq - 1;
249 } else if (mp_opt.mp_join && listener->request_mptcp) {
250 if (!mptcp_token_join_cookie_init_state(subflow_req, skb))
251 return -EINVAL;
252
253 if (mptcp_can_accept_new_subflow(subflow_req->msk))
254 subflow_req->mp_join = 1;
255
256 subflow_req->ssn_offset = TCP_SKB_CB(skb)->seq - 1;
257 }
258
259 return 0;
260 }
261 EXPORT_SYMBOL_GPL(mptcp_subflow_init_cookie_req);
262
263 static struct dst_entry *subflow_v4_route_req(const struct sock *sk,
264 struct sk_buff *skb,
265 struct flowi *fl,
266 struct request_sock *req)
267 {
268 struct dst_entry *dst;
269 int err;
270
271 tcp_rsk(req)->is_mptcp = 1;
272 subflow_init_req(req, sk);
273
274 dst = tcp_request_sock_ipv4_ops.route_req(sk, skb, fl, req);
275 if (!dst)
276 return NULL;
277
278 err = subflow_check_req(req, sk, skb);
279 if (err == 0)
280 return dst;
281
282 dst_release(dst);
283 if (!req->syncookie)
284 tcp_request_sock_ops.send_reset(sk, skb);
285 return NULL;
286 }
287
288 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
289 static struct dst_entry *subflow_v6_route_req(const struct sock *sk,
290 struct sk_buff *skb,
291 struct flowi *fl,
292 struct request_sock *req)
293 {
294 struct dst_entry *dst;
295 int err;
296
297 tcp_rsk(req)->is_mptcp = 1;
298 subflow_init_req(req, sk);
299
300 dst = tcp_request_sock_ipv6_ops.route_req(sk, skb, fl, req);
301 if (!dst)
302 return NULL;
303
304 err = subflow_check_req(req, sk, skb);
305 if (err == 0)
306 return dst;
307
308 dst_release(dst);
309 if (!req->syncookie)
310 tcp6_request_sock_ops.send_reset(sk, skb);
311 return NULL;
312 }
313 #endif
314
315 /* validate received truncated hmac and create hmac for third ACK */
316 static bool subflow_thmac_valid(struct mptcp_subflow_context *subflow)
317 {
318 u8 hmac[SHA256_DIGEST_SIZE];
319 u64 thmac;
320
321 subflow_generate_hmac(subflow->remote_key, subflow->local_key,
322 subflow->remote_nonce, subflow->local_nonce,
323 hmac);
324
325 thmac = get_unaligned_be64(hmac);
326 pr_debug("subflow=%p, token=%u, thmac=%llu, subflow->thmac=%llu\n",
327 subflow, subflow->token,
328 (unsigned long long)thmac,
329 (unsigned long long)subflow->thmac);
330
331 return thmac == subflow->thmac;
332 }
333
334 void mptcp_subflow_reset(struct sock *ssk)
335 {
336 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
337 struct sock *sk = subflow->conn;
338
339 /* must hold: tcp_done() could drop last reference on parent */
340 sock_hold(sk);
341
342 tcp_set_state(ssk, TCP_CLOSE);
343 tcp_send_active_reset(ssk, GFP_ATOMIC);
344 tcp_done(ssk);
345 if (!test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &mptcp_sk(sk)->flags) &&
346 schedule_work(&mptcp_sk(sk)->work))
347 return; /* worker will put sk for us */
348
349 sock_put(sk);
350 }
351
352 static bool subflow_use_different_dport(struct mptcp_sock *msk, const struct sock *sk)
353 {
354 return inet_sk(sk)->inet_dport != inet_sk((struct sock *)msk)->inet_dport;
355 }
356
357 static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
358 {
359 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
360 struct mptcp_options_received mp_opt;
361 struct sock *parent = subflow->conn;
362
363 subflow->icsk_af_ops->sk_rx_dst_set(sk, skb);
364
365 if (inet_sk_state_load(parent) == TCP_SYN_SENT) {
366 inet_sk_state_store(parent, TCP_ESTABLISHED);
367 parent->sk_state_change(parent);
368 }
369
370 /* be sure no special action on any packet other than syn-ack */
371 if (subflow->conn_finished)
372 return;
373
374 mptcp_propagate_sndbuf(parent, sk);
375 subflow->rel_write_seq = 1;
376 subflow->conn_finished = 1;
377 subflow->ssn_offset = TCP_SKB_CB(skb)->seq;
378 pr_debug("subflow=%p synack seq=%x", subflow, subflow->ssn_offset);
379
380 mptcp_get_options(skb, &mp_opt);
381 if (subflow->request_mptcp) {
382 if (!mp_opt.mp_capable) {
383 MPTCP_INC_STATS(sock_net(sk),
384 MPTCP_MIB_MPCAPABLEACTIVEFALLBACK);
385 mptcp_do_fallback(sk);
386 pr_fallback(mptcp_sk(subflow->conn));
387 goto fallback;
388 }
389
390 subflow->mp_capable = 1;
391 subflow->can_ack = 1;
392 subflow->remote_key = mp_opt.sndr_key;
393 pr_debug("subflow=%p, remote_key=%llu", subflow,
394 subflow->remote_key);
395 mptcp_finish_connect(sk);
396 } else if (subflow->request_join) {
397 u8 hmac[SHA256_DIGEST_SIZE];
398
399 if (!mp_opt.mp_join)
400 goto do_reset;
401
402 subflow->thmac = mp_opt.thmac;
403 subflow->remote_nonce = mp_opt.nonce;
404 pr_debug("subflow=%p, thmac=%llu, remote_nonce=%u", subflow,
405 subflow->thmac, subflow->remote_nonce);
406
407 if (!subflow_thmac_valid(subflow)) {
408 MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINACKMAC);
409 goto do_reset;
410 }
411
412 subflow_generate_hmac(subflow->local_key, subflow->remote_key,
413 subflow->local_nonce,
414 subflow->remote_nonce,
415 hmac);
416 memcpy(subflow->hmac, hmac, MPTCPOPT_HMAC_LEN);
417
418 if (!mptcp_finish_join(sk))
419 goto do_reset;
420
421 subflow->mp_join = 1;
422 MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINSYNACKRX);
423
424 if (subflow_use_different_dport(mptcp_sk(parent), sk)) {
425 pr_debug("synack inet_dport=%d %d",
426 ntohs(inet_sk(sk)->inet_dport),
427 ntohs(inet_sk(parent)->inet_dport));
428 MPTCP_INC_STATS(sock_net(sk), MPTCP_MIB_JOINPORTSYNACKRX);
429 }
430 } else if (mptcp_check_fallback(sk)) {
431 fallback:
432 mptcp_rcv_space_init(mptcp_sk(parent), sk);
433 }
434 return;
435
436 do_reset:
437 mptcp_subflow_reset(sk);
438 }
439
440 struct request_sock_ops mptcp_subflow_request_sock_ops;
441 EXPORT_SYMBOL_GPL(mptcp_subflow_request_sock_ops);
442 static struct tcp_request_sock_ops subflow_request_sock_ipv4_ops;
443
444 static int subflow_v4_conn_request(struct sock *sk, struct sk_buff *skb)
445 {
446 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
447
448 pr_debug("subflow=%p", subflow);
449
450 /* Never answer to SYNs sent to broadcast or multicast */
451 if (skb_rtable(skb)->rt_flags & (RTCF_BROADCAST | RTCF_MULTICAST))
452 goto drop;
453
454 return tcp_conn_request(&mptcp_subflow_request_sock_ops,
455 &subflow_request_sock_ipv4_ops,
456 sk, skb);
457 drop:
458 tcp_listendrop(sk);
459 return 0;
460 }
461
462 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
463 static struct tcp_request_sock_ops subflow_request_sock_ipv6_ops;
464 static struct inet_connection_sock_af_ops subflow_v6_specific;
465 static struct inet_connection_sock_af_ops subflow_v6m_specific;
466 static struct proto tcpv6_prot_override;
467
468 static int subflow_v6_conn_request(struct sock *sk, struct sk_buff *skb)
469 {
470 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
471
472 pr_debug("subflow=%p", subflow);
473
474 if (skb->protocol == htons(ETH_P_IP))
475 return subflow_v4_conn_request(sk, skb);
476
477 if (!ipv6_unicast_destination(skb))
478 goto drop;
479
480 return tcp_conn_request(&mptcp_subflow_request_sock_ops,
481 &subflow_request_sock_ipv6_ops, sk, skb);
482
483 drop:
484 tcp_listendrop(sk);
485 return 0; /* don't send reset */
486 }
487 #endif
488
489 /* validate hmac received in third ACK */
490 static bool subflow_hmac_valid(const struct request_sock *req,
491 const struct mptcp_options_received *mp_opt)
492 {
493 const struct mptcp_subflow_request_sock *subflow_req;
494 u8 hmac[SHA256_DIGEST_SIZE];
495 struct mptcp_sock *msk;
496
497 subflow_req = mptcp_subflow_rsk(req);
498 msk = subflow_req->msk;
499 if (!msk)
500 return false;
501
502 subflow_generate_hmac(msk->remote_key, msk->local_key,
503 subflow_req->remote_nonce,
504 subflow_req->local_nonce, hmac);
505
506 return !crypto_memneq(hmac, mp_opt->hmac, MPTCPOPT_HMAC_LEN);
507 }
508
509 static void mptcp_sock_destruct(struct sock *sk)
510 {
511 /* if new mptcp socket isn't accepted, it is free'd
512 * from the tcp listener sockets request queue, linked
513 * from req->sk. The tcp socket is released.
514 * This calls the ULP release function which will
515 * also remove the mptcp socket, via
516 * sock_put(ctx->conn).
517 *
518 * Problem is that the mptcp socket will be in
519 * ESTABLISHED state and will not have the SOCK_DEAD flag.
520 * Both result in warnings from inet_sock_destruct.
521 */
522
523 if (sk->sk_state == TCP_ESTABLISHED) {
524 sk->sk_state = TCP_CLOSE;
525 WARN_ON_ONCE(sk->sk_socket);
526 sock_orphan(sk);
527 }
528
529 mptcp_destroy_common(mptcp_sk(sk));
530 inet_sock_destruct(sk);
531 }
532
533 static void mptcp_force_close(struct sock *sk)
534 {
535 inet_sk_state_store(sk, TCP_CLOSE);
536 sk_common_release(sk);
537 }
538
539 static void subflow_ulp_fallback(struct sock *sk,
540 struct mptcp_subflow_context *old_ctx)
541 {
542 struct inet_connection_sock *icsk = inet_csk(sk);
543
544 mptcp_subflow_tcp_fallback(sk, old_ctx);
545 icsk->icsk_ulp_ops = NULL;
546 rcu_assign_pointer(icsk->icsk_ulp_data, NULL);
547 tcp_sk(sk)->is_mptcp = 0;
548
549 mptcp_subflow_ops_undo_override(sk);
550 }
551
552 static void subflow_drop_ctx(struct sock *ssk)
553 {
554 struct mptcp_subflow_context *ctx = mptcp_subflow_ctx(ssk);
555
556 if (!ctx)
557 return;
558
559 subflow_ulp_fallback(ssk, ctx);
560 if (ctx->conn)
561 sock_put(ctx->conn);
562
563 kfree_rcu(ctx, rcu);
564 }
565
566 void mptcp_subflow_fully_established(struct mptcp_subflow_context *subflow,
567 struct mptcp_options_received *mp_opt)
568 {
569 struct mptcp_sock *msk = mptcp_sk(subflow->conn);
570
571 subflow->remote_key = mp_opt->sndr_key;
572 subflow->fully_established = 1;
573 subflow->can_ack = 1;
574 WRITE_ONCE(msk->fully_established, true);
575 }
576
577 static struct sock *subflow_syn_recv_sock(const struct sock *sk,
578 struct sk_buff *skb,
579 struct request_sock *req,
580 struct dst_entry *dst,
581 struct request_sock *req_unhash,
582 bool *own_req)
583 {
584 struct mptcp_subflow_context *listener = mptcp_subflow_ctx(sk);
585 struct mptcp_subflow_request_sock *subflow_req;
586 struct mptcp_options_received mp_opt;
587 bool fallback, fallback_is_fatal;
588 struct sock *new_msk = NULL;
589 struct sock *child;
590
591 pr_debug("listener=%p, req=%p, conn=%p", listener, req, listener->conn);
592
593 /* After child creation we must look for 'mp_capable' even when options
594 * are not parsed
595 */
596 mp_opt.mp_capable = 0;
597
598 /* hopefully temporary handling for MP_JOIN+syncookie */
599 subflow_req = mptcp_subflow_rsk(req);
600 fallback_is_fatal = tcp_rsk(req)->is_mptcp && subflow_req->mp_join;
601 fallback = !tcp_rsk(req)->is_mptcp;
602 if (fallback)
603 goto create_child;
604
605 /* if the sk is MP_CAPABLE, we try to fetch the client key */
606 if (subflow_req->mp_capable) {
607 if (TCP_SKB_CB(skb)->seq != subflow_req->ssn_offset + 1) {
608 /* here we can receive and accept an in-window,
609 * out-of-order pkt, which will not carry the MP_CAPABLE
610 * opt even on mptcp enabled paths
611 */
612 goto create_msk;
613 }
614
615 mptcp_get_options(skb, &mp_opt);
616 if (!mp_opt.mp_capable) {
617 fallback = true;
618 goto create_child;
619 }
620
621 create_msk:
622 new_msk = mptcp_sk_clone(listener->conn, &mp_opt, req);
623 if (!new_msk)
624 fallback = true;
625 } else if (subflow_req->mp_join) {
626 mptcp_get_options(skb, &mp_opt);
627 if (!mp_opt.mp_join || !subflow_hmac_valid(req, &mp_opt) ||
628 !mptcp_can_accept_new_subflow(subflow_req->msk)) {
629 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKMAC);
630 fallback = true;
631 }
632 }
633
634 create_child:
635 child = listener->icsk_af_ops->syn_recv_sock(sk, skb, req, dst,
636 req_unhash, own_req);
637
638 if (child && *own_req) {
639 struct mptcp_subflow_context *ctx = mptcp_subflow_ctx(child);
640
641 tcp_rsk(req)->drop_req = false;
642
643 /* we need to fallback on ctx allocation failure and on pre-reqs
644 * checking above. In the latter scenario we additionally need
645 * to reset the context to non MPTCP status.
646 */
647 if (!ctx || fallback) {
648 if (fallback_is_fatal)
649 goto dispose_child;
650
651 subflow_drop_ctx(child);
652 goto out;
653 }
654
655 if (ctx->mp_capable) {
656 /* this can't race with mptcp_close(), as the msk is
657 * not yet exposted to user-space
658 */
659 inet_sk_state_store((void *)new_msk, TCP_ESTABLISHED);
660
661 /* record the newly created socket as the first msk
662 * subflow, but don't link it yet into conn_list
663 */
664 WRITE_ONCE(mptcp_sk(new_msk)->first, child);
665
666 /* new mpc subflow takes ownership of the newly
667 * created mptcp socket
668 */
669 new_msk->sk_destruct = mptcp_sock_destruct;
670 mptcp_pm_new_connection(mptcp_sk(new_msk), child, 1);
671 mptcp_token_accept(subflow_req, mptcp_sk(new_msk));
672 ctx->conn = new_msk;
673 new_msk = NULL;
674
675 /* with OoO packets we can reach here without ingress
676 * mpc option
677 */
678 if (mp_opt.mp_capable)
679 mptcp_subflow_fully_established(ctx, &mp_opt);
680 } else if (ctx->mp_join) {
681 struct mptcp_sock *owner;
682
683 owner = subflow_req->msk;
684 if (!owner)
685 goto dispose_child;
686
687 /* move the msk reference ownership to the subflow */
688 subflow_req->msk = NULL;
689 ctx->conn = (struct sock *)owner;
690 if (!mptcp_finish_join(child))
691 goto dispose_child;
692
693 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);
694 tcp_rsk(req)->drop_req = true;
695
696 if (subflow_use_different_sport(owner, sk)) {
697 pr_debug("ack inet_sport=%d %d",
698 ntohs(inet_sk(sk)->inet_sport),
699 ntohs(inet_sk((struct sock *)owner)->inet_sport));
700 if (!mptcp_pm_sport_in_anno_list(owner, sk)) {
701 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_MISMATCHPORTACKRX);
702 goto out;
703 }
704 SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINPORTACKRX);
705 }
706 }
707 }
708
709 out:
710 /* dispose of the left over mptcp master, if any */
711 if (unlikely(new_msk))
712 mptcp_force_close(new_msk);
713
714 /* check for expected invariant - should never trigger, just help
715 * catching eariler subtle bugs
716 */
717 WARN_ON_ONCE(child && *own_req && tcp_sk(child)->is_mptcp &&
718 (!mptcp_subflow_ctx(child) ||
719 !mptcp_subflow_ctx(child)->conn));
720 return child;
721
722 dispose_child:
723 subflow_drop_ctx(child);
724 tcp_rsk(req)->drop_req = true;
725 inet_csk_prepare_for_destroy_sock(child);
726 tcp_done(child);
727 req->rsk_ops->send_reset(sk, skb);
728
729 /* The last child reference will be released by the caller */
730 return child;
731 }
732
733 static struct inet_connection_sock_af_ops subflow_specific;
734 static struct proto tcp_prot_override;
735
736 enum mapping_status {
737 MAPPING_OK,
738 MAPPING_INVALID,
739 MAPPING_EMPTY,
740 MAPPING_DATA_FIN,
741 MAPPING_DUMMY
742 };
743
744 static u64 expand_seq(u64 old_seq, u16 old_data_len, u64 seq)
745 {
746 if ((u32)seq == (u32)old_seq)
747 return old_seq;
748
749 /* Assume map covers data not mapped yet. */
750 return seq | ((old_seq + old_data_len + 1) & GENMASK_ULL(63, 32));
751 }
752
753 static void warn_bad_map(struct mptcp_subflow_context *subflow, u32 ssn)
754 {
755 WARN_ONCE(1, "Bad mapping: ssn=%d map_seq=%d map_data_len=%d",
756 ssn, subflow->map_subflow_seq, subflow->map_data_len);
757 }
758
759 static bool skb_is_fully_mapped(struct sock *ssk, struct sk_buff *skb)
760 {
761 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
762 unsigned int skb_consumed;
763
764 skb_consumed = tcp_sk(ssk)->copied_seq - TCP_SKB_CB(skb)->seq;
765 if (WARN_ON_ONCE(skb_consumed >= skb->len))
766 return true;
767
768 return skb->len - skb_consumed <= subflow->map_data_len -
769 mptcp_subflow_get_map_offset(subflow);
770 }
771
772 static bool validate_mapping(struct sock *ssk, struct sk_buff *skb)
773 {
774 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
775 u32 ssn = tcp_sk(ssk)->copied_seq - subflow->ssn_offset;
776
777 if (unlikely(before(ssn, subflow->map_subflow_seq))) {
778 /* Mapping covers data later in the subflow stream,
779 * currently unsupported.
780 */
781 warn_bad_map(subflow, ssn);
782 return false;
783 }
784 if (unlikely(!before(ssn, subflow->map_subflow_seq +
785 subflow->map_data_len))) {
786 /* Mapping does covers past subflow data, invalid */
787 warn_bad_map(subflow, ssn + skb->len);
788 return false;
789 }
790 return true;
791 }
792
793 static enum mapping_status get_mapping_status(struct sock *ssk,
794 struct mptcp_sock *msk)
795 {
796 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
797 struct mptcp_ext *mpext;
798 struct sk_buff *skb;
799 u16 data_len;
800 u64 map_seq;
801
802 skb = skb_peek(&ssk->sk_receive_queue);
803 if (!skb)
804 return MAPPING_EMPTY;
805
806 if (mptcp_check_fallback(ssk))
807 return MAPPING_DUMMY;
808
809 mpext = mptcp_get_ext(skb);
810 if (!mpext || !mpext->use_map) {
811 if (!subflow->map_valid && !skb->len) {
812 /* the TCP stack deliver 0 len FIN pkt to the receive
813 * queue, that is the only 0len pkts ever expected here,
814 * and we can admit no mapping only for 0 len pkts
815 */
816 if (!(TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN))
817 WARN_ONCE(1, "0len seq %d:%d flags %x",
818 TCP_SKB_CB(skb)->seq,
819 TCP_SKB_CB(skb)->end_seq,
820 TCP_SKB_CB(skb)->tcp_flags);
821 sk_eat_skb(ssk, skb);
822 return MAPPING_EMPTY;
823 }
824
825 if (!subflow->map_valid)
826 return MAPPING_INVALID;
827
828 goto validate_seq;
829 }
830
831 pr_debug("seq=%llu is64=%d ssn=%u data_len=%u data_fin=%d",
832 mpext->data_seq, mpext->dsn64, mpext->subflow_seq,
833 mpext->data_len, mpext->data_fin);
834
835 data_len = mpext->data_len;
836 if (data_len == 0) {
837 pr_err("Infinite mapping not handled");
838 MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_INFINITEMAPRX);
839 return MAPPING_INVALID;
840 }
841
842 if (mpext->data_fin == 1) {
843 if (data_len == 1) {
844 bool updated = mptcp_update_rcv_data_fin(msk, mpext->data_seq,
845 mpext->dsn64);
846 pr_debug("DATA_FIN with no payload seq=%llu", mpext->data_seq);
847 if (subflow->map_valid) {
848 /* A DATA_FIN might arrive in a DSS
849 * option before the previous mapping
850 * has been fully consumed. Continue
851 * handling the existing mapping.
852 */
853 skb_ext_del(skb, SKB_EXT_MPTCP);
854 return MAPPING_OK;
855 } else {
856 if (updated && schedule_work(&msk->work))
857 sock_hold((struct sock *)msk);
858
859 return MAPPING_DATA_FIN;
860 }
861 } else {
862 u64 data_fin_seq = mpext->data_seq + data_len - 1;
863
864 /* If mpext->data_seq is a 32-bit value, data_fin_seq
865 * must also be limited to 32 bits.
866 */
867 if (!mpext->dsn64)
868 data_fin_seq &= GENMASK_ULL(31, 0);
869
870 mptcp_update_rcv_data_fin(msk, data_fin_seq, mpext->dsn64);
871 pr_debug("DATA_FIN with mapping seq=%llu dsn64=%d",
872 data_fin_seq, mpext->dsn64);
873 }
874
875 /* Adjust for DATA_FIN using 1 byte of sequence space */
876 data_len--;
877 }
878
879 if (!mpext->dsn64) {
880 map_seq = expand_seq(subflow->map_seq, subflow->map_data_len,
881 mpext->data_seq);
882 pr_debug("expanded seq=%llu", subflow->map_seq);
883 } else {
884 map_seq = mpext->data_seq;
885 }
886 WRITE_ONCE(mptcp_sk(subflow->conn)->use_64bit_ack, !!mpext->dsn64);
887
888 if (subflow->map_valid) {
889 /* Allow replacing only with an identical map */
890 if (subflow->map_seq == map_seq &&
891 subflow->map_subflow_seq == mpext->subflow_seq &&
892 subflow->map_data_len == data_len) {
893 skb_ext_del(skb, SKB_EXT_MPTCP);
894 return MAPPING_OK;
895 }
896
897 /* If this skb data are fully covered by the current mapping,
898 * the new map would need caching, which is not supported
899 */
900 if (skb_is_fully_mapped(ssk, skb)) {
901 MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DSSNOMATCH);
902 return MAPPING_INVALID;
903 }
904
905 /* will validate the next map after consuming the current one */
906 return MAPPING_OK;
907 }
908
909 subflow->map_seq = map_seq;
910 subflow->map_subflow_seq = mpext->subflow_seq;
911 subflow->map_data_len = data_len;
912 subflow->map_valid = 1;
913 subflow->mpc_map = mpext->mpc_map;
914 pr_debug("new map seq=%llu subflow_seq=%u data_len=%u",
915 subflow->map_seq, subflow->map_subflow_seq,
916 subflow->map_data_len);
917
918 validate_seq:
919 /* we revalidate valid mapping on new skb, because we must ensure
920 * the current skb is completely covered by the available mapping
921 */
922 if (!validate_mapping(ssk, skb))
923 return MAPPING_INVALID;
924
925 skb_ext_del(skb, SKB_EXT_MPTCP);
926 return MAPPING_OK;
927 }
928
929 static void mptcp_subflow_discard_data(struct sock *ssk, struct sk_buff *skb,
930 u64 limit)
931 {
932 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
933 bool fin = TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN;
934 u32 incr;
935
936 incr = limit >= skb->len ? skb->len + fin : limit;
937
938 pr_debug("discarding=%d len=%d seq=%d", incr, skb->len,
939 subflow->map_subflow_seq);
940 MPTCP_INC_STATS(sock_net(ssk), MPTCP_MIB_DUPDATA);
941 tcp_sk(ssk)->copied_seq += incr;
942 if (!before(tcp_sk(ssk)->copied_seq, TCP_SKB_CB(skb)->end_seq))
943 sk_eat_skb(ssk, skb);
944 if (mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len)
945 subflow->map_valid = 0;
946 }
947
948 /* sched mptcp worker to remove the subflow if no more data is pending */
949 static void subflow_sched_work_if_closed(struct mptcp_sock *msk, struct sock *ssk)
950 {
951 struct sock *sk = (struct sock *)msk;
952
953 if (likely(ssk->sk_state != TCP_CLOSE))
954 return;
955
956 if (skb_queue_empty(&ssk->sk_receive_queue) &&
957 !test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags)) {
958 sock_hold(sk);
959 if (!schedule_work(&msk->work))
960 sock_put(sk);
961 }
962 }
963
964 static bool subflow_check_data_avail(struct sock *ssk)
965 {
966 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
967 enum mapping_status status;
968 struct mptcp_sock *msk;
969 struct sk_buff *skb;
970
971 pr_debug("msk=%p ssk=%p data_avail=%d skb=%p", subflow->conn, ssk,
972 subflow->data_avail, skb_peek(&ssk->sk_receive_queue));
973 if (!skb_peek(&ssk->sk_receive_queue))
974 subflow->data_avail = 0;
975 if (subflow->data_avail)
976 return true;
977
978 msk = mptcp_sk(subflow->conn);
979 for (;;) {
980 u64 ack_seq;
981 u64 old_ack;
982
983 status = get_mapping_status(ssk, msk);
984 pr_debug("msk=%p ssk=%p status=%d", msk, ssk, status);
985 if (status == MAPPING_INVALID) {
986 ssk->sk_err = EBADMSG;
987 goto fatal;
988 }
989 if (status == MAPPING_DUMMY) {
990 __mptcp_do_fallback(msk);
991 skb = skb_peek(&ssk->sk_receive_queue);
992 subflow->map_valid = 1;
993 subflow->map_seq = READ_ONCE(msk->ack_seq);
994 subflow->map_data_len = skb->len;
995 subflow->map_subflow_seq = tcp_sk(ssk)->copied_seq -
996 subflow->ssn_offset;
997 subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL;
998 return true;
999 }
1000
1001 if (status != MAPPING_OK)
1002 goto no_data;
1003
1004 skb = skb_peek(&ssk->sk_receive_queue);
1005 if (WARN_ON_ONCE(!skb))
1006 goto no_data;
1007
1008 /* if msk lacks the remote key, this subflow must provide an
1009 * MP_CAPABLE-based mapping
1010 */
1011 if (unlikely(!READ_ONCE(msk->can_ack))) {
1012 if (!subflow->mpc_map) {
1013 ssk->sk_err = EBADMSG;
1014 goto fatal;
1015 }
1016 WRITE_ONCE(msk->remote_key, subflow->remote_key);
1017 WRITE_ONCE(msk->ack_seq, subflow->map_seq);
1018 WRITE_ONCE(msk->can_ack, true);
1019 }
1020
1021 old_ack = READ_ONCE(msk->ack_seq);
1022 ack_seq = mptcp_subflow_get_mapped_dsn(subflow);
1023 pr_debug("msk ack_seq=%llx subflow ack_seq=%llx", old_ack,
1024 ack_seq);
1025 if (ack_seq == old_ack) {
1026 subflow->data_avail = MPTCP_SUBFLOW_DATA_AVAIL;
1027 break;
1028 } else if (after64(ack_seq, old_ack)) {
1029 subflow->data_avail = MPTCP_SUBFLOW_OOO_DATA;
1030 break;
1031 }
1032
1033 /* only accept in-sequence mapping. Old values are spurious
1034 * retransmission
1035 */
1036 mptcp_subflow_discard_data(ssk, skb, old_ack - ack_seq);
1037 }
1038 return true;
1039
1040 no_data:
1041 subflow_sched_work_if_closed(msk, ssk);
1042 return false;
1043 fatal:
1044 /* fatal protocol error, close the socket */
1045 /* This barrier is coupled with smp_rmb() in tcp_poll() */
1046 smp_wmb();
1047 ssk->sk_error_report(ssk);
1048 tcp_set_state(ssk, TCP_CLOSE);
1049 tcp_send_active_reset(ssk, GFP_ATOMIC);
1050 subflow->data_avail = 0;
1051 return false;
1052 }
1053
1054 bool mptcp_subflow_data_available(struct sock *sk)
1055 {
1056 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
1057
1058 /* check if current mapping is still valid */
1059 if (subflow->map_valid &&
1060 mptcp_subflow_get_map_offset(subflow) >= subflow->map_data_len) {
1061 subflow->map_valid = 0;
1062 subflow->data_avail = 0;
1063
1064 pr_debug("Done with mapping: seq=%u data_len=%u",
1065 subflow->map_subflow_seq,
1066 subflow->map_data_len);
1067 }
1068
1069 return subflow_check_data_avail(sk);
1070 }
1071
1072 /* If ssk has an mptcp parent socket, use the mptcp rcvbuf occupancy,
1073 * not the ssk one.
1074 *
1075 * In mptcp, rwin is about the mptcp-level connection data.
1076 *
1077 * Data that is still on the ssk rx queue can thus be ignored,
1078 * as far as mptcp peer is concerened that data is still inflight.
1079 * DSS ACK is updated when skb is moved to the mptcp rx queue.
1080 */
1081 void mptcp_space(const struct sock *ssk, int *space, int *full_space)
1082 {
1083 const struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
1084 const struct sock *sk = subflow->conn;
1085
1086 *space = __mptcp_space(sk);
1087 *full_space = tcp_full_space(sk);
1088 }
1089
1090 static void subflow_data_ready(struct sock *sk)
1091 {
1092 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
1093 u16 state = 1 << inet_sk_state_load(sk);
1094 struct sock *parent = subflow->conn;
1095 struct mptcp_sock *msk;
1096
1097 msk = mptcp_sk(parent);
1098 if (state & TCPF_LISTEN) {
1099 /* MPJ subflow are removed from accept queue before reaching here,
1100 * avoid stray wakeups
1101 */
1102 if (reqsk_queue_empty(&inet_csk(sk)->icsk_accept_queue))
1103 return;
1104
1105 set_bit(MPTCP_DATA_READY, &msk->flags);
1106 parent->sk_data_ready(parent);
1107 return;
1108 }
1109
1110 WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable &&
1111 !subflow->mp_join && !(state & TCPF_CLOSE));
1112
1113 if (mptcp_subflow_data_available(sk))
1114 mptcp_data_ready(parent, sk);
1115 }
1116
1117 static void subflow_write_space(struct sock *ssk)
1118 {
1119 struct sock *sk = mptcp_subflow_ctx(ssk)->conn;
1120
1121 mptcp_propagate_sndbuf(sk, ssk);
1122 mptcp_write_space(sk);
1123 }
1124
1125 void __mptcp_error_report(struct sock *sk)
1126 {
1127 struct mptcp_subflow_context *subflow;
1128 struct mptcp_sock *msk = mptcp_sk(sk);
1129
1130 mptcp_for_each_subflow(msk, subflow) {
1131 struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
1132 int err = sock_error(ssk);
1133
1134 if (!err)
1135 continue;
1136
1137 /* only propagate errors on fallen-back sockets or
1138 * on MPC connect
1139 */
1140 if (sk->sk_state != TCP_SYN_SENT && !__mptcp_check_fallback(msk))
1141 continue;
1142
1143 inet_sk_state_store(sk, inet_sk_state_load(ssk));
1144 sk->sk_err = -err;
1145
1146 /* This barrier is coupled with smp_rmb() in mptcp_poll() */
1147 smp_wmb();
1148 sk->sk_error_report(sk);
1149 break;
1150 }
1151 }
1152
1153 static void subflow_error_report(struct sock *ssk)
1154 {
1155 struct sock *sk = mptcp_subflow_ctx(ssk)->conn;
1156
1157 mptcp_data_lock(sk);
1158 if (!sock_owned_by_user(sk))
1159 __mptcp_error_report(sk);
1160 else
1161 set_bit(MPTCP_ERROR_REPORT, &mptcp_sk(sk)->flags);
1162 mptcp_data_unlock(sk);
1163 }
1164
1165 static struct inet_connection_sock_af_ops *
1166 subflow_default_af_ops(struct sock *sk)
1167 {
1168 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1169 if (sk->sk_family == AF_INET6)
1170 return &subflow_v6_specific;
1171 #endif
1172 return &subflow_specific;
1173 }
1174
1175 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1176 void mptcpv6_handle_mapped(struct sock *sk, bool mapped)
1177 {
1178 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
1179 struct inet_connection_sock *icsk = inet_csk(sk);
1180 struct inet_connection_sock_af_ops *target;
1181
1182 target = mapped ? &subflow_v6m_specific : subflow_default_af_ops(sk);
1183
1184 pr_debug("subflow=%p family=%d ops=%p target=%p mapped=%d",
1185 subflow, sk->sk_family, icsk->icsk_af_ops, target, mapped);
1186
1187 if (likely(icsk->icsk_af_ops == target))
1188 return;
1189
1190 subflow->icsk_af_ops = icsk->icsk_af_ops;
1191 icsk->icsk_af_ops = target;
1192 }
1193 #endif
1194
1195 void mptcp_info2sockaddr(const struct mptcp_addr_info *info,
1196 struct sockaddr_storage *addr,
1197 unsigned short family)
1198 {
1199 memset(addr, 0, sizeof(*addr));
1200 addr->ss_family = family;
1201 if (addr->ss_family == AF_INET) {
1202 struct sockaddr_in *in_addr = (struct sockaddr_in *)addr;
1203
1204 if (info->family == AF_INET)
1205 in_addr->sin_addr = info->addr;
1206 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1207 else if (ipv6_addr_v4mapped(&info->addr6))
1208 in_addr->sin_addr.s_addr = info->addr6.s6_addr32[3];
1209 #endif
1210 in_addr->sin_port = info->port;
1211 }
1212 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1213 else if (addr->ss_family == AF_INET6) {
1214 struct sockaddr_in6 *in6_addr = (struct sockaddr_in6 *)addr;
1215
1216 if (info->family == AF_INET)
1217 ipv6_addr_set_v4mapped(info->addr.s_addr,
1218 &in6_addr->sin6_addr);
1219 else
1220 in6_addr->sin6_addr = info->addr6;
1221 in6_addr->sin6_port = info->port;
1222 }
1223 #endif
1224 }
1225
1226 int __mptcp_subflow_connect(struct sock *sk, const struct mptcp_addr_info *loc,
1227 const struct mptcp_addr_info *remote)
1228 {
1229 struct mptcp_sock *msk = mptcp_sk(sk);
1230 struct mptcp_subflow_context *subflow;
1231 struct sockaddr_storage addr;
1232 int remote_id = remote->id;
1233 int local_id = loc->id;
1234 struct socket *sf;
1235 struct sock *ssk;
1236 u32 remote_token;
1237 int addrlen;
1238 int err;
1239
1240 if (!mptcp_is_fully_established(sk))
1241 return -ENOTCONN;
1242
1243 err = mptcp_subflow_create_socket(sk, &sf);
1244 if (err)
1245 return err;
1246
1247 ssk = sf->sk;
1248 subflow = mptcp_subflow_ctx(ssk);
1249 do {
1250 get_random_bytes(&subflow->local_nonce, sizeof(u32));
1251 } while (!subflow->local_nonce);
1252
1253 if (!local_id) {
1254 err = mptcp_pm_get_local_id(msk, (struct sock_common *)ssk);
1255 if (err < 0)
1256 goto failed;
1257
1258 local_id = err;
1259 }
1260
1261 subflow->remote_key = msk->remote_key;
1262 subflow->local_key = msk->local_key;
1263 subflow->token = msk->token;
1264 mptcp_info2sockaddr(loc, &addr, ssk->sk_family);
1265
1266 addrlen = sizeof(struct sockaddr_in);
1267 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1268 if (addr.ss_family == AF_INET6)
1269 addrlen = sizeof(struct sockaddr_in6);
1270 #endif
1271 ssk->sk_bound_dev_if = loc->ifindex;
1272 err = kernel_bind(sf, (struct sockaddr *)&addr, addrlen);
1273 if (err)
1274 goto failed;
1275
1276 mptcp_crypto_key_sha(subflow->remote_key, &remote_token, NULL);
1277 pr_debug("msk=%p remote_token=%u local_id=%d remote_id=%d", msk,
1278 remote_token, local_id, remote_id);
1279 subflow->remote_token = remote_token;
1280 subflow->local_id = local_id;
1281 subflow->remote_id = remote_id;
1282 subflow->request_join = 1;
1283 subflow->request_bkup = !!(loc->flags & MPTCP_PM_ADDR_FLAG_BACKUP);
1284 mptcp_info2sockaddr(remote, &addr, ssk->sk_family);
1285
1286 mptcp_add_pending_subflow(msk, subflow);
1287 err = kernel_connect(sf, (struct sockaddr *)&addr, addrlen, O_NONBLOCK);
1288 if (err && err != -EINPROGRESS)
1289 goto failed_unlink;
1290
1291 /* discard the subflow socket */
1292 mptcp_sock_graft(ssk, sk->sk_socket);
1293 iput(SOCK_INODE(sf));
1294 return err;
1295
1296 failed_unlink:
1297 spin_lock_bh(&msk->join_list_lock);
1298 list_del(&subflow->node);
1299 spin_unlock_bh(&msk->join_list_lock);
1300
1301 failed:
1302 subflow->disposable = 1;
1303 sock_release(sf);
1304 return err;
1305 }
1306
1307 static void mptcp_attach_cgroup(struct sock *parent, struct sock *child)
1308 {
1309 #ifdef CONFIG_SOCK_CGROUP_DATA
1310 struct sock_cgroup_data *parent_skcd = &parent->sk_cgrp_data,
1311 *child_skcd = &child->sk_cgrp_data;
1312
1313 /* only the additional subflows created by kworkers have to be modified */
1314 if (cgroup_id(sock_cgroup_ptr(parent_skcd)) !=
1315 cgroup_id(sock_cgroup_ptr(child_skcd))) {
1316 #ifdef CONFIG_MEMCG
1317 struct mem_cgroup *memcg = parent->sk_memcg;
1318
1319 mem_cgroup_sk_free(child);
1320 if (memcg && css_tryget(&memcg->css))
1321 child->sk_memcg = memcg;
1322 #endif /* CONFIG_MEMCG */
1323
1324 cgroup_sk_free(child_skcd);
1325 *child_skcd = *parent_skcd;
1326 cgroup_sk_clone(child_skcd);
1327 }
1328 #endif /* CONFIG_SOCK_CGROUP_DATA */
1329 }
1330
1331 static void mptcp_subflow_ops_override(struct sock *ssk)
1332 {
1333 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1334 if (ssk->sk_prot == &tcpv6_prot)
1335 ssk->sk_prot = &tcpv6_prot_override;
1336 else
1337 #endif
1338 ssk->sk_prot = &tcp_prot_override;
1339 }
1340
1341 static void mptcp_subflow_ops_undo_override(struct sock *ssk)
1342 {
1343 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1344 if (ssk->sk_prot == &tcpv6_prot_override)
1345 ssk->sk_prot = &tcpv6_prot;
1346 else
1347 #endif
1348 ssk->sk_prot = &tcp_prot;
1349 }
1350 int mptcp_subflow_create_socket(struct sock *sk, struct socket **new_sock)
1351 {
1352 struct mptcp_subflow_context *subflow;
1353 struct net *net = sock_net(sk);
1354 struct socket *sf;
1355 int err;
1356
1357 /* un-accepted server sockets can reach here - on bad configuration
1358 * bail early to avoid greater trouble later
1359 */
1360 if (unlikely(!sk->sk_socket))
1361 return -EINVAL;
1362
1363 err = sock_create_kern(net, sk->sk_family, SOCK_STREAM, IPPROTO_TCP,
1364 &sf);
1365 if (err)
1366 return err;
1367
1368 lock_sock(sf->sk);
1369
1370 /* the newly created socket has to be in the same cgroup as its parent */
1371 mptcp_attach_cgroup(sk, sf->sk);
1372
1373 /* kernel sockets do not by default acquire net ref, but TCP timer
1374 * needs it.
1375 */
1376 sf->sk->sk_net_refcnt = 1;
1377 get_net(net);
1378 #ifdef CONFIG_PROC_FS
1379 this_cpu_add(*net->core.sock_inuse, 1);
1380 #endif
1381 err = tcp_set_ulp(sf->sk, "mptcp");
1382 release_sock(sf->sk);
1383
1384 if (err) {
1385 sock_release(sf);
1386 return err;
1387 }
1388
1389 /* the newly created socket really belongs to the owning MPTCP master
1390 * socket, even if for additional subflows the allocation is performed
1391 * by a kernel workqueue. Adjust inode references, so that the
1392 * procfs/diag interaces really show this one belonging to the correct
1393 * user.
1394 */
1395 SOCK_INODE(sf)->i_ino = SOCK_INODE(sk->sk_socket)->i_ino;
1396 SOCK_INODE(sf)->i_uid = SOCK_INODE(sk->sk_socket)->i_uid;
1397 SOCK_INODE(sf)->i_gid = SOCK_INODE(sk->sk_socket)->i_gid;
1398
1399 subflow = mptcp_subflow_ctx(sf->sk);
1400 pr_debug("subflow=%p", subflow);
1401
1402 *new_sock = sf;
1403 sock_hold(sk);
1404 subflow->conn = sk;
1405 mptcp_subflow_ops_override(sf->sk);
1406
1407 return 0;
1408 }
1409
1410 static struct mptcp_subflow_context *subflow_create_ctx(struct sock *sk,
1411 gfp_t priority)
1412 {
1413 struct inet_connection_sock *icsk = inet_csk(sk);
1414 struct mptcp_subflow_context *ctx;
1415
1416 ctx = kzalloc(sizeof(*ctx), priority);
1417 if (!ctx)
1418 return NULL;
1419
1420 rcu_assign_pointer(icsk->icsk_ulp_data, ctx);
1421 INIT_LIST_HEAD(&ctx->node);
1422 INIT_LIST_HEAD(&ctx->delegated_node);
1423
1424 pr_debug("subflow=%p", ctx);
1425
1426 ctx->tcp_sock = sk;
1427
1428 return ctx;
1429 }
1430
1431 static void __subflow_state_change(struct sock *sk)
1432 {
1433 struct socket_wq *wq;
1434
1435 rcu_read_lock();
1436 wq = rcu_dereference(sk->sk_wq);
1437 if (skwq_has_sleeper(wq))
1438 wake_up_interruptible_all(&wq->wait);
1439 rcu_read_unlock();
1440 }
1441
1442 static bool subflow_is_done(const struct sock *sk)
1443 {
1444 return sk->sk_shutdown & RCV_SHUTDOWN || sk->sk_state == TCP_CLOSE;
1445 }
1446
1447 static void subflow_state_change(struct sock *sk)
1448 {
1449 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk);
1450 struct sock *parent = subflow->conn;
1451
1452 __subflow_state_change(sk);
1453
1454 if (subflow_simultaneous_connect(sk)) {
1455 mptcp_propagate_sndbuf(parent, sk);
1456 mptcp_do_fallback(sk);
1457 mptcp_rcv_space_init(mptcp_sk(parent), sk);
1458 pr_fallback(mptcp_sk(parent));
1459 subflow->conn_finished = 1;
1460 if (inet_sk_state_load(parent) == TCP_SYN_SENT) {
1461 inet_sk_state_store(parent, TCP_ESTABLISHED);
1462 parent->sk_state_change(parent);
1463 }
1464 }
1465
1466 /* as recvmsg() does not acquire the subflow socket for ssk selection
1467 * a fin packet carrying a DSS can be unnoticed if we don't trigger
1468 * the data available machinery here.
1469 */
1470 if (mptcp_subflow_data_available(sk))
1471 mptcp_data_ready(parent, sk);
1472
1473 subflow_sched_work_if_closed(mptcp_sk(parent), sk);
1474
1475 if (__mptcp_check_fallback(mptcp_sk(parent)) &&
1476 !subflow->rx_eof && subflow_is_done(sk)) {
1477 subflow->rx_eof = 1;
1478 mptcp_subflow_eof(parent);
1479 }
1480 }
1481
1482 static int subflow_ulp_init(struct sock *sk)
1483 {
1484 struct inet_connection_sock *icsk = inet_csk(sk);
1485 struct mptcp_subflow_context *ctx;
1486 struct tcp_sock *tp = tcp_sk(sk);
1487 int err = 0;
1488
1489 /* disallow attaching ULP to a socket unless it has been
1490 * created with sock_create_kern()
1491 */
1492 if (!sk->sk_kern_sock) {
1493 err = -EOPNOTSUPP;
1494 goto out;
1495 }
1496
1497 ctx = subflow_create_ctx(sk, GFP_KERNEL);
1498 if (!ctx) {
1499 err = -ENOMEM;
1500 goto out;
1501 }
1502
1503 pr_debug("subflow=%p, family=%d", ctx, sk->sk_family);
1504
1505 tp->is_mptcp = 1;
1506 ctx->icsk_af_ops = icsk->icsk_af_ops;
1507 icsk->icsk_af_ops = subflow_default_af_ops(sk);
1508 ctx->tcp_data_ready = sk->sk_data_ready;
1509 ctx->tcp_state_change = sk->sk_state_change;
1510 ctx->tcp_write_space = sk->sk_write_space;
1511 ctx->tcp_error_report = sk->sk_error_report;
1512 sk->sk_data_ready = subflow_data_ready;
1513 sk->sk_write_space = subflow_write_space;
1514 sk->sk_state_change = subflow_state_change;
1515 sk->sk_error_report = subflow_error_report;
1516 out:
1517 return err;
1518 }
1519
1520 static void subflow_ulp_release(struct sock *ssk)
1521 {
1522 struct mptcp_subflow_context *ctx = mptcp_subflow_ctx(ssk);
1523 bool release = true;
1524 struct sock *sk;
1525
1526 if (!ctx)
1527 return;
1528
1529 sk = ctx->conn;
1530 if (sk) {
1531 /* if the msk has been orphaned, keep the ctx
1532 * alive, will be freed by __mptcp_close_ssk(),
1533 * when the subflow is still unaccepted
1534 */
1535 release = ctx->disposable || list_empty(&ctx->node);
1536 sock_put(sk);
1537 }
1538
1539 mptcp_subflow_ops_undo_override(ssk);
1540 if (release)
1541 kfree_rcu(ctx, rcu);
1542 }
1543
1544 static void subflow_ulp_clone(const struct request_sock *req,
1545 struct sock *newsk,
1546 const gfp_t priority)
1547 {
1548 struct mptcp_subflow_request_sock *subflow_req = mptcp_subflow_rsk(req);
1549 struct mptcp_subflow_context *old_ctx = mptcp_subflow_ctx(newsk);
1550 struct mptcp_subflow_context *new_ctx;
1551
1552 if (!tcp_rsk(req)->is_mptcp ||
1553 (!subflow_req->mp_capable && !subflow_req->mp_join)) {
1554 subflow_ulp_fallback(newsk, old_ctx);
1555 return;
1556 }
1557
1558 new_ctx = subflow_create_ctx(newsk, priority);
1559 if (!new_ctx) {
1560 subflow_ulp_fallback(newsk, old_ctx);
1561 return;
1562 }
1563
1564 new_ctx->conn_finished = 1;
1565 new_ctx->icsk_af_ops = old_ctx->icsk_af_ops;
1566 new_ctx->tcp_data_ready = old_ctx->tcp_data_ready;
1567 new_ctx->tcp_state_change = old_ctx->tcp_state_change;
1568 new_ctx->tcp_write_space = old_ctx->tcp_write_space;
1569 new_ctx->tcp_error_report = old_ctx->tcp_error_report;
1570 new_ctx->rel_write_seq = 1;
1571 new_ctx->tcp_sock = newsk;
1572
1573 if (subflow_req->mp_capable) {
1574 /* see comments in subflow_syn_recv_sock(), MPTCP connection
1575 * is fully established only after we receive the remote key
1576 */
1577 new_ctx->mp_capable = 1;
1578 new_ctx->local_key = subflow_req->local_key;
1579 new_ctx->token = subflow_req->token;
1580 new_ctx->ssn_offset = subflow_req->ssn_offset;
1581 new_ctx->idsn = subflow_req->idsn;
1582 } else if (subflow_req->mp_join) {
1583 new_ctx->ssn_offset = subflow_req->ssn_offset;
1584 new_ctx->mp_join = 1;
1585 new_ctx->fully_established = 1;
1586 new_ctx->backup = subflow_req->backup;
1587 new_ctx->local_id = subflow_req->local_id;
1588 new_ctx->remote_id = subflow_req->remote_id;
1589 new_ctx->token = subflow_req->token;
1590 new_ctx->thmac = subflow_req->thmac;
1591 }
1592 }
1593
1594 static void tcp_release_cb_override(struct sock *ssk)
1595 {
1596 struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(ssk);
1597
1598 if (mptcp_subflow_has_delegated_action(subflow))
1599 mptcp_subflow_process_delegated(ssk);
1600
1601 tcp_release_cb(ssk);
1602 }
1603
1604 static struct tcp_ulp_ops subflow_ulp_ops __read_mostly = {
1605 .name = "mptcp",
1606 .owner = THIS_MODULE,
1607 .init = subflow_ulp_init,
1608 .release = subflow_ulp_release,
1609 .clone = subflow_ulp_clone,
1610 };
1611
1612 static int subflow_ops_init(struct request_sock_ops *subflow_ops)
1613 {
1614 subflow_ops->obj_size = sizeof(struct mptcp_subflow_request_sock);
1615 subflow_ops->slab_name = "request_sock_subflow";
1616
1617 subflow_ops->slab = kmem_cache_create(subflow_ops->slab_name,
1618 subflow_ops->obj_size, 0,
1619 SLAB_ACCOUNT |
1620 SLAB_TYPESAFE_BY_RCU,
1621 NULL);
1622 if (!subflow_ops->slab)
1623 return -ENOMEM;
1624
1625 subflow_ops->destructor = subflow_req_destructor;
1626
1627 return 0;
1628 }
1629
1630 void __init mptcp_subflow_init(void)
1631 {
1632 mptcp_subflow_request_sock_ops = tcp_request_sock_ops;
1633 if (subflow_ops_init(&mptcp_subflow_request_sock_ops) != 0)
1634 panic("MPTCP: failed to init subflow request sock ops\n");
1635
1636 subflow_request_sock_ipv4_ops = tcp_request_sock_ipv4_ops;
1637 subflow_request_sock_ipv4_ops.route_req = subflow_v4_route_req;
1638
1639 subflow_specific = ipv4_specific;
1640 subflow_specific.conn_request = subflow_v4_conn_request;
1641 subflow_specific.syn_recv_sock = subflow_syn_recv_sock;
1642 subflow_specific.sk_rx_dst_set = subflow_finish_connect;
1643
1644 tcp_prot_override = tcp_prot;
1645 tcp_prot_override.release_cb = tcp_release_cb_override;
1646
1647 #if IS_ENABLED(CONFIG_MPTCP_IPV6)
1648 subflow_request_sock_ipv6_ops = tcp_request_sock_ipv6_ops;
1649 subflow_request_sock_ipv6_ops.route_req = subflow_v6_route_req;
1650
1651 subflow_v6_specific = ipv6_specific;
1652 subflow_v6_specific.conn_request = subflow_v6_conn_request;
1653 subflow_v6_specific.syn_recv_sock = subflow_syn_recv_sock;
1654 subflow_v6_specific.sk_rx_dst_set = subflow_finish_connect;
1655
1656 subflow_v6m_specific = subflow_v6_specific;
1657 subflow_v6m_specific.queue_xmit = ipv4_specific.queue_xmit;
1658 subflow_v6m_specific.send_check = ipv4_specific.send_check;
1659 subflow_v6m_specific.net_header_len = ipv4_specific.net_header_len;
1660 subflow_v6m_specific.mtu_reduced = ipv4_specific.mtu_reduced;
1661 subflow_v6m_specific.net_frag_header_len = 0;
1662
1663 tcpv6_prot_override = tcpv6_prot;
1664 tcpv6_prot_override.release_cb = tcp_release_cb_override;
1665 #endif
1666
1667 mptcp_diag_subflow_init(&subflow_ulp_ops);
1668
1669 if (tcp_register_ulp(&subflow_ulp_ops) != 0)
1670 panic("MPTCP: failed to register subflows to ULP\n");
1671 }
Ubuntu Jammy Linux kernel mirror