1// SPDX-License-Identifier: GPL-2.0-or-later 2/* 3 * RAW sockets for IPv6 4 * Linux INET6 implementation 5 * 6 * Authors: 7 * Pedro Roque <roque@di.fc.ul.pt> 8 * 9 * Adapted from linux/net/ipv4/raw.c 10 * 11 * Fixes: 12 * Hideaki YOSHIFUJI : sin6_scope_id support 13 * YOSHIFUJI,H.@USAGI : raw checksum (RFC2292(bis) compliance) 14 * Kazunori MIYAZAWA @USAGI: change process style to use ip6_append_data 15 */ 16 17#include <linux/errno.h> 18#include <linux/types.h> 19#include <linux/socket.h> 20#include <linux/slab.h> 21#include <linux/sockios.h> 22#include <linux/net.h> 23#include <linux/in6.h> 24#include <linux/netdevice.h> 25#include <linux/if_arp.h> 26#include <linux/icmpv6.h> 27#include <linux/netfilter.h> 28#include <linux/netfilter_ipv6.h> 29#include <linux/skbuff.h> 30#include <linux/compat.h> 31#include <linux/uaccess.h> 32#include <asm/ioctls.h> 33 34#include <net/net_namespace.h> 35#include <net/ip.h> 36#include <net/sock.h> 37#include <net/snmp.h> 38 39#include <net/ipv6.h> 40#include <net/ndisc.h> 41#include <net/protocol.h> 42#include <net/ip6_route.h> 43#include <net/ip6_checksum.h> 44#include <net/addrconf.h> 45#include <net/transp_v6.h> 46#include <net/udp.h> 47#include <net/inet_common.h> 48#include <net/tcp_states.h> 49#if IS_ENABLED(CONFIG_IPV6_MIP6) 50#include <net/mip6.h> 51#endif 52#include <linux/mroute6.h> 53 54#include <net/raw.h> 55#include <net/rawv6.h> 56#include <net/xfrm.h> 57 58#include <linux/proc_fs.h> 59#include <linux/seq_file.h> 60#include <linux/export.h> 61 62#define ICMPV6_HDRLEN 4 /* ICMPv6 header, RFC 4443 Section 2.1 */ 63 64struct raw_hashinfo raw_v6_hashinfo; 65EXPORT_SYMBOL_GPL(raw_v6_hashinfo); 66 67bool raw_v6_match(struct net *net, const struct sock *sk, unsigned short num, 68 const struct in6_addr *loc_addr, 69 const struct in6_addr *rmt_addr, int dif, int sdif) 70{ 71 if (inet_sk(sk)->inet_num != num || 72 !net_eq(sock_net(sk), net) || 73 (!ipv6_addr_any(&sk->sk_v6_daddr) && 74 !ipv6_addr_equal(&sk->sk_v6_daddr, rmt_addr)) || 75 !raw_sk_bound_dev_eq(net, sk->sk_bound_dev_if, 76 dif, sdif)) 77 return false; 78 79 if (ipv6_addr_any(&sk->sk_v6_rcv_saddr) || 80 ipv6_addr_equal(&sk->sk_v6_rcv_saddr, loc_addr) || 81 (ipv6_addr_is_multicast(loc_addr) && 82 inet6_mc_check(sk, loc_addr, rmt_addr))) 83 return true; 84 85 return false; 86} 87EXPORT_SYMBOL_GPL(raw_v6_match); 88 89/* 90 * 0 - deliver 91 * 1 - block 92 */ 93static int icmpv6_filter(const struct sock *sk, const struct sk_buff *skb) 94{ 95 struct icmp6hdr _hdr; 96 const struct icmp6hdr *hdr; 97 98 /* We require only the four bytes of the ICMPv6 header, not any 99 * additional bytes of message body in "struct icmp6hdr". 100 */ 101 hdr = skb_header_pointer(skb, skb_transport_offset(skb), 102 ICMPV6_HDRLEN, &_hdr); 103 if (hdr) { 104 const __u32 *data = &raw6_sk(sk)->filter.data[0]; 105 unsigned int type = hdr->icmp6_type; 106 107 return (data[type >> 5] & (1U << (type & 31))) != 0; 108 } 109 return 1; 110} 111 112#if IS_ENABLED(CONFIG_IPV6_MIP6) 113typedef int mh_filter_t(struct sock *sock, struct sk_buff *skb); 114 115static mh_filter_t __rcu *mh_filter __read_mostly; 116 117int rawv6_mh_filter_register(mh_filter_t filter) 118{ 119 rcu_assign_pointer(mh_filter, filter); 120 return 0; 121} 122EXPORT_SYMBOL(rawv6_mh_filter_register); 123 124int rawv6_mh_filter_unregister(mh_filter_t filter) 125{ 126 RCU_INIT_POINTER(mh_filter, NULL); 127 synchronize_rcu(); 128 return 0; 129} 130EXPORT_SYMBOL(rawv6_mh_filter_unregister); 131 132#endif 133 134/* 135 * demultiplex raw sockets. 136 * (should consider queueing the skb in the sock receive_queue 137 * without calling rawv6.c) 138 * 139 * Caller owns SKB so we must make clones. 140 */ 141static bool ipv6_raw_deliver(struct sk_buff *skb, int nexthdr) 142{ 143 struct net *net = dev_net(skb->dev); 144 const struct in6_addr *saddr; 145 const struct in6_addr *daddr; 146 struct hlist_head *hlist; 147 struct sock *sk; 148 bool delivered = false; 149 __u8 hash; 150 151 saddr = &ipv6_hdr(skb)->saddr; 152 daddr = saddr + 1; 153 154 hash = raw_hashfunc(net, nexthdr); 155 hlist = &raw_v6_hashinfo.ht[hash]; 156 rcu_read_lock(); 157 sk_for_each_rcu(sk, hlist) { 158 int filtered; 159 160 if (!raw_v6_match(net, sk, nexthdr, daddr, saddr, 161 inet6_iif(skb), inet6_sdif(skb))) 162 continue; 163 delivered = true; 164 switch (nexthdr) { 165 case IPPROTO_ICMPV6: 166 filtered = icmpv6_filter(sk, skb); 167 break; 168 169#if IS_ENABLED(CONFIG_IPV6_MIP6) 170 case IPPROTO_MH: 171 { 172 /* XXX: To validate MH only once for each packet, 173 * this is placed here. It should be after checking 174 * xfrm policy, however it doesn't. The checking xfrm 175 * policy is placed in rawv6_rcv() because it is 176 * required for each socket. 177 */ 178 mh_filter_t *filter; 179 180 filter = rcu_dereference(mh_filter); 181 filtered = filter ? (*filter)(sk, skb) : 0; 182 break; 183 } 184#endif 185 default: 186 filtered = 0; 187 break; 188 } 189 190 if (filtered < 0) 191 break; 192 if (filtered == 0) { 193 struct sk_buff *clone = skb_clone(skb, GFP_ATOMIC); 194 195 /* Not releasing hash table! */ 196 if (clone) 197 rawv6_rcv(sk, clone); 198 } 199 } 200 rcu_read_unlock(); 201 return delivered; 202} 203 204bool raw6_local_deliver(struct sk_buff *skb, int nexthdr) 205{ 206 return ipv6_raw_deliver(skb, nexthdr); 207} 208 209/* This cleans up af_inet6 a bit. -DaveM */ 210static int rawv6_bind(struct sock *sk, struct sockaddr *uaddr, int addr_len) 211{ 212 struct inet_sock *inet = inet_sk(sk); 213 struct ipv6_pinfo *np = inet6_sk(sk); 214 struct sockaddr_in6 *addr = (struct sockaddr_in6 *) uaddr; 215 __be32 v4addr = 0; 216 int addr_type; 217 int err; 218 219 if (addr_len < SIN6_LEN_RFC2133) 220 return -EINVAL; 221 222 if (addr->sin6_family != AF_INET6) 223 return -EINVAL; 224 225 addr_type = ipv6_addr_type(&addr->sin6_addr); 226 227 /* Raw sockets are IPv6 only */ 228 if (addr_type == IPV6_ADDR_MAPPED) 229 return -EADDRNOTAVAIL; 230 231 lock_sock(sk); 232 233 err = -EINVAL; 234 if (sk->sk_state != TCP_CLOSE) 235 goto out; 236 237 rcu_read_lock(); 238 /* Check if the address belongs to the host. */ 239 if (addr_type != IPV6_ADDR_ANY) { 240 struct net_device *dev = NULL; 241 242 if (__ipv6_addr_needs_scope_id(addr_type)) { 243 if (addr_len >= sizeof(struct sockaddr_in6) && 244 addr->sin6_scope_id) { 245 /* Override any existing binding, if another 246 * one is supplied by user. 247 */ 248 sk->sk_bound_dev_if = addr->sin6_scope_id; 249 } 250 251 /* Binding to link-local address requires an interface */ 252 if (!sk->sk_bound_dev_if) 253 goto out_unlock; 254 } 255 256 if (sk->sk_bound_dev_if) { 257 err = -ENODEV; 258 dev = dev_get_by_index_rcu(sock_net(sk), 259 sk->sk_bound_dev_if); 260 if (!dev) 261 goto out_unlock; 262 } 263 264 /* ipv4 addr of the socket is invalid. Only the 265 * unspecified and mapped address have a v4 equivalent. 266 */ 267 v4addr = LOOPBACK4_IPV6; 268 if (!(addr_type & IPV6_ADDR_MULTICAST) && 269 !ipv6_can_nonlocal_bind(sock_net(sk), inet)) { 270 err = -EADDRNOTAVAIL; 271 if (!ipv6_chk_addr(sock_net(sk), &addr->sin6_addr, 272 dev, 0)) { 273 goto out_unlock; 274 } 275 } 276 } 277 278 inet->inet_rcv_saddr = inet->inet_saddr = v4addr; 279 sk->sk_v6_rcv_saddr = addr->sin6_addr; 280 if (!(addr_type & IPV6_ADDR_MULTICAST)) 281 np->saddr = addr->sin6_addr; 282 err = 0; 283out_unlock: 284 rcu_read_unlock(); 285out: 286 release_sock(sk); 287 return err; 288} 289 290static void rawv6_err(struct sock *sk, struct sk_buff *skb, 291 struct inet6_skb_parm *opt, 292 u8 type, u8 code, int offset, __be32 info) 293{ 294 struct ipv6_pinfo *np = inet6_sk(sk); 295 int err; 296 int harderr; 297 298 /* Report error on raw socket, if: 299 1. User requested recverr. 300 2. Socket is connected (otherwise the error indication 301 is useless without recverr and error is hard. 302 */ 303 if (!np->recverr && sk->sk_state != TCP_ESTABLISHED) 304 return; 305 306 harderr = icmpv6_err_convert(type, code, &err); 307 if (type == ICMPV6_PKT_TOOBIG) { 308 ip6_sk_update_pmtu(skb, sk, info); 309 harderr = (np->pmtudisc == IPV6_PMTUDISC_DO); 310 } 311 if (type == NDISC_REDIRECT) { 312 ip6_sk_redirect(skb, sk); 313 return; 314 } 315 if (np->recverr) { 316 u8 *payload = skb->data; 317 if (!inet_test_bit(HDRINCL, sk)) 318 payload += offset; 319 ipv6_icmp_error(sk, skb, err, 0, ntohl(info), payload); 320 } 321 322 if (np->recverr || harderr) { 323 sk->sk_err = err; 324 sk_error_report(sk); 325 } 326} 327 328void raw6_icmp_error(struct sk_buff *skb, int nexthdr, 329 u8 type, u8 code, int inner_offset, __be32 info) 330{ 331 struct net *net = dev_net(skb->dev); 332 struct hlist_head *hlist; 333 struct sock *sk; 334 int hash; 335 336 hash = raw_hashfunc(net, nexthdr); 337 hlist = &raw_v6_hashinfo.ht[hash]; 338 rcu_read_lock(); 339 sk_for_each_rcu(sk, hlist) { 340 /* Note: ipv6_hdr(skb) != skb->data */ 341 const struct ipv6hdr *ip6h = (const struct ipv6hdr *)skb->data; 342 343 if (!raw_v6_match(net, sk, nexthdr, &ip6h->saddr, &ip6h->daddr, 344 inet6_iif(skb), inet6_iif(skb))) 345 continue; 346 rawv6_err(sk, skb, NULL, type, code, inner_offset, info); 347 } 348 rcu_read_unlock(); 349} 350 351static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb) 352{ 353 enum skb_drop_reason reason; 354 355 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) && 356 skb_checksum_complete(skb)) { 357 atomic_inc(&sk->sk_drops); 358 kfree_skb_reason(skb, SKB_DROP_REASON_SKB_CSUM); 359 return NET_RX_DROP; 360 } 361 362 /* Charge it to the socket. */ 363 skb_dst_drop(skb); 364 if (sock_queue_rcv_skb_reason(sk, skb, &reason) < 0) { 365 kfree_skb_reason(skb, reason); 366 return NET_RX_DROP; 367 } 368 369 return 0; 370} 371 372/* 373 * This is next to useless... 374 * if we demultiplex in network layer we don't need the extra call 375 * just to queue the skb... 376 * maybe we could have the network decide upon a hint if it 377 * should call raw_rcv for demultiplexing 378 */ 379int rawv6_rcv(struct sock *sk, struct sk_buff *skb) 380{ 381 struct inet_sock *inet = inet_sk(sk); 382 struct raw6_sock *rp = raw6_sk(sk); 383 384 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) { 385 atomic_inc(&sk->sk_drops); 386 kfree_skb_reason(skb, SKB_DROP_REASON_XFRM_POLICY); 387 return NET_RX_DROP; 388 } 389 nf_reset_ct(skb); 390 391 if (!rp->checksum) 392 skb->ip_summed = CHECKSUM_UNNECESSARY; 393 394 if (skb->ip_summed == CHECKSUM_COMPLETE) { 395 skb_postpull_rcsum(skb, skb_network_header(skb), 396 skb_network_header_len(skb)); 397 if (!csum_ipv6_magic(&ipv6_hdr(skb)->saddr, 398 &ipv6_hdr(skb)->daddr, 399 skb->len, inet->inet_num, skb->csum)) 400 skb->ip_summed = CHECKSUM_UNNECESSARY; 401 } 402 if (!skb_csum_unnecessary(skb)) 403 skb->csum = ~csum_unfold(csum_ipv6_magic(&ipv6_hdr(skb)->saddr, 404 &ipv6_hdr(skb)->daddr, 405 skb->len, 406 inet->inet_num, 0)); 407 408 if (inet_test_bit(HDRINCL, sk)) { 409 if (skb_checksum_complete(skb)) { 410 atomic_inc(&sk->sk_drops); 411 kfree_skb_reason(skb, SKB_DROP_REASON_SKB_CSUM); 412 return NET_RX_DROP; 413 } 414 } 415 416 rawv6_rcv_skb(sk, skb); 417 return 0; 418} 419 420 421/* 422 * This should be easy, if there is something there 423 * we return it, otherwise we block. 424 */ 425 426static int rawv6_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, 427 int flags, int *addr_len) 428{ 429 struct ipv6_pinfo *np = inet6_sk(sk); 430 DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); 431 struct sk_buff *skb; 432 size_t copied; 433 int err; 434 435 if (flags & MSG_OOB) 436 return -EOPNOTSUPP; 437 438 if (flags & MSG_ERRQUEUE) 439 return ipv6_recv_error(sk, msg, len, addr_len); 440 441 if (np->rxpmtu && np->rxopt.bits.rxpmtu) 442 return ipv6_recv_rxpmtu(sk, msg, len, addr_len); 443 444 skb = skb_recv_datagram(sk, flags, &err); 445 if (!skb) 446 goto out; 447 448 copied = skb->len; 449 if (copied > len) { 450 copied = len; 451 msg->msg_flags |= MSG_TRUNC; 452 } 453 454 if (skb_csum_unnecessary(skb)) { 455 err = skb_copy_datagram_msg(skb, 0, msg, copied); 456 } else if (msg->msg_flags&MSG_TRUNC) { 457 if (__skb_checksum_complete(skb)) 458 goto csum_copy_err; 459 err = skb_copy_datagram_msg(skb, 0, msg, copied); 460 } else { 461 err = skb_copy_and_csum_datagram_msg(skb, 0, msg); 462 if (err == -EINVAL) 463 goto csum_copy_err; 464 } 465 if (err) 466 goto out_free; 467 468 /* Copy the address. */ 469 if (sin6) { 470 sin6->sin6_family = AF_INET6; 471 sin6->sin6_port = 0; 472 sin6->sin6_addr = ipv6_hdr(skb)->saddr; 473 sin6->sin6_flowinfo = 0; 474 sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, 475 inet6_iif(skb)); 476 *addr_len = sizeof(*sin6); 477 } 478 479 sock_recv_cmsgs(msg, sk, skb); 480 481 if (np->rxopt.all) 482 ip6_datagram_recv_ctl(sk, msg, skb); 483 484 err = copied; 485 if (flags & MSG_TRUNC) 486 err = skb->len; 487 488out_free: 489 skb_free_datagram(sk, skb); 490out: 491 return err; 492 493csum_copy_err: 494 skb_kill_datagram(sk, skb, flags); 495 496 /* Error for blocking case is chosen to masquerade 497 as some normal condition. 498 */ 499 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH; 500 goto out; 501} 502 503static int rawv6_push_pending_frames(struct sock *sk, struct flowi6 *fl6, 504 struct raw6_sock *rp) 505{ 506 struct ipv6_txoptions *opt; 507 struct sk_buff *skb; 508 int err = 0; 509 int offset; 510 int len; 511 int total_len; 512 __wsum tmp_csum; 513 __sum16 csum; 514 515 if (!rp->checksum) 516 goto send; 517 518 skb = skb_peek(&sk->sk_write_queue); 519 if (!skb) 520 goto out; 521 522 offset = rp->offset; 523 total_len = inet_sk(sk)->cork.base.length; 524 opt = inet6_sk(sk)->cork.opt; 525 total_len -= opt ? opt->opt_flen : 0; 526 527 if (offset >= total_len - 1) { 528 err = -EINVAL; 529 ip6_flush_pending_frames(sk); 530 goto out; 531 } 532 533 /* should be check HW csum miyazawa */ 534 if (skb_queue_len(&sk->sk_write_queue) == 1) { 535 /* 536 * Only one fragment on the socket. 537 */ 538 tmp_csum = skb->csum; 539 } else { 540 struct sk_buff *csum_skb = NULL; 541 tmp_csum = 0; 542 543 skb_queue_walk(&sk->sk_write_queue, skb) { 544 tmp_csum = csum_add(tmp_csum, skb->csum); 545 546 if (csum_skb) 547 continue; 548 549 len = skb->len - skb_transport_offset(skb); 550 if (offset >= len) { 551 offset -= len; 552 continue; 553 } 554 555 csum_skb = skb; 556 } 557 558 skb = csum_skb; 559 } 560 561 offset += skb_transport_offset(skb); 562 err = skb_copy_bits(skb, offset, &csum, 2); 563 if (err < 0) { 564 ip6_flush_pending_frames(sk); 565 goto out; 566 } 567 568 /* in case cksum was not initialized */ 569 if (unlikely(csum)) 570 tmp_csum = csum_sub(tmp_csum, csum_unfold(csum)); 571 572 csum = csum_ipv6_magic(&fl6->saddr, &fl6->daddr, 573 total_len, fl6->flowi6_proto, tmp_csum); 574 575 if (csum == 0 && fl6->flowi6_proto == IPPROTO_UDP) 576 csum = CSUM_MANGLED_0; 577 578 BUG_ON(skb_store_bits(skb, offset, &csum, 2)); 579 580send: 581 err = ip6_push_pending_frames(sk); 582out: 583 return err; 584} 585 586static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length, 587 struct flowi6 *fl6, struct dst_entry **dstp, 588 unsigned int flags, const struct sockcm_cookie *sockc) 589{ 590 struct ipv6_pinfo *np = inet6_sk(sk); 591 struct net *net = sock_net(sk); 592 struct ipv6hdr *iph; 593 struct sk_buff *skb; 594 int err; 595 struct rt6_info *rt = (struct rt6_info *)*dstp; 596 int hlen = LL_RESERVED_SPACE(rt->dst.dev); 597 int tlen = rt->dst.dev->needed_tailroom; 598 599 if (length > rt->dst.dev->mtu) { 600 ipv6_local_error(sk, EMSGSIZE, fl6, rt->dst.dev->mtu); 601 return -EMSGSIZE; 602 } 603 if (length < sizeof(struct ipv6hdr)) 604 return -EINVAL; 605 if (flags&MSG_PROBE) 606 goto out; 607 608 skb = sock_alloc_send_skb(sk, 609 length + hlen + tlen + 15, 610 flags & MSG_DONTWAIT, &err); 611 if (!skb) 612 goto error; 613 skb_reserve(skb, hlen); 614 615 skb->protocol = htons(ETH_P_IPV6); 616 skb->priority = READ_ONCE(sk->sk_priority); 617 skb->mark = sockc->mark; 618 skb->tstamp = sockc->transmit_time; 619 620 skb_put(skb, length); 621 skb_reset_network_header(skb); 622 iph = ipv6_hdr(skb); 623 624 skb->ip_summed = CHECKSUM_NONE; 625 626 skb_setup_tx_timestamp(skb, sockc->tsflags); 627 628 if (flags & MSG_CONFIRM) 629 skb_set_dst_pending_confirm(skb, 1); 630 631 skb->transport_header = skb->network_header; 632 err = memcpy_from_msg(iph, msg, length); 633 if (err) { 634 err = -EFAULT; 635 kfree_skb(skb); 636 goto error; 637 } 638 639 skb_dst_set(skb, &rt->dst); 640 *dstp = NULL; 641 642 /* if egress device is enslaved to an L3 master device pass the 643 * skb to its handler for processing 644 */ 645 skb = l3mdev_ip6_out(sk, skb); 646 if (unlikely(!skb)) 647 return 0; 648 649 /* Acquire rcu_read_lock() in case we need to use rt->rt6i_idev 650 * in the error path. Since skb has been freed, the dst could 651 * have been queued for deletion. 652 */ 653 rcu_read_lock(); 654 IP6_UPD_PO_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len); 655 err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, net, sk, skb, 656 NULL, rt->dst.dev, dst_output); 657 if (err > 0) 658 err = net_xmit_errno(err); 659 if (err) { 660 IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS); 661 rcu_read_unlock(); 662 goto error_check; 663 } 664 rcu_read_unlock(); 665out: 666 return 0; 667 668error: 669 IP6_INC_STATS(net, rt->rt6i_idev, IPSTATS_MIB_OUTDISCARDS); 670error_check: 671 if (err == -ENOBUFS && !np->recverr) 672 err = 0; 673 return err; 674} 675 676struct raw6_frag_vec { 677 struct msghdr *msg; 678 int hlen; 679 char c[4]; 680}; 681 682static int rawv6_probe_proto_opt(struct raw6_frag_vec *rfv, struct flowi6 *fl6) 683{ 684 int err = 0; 685 switch (fl6->flowi6_proto) { 686 case IPPROTO_ICMPV6: 687 rfv->hlen = 2; 688 err = memcpy_from_msg(rfv->c, rfv->msg, rfv->hlen); 689 if (!err) { 690 fl6->fl6_icmp_type = rfv->c[0]; 691 fl6->fl6_icmp_code = rfv->c[1]; 692 } 693 break; 694 case IPPROTO_MH: 695 rfv->hlen = 4; 696 err = memcpy_from_msg(rfv->c, rfv->msg, rfv->hlen); 697 if (!err) 698 fl6->fl6_mh_type = rfv->c[2]; 699 } 700 return err; 701} 702 703static int raw6_getfrag(void *from, char *to, int offset, int len, int odd, 704 struct sk_buff *skb) 705{ 706 struct raw6_frag_vec *rfv = from; 707 708 if (offset < rfv->hlen) { 709 int copy = min(rfv->hlen - offset, len); 710 711 if (skb->ip_summed == CHECKSUM_PARTIAL) 712 memcpy(to, rfv->c + offset, copy); 713 else 714 skb->csum = csum_block_add( 715 skb->csum, 716 csum_partial_copy_nocheck(rfv->c + offset, 717 to, copy), 718 odd); 719 720 odd = 0; 721 offset += copy; 722 to += copy; 723 len -= copy; 724 725 if (!len) 726 return 0; 727 } 728 729 offset -= rfv->hlen; 730 731 return ip_generic_getfrag(rfv->msg, to, offset, len, odd, skb); 732} 733 734static int rawv6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) 735{ 736 struct ipv6_txoptions *opt_to_free = NULL; 737 struct ipv6_txoptions opt_space; 738 DECLARE_SOCKADDR(struct sockaddr_in6 *, sin6, msg->msg_name); 739 struct in6_addr *daddr, *final_p, final; 740 struct inet_sock *inet = inet_sk(sk); 741 struct ipv6_pinfo *np = inet6_sk(sk); 742 struct raw6_sock *rp = raw6_sk(sk); 743 struct ipv6_txoptions *opt = NULL; 744 struct ip6_flowlabel *flowlabel = NULL; 745 struct dst_entry *dst = NULL; 746 struct raw6_frag_vec rfv; 747 struct flowi6 fl6; 748 struct ipcm6_cookie ipc6; 749 int addr_len = msg->msg_namelen; 750 int hdrincl; 751 u16 proto; 752 int err; 753 754 /* Rough check on arithmetic overflow, 755 better check is made in ip6_append_data(). 756 */ 757 if (len > INT_MAX) 758 return -EMSGSIZE; 759 760 /* Mirror BSD error message compatibility */ 761 if (msg->msg_flags & MSG_OOB) 762 return -EOPNOTSUPP; 763 764 hdrincl = inet_test_bit(HDRINCL, sk); 765 766 /* 767 * Get and verify the address. 768 */ 769 memset(&fl6, 0, sizeof(fl6)); 770 771 fl6.flowi6_mark = READ_ONCE(sk->sk_mark); 772 fl6.flowi6_uid = sk->sk_uid; 773 774 ipcm6_init(&ipc6); 775 ipc6.sockc.tsflags = READ_ONCE(sk->sk_tsflags); 776 ipc6.sockc.mark = fl6.flowi6_mark; 777 778 if (sin6) { 779 if (addr_len < SIN6_LEN_RFC2133) 780 return -EINVAL; 781 782 if (sin6->sin6_family && sin6->sin6_family != AF_INET6) 783 return -EAFNOSUPPORT; 784 785 /* port is the proto value [0..255] carried in nexthdr */ 786 proto = ntohs(sin6->sin6_port); 787 788 if (!proto) 789 proto = inet->inet_num; 790 else if (proto != inet->inet_num && 791 inet->inet_num != IPPROTO_RAW) 792 return -EINVAL; 793 794 if (proto > 255) 795 return -EINVAL; 796 797 daddr = &sin6->sin6_addr; 798 if (np->sndflow) { 799 fl6.flowlabel = sin6->sin6_flowinfo&IPV6_FLOWINFO_MASK; 800 if (fl6.flowlabel&IPV6_FLOWLABEL_MASK) { 801 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel); 802 if (IS_ERR(flowlabel)) 803 return -EINVAL; 804 } 805 } 806 807 /* 808 * Otherwise it will be difficult to maintain 809 * sk->sk_dst_cache. 810 */ 811 if (sk->sk_state == TCP_ESTABLISHED && 812 ipv6_addr_equal(daddr, &sk->sk_v6_daddr)) 813 daddr = &sk->sk_v6_daddr; 814 815 if (addr_len >= sizeof(struct sockaddr_in6) && 816 sin6->sin6_scope_id && 817 __ipv6_addr_needs_scope_id(__ipv6_addr_type(daddr))) 818 fl6.flowi6_oif = sin6->sin6_scope_id; 819 } else { 820 if (sk->sk_state != TCP_ESTABLISHED) 821 return -EDESTADDRREQ; 822 823 proto = inet->inet_num; 824 daddr = &sk->sk_v6_daddr; 825 fl6.flowlabel = np->flow_label; 826 } 827 828 if (fl6.flowi6_oif == 0) 829 fl6.flowi6_oif = sk->sk_bound_dev_if; 830 831 if (msg->msg_controllen) { 832 opt = &opt_space; 833 memset(opt, 0, sizeof(struct ipv6_txoptions)); 834 opt->tot_len = sizeof(struct ipv6_txoptions); 835 ipc6.opt = opt; 836 837 err = ip6_datagram_send_ctl(sock_net(sk), sk, msg, &fl6, &ipc6); 838 if (err < 0) { 839 fl6_sock_release(flowlabel); 840 return err; 841 } 842 if ((fl6.flowlabel&IPV6_FLOWLABEL_MASK) && !flowlabel) { 843 flowlabel = fl6_sock_lookup(sk, fl6.flowlabel); 844 if (IS_ERR(flowlabel)) 845 return -EINVAL; 846 } 847 if (!(opt->opt_nflen|opt->opt_flen)) 848 opt = NULL; 849 } 850 if (!opt) { 851 opt = txopt_get(np); 852 opt_to_free = opt; 853 } 854 if (flowlabel) 855 opt = fl6_merge_options(&opt_space, flowlabel, opt); 856 opt = ipv6_fixup_options(&opt_space, opt); 857 858 fl6.flowi6_proto = proto; 859 fl6.flowi6_mark = ipc6.sockc.mark; 860 861 if (!hdrincl) { 862 rfv.msg = msg; 863 rfv.hlen = 0; 864 err = rawv6_probe_proto_opt(&rfv, &fl6); 865 if (err) 866 goto out; 867 } 868 869 if (!ipv6_addr_any(daddr)) 870 fl6.daddr = *daddr; 871 else 872 fl6.daddr.s6_addr[15] = 0x1; /* :: means loopback (BSD'ism) */ 873 if (ipv6_addr_any(&fl6.saddr) && !ipv6_addr_any(&np->saddr)) 874 fl6.saddr = np->saddr; 875 876 final_p = fl6_update_dst(&fl6, opt, &final); 877 878 if (!fl6.flowi6_oif && ipv6_addr_is_multicast(&fl6.daddr)) 879 fl6.flowi6_oif = np->mcast_oif; 880 else if (!fl6.flowi6_oif) 881 fl6.flowi6_oif = np->ucast_oif; 882 security_sk_classify_flow(sk, flowi6_to_flowi_common(&fl6)); 883 884 if (hdrincl) 885 fl6.flowi6_flags |= FLOWI_FLAG_KNOWN_NH; 886 887 if (ipc6.tclass < 0) 888 ipc6.tclass = np->tclass; 889 890 fl6.flowlabel = ip6_make_flowinfo(ipc6.tclass, fl6.flowlabel); 891 892 dst = ip6_dst_lookup_flow(sock_net(sk), sk, &fl6, final_p); 893 if (IS_ERR(dst)) { 894 err = PTR_ERR(dst); 895 goto out; 896 } 897 if (ipc6.hlimit < 0) 898 ipc6.hlimit = ip6_sk_dst_hoplimit(np, &fl6, dst); 899 900 if (ipc6.dontfrag < 0) 901 ipc6.dontfrag = np->dontfrag; 902 903 if (msg->msg_flags&MSG_CONFIRM) 904 goto do_confirm; 905 906back_from_confirm: 907 if (hdrincl) 908 err = rawv6_send_hdrinc(sk, msg, len, &fl6, &dst, 909 msg->msg_flags, &ipc6.sockc); 910 else { 911 ipc6.opt = opt; 912 lock_sock(sk); 913 err = ip6_append_data(sk, raw6_getfrag, &rfv, 914 len, 0, &ipc6, &fl6, (struct rt6_info *)dst, 915 msg->msg_flags); 916 917 if (err) 918 ip6_flush_pending_frames(sk); 919 else if (!(msg->msg_flags & MSG_MORE)) 920 err = rawv6_push_pending_frames(sk, &fl6, rp); 921 release_sock(sk); 922 } 923done: 924 dst_release(dst); 925out: 926 fl6_sock_release(flowlabel); 927 txopt_put(opt_to_free); 928 return err < 0 ? err : len; 929do_confirm: 930 if (msg->msg_flags & MSG_PROBE) 931 dst_confirm_neigh(dst, &fl6.daddr); 932 if (!(msg->msg_flags & MSG_PROBE) || len) 933 goto back_from_confirm; 934 err = 0; 935 goto done; 936} 937 938static int rawv6_seticmpfilter(struct sock *sk, int level, int optname, 939 sockptr_t optval, int optlen) 940{ 941 switch (optname) { 942 case ICMPV6_FILTER: 943 if (optlen > sizeof(struct icmp6_filter)) 944 optlen = sizeof(struct icmp6_filter); 945 if (copy_from_sockptr(&raw6_sk(sk)->filter, optval, optlen)) 946 return -EFAULT; 947 return 0; 948 default: 949 return -ENOPROTOOPT; 950 } 951 952 return 0; 953} 954 955static int rawv6_geticmpfilter(struct sock *sk, int level, int optname, 956 char __user *optval, int __user *optlen) 957{ 958 int len; 959 960 switch (optname) { 961 case ICMPV6_FILTER: 962 if (get_user(len, optlen)) 963 return -EFAULT; 964 if (len < 0) 965 return -EINVAL; 966 if (len > sizeof(struct icmp6_filter)) 967 len = sizeof(struct icmp6_filter); 968 if (put_user(len, optlen)) 969 return -EFAULT; 970 if (copy_to_user(optval, &raw6_sk(sk)->filter, len)) 971 return -EFAULT; 972 return 0; 973 default: 974 return -ENOPROTOOPT; 975 } 976 977 return 0; 978} 979 980 981static int do_rawv6_setsockopt(struct sock *sk, int level, int optname, 982 sockptr_t optval, unsigned int optlen) 983{ 984 struct raw6_sock *rp = raw6_sk(sk); 985 int val; 986 987 if (optlen < sizeof(val)) 988 return -EINVAL; 989 990 if (copy_from_sockptr(&val, optval, sizeof(val))) 991 return -EFAULT; 992 993 switch (optname) { 994 case IPV6_HDRINCL: 995 if (sk->sk_type != SOCK_RAW) 996 return -EINVAL; 997 inet_assign_bit(HDRINCL, sk, val); 998 return 0; 999 case IPV6_CHECKSUM: 1000 if (inet_sk(sk)->inet_num == IPPROTO_ICMPV6 && 1001 level == IPPROTO_IPV6) { 1002 /* 1003 * RFC3542 tells that IPV6_CHECKSUM socket 1004 * option in the IPPROTO_IPV6 level is not 1005 * allowed on ICMPv6 sockets. 1006 * If you want to set it, use IPPROTO_RAW 1007 * level IPV6_CHECKSUM socket option 1008 * (Linux extension). 1009 */ 1010 return -EINVAL; 1011 } 1012 1013 /* You may get strange result with a positive odd offset; 1014 RFC2292bis agrees with me. */ 1015 if (val > 0 && (val&1)) 1016 return -EINVAL; 1017 if (val < 0) { 1018 rp->checksum = 0; 1019 } else { 1020 rp->checksum = 1; 1021 rp->offset = val; 1022 } 1023 1024 return 0; 1025 1026 default: 1027 return -ENOPROTOOPT; 1028 } 1029} 1030 1031static int rawv6_setsockopt(struct sock *sk, int level, int optname, 1032 sockptr_t optval, unsigned int optlen) 1033{ 1034 switch (level) { 1035 case SOL_RAW: 1036 break; 1037 1038 case SOL_ICMPV6: 1039 if (inet_sk(sk)->inet_num != IPPROTO_ICMPV6) 1040 return -EOPNOTSUPP; 1041 return rawv6_seticmpfilter(sk, level, optname, optval, optlen); 1042 case SOL_IPV6: 1043 if (optname == IPV6_CHECKSUM || 1044 optname == IPV6_HDRINCL) 1045 break; 1046 fallthrough; 1047 default: 1048 return ipv6_setsockopt(sk, level, optname, optval, optlen); 1049 } 1050 1051 return do_rawv6_setsockopt(sk, level, optname, optval, optlen); 1052} 1053 1054static int do_rawv6_getsockopt(struct sock *sk, int level, int optname, 1055 char __user *optval, int __user *optlen) 1056{ 1057 struct raw6_sock *rp = raw6_sk(sk); 1058 int val, len; 1059 1060 if (get_user(len, optlen)) 1061 return -EFAULT; 1062 1063 switch (optname) { 1064 case IPV6_HDRINCL: 1065 val = inet_test_bit(HDRINCL, sk); 1066 break; 1067 case IPV6_CHECKSUM: 1068 /* 1069 * We allow getsockopt() for IPPROTO_IPV6-level 1070 * IPV6_CHECKSUM socket option on ICMPv6 sockets 1071 * since RFC3542 is silent about it. 1072 */ 1073 if (rp->checksum == 0) 1074 val = -1; 1075 else 1076 val = rp->offset; 1077 break; 1078 1079 default: 1080 return -ENOPROTOOPT; 1081 } 1082 1083 len = min_t(unsigned int, sizeof(int), len); 1084 1085 if (put_user(len, optlen)) 1086 return -EFAULT; 1087 if (copy_to_user(optval, &val, len)) 1088 return -EFAULT; 1089 return 0; 1090} 1091 1092static int rawv6_getsockopt(struct sock *sk, int level, int optname, 1093 char __user *optval, int __user *optlen) 1094{ 1095 switch (level) { 1096 case SOL_RAW: 1097 break; 1098 1099 case SOL_ICMPV6: 1100 if (inet_sk(sk)->inet_num != IPPROTO_ICMPV6) 1101 return -EOPNOTSUPP; 1102 return rawv6_geticmpfilter(sk, level, optname, optval, optlen); 1103 case SOL_IPV6: 1104 if (optname == IPV6_CHECKSUM || 1105 optname == IPV6_HDRINCL) 1106 break; 1107 fallthrough; 1108 default: 1109 return ipv6_getsockopt(sk, level, optname, optval, optlen); 1110 } 1111 1112 return do_rawv6_getsockopt(sk, level, optname, optval, optlen); 1113} 1114 1115static int rawv6_ioctl(struct sock *sk, int cmd, int *karg) 1116{ 1117 switch (cmd) { 1118 case SIOCOUTQ: { 1119 *karg = sk_wmem_alloc_get(sk); 1120 return 0; 1121 } 1122 case SIOCINQ: { 1123 struct sk_buff *skb; 1124 1125 spin_lock_bh(&sk->sk_receive_queue.lock); 1126 skb = skb_peek(&sk->sk_receive_queue); 1127 if (skb) 1128 *karg = skb->len; 1129 else 1130 *karg = 0; 1131 spin_unlock_bh(&sk->sk_receive_queue.lock); 1132 return 0; 1133 } 1134 1135 default: 1136#ifdef CONFIG_IPV6_MROUTE 1137 return ip6mr_ioctl(sk, cmd, karg); 1138#else 1139 return -ENOIOCTLCMD; 1140#endif 1141 } 1142} 1143 1144#ifdef CONFIG_COMPAT 1145static int compat_rawv6_ioctl(struct sock *sk, unsigned int cmd, unsigned long arg) 1146{ 1147 switch (cmd) { 1148 case SIOCOUTQ: 1149 case SIOCINQ: 1150 return -ENOIOCTLCMD; 1151 default: 1152#ifdef CONFIG_IPV6_MROUTE 1153 return ip6mr_compat_ioctl(sk, cmd, compat_ptr(arg)); 1154#else 1155 return -ENOIOCTLCMD; 1156#endif 1157 } 1158} 1159#endif 1160 1161static void rawv6_close(struct sock *sk, long timeout) 1162{ 1163 if (inet_sk(sk)->inet_num == IPPROTO_RAW) 1164 ip6_ra_control(sk, -1); 1165 ip6mr_sk_done(sk); 1166 sk_common_release(sk); 1167} 1168 1169static void raw6_destroy(struct sock *sk) 1170{ 1171 lock_sock(sk); 1172 ip6_flush_pending_frames(sk); 1173 release_sock(sk); 1174} 1175 1176static int rawv6_init_sk(struct sock *sk) 1177{ 1178 struct raw6_sock *rp = raw6_sk(sk); 1179 1180 switch (inet_sk(sk)->inet_num) { 1181 case IPPROTO_ICMPV6: 1182 rp->checksum = 1; 1183 rp->offset = 2; 1184 break; 1185 case IPPROTO_MH: 1186 rp->checksum = 1; 1187 rp->offset = 4; 1188 break; 1189 default: 1190 break; 1191 } 1192 return 0; 1193} 1194 1195struct proto rawv6_prot = { 1196 .name = "RAWv6", 1197 .owner = THIS_MODULE, 1198 .close = rawv6_close, 1199 .destroy = raw6_destroy, 1200 .connect = ip6_datagram_connect_v6_only, 1201 .disconnect = __udp_disconnect, 1202 .ioctl = rawv6_ioctl, 1203 .init = rawv6_init_sk, 1204 .setsockopt = rawv6_setsockopt, 1205 .getsockopt = rawv6_getsockopt, 1206 .sendmsg = rawv6_sendmsg, 1207 .recvmsg = rawv6_recvmsg, 1208 .bind = rawv6_bind, 1209 .backlog_rcv = rawv6_rcv_skb, 1210 .hash = raw_hash_sk, 1211 .unhash = raw_unhash_sk, 1212 .obj_size = sizeof(struct raw6_sock), 1213 .ipv6_pinfo_offset = offsetof(struct raw6_sock, inet6), 1214 .useroffset = offsetof(struct raw6_sock, filter), 1215 .usersize = sizeof_field(struct raw6_sock, filter), 1216 .h.raw_hash = &raw_v6_hashinfo, 1217#ifdef CONFIG_COMPAT 1218 .compat_ioctl = compat_rawv6_ioctl, 1219#endif 1220 .diag_destroy = raw_abort, 1221}; 1222 1223#ifdef CONFIG_PROC_FS 1224static int raw6_seq_show(struct seq_file *seq, void *v) 1225{ 1226 if (v == SEQ_START_TOKEN) { 1227 seq_puts(seq, IPV6_SEQ_DGRAM_HEADER); 1228 } else { 1229 struct sock *sp = v; 1230 __u16 srcp = inet_sk(sp)->inet_num; 1231 ip6_dgram_sock_seq_show(seq, v, srcp, 0, 1232 raw_seq_private(seq)->bucket); 1233 } 1234 return 0; 1235} 1236 1237static const struct seq_operations raw6_seq_ops = { 1238 .start = raw_seq_start, 1239 .next = raw_seq_next, 1240 .stop = raw_seq_stop, 1241 .show = raw6_seq_show, 1242}; 1243 1244static int __net_init raw6_init_net(struct net *net) 1245{ 1246 if (!proc_create_net_data("raw6", 0444, net->proc_net, &raw6_seq_ops, 1247 sizeof(struct raw_iter_state), &raw_v6_hashinfo)) 1248 return -ENOMEM; 1249 1250 return 0; 1251} 1252 1253static void __net_exit raw6_exit_net(struct net *net) 1254{ 1255 remove_proc_entry("raw6", net->proc_net); 1256} 1257 1258static struct pernet_operations raw6_net_ops = { 1259 .init = raw6_init_net, 1260 .exit = raw6_exit_net, 1261}; 1262 1263int __init raw6_proc_init(void) 1264{ 1265 return register_pernet_subsys(&raw6_net_ops); 1266} 1267 1268void raw6_proc_exit(void) 1269{ 1270 unregister_pernet_subsys(&raw6_net_ops); 1271} 1272#endif /* CONFIG_PROC_FS */ 1273 1274/* Same as inet6_dgram_ops, sans udp_poll. */ 1275const struct proto_ops inet6_sockraw_ops = { 1276 .family = PF_INET6, 1277 .owner = THIS_MODULE, 1278 .release = inet6_release, 1279 .bind = inet6_bind, 1280 .connect = inet_dgram_connect, /* ok */ 1281 .socketpair = sock_no_socketpair, /* a do nothing */ 1282 .accept = sock_no_accept, /* a do nothing */ 1283 .getname = inet6_getname, 1284 .poll = datagram_poll, /* ok */ 1285 .ioctl = inet6_ioctl, /* must change */ 1286 .gettstamp = sock_gettstamp, 1287 .listen = sock_no_listen, /* ok */ 1288 .shutdown = inet_shutdown, /* ok */ 1289 .setsockopt = sock_common_setsockopt, /* ok */ 1290 .getsockopt = sock_common_getsockopt, /* ok */ 1291 .sendmsg = inet_sendmsg, /* ok */ 1292 .recvmsg = sock_common_recvmsg, /* ok */ 1293 .mmap = sock_no_mmap, 1294#ifdef CONFIG_COMPAT 1295 .compat_ioctl = inet6_compat_ioctl, 1296#endif 1297}; 1298 1299static struct inet_protosw rawv6_protosw = { 1300 .type = SOCK_RAW, 1301 .protocol = IPPROTO_IP, /* wild card */ 1302 .prot = &rawv6_prot, 1303 .ops = &inet6_sockraw_ops, 1304 .flags = INET_PROTOSW_REUSE, 1305}; 1306 1307int __init rawv6_init(void) 1308{ 1309 return inet6_register_protosw(&rawv6_protosw); 1310} 1311 1312void rawv6_exit(void) 1313{ 1314 inet6_unregister_protosw(&rawv6_protosw); 1315} 1316