~hc/RK356X_SDK_RELEASE.git

..	..	@@ -30,15 +30,15 @@
30	30	* for a valid cookie, so this is an acceptable risk.
31	31	*/
32	32	get_random_bytes(key, sizeof(key));
33		- tcp_fastopen_reset_cipher(net, NULL, key, sizeof(key));
	33	+ tcp_fastopen_reset_cipher(net, NULL, key, NULL);
34	34	}
35	35
36	36	static void tcp_fastopen_ctx_free(struct rcu_head *head)
37	37	{
38	38	struct tcp_fastopen_context *ctx =
39	39	container_of(head, struct tcp_fastopen_context, rcu);
40		- crypto_free_cipher(ctx->tfm);
41		- kfree(ctx);
	40	+
	41	+ kfree_sensitive(ctx);
42	42	}
43	43
44	44	void tcp_fastopen_destroy_cipher(struct sock *sk)
..	..	@@ -67,31 +67,27 @@
67	67	}
68	68
69	69	int tcp_fastopen_reset_cipher(struct net net, struct sock sk,
70		- void *key, unsigned int len)
	70	+ void primary_key, void backup_key)
71	71	{
72	72	struct tcp_fastopen_context ctx, octx;
73	73	struct fastopen_queue *q;
74		- int err;
	74	+ int err = 0;
75	75
76	76	ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
77		- if (!ctx)
78		- return -ENOMEM;
79		- ctx->tfm = crypto_alloc_cipher("aes", 0, 0);
80		-
81		- if (IS_ERR(ctx->tfm)) {
82		- err = PTR_ERR(ctx->tfm);
83		-error: kfree(ctx);
84		- pr_err("TCP: TFO aes cipher alloc error: %d\n", err);
85		- return err;
	77	+ if (!ctx) {
	78	+ err = -ENOMEM;
	79	+ goto out;
86	80	}
87		- err = crypto_cipher_setkey(ctx->tfm, key, len);
88		- if (err) {
89		- pr_err("TCP: TFO cipher key error: %d\n", err);
90		- crypto_free_cipher(ctx->tfm);
91		- goto error;
92		- }
93		- memcpy(ctx->key, key, len);
94	81
	82	+ ctx->key[0].key[0] = get_unaligned_le64(primary_key);
	83	+ ctx->key[0].key[1] = get_unaligned_le64(primary_key + 8);
	84	+ if (backup_key) {
	85	+ ctx->key[1].key[0] = get_unaligned_le64(backup_key);
	86	+ ctx->key[1].key[1] = get_unaligned_le64(backup_key + 8);
	87	+ ctx->num = 2;
	88	+ } else {
	89	+ ctx->num = 1;
	90	+ }
95	91
96	92	spin_lock(&net->ipv4.tcp_fastopen_ctx_lock);
97	93	if (sk) {
..	..	@@ -108,66 +104,81 @@
108	104
109	105	if (octx)
110	106	call_rcu(&octx->rcu, tcp_fastopen_ctx_free);
	107	+out:
111	108	return err;
112	109	}
113	110
114		-static bool __tcp_fastopen_cookie_gen(struct sock sk, const void path,
115		- struct tcp_fastopen_cookie *foc)
	111	+int tcp_fastopen_get_cipher(struct net net, struct inet_connection_sock icsk,
	112	+ u64 *key)
116	113	{
117	114	struct tcp_fastopen_context *ctx;
118		- bool ok = false;
	115	+ int n_keys = 0, i;
119	116
120	117	rcu_read_lock();
121		-
122		- ctx = rcu_dereference(inet_csk(sk)->icsk_accept_queue.fastopenq.ctx);
123		- if (!ctx)
124		- ctx = rcu_dereference(sock_net(sk)->ipv4.tcp_fastopen_ctx);
125		-
	118	+ if (icsk)
	119	+ ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
	120	+ else
	121	+ ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
126	122	if (ctx) {
127		- crypto_cipher_encrypt_one(ctx->tfm, foc->val, path);
128		- foc->len = TCP_FASTOPEN_COOKIE_SIZE;
129		- ok = true;
	123	+ n_keys = tcp_fastopen_context_len(ctx);
	124	+ for (i = 0; i < n_keys; i++) {
	125	+ put_unaligned_le64(ctx->key[i].key[0], key + (i * 2));
	126	+ put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1);
	127	+ }
130	128	}
131	129	rcu_read_unlock();
132		- return ok;
	130	+
	131	+ return n_keys;
133	132	}
134	133
135		-/* Generate the fastopen cookie by doing aes128 encryption on both
136		- * the source and destination addresses. Pad 0s for IPv4 or IPv4-mapped-IPv6
137		- * addresses. For the longer IPv6 addresses use CBC-MAC.
138		- *
139		- * XXX (TFO) - refactor when TCP_FASTOPEN_COOKIE_SIZE != AES_BLOCK_SIZE.
140		- */
141		-static bool tcp_fastopen_cookie_gen(struct sock *sk,
142		- struct request_sock *req,
143		- struct sk_buff *syn,
144		- struct tcp_fastopen_cookie *foc)
	134	+static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req,
	135	+ struct sk_buff *syn,
	136	+ const siphash_key_t *key,
	137	+ struct tcp_fastopen_cookie *foc)
145	138	{
	139	+ BUILD_BUG_ON(TCP_FASTOPEN_COOKIE_SIZE != sizeof(u64));
	140	+
146	141	if (req->rsk_ops->family == AF_INET) {
147	142	const struct iphdr *iph = ip_hdr(syn);
148	143
149		- __be32 path[4] = { iph->saddr, iph->daddr, 0, 0 };
150		- return __tcp_fastopen_cookie_gen(sk, path, foc);
	144	+ foc->val[0] = cpu_to_le64(siphash(&iph->saddr,
	145	+ sizeof(iph->saddr) +
	146	+ sizeof(iph->daddr),
	147	+ key));
	148	+ foc->len = TCP_FASTOPEN_COOKIE_SIZE;
	149	+ return true;
151	150	}
152		-
153	151	#if IS_ENABLED(CONFIG_IPV6)
154	152	if (req->rsk_ops->family == AF_INET6) {
155	153	const struct ipv6hdr *ip6h = ipv6_hdr(syn);
156		- struct tcp_fastopen_cookie tmp;
157	154
158		- if (__tcp_fastopen_cookie_gen(sk, &ip6h->saddr, &tmp)) {
159		- struct in6_addr *buf = &tmp.addr;
160		- int i;
161		-
162		- for (i = 0; i < 4; i++)
163		- buf->s6_addr32[i] ^= ip6h->daddr.s6_addr32[i];
164		- return __tcp_fastopen_cookie_gen(sk, buf, foc);
165		- }
	155	+ foc->val[0] = cpu_to_le64(siphash(&ip6h->saddr,
	156	+ sizeof(ip6h->saddr) +
	157	+ sizeof(ip6h->daddr),
	158	+ key));
	159	+ foc->len = TCP_FASTOPEN_COOKIE_SIZE;
	160	+ return true;
166	161	}
167	162	#endif
168	163	return false;
169	164	}
170	165
	166	+/* Generate the fastopen cookie by applying SipHash to both the source and
	167	+ * destination addresses.
	168	+ */
	169	+static void tcp_fastopen_cookie_gen(struct sock *sk,
	170	+ struct request_sock *req,
	171	+ struct sk_buff *syn,
	172	+ struct tcp_fastopen_cookie *foc)
	173	+{
	174	+ struct tcp_fastopen_context *ctx;
	175	+
	176	+ rcu_read_lock();
	177	+ ctx = tcp_fastopen_get_ctx(sk);
	178	+ if (ctx)
	179	+ __tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[0], foc);
	180	+ rcu_read_unlock();
	181	+}
171	182
172	183	/* If an incoming SYN or SYNACK frame contains a payload and/or FIN,
173	184	* queue this additional data / FIN.
..	..	@@ -212,6 +223,35 @@
212	223	tcp_fin(sk);
213	224	}
214	225
	226	+/* returns 0 - no key match, 1 for primary, 2 for backup */
	227	+static int tcp_fastopen_cookie_gen_check(struct sock *sk,
	228	+ struct request_sock *req,
	229	+ struct sk_buff *syn,
	230	+ struct tcp_fastopen_cookie *orig,
	231	+ struct tcp_fastopen_cookie *valid_foc)
	232	+{
	233	+ struct tcp_fastopen_cookie search_foc = { .len = -1 };
	234	+ struct tcp_fastopen_cookie *foc = valid_foc;
	235	+ struct tcp_fastopen_context *ctx;
	236	+ int i, ret = 0;
	237	+
	238	+ rcu_read_lock();
	239	+ ctx = tcp_fastopen_get_ctx(sk);
	240	+ if (!ctx)
	241	+ goto out;
	242	+ for (i = 0; i < tcp_fastopen_context_len(ctx); i++) {
	243	+ __tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[i], foc);
	244	+ if (tcp_fastopen_cookie_match(foc, orig)) {
	245	+ ret = i + 1;
	246	+ goto out;
	247	+ }
	248	+ foc = &search_foc;
	249	+ }
	250	+out:
	251	+ rcu_read_unlock();
	252	+ return ret;
	253	+}
	254	+
215	255	static struct sock tcp_fastopen_create_child(struct sock sk,
216	256	struct sk_buff *skb,
217	257	struct request_sock *req)
..	..	@@ -220,10 +260,6 @@
220	260	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
221	261	struct sock *child;
222	262	bool own_req;
223		-
224		- req->num_retrans = 0;
225		- req->num_timeout = 0;
226		- req->sk = NULL;
227	263
228	264	child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
229	265	NULL, &own_req);
..	..	@@ -240,7 +276,7 @@
240	276	*/
241	277	tp = tcp_sk(child);
242	278
243		- tp->fastopen_rsk = req;
	279	+ rcu_assign_pointer(tp->fastopen_rsk, req);
244	280	tcp_rsk(req)->tfo_listener = true;
245	281
246	282	/* RFC1323: The window in SYN & SYN/ACK segments is never
..	..	@@ -259,7 +295,7 @@
259	295	refcount_set(&req->rsk_refcnt, 2);
260	296
261	297	/* Now finish processing the fastopen child socket. */
262		- tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB);
	298	+ tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, skb);
263	299
264	300	tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
265	301
..	..	@@ -276,6 +312,7 @@
276	312	static bool tcp_fastopen_queue_check(struct sock *sk)
277	313	{
278	314	struct fastopen_queue *fastopenq;
	315	+ int max_qlen;
279	316
280	317	/* Make sure the listener has enabled fastopen, and we don't
281	318	* exceed the max # of pending TFO requests allowed before trying
..	..	@@ -288,10 +325,11 @@
288	325	* temporarily vs a server not supporting Fast Open at all.
289	326	*/
290	327	fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
291		- if (fastopenq->max_qlen == 0)
	328	+ max_qlen = READ_ONCE(fastopenq->max_qlen);
	329	+ if (max_qlen == 0)
292	330	return false;
293	331
294		- if (fastopenq->qlen >= fastopenq->max_qlen) {
	332	+ if (fastopenq->qlen >= max_qlen) {
295	333	struct request_sock *req1;
296	334	spin_lock(&fastopenq->lock);
297	335	req1 = fastopenq->rskq_rst_head;
..	..	@@ -313,7 +351,7 @@
313	351	const struct dst_entry *dst,
314	352	int flag)
315	353	{
316		- return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) \|\|
	354	+ return (READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen) & flag) \|\|
317	355	tcp_sk(sk)->fastopen_no_cookie \|\|
318	356	(dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE));
319	357	}
..	..	@@ -328,9 +366,10 @@
328	366	const struct dst_entry *dst)
329	367	{
330	368	bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
331		- int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
	369	+ int tcp_fastopen = READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen);
332	370	struct tcp_fastopen_cookie valid_foc = { .len = -1 };
333	371	struct sock *child;
	372	+ int ret = 0;
334	373
335	374	if (foc->len == 0) /* Client requests a cookie */
336	375	NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENCOOKIEREQD);
..	..	@@ -345,31 +384,44 @@
345	384	if (tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
346	385	goto fastopen;
347	386
348		- if (foc->len >= 0 && /* Client presents or requests a cookie */
349		- tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc) &&
350		- foc->len == TCP_FASTOPEN_COOKIE_SIZE &&
351		- foc->len == valid_foc.len &&
352		- !memcmp(foc->val, valid_foc.val, foc->len)) {
353		- /* Cookie is valid. Create a (full) child socket to accept
354		- * the data in SYN before returning a SYN-ACK to ack the
355		- * data. If we fail to create the socket, fall back and
356		- * ack the ISN only but includes the same cookie.
357		- *
358		- * Note: Data-less SYN with valid cookie is allowed to send
359		- * data in SYN_RECV state.
360		- */
361		-fastopen:
362		- child = tcp_fastopen_create_child(sk, skb, req);
363		- if (child) {
364		- foc->len = -1;
	387	+ if (foc->len == 0) {
	388	+ /* Client requests a cookie. */
	389	+ tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc);
	390	+ } else if (foc->len > 0) {
	391	+ ret = tcp_fastopen_cookie_gen_check(sk, req, skb, foc,
	392	+ &valid_foc);
	393	+ if (!ret) {
365	394	NET_INC_STATS(sock_net(sk),
366		- LINUX_MIB_TCPFASTOPENPASSIVE);
367		- return child;
	395	+ LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
	396	+ } else {
	397	+ /* Cookie is valid. Create a (full) child socket to
	398	+ * accept the data in SYN before returning a SYN-ACK to
	399	+ * ack the data. If we fail to create the socket, fall
	400	+ * back and ack the ISN only but includes the same
	401	+ * cookie.
	402	+ *
	403	+ * Note: Data-less SYN with valid cookie is allowed to
	404	+ * send data in SYN_RECV state.
	405	+ */
	406	+fastopen:
	407	+ child = tcp_fastopen_create_child(sk, skb, req);
	408	+ if (child) {
	409	+ if (ret == 2) {
	410	+ valid_foc.exp = foc->exp;
	411	+ *foc = valid_foc;
	412	+ NET_INC_STATS(sock_net(sk),
	413	+ LINUX_MIB_TCPFASTOPENPASSIVEALTKEY);
	414	+ } else {
	415	+ foc->len = -1;
	416	+ }
	417	+ NET_INC_STATS(sock_net(sk),
	418	+ LINUX_MIB_TCPFASTOPENPASSIVE);
	419	+ return child;
	420	+ }
	421	+ NET_INC_STATS(sock_net(sk),
	422	+ LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
368	423	}
369		- NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
370		- } else if (foc->len > 0) /* Client presents an invalid cookie */
371		- NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
372		-
	424	+ }
373	425	valid_foc.exp = foc->exp;
374	426	*foc = valid_foc;
375	427	return NULL;
..	..	@@ -394,7 +446,10 @@
394	446	cookie->len = -1;
395	447	return true;
396	448	}
397		- return cookie->len > 0;
	449	+ if (cookie->len > 0)
	450	+ return true;
	451	+ tcp_sk(sk)->fastopen_client_fail = TFO_COOKIE_UNAVAILABLE;
	452	+ return false;
398	453	}
399	454
400	455	/* This function checks if we want to defer sending SYN until the first
..	..	@@ -453,6 +508,9 @@
453	508	{
454	509	struct net *net = sock_net(sk);
455	510
	511	+ if (!READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout))
	512	+ return;
	513	+
456	514	/* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
457	515	WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
458	516
..	..	@@ -471,11 +529,16 @@
471	529	*/
472	530	bool tcp_fastopen_active_should_disable(struct sock *sk)
473	531	{
474		- unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
475		- int tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
	532	+ unsigned int tfo_bh_timeout =
	533	+ READ_ONCE(sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout);
476	534	unsigned long timeout;
	535	+ int tfo_da_times;
477	536	int multiplier;
478	537
	538	+ if (!tfo_bh_timeout)
	539	+ return false;
	540	+
	541	+ tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
479	542	if (!tfo_da_times)
480	543	return false;
481	544