1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21
22 /*
23 * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
24 */
25
26 /* This file contains all TCP input processing functions. */
27
28 #include <sys/types.h>
29 #include <sys/stream.h>
30 #include <sys/strsun.h>
31 #include <sys/strsubr.h>
32 #include <sys/stropts.h>
33 #include <sys/strlog.h>
34 #define _SUN_TPI_VERSION 2
35 #include <sys/tihdr.h>
36 #include <sys/suntpi.h>
37 #include <sys/xti_inet.h>
38 #include <sys/squeue_impl.h>
39 #include <sys/squeue.h>
40 #include <sys/tsol/tnet.h>
41
42 #include <inet/common.h>
43 #include <inet/ip.h>
44 #include <inet/tcp.h>
45 #include <inet/tcp_impl.h>
46 #include <inet/tcp_cluster.h>
47 #include <inet/proto_set.h>
48 #include <inet/ipsec_impl.h>
49
50 /*
51 * RFC1323-recommended phrasing of TSTAMP option, for easier parsing
52 */
53
54 #ifdef _BIG_ENDIAN
55 #define TCPOPT_NOP_NOP_TSTAMP ((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) | \
56 (TCPOPT_TSTAMP << 8) | 10)
57 #else
58 #define TCPOPT_NOP_NOP_TSTAMP ((10 << 24) | (TCPOPT_TSTAMP << 16) | \
59 (TCPOPT_NOP << 8) | TCPOPT_NOP)
60 #endif
61
62 /*
63 * Flags returned from tcp_parse_options.
64 */
65 #define TCP_OPT_MSS_PRESENT 1
66 #define TCP_OPT_WSCALE_PRESENT 2
67 #define TCP_OPT_TSTAMP_PRESENT 4
68 #define TCP_OPT_SACK_OK_PRESENT 8
69 #define TCP_OPT_SACK_PRESENT 16
70
71 /*
72 * PAWS needs a timer for 24 days. This is the number of ticks in 24 days
73 */
74 #define PAWS_TIMEOUT ((clock_t)(24*24*60*60*hz))
75
76 /*
77 * Since tcp_listener is not cleared atomically with tcp_detached
78 * being cleared we need this extra bit to tell a detached connection
79 * apart from one that is in the process of being accepted.
80 */
81 #define TCP_IS_DETACHED_NONEAGER(tcp) \
82 (TCP_IS_DETACHED(tcp) && \
83 (!(tcp)->tcp_hard_binding))
84
85 /*
86 * Steps to do when a tcp_t moves to TIME-WAIT state.
87 *
88 * This connection is done, we don't need to account for it. Decrement
89 * the listener connection counter if needed.
90 *
91 * Decrement the connection counter of the stack. Note that this counter
92 * is per CPU. So the total number of connections in a stack is the sum of all
93 * of them. Since there is no lock for handling all of them exclusively, the
94 * resulting sum is only an approximation.
95 *
96 * Unconditionally clear the exclusive binding bit so this TIME-WAIT
97 * connection won't interfere with new ones.
98 *
99 * Start the TIME-WAIT timer. If upper layer has not closed the connection,
100 * the timer is handled within the context of this tcp_t. When the timer
101 * fires, tcp_clean_death() is called. If upper layer closes the connection
102 * during this period, tcp_time_wait_append() will be called to add this
103 * tcp_t to the global TIME-WAIT list. Note that this means that the
104 * actual wait time in TIME-WAIT state will be longer than the
105 * tcps_time_wait_interval since the period before upper layer closes the
106 * connection is not accounted for when tcp_time_wait_append() is called.
107 *
108 * If uppser layer has closed the connection, call tcp_time_wait_append()
109 * directly.
110 *
111 */
112 #define SET_TIME_WAIT(tcps, tcp, connp) \
113 { \
114 (tcp)->tcp_state = TCPS_TIME_WAIT; \
115 if ((tcp)->tcp_listen_cnt != NULL) \
116 TCP_DECR_LISTEN_CNT(tcp); \
117 atomic_dec_64( \
118 (uint64_t *)&(tcps)->tcps_sc[CPU->cpu_seqid]->tcp_sc_conn_cnt); \
119 (connp)->conn_exclbind = 0; \
120 if (!TCP_IS_DETACHED(tcp)) { \
121 TCP_TIMER_RESTART(tcp, (tcps)->tcps_time_wait_interval); \
122 } else { \
123 tcp_time_wait_append(tcp); \
124 TCP_DBGSTAT(tcps, tcp_rput_time_wait); \
125 } \
126 }
127
128 /*
129 * If tcp_drop_ack_unsent_cnt is greater than 0, when TCP receives more
130 * than tcp_drop_ack_unsent_cnt number of ACKs which acknowledge unsent
131 * data, TCP will not respond with an ACK. RFC 793 requires that
132 * TCP responds with an ACK for such a bogus ACK. By not following
133 * the RFC, we prevent TCP from getting into an ACK storm if somehow
134 * an attacker successfully spoofs an acceptable segment to our
135 * peer; or when our peer is "confused."
136 */
137 static uint32_t tcp_drop_ack_unsent_cnt = 10;
138
139 /*
140 * To protect TCP against attacker using a small window and requesting
141 * large amount of data (DoS attack by conuming memory), TCP checks the
142 * window advertised in the last ACK of the 3-way handshake. TCP uses
143 * the tcp_mss (the size of one packet) value for comparion. The window
144 * should be larger than tcp_mss. But while a sane TCP should advertise
145 * a receive window larger than or equal to 4*MSS to avoid stop and go
146 * tarrfic, not all TCP stacks do that. This is especially true when
147 * tcp_mss is a big value.
148 *
149 * To work around this issue, an additional fixed value for comparison
150 * is also used. If the advertised window is smaller than both tcp_mss
151 * and tcp_init_wnd_chk, the ACK is considered as invalid. So for large
152 * tcp_mss value (say, 8K), a window larger than tcp_init_wnd_chk but
153 * smaller than 8K is considered to be OK.
154 */
155 static uint32_t tcp_init_wnd_chk = 4096;
156
157 /* Process ICMP source quench message or not. */
158 static boolean_t tcp_icmp_source_quench = B_FALSE;
159
160 static boolean_t tcp_outbound_squeue_switch = B_FALSE;
161
162 static mblk_t *tcp_conn_create_v4(conn_t *, conn_t *, mblk_t *,
163 ip_recv_attr_t *);
164 static mblk_t *tcp_conn_create_v6(conn_t *, conn_t *, mblk_t *,
165 ip_recv_attr_t *);
166 static boolean_t tcp_drop_q0(tcp_t *);
167 static void tcp_icmp_error_ipv6(tcp_t *, mblk_t *, ip_recv_attr_t *);
168 static mblk_t *tcp_input_add_ancillary(tcp_t *, mblk_t *, ip_pkt_t *,
169 ip_recv_attr_t *);
170 static void tcp_input_listener(void *, mblk_t *, void *, ip_recv_attr_t *);
171 static int tcp_parse_options(tcpha_t *, tcp_opt_t *);
172 static void tcp_process_options(tcp_t *, tcpha_t *);
173 static mblk_t *tcp_reass(tcp_t *, mblk_t *, uint32_t);
174 static void tcp_reass_elim_overlap(tcp_t *, mblk_t *);
175 static void tcp_rsrv_input(void *, mblk_t *, void *, ip_recv_attr_t *);
176 static void tcp_set_rto(tcp_t *, time_t);
177 static void tcp_setcred_data(mblk_t *, ip_recv_attr_t *);
178
179 /*
180 * Set the MSS associated with a particular tcp based on its current value,
181 * and a new one passed in. Observe minimums and maximums, and reset other
182 * state variables that we want to view as multiples of MSS.
183 *
184 * The value of MSS could be either increased or descreased.
185 */
186 void
187 tcp_mss_set(tcp_t *tcp, uint32_t mss)
188 {
189 uint32_t mss_max;
190 tcp_stack_t *tcps = tcp->tcp_tcps;
191 conn_t *connp = tcp->tcp_connp;
192
193 if (connp->conn_ipversion == IPV4_VERSION)
194 mss_max = tcps->tcps_mss_max_ipv4;
195 else
196 mss_max = tcps->tcps_mss_max_ipv6;
197
198 if (mss < tcps->tcps_mss_min)
199 mss = tcps->tcps_mss_min;
200 if (mss > mss_max)
201 mss = mss_max;
202 /*
203 * Unless naglim has been set by our client to
204 * a non-mss value, force naglim to track mss.
205 * This can help to aggregate small writes.
206 */
207 if (mss < tcp->tcp_naglim || tcp->tcp_mss == tcp->tcp_naglim)
208 tcp->tcp_naglim = mss;
209 /*
210 * TCP should be able to buffer at least 4 MSS data for obvious
211 * performance reason.
212 */
213 if ((mss << 2) > connp->conn_sndbuf)
214 connp->conn_sndbuf = mss << 2;
215
216 /*
217 * Set the send lowater to at least twice of MSS.
218 */
219 if ((mss << 1) > connp->conn_sndlowat)
220 connp->conn_sndlowat = mss << 1;
221
222 /*
223 * Update tcp_cwnd according to the new value of MSS. Keep the
224 * previous ratio to preserve the transmit rate.
225 */
226 tcp->tcp_cwnd = (tcp->tcp_cwnd / tcp->tcp_mss) * mss;
227 tcp->tcp_cwnd_cnt = 0;
228
229 tcp->tcp_mss = mss;
230 (void) tcp_maxpsz_set(tcp, B_TRUE);
231 }
232
233 /*
234 * Extract option values from a tcp header. We put any found values into the
235 * tcpopt struct and return a bitmask saying which options were found.
236 */
237 static int
238 tcp_parse_options(tcpha_t *tcpha, tcp_opt_t *tcpopt)
239 {
240 uchar_t *endp;
241 int len;
242 uint32_t mss;
243 uchar_t *up = (uchar_t *)tcpha;
244 int found = 0;
245 int32_t sack_len;
246 tcp_seq sack_begin, sack_end;
247 tcp_t *tcp;
248
249 endp = up + TCP_HDR_LENGTH(tcpha);
250 up += TCP_MIN_HEADER_LENGTH;
251 while (up < endp) {
252 len = endp - up;
253 switch (*up) {
254 case TCPOPT_EOL:
255 break;
256
257 case TCPOPT_NOP:
258 up++;
259 continue;
260
261 case TCPOPT_MAXSEG:
262 if (len < TCPOPT_MAXSEG_LEN ||
263 up[1] != TCPOPT_MAXSEG_LEN)
264 break;
265
266 mss = BE16_TO_U16(up+2);
267 /* Caller must handle tcp_mss_min and tcp_mss_max_* */
268 tcpopt->tcp_opt_mss = mss;
269 found |= TCP_OPT_MSS_PRESENT;
270
271 up += TCPOPT_MAXSEG_LEN;
272 continue;
273
274 case TCPOPT_WSCALE:
275 if (len < TCPOPT_WS_LEN || up[1] != TCPOPT_WS_LEN)
276 break;
277
278 if (up[2] > TCP_MAX_WINSHIFT)
279 tcpopt->tcp_opt_wscale = TCP_MAX_WINSHIFT;
280 else
281 tcpopt->tcp_opt_wscale = up[2];
282 found |= TCP_OPT_WSCALE_PRESENT;
283
284 up += TCPOPT_WS_LEN;
285 continue;
286
287 case TCPOPT_SACK_PERMITTED:
288 if (len < TCPOPT_SACK_OK_LEN ||
289 up[1] != TCPOPT_SACK_OK_LEN)
290 break;
291 found |= TCP_OPT_SACK_OK_PRESENT;
292 up += TCPOPT_SACK_OK_LEN;
293 continue;
294
295 case TCPOPT_SACK:
296 if (len <= 2 || up[1] <= 2 || len < up[1])
297 break;
298
299 /* If TCP is not interested in SACK blks... */
300 if ((tcp = tcpopt->tcp) == NULL) {
301 up += up[1];
302 continue;
303 }
304 sack_len = up[1] - TCPOPT_HEADER_LEN;
305 up += TCPOPT_HEADER_LEN;
306
307 /*
308 * If the list is empty, allocate one and assume
309 * nothing is sack'ed.
310 */
311 if (tcp->tcp_notsack_list == NULL) {
312 tcp_notsack_update(&(tcp->tcp_notsack_list),
313 tcp->tcp_suna, tcp->tcp_snxt,
314 &(tcp->tcp_num_notsack_blk),
315 &(tcp->tcp_cnt_notsack_list));
316
317 /*
318 * Make sure tcp_notsack_list is not NULL.
319 * This happens when kmem_alloc(KM_NOSLEEP)
320 * returns NULL.
321 */
322 if (tcp->tcp_notsack_list == NULL) {
323 up += sack_len;
324 continue;
325 }
326 tcp->tcp_fack = tcp->tcp_suna;
327 }
328
329 while (sack_len > 0) {
330 if (up + 8 > endp) {
331 up = endp;
332 break;
333 }
334 sack_begin = BE32_TO_U32(up);
335 up += 4;
336 sack_end = BE32_TO_U32(up);
337 up += 4;
338 sack_len -= 8;
339 /*
340 * Bounds checking. Make sure the SACK
341 * info is within tcp_suna and tcp_snxt.
342 * If this SACK blk is out of bound, ignore
343 * it but continue to parse the following
344 * blks.
345 */
346 if (SEQ_LEQ(sack_end, sack_begin) ||
347 SEQ_LT(sack_begin, tcp->tcp_suna) ||
348 SEQ_GT(sack_end, tcp->tcp_snxt)) {
349 continue;
350 }
351 tcp_notsack_insert(&(tcp->tcp_notsack_list),
352 sack_begin, sack_end,
353 &(tcp->tcp_num_notsack_blk),
354 &(tcp->tcp_cnt_notsack_list));
355 if (SEQ_GT(sack_end, tcp->tcp_fack)) {
356 tcp->tcp_fack = sack_end;
357 }
358 }
359 found |= TCP_OPT_SACK_PRESENT;
360 continue;
361
362 case TCPOPT_TSTAMP:
363 if (len < TCPOPT_TSTAMP_LEN ||
364 up[1] != TCPOPT_TSTAMP_LEN)
365 break;
366
367 tcpopt->tcp_opt_ts_val = BE32_TO_U32(up+2);
368 tcpopt->tcp_opt_ts_ecr = BE32_TO_U32(up+6);
369
370 found |= TCP_OPT_TSTAMP_PRESENT;
371
372 up += TCPOPT_TSTAMP_LEN;
373 continue;
374
375 default:
376 if (len <= 1 || len < (int)up[1] || up[1] == 0)
377 break;
378 up += up[1];
379 continue;
380 }
381 break;
382 }
383 return (found);
384 }
385
386 /*
387 * Process all TCP option in SYN segment. Note that this function should
388 * be called after tcp_set_destination() is called so that the necessary info
389 * from IRE is already set in the tcp structure.
390 *
391 * This function sets up the correct tcp_mss value according to the
392 * MSS option value and our header size. It also sets up the window scale
393 * and timestamp values, and initialize SACK info blocks. But it does not
394 * change receive window size after setting the tcp_mss value. The caller
395 * should do the appropriate change.
396 */
397 static void
398 tcp_process_options(tcp_t *tcp, tcpha_t *tcpha)
399 {
400 int options;
401 tcp_opt_t tcpopt;
402 uint32_t mss_max;
403 char *tmp_tcph;
404 tcp_stack_t *tcps = tcp->tcp_tcps;
405 conn_t *connp = tcp->tcp_connp;
406
407 tcpopt.tcp = NULL;
408 options = tcp_parse_options(tcpha, &tcpopt);
409
410 /*
411 * Process MSS option. Note that MSS option value does not account
412 * for IP or TCP options. This means that it is equal to MTU - minimum
413 * IP+TCP header size, which is 40 bytes for IPv4 and 60 bytes for
414 * IPv6.
415 */
416 if (!(options & TCP_OPT_MSS_PRESENT)) {
417 if (connp->conn_ipversion == IPV4_VERSION)
418 tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv4;
419 else
420 tcpopt.tcp_opt_mss = tcps->tcps_mss_def_ipv6;
421 } else {
422 if (connp->conn_ipversion == IPV4_VERSION)
423 mss_max = tcps->tcps_mss_max_ipv4;
424 else
425 mss_max = tcps->tcps_mss_max_ipv6;
426 if (tcpopt.tcp_opt_mss < tcps->tcps_mss_min)
427 tcpopt.tcp_opt_mss = tcps->tcps_mss_min;
428 else if (tcpopt.tcp_opt_mss > mss_max)
429 tcpopt.tcp_opt_mss = mss_max;
430 }
431
432 /* Process Window Scale option. */
433 if (options & TCP_OPT_WSCALE_PRESENT) {
434 tcp->tcp_snd_ws = tcpopt.tcp_opt_wscale;
435 tcp->tcp_snd_ws_ok = B_TRUE;
436 } else {
437 tcp->tcp_snd_ws = B_FALSE;
438 tcp->tcp_snd_ws_ok = B_FALSE;
439 tcp->tcp_rcv_ws = B_FALSE;
440 }
441
442 /* Process Timestamp option. */
443 if ((options & TCP_OPT_TSTAMP_PRESENT) &&
444 (tcp->tcp_snd_ts_ok || TCP_IS_DETACHED(tcp))) {
445 tmp_tcph = (char *)tcp->tcp_tcpha;
446
447 tcp->tcp_snd_ts_ok = B_TRUE;
448 tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
449 tcp->tcp_last_rcv_lbolt = ddi_get_lbolt64();
450 ASSERT(OK_32PTR(tmp_tcph));
451 ASSERT(connp->conn_ht_ulp_len == TCP_MIN_HEADER_LENGTH);
452
453 /* Fill in our template header with basic timestamp option. */
454 tmp_tcph += connp->conn_ht_ulp_len;
455 tmp_tcph[0] = TCPOPT_NOP;
456 tmp_tcph[1] = TCPOPT_NOP;
457 tmp_tcph[2] = TCPOPT_TSTAMP;
458 tmp_tcph[3] = TCPOPT_TSTAMP_LEN;
459 connp->conn_ht_iphc_len += TCPOPT_REAL_TS_LEN;
460 connp->conn_ht_ulp_len += TCPOPT_REAL_TS_LEN;
461 tcp->tcp_tcpha->tha_offset_and_reserved += (3 << 4);
462 } else {
463 tcp->tcp_snd_ts_ok = B_FALSE;
464 }
465
466 /*
467 * Process SACK options. If SACK is enabled for this connection,
468 * then allocate the SACK info structure. Note the following ways
469 * when tcp_snd_sack_ok is set to true.
470 *
471 * For active connection: in tcp_set_destination() called in
472 * tcp_connect().
473 *
474 * For passive connection: in tcp_set_destination() called in
475 * tcp_input_listener().
476 *
477 * That's the reason why the extra TCP_IS_DETACHED() check is there.
478 * That check makes sure that if we did not send a SACK OK option,
479 * we will not enable SACK for this connection even though the other
480 * side sends us SACK OK option. For active connection, the SACK
481 * info structure has already been allocated. So we need to free
482 * it if SACK is disabled.
483 */
484 if ((options & TCP_OPT_SACK_OK_PRESENT) &&
485 (tcp->tcp_snd_sack_ok ||
486 (tcps->tcps_sack_permitted != 0 && TCP_IS_DETACHED(tcp)))) {
487 ASSERT(tcp->tcp_num_sack_blk == 0);
488 ASSERT(tcp->tcp_notsack_list == NULL);
489
490 tcp->tcp_snd_sack_ok = B_TRUE;
491 if (tcp->tcp_snd_ts_ok) {
492 tcp->tcp_max_sack_blk = 3;
493 } else {
494 tcp->tcp_max_sack_blk = 4;
495 }
496 } else if (tcp->tcp_snd_sack_ok) {
497 /*
498 * Resetting tcp_snd_sack_ok to B_FALSE so that
499 * no SACK info will be used for this
500 * connection. This assumes that SACK usage
501 * permission is negotiated. This may need
502 * to be changed once this is clarified.
503 */
504 ASSERT(tcp->tcp_num_sack_blk == 0);
505 ASSERT(tcp->tcp_notsack_list == NULL);
506 tcp->tcp_snd_sack_ok = B_FALSE;
507 }
508
509 /*
510 * Now we know the exact TCP/IP header length, subtract
511 * that from tcp_mss to get our side's MSS.
512 */
513 tcp->tcp_mss -= connp->conn_ht_iphc_len;
514
515 /*
516 * Here we assume that the other side's header size will be equal to
517 * our header size. We calculate the real MSS accordingly. Need to
518 * take into additional stuffs IPsec puts in.
519 *
520 * Real MSS = Opt.MSS - (our TCP/IP header - min TCP/IP header)
521 */
522 tcpopt.tcp_opt_mss -= connp->conn_ht_iphc_len +
523 tcp->tcp_ipsec_overhead -
524 ((connp->conn_ipversion == IPV4_VERSION ?
525 IP_SIMPLE_HDR_LENGTH : IPV6_HDR_LEN) + TCP_MIN_HEADER_LENGTH);
526
527 /*
528 * Set MSS to the smaller one of both ends of the connection.
529 * We should not have called tcp_mss_set() before, but our
530 * side of the MSS should have been set to a proper value
531 * by tcp_set_destination(). tcp_mss_set() will also set up the
532 * STREAM head parameters properly.
533 *
534 * If we have a larger-than-16-bit window but the other side
535 * didn't want to do window scale, tcp_rwnd_set() will take
536 * care of that.
537 */
538 tcp_mss_set(tcp, MIN(tcpopt.tcp_opt_mss, tcp->tcp_mss));
539
540 /*
541 * Initialize tcp_cwnd value. After tcp_mss_set(), tcp_mss has been
542 * updated properly.
543 */
544 TCP_SET_INIT_CWND(tcp, tcp->tcp_mss, tcps->tcps_slow_start_initial);
545 }
546
547 /*
548 * Add a new piece to the tcp reassembly queue. If the gap at the beginning
549 * is filled, return as much as we can. The message passed in may be
550 * multi-part, chained using b_cont. "start" is the starting sequence
551 * number for this piece.
552 */
553 static mblk_t *
554 tcp_reass(tcp_t *tcp, mblk_t *mp, uint32_t start)
555 {
556 uint32_t end;
557 mblk_t *mp1;
558 mblk_t *mp2;
559 mblk_t *next_mp;
560 uint32_t u1;
561 tcp_stack_t *tcps = tcp->tcp_tcps;
562
563
564 /* Walk through all the new pieces. */
565 do {
566 ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
567 (uintptr_t)INT_MAX);
568 end = start + (int)(mp->b_wptr - mp->b_rptr);
569 next_mp = mp->b_cont;
570 if (start == end) {
571 /* Empty. Blast it. */
572 freeb(mp);
573 continue;
574 }
575 mp->b_cont = NULL;
576 TCP_REASS_SET_SEQ(mp, start);
577 TCP_REASS_SET_END(mp, end);
578 mp1 = tcp->tcp_reass_tail;
579 if (!mp1) {
580 tcp->tcp_reass_tail = mp;
581 tcp->tcp_reass_head = mp;
582 TCPS_BUMP_MIB(tcps, tcpInDataUnorderSegs);
583 TCPS_UPDATE_MIB(tcps, tcpInDataUnorderBytes,
584 end - start);
585 continue;
586 }
587 /* New stuff completely beyond tail? */
588 if (SEQ_GEQ(start, TCP_REASS_END(mp1))) {
589 /* Link it on end. */
590 mp1->b_cont = mp;
591 tcp->tcp_reass_tail = mp;
592 TCPS_BUMP_MIB(tcps, tcpInDataUnorderSegs);
593 TCPS_UPDATE_MIB(tcps, tcpInDataUnorderBytes,
594 end - start);
595 continue;
596 }
597 mp1 = tcp->tcp_reass_head;
598 u1 = TCP_REASS_SEQ(mp1);
599 /* New stuff at the front? */
600 if (SEQ_LT(start, u1)) {
601 /* Yes... Check for overlap. */
602 mp->b_cont = mp1;
603 tcp->tcp_reass_head = mp;
604 tcp_reass_elim_overlap(tcp, mp);
605 continue;
606 }
607 /*
608 * The new piece fits somewhere between the head and tail.
609 * We find our slot, where mp1 precedes us and mp2 trails.
610 */
611 for (; (mp2 = mp1->b_cont) != NULL; mp1 = mp2) {
612 u1 = TCP_REASS_SEQ(mp2);
613 if (SEQ_LEQ(start, u1))
614 break;
615 }
616 /* Link ourselves in */
617 mp->b_cont = mp2;
618 mp1->b_cont = mp;
619
620 /* Trim overlap with following mblk(s) first */
621 tcp_reass_elim_overlap(tcp, mp);
622
623 /* Trim overlap with preceding mblk */
624 tcp_reass_elim_overlap(tcp, mp1);
625
626 } while (start = end, mp = next_mp);
627 mp1 = tcp->tcp_reass_head;
628 /* Anything ready to go? */
629 if (TCP_REASS_SEQ(mp1) != tcp->tcp_rnxt)
630 return (NULL);
631 /* Eat what we can off the queue */
632 for (;;) {
633 mp = mp1->b_cont;
634 end = TCP_REASS_END(mp1);
635 TCP_REASS_SET_SEQ(mp1, 0);
636 TCP_REASS_SET_END(mp1, 0);
637 if (!mp) {
638 tcp->tcp_reass_tail = NULL;
639 break;
640 }
641 if (end != TCP_REASS_SEQ(mp)) {
642 mp1->b_cont = NULL;
643 break;
644 }
645 mp1 = mp;
646 }
647 mp1 = tcp->tcp_reass_head;
648 tcp->tcp_reass_head = mp;
649 return (mp1);
650 }
651
652 /* Eliminate any overlap that mp may have over later mblks */
653 static void
654 tcp_reass_elim_overlap(tcp_t *tcp, mblk_t *mp)
655 {
656 uint32_t end;
657 mblk_t *mp1;
658 uint32_t u1;
659 tcp_stack_t *tcps = tcp->tcp_tcps;
660
661 end = TCP_REASS_END(mp);
662 while ((mp1 = mp->b_cont) != NULL) {
663 u1 = TCP_REASS_SEQ(mp1);
664 if (!SEQ_GT(end, u1))
665 break;
666 if (!SEQ_GEQ(end, TCP_REASS_END(mp1))) {
667 mp->b_wptr -= end - u1;
668 TCP_REASS_SET_END(mp, u1);
669 TCPS_BUMP_MIB(tcps, tcpInDataPartDupSegs);
670 TCPS_UPDATE_MIB(tcps, tcpInDataPartDupBytes,
671 end - u1);
672 break;
673 }
674 mp->b_cont = mp1->b_cont;
675 TCP_REASS_SET_SEQ(mp1, 0);
676 TCP_REASS_SET_END(mp1, 0);
677 freeb(mp1);
678 TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
679 TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes, end - u1);
680 }
681 if (!mp1)
682 tcp->tcp_reass_tail = mp;
683 }
684
685 /*
686 * This function does PAWS protection check. Returns B_TRUE if the
687 * segment passes the PAWS test, else returns B_FALSE.
688 */
689 boolean_t
690 tcp_paws_check(tcp_t *tcp, tcpha_t *tcpha, tcp_opt_t *tcpoptp)
691 {
692 uint8_t flags;
693 int options;
694 uint8_t *up;
695 conn_t *connp = tcp->tcp_connp;
696
697 flags = (unsigned int)tcpha->tha_flags & 0xFF;
698 /*
699 * If timestamp option is aligned nicely, get values inline,
700 * otherwise call general routine to parse. Only do that
701 * if timestamp is the only option.
702 */
703 if (TCP_HDR_LENGTH(tcpha) == (uint32_t)TCP_MIN_HEADER_LENGTH +
704 TCPOPT_REAL_TS_LEN &&
705 OK_32PTR((up = ((uint8_t *)tcpha) +
706 TCP_MIN_HEADER_LENGTH)) &&
707 *(uint32_t *)up == TCPOPT_NOP_NOP_TSTAMP) {
708 tcpoptp->tcp_opt_ts_val = ABE32_TO_U32((up+4));
709 tcpoptp->tcp_opt_ts_ecr = ABE32_TO_U32((up+8));
710
711 options = TCP_OPT_TSTAMP_PRESENT;
712 } else {
713 if (tcp->tcp_snd_sack_ok) {
714 tcpoptp->tcp = tcp;
715 } else {
716 tcpoptp->tcp = NULL;
717 }
718 options = tcp_parse_options(tcpha, tcpoptp);
719 }
720
721 if (options & TCP_OPT_TSTAMP_PRESENT) {
722 /*
723 * Do PAWS per RFC 1323 section 4.2. Accept RST
724 * regardless of the timestamp, page 18 RFC 1323.bis.
725 */
726 if ((flags & TH_RST) == 0 &&
727 TSTMP_LT(tcpoptp->tcp_opt_ts_val,
728 tcp->tcp_ts_recent)) {
729 if (LBOLT_FASTPATH64 <
730 (tcp->tcp_last_rcv_lbolt + PAWS_TIMEOUT)) {
731 /* This segment is not acceptable. */
732 return (B_FALSE);
733 } else {
734 /*
735 * Connection has been idle for
736 * too long. Reset the timestamp
737 * and assume the segment is valid.
738 */
739 tcp->tcp_ts_recent =
740 tcpoptp->tcp_opt_ts_val;
741 }
742 }
743 } else {
744 /*
745 * If we don't get a timestamp on every packet, we
746 * figure we can't really trust 'em, so we stop sending
747 * and parsing them.
748 */
749 tcp->tcp_snd_ts_ok = B_FALSE;
750
751 connp->conn_ht_iphc_len -= TCPOPT_REAL_TS_LEN;
752 connp->conn_ht_ulp_len -= TCPOPT_REAL_TS_LEN;
753 tcp->tcp_tcpha->tha_offset_and_reserved -= (3 << 4);
754 /*
755 * Adjust the tcp_mss and tcp_cwnd accordingly. We avoid
756 * doing a slow start here so as to not to lose on the
757 * transfer rate built up so far.
758 */
759 tcp_mss_set(tcp, tcp->tcp_mss + TCPOPT_REAL_TS_LEN);
760 if (tcp->tcp_snd_sack_ok)
761 tcp->tcp_max_sack_blk = 4;
762 }
763 return (B_TRUE);
764 }
765
766 /*
767 * Defense for the SYN attack -
768 * 1. When q0 is full, drop from the tail (tcp_eager_prev_drop_q0) the oldest
769 * one from the list of droppable eagers. This list is a subset of q0.
770 * see comments before the definition of MAKE_DROPPABLE().
771 * 2. Don't drop a SYN request before its first timeout. This gives every
772 * request at least til the first timeout to complete its 3-way handshake.
773 * 3. Maintain tcp_syn_rcvd_timeout as an accurate count of how many
774 * requests currently on the queue that has timed out. This will be used
775 * as an indicator of whether an attack is under way, so that appropriate
776 * actions can be taken. (It's incremented in tcp_timer() and decremented
777 * either when eager goes into ESTABLISHED, or gets freed up.)
778 * 4. The current threshold is - # of timeout > q0len/4 => SYN alert on
779 * # of timeout drops back to <= q0len/32 => SYN alert off
780 */
781 static boolean_t
782 tcp_drop_q0(tcp_t *tcp)
783 {
784 tcp_t *eager;
785 mblk_t *mp;
786 tcp_stack_t *tcps = tcp->tcp_tcps;
787
788 ASSERT(MUTEX_HELD(&tcp->tcp_eager_lock));
789 ASSERT(tcp->tcp_eager_next_q0 != tcp->tcp_eager_prev_q0);
790
791 /* Pick oldest eager from the list of droppable eagers */
792 eager = tcp->tcp_eager_prev_drop_q0;
793
794 /* If list is empty. return B_FALSE */
795 if (eager == tcp) {
796 return (B_FALSE);
797 }
798
799 /* If allocated, the mp will be freed in tcp_clean_death_wrapper() */
800 if ((mp = allocb(0, BPRI_HI)) == NULL)
801 return (B_FALSE);
802
803 /*
804 * Take this eager out from the list of droppable eagers since we are
805 * going to drop it.
806 */
807 MAKE_UNDROPPABLE(eager);
808
809 if (tcp->tcp_connp->conn_debug) {
810 (void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
811 "tcp_drop_q0: listen half-open queue (max=%d) overflow"
812 " (%d pending) on %s, drop one", tcps->tcps_conn_req_max_q0,
813 tcp->tcp_conn_req_cnt_q0,
814 tcp_display(tcp, NULL, DISP_PORT_ONLY));
815 }
816
817 TCPS_BUMP_MIB(tcps, tcpHalfOpenDrop);
818
819 /* Put a reference on the conn as we are enqueueing it in the sqeue */
820 CONN_INC_REF(eager->tcp_connp);
821
822 SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
823 tcp_clean_death_wrapper, eager->tcp_connp, NULL,
824 SQ_FILL, SQTAG_TCP_DROP_Q0);
825
826 return (B_TRUE);
827 }
828
829 /*
830 * Handle a SYN on an AF_INET6 socket; can be either IPv4 or IPv6
831 */
832 static mblk_t *
833 tcp_conn_create_v6(conn_t *lconnp, conn_t *connp, mblk_t *mp,
834 ip_recv_attr_t *ira)
835 {
836 tcp_t *ltcp = lconnp->conn_tcp;
837 tcp_t *tcp = connp->conn_tcp;
838 mblk_t *tpi_mp;
839 ipha_t *ipha;
840 ip6_t *ip6h;
841 sin6_t sin6;
842 uint_t ifindex = ira->ira_ruifindex;
843 tcp_stack_t *tcps = tcp->tcp_tcps;
844
845 if (ira->ira_flags & IRAF_IS_IPV4) {
846 ipha = (ipha_t *)mp->b_rptr;
847
848 connp->conn_ipversion = IPV4_VERSION;
849 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
850 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
851 connp->conn_saddr_v6 = connp->conn_laddr_v6;
852
853 sin6 = sin6_null;
854 sin6.sin6_addr = connp->conn_faddr_v6;
855 sin6.sin6_port = connp->conn_fport;
856 sin6.sin6_family = AF_INET6;
857 sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
858 IPCL_ZONEID(lconnp), tcps->tcps_netstack);
859
860 if (connp->conn_recv_ancillary.crb_recvdstaddr) {
861 sin6_t sin6d;
862
863 sin6d = sin6_null;
864 sin6d.sin6_addr = connp->conn_laddr_v6;
865 sin6d.sin6_port = connp->conn_lport;
866 sin6d.sin6_family = AF_INET;
867 tpi_mp = mi_tpi_extconn_ind(NULL,
868 (char *)&sin6d, sizeof (sin6_t),
869 (char *)&tcp,
870 (t_scalar_t)sizeof (intptr_t),
871 (char *)&sin6d, sizeof (sin6_t),
872 (t_scalar_t)ltcp->tcp_conn_req_seqnum);
873 } else {
874 tpi_mp = mi_tpi_conn_ind(NULL,
875 (char *)&sin6, sizeof (sin6_t),
876 (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
877 (t_scalar_t)ltcp->tcp_conn_req_seqnum);
878 }
879 } else {
880 ip6h = (ip6_t *)mp->b_rptr;
881
882 connp->conn_ipversion = IPV6_VERSION;
883 connp->conn_laddr_v6 = ip6h->ip6_dst;
884 connp->conn_faddr_v6 = ip6h->ip6_src;
885 connp->conn_saddr_v6 = connp->conn_laddr_v6;
886
887 sin6 = sin6_null;
888 sin6.sin6_addr = connp->conn_faddr_v6;
889 sin6.sin6_port = connp->conn_fport;
890 sin6.sin6_family = AF_INET6;
891 sin6.sin6_flowinfo = ip6h->ip6_vcf & ~IPV6_VERS_AND_FLOW_MASK;
892 sin6.__sin6_src_id = ip_srcid_find_addr(&connp->conn_laddr_v6,
893 IPCL_ZONEID(lconnp), tcps->tcps_netstack);
894
895 if (IN6_IS_ADDR_LINKSCOPE(&ip6h->ip6_src)) {
896 /* Pass up the scope_id of remote addr */
897 sin6.sin6_scope_id = ifindex;
898 } else {
899 sin6.sin6_scope_id = 0;
900 }
901 if (connp->conn_recv_ancillary.crb_recvdstaddr) {
902 sin6_t sin6d;
903
904 sin6d = sin6_null;
905 sin6.sin6_addr = connp->conn_laddr_v6;
906 sin6d.sin6_port = connp->conn_lport;
907 sin6d.sin6_family = AF_INET6;
908 if (IN6_IS_ADDR_LINKSCOPE(&connp->conn_laddr_v6))
909 sin6d.sin6_scope_id = ifindex;
910
911 tpi_mp = mi_tpi_extconn_ind(NULL,
912 (char *)&sin6d, sizeof (sin6_t),
913 (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
914 (char *)&sin6d, sizeof (sin6_t),
915 (t_scalar_t)ltcp->tcp_conn_req_seqnum);
916 } else {
917 tpi_mp = mi_tpi_conn_ind(NULL,
918 (char *)&sin6, sizeof (sin6_t),
919 (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
920 (t_scalar_t)ltcp->tcp_conn_req_seqnum);
921 }
922 }
923
924 tcp->tcp_mss = tcps->tcps_mss_def_ipv6;
925 return (tpi_mp);
926 }
927
928 /* Handle a SYN on an AF_INET socket */
929 static mblk_t *
930 tcp_conn_create_v4(conn_t *lconnp, conn_t *connp, mblk_t *mp,
931 ip_recv_attr_t *ira)
932 {
933 tcp_t *ltcp = lconnp->conn_tcp;
934 tcp_t *tcp = connp->conn_tcp;
935 sin_t sin;
936 mblk_t *tpi_mp = NULL;
937 tcp_stack_t *tcps = tcp->tcp_tcps;
938 ipha_t *ipha;
939
940 ASSERT(ira->ira_flags & IRAF_IS_IPV4);
941 ipha = (ipha_t *)mp->b_rptr;
942
943 connp->conn_ipversion = IPV4_VERSION;
944 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_dst, &connp->conn_laddr_v6);
945 IN6_IPADDR_TO_V4MAPPED(ipha->ipha_src, &connp->conn_faddr_v6);
946 connp->conn_saddr_v6 = connp->conn_laddr_v6;
947
948 sin = sin_null;
949 sin.sin_addr.s_addr = connp->conn_faddr_v4;
950 sin.sin_port = connp->conn_fport;
951 sin.sin_family = AF_INET;
952 if (lconnp->conn_recv_ancillary.crb_recvdstaddr) {
953 sin_t sind;
954
955 sind = sin_null;
956 sind.sin_addr.s_addr = connp->conn_laddr_v4;
957 sind.sin_port = connp->conn_lport;
958 sind.sin_family = AF_INET;
959 tpi_mp = mi_tpi_extconn_ind(NULL,
960 (char *)&sind, sizeof (sin_t), (char *)&tcp,
961 (t_scalar_t)sizeof (intptr_t), (char *)&sind,
962 sizeof (sin_t), (t_scalar_t)ltcp->tcp_conn_req_seqnum);
963 } else {
964 tpi_mp = mi_tpi_conn_ind(NULL,
965 (char *)&sin, sizeof (sin_t),
966 (char *)&tcp, (t_scalar_t)sizeof (intptr_t),
967 (t_scalar_t)ltcp->tcp_conn_req_seqnum);
968 }
969
970 tcp->tcp_mss = tcps->tcps_mss_def_ipv4;
971 return (tpi_mp);
972 }
973
974 /*
975 * Called via squeue to get on to eager's perimeter. It sends a
976 * TH_RST if eager is in the fanout table. The listener wants the
977 * eager to disappear either by means of tcp_eager_blowoff() or
978 * tcp_eager_cleanup() being called. tcp_eager_kill() can also be
979 * called (via squeue) if the eager cannot be inserted in the
980 * fanout table in tcp_input_listener().
981 */
982 /* ARGSUSED */
983 void
984 tcp_eager_kill(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
985 {
986 conn_t *econnp = (conn_t *)arg;
987 tcp_t *eager = econnp->conn_tcp;
988 tcp_t *listener = eager->tcp_listener;
989
990 /*
991 * We could be called because listener is closing. Since
992 * the eager was using listener's queue's, we avoid
993 * using the listeners queues from now on.
994 */
995 ASSERT(eager->tcp_detached);
996 econnp->conn_rq = NULL;
997 econnp->conn_wq = NULL;
998
999 /*
1000 * An eager's conn_fanout will be NULL if it's a duplicate
1001 * for an existing 4-tuples in the conn fanout table.
1002 * We don't want to send an RST out in such case.
1003 */
1004 if (econnp->conn_fanout != NULL && eager->tcp_state > TCPS_LISTEN) {
1005 tcp_xmit_ctl("tcp_eager_kill, can't wait",
1006 eager, eager->tcp_snxt, 0, TH_RST);
1007 }
1008
1009 /* We are here because listener wants this eager gone */
1010 if (listener != NULL) {
1011 mutex_enter(&listener->tcp_eager_lock);
1012 tcp_eager_unlink(eager);
1013 if (eager->tcp_tconnind_started) {
1014 /*
1015 * The eager has sent a conn_ind up to the
1016 * listener but listener decides to close
1017 * instead. We need to drop the extra ref
1018 * placed on eager in tcp_input_data() before
1019 * sending the conn_ind to listener.
1020 */
1021 CONN_DEC_REF(econnp);
1022 }
1023 mutex_exit(&listener->tcp_eager_lock);
1024 CONN_DEC_REF(listener->tcp_connp);
1025 }
1026
1027 if (eager->tcp_state != TCPS_CLOSED)
1028 tcp_close_detached(eager);
1029 }
1030
1031 /*
1032 * Reset any eager connection hanging off this listener marked
1033 * with 'seqnum' and then reclaim it's resources.
1034 */
1035 boolean_t
1036 tcp_eager_blowoff(tcp_t *listener, t_scalar_t seqnum)
1037 {
1038 tcp_t *eager;
1039 mblk_t *mp;
1040
1041 eager = listener;
1042 mutex_enter(&listener->tcp_eager_lock);
1043 do {
1044 eager = eager->tcp_eager_next_q;
1045 if (eager == NULL) {
1046 mutex_exit(&listener->tcp_eager_lock);
1047 return (B_FALSE);
1048 }
1049 } while (eager->tcp_conn_req_seqnum != seqnum);
1050
1051 if (eager->tcp_closemp_used) {
1052 mutex_exit(&listener->tcp_eager_lock);
1053 return (B_TRUE);
1054 }
1055 eager->tcp_closemp_used = B_TRUE;
1056 TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1057 CONN_INC_REF(eager->tcp_connp);
1058 mutex_exit(&listener->tcp_eager_lock);
1059 mp = &eager->tcp_closemp;
1060 SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp, tcp_eager_kill,
1061 eager->tcp_connp, NULL, SQ_FILL, SQTAG_TCP_EAGER_BLOWOFF);
1062 return (B_TRUE);
1063 }
1064
1065 /*
1066 * Reset any eager connection hanging off this listener
1067 * and then reclaim it's resources.
1068 */
1069 void
1070 tcp_eager_cleanup(tcp_t *listener, boolean_t q0_only)
1071 {
1072 tcp_t *eager;
1073 mblk_t *mp;
1074 tcp_stack_t *tcps = listener->tcp_tcps;
1075
1076 ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
1077
1078 if (!q0_only) {
1079 /* First cleanup q */
1080 TCP_STAT(tcps, tcp_eager_blowoff_q);
1081 eager = listener->tcp_eager_next_q;
1082 while (eager != NULL) {
1083 if (!eager->tcp_closemp_used) {
1084 eager->tcp_closemp_used = B_TRUE;
1085 TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1086 CONN_INC_REF(eager->tcp_connp);
1087 mp = &eager->tcp_closemp;
1088 SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
1089 tcp_eager_kill, eager->tcp_connp, NULL,
1090 SQ_FILL, SQTAG_TCP_EAGER_CLEANUP);
1091 }
1092 eager = eager->tcp_eager_next_q;
1093 }
1094 }
1095 /* Then cleanup q0 */
1096 TCP_STAT(tcps, tcp_eager_blowoff_q0);
1097 eager = listener->tcp_eager_next_q0;
1098 while (eager != listener) {
1099 if (!eager->tcp_closemp_used) {
1100 eager->tcp_closemp_used = B_TRUE;
1101 TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1102 CONN_INC_REF(eager->tcp_connp);
1103 mp = &eager->tcp_closemp;
1104 SQUEUE_ENTER_ONE(eager->tcp_connp->conn_sqp, mp,
1105 tcp_eager_kill, eager->tcp_connp, NULL, SQ_FILL,
1106 SQTAG_TCP_EAGER_CLEANUP_Q0);
1107 }
1108 eager = eager->tcp_eager_next_q0;
1109 }
1110 }
1111
1112 /*
1113 * If we are an eager connection hanging off a listener that hasn't
1114 * formally accepted the connection yet, get off his list and blow off
1115 * any data that we have accumulated.
1116 */
1117 void
1118 tcp_eager_unlink(tcp_t *tcp)
1119 {
1120 tcp_t *listener = tcp->tcp_listener;
1121
1122 ASSERT(listener != NULL);
1123 ASSERT(MUTEX_HELD(&listener->tcp_eager_lock));
1124 if (tcp->tcp_eager_next_q0 != NULL) {
1125 ASSERT(tcp->tcp_eager_prev_q0 != NULL);
1126
1127 /* Remove the eager tcp from q0 */
1128 tcp->tcp_eager_next_q0->tcp_eager_prev_q0 =
1129 tcp->tcp_eager_prev_q0;
1130 tcp->tcp_eager_prev_q0->tcp_eager_next_q0 =
1131 tcp->tcp_eager_next_q0;
1132 ASSERT(listener->tcp_conn_req_cnt_q0 > 0);
1133 listener->tcp_conn_req_cnt_q0--;
1134
1135 tcp->tcp_eager_next_q0 = NULL;
1136 tcp->tcp_eager_prev_q0 = NULL;
1137
1138 /*
1139 * Take the eager out, if it is in the list of droppable
1140 * eagers.
1141 */
1142 MAKE_UNDROPPABLE(tcp);
1143
1144 if (tcp->tcp_syn_rcvd_timeout != 0) {
1145 /* we have timed out before */
1146 ASSERT(listener->tcp_syn_rcvd_timeout > 0);
1147 listener->tcp_syn_rcvd_timeout--;
1148 }
1149 } else {
1150 tcp_t **tcpp = &listener->tcp_eager_next_q;
1151 tcp_t *prev = NULL;
1152
1153 for (; tcpp[0]; tcpp = &tcpp[0]->tcp_eager_next_q) {
1154 if (tcpp[0] == tcp) {
1155 if (listener->tcp_eager_last_q == tcp) {
1156 /*
1157 * If we are unlinking the last
1158 * element on the list, adjust
1159 * tail pointer. Set tail pointer
1160 * to nil when list is empty.
1161 */
1162 ASSERT(tcp->tcp_eager_next_q == NULL);
1163 if (listener->tcp_eager_last_q ==
1164 listener->tcp_eager_next_q) {
1165 listener->tcp_eager_last_q =
1166 NULL;
1167 } else {
1168 /*
1169 * We won't get here if there
1170 * is only one eager in the
1171 * list.
1172 */
1173 ASSERT(prev != NULL);
1174 listener->tcp_eager_last_q =
1175 prev;
1176 }
1177 }
1178 tcpp[0] = tcp->tcp_eager_next_q;
1179 tcp->tcp_eager_next_q = NULL;
1180 tcp->tcp_eager_last_q = NULL;
1181 ASSERT(listener->tcp_conn_req_cnt_q > 0);
1182 listener->tcp_conn_req_cnt_q--;
1183 break;
1184 }
1185 prev = tcpp[0];
1186 }
1187 }
1188 tcp->tcp_listener = NULL;
1189 }
1190
1191 /* BEGIN CSTYLED */
1192 /*
1193 *
1194 * The sockfs ACCEPT path:
1195 * =======================
1196 *
1197 * The eager is now established in its own perimeter as soon as SYN is
1198 * received in tcp_input_listener(). When sockfs receives conn_ind, it
1199 * completes the accept processing on the acceptor STREAM. The sending
1200 * of conn_ind part is common for both sockfs listener and a TLI/XTI
1201 * listener but a TLI/XTI listener completes the accept processing
1202 * on the listener perimeter.
1203 *
1204 * Common control flow for 3 way handshake:
1205 * ----------------------------------------
1206 *
1207 * incoming SYN (listener perimeter) -> tcp_input_listener()
1208 *
1209 * incoming SYN-ACK-ACK (eager perim) -> tcp_input_data()
1210 * send T_CONN_IND (listener perim) -> tcp_send_conn_ind()
1211 *
1212 * Sockfs ACCEPT Path:
1213 * -------------------
1214 *
1215 * open acceptor stream (tcp_open allocates tcp_tli_accept()
1216 * as STREAM entry point)
1217 *
1218 * soaccept() sends T_CONN_RES on the acceptor STREAM to tcp_tli_accept()
1219 *
1220 * tcp_tli_accept() extracts the eager and makes the q->q_ptr <-> eager
1221 * association (we are not behind eager's squeue but sockfs is protecting us
1222 * and no one knows about this stream yet. The STREAMS entry point q->q_info
1223 * is changed to point at tcp_wput().
1224 *
1225 * tcp_accept_common() sends any deferred eagers via tcp_send_pending() to
1226 * listener (done on listener's perimeter).
1227 *
1228 * tcp_tli_accept() calls tcp_accept_finish() on eagers perimeter to finish
1229 * accept.
1230 *
1231 * TLI/XTI client ACCEPT path:
1232 * ---------------------------
1233 *
1234 * soaccept() sends T_CONN_RES on the listener STREAM.
1235 *
1236 * tcp_tli_accept() -> tcp_accept_swap() complete the processing and send
1237 * a M_SETOPS mblk to eager perimeter to finish accept (tcp_accept_finish()).
1238 *
1239 * Locks:
1240 * ======
1241 *
1242 * listener->tcp_eager_lock protects the listeners->tcp_eager_next_q0 and
1243 * and listeners->tcp_eager_next_q.
1244 *
1245 * Referencing:
1246 * ============
1247 *
1248 * 1) We start out in tcp_input_listener by eager placing a ref on
1249 * listener and listener adding eager to listeners->tcp_eager_next_q0.
1250 *
1251 * 2) When a SYN-ACK-ACK arrives, we send the conn_ind to listener. Before
1252 * doing so we place a ref on the eager. This ref is finally dropped at the
1253 * end of tcp_accept_finish() while unwinding from the squeue, i.e. the
1254 * reference is dropped by the squeue framework.
1255 *
1256 * 3) The ref on listener placed in 1 above is dropped in tcp_accept_finish
1257 *
1258 * The reference must be released by the same entity that added the reference
1259 * In the above scheme, the eager is the entity that adds and releases the
1260 * references. Note that tcp_accept_finish executes in the squeue of the eager
1261 * (albeit after it is attached to the acceptor stream). Though 1. executes
1262 * in the listener's squeue, the eager is nascent at this point and the
1263 * reference can be considered to have been added on behalf of the eager.
1264 *
1265 * Eager getting a Reset or listener closing:
1266 * ==========================================
1267 *
1268 * Once the listener and eager are linked, the listener never does the unlink.
1269 * If the listener needs to close, tcp_eager_cleanup() is called which queues
1270 * a message on all eager perimeter. The eager then does the unlink, clears
1271 * any pointers to the listener's queue and drops the reference to the
1272 * listener. The listener waits in tcp_close outside the squeue until its
1273 * refcount has dropped to 1. This ensures that the listener has waited for
1274 * all eagers to clear their association with the listener.
1275 *
1276 * Similarly, if eager decides to go away, it can unlink itself and close.
1277 * When the T_CONN_RES comes down, we check if eager has closed. Note that
1278 * the reference to eager is still valid because of the extra ref we put
1279 * in tcp_send_conn_ind.
1280 *
1281 * Listener can always locate the eager under the protection
1282 * of the listener->tcp_eager_lock, and then do a refhold
1283 * on the eager during the accept processing.
1284 *
1285 * The acceptor stream accesses the eager in the accept processing
1286 * based on the ref placed on eager before sending T_conn_ind.
1287 * The only entity that can negate this refhold is a listener close
1288 * which is mutually exclusive with an active acceptor stream.
1289 *
1290 * Eager's reference on the listener
1291 * ===================================
1292 *
1293 * If the accept happens (even on a closed eager) the eager drops its
1294 * reference on the listener at the start of tcp_accept_finish. If the
1295 * eager is killed due to an incoming RST before the T_conn_ind is sent up,
1296 * the reference is dropped in tcp_closei_local. If the listener closes,
1297 * the reference is dropped in tcp_eager_kill. In all cases the reference
1298 * is dropped while executing in the eager's context (squeue).
1299 */
1300 /* END CSTYLED */
1301
1302 /* Process the SYN packet, mp, directed at the listener 'tcp' */
1303
1304 /*
1305 * THIS FUNCTION IS DIRECTLY CALLED BY IP VIA SQUEUE FOR SYN.
1306 * tcp_input_data will not see any packets for listeners since the listener
1307 * has conn_recv set to tcp_input_listener.
1308 */
1309 /* ARGSUSED */
1310 static void
1311 tcp_input_listener(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
1312 {
1313 tcpha_t *tcpha;
1314 uint32_t seg_seq;
1315 tcp_t *eager;
1316 int err;
1317 conn_t *econnp = NULL;
1318 squeue_t *new_sqp;
1319 mblk_t *mp1;
1320 uint_t ip_hdr_len;
1321 conn_t *lconnp = (conn_t *)arg;
1322 tcp_t *listener = lconnp->conn_tcp;
1323 tcp_stack_t *tcps = listener->tcp_tcps;
1324 ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
1325 uint_t flags;
1326 mblk_t *tpi_mp;
1327 uint_t ifindex = ira->ira_ruifindex;
1328 boolean_t tlc_set = B_FALSE;
1329
1330 ip_hdr_len = ira->ira_ip_hdr_length;
1331 tcpha = (tcpha_t *)&mp->b_rptr[ip_hdr_len];
1332 flags = (unsigned int)tcpha->tha_flags & 0xFF;
1333
1334 DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, lconnp->conn_ixa,
1335 __dtrace_tcp_void_ip_t *, mp->b_rptr, tcp_t *, listener,
1336 __dtrace_tcp_tcph_t *, tcpha);
1337
1338 if (!(flags & TH_SYN)) {
1339 if ((flags & TH_RST) || (flags & TH_URG)) {
1340 freemsg(mp);
1341 return;
1342 }
1343 if (flags & TH_ACK) {
1344 /* Note this executes in listener's squeue */
1345 tcp_xmit_listeners_reset(mp, ira, ipst, lconnp);
1346 return;
1347 }
1348
1349 freemsg(mp);
1350 return;
1351 }
1352
1353 if (listener->tcp_state != TCPS_LISTEN)
1354 goto error2;
1355
1356 ASSERT(IPCL_IS_BOUND(lconnp));
1357
1358 mutex_enter(&listener->tcp_eager_lock);
1359
1360 /*
1361 * The system is under memory pressure, so we need to do our part
1362 * to relieve the pressure. So we only accept new request if there
1363 * is nothing waiting to be accepted or waiting to complete the 3-way
1364 * handshake. This means that busy listener will not get too many
1365 * new requests which they cannot handle in time while non-busy
1366 * listener is still functioning properly.
1367 */
1368 if (tcps->tcps_reclaim && (listener->tcp_conn_req_cnt_q > 0 ||
1369 listener->tcp_conn_req_cnt_q0 > 0)) {
1370 mutex_exit(&listener->tcp_eager_lock);
1371 TCP_STAT(tcps, tcp_listen_mem_drop);
1372 goto error2;
1373 }
1374
1375 if (listener->tcp_conn_req_cnt_q >= listener->tcp_conn_req_max) {
1376 mutex_exit(&listener->tcp_eager_lock);
1377 TCP_STAT(tcps, tcp_listendrop);
1378 TCPS_BUMP_MIB(tcps, tcpListenDrop);
1379 if (lconnp->conn_debug) {
1380 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE|SL_ERROR,
1381 "tcp_input_listener: listen backlog (max=%d) "
1382 "overflow (%d pending) on %s",
1383 listener->tcp_conn_req_max,
1384 listener->tcp_conn_req_cnt_q,
1385 tcp_display(listener, NULL, DISP_PORT_ONLY));
1386 }
1387 goto error2;
1388 }
1389
1390 if (listener->tcp_conn_req_cnt_q0 >=
1391 listener->tcp_conn_req_max + tcps->tcps_conn_req_max_q0) {
1392 /*
1393 * Q0 is full. Drop a pending half-open req from the queue
1394 * to make room for the new SYN req. Also mark the time we
1395 * drop a SYN.
1396 *
1397 * A more aggressive defense against SYN attack will
1398 * be to set the "tcp_syn_defense" flag now.
1399 */
1400 TCP_STAT(tcps, tcp_listendropq0);
1401 listener->tcp_last_rcv_lbolt = ddi_get_lbolt64();
1402 if (!tcp_drop_q0(listener)) {
1403 mutex_exit(&listener->tcp_eager_lock);
1404 TCPS_BUMP_MIB(tcps, tcpListenDropQ0);
1405 if (lconnp->conn_debug) {
1406 (void) strlog(TCP_MOD_ID, 0, 3, SL_TRACE,
1407 "tcp_input_listener: listen half-open "
1408 "queue (max=%d) full (%d pending) on %s",
1409 tcps->tcps_conn_req_max_q0,
1410 listener->tcp_conn_req_cnt_q0,
1411 tcp_display(listener, NULL,
1412 DISP_PORT_ONLY));
1413 }
1414 goto error2;
1415 }
1416 }
1417
1418 /*
1419 * Enforce the limit set on the number of connections per listener.
1420 * Note that tlc_cnt starts with 1. So need to add 1 to tlc_max
1421 * for comparison.
1422 */
1423 if (listener->tcp_listen_cnt != NULL) {
1424 tcp_listen_cnt_t *tlc = listener->tcp_listen_cnt;
1425 int64_t now;
1426
1427 if (atomic_add_32_nv(&tlc->tlc_cnt, 1) > tlc->tlc_max + 1) {
1428 mutex_exit(&listener->tcp_eager_lock);
1429 now = ddi_get_lbolt64();
1430 atomic_add_32(&tlc->tlc_cnt, -1);
1431 TCP_STAT(tcps, tcp_listen_cnt_drop);
1432 tlc->tlc_drop++;
1433 if (now - tlc->tlc_report_time >
1434 MSEC_TO_TICK(TCP_TLC_REPORT_INTERVAL)) {
1435 zcmn_err(lconnp->conn_zoneid, CE_WARN,
1436 "Listener (port %d) connection max (%u) "
1437 "reached: %u attempts dropped total\n",
1438 ntohs(listener->tcp_connp->conn_lport),
1439 tlc->tlc_max, tlc->tlc_drop);
1440 tlc->tlc_report_time = now;
1441 }
1442 goto error2;
1443 }
1444 tlc_set = B_TRUE;
1445 }
1446
1447 mutex_exit(&listener->tcp_eager_lock);
1448
1449 /*
1450 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
1451 * or based on the ring (for packets from GLD). Otherwise it is
1452 * set based on lbolt i.e., a somewhat random number.
1453 */
1454 ASSERT(ira->ira_sqp != NULL);
1455 new_sqp = ira->ira_sqp;
1456
1457 econnp = (conn_t *)tcp_get_conn(arg2, tcps);
1458 if (econnp == NULL)
1459 goto error2;
1460
1461 ASSERT(econnp->conn_netstack == lconnp->conn_netstack);
1462 econnp->conn_sqp = new_sqp;
1463 econnp->conn_initial_sqp = new_sqp;
1464 econnp->conn_ixa->ixa_sqp = new_sqp;
1465
1466 econnp->conn_fport = tcpha->tha_lport;
1467 econnp->conn_lport = tcpha->tha_fport;
1468
1469 err = conn_inherit_parent(lconnp, econnp);
1470 if (err != 0)
1471 goto error3;
1472
1473 /* We already know the laddr of the new connection is ours */
1474 econnp->conn_ixa->ixa_src_generation = ipst->ips_src_generation;
1475
1476 ASSERT(OK_32PTR(mp->b_rptr));
1477 ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION ||
1478 IPH_HDR_VERSION(mp->b_rptr) == IPV6_VERSION);
1479
1480 if (lconnp->conn_family == AF_INET) {
1481 ASSERT(IPH_HDR_VERSION(mp->b_rptr) == IPV4_VERSION);
1482 tpi_mp = tcp_conn_create_v4(lconnp, econnp, mp, ira);
1483 } else {
1484 tpi_mp = tcp_conn_create_v6(lconnp, econnp, mp, ira);
1485 }
1486
1487 if (tpi_mp == NULL)
1488 goto error3;
1489
1490 eager = econnp->conn_tcp;
1491 eager->tcp_detached = B_TRUE;
1492 SOCK_CONNID_INIT(eager->tcp_connid);
1493
1494 /*
1495 * Initialize the eager's tcp_t and inherit some parameters from
1496 * the listener.
1497 */
1498 tcp_init_values(eager, listener);
1499
1500 ASSERT((econnp->conn_ixa->ixa_flags &
1501 (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
1502 IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO)) ==
1503 (IXAF_SET_ULP_CKSUM | IXAF_VERIFY_SOURCE |
1504 IXAF_VERIFY_PMTU | IXAF_VERIFY_LSO));
1505
1506 if (!tcps->tcps_dev_flow_ctl)
1507 econnp->conn_ixa->ixa_flags |= IXAF_NO_DEV_FLOW_CTL;
1508
1509 /* Prepare for diffing against previous packets */
1510 eager->tcp_recvifindex = 0;
1511 eager->tcp_recvhops = 0xffffffffU;
1512
1513 if (!(ira->ira_flags & IRAF_IS_IPV4) && econnp->conn_bound_if == 0) {
1514 if (IN6_IS_ADDR_LINKSCOPE(&econnp->conn_faddr_v6) ||
1515 IN6_IS_ADDR_LINKSCOPE(&econnp->conn_laddr_v6)) {
1516 econnp->conn_incoming_ifindex = ifindex;
1517 econnp->conn_ixa->ixa_flags |= IXAF_SCOPEID_SET;
1518 econnp->conn_ixa->ixa_scopeid = ifindex;
1519 }
1520 }
1521
1522 if ((ira->ira_flags & (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS)) ==
1523 (IRAF_IS_IPV4|IRAF_IPV4_OPTIONS) &&
1524 tcps->tcps_rev_src_routes) {
1525 ipha_t *ipha = (ipha_t *)mp->b_rptr;
1526 ip_pkt_t *ipp = &econnp->conn_xmit_ipp;
1527
1528 /* Source routing option copyover (reverse it) */
1529 err = ip_find_hdr_v4(ipha, ipp, B_TRUE);
1530 if (err != 0) {
1531 freemsg(tpi_mp);
1532 goto error3;
1533 }
1534 ip_pkt_source_route_reverse_v4(ipp);
1535 }
1536
1537 ASSERT(eager->tcp_conn.tcp_eager_conn_ind == NULL);
1538 ASSERT(!eager->tcp_tconnind_started);
1539 /*
1540 * If the SYN came with a credential, it's a loopback packet or a
1541 * labeled packet; attach the credential to the TPI message.
1542 */
1543 if (ira->ira_cred != NULL)
1544 mblk_setcred(tpi_mp, ira->ira_cred, ira->ira_cpid);
1545
1546 eager->tcp_conn.tcp_eager_conn_ind = tpi_mp;
1547 ASSERT(eager->tcp_ordrel_mp == NULL);
1548
1549 /* Inherit the listener's non-STREAMS flag */
1550 if (IPCL_IS_NONSTR(lconnp)) {
1551 econnp->conn_flags |= IPCL_NONSTR;
1552 /* All non-STREAMS tcp_ts are sockets */
1553 eager->tcp_issocket = B_TRUE;
1554 } else {
1555 /*
1556 * Pre-allocate the T_ordrel_ind mblk for TPI socket so that
1557 * at close time, we will always have that to send up.
1558 * Otherwise, we need to do special handling in case the
1559 * allocation fails at that time.
1560 */
1561 if ((eager->tcp_ordrel_mp = mi_tpi_ordrel_ind()) == NULL)
1562 goto error3;
1563 }
1564 /*
1565 * Now that the IP addresses and ports are setup in econnp we
1566 * can do the IPsec policy work.
1567 */
1568 if (ira->ira_flags & IRAF_IPSEC_SECURE) {
1569 if (lconnp->conn_policy != NULL) {
1570 /*
1571 * Inherit the policy from the listener; use
1572 * actions from ira
1573 */
1574 if (!ip_ipsec_policy_inherit(econnp, lconnp, ira)) {
1575 CONN_DEC_REF(econnp);
1576 freemsg(mp);
1577 goto error3;
1578 }
1579 }
1580 }
1581
1582 /*
1583 * tcp_set_destination() may set tcp_rwnd according to the route
1584 * metrics. If it does not, the eager's receive window will be set
1585 * to the listener's receive window later in this function.
1586 */
1587 eager->tcp_rwnd = 0;
1588
1589 if (is_system_labeled()) {
1590 ip_xmit_attr_t *ixa = econnp->conn_ixa;
1591
1592 ASSERT(ira->ira_tsl != NULL);
1593 /* Discard any old label */
1594 if (ixa->ixa_free_flags & IXA_FREE_TSL) {
1595 ASSERT(ixa->ixa_tsl != NULL);
1596 label_rele(ixa->ixa_tsl);
1597 ixa->ixa_free_flags &= ~IXA_FREE_TSL;
1598 ixa->ixa_tsl = NULL;
1599 }
1600 if ((lconnp->conn_mlp_type != mlptSingle ||
1601 lconnp->conn_mac_mode != CONN_MAC_DEFAULT) &&
1602 ira->ira_tsl != NULL) {
1603 /*
1604 * If this is an MLP connection or a MAC-Exempt
1605 * connection with an unlabeled node, packets are to be
1606 * exchanged using the security label of the received
1607 * SYN packet instead of the server application's label.
1608 * tsol_check_dest called from ip_set_destination
1609 * might later update TSF_UNLABELED by replacing
1610 * ixa_tsl with a new label.
1611 */
1612 label_hold(ira->ira_tsl);
1613 ip_xmit_attr_replace_tsl(ixa, ira->ira_tsl);
1614 DTRACE_PROBE2(mlp_syn_accept, conn_t *,
1615 econnp, ts_label_t *, ixa->ixa_tsl)
1616 } else {
1617 ixa->ixa_tsl = crgetlabel(econnp->conn_cred);
1618 DTRACE_PROBE2(syn_accept, conn_t *,
1619 econnp, ts_label_t *, ixa->ixa_tsl)
1620 }
1621 /*
1622 * conn_connect() called from tcp_set_destination will verify
1623 * the destination is allowed to receive packets at the
1624 * security label of the SYN-ACK we are generating. As part of
1625 * that, tsol_check_dest() may create a new effective label for
1626 * this connection.
1627 * Finally conn_connect() will call conn_update_label.
1628 * All that remains for TCP to do is to call
1629 * conn_build_hdr_template which is done as part of
1630 * tcp_set_destination.
1631 */
1632 }
1633
1634 /*
1635 * Since we will clear tcp_listener before we clear tcp_detached
1636 * in the accept code we need tcp_hard_binding aka tcp_accept_inprogress
1637 * so we can tell a TCP_IS_DETACHED_NONEAGER apart.
1638 */
1639 eager->tcp_hard_binding = B_TRUE;
1640
1641 tcp_bind_hash_insert(&tcps->tcps_bind_fanout[
1642 TCP_BIND_HASH(econnp->conn_lport)], eager, 0);
1643
1644 CL_INET_CONNECT(econnp, B_FALSE, err);
1645 if (err != 0) {
1646 tcp_bind_hash_remove(eager);
1647 goto error3;
1648 }
1649
1650 SOCK_CONNID_BUMP(eager->tcp_connid);
1651
1652 /*
1653 * Adapt our mss, ttl, ... based on the remote address.
1654 */
1655
1656 if (tcp_set_destination(eager) != 0) {
1657 TCPS_BUMP_MIB(tcps, tcpAttemptFails);
1658 /* Undo the bind_hash_insert */
1659 tcp_bind_hash_remove(eager);
1660 goto error3;
1661 }
1662
1663 /* Process all TCP options. */
1664 tcp_process_options(eager, tcpha);
1665
1666 /* Is the other end ECN capable? */
1667 if (tcps->tcps_ecn_permitted >= 1 &&
1668 (tcpha->tha_flags & (TH_ECE|TH_CWR)) == (TH_ECE|TH_CWR)) {
1669 eager->tcp_ecn_ok = B_TRUE;
1670 }
1671
1672 /*
1673 * The listener's conn_rcvbuf should be the default window size or a
1674 * window size changed via SO_RCVBUF option. First round up the
1675 * eager's tcp_rwnd to the nearest MSS. Then find out the window
1676 * scale option value if needed. Call tcp_rwnd_set() to finish the
1677 * setting.
1678 *
1679 * Note if there is a rpipe metric associated with the remote host,
1680 * we should not inherit receive window size from listener.
1681 */
1682 eager->tcp_rwnd = MSS_ROUNDUP(
1683 (eager->tcp_rwnd == 0 ? econnp->conn_rcvbuf :
1684 eager->tcp_rwnd), eager->tcp_mss);
1685 if (eager->tcp_snd_ws_ok)
1686 tcp_set_ws_value(eager);
1687 /*
1688 * Note that this is the only place tcp_rwnd_set() is called for
1689 * accepting a connection. We need to call it here instead of
1690 * after the 3-way handshake because we need to tell the other
1691 * side our rwnd in the SYN-ACK segment.
1692 */
1693 (void) tcp_rwnd_set(eager, eager->tcp_rwnd);
1694
1695 ASSERT(eager->tcp_connp->conn_rcvbuf != 0 &&
1696 eager->tcp_connp->conn_rcvbuf == eager->tcp_rwnd);
1697
1698 ASSERT(econnp->conn_rcvbuf != 0 &&
1699 econnp->conn_rcvbuf == eager->tcp_rwnd);
1700
1701 /* Put a ref on the listener for the eager. */
1702 CONN_INC_REF(lconnp);
1703 mutex_enter(&listener->tcp_eager_lock);
1704 listener->tcp_eager_next_q0->tcp_eager_prev_q0 = eager;
1705 eager->tcp_eager_next_q0 = listener->tcp_eager_next_q0;
1706 listener->tcp_eager_next_q0 = eager;
1707 eager->tcp_eager_prev_q0 = listener;
1708
1709 /* Set tcp_listener before adding it to tcp_conn_fanout */
1710 eager->tcp_listener = listener;
1711 eager->tcp_saved_listener = listener;
1712
1713 /*
1714 * Set tcp_listen_cnt so that when the connection is done, the counter
1715 * is decremented.
1716 */
1717 eager->tcp_listen_cnt = listener->tcp_listen_cnt;
1718
1719 /*
1720 * Tag this detached tcp vector for later retrieval
1721 * by our listener client in tcp_accept().
1722 */
1723 eager->tcp_conn_req_seqnum = listener->tcp_conn_req_seqnum;
1724 listener->tcp_conn_req_cnt_q0++;
1725 if (++listener->tcp_conn_req_seqnum == -1) {
1726 /*
1727 * -1 is "special" and defined in TPI as something
1728 * that should never be used in T_CONN_IND
1729 */
1730 ++listener->tcp_conn_req_seqnum;
1731 }
1732 mutex_exit(&listener->tcp_eager_lock);
1733
1734 if (listener->tcp_syn_defense) {
1735 /* Don't drop the SYN that comes from a good IP source */
1736 ipaddr_t *addr_cache;
1737
1738 addr_cache = (ipaddr_t *)(listener->tcp_ip_addr_cache);
1739 if (addr_cache != NULL && econnp->conn_faddr_v4 ==
1740 addr_cache[IP_ADDR_CACHE_HASH(econnp->conn_faddr_v4)]) {
1741 eager->tcp_dontdrop = B_TRUE;
1742 }
1743 }
1744
1745 /*
1746 * We need to insert the eager in its own perimeter but as soon
1747 * as we do that, we expose the eager to the classifier and
1748 * should not touch any field outside the eager's perimeter.
1749 * So do all the work necessary before inserting the eager
1750 * in its own perimeter. Be optimistic that conn_connect()
1751 * will succeed but undo everything if it fails.
1752 */
1753 seg_seq = ntohl(tcpha->tha_seq);
1754 eager->tcp_irs = seg_seq;
1755 eager->tcp_rack = seg_seq;
1756 eager->tcp_rnxt = seg_seq + 1;
1757 eager->tcp_tcpha->tha_ack = htonl(eager->tcp_rnxt);
1758 TCPS_BUMP_MIB(tcps, tcpPassiveOpens);
1759 eager->tcp_state = TCPS_SYN_RCVD;
1760 DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
1761 econnp->conn_ixa, void, NULL, tcp_t *, eager, void, NULL,
1762 int32_t, TCPS_LISTEN);
1763
1764 mp1 = tcp_xmit_mp(eager, eager->tcp_xmit_head, eager->tcp_mss,
1765 NULL, NULL, eager->tcp_iss, B_FALSE, NULL, B_FALSE);
1766 if (mp1 == NULL) {
1767 /*
1768 * Increment the ref count as we are going to
1769 * enqueueing an mp in squeue
1770 */
1771 CONN_INC_REF(econnp);
1772 goto error;
1773 }
1774
1775 /*
1776 * We need to start the rto timer. In normal case, we start
1777 * the timer after sending the packet on the wire (or at
1778 * least believing that packet was sent by waiting for
1779 * conn_ip_output() to return). Since this is the first packet
1780 * being sent on the wire for the eager, our initial tcp_rto
1781 * is at least tcp_rexmit_interval_min which is a fairly
1782 * large value to allow the algorithm to adjust slowly to large
1783 * fluctuations of RTT during first few transmissions.
1784 *
1785 * Starting the timer first and then sending the packet in this
1786 * case shouldn't make much difference since tcp_rexmit_interval_min
1787 * is of the order of several 100ms and starting the timer
1788 * first and then sending the packet will result in difference
1789 * of few micro seconds.
1790 *
1791 * Without this optimization, we are forced to hold the fanout
1792 * lock across the ipcl_bind_insert() and sending the packet
1793 * so that we don't race against an incoming packet (maybe RST)
1794 * for this eager.
1795 *
1796 * It is necessary to acquire an extra reference on the eager
1797 * at this point and hold it until after tcp_send_data() to
1798 * ensure against an eager close race.
1799 */
1800
1801 CONN_INC_REF(econnp);
1802
1803 TCP_TIMER_RESTART(eager, eager->tcp_rto);
1804
1805 /*
1806 * Insert the eager in its own perimeter now. We are ready to deal
1807 * with any packets on eager.
1808 */
1809 if (ipcl_conn_insert(econnp) != 0)
1810 goto error;
1811
1812 ASSERT(econnp->conn_ixa->ixa_notify_cookie == econnp->conn_tcp);
1813 freemsg(mp);
1814 /*
1815 * Send the SYN-ACK. Use the right squeue so that conn_ixa is
1816 * only used by one thread at a time.
1817 */
1818 if (econnp->conn_sqp == lconnp->conn_sqp) {
1819 DTRACE_TCP5(send, mblk_t *, NULL, ip_xmit_attr_t *,
1820 econnp->conn_ixa, __dtrace_tcp_void_ip_t *, mp1->b_rptr,
1821 tcp_t *, eager, __dtrace_tcp_tcph_t *,
1822 &mp1->b_rptr[econnp->conn_ixa->ixa_ip_hdr_length]);
1823 (void) conn_ip_output(mp1, econnp->conn_ixa);
1824 CONN_DEC_REF(econnp);
1825 } else {
1826 SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_send_synack,
1827 econnp, NULL, SQ_PROCESS, SQTAG_TCP_SEND_SYNACK);
1828 }
1829 return;
1830 error:
1831 freemsg(mp1);
1832 eager->tcp_closemp_used = B_TRUE;
1833 TCP_DEBUG_GETPCSTACK(eager->tcmp_stk, 15);
1834 mp1 = &eager->tcp_closemp;
1835 SQUEUE_ENTER_ONE(econnp->conn_sqp, mp1, tcp_eager_kill,
1836 econnp, NULL, SQ_FILL, SQTAG_TCP_CONN_REQ_2);
1837
1838 /*
1839 * If a connection already exists, send the mp to that connections so
1840 * that it can be appropriately dealt with.
1841 */
1842 ipst = tcps->tcps_netstack->netstack_ip;
1843
1844 if ((econnp = ipcl_classify(mp, ira, ipst)) != NULL) {
1845 if (!IPCL_IS_CONNECTED(econnp)) {
1846 /*
1847 * Something bad happened. ipcl_conn_insert()
1848 * failed because a connection already existed
1849 * in connected hash but we can't find it
1850 * anymore (someone blew it away). Just
1851 * free this message and hopefully remote
1852 * will retransmit at which time the SYN can be
1853 * treated as a new connection or dealth with
1854 * a TH_RST if a connection already exists.
1855 */
1856 CONN_DEC_REF(econnp);
1857 freemsg(mp);
1858 } else {
1859 SQUEUE_ENTER_ONE(econnp->conn_sqp, mp, tcp_input_data,
1860 econnp, ira, SQ_FILL, SQTAG_TCP_CONN_REQ_1);
1861 }
1862 } else {
1863 /* Nobody wants this packet */
1864 freemsg(mp);
1865 }
1866 return;
1867 error3:
1868 CONN_DEC_REF(econnp);
1869 error2:
1870 freemsg(mp);
1871 if (tlc_set)
1872 atomic_add_32(&listener->tcp_listen_cnt->tlc_cnt, -1);
1873 }
1874
1875 /*
1876 * In an ideal case of vertical partition in NUMA architecture, its
1877 * beneficial to have the listener and all the incoming connections
1878 * tied to the same squeue. The other constraint is that incoming
1879 * connections should be tied to the squeue attached to interrupted
1880 * CPU for obvious locality reason so this leaves the listener to
1881 * be tied to the same squeue. Our only problem is that when listener
1882 * is binding, the CPU that will get interrupted by the NIC whose
1883 * IP address the listener is binding to is not even known. So
1884 * the code below allows us to change that binding at the time the
1885 * CPU is interrupted by virtue of incoming connection's squeue.
1886 *
1887 * This is usefull only in case of a listener bound to a specific IP
1888 * address. For other kind of listeners, they get bound the
1889 * very first time and there is no attempt to rebind them.
1890 */
1891 void
1892 tcp_input_listener_unbound(void *arg, mblk_t *mp, void *arg2,
1893 ip_recv_attr_t *ira)
1894 {
1895 conn_t *connp = (conn_t *)arg;
1896 squeue_t *sqp = (squeue_t *)arg2;
1897 squeue_t *new_sqp;
1898 uint32_t conn_flags;
1899
1900 /*
1901 * IP sets ira_sqp to either the senders conn_sqp (for loopback)
1902 * or based on the ring (for packets from GLD). Otherwise it is
1903 * set based on lbolt i.e., a somewhat random number.
1904 */
1905 ASSERT(ira->ira_sqp != NULL);
1906 new_sqp = ira->ira_sqp;
1907
1908 if (connp->conn_fanout == NULL)
1909 goto done;
1910
1911 if (!(connp->conn_flags & IPCL_FULLY_BOUND)) {
1912 mutex_enter(&connp->conn_fanout->connf_lock);
1913 mutex_enter(&connp->conn_lock);
1914 /*
1915 * No one from read or write side can access us now
1916 * except for already queued packets on this squeue.
1917 * But since we haven't changed the squeue yet, they
1918 * can't execute. If they are processed after we have
1919 * changed the squeue, they are sent back to the
1920 * correct squeue down below.
1921 * But a listner close can race with processing of
1922 * incoming SYN. If incoming SYN processing changes
1923 * the squeue then the listener close which is waiting
1924 * to enter the squeue would operate on the wrong
1925 * squeue. Hence we don't change the squeue here unless
1926 * the refcount is exactly the minimum refcount. The
1927 * minimum refcount of 4 is counted as - 1 each for
1928 * TCP and IP, 1 for being in the classifier hash, and
1929 * 1 for the mblk being processed.
1930 */
1931
1932 if (connp->conn_ref != 4 ||
1933 connp->conn_tcp->tcp_state != TCPS_LISTEN) {
1934 mutex_exit(&connp->conn_lock);
1935 mutex_exit(&connp->conn_fanout->connf_lock);
1936 goto done;
1937 }
1938 if (connp->conn_sqp != new_sqp) {
1939 while (connp->conn_sqp != new_sqp)
1940 (void) casptr(&connp->conn_sqp, sqp, new_sqp);
1941 /* No special MT issues for outbound ixa_sqp hint */
1942 connp->conn_ixa->ixa_sqp = new_sqp;
1943 }
1944
1945 do {
1946 conn_flags = connp->conn_flags;
1947 conn_flags |= IPCL_FULLY_BOUND;
1948 (void) cas32(&connp->conn_flags, connp->conn_flags,
1949 conn_flags);
1950 } while (!(connp->conn_flags & IPCL_FULLY_BOUND));
1951
1952 mutex_exit(&connp->conn_fanout->connf_lock);
1953 mutex_exit(&connp->conn_lock);
1954
1955 /*
1956 * Assume we have picked a good squeue for the listener. Make
1957 * subsequent SYNs not try to change the squeue.
1958 */
1959 connp->conn_recv = tcp_input_listener;
1960 }
1961
1962 done:
1963 if (connp->conn_sqp != sqp) {
1964 CONN_INC_REF(connp);
1965 SQUEUE_ENTER_ONE(connp->conn_sqp, mp, connp->conn_recv, connp,
1966 ira, SQ_FILL, SQTAG_TCP_CONN_REQ_UNBOUND);
1967 } else {
1968 tcp_input_listener(connp, mp, sqp, ira);
1969 }
1970 }
1971
1972 /*
1973 * Send up all messages queued on tcp_rcv_list.
1974 */
1975 uint_t
1976 tcp_rcv_drain(tcp_t *tcp)
1977 {
1978 mblk_t *mp;
1979 uint_t ret = 0;
1980 #ifdef DEBUG
1981 uint_t cnt = 0;
1982 #endif
1983 queue_t *q = tcp->tcp_connp->conn_rq;
1984
1985 /* Can't drain on an eager connection */
1986 if (tcp->tcp_listener != NULL)
1987 return (ret);
1988
1989 /* Can't be a non-STREAMS connection */
1990 ASSERT(!IPCL_IS_NONSTR(tcp->tcp_connp));
1991
1992 /* No need for the push timer now. */
1993 if (tcp->tcp_push_tid != 0) {
1994 (void) TCP_TIMER_CANCEL(tcp, tcp->tcp_push_tid);
1995 tcp->tcp_push_tid = 0;
1996 }
1997
1998 /*
1999 * Handle two cases here: we are currently fused or we were
2000 * previously fused and have some urgent data to be delivered
2001 * upstream. The latter happens because we either ran out of
2002 * memory or were detached and therefore sending the SIGURG was
2003 * deferred until this point. In either case we pass control
2004 * over to tcp_fuse_rcv_drain() since it may need to complete
2005 * some work.
2006 */
2007 if ((tcp->tcp_fused || tcp->tcp_fused_sigurg)) {
2008 if (tcp_fuse_rcv_drain(q, tcp, tcp->tcp_fused ? NULL :
2009 &tcp->tcp_fused_sigurg_mp))
2010 return (ret);
2011 }
2012
2013 while ((mp = tcp->tcp_rcv_list) != NULL) {
2014 tcp->tcp_rcv_list = mp->b_next;
2015 mp->b_next = NULL;
2016 #ifdef DEBUG
2017 cnt += msgdsize(mp);
2018 #endif
2019 putnext(q, mp);
2020 }
2021 #ifdef DEBUG
2022 ASSERT(cnt == tcp->tcp_rcv_cnt);
2023 #endif
2024 tcp->tcp_rcv_last_head = NULL;
2025 tcp->tcp_rcv_last_tail = NULL;
2026 tcp->tcp_rcv_cnt = 0;
2027
2028 if (canputnext(q))
2029 return (tcp_rwnd_reopen(tcp));
2030
2031 return (ret);
2032 }
2033
2034 /*
2035 * Queue data on tcp_rcv_list which is a b_next chain.
2036 * tcp_rcv_last_head/tail is the last element of this chain.
2037 * Each element of the chain is a b_cont chain.
2038 *
2039 * M_DATA messages are added to the current element.
2040 * Other messages are added as new (b_next) elements.
2041 */
2042 void
2043 tcp_rcv_enqueue(tcp_t *tcp, mblk_t *mp, uint_t seg_len, cred_t *cr)
2044 {
2045 ASSERT(seg_len == msgdsize(mp));
2046 ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_rcv_last_head != NULL);
2047
2048 if (is_system_labeled()) {
2049 ASSERT(cr != NULL || msg_getcred(mp, NULL) != NULL);
2050 /*
2051 * Provide for protocols above TCP such as RPC. NOPID leaves
2052 * db_cpid unchanged.
2053 * The cred could have already been set.
2054 */
2055 if (cr != NULL)
2056 mblk_setcred(mp, cr, NOPID);
2057 }
2058
2059 if (tcp->tcp_rcv_list == NULL) {
2060 ASSERT(tcp->tcp_rcv_last_head == NULL);
2061 tcp->tcp_rcv_list = mp;
2062 tcp->tcp_rcv_last_head = mp;
2063 } else if (DB_TYPE(mp) == DB_TYPE(tcp->tcp_rcv_last_head)) {
2064 tcp->tcp_rcv_last_tail->b_cont = mp;
2065 } else {
2066 tcp->tcp_rcv_last_head->b_next = mp;
2067 tcp->tcp_rcv_last_head = mp;
2068 }
2069
2070 while (mp->b_cont)
2071 mp = mp->b_cont;
2072
2073 tcp->tcp_rcv_last_tail = mp;
2074 tcp->tcp_rcv_cnt += seg_len;
2075 tcp->tcp_rwnd -= seg_len;
2076 }
2077
2078 /* Generate an ACK-only (no data) segment for a TCP endpoint */
2079 mblk_t *
2080 tcp_ack_mp(tcp_t *tcp)
2081 {
2082 uint32_t seq_no;
2083 tcp_stack_t *tcps = tcp->tcp_tcps;
2084 conn_t *connp = tcp->tcp_connp;
2085
2086 /*
2087 * There are a few cases to be considered while setting the sequence no.
2088 * Essentially, we can come here while processing an unacceptable pkt
2089 * in the TCPS_SYN_RCVD state, in which case we set the sequence number
2090 * to snxt (per RFC 793), note the swnd wouldn't have been set yet.
2091 * If we are here for a zero window probe, stick with suna. In all
2092 * other cases, we check if suna + swnd encompasses snxt and set
2093 * the sequence number to snxt, if so. If snxt falls outside the
2094 * window (the receiver probably shrunk its window), we will go with
2095 * suna + swnd, otherwise the sequence no will be unacceptable to the
2096 * receiver.
2097 */
2098 if (tcp->tcp_zero_win_probe) {
2099 seq_no = tcp->tcp_suna;
2100 } else if (tcp->tcp_state == TCPS_SYN_RCVD) {
2101 ASSERT(tcp->tcp_swnd == 0);
2102 seq_no = tcp->tcp_snxt;
2103 } else {
2104 seq_no = SEQ_GT(tcp->tcp_snxt,
2105 (tcp->tcp_suna + tcp->tcp_swnd)) ?
2106 (tcp->tcp_suna + tcp->tcp_swnd) : tcp->tcp_snxt;
2107 }
2108
2109 if (tcp->tcp_valid_bits) {
2110 /*
2111 * For the complex case where we have to send some
2112 * controls (FIN or SYN), let tcp_xmit_mp do it.
2113 */
2114 return (tcp_xmit_mp(tcp, NULL, 0, NULL, NULL, seq_no, B_FALSE,
2115 NULL, B_FALSE));
2116 } else {
2117 /* Generate a simple ACK */
2118 int data_length;
2119 uchar_t *rptr;
2120 tcpha_t *tcpha;
2121 mblk_t *mp1;
2122 int32_t total_hdr_len;
2123 int32_t tcp_hdr_len;
2124 int32_t num_sack_blk = 0;
2125 int32_t sack_opt_len;
2126 ip_xmit_attr_t *ixa = connp->conn_ixa;
2127
2128 /*
2129 * Allocate space for TCP + IP headers
2130 * and link-level header
2131 */
2132 if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
2133 num_sack_blk = MIN(tcp->tcp_max_sack_blk,
2134 tcp->tcp_num_sack_blk);
2135 sack_opt_len = num_sack_blk * sizeof (sack_blk_t) +
2136 TCPOPT_NOP_LEN * 2 + TCPOPT_HEADER_LEN;
2137 total_hdr_len = connp->conn_ht_iphc_len + sack_opt_len;
2138 tcp_hdr_len = connp->conn_ht_ulp_len + sack_opt_len;
2139 } else {
2140 total_hdr_len = connp->conn_ht_iphc_len;
2141 tcp_hdr_len = connp->conn_ht_ulp_len;
2142 }
2143 mp1 = allocb(total_hdr_len + tcps->tcps_wroff_xtra, BPRI_MED);
2144 if (!mp1)
2145 return (NULL);
2146
2147 /* Update the latest receive window size in TCP header. */
2148 tcp->tcp_tcpha->tha_win =
2149 htons(tcp->tcp_rwnd >> tcp->tcp_rcv_ws);
2150 /* copy in prototype TCP + IP header */
2151 rptr = mp1->b_rptr + tcps->tcps_wroff_xtra;
2152 mp1->b_rptr = rptr;
2153 mp1->b_wptr = rptr + total_hdr_len;
2154 bcopy(connp->conn_ht_iphc, rptr, connp->conn_ht_iphc_len);
2155
2156 tcpha = (tcpha_t *)&rptr[ixa->ixa_ip_hdr_length];
2157
2158 /* Set the TCP sequence number. */
2159 tcpha->tha_seq = htonl(seq_no);
2160
2161 /* Set up the TCP flag field. */
2162 tcpha->tha_flags = (uchar_t)TH_ACK;
2163 if (tcp->tcp_ecn_echo_on)
2164 tcpha->tha_flags |= TH_ECE;
2165
2166 tcp->tcp_rack = tcp->tcp_rnxt;
2167 tcp->tcp_rack_cnt = 0;
2168
2169 /* fill in timestamp option if in use */
2170 if (tcp->tcp_snd_ts_ok) {
2171 uint32_t llbolt = (uint32_t)LBOLT_FASTPATH;
2172
2173 U32_TO_BE32(llbolt,
2174 (char *)tcpha + TCP_MIN_HEADER_LENGTH+4);
2175 U32_TO_BE32(tcp->tcp_ts_recent,
2176 (char *)tcpha + TCP_MIN_HEADER_LENGTH+8);
2177 }
2178
2179 /* Fill in SACK options */
2180 if (num_sack_blk > 0) {
2181 uchar_t *wptr = (uchar_t *)tcpha +
2182 connp->conn_ht_ulp_len;
2183 sack_blk_t *tmp;
2184 int32_t i;
2185
2186 wptr[0] = TCPOPT_NOP;
2187 wptr[1] = TCPOPT_NOP;
2188 wptr[2] = TCPOPT_SACK;
2189 wptr[3] = TCPOPT_HEADER_LEN + num_sack_blk *
2190 sizeof (sack_blk_t);
2191 wptr += TCPOPT_REAL_SACK_LEN;
2192
2193 tmp = tcp->tcp_sack_list;
2194 for (i = 0; i < num_sack_blk; i++) {
2195 U32_TO_BE32(tmp[i].begin, wptr);
2196 wptr += sizeof (tcp_seq);
2197 U32_TO_BE32(tmp[i].end, wptr);
2198 wptr += sizeof (tcp_seq);
2199 }
2200 tcpha->tha_offset_and_reserved +=
2201 ((num_sack_blk * 2 + 1) << 4);
2202 }
2203
2204 ixa->ixa_pktlen = total_hdr_len;
2205
2206 if (ixa->ixa_flags & IXAF_IS_IPV4) {
2207 ((ipha_t *)rptr)->ipha_length = htons(total_hdr_len);
2208 } else {
2209 ip6_t *ip6 = (ip6_t *)rptr;
2210
2211 ip6->ip6_plen = htons(total_hdr_len - IPV6_HDR_LEN);
2212 }
2213
2214 /*
2215 * Prime pump for checksum calculation in IP. Include the
2216 * adjustment for a source route if any.
2217 */
2218 data_length = tcp_hdr_len + connp->conn_sum;
2219 data_length = (data_length >> 16) + (data_length & 0xFFFF);
2220 tcpha->tha_sum = htons(data_length);
2221
2222 if (tcp->tcp_ip_forward_progress) {
2223 tcp->tcp_ip_forward_progress = B_FALSE;
2224 connp->conn_ixa->ixa_flags |= IXAF_REACH_CONF;
2225 } else {
2226 connp->conn_ixa->ixa_flags &= ~IXAF_REACH_CONF;
2227 }
2228 return (mp1);
2229 }
2230 }
2231
2232 /*
2233 * Handle M_DATA messages from IP. Its called directly from IP via
2234 * squeue for received IP packets.
2235 *
2236 * The first argument is always the connp/tcp to which the mp belongs.
2237 * There are no exceptions to this rule. The caller has already put
2238 * a reference on this connp/tcp and once tcp_input_data() returns,
2239 * the squeue will do the refrele.
2240 *
2241 * The TH_SYN for the listener directly go to tcp_input_listener via
2242 * squeue. ICMP errors go directly to tcp_icmp_input().
2243 *
2244 * sqp: NULL = recursive, sqp != NULL means called from squeue
2245 */
2246 void
2247 tcp_input_data(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
2248 {
2249 int32_t bytes_acked;
2250 int32_t gap;
2251 mblk_t *mp1;
2252 uint_t flags;
2253 uint32_t new_swnd = 0;
2254 uchar_t *iphdr;
2255 uchar_t *rptr;
2256 int32_t rgap;
2257 uint32_t seg_ack;
2258 int seg_len;
2259 uint_t ip_hdr_len;
2260 uint32_t seg_seq;
2261 tcpha_t *tcpha;
2262 int urp;
2263 tcp_opt_t tcpopt;
2264 ip_pkt_t ipp;
2265 boolean_t ofo_seg = B_FALSE; /* Out of order segment */
2266 uint32_t cwnd;
2267 uint32_t add;
2268 int npkt;
2269 int mss;
2270 conn_t *connp = (conn_t *)arg;
2271 squeue_t *sqp = (squeue_t *)arg2;
2272 tcp_t *tcp = connp->conn_tcp;
2273 tcp_stack_t *tcps = tcp->tcp_tcps;
2274
2275 /*
2276 * RST from fused tcp loopback peer should trigger an unfuse.
2277 */
2278 if (tcp->tcp_fused) {
2279 TCP_STAT(tcps, tcp_fusion_aborted);
2280 tcp_unfuse(tcp);
2281 }
2282
2283 iphdr = mp->b_rptr;
2284 rptr = mp->b_rptr;
2285 ASSERT(OK_32PTR(rptr));
2286
2287 ip_hdr_len = ira->ira_ip_hdr_length;
2288 if (connp->conn_recv_ancillary.crb_all != 0) {
2289 /*
2290 * Record packet information in the ip_pkt_t
2291 */
2292 ipp.ipp_fields = 0;
2293 if (ira->ira_flags & IRAF_IS_IPV4) {
2294 (void) ip_find_hdr_v4((ipha_t *)rptr, &ipp,
2295 B_FALSE);
2296 } else {
2297 uint8_t nexthdrp;
2298
2299 /*
2300 * IPv6 packets can only be received by applications
2301 * that are prepared to receive IPv6 addresses.
2302 * The IP fanout must ensure this.
2303 */
2304 ASSERT(connp->conn_family == AF_INET6);
2305
2306 (void) ip_find_hdr_v6(mp, (ip6_t *)rptr, B_TRUE, &ipp,
2307 &nexthdrp);
2308 ASSERT(nexthdrp == IPPROTO_TCP);
2309
2310 /* Could have caused a pullup? */
2311 iphdr = mp->b_rptr;
2312 rptr = mp->b_rptr;
2313 }
2314 }
2315 ASSERT(DB_TYPE(mp) == M_DATA);
2316 ASSERT(mp->b_next == NULL);
2317
2318 tcpha = (tcpha_t *)&rptr[ip_hdr_len];
2319 seg_seq = ntohl(tcpha->tha_seq);
2320 seg_ack = ntohl(tcpha->tha_ack);
2321 ASSERT((uintptr_t)(mp->b_wptr - rptr) <= (uintptr_t)INT_MAX);
2322 seg_len = (int)(mp->b_wptr - rptr) -
2323 (ip_hdr_len + TCP_HDR_LENGTH(tcpha));
2324 if ((mp1 = mp->b_cont) != NULL && mp1->b_datap->db_type == M_DATA) {
2325 do {
2326 ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
2327 (uintptr_t)INT_MAX);
2328 seg_len += (int)(mp1->b_wptr - mp1->b_rptr);
2329 } while ((mp1 = mp1->b_cont) != NULL &&
2330 mp1->b_datap->db_type == M_DATA);
2331 }
2332
2333 DTRACE_TCP5(receive, mblk_t *, NULL, ip_xmit_attr_t *, connp->conn_ixa,
2334 __dtrace_tcp_void_ip_t *, iphdr, tcp_t *, tcp,
2335 __dtrace_tcp_tcph_t *, tcpha);
2336
2337 if (tcp->tcp_state == TCPS_TIME_WAIT) {
2338 tcp_time_wait_processing(tcp, mp, seg_seq, seg_ack,
2339 seg_len, tcpha, ira);
2340 return;
2341 }
2342
2343 if (sqp != NULL) {
2344 /*
2345 * This is the correct place to update tcp_last_recv_time. Note
2346 * that it is also updated for tcp structure that belongs to
2347 * global and listener queues which do not really need updating.
2348 * But that should not cause any harm. And it is updated for
2349 * all kinds of incoming segments, not only for data segments.
2350 */
2351 tcp->tcp_last_recv_time = LBOLT_FASTPATH;
2352 }
2353
2354 flags = (unsigned int)tcpha->tha_flags & 0xFF;
2355
2356 BUMP_LOCAL(tcp->tcp_ibsegs);
2357 DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
2358
2359 if ((flags & TH_URG) && sqp != NULL) {
2360 /*
2361 * TCP can't handle urgent pointers that arrive before
2362 * the connection has been accept()ed since it can't
2363 * buffer OOB data. Discard segment if this happens.
2364 *
2365 * We can't just rely on a non-null tcp_listener to indicate
2366 * that the accept() has completed since unlinking of the
2367 * eager and completion of the accept are not atomic.
2368 * tcp_detached, when it is not set (B_FALSE) indicates
2369 * that the accept() has completed.
2370 *
2371 * Nor can it reassemble urgent pointers, so discard
2372 * if it's not the next segment expected.
2373 *
2374 * Otherwise, collapse chain into one mblk (discard if
2375 * that fails). This makes sure the headers, retransmitted
2376 * data, and new data all are in the same mblk.
2377 */
2378 ASSERT(mp != NULL);
2379 if (tcp->tcp_detached || !pullupmsg(mp, -1)) {
2380 freemsg(mp);
2381 return;
2382 }
2383 /* Update pointers into message */
2384 iphdr = rptr = mp->b_rptr;
2385 tcpha = (tcpha_t *)&rptr[ip_hdr_len];
2386 if (SEQ_GT(seg_seq, tcp->tcp_rnxt)) {
2387 /*
2388 * Since we can't handle any data with this urgent
2389 * pointer that is out of sequence, we expunge
2390 * the data. This allows us to still register
2391 * the urgent mark and generate the M_PCSIG,
2392 * which we can do.
2393 */
2394 mp->b_wptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
2395 seg_len = 0;
2396 }
2397 }
2398
2399 switch (tcp->tcp_state) {
2400 case TCPS_SYN_SENT:
2401 if (connp->conn_final_sqp == NULL &&
2402 tcp_outbound_squeue_switch && sqp != NULL) {
2403 ASSERT(connp->conn_initial_sqp == connp->conn_sqp);
2404 connp->conn_final_sqp = sqp;
2405 if (connp->conn_final_sqp != connp->conn_sqp) {
2406 DTRACE_PROBE1(conn__final__sqp__switch,
2407 conn_t *, connp);
2408 CONN_INC_REF(connp);
2409 SQUEUE_SWITCH(connp, connp->conn_final_sqp);
2410 SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
2411 tcp_input_data, connp, ira, ip_squeue_flag,
2412 SQTAG_CONNECT_FINISH);
2413 return;
2414 }
2415 DTRACE_PROBE1(conn__final__sqp__same, conn_t *, connp);
2416 }
2417 if (flags & TH_ACK) {
2418 /*
2419 * Note that our stack cannot send data before a
2420 * connection is established, therefore the
2421 * following check is valid. Otherwise, it has
2422 * to be changed.
2423 */
2424 if (SEQ_LEQ(seg_ack, tcp->tcp_iss) ||
2425 SEQ_GT(seg_ack, tcp->tcp_snxt)) {
2426 freemsg(mp);
2427 if (flags & TH_RST)
2428 return;
2429 tcp_xmit_ctl("TCPS_SYN_SENT-Bad_seq",
2430 tcp, seg_ack, 0, TH_RST);
2431 return;
2432 }
2433 ASSERT(tcp->tcp_suna + 1 == seg_ack);
2434 }
2435 if (flags & TH_RST) {
2436 if (flags & TH_ACK) {
2437 DTRACE_TCP5(connect__refused, mblk_t *, NULL,
2438 ip_xmit_attr_t *, connp->conn_ixa,
2439 void_ip_t *, iphdr, tcp_t *, tcp,
2440 tcph_t *, tcpha);
2441 (void) tcp_clean_death(tcp, ECONNREFUSED);
2442 }
2443 freemsg(mp);
2444 return;
2445 }
2446 if (!(flags & TH_SYN)) {
2447 freemsg(mp);
2448 return;
2449 }
2450
2451 /* Process all TCP options. */
2452 tcp_process_options(tcp, tcpha);
2453 /*
2454 * The following changes our rwnd to be a multiple of the
2455 * MIN(peer MSS, our MSS) for performance reason.
2456 */
2457 (void) tcp_rwnd_set(tcp, MSS_ROUNDUP(connp->conn_rcvbuf,
2458 tcp->tcp_mss));
2459
2460 /* Is the other end ECN capable? */
2461 if (tcp->tcp_ecn_ok) {
2462 if ((flags & (TH_ECE|TH_CWR)) != TH_ECE) {
2463 tcp->tcp_ecn_ok = B_FALSE;
2464 }
2465 }
2466 /*
2467 * Clear ECN flags because it may interfere with later
2468 * processing.
2469 */
2470 flags &= ~(TH_ECE|TH_CWR);
2471
2472 tcp->tcp_irs = seg_seq;
2473 tcp->tcp_rack = seg_seq;
2474 tcp->tcp_rnxt = seg_seq + 1;
2475 tcp->tcp_tcpha->tha_ack = htonl(tcp->tcp_rnxt);
2476 if (!TCP_IS_DETACHED(tcp)) {
2477 /* Allocate room for SACK options if needed. */
2478 connp->conn_wroff = connp->conn_ht_iphc_len;
2479 if (tcp->tcp_snd_sack_ok)
2480 connp->conn_wroff += TCPOPT_MAX_SACK_LEN;
2481 if (!tcp->tcp_loopback)
2482 connp->conn_wroff += tcps->tcps_wroff_xtra;
2483
2484 (void) proto_set_tx_wroff(connp->conn_rq, connp,
2485 connp->conn_wroff);
2486 }
2487 if (flags & TH_ACK) {
2488 /*
2489 * If we can't get the confirmation upstream, pretend
2490 * we didn't even see this one.
2491 *
2492 * XXX: how can we pretend we didn't see it if we
2493 * have updated rnxt et. al.
2494 *
2495 * For loopback we defer sending up the T_CONN_CON
2496 * until after some checks below.
2497 */
2498 mp1 = NULL;
2499 /*
2500 * tcp_sendmsg() checks tcp_state without entering
2501 * the squeue so tcp_state should be updated before
2502 * sending up connection confirmation. Probe the
2503 * state change below when we are sure the connection
2504 * confirmation has been sent.
2505 */
2506 tcp->tcp_state = TCPS_ESTABLISHED;
2507 if (!tcp_conn_con(tcp, iphdr, mp,
2508 tcp->tcp_loopback ? &mp1 : NULL, ira)) {
2509 tcp->tcp_state = TCPS_SYN_SENT;
2510 freemsg(mp);
2511 return;
2512 }
2513 TCPS_CONN_INC(tcps);
2514 /* SYN was acked - making progress */
2515 tcp->tcp_ip_forward_progress = B_TRUE;
2516
2517 /* One for the SYN */
2518 tcp->tcp_suna = tcp->tcp_iss + 1;
2519 tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
2520
2521 /*
2522 * If SYN was retransmitted, need to reset all
2523 * retransmission info. This is because this
2524 * segment will be treated as a dup ACK.
2525 */
2526 if (tcp->tcp_rexmit) {
2527 tcp->tcp_rexmit = B_FALSE;
2528 tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
2529 tcp->tcp_rexmit_max = tcp->tcp_snxt;
2530 tcp->tcp_snd_burst = tcp->tcp_localnet ?
2531 TCP_CWND_INFINITE : TCP_CWND_NORMAL;
2532 tcp->tcp_ms_we_have_waited = 0;
2533
2534 /*
2535 * Set tcp_cwnd back to 1 MSS, per
2536 * recommendation from
2537 * draft-floyd-incr-init-win-01.txt,
2538 * Increasing TCP's Initial Window.
2539 */
2540 tcp->tcp_cwnd = tcp->tcp_mss;
2541 }
2542
2543 tcp->tcp_swl1 = seg_seq;
2544 tcp->tcp_swl2 = seg_ack;
2545
2546 new_swnd = ntohs(tcpha->tha_win);
2547 tcp->tcp_swnd = new_swnd;
2548 if (new_swnd > tcp->tcp_max_swnd)
2549 tcp->tcp_max_swnd = new_swnd;
2550
2551 /*
2552 * Always send the three-way handshake ack immediately
2553 * in order to make the connection complete as soon as
2554 * possible on the accepting host.
2555 */
2556 flags |= TH_ACK_NEEDED;
2557
2558 /*
2559 * Trace connect-established here.
2560 */
2561 DTRACE_TCP5(connect__established, mblk_t *, NULL,
2562 ip_xmit_attr_t *, tcp->tcp_connp->conn_ixa,
2563 void_ip_t *, iphdr, tcp_t *, tcp, tcph_t *, tcpha);
2564
2565 /* Trace change from SYN_SENT -> ESTABLISHED here */
2566 DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
2567 connp->conn_ixa, void, NULL, tcp_t *, tcp,
2568 void, NULL, int32_t, TCPS_SYN_SENT);
2569
2570 /*
2571 * Special case for loopback. At this point we have
2572 * received SYN-ACK from the remote endpoint. In
2573 * order to ensure that both endpoints reach the
2574 * fused state prior to any data exchange, the final
2575 * ACK needs to be sent before we indicate T_CONN_CON
2576 * to the module upstream.
2577 */
2578 if (tcp->tcp_loopback) {
2579 mblk_t *ack_mp;
2580
2581 ASSERT(!tcp->tcp_unfusable);
2582 ASSERT(mp1 != NULL);
2583 /*
2584 * For loopback, we always get a pure SYN-ACK
2585 * and only need to send back the final ACK
2586 * with no data (this is because the other
2587 * tcp is ours and we don't do T/TCP). This
2588 * final ACK triggers the passive side to
2589 * perform fusion in ESTABLISHED state.
2590 */
2591 if ((ack_mp = tcp_ack_mp(tcp)) != NULL) {
2592 if (tcp->tcp_ack_tid != 0) {
2593 (void) TCP_TIMER_CANCEL(tcp,
2594 tcp->tcp_ack_tid);
2595 tcp->tcp_ack_tid = 0;
2596 }
2597 tcp_send_data(tcp, ack_mp);
2598 BUMP_LOCAL(tcp->tcp_obsegs);
2599 TCPS_BUMP_MIB(tcps, tcpOutAck);
2600
2601 if (!IPCL_IS_NONSTR(connp)) {
2602 /* Send up T_CONN_CON */
2603 if (ira->ira_cred != NULL) {
2604 mblk_setcred(mp1,
2605 ira->ira_cred,
2606 ira->ira_cpid);
2607 }
2608 putnext(connp->conn_rq, mp1);
2609 } else {
2610 (*connp->conn_upcalls->
2611 su_connected)
2612 (connp->conn_upper_handle,
2613 tcp->tcp_connid,
2614 ira->ira_cred,
2615 ira->ira_cpid);
2616 freemsg(mp1);
2617 }
2618
2619 freemsg(mp);
2620 return;
2621 }
2622 /*
2623 * Forget fusion; we need to handle more
2624 * complex cases below. Send the deferred
2625 * T_CONN_CON message upstream and proceed
2626 * as usual. Mark this tcp as not capable
2627 * of fusion.
2628 */
2629 TCP_STAT(tcps, tcp_fusion_unfusable);
2630 tcp->tcp_unfusable = B_TRUE;
2631 if (!IPCL_IS_NONSTR(connp)) {
2632 if (ira->ira_cred != NULL) {
2633 mblk_setcred(mp1, ira->ira_cred,
2634 ira->ira_cpid);
2635 }
2636 putnext(connp->conn_rq, mp1);
2637 } else {
2638 (*connp->conn_upcalls->su_connected)
2639 (connp->conn_upper_handle,
2640 tcp->tcp_connid, ira->ira_cred,
2641 ira->ira_cpid);
2642 freemsg(mp1);
2643 }
2644 }
2645
2646 /*
2647 * Check to see if there is data to be sent. If
2648 * yes, set the transmit flag. Then check to see
2649 * if received data processing needs to be done.
2650 * If not, go straight to xmit_check. This short
2651 * cut is OK as we don't support T/TCP.
2652 */
2653 if (tcp->tcp_unsent)
2654 flags |= TH_XMIT_NEEDED;
2655
2656 if (seg_len == 0 && !(flags & TH_URG)) {
2657 freemsg(mp);
2658 goto xmit_check;
2659 }
2660
2661 flags &= ~TH_SYN;
2662 seg_seq++;
2663 break;
2664 }
2665 tcp->tcp_state = TCPS_SYN_RCVD;
2666 DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
2667 connp->conn_ixa, void_ip_t *, NULL, tcp_t *, tcp,
2668 tcph_t *, NULL, int32_t, TCPS_SYN_SENT);
2669 mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, tcp->tcp_mss,
2670 NULL, NULL, tcp->tcp_iss, B_FALSE, NULL, B_FALSE);
2671 if (mp1 != NULL) {
2672 tcp_send_data(tcp, mp1);
2673 TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
2674 }
2675 freemsg(mp);
2676 return;
2677 case TCPS_SYN_RCVD:
2678 if (flags & TH_ACK) {
2679 uint32_t pinit_wnd;
2680
2681 /*
2682 * In this state, a SYN|ACK packet is either bogus
2683 * because the other side must be ACKing our SYN which
2684 * indicates it has seen the ACK for their SYN and
2685 * shouldn't retransmit it or we're crossing SYNs
2686 * on active open.
2687 */
2688 if ((flags & TH_SYN) && !tcp->tcp_active_open) {
2689 freemsg(mp);
2690 tcp_xmit_ctl("TCPS_SYN_RCVD-bad_syn",
2691 tcp, seg_ack, 0, TH_RST);
2692 return;
2693 }
2694 /*
2695 * NOTE: RFC 793 pg. 72 says this should be
2696 * tcp->tcp_suna <= seg_ack <= tcp->tcp_snxt
2697 * but that would mean we have an ack that ignored
2698 * our SYN.
2699 */
2700 if (SEQ_LEQ(seg_ack, tcp->tcp_suna) ||
2701 SEQ_GT(seg_ack, tcp->tcp_snxt)) {
2702 freemsg(mp);
2703 tcp_xmit_ctl("TCPS_SYN_RCVD-bad_ack",
2704 tcp, seg_ack, 0, TH_RST);
2705 return;
2706 }
2707 /*
2708 * No sane TCP stack will send such a small window
2709 * without receiving any data. Just drop this invalid
2710 * ACK. We also shorten the abort timeout in case
2711 * this is an attack.
2712 */
2713 pinit_wnd = ntohs(tcpha->tha_win) << tcp->tcp_snd_ws;
2714 if (pinit_wnd < tcp->tcp_mss &&
2715 pinit_wnd < tcp_init_wnd_chk) {
2716 freemsg(mp);
2717 TCP_STAT(tcps, tcp_zwin_ack_syn);
2718 tcp->tcp_second_ctimer_threshold =
2719 tcp_early_abort * SECONDS;
2720 return;
2721 }
2722 }
2723 break;
2724 case TCPS_LISTEN:
2725 /*
2726 * Only a TLI listener can come through this path when a
2727 * acceptor is going back to be a listener and a packet
2728 * for the acceptor hits the classifier. For a socket
2729 * listener, this can never happen because a listener
2730 * can never accept connection on itself and hence a
2731 * socket acceptor can not go back to being a listener.
2732 */
2733 ASSERT(!TCP_IS_SOCKET(tcp));
2734 /*FALLTHRU*/
2735 case TCPS_CLOSED:
2736 case TCPS_BOUND: {
2737 conn_t *new_connp;
2738 ip_stack_t *ipst = tcps->tcps_netstack->netstack_ip;
2739
2740 /*
2741 * Don't accept any input on a closed tcp as this TCP logically
2742 * does not exist on the system. Don't proceed further with
2743 * this TCP. For instance, this packet could trigger another
2744 * close of this tcp which would be disastrous for tcp_refcnt.
2745 * tcp_close_detached / tcp_clean_death / tcp_closei_local must
2746 * be called at most once on a TCP. In this case we need to
2747 * refeed the packet into the classifier and figure out where
2748 * the packet should go.
2749 */
2750 new_connp = ipcl_classify(mp, ira, ipst);
2751 if (new_connp != NULL) {
2752 /* Drops ref on new_connp */
2753 tcp_reinput(new_connp, mp, ira, ipst);
2754 return;
2755 }
2756 /* We failed to classify. For now just drop the packet */
2757 freemsg(mp);
2758 return;
2759 }
2760 case TCPS_IDLE:
2761 /*
2762 * Handle the case where the tcp_clean_death() has happened
2763 * on a connection (application hasn't closed yet) but a packet
2764 * was already queued on squeue before tcp_clean_death()
2765 * was processed. Calling tcp_clean_death() twice on same
2766 * connection can result in weird behaviour.
2767 */
2768 freemsg(mp);
2769 return;
2770 default:
2771 break;
2772 }
2773
2774 /*
2775 * Already on the correct queue/perimeter.
2776 * If this is a detached connection and not an eager
2777 * connection hanging off a listener then new data
2778 * (past the FIN) will cause a reset.
2779 * We do a special check here where it
2780 * is out of the main line, rather than check
2781 * if we are detached every time we see new
2782 * data down below.
2783 */
2784 if (TCP_IS_DETACHED_NONEAGER(tcp) &&
2785 (seg_len > 0 && SEQ_GT(seg_seq + seg_len, tcp->tcp_rnxt))) {
2786 TCPS_BUMP_MIB(tcps, tcpInClosed);
2787 DTRACE_PROBE2(tcp__trace__recv, mblk_t *, mp, tcp_t *, tcp);
2788 freemsg(mp);
2789 tcp_xmit_ctl("new data when detached", tcp,
2790 tcp->tcp_snxt, 0, TH_RST);
2791 (void) tcp_clean_death(tcp, EPROTO);
2792 return;
2793 }
2794
2795 mp->b_rptr = (uchar_t *)tcpha + TCP_HDR_LENGTH(tcpha);
2796 urp = ntohs(tcpha->tha_urp) - TCP_OLD_URP_INTERPRETATION;
2797 new_swnd = ntohs(tcpha->tha_win) <<
2798 ((tcpha->tha_flags & TH_SYN) ? 0 : tcp->tcp_snd_ws);
2799
2800 if (tcp->tcp_snd_ts_ok) {
2801 if (!tcp_paws_check(tcp, tcpha, &tcpopt)) {
2802 /*
2803 * This segment is not acceptable.
2804 * Drop it and send back an ACK.
2805 */
2806 freemsg(mp);
2807 flags |= TH_ACK_NEEDED;
2808 goto ack_check;
2809 }
2810 } else if (tcp->tcp_snd_sack_ok) {
2811 tcpopt.tcp = tcp;
2812 /*
2813 * SACK info in already updated in tcp_parse_options. Ignore
2814 * all other TCP options...
2815 */
2816 (void) tcp_parse_options(tcpha, &tcpopt);
2817 }
2818 try_again:;
2819 mss = tcp->tcp_mss;
2820 gap = seg_seq - tcp->tcp_rnxt;
2821 rgap = tcp->tcp_rwnd - (gap + seg_len);
2822 /*
2823 * gap is the amount of sequence space between what we expect to see
2824 * and what we got for seg_seq. A positive value for gap means
2825 * something got lost. A negative value means we got some old stuff.
2826 */
2827 if (gap < 0) {
2828 /* Old stuff present. Is the SYN in there? */
2829 if (seg_seq == tcp->tcp_irs && (flags & TH_SYN) &&
2830 (seg_len != 0)) {
2831 flags &= ~TH_SYN;
2832 seg_seq++;
2833 urp--;
2834 /* Recompute the gaps after noting the SYN. */
2835 goto try_again;
2836 }
2837 TCPS_BUMP_MIB(tcps, tcpInDataDupSegs);
2838 TCPS_UPDATE_MIB(tcps, tcpInDataDupBytes,
2839 (seg_len > -gap ? -gap : seg_len));
2840 /* Remove the old stuff from seg_len. */
2841 seg_len += gap;
2842 /*
2843 * Anything left?
2844 * Make sure to check for unack'd FIN when rest of data
2845 * has been previously ack'd.
2846 */
2847 if (seg_len < 0 || (seg_len == 0 && !(flags & TH_FIN))) {
2848 /*
2849 * Resets are only valid if they lie within our offered
2850 * window. If the RST bit is set, we just ignore this
2851 * segment.
2852 */
2853 if (flags & TH_RST) {
2854 freemsg(mp);
2855 return;
2856 }
2857
2858 /*
2859 * The arriving of dup data packets indicate that we
2860 * may have postponed an ack for too long, or the other
2861 * side's RTT estimate is out of shape. Start acking
2862 * more often.
2863 */
2864 if (SEQ_GEQ(seg_seq + seg_len - gap, tcp->tcp_rack) &&
2865 tcp->tcp_rack_cnt >= 1 &&
2866 tcp->tcp_rack_abs_max > 2) {
2867 tcp->tcp_rack_abs_max--;
2868 }
2869 tcp->tcp_rack_cur_max = 1;
2870
2871 /*
2872 * This segment is "unacceptable". None of its
2873 * sequence space lies within our advertized window.
2874 *
2875 * Adjust seg_len to the original value for tracing.
2876 */
2877 seg_len -= gap;
2878 if (connp->conn_debug) {
2879 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
2880 "tcp_rput: unacceptable, gap %d, rgap %d, "
2881 "flags 0x%x, seg_seq %u, seg_ack %u, "
2882 "seg_len %d, rnxt %u, snxt %u, %s",
2883 gap, rgap, flags, seg_seq, seg_ack,
2884 seg_len, tcp->tcp_rnxt, tcp->tcp_snxt,
2885 tcp_display(tcp, NULL,
2886 DISP_ADDR_AND_PORT));
2887 }
2888
2889 /*
2890 * Arrange to send an ACK in response to the
2891 * unacceptable segment per RFC 793 page 69. There
2892 * is only one small difference between ours and the
2893 * acceptability test in the RFC - we accept ACK-only
2894 * packet with SEG.SEQ = RCV.NXT+RCV.WND and no ACK
2895 * will be generated.
2896 *
2897 * Note that we have to ACK an ACK-only packet at least
2898 * for stacks that send 0-length keep-alives with
2899 * SEG.SEQ = SND.NXT-1 as recommended by RFC1122,
2900 * section 4.2.3.6. As long as we don't ever generate
2901 * an unacceptable packet in response to an incoming
2902 * packet that is unacceptable, it should not cause
2903 * "ACK wars".
2904 */
2905 flags |= TH_ACK_NEEDED;
2906
2907 /*
2908 * Continue processing this segment in order to use the
2909 * ACK information it contains, but skip all other
2910 * sequence-number processing. Processing the ACK
2911 * information is necessary in order to
2912 * re-synchronize connections that may have lost
2913 * synchronization.
2914 *
2915 * We clear seg_len and flag fields related to
2916 * sequence number processing as they are not
2917 * to be trusted for an unacceptable segment.
2918 */
2919 seg_len = 0;
2920 flags &= ~(TH_SYN | TH_FIN | TH_URG);
2921 goto process_ack;
2922 }
2923
2924 /* Fix seg_seq, and chew the gap off the front. */
2925 seg_seq = tcp->tcp_rnxt;
2926 urp += gap;
2927 do {
2928 mblk_t *mp2;
2929 ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
2930 (uintptr_t)UINT_MAX);
2931 gap += (uint_t)(mp->b_wptr - mp->b_rptr);
2932 if (gap > 0) {
2933 mp->b_rptr = mp->b_wptr - gap;
2934 break;
2935 }
2936 mp2 = mp;
2937 mp = mp->b_cont;
2938 freeb(mp2);
2939 } while (gap < 0);
2940 /*
2941 * If the urgent data has already been acknowledged, we
2942 * should ignore TH_URG below
2943 */
2944 if (urp < 0)
2945 flags &= ~TH_URG;
2946 }
2947 /*
2948 * rgap is the amount of stuff received out of window. A negative
2949 * value is the amount out of window.
2950 */
2951 if (rgap < 0) {
2952 mblk_t *mp2;
2953
2954 if (tcp->tcp_rwnd == 0) {
2955 TCPS_BUMP_MIB(tcps, tcpInWinProbe);
2956 } else {
2957 TCPS_BUMP_MIB(tcps, tcpInDataPastWinSegs);
2958 TCPS_UPDATE_MIB(tcps, tcpInDataPastWinBytes, -rgap);
2959 }
2960
2961 /*
2962 * seg_len does not include the FIN, so if more than
2963 * just the FIN is out of window, we act like we don't
2964 * see it. (If just the FIN is out of window, rgap
2965 * will be zero and we will go ahead and acknowledge
2966 * the FIN.)
2967 */
2968 flags &= ~TH_FIN;
2969
2970 /* Fix seg_len and make sure there is something left. */
2971 seg_len += rgap;
2972 if (seg_len <= 0) {
2973 /*
2974 * Resets are only valid if they lie within our offered
2975 * window. If the RST bit is set, we just ignore this
2976 * segment.
2977 */
2978 if (flags & TH_RST) {
2979 freemsg(mp);
2980 return;
2981 }
2982
2983 /* Per RFC 793, we need to send back an ACK. */
2984 flags |= TH_ACK_NEEDED;
2985
2986 /*
2987 * Send SIGURG as soon as possible i.e. even
2988 * if the TH_URG was delivered in a window probe
2989 * packet (which will be unacceptable).
2990 *
2991 * We generate a signal if none has been generated
2992 * for this connection or if this is a new urgent
2993 * byte. Also send a zero-length "unmarked" message
2994 * to inform SIOCATMARK that this is not the mark.
2995 *
2996 * tcp_urp_last_valid is cleared when the T_exdata_ind
2997 * is sent up. This plus the check for old data
2998 * (gap >= 0) handles the wraparound of the sequence
2999 * number space without having to always track the
3000 * correct MAX(tcp_urp_last, tcp_rnxt). (BSD tracks
3001 * this max in its rcv_up variable).
3002 *
3003 * This prevents duplicate SIGURGS due to a "late"
3004 * zero-window probe when the T_EXDATA_IND has already
3005 * been sent up.
3006 */
3007 if ((flags & TH_URG) &&
3008 (!tcp->tcp_urp_last_valid || SEQ_GT(urp + seg_seq,
3009 tcp->tcp_urp_last))) {
3010 if (IPCL_IS_NONSTR(connp)) {
3011 if (!TCP_IS_DETACHED(tcp)) {
3012 (*connp->conn_upcalls->
3013 su_signal_oob)
3014 (connp->conn_upper_handle,
3015 urp);
3016 }
3017 } else {
3018 mp1 = allocb(0, BPRI_MED);
3019 if (mp1 == NULL) {
3020 freemsg(mp);
3021 return;
3022 }
3023 if (!TCP_IS_DETACHED(tcp) &&
3024 !putnextctl1(connp->conn_rq,
3025 M_PCSIG, SIGURG)) {
3026 /* Try again on the rexmit. */
3027 freemsg(mp1);
3028 freemsg(mp);
3029 return;
3030 }
3031 /*
3032 * If the next byte would be the mark
3033 * then mark with MARKNEXT else mark
3034 * with NOTMARKNEXT.
3035 */
3036 if (gap == 0 && urp == 0)
3037 mp1->b_flag |= MSGMARKNEXT;
3038 else
3039 mp1->b_flag |= MSGNOTMARKNEXT;
3040 freemsg(tcp->tcp_urp_mark_mp);
3041 tcp->tcp_urp_mark_mp = mp1;
3042 flags |= TH_SEND_URP_MARK;
3043 }
3044 tcp->tcp_urp_last_valid = B_TRUE;
3045 tcp->tcp_urp_last = urp + seg_seq;
3046 }
3047 /*
3048 * If this is a zero window probe, continue to
3049 * process the ACK part. But we need to set seg_len
3050 * to 0 to avoid data processing. Otherwise just
3051 * drop the segment and send back an ACK.
3052 */
3053 if (tcp->tcp_rwnd == 0 && seg_seq == tcp->tcp_rnxt) {
3054 flags &= ~(TH_SYN | TH_URG);
3055 seg_len = 0;
3056 goto process_ack;
3057 } else {
3058 freemsg(mp);
3059 goto ack_check;
3060 }
3061 }
3062 /* Pitch out of window stuff off the end. */
3063 rgap = seg_len;
3064 mp2 = mp;
3065 do {
3066 ASSERT((uintptr_t)(mp2->b_wptr - mp2->b_rptr) <=
3067 (uintptr_t)INT_MAX);
3068 rgap -= (int)(mp2->b_wptr - mp2->b_rptr);
3069 if (rgap < 0) {
3070 mp2->b_wptr += rgap;
3071 if ((mp1 = mp2->b_cont) != NULL) {
3072 mp2->b_cont = NULL;
3073 freemsg(mp1);
3074 }
3075 break;
3076 }
3077 } while ((mp2 = mp2->b_cont) != NULL);
3078 }
3079 ok:;
3080 /*
3081 * TCP should check ECN info for segments inside the window only.
3082 * Therefore the check should be done here.
3083 */
3084 if (tcp->tcp_ecn_ok) {
3085 if (flags & TH_CWR) {
3086 tcp->tcp_ecn_echo_on = B_FALSE;
3087 }
3088 /*
3089 * Note that both ECN_CE and CWR can be set in the
3090 * same segment. In this case, we once again turn
3091 * on ECN_ECHO.
3092 */
3093 if (connp->conn_ipversion == IPV4_VERSION) {
3094 uchar_t tos = ((ipha_t *)rptr)->ipha_type_of_service;
3095
3096 if ((tos & IPH_ECN_CE) == IPH_ECN_CE) {
3097 tcp->tcp_ecn_echo_on = B_TRUE;
3098 }
3099 } else {
3100 uint32_t vcf = ((ip6_t *)rptr)->ip6_vcf;
3101
3102 if ((vcf & htonl(IPH_ECN_CE << 20)) ==
3103 htonl(IPH_ECN_CE << 20)) {
3104 tcp->tcp_ecn_echo_on = B_TRUE;
3105 }
3106 }
3107 }
3108
3109 /*
3110 * Check whether we can update tcp_ts_recent. This test is
3111 * NOT the one in RFC 1323 3.4. It is from Braden, 1993, "TCP
3112 * Extensions for High Performance: An Update", Internet Draft.
3113 */
3114 if (tcp->tcp_snd_ts_ok &&
3115 TSTMP_GEQ(tcpopt.tcp_opt_ts_val, tcp->tcp_ts_recent) &&
3116 SEQ_LEQ(seg_seq, tcp->tcp_rack)) {
3117 tcp->tcp_ts_recent = tcpopt.tcp_opt_ts_val;
3118 tcp->tcp_last_rcv_lbolt = LBOLT_FASTPATH64;
3119 }
3120
3121 if (seg_seq != tcp->tcp_rnxt || tcp->tcp_reass_head) {
3122 /*
3123 * FIN in an out of order segment. We record this in
3124 * tcp_valid_bits and the seq num of FIN in tcp_ofo_fin_seq.
3125 * Clear the FIN so that any check on FIN flag will fail.
3126 * Remember that FIN also counts in the sequence number
3127 * space. So we need to ack out of order FIN only segments.
3128 */
3129 if (flags & TH_FIN) {
3130 tcp->tcp_valid_bits |= TCP_OFO_FIN_VALID;
3131 tcp->tcp_ofo_fin_seq = seg_seq + seg_len;
3132 flags &= ~TH_FIN;
3133 flags |= TH_ACK_NEEDED;
3134 }
3135 if (seg_len > 0) {
3136 /* Fill in the SACK blk list. */
3137 if (tcp->tcp_snd_sack_ok) {
3138 tcp_sack_insert(tcp->tcp_sack_list,
3139 seg_seq, seg_seq + seg_len,
3140 &(tcp->tcp_num_sack_blk));
3141 }
3142
3143 /*
3144 * Attempt reassembly and see if we have something
3145 * ready to go.
3146 */
3147 mp = tcp_reass(tcp, mp, seg_seq);
3148 /* Always ack out of order packets */
3149 flags |= TH_ACK_NEEDED | TH_PUSH;
3150 if (mp) {
3151 ASSERT((uintptr_t)(mp->b_wptr - mp->b_rptr) <=
3152 (uintptr_t)INT_MAX);
3153 seg_len = mp->b_cont ? msgdsize(mp) :
3154 (int)(mp->b_wptr - mp->b_rptr);
3155 seg_seq = tcp->tcp_rnxt;
3156 /*
3157 * A gap is filled and the seq num and len
3158 * of the gap match that of a previously
3159 * received FIN, put the FIN flag back in.
3160 */
3161 if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3162 seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3163 flags |= TH_FIN;
3164 tcp->tcp_valid_bits &=
3165 ~TCP_OFO_FIN_VALID;
3166 }
3167 if (tcp->tcp_reass_tid != 0) {
3168 (void) TCP_TIMER_CANCEL(tcp,
3169 tcp->tcp_reass_tid);
3170 /*
3171 * Restart the timer if there is still
3172 * data in the reassembly queue.
3173 */
3174 if (tcp->tcp_reass_head != NULL) {
3175 tcp->tcp_reass_tid = TCP_TIMER(
3176 tcp, tcp_reass_timer,
3177 tcps->tcps_reass_timeout);
3178 } else {
3179 tcp->tcp_reass_tid = 0;
3180 }
3181 }
3182 } else {
3183 /*
3184 * Keep going even with NULL mp.
3185 * There may be a useful ACK or something else
3186 * we don't want to miss.
3187 *
3188 * But TCP should not perform fast retransmit
3189 * because of the ack number. TCP uses
3190 * seg_len == 0 to determine if it is a pure
3191 * ACK. And this is not a pure ACK.
3192 */
3193 seg_len = 0;
3194 ofo_seg = B_TRUE;
3195
3196 if (tcps->tcps_reass_timeout != 0 &&
3197 tcp->tcp_reass_tid == 0) {
3198 tcp->tcp_reass_tid = TCP_TIMER(tcp,
3199 tcp_reass_timer,
3200 tcps->tcps_reass_timeout);
3201 }
3202 }
3203 }
3204 } else if (seg_len > 0) {
3205 TCPS_BUMP_MIB(tcps, tcpInDataInorderSegs);
3206 TCPS_UPDATE_MIB(tcps, tcpInDataInorderBytes, seg_len);
3207 /*
3208 * If an out of order FIN was received before, and the seq
3209 * num and len of the new segment match that of the FIN,
3210 * put the FIN flag back in.
3211 */
3212 if ((tcp->tcp_valid_bits & TCP_OFO_FIN_VALID) &&
3213 seg_seq + seg_len == tcp->tcp_ofo_fin_seq) {
3214 flags |= TH_FIN;
3215 tcp->tcp_valid_bits &= ~TCP_OFO_FIN_VALID;
3216 }
3217 }
3218 if ((flags & (TH_RST | TH_SYN | TH_URG | TH_ACK)) != TH_ACK) {
3219 if (flags & TH_RST) {
3220 freemsg(mp);
3221 switch (tcp->tcp_state) {
3222 case TCPS_SYN_RCVD:
3223 (void) tcp_clean_death(tcp, ECONNREFUSED);
3224 break;
3225 case TCPS_ESTABLISHED:
3226 case TCPS_FIN_WAIT_1:
3227 case TCPS_FIN_WAIT_2:
3228 case TCPS_CLOSE_WAIT:
3229 (void) tcp_clean_death(tcp, ECONNRESET);
3230 break;
3231 case TCPS_CLOSING:
3232 case TCPS_LAST_ACK:
3233 (void) tcp_clean_death(tcp, 0);
3234 break;
3235 default:
3236 ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
3237 (void) tcp_clean_death(tcp, ENXIO);
3238 break;
3239 }
3240 return;
3241 }
3242 if (flags & TH_SYN) {
3243 /*
3244 * See RFC 793, Page 71
3245 *
3246 * The seq number must be in the window as it should
3247 * be "fixed" above. If it is outside window, it should
3248 * be already rejected. Note that we allow seg_seq to be
3249 * rnxt + rwnd because we want to accept 0 window probe.
3250 */
3251 ASSERT(SEQ_GEQ(seg_seq, tcp->tcp_rnxt) &&
3252 SEQ_LEQ(seg_seq, tcp->tcp_rnxt + tcp->tcp_rwnd));
3253 freemsg(mp);
3254 /*
3255 * If the ACK flag is not set, just use our snxt as the
3256 * seq number of the RST segment.
3257 */
3258 if (!(flags & TH_ACK)) {
3259 seg_ack = tcp->tcp_snxt;
3260 }
3261 tcp_xmit_ctl("TH_SYN", tcp, seg_ack, seg_seq + 1,
3262 TH_RST|TH_ACK);
3263 ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
3264 (void) tcp_clean_death(tcp, ECONNRESET);
3265 return;
3266 }
3267 /*
3268 * urp could be -1 when the urp field in the packet is 0
3269 * and TCP_OLD_URP_INTERPRETATION is set. This implies that the urgent
3270 * byte was at seg_seq - 1, in which case we ignore the urgent flag.
3271 */
3272 if (flags & TH_URG && urp >= 0) {
3273 if (!tcp->tcp_urp_last_valid ||
3274 SEQ_GT(urp + seg_seq, tcp->tcp_urp_last)) {
3275 /*
3276 * Non-STREAMS sockets handle the urgent data a litte
3277 * differently from STREAMS based sockets. There is no
3278 * need to mark any mblks with the MSG{NOT,}MARKNEXT
3279 * flags to keep SIOCATMARK happy. Instead a
3280 * su_signal_oob upcall is made to update the mark.
3281 * Neither is a T_EXDATA_IND mblk needed to be
3282 * prepended to the urgent data. The urgent data is
3283 * delivered using the su_recv upcall, where we set
3284 * the MSG_OOB flag to indicate that it is urg data.
3285 *
3286 * Neither TH_SEND_URP_MARK nor TH_MARKNEXT_NEEDED
3287 * are used by non-STREAMS sockets.
3288 */
3289 if (IPCL_IS_NONSTR(connp)) {
3290 if (!TCP_IS_DETACHED(tcp)) {
3291 (*connp->conn_upcalls->su_signal_oob)
3292 (connp->conn_upper_handle, urp);
3293 }
3294 } else {
3295 /*
3296 * If we haven't generated the signal yet for
3297 * this urgent pointer value, do it now. Also,
3298 * send up a zero-length M_DATA indicating
3299 * whether or not this is the mark. The latter
3300 * is not needed when a T_EXDATA_IND is sent up.
3301 * However, if there are allocation failures
3302 * this code relies on the sender retransmitting
3303 * and the socket code for determining the mark
3304 * should not block waiting for the peer to
3305 * transmit. Thus, for simplicity we always
3306 * send up the mark indication.
3307 */
3308 mp1 = allocb(0, BPRI_MED);
3309 if (mp1 == NULL) {
3310 freemsg(mp);
3311 return;
3312 }
3313 if (!TCP_IS_DETACHED(tcp) &&
3314 !putnextctl1(connp->conn_rq, M_PCSIG,
3315 SIGURG)) {
3316 /* Try again on the rexmit. */
3317 freemsg(mp1);
3318 freemsg(mp);
3319 return;
3320 }
3321 /*
3322 * Mark with NOTMARKNEXT for now.
3323 * The code below will change this to MARKNEXT
3324 * if we are at the mark.
3325 *
3326 * If there are allocation failures (e.g. in
3327 * dupmsg below) the next time tcp_input_data
3328 * sees the urgent segment it will send up the
3329 * MSGMARKNEXT message.
3330 */
3331 mp1->b_flag |= MSGNOTMARKNEXT;
3332 freemsg(tcp->tcp_urp_mark_mp);
3333 tcp->tcp_urp_mark_mp = mp1;
3334 flags |= TH_SEND_URP_MARK;
3335 #ifdef DEBUG
3336 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3337 "tcp_rput: sent M_PCSIG 2 seq %x urp %x "
3338 "last %x, %s",
3339 seg_seq, urp, tcp->tcp_urp_last,
3340 tcp_display(tcp, NULL, DISP_PORT_ONLY));
3341 #endif /* DEBUG */
3342 }
3343 tcp->tcp_urp_last_valid = B_TRUE;
3344 tcp->tcp_urp_last = urp + seg_seq;
3345 } else if (tcp->tcp_urp_mark_mp != NULL) {
3346 /*
3347 * An allocation failure prevented the previous
3348 * tcp_input_data from sending up the allocated
3349 * MSG*MARKNEXT message - send it up this time
3350 * around.
3351 */
3352 flags |= TH_SEND_URP_MARK;
3353 }
3354
3355 /*
3356 * If the urgent byte is in this segment, make sure that it is
3357 * all by itself. This makes it much easier to deal with the
3358 * possibility of an allocation failure on the T_exdata_ind.
3359 * Note that seg_len is the number of bytes in the segment, and
3360 * urp is the offset into the segment of the urgent byte.
3361 * urp < seg_len means that the urgent byte is in this segment.
3362 */
3363 if (urp < seg_len) {
3364 if (seg_len != 1) {
3365 uint32_t tmp_rnxt;
3366 /*
3367 * Break it up and feed it back in.
3368 * Re-attach the IP header.
3369 */
3370 mp->b_rptr = iphdr;
3371 if (urp > 0) {
3372 /*
3373 * There is stuff before the urgent
3374 * byte.
3375 */
3376 mp1 = dupmsg(mp);
3377 if (!mp1) {
3378 /*
3379 * Trim from urgent byte on.
3380 * The rest will come back.
3381 */
3382 (void) adjmsg(mp,
3383 urp - seg_len);
3384 tcp_input_data(connp,
3385 mp, NULL, ira);
3386 return;
3387 }
3388 (void) adjmsg(mp1, urp - seg_len);
3389 /* Feed this piece back in. */
3390 tmp_rnxt = tcp->tcp_rnxt;
3391 tcp_input_data(connp, mp1, NULL, ira);
3392 /*
3393 * If the data passed back in was not
3394 * processed (ie: bad ACK) sending
3395 * the remainder back in will cause a
3396 * loop. In this case, drop the
3397 * packet and let the sender try
3398 * sending a good packet.
3399 */
3400 if (tmp_rnxt == tcp->tcp_rnxt) {
3401 freemsg(mp);
3402 return;
3403 }
3404 }
3405 if (urp != seg_len - 1) {
3406 uint32_t tmp_rnxt;
3407 /*
3408 * There is stuff after the urgent
3409 * byte.
3410 */
3411 mp1 = dupmsg(mp);
3412 if (!mp1) {
3413 /*
3414 * Trim everything beyond the
3415 * urgent byte. The rest will
3416 * come back.
3417 */
3418 (void) adjmsg(mp,
3419 urp + 1 - seg_len);
3420 tcp_input_data(connp,
3421 mp, NULL, ira);
3422 return;
3423 }
3424 (void) adjmsg(mp1, urp + 1 - seg_len);
3425 tmp_rnxt = tcp->tcp_rnxt;
3426 tcp_input_data(connp, mp1, NULL, ira);
3427 /*
3428 * If the data passed back in was not
3429 * processed (ie: bad ACK) sending
3430 * the remainder back in will cause a
3431 * loop. In this case, drop the
3432 * packet and let the sender try
3433 * sending a good packet.
3434 */
3435 if (tmp_rnxt == tcp->tcp_rnxt) {
3436 freemsg(mp);
3437 return;
3438 }
3439 }
3440 tcp_input_data(connp, mp, NULL, ira);
3441 return;
3442 }
3443 /*
3444 * This segment contains only the urgent byte. We
3445 * have to allocate the T_exdata_ind, if we can.
3446 */
3447 if (IPCL_IS_NONSTR(connp)) {
3448 int error;
3449
3450 (*connp->conn_upcalls->su_recv)
3451 (connp->conn_upper_handle, mp, seg_len,
3452 MSG_OOB, &error, NULL);
3453 /*
3454 * We should never be in middle of a
3455 * fallback, the squeue guarantees that.
3456 */
3457 ASSERT(error != EOPNOTSUPP);
3458 mp = NULL;
3459 goto update_ack;
3460 } else if (!tcp->tcp_urp_mp) {
3461 struct T_exdata_ind *tei;
3462 mp1 = allocb(sizeof (struct T_exdata_ind),
3463 BPRI_MED);
3464 if (!mp1) {
3465 /*
3466 * Sigh... It'll be back.
3467 * Generate any MSG*MARK message now.
3468 */
3469 freemsg(mp);
3470 seg_len = 0;
3471 if (flags & TH_SEND_URP_MARK) {
3472
3473
3474 ASSERT(tcp->tcp_urp_mark_mp);
3475 tcp->tcp_urp_mark_mp->b_flag &=
3476 ~MSGNOTMARKNEXT;
3477 tcp->tcp_urp_mark_mp->b_flag |=
3478 MSGMARKNEXT;
3479 }
3480 goto ack_check;
3481 }
3482 mp1->b_datap->db_type = M_PROTO;
3483 tei = (struct T_exdata_ind *)mp1->b_rptr;
3484 tei->PRIM_type = T_EXDATA_IND;
3485 tei->MORE_flag = 0;
3486 mp1->b_wptr = (uchar_t *)&tei[1];
3487 tcp->tcp_urp_mp = mp1;
3488 #ifdef DEBUG
3489 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3490 "tcp_rput: allocated exdata_ind %s",
3491 tcp_display(tcp, NULL,
3492 DISP_PORT_ONLY));
3493 #endif /* DEBUG */
3494 /*
3495 * There is no need to send a separate MSG*MARK
3496 * message since the T_EXDATA_IND will be sent
3497 * now.
3498 */
3499 flags &= ~TH_SEND_URP_MARK;
3500 freemsg(tcp->tcp_urp_mark_mp);
3501 tcp->tcp_urp_mark_mp = NULL;
3502 }
3503 /*
3504 * Now we are all set. On the next putnext upstream,
3505 * tcp_urp_mp will be non-NULL and will get prepended
3506 * to what has to be this piece containing the urgent
3507 * byte. If for any reason we abort this segment below,
3508 * if it comes back, we will have this ready, or it
3509 * will get blown off in close.
3510 */
3511 } else if (urp == seg_len) {
3512 /*
3513 * The urgent byte is the next byte after this sequence
3514 * number. If this endpoint is non-STREAMS, then there
3515 * is nothing to do here since the socket has already
3516 * been notified about the urg pointer by the
3517 * su_signal_oob call above.
3518 *
3519 * In case of STREAMS, some more work might be needed.
3520 * If there is data it is marked with MSGMARKNEXT and
3521 * and any tcp_urp_mark_mp is discarded since it is not
3522 * needed. Otherwise, if the code above just allocated
3523 * a zero-length tcp_urp_mark_mp message, that message
3524 * is tagged with MSGMARKNEXT. Sending up these
3525 * MSGMARKNEXT messages makes SIOCATMARK work correctly
3526 * even though the T_EXDATA_IND will not be sent up
3527 * until the urgent byte arrives.
3528 */
3529 if (!IPCL_IS_NONSTR(tcp->tcp_connp)) {
3530 if (seg_len != 0) {
3531 flags |= TH_MARKNEXT_NEEDED;
3532 freemsg(tcp->tcp_urp_mark_mp);
3533 tcp->tcp_urp_mark_mp = NULL;
3534 flags &= ~TH_SEND_URP_MARK;
3535 } else if (tcp->tcp_urp_mark_mp != NULL) {
3536 flags |= TH_SEND_URP_MARK;
3537 tcp->tcp_urp_mark_mp->b_flag &=
3538 ~MSGNOTMARKNEXT;
3539 tcp->tcp_urp_mark_mp->b_flag |=
3540 MSGMARKNEXT;
3541 }
3542 }
3543 #ifdef DEBUG
3544 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3545 "tcp_rput: AT MARK, len %d, flags 0x%x, %s",
3546 seg_len, flags,
3547 tcp_display(tcp, NULL, DISP_PORT_ONLY));
3548 #endif /* DEBUG */
3549 }
3550 #ifdef DEBUG
3551 else {
3552 /* Data left until we hit mark */
3553 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
3554 "tcp_rput: URP %d bytes left, %s",
3555 urp - seg_len, tcp_display(tcp, NULL,
3556 DISP_PORT_ONLY));
3557 }
3558 #endif /* DEBUG */
3559 }
3560
3561 process_ack:
3562 if (!(flags & TH_ACK)) {
3563 freemsg(mp);
3564 goto xmit_check;
3565 }
3566 }
3567 bytes_acked = (int)(seg_ack - tcp->tcp_suna);
3568
3569 if (bytes_acked > 0)
3570 tcp->tcp_ip_forward_progress = B_TRUE;
3571 if (tcp->tcp_state == TCPS_SYN_RCVD) {
3572 /*
3573 * tcp_sendmsg() checks tcp_state without entering
3574 * the squeue so tcp_state should be updated before
3575 * sending up a connection confirmation or a new
3576 * connection indication.
3577 */
3578 tcp->tcp_state = TCPS_ESTABLISHED;
3579
3580 /*
3581 * We are seeing the final ack in the three way
3582 * hand shake of a active open'ed connection
3583 * so we must send up a T_CONN_CON
3584 */
3585 if (tcp->tcp_active_open) {
3586 if (!tcp_conn_con(tcp, iphdr, mp, NULL, ira)) {
3587 freemsg(mp);
3588 tcp->tcp_state = TCPS_SYN_RCVD;
3589 return;
3590 }
3591 /*
3592 * Don't fuse the loopback endpoints for
3593 * simultaneous active opens.
3594 */
3595 if (tcp->tcp_loopback) {
3596 TCP_STAT(tcps, tcp_fusion_unfusable);
3597 tcp->tcp_unfusable = B_TRUE;
3598 }
3599 /*
3600 * For simultaneous active open, trace receipt of final
3601 * ACK as tcp:::connect-established.
3602 */
3603 DTRACE_TCP5(connect__established, mblk_t *, NULL,
3604 ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3605 iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3606 } else if (IPCL_IS_NONSTR(connp)) {
3607 /*
3608 * 3-way handshake has completed, so notify socket
3609 * of the new connection.
3610 *
3611 * We are here means eager is fine but it can
3612 * get a TH_RST at any point between now and till
3613 * accept completes and disappear. We need to
3614 * ensure that reference to eager is valid after
3615 * we get out of eager's perimeter. So we do
3616 * an extra refhold.
3617 */
3618 CONN_INC_REF(connp);
3619
3620 if (!tcp_newconn_notify(tcp, ira)) {
3621 /*
3622 * The state-change probe for SYN_RCVD ->
3623 * ESTABLISHED has not fired yet. We reset
3624 * the state to SYN_RCVD so that future
3625 * state-change probes report correct state
3626 * transistions.
3627 */
3628 tcp->tcp_state = TCPS_SYN_RCVD;
3629 freemsg(mp);
3630 /* notification did not go up, so drop ref */
3631 CONN_DEC_REF(connp);
3632 /* ... and close the eager */
3633 ASSERT(TCP_IS_DETACHED(tcp));
3634 (void) tcp_close_detached(tcp);
3635 return;
3636 }
3637 /*
3638 * For passive open, trace receipt of final ACK as
3639 * tcp:::accept-established.
3640 */
3641 DTRACE_TCP5(accept__established, mlbk_t *, NULL,
3642 ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3643 iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3644 } else {
3645 /*
3646 * 3-way handshake complete - this is a STREAMS based
3647 * socket, so pass up the T_CONN_IND.
3648 */
3649 tcp_t *listener = tcp->tcp_listener;
3650 mblk_t *mp = tcp->tcp_conn.tcp_eager_conn_ind;
3651
3652 tcp->tcp_tconnind_started = B_TRUE;
3653 tcp->tcp_conn.tcp_eager_conn_ind = NULL;
3654 ASSERT(mp != NULL);
3655 /*
3656 * We are here means eager is fine but it can
3657 * get a TH_RST at any point between now and till
3658 * accept completes and disappear. We need to
3659 * ensure that reference to eager is valid after
3660 * we get out of eager's perimeter. So we do
3661 * an extra refhold.
3662 */
3663 CONN_INC_REF(connp);
3664
3665 /*
3666 * The listener also exists because of the refhold
3667 * done in tcp_input_listener. Its possible that it
3668 * might have closed. We will check that once we
3669 * get inside listeners context.
3670 */
3671 CONN_INC_REF(listener->tcp_connp);
3672 if (listener->tcp_connp->conn_sqp ==
3673 connp->conn_sqp) {
3674 /*
3675 * We optimize by not calling an SQUEUE_ENTER
3676 * on the listener since we know that the
3677 * listener and eager squeues are the same.
3678 * We are able to make this check safely only
3679 * because neither the eager nor the listener
3680 * can change its squeue. Only an active connect
3681 * can change its squeue
3682 */
3683 tcp_send_conn_ind(listener->tcp_connp, mp,
3684 listener->tcp_connp->conn_sqp);
3685 CONN_DEC_REF(listener->tcp_connp);
3686 } else if (!tcp->tcp_loopback) {
3687 SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
3688 mp, tcp_send_conn_ind,
3689 listener->tcp_connp, NULL, SQ_FILL,
3690 SQTAG_TCP_CONN_IND);
3691 } else {
3692 SQUEUE_ENTER_ONE(listener->tcp_connp->conn_sqp,
3693 mp, tcp_send_conn_ind,
3694 listener->tcp_connp, NULL, SQ_NODRAIN,
3695 SQTAG_TCP_CONN_IND);
3696 }
3697 /*
3698 * For passive open, trace receipt of final ACK as
3699 * tcp:::accept-established.
3700 */
3701 DTRACE_TCP5(accept__established, mlbk_t *, NULL,
3702 ip_xmit_attr_t *, connp->conn_ixa, void_ip_t *,
3703 iphdr, tcp_t *, tcp, tcph_t *, tcpha);
3704 }
3705 TCPS_CONN_INC(tcps);
3706
3707 tcp->tcp_suna = tcp->tcp_iss + 1; /* One for the SYN */
3708 bytes_acked--;
3709 /* SYN was acked - making progress */
3710 tcp->tcp_ip_forward_progress = B_TRUE;
3711
3712 /*
3713 * If SYN was retransmitted, need to reset all
3714 * retransmission info as this segment will be
3715 * treated as a dup ACK.
3716 */
3717 if (tcp->tcp_rexmit) {
3718 tcp->tcp_rexmit = B_FALSE;
3719 tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
3720 tcp->tcp_rexmit_max = tcp->tcp_snxt;
3721 tcp->tcp_snd_burst = tcp->tcp_localnet ?
3722 TCP_CWND_INFINITE : TCP_CWND_NORMAL;
3723 tcp->tcp_ms_we_have_waited = 0;
3724 tcp->tcp_cwnd = mss;
3725 }
3726
3727 /*
3728 * We set the send window to zero here.
3729 * This is needed if there is data to be
3730 * processed already on the queue.
3731 * Later (at swnd_update label), the
3732 * "new_swnd > tcp_swnd" condition is satisfied
3733 * the XMIT_NEEDED flag is set in the current
3734 * (SYN_RCVD) state. This ensures tcp_wput_data() is
3735 * called if there is already data on queue in
3736 * this state.
3737 */
3738 tcp->tcp_swnd = 0;
3739
3740 if (new_swnd > tcp->tcp_max_swnd)
3741 tcp->tcp_max_swnd = new_swnd;
3742 tcp->tcp_swl1 = seg_seq;
3743 tcp->tcp_swl2 = seg_ack;
3744 tcp->tcp_valid_bits &= ~TCP_ISS_VALID;
3745
3746 /* Trace change from SYN_RCVD -> ESTABLISHED here */
3747 DTRACE_TCP6(state__change, void, NULL, ip_xmit_attr_t *,
3748 connp->conn_ixa, void, NULL, tcp_t *, tcp, void, NULL,
3749 int32_t, TCPS_SYN_RCVD);
3750
3751 /* Fuse when both sides are in ESTABLISHED state */
3752 if (tcp->tcp_loopback && do_tcp_fusion)
3753 tcp_fuse(tcp, iphdr, tcpha);
3754
3755 }
3756 /* This code follows 4.4BSD-Lite2 mostly. */
3757 if (bytes_acked < 0)
3758 goto est;
3759
3760 /*
3761 * If TCP is ECN capable and the congestion experience bit is
3762 * set, reduce tcp_cwnd and tcp_ssthresh. But this should only be
3763 * done once per window (or more loosely, per RTT).
3764 */
3765 if (tcp->tcp_cwr && SEQ_GT(seg_ack, tcp->tcp_cwr_snd_max))
3766 tcp->tcp_cwr = B_FALSE;
3767 if (tcp->tcp_ecn_ok && (flags & TH_ECE)) {
3768 if (!tcp->tcp_cwr) {
3769 npkt = ((tcp->tcp_snxt - tcp->tcp_suna) >> 1) / mss;
3770 tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * mss;
3771 tcp->tcp_cwnd = npkt * mss;
3772 /*
3773 * If the cwnd is 0, use the timer to clock out
3774 * new segments. This is required by the ECN spec.
3775 */
3776 if (npkt == 0) {
3777 TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
3778 /*
3779 * This makes sure that when the ACK comes
3780 * back, we will increase tcp_cwnd by 1 MSS.
3781 */
3782 tcp->tcp_cwnd_cnt = 0;
3783 }
3784 tcp->tcp_cwr = B_TRUE;
3785 /*
3786 * This marks the end of the current window of in
3787 * flight data. That is why we don't use
3788 * tcp_suna + tcp_swnd. Only data in flight can
3789 * provide ECN info.
3790 */
3791 tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
3792 tcp->tcp_ecn_cwr_sent = B_FALSE;
3793 }
3794 }
3795
3796 mp1 = tcp->tcp_xmit_head;
3797 if (bytes_acked == 0) {
3798 if (!ofo_seg && seg_len == 0 && new_swnd == tcp->tcp_swnd) {
3799 int dupack_cnt;
3800
3801 TCPS_BUMP_MIB(tcps, tcpInDupAck);
3802 /*
3803 * Fast retransmit. When we have seen exactly three
3804 * identical ACKs while we have unacked data
3805 * outstanding we take it as a hint that our peer
3806 * dropped something.
3807 *
3808 * If TCP is retransmitting, don't do fast retransmit.
3809 */
3810 if (mp1 && tcp->tcp_suna != tcp->tcp_snxt &&
3811 ! tcp->tcp_rexmit) {
3812 /* Do Limited Transmit */
3813 if ((dupack_cnt = ++tcp->tcp_dupack_cnt) <
3814 tcps->tcps_dupack_fast_retransmit) {
3815 /*
3816 * RFC 3042
3817 *
3818 * What we need to do is temporarily
3819 * increase tcp_cwnd so that new
3820 * data can be sent if it is allowed
3821 * by the receive window (tcp_rwnd).
3822 * tcp_wput_data() will take care of
3823 * the rest.
3824 *
3825 * If the connection is SACK capable,
3826 * only do limited xmit when there
3827 * is SACK info.
3828 *
3829 * Note how tcp_cwnd is incremented.
3830 * The first dup ACK will increase
3831 * it by 1 MSS. The second dup ACK
3832 * will increase it by 2 MSS. This
3833 * means that only 1 new segment will
3834 * be sent for each dup ACK.
3835 */
3836 if (tcp->tcp_unsent > 0 &&
3837 (!tcp->tcp_snd_sack_ok ||
3838 (tcp->tcp_snd_sack_ok &&
3839 tcp->tcp_notsack_list != NULL))) {
3840 tcp->tcp_cwnd += mss <<
3841 (tcp->tcp_dupack_cnt - 1);
3842 flags |= TH_LIMIT_XMIT;
3843 }
3844 } else if (dupack_cnt ==
3845 tcps->tcps_dupack_fast_retransmit) {
3846
3847 /*
3848 * If we have reduced tcp_ssthresh
3849 * because of ECN, do not reduce it again
3850 * unless it is already one window of data
3851 * away. After one window of data, tcp_cwr
3852 * should then be cleared. Note that
3853 * for non ECN capable connection, tcp_cwr
3854 * should always be false.
3855 *
3856 * Adjust cwnd since the duplicate
3857 * ack indicates that a packet was
3858 * dropped (due to congestion.)
3859 */
3860 if (!tcp->tcp_cwr) {
3861 npkt = ((tcp->tcp_snxt -
3862 tcp->tcp_suna) >> 1) / mss;
3863 tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) *
3864 mss;
3865 tcp->tcp_cwnd = (npkt +
3866 tcp->tcp_dupack_cnt) * mss;
3867 }
3868 if (tcp->tcp_ecn_ok) {
3869 tcp->tcp_cwr = B_TRUE;
3870 tcp->tcp_cwr_snd_max = tcp->tcp_snxt;
3871 tcp->tcp_ecn_cwr_sent = B_FALSE;
3872 }
3873
3874 /*
3875 * We do Hoe's algorithm. Refer to her
3876 * paper "Improving the Start-up Behavior
3877 * of a Congestion Control Scheme for TCP,"
3878 * appeared in SIGCOMM'96.
3879 *
3880 * Save highest seq no we have sent so far.
3881 * Be careful about the invisible FIN byte.
3882 */
3883 if ((tcp->tcp_valid_bits & TCP_FSS_VALID) &&
3884 (tcp->tcp_unsent == 0)) {
3885 tcp->tcp_rexmit_max = tcp->tcp_fss;
3886 } else {
3887 tcp->tcp_rexmit_max = tcp->tcp_snxt;
3888 }
3889
3890 /*
3891 * Do not allow bursty traffic during.
3892 * fast recovery. Refer to Fall and Floyd's
3893 * paper "Simulation-based Comparisons of
3894 * Tahoe, Reno and SACK TCP" (in CCR?)
3895 * This is a best current practise.
3896 */
3897 tcp->tcp_snd_burst = TCP_CWND_SS;
3898
3899 /*
3900 * For SACK:
3901 * Calculate tcp_pipe, which is the
3902 * estimated number of bytes in
3903 * network.
3904 *
3905 * tcp_fack is the highest sack'ed seq num
3906 * TCP has received.
3907 *
3908 * tcp_pipe is explained in the above quoted
3909 * Fall and Floyd's paper. tcp_fack is
3910 * explained in Mathis and Mahdavi's
3911 * "Forward Acknowledgment: Refining TCP
3912 * Congestion Control" in SIGCOMM '96.
3913 */
3914 if (tcp->tcp_snd_sack_ok) {
3915 if (tcp->tcp_notsack_list != NULL) {
3916 tcp->tcp_pipe = tcp->tcp_snxt -
3917 tcp->tcp_fack;
3918 tcp->tcp_sack_snxt = seg_ack;
3919 flags |= TH_NEED_SACK_REXMIT;
3920 } else {
3921 /*
3922 * Always initialize tcp_pipe
3923 * even though we don't have
3924 * any SACK info. If later
3925 * we get SACK info and
3926 * tcp_pipe is not initialized,
3927 * funny things will happen.
3928 */
3929 tcp->tcp_pipe =
3930 tcp->tcp_cwnd_ssthresh;
3931 }
3932 } else {
3933 flags |= TH_REXMIT_NEEDED;
3934 } /* tcp_snd_sack_ok */
3935
3936 } else {
3937 /*
3938 * Here we perform congestion
3939 * avoidance, but NOT slow start.
3940 * This is known as the Fast
3941 * Recovery Algorithm.
3942 */
3943 if (tcp->tcp_snd_sack_ok &&
3944 tcp->tcp_notsack_list != NULL) {
3945 flags |= TH_NEED_SACK_REXMIT;
3946 tcp->tcp_pipe -= mss;
3947 if (tcp->tcp_pipe < 0)
3948 tcp->tcp_pipe = 0;
3949 } else {
3950 /*
3951 * We know that one more packet has
3952 * left the pipe thus we can update
3953 * cwnd.
3954 */
3955 cwnd = tcp->tcp_cwnd + mss;
3956 if (cwnd > tcp->tcp_cwnd_max)
3957 cwnd = tcp->tcp_cwnd_max;
3958 tcp->tcp_cwnd = cwnd;
3959 if (tcp->tcp_unsent > 0)
3960 flags |= TH_XMIT_NEEDED;
3961 }
3962 }
3963 }
3964 } else if (tcp->tcp_zero_win_probe) {
3965 /*
3966 * If the window has opened, need to arrange
3967 * to send additional data.
3968 */
3969 if (new_swnd != 0) {
3970 /* tcp_suna != tcp_snxt */
3971 /* Packet contains a window update */
3972 TCPS_BUMP_MIB(tcps, tcpInWinUpdate);
3973 tcp->tcp_zero_win_probe = 0;
3974 tcp->tcp_timer_backoff = 0;
3975 tcp->tcp_ms_we_have_waited = 0;
3976
3977 /*
3978 * Transmit starting with tcp_suna since
3979 * the one byte probe is not ack'ed.
3980 * If TCP has sent more than one identical
3981 * probe, tcp_rexmit will be set. That means
3982 * tcp_ss_rexmit() will send out the one
3983 * byte along with new data. Otherwise,
3984 * fake the retransmission.
3985 */
3986 flags |= TH_XMIT_NEEDED;
3987 if (!tcp->tcp_rexmit) {
3988 tcp->tcp_rexmit = B_TRUE;
3989 tcp->tcp_dupack_cnt = 0;
3990 tcp->tcp_rexmit_nxt = tcp->tcp_suna;
3991 tcp->tcp_rexmit_max = tcp->tcp_suna + 1;
3992 }
3993 }
3994 }
3995 goto swnd_update;
3996 }
3997
3998 /*
3999 * Check for "acceptability" of ACK value per RFC 793, pages 72 - 73.
4000 * If the ACK value acks something that we have not yet sent, it might
4001 * be an old duplicate segment. Send an ACK to re-synchronize the
4002 * other side.
4003 * Note: reset in response to unacceptable ACK in SYN_RECEIVE
4004 * state is handled above, so we can always just drop the segment and
4005 * send an ACK here.
4006 *
4007 * In the case where the peer shrinks the window, we see the new window
4008 * update, but all the data sent previously is queued up by the peer.
4009 * To account for this, in tcp_process_shrunk_swnd(), the sequence
4010 * number, which was already sent, and within window, is recorded.
4011 * tcp_snxt is then updated.
4012 *
4013 * If the window has previously shrunk, and an ACK for data not yet
4014 * sent, according to tcp_snxt is recieved, it may still be valid. If
4015 * the ACK is for data within the window at the time the window was
4016 * shrunk, then the ACK is acceptable. In this case tcp_snxt is set to
4017 * the sequence number ACK'ed.
4018 *
4019 * If the ACK covers all the data sent at the time the window was
4020 * shrunk, we can now set tcp_is_wnd_shrnk to B_FALSE.
4021 *
4022 * Should we send ACKs in response to ACK only segments?
4023 */
4024
4025 if (SEQ_GT(seg_ack, tcp->tcp_snxt)) {
4026 if ((tcp->tcp_is_wnd_shrnk) &&
4027 (SEQ_LEQ(seg_ack, tcp->tcp_snxt_shrunk))) {
4028 uint32_t data_acked_ahead_snxt;
4029
4030 data_acked_ahead_snxt = seg_ack - tcp->tcp_snxt;
4031 tcp_update_xmit_tail(tcp, seg_ack);
4032 tcp->tcp_unsent -= data_acked_ahead_snxt;
4033 } else {
4034 TCPS_BUMP_MIB(tcps, tcpInAckUnsent);
4035 /* drop the received segment */
4036 freemsg(mp);
4037
4038 /*
4039 * Send back an ACK. If tcp_drop_ack_unsent_cnt is
4040 * greater than 0, check if the number of such
4041 * bogus ACks is greater than that count. If yes,
4042 * don't send back any ACK. This prevents TCP from
4043 * getting into an ACK storm if somehow an attacker
4044 * successfully spoofs an acceptable segment to our
4045 * peer. If this continues (count > 2 X threshold),
4046 * we should abort this connection.
4047 */
4048 if (tcp_drop_ack_unsent_cnt > 0 &&
4049 ++tcp->tcp_in_ack_unsent >
4050 tcp_drop_ack_unsent_cnt) {
4051 TCP_STAT(tcps, tcp_in_ack_unsent_drop);
4052 if (tcp->tcp_in_ack_unsent > 2 *
4053 tcp_drop_ack_unsent_cnt) {
4054 (void) tcp_clean_death(tcp, EPROTO);
4055 }
4056 return;
4057 }
4058 mp = tcp_ack_mp(tcp);
4059 if (mp != NULL) {
4060 BUMP_LOCAL(tcp->tcp_obsegs);
4061 TCPS_BUMP_MIB(tcps, tcpOutAck);
4062 tcp_send_data(tcp, mp);
4063 }
4064 return;
4065 }
4066 } else if (tcp->tcp_is_wnd_shrnk && SEQ_GEQ(seg_ack,
4067 tcp->tcp_snxt_shrunk)) {
4068 tcp->tcp_is_wnd_shrnk = B_FALSE;
4069 }
4070
4071 /*
4072 * TCP gets a new ACK, update the notsack'ed list to delete those
4073 * blocks that are covered by this ACK.
4074 */
4075 if (tcp->tcp_snd_sack_ok && tcp->tcp_notsack_list != NULL) {
4076 tcp_notsack_remove(&(tcp->tcp_notsack_list), seg_ack,
4077 &(tcp->tcp_num_notsack_blk), &(tcp->tcp_cnt_notsack_list));
4078 }
4079
4080 /*
4081 * If we got an ACK after fast retransmit, check to see
4082 * if it is a partial ACK. If it is not and the congestion
4083 * window was inflated to account for the other side's
4084 * cached packets, retract it. If it is, do Hoe's algorithm.
4085 */
4086 if (tcp->tcp_dupack_cnt >= tcps->tcps_dupack_fast_retransmit) {
4087 ASSERT(tcp->tcp_rexmit == B_FALSE);
4088 if (SEQ_GEQ(seg_ack, tcp->tcp_rexmit_max)) {
4089 tcp->tcp_dupack_cnt = 0;
4090 /*
4091 * Restore the orig tcp_cwnd_ssthresh after
4092 * fast retransmit phase.
4093 */
4094 if (tcp->tcp_cwnd > tcp->tcp_cwnd_ssthresh) {
4095 tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh;
4096 }
4097 tcp->tcp_rexmit_max = seg_ack;
4098 tcp->tcp_cwnd_cnt = 0;
4099 tcp->tcp_snd_burst = tcp->tcp_localnet ?
4100 TCP_CWND_INFINITE : TCP_CWND_NORMAL;
4101
4102 /*
4103 * Remove all notsack info to avoid confusion with
4104 * the next fast retrasnmit/recovery phase.
4105 */
4106 if (tcp->tcp_snd_sack_ok) {
4107 TCP_NOTSACK_REMOVE_ALL(tcp->tcp_notsack_list,
4108 tcp);
4109 }
4110 } else {
4111 if (tcp->tcp_snd_sack_ok &&
4112 tcp->tcp_notsack_list != NULL) {
4113 flags |= TH_NEED_SACK_REXMIT;
4114 tcp->tcp_pipe -= mss;
4115 if (tcp->tcp_pipe < 0)
4116 tcp->tcp_pipe = 0;
4117 } else {
4118 /*
4119 * Hoe's algorithm:
4120 *
4121 * Retransmit the unack'ed segment and
4122 * restart fast recovery. Note that we
4123 * need to scale back tcp_cwnd to the
4124 * original value when we started fast
4125 * recovery. This is to prevent overly
4126 * aggressive behaviour in sending new
4127 * segments.
4128 */
4129 tcp->tcp_cwnd = tcp->tcp_cwnd_ssthresh +
4130 tcps->tcps_dupack_fast_retransmit * mss;
4131 tcp->tcp_cwnd_cnt = tcp->tcp_cwnd;
4132 flags |= TH_REXMIT_NEEDED;
4133 }
4134 }
4135 } else {
4136 tcp->tcp_dupack_cnt = 0;
4137 if (tcp->tcp_rexmit) {
4138 /*
4139 * TCP is retranmitting. If the ACK ack's all
4140 * outstanding data, update tcp_rexmit_max and
4141 * tcp_rexmit_nxt. Otherwise, update tcp_rexmit_nxt
4142 * to the correct value.
4143 *
4144 * Note that SEQ_LEQ() is used. This is to avoid
4145 * unnecessary fast retransmit caused by dup ACKs
4146 * received when TCP does slow start retransmission
4147 * after a time out. During this phase, TCP may
4148 * send out segments which are already received.
4149 * This causes dup ACKs to be sent back.
4150 */
4151 if (SEQ_LEQ(seg_ack, tcp->tcp_rexmit_max)) {
4152 if (SEQ_GT(seg_ack, tcp->tcp_rexmit_nxt)) {
4153 tcp->tcp_rexmit_nxt = seg_ack;
4154 }
4155 if (seg_ack != tcp->tcp_rexmit_max) {
4156 flags |= TH_XMIT_NEEDED;
4157 }
4158 } else {
4159 tcp->tcp_rexmit = B_FALSE;
4160 tcp->tcp_rexmit_nxt = tcp->tcp_snxt;
4161 tcp->tcp_snd_burst = tcp->tcp_localnet ?
4162 TCP_CWND_INFINITE : TCP_CWND_NORMAL;
4163 }
4164 tcp->tcp_ms_we_have_waited = 0;
4165 }
4166 }
4167
4168 TCPS_BUMP_MIB(tcps, tcpInAckSegs);
4169 TCPS_UPDATE_MIB(tcps, tcpInAckBytes, bytes_acked);
4170 tcp->tcp_suna = seg_ack;
4171 if (tcp->tcp_zero_win_probe != 0) {
4172 tcp->tcp_zero_win_probe = 0;
4173 tcp->tcp_timer_backoff = 0;
4174 }
4175
4176 /*
4177 * If tcp_xmit_head is NULL, then it must be the FIN being ack'ed.
4178 * Note that it cannot be the SYN being ack'ed. The code flow
4179 * will not reach here.
4180 */
4181 if (mp1 == NULL) {
4182 goto fin_acked;
4183 }
4184
4185 /*
4186 * Update the congestion window.
4187 *
4188 * If TCP is not ECN capable or TCP is ECN capable but the
4189 * congestion experience bit is not set, increase the tcp_cwnd as
4190 * usual.
4191 */
4192 if (!tcp->tcp_ecn_ok || !(flags & TH_ECE)) {
4193 cwnd = tcp->tcp_cwnd;
4194 add = mss;
4195
4196 if (cwnd >= tcp->tcp_cwnd_ssthresh) {
4197 /*
4198 * This is to prevent an increase of less than 1 MSS of
4199 * tcp_cwnd. With partial increase, tcp_wput_data()
4200 * may send out tinygrams in order to preserve mblk
4201 * boundaries.
4202 *
4203 * By initializing tcp_cwnd_cnt to new tcp_cwnd and
4204 * decrementing it by 1 MSS for every ACKs, tcp_cwnd is
4205 * increased by 1 MSS for every RTTs.
4206 */
4207 if (tcp->tcp_cwnd_cnt <= 0) {
4208 tcp->tcp_cwnd_cnt = cwnd + add;
4209 } else {
4210 tcp->tcp_cwnd_cnt -= add;
4211 add = 0;
4212 }
4213 }
4214 tcp->tcp_cwnd = MIN(cwnd + add, tcp->tcp_cwnd_max);
4215 }
4216
4217 /* See if the latest urgent data has been acknowledged */
4218 if ((tcp->tcp_valid_bits & TCP_URG_VALID) &&
4219 SEQ_GT(seg_ack, tcp->tcp_urg))
4220 tcp->tcp_valid_bits &= ~TCP_URG_VALID;
4221
4222 /* Can we update the RTT estimates? */
4223 if (tcp->tcp_snd_ts_ok) {
4224 /* Ignore zero timestamp echo-reply. */
4225 if (tcpopt.tcp_opt_ts_ecr != 0) {
4226 tcp_set_rto(tcp, (int32_t)LBOLT_FASTPATH -
4227 (int32_t)tcpopt.tcp_opt_ts_ecr);
4228 }
4229
4230 /* If needed, restart the timer. */
4231 if (tcp->tcp_set_timer == 1) {
4232 TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
4233 tcp->tcp_set_timer = 0;
4234 }
4235 /*
4236 * Update tcp_csuna in case the other side stops sending
4237 * us timestamps.
4238 */
4239 tcp->tcp_csuna = tcp->tcp_snxt;
4240 } else if (SEQ_GT(seg_ack, tcp->tcp_csuna)) {
4241 /*
4242 * An ACK sequence we haven't seen before, so get the RTT
4243 * and update the RTO. But first check if the timestamp is
4244 * valid to use.
4245 */
4246 if ((mp1->b_next != NULL) &&
4247 SEQ_GT(seg_ack, (uint32_t)(uintptr_t)(mp1->b_next)))
4248 tcp_set_rto(tcp, (int32_t)LBOLT_FASTPATH -
4249 (int32_t)(intptr_t)mp1->b_prev);
4250 else
4251 TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
4252
4253 /* Remeber the last sequence to be ACKed */
4254 tcp->tcp_csuna = seg_ack;
4255 if (tcp->tcp_set_timer == 1) {
4256 TCP_TIMER_RESTART(tcp, tcp->tcp_rto);
4257 tcp->tcp_set_timer = 0;
4258 }
4259 } else {
4260 TCPS_BUMP_MIB(tcps, tcpRttNoUpdate);
4261 }
4262
4263 /* Eat acknowledged bytes off the xmit queue. */
4264 for (;;) {
4265 mblk_t *mp2;
4266 uchar_t *wptr;
4267
4268 wptr = mp1->b_wptr;
4269 ASSERT((uintptr_t)(wptr - mp1->b_rptr) <= (uintptr_t)INT_MAX);
4270 bytes_acked -= (int)(wptr - mp1->b_rptr);
4271 if (bytes_acked < 0) {
4272 mp1->b_rptr = wptr + bytes_acked;
4273 /*
4274 * Set a new timestamp if all the bytes timed by the
4275 * old timestamp have been ack'ed.
4276 */
4277 if (SEQ_GT(seg_ack,
4278 (uint32_t)(uintptr_t)(mp1->b_next))) {
4279 mp1->b_prev =
4280 (mblk_t *)(uintptr_t)LBOLT_FASTPATH;
4281 mp1->b_next = NULL;
4282 }
4283 break;
4284 }
4285 mp1->b_next = NULL;
4286 mp1->b_prev = NULL;
4287 mp2 = mp1;
4288 mp1 = mp1->b_cont;
4289
4290 /*
4291 * This notification is required for some zero-copy
4292 * clients to maintain a copy semantic. After the data
4293 * is ack'ed, client is safe to modify or reuse the buffer.
4294 */
4295 if (tcp->tcp_snd_zcopy_aware &&
4296 (mp2->b_datap->db_struioflag & STRUIO_ZCNOTIFY))
4297 tcp_zcopy_notify(tcp);
4298 freeb(mp2);
4299 if (bytes_acked == 0) {
4300 if (mp1 == NULL) {
4301 /* Everything is ack'ed, clear the tail. */
4302 tcp->tcp_xmit_tail = NULL;
4303 /*
4304 * Cancel the timer unless we are still
4305 * waiting for an ACK for the FIN packet.
4306 */
4307 if (tcp->tcp_timer_tid != 0 &&
4308 tcp->tcp_snxt == tcp->tcp_suna) {
4309 (void) TCP_TIMER_CANCEL(tcp,
4310 tcp->tcp_timer_tid);
4311 tcp->tcp_timer_tid = 0;
4312 }
4313 goto pre_swnd_update;
4314 }
4315 if (mp2 != tcp->tcp_xmit_tail)
4316 break;
4317 tcp->tcp_xmit_tail = mp1;
4318 ASSERT((uintptr_t)(mp1->b_wptr - mp1->b_rptr) <=
4319 (uintptr_t)INT_MAX);
4320 tcp->tcp_xmit_tail_unsent = (int)(mp1->b_wptr -
4321 mp1->b_rptr);
4322 break;
4323 }
4324 if (mp1 == NULL) {
4325 /*
4326 * More was acked but there is nothing more
4327 * outstanding. This means that the FIN was
4328 * just acked or that we're talking to a clown.
4329 */
4330 fin_acked:
4331 ASSERT(tcp->tcp_fin_sent);
4332 tcp->tcp_xmit_tail = NULL;
4333 if (tcp->tcp_fin_sent) {
4334 /* FIN was acked - making progress */
4335 if (!tcp->tcp_fin_acked)
4336 tcp->tcp_ip_forward_progress = B_TRUE;
4337 tcp->tcp_fin_acked = B_TRUE;
4338 if (tcp->tcp_linger_tid != 0 &&
4339 TCP_TIMER_CANCEL(tcp,
4340 tcp->tcp_linger_tid) >= 0) {
4341 tcp_stop_lingering(tcp);
4342 freemsg(mp);
4343 mp = NULL;
4344 }
4345 } else {
4346 /*
4347 * We should never get here because
4348 * we have already checked that the
4349 * number of bytes ack'ed should be
4350 * smaller than or equal to what we
4351 * have sent so far (it is the
4352 * acceptability check of the ACK).
4353 * We can only get here if the send
4354 * queue is corrupted.
4355 *
4356 * Terminate the connection and
4357 * panic the system. It is better
4358 * for us to panic instead of
4359 * continuing to avoid other disaster.
4360 */
4361 tcp_xmit_ctl(NULL, tcp, tcp->tcp_snxt,
4362 tcp->tcp_rnxt, TH_RST|TH_ACK);
4363 panic("Memory corruption "
4364 "detected for connection %s.",
4365 tcp_display(tcp, NULL,
4366 DISP_ADDR_AND_PORT));
4367 /*NOTREACHED*/
4368 }
4369 goto pre_swnd_update;
4370 }
4371 ASSERT(mp2 != tcp->tcp_xmit_tail);
4372 }
4373 if (tcp->tcp_unsent) {
4374 flags |= TH_XMIT_NEEDED;
4375 }
4376 pre_swnd_update:
4377 tcp->tcp_xmit_head = mp1;
4378 swnd_update:
4379 /*
4380 * The following check is different from most other implementations.
4381 * For bi-directional transfer, when segments are dropped, the
4382 * "normal" check will not accept a window update in those
4383 * retransmitted segemnts. Failing to do that, TCP may send out
4384 * segments which are outside receiver's window. As TCP accepts
4385 * the ack in those retransmitted segments, if the window update in
4386 * the same segment is not accepted, TCP will incorrectly calculates
4387 * that it can send more segments. This can create a deadlock
4388 * with the receiver if its window becomes zero.
4389 */
4390 if (SEQ_LT(tcp->tcp_swl2, seg_ack) ||
4391 SEQ_LT(tcp->tcp_swl1, seg_seq) ||
4392 (tcp->tcp_swl1 == seg_seq && new_swnd > tcp->tcp_swnd)) {
4393 /*
4394 * The criteria for update is:
4395 *
4396 * 1. the segment acknowledges some data. Or
4397 * 2. the segment is new, i.e. it has a higher seq num. Or
4398 * 3. the segment is not old and the advertised window is
4399 * larger than the previous advertised window.
4400 */
4401 if (tcp->tcp_unsent && new_swnd > tcp->tcp_swnd)
4402 flags |= TH_XMIT_NEEDED;
4403 tcp->tcp_swnd = new_swnd;
4404 if (new_swnd > tcp->tcp_max_swnd)
4405 tcp->tcp_max_swnd = new_swnd;
4406 tcp->tcp_swl1 = seg_seq;
4407 tcp->tcp_swl2 = seg_ack;
4408 }
4409 est:
4410 if (tcp->tcp_state > TCPS_ESTABLISHED) {
4411
4412 switch (tcp->tcp_state) {
4413 case TCPS_FIN_WAIT_1:
4414 if (tcp->tcp_fin_acked) {
4415 tcp->tcp_state = TCPS_FIN_WAIT_2;
4416 DTRACE_TCP6(state__change, void, NULL,
4417 ip_xmit_attr_t *, connp->conn_ixa,
4418 void, NULL, tcp_t *, tcp, void, NULL,
4419 int32_t, TCPS_FIN_WAIT_1);
4420 /*
4421 * We implement the non-standard BSD/SunOS
4422 * FIN_WAIT_2 flushing algorithm.
4423 * If there is no user attached to this
4424 * TCP endpoint, then this TCP struct
4425 * could hang around forever in FIN_WAIT_2
4426 * state if the peer forgets to send us
4427 * a FIN. To prevent this, we wait only
4428 * 2*MSL (a convenient time value) for
4429 * the FIN to arrive. If it doesn't show up,
4430 * we flush the TCP endpoint. This algorithm,
4431 * though a violation of RFC-793, has worked
4432 * for over 10 years in BSD systems.
4433 * Note: SunOS 4.x waits 675 seconds before
4434 * flushing the FIN_WAIT_2 connection.
4435 */
4436 TCP_TIMER_RESTART(tcp,
4437 tcp->tcp_fin_wait_2_flush_interval);
4438 }
4439 break;
4440 case TCPS_FIN_WAIT_2:
4441 break; /* Shutdown hook? */
4442 case TCPS_LAST_ACK:
4443 freemsg(mp);
4444 if (tcp->tcp_fin_acked) {
4445 (void) tcp_clean_death(tcp, 0);
4446 return;
4447 }
4448 goto xmit_check;
4449 case TCPS_CLOSING:
4450 if (tcp->tcp_fin_acked) {
4451 SET_TIME_WAIT(tcps, tcp, connp);
4452 DTRACE_TCP6(state__change, void, NULL,
4453 ip_xmit_attr_t *, connp->conn_ixa, void,
4454 NULL, tcp_t *, tcp, void, NULL, int32_t,
4455 TCPS_CLOSING);
4456 }
4457 /*FALLTHRU*/
4458 case TCPS_CLOSE_WAIT:
4459 freemsg(mp);
4460 goto xmit_check;
4461 default:
4462 ASSERT(tcp->tcp_state != TCPS_TIME_WAIT);
4463 break;
4464 }
4465 }
4466 if (flags & TH_FIN) {
4467 /* Make sure we ack the fin */
4468 flags |= TH_ACK_NEEDED;
4469 if (!tcp->tcp_fin_rcvd) {
4470 tcp->tcp_fin_rcvd = B_TRUE;
4471 tcp->tcp_rnxt++;
4472 tcpha = tcp->tcp_tcpha;
4473 tcpha->tha_ack = htonl(tcp->tcp_rnxt);
4474
4475 /*
4476 * Generate the ordrel_ind at the end unless the
4477 * conn is detached or it is a STREAMS based eager.
4478 * In the eager case we defer the notification until
4479 * tcp_accept_finish has run.
4480 */
4481 if (!TCP_IS_DETACHED(tcp) && (IPCL_IS_NONSTR(connp) ||
4482 (tcp->tcp_listener == NULL &&
4483 !tcp->tcp_hard_binding)))
4484 flags |= TH_ORDREL_NEEDED;
4485 switch (tcp->tcp_state) {
4486 case TCPS_SYN_RCVD:
4487 tcp->tcp_state = TCPS_CLOSE_WAIT;
4488 DTRACE_TCP6(state__change, void, NULL,
4489 ip_xmit_attr_t *, connp->conn_ixa,
4490 void, NULL, tcp_t *, tcp, void, NULL,
4491 int32_t, TCPS_SYN_RCVD);
4492 /* Keepalive? */
4493 break;
4494 case TCPS_ESTABLISHED:
4495 tcp->tcp_state = TCPS_CLOSE_WAIT;
4496 DTRACE_TCP6(state__change, void, NULL,
4497 ip_xmit_attr_t *, connp->conn_ixa,
4498 void, NULL, tcp_t *, tcp, void, NULL,
4499 int32_t, TCPS_ESTABLISHED);
4500 /* Keepalive? */
4501 break;
4502 case TCPS_FIN_WAIT_1:
4503 if (!tcp->tcp_fin_acked) {
4504 tcp->tcp_state = TCPS_CLOSING;
4505 DTRACE_TCP6(state__change, void, NULL,
4506 ip_xmit_attr_t *, connp->conn_ixa,
4507 void, NULL, tcp_t *, tcp, void,
4508 NULL, int32_t, TCPS_FIN_WAIT_1);
4509 break;
4510 }
4511 /* FALLTHRU */
4512 case TCPS_FIN_WAIT_2:
4513 SET_TIME_WAIT(tcps, tcp, connp);
4514 DTRACE_TCP6(state__change, void, NULL,
4515 ip_xmit_attr_t *, connp->conn_ixa, void,
4516 NULL, tcp_t *, tcp, void, NULL, int32_t,
4517 TCPS_FIN_WAIT_2);
4518 if (seg_len) {
4519 /*
4520 * implies data piggybacked on FIN.
4521 * break to handle data.
4522 */
4523 break;
4524 }
4525 freemsg(mp);
4526 goto ack_check;
4527 }
4528 }
4529 }
4530 if (mp == NULL)
4531 goto xmit_check;
4532 if (seg_len == 0) {
4533 freemsg(mp);
4534 goto xmit_check;
4535 }
4536 if (mp->b_rptr == mp->b_wptr) {
4537 /*
4538 * The header has been consumed, so we remove the
4539 * zero-length mblk here.
4540 */
4541 mp1 = mp;
4542 mp = mp->b_cont;
4543 freeb(mp1);
4544 }
4545 update_ack:
4546 tcpha = tcp->tcp_tcpha;
4547 tcp->tcp_rack_cnt++;
4548 {
4549 uint32_t cur_max;
4550
4551 cur_max = tcp->tcp_rack_cur_max;
4552 if (tcp->tcp_rack_cnt >= cur_max) {
4553 /*
4554 * We have more unacked data than we should - send
4555 * an ACK now.
4556 */
4557 flags |= TH_ACK_NEEDED;
4558 cur_max++;
4559 if (cur_max > tcp->tcp_rack_abs_max)
4560 tcp->tcp_rack_cur_max = tcp->tcp_rack_abs_max;
4561 else
4562 tcp->tcp_rack_cur_max = cur_max;
4563 } else if (TCP_IS_DETACHED(tcp)) {
4564 /* We don't have an ACK timer for detached TCP. */
4565 flags |= TH_ACK_NEEDED;
4566 } else if (seg_len < mss) {
4567 /*
4568 * If we get a segment that is less than an mss, and we
4569 * already have unacknowledged data, and the amount
4570 * unacknowledged is not a multiple of mss, then we
4571 * better generate an ACK now. Otherwise, this may be
4572 * the tail piece of a transaction, and we would rather
4573 * wait for the response.
4574 */
4575 uint32_t udif;
4576 ASSERT((uintptr_t)(tcp->tcp_rnxt - tcp->tcp_rack) <=
4577 (uintptr_t)INT_MAX);
4578 udif = (int)(tcp->tcp_rnxt - tcp->tcp_rack);
4579 if (udif && (udif % mss))
4580 flags |= TH_ACK_NEEDED;
4581 else
4582 flags |= TH_ACK_TIMER_NEEDED;
4583 } else {
4584 /* Start delayed ack timer */
4585 flags |= TH_ACK_TIMER_NEEDED;
4586 }
4587 }
4588 tcp->tcp_rnxt += seg_len;
4589 tcpha->tha_ack = htonl(tcp->tcp_rnxt);
4590
4591 if (mp == NULL)
4592 goto xmit_check;
4593
4594 /* Update SACK list */
4595 if (tcp->tcp_snd_sack_ok && tcp->tcp_num_sack_blk > 0) {
4596 tcp_sack_remove(tcp->tcp_sack_list, tcp->tcp_rnxt,
4597 &(tcp->tcp_num_sack_blk));
4598 }
4599
4600 if (tcp->tcp_urp_mp) {
4601 tcp->tcp_urp_mp->b_cont = mp;
4602 mp = tcp->tcp_urp_mp;
4603 tcp->tcp_urp_mp = NULL;
4604 /* Ready for a new signal. */
4605 tcp->tcp_urp_last_valid = B_FALSE;
4606 #ifdef DEBUG
4607 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
4608 "tcp_rput: sending exdata_ind %s",
4609 tcp_display(tcp, NULL, DISP_PORT_ONLY));
4610 #endif /* DEBUG */
4611 }
4612
4613 /*
4614 * Check for ancillary data changes compared to last segment.
4615 */
4616 if (connp->conn_recv_ancillary.crb_all != 0) {
4617 mp = tcp_input_add_ancillary(tcp, mp, &ipp, ira);
4618 if (mp == NULL)
4619 return;
4620 }
4621
4622 if (IPCL_IS_NONSTR(connp)) {
4623 /*
4624 * Non-STREAMS socket
4625 */
4626 boolean_t push = flags & (TH_PUSH|TH_FIN);
4627 int error;
4628
4629 if ((*connp->conn_upcalls->su_recv)(
4630 connp->conn_upper_handle,
4631 mp, seg_len, 0, &error, &push) <= 0) {
4632 /*
4633 * We should never be in middle of a
4634 * fallback, the squeue guarantees that.
4635 */
4636 ASSERT(error != EOPNOTSUPP);
4637 if (error == ENOSPC)
4638 tcp->tcp_rwnd -= seg_len;
4639 } else if (push) {
4640 /* PUSH bit set and sockfs is not flow controlled */
4641 flags |= tcp_rwnd_reopen(tcp);
4642 }
4643 } else if (tcp->tcp_listener != NULL || tcp->tcp_hard_binding) {
4644 /*
4645 * Side queue inbound data until the accept happens.
4646 * tcp_accept/tcp_rput drains this when the accept happens.
4647 * M_DATA is queued on b_cont. Otherwise (T_OPTDATA_IND or
4648 * T_EXDATA_IND) it is queued on b_next.
4649 * XXX Make urgent data use this. Requires:
4650 * Removing tcp_listener check for TH_URG
4651 * Making M_PCPROTO and MARK messages skip the eager case
4652 */
4653
4654 tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
4655 } else {
4656 /* Active STREAMS socket */
4657 if (mp->b_datap->db_type != M_DATA ||
4658 (flags & TH_MARKNEXT_NEEDED)) {
4659 if (tcp->tcp_rcv_list != NULL) {
4660 flags |= tcp_rcv_drain(tcp);
4661 }
4662 ASSERT(tcp->tcp_rcv_list == NULL ||
4663 tcp->tcp_fused_sigurg);
4664
4665 if (flags & TH_MARKNEXT_NEEDED) {
4666 #ifdef DEBUG
4667 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
4668 "tcp_rput: sending MSGMARKNEXT %s",
4669 tcp_display(tcp, NULL,
4670 DISP_PORT_ONLY));
4671 #endif /* DEBUG */
4672 mp->b_flag |= MSGMARKNEXT;
4673 flags &= ~TH_MARKNEXT_NEEDED;
4674 }
4675
4676 if (is_system_labeled())
4677 tcp_setcred_data(mp, ira);
4678
4679 putnext(connp->conn_rq, mp);
4680 if (!canputnext(connp->conn_rq))
4681 tcp->tcp_rwnd -= seg_len;
4682 } else if ((flags & (TH_PUSH|TH_FIN)) ||
4683 tcp->tcp_rcv_cnt + seg_len >= connp->conn_rcvbuf >> 3) {
4684 if (tcp->tcp_rcv_list != NULL) {
4685 /*
4686 * Enqueue the new segment first and then
4687 * call tcp_rcv_drain() to send all data
4688 * up. The other way to do this is to
4689 * send all queued data up and then call
4690 * putnext() to send the new segment up.
4691 * This way can remove the else part later
4692 * on.
4693 *
4694 * We don't do this to avoid one more call to
4695 * canputnext() as tcp_rcv_drain() needs to
4696 * call canputnext().
4697 */
4698 tcp_rcv_enqueue(tcp, mp, seg_len,
4699 ira->ira_cred);
4700 flags |= tcp_rcv_drain(tcp);
4701 } else {
4702 if (is_system_labeled())
4703 tcp_setcred_data(mp, ira);
4704
4705 putnext(connp->conn_rq, mp);
4706 if (!canputnext(connp->conn_rq))
4707 tcp->tcp_rwnd -= seg_len;
4708 }
4709 } else {
4710 /*
4711 * Enqueue all packets when processing an mblk
4712 * from the co queue and also enqueue normal packets.
4713 */
4714 tcp_rcv_enqueue(tcp, mp, seg_len, ira->ira_cred);
4715 }
4716 /*
4717 * Make sure the timer is running if we have data waiting
4718 * for a push bit. This provides resiliency against
4719 * implementations that do not correctly generate push bits.
4720 */
4721 if (tcp->tcp_rcv_list != NULL && tcp->tcp_push_tid == 0) {
4722 /*
4723 * The connection may be closed at this point, so don't
4724 * do anything for a detached tcp.
4725 */
4726 if (!TCP_IS_DETACHED(tcp))
4727 tcp->tcp_push_tid = TCP_TIMER(tcp,
4728 tcp_push_timer,
4729 tcps->tcps_push_timer_interval);
4730 }
4731 }
4732
4733 xmit_check:
4734 /* Is there anything left to do? */
4735 ASSERT(!(flags & TH_MARKNEXT_NEEDED));
4736 if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_ACK_NEEDED|
4737 TH_NEED_SACK_REXMIT|TH_LIMIT_XMIT|TH_ACK_TIMER_NEEDED|
4738 TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
4739 goto done;
4740
4741 /* Any transmit work to do and a non-zero window? */
4742 if ((flags & (TH_REXMIT_NEEDED|TH_XMIT_NEEDED|TH_NEED_SACK_REXMIT|
4743 TH_LIMIT_XMIT)) && tcp->tcp_swnd != 0) {
4744 if (flags & TH_REXMIT_NEEDED) {
4745 uint32_t snd_size = tcp->tcp_snxt - tcp->tcp_suna;
4746
4747 TCPS_BUMP_MIB(tcps, tcpOutFastRetrans);
4748 if (snd_size > mss)
4749 snd_size = mss;
4750 if (snd_size > tcp->tcp_swnd)
4751 snd_size = tcp->tcp_swnd;
4752 mp1 = tcp_xmit_mp(tcp, tcp->tcp_xmit_head, snd_size,
4753 NULL, NULL, tcp->tcp_suna, B_TRUE, &snd_size,
4754 B_TRUE);
4755
4756 if (mp1 != NULL) {
4757 tcp->tcp_xmit_head->b_prev =
4758 (mblk_t *)LBOLT_FASTPATH;
4759 tcp->tcp_csuna = tcp->tcp_snxt;
4760 TCPS_BUMP_MIB(tcps, tcpRetransSegs);
4761 TCPS_UPDATE_MIB(tcps, tcpRetransBytes,
4762 snd_size);
4763 tcp_send_data(tcp, mp1);
4764 }
4765 }
4766 if (flags & TH_NEED_SACK_REXMIT) {
4767 tcp_sack_rexmit(tcp, &flags);
4768 }
4769 /*
4770 * For TH_LIMIT_XMIT, tcp_wput_data() is called to send
4771 * out new segment. Note that tcp_rexmit should not be
4772 * set, otherwise TH_LIMIT_XMIT should not be set.
4773 */
4774 if (flags & (TH_XMIT_NEEDED|TH_LIMIT_XMIT)) {
4775 if (!tcp->tcp_rexmit) {
4776 tcp_wput_data(tcp, NULL, B_FALSE);
4777 } else {
4778 tcp_ss_rexmit(tcp);
4779 }
4780 }
4781 /*
4782 * Adjust tcp_cwnd back to normal value after sending
4783 * new data segments.
4784 */
4785 if (flags & TH_LIMIT_XMIT) {
4786 tcp->tcp_cwnd -= mss << (tcp->tcp_dupack_cnt - 1);
4787 /*
4788 * This will restart the timer. Restarting the
4789 * timer is used to avoid a timeout before the
4790 * limited transmitted segment's ACK gets back.
4791 */
4792 if (tcp->tcp_xmit_head != NULL)
4793 tcp->tcp_xmit_head->b_prev =
4794 (mblk_t *)LBOLT_FASTPATH;
4795 }
4796
4797 /* Anything more to do? */
4798 if ((flags & (TH_ACK_NEEDED|TH_ACK_TIMER_NEEDED|
4799 TH_ORDREL_NEEDED|TH_SEND_URP_MARK)) == 0)
4800 goto done;
4801 }
4802 ack_check:
4803 if (flags & TH_SEND_URP_MARK) {
4804 ASSERT(tcp->tcp_urp_mark_mp);
4805 ASSERT(!IPCL_IS_NONSTR(connp));
4806 /*
4807 * Send up any queued data and then send the mark message
4808 */
4809 if (tcp->tcp_rcv_list != NULL) {
4810 flags |= tcp_rcv_drain(tcp);
4811
4812 }
4813 ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
4814 mp1 = tcp->tcp_urp_mark_mp;
4815 tcp->tcp_urp_mark_mp = NULL;
4816 if (is_system_labeled())
4817 tcp_setcred_data(mp1, ira);
4818
4819 putnext(connp->conn_rq, mp1);
4820 #ifdef DEBUG
4821 (void) strlog(TCP_MOD_ID, 0, 1, SL_TRACE,
4822 "tcp_rput: sending zero-length %s %s",
4823 ((mp1->b_flag & MSGMARKNEXT) ? "MSGMARKNEXT" :
4824 "MSGNOTMARKNEXT"),
4825 tcp_display(tcp, NULL, DISP_PORT_ONLY));
4826 #endif /* DEBUG */
4827 flags &= ~TH_SEND_URP_MARK;
4828 }
4829 if (flags & TH_ACK_NEEDED) {
4830 /*
4831 * Time to send an ack for some reason.
4832 */
4833 mp1 = tcp_ack_mp(tcp);
4834
4835 if (mp1 != NULL) {
4836 tcp_send_data(tcp, mp1);
4837 BUMP_LOCAL(tcp->tcp_obsegs);
4838 TCPS_BUMP_MIB(tcps, tcpOutAck);
4839 }
4840 if (tcp->tcp_ack_tid != 0) {
4841 (void) TCP_TIMER_CANCEL(tcp, tcp->tcp_ack_tid);
4842 tcp->tcp_ack_tid = 0;
4843 }
4844 }
4845 if (flags & TH_ACK_TIMER_NEEDED) {
4846 /*
4847 * Arrange for deferred ACK or push wait timeout.
4848 * Start timer if it is not already running.
4849 */
4850 if (tcp->tcp_ack_tid == 0) {
4851 tcp->tcp_ack_tid = TCP_TIMER(tcp, tcp_ack_timer,
4852 tcp->tcp_localnet ?
4853 tcps->tcps_local_dack_interval :
4854 tcps->tcps_deferred_ack_interval);
4855 }
4856 }
4857 if (flags & TH_ORDREL_NEEDED) {
4858 /*
4859 * Notify upper layer about an orderly release. If this is
4860 * a non-STREAMS socket, then just make an upcall. For STREAMS
4861 * we send up an ordrel_ind, unless this is an eager, in which
4862 * case the ordrel will be sent when tcp_accept_finish runs.
4863 * Note that for non-STREAMS we make an upcall even if it is an
4864 * eager, because we have an upper handle to send it to.
4865 */
4866 ASSERT(IPCL_IS_NONSTR(connp) || tcp->tcp_listener == NULL);
4867 ASSERT(!tcp->tcp_detached);
4868
4869 if (IPCL_IS_NONSTR(connp)) {
4870 ASSERT(tcp->tcp_ordrel_mp == NULL);
4871 tcp->tcp_ordrel_done = B_TRUE;
4872 (*connp->conn_upcalls->su_opctl)
4873 (connp->conn_upper_handle, SOCK_OPCTL_SHUT_RECV, 0);
4874 goto done;
4875 }
4876
4877 if (tcp->tcp_rcv_list != NULL) {
4878 /*
4879 * Push any mblk(s) enqueued from co processing.
4880 */
4881 flags |= tcp_rcv_drain(tcp);
4882 }
4883 ASSERT(tcp->tcp_rcv_list == NULL || tcp->tcp_fused_sigurg);
4884
4885 mp1 = tcp->tcp_ordrel_mp;
4886 tcp->tcp_ordrel_mp = NULL;
4887 tcp->tcp_ordrel_done = B_TRUE;
4888 putnext(connp->conn_rq, mp1);
4889 }
4890 done:
4891 ASSERT(!(flags & TH_MARKNEXT_NEEDED));
4892 }
4893
4894 /*
4895 * Attach ancillary data to a received TCP segments for the
4896 * ancillary pieces requested by the application that are
4897 * different than they were in the previous data segment.
4898 *
4899 * Save the "current" values once memory allocation is ok so that
4900 * when memory allocation fails we can just wait for the next data segment.
4901 */
4902 static mblk_t *
4903 tcp_input_add_ancillary(tcp_t *tcp, mblk_t *mp, ip_pkt_t *ipp,
4904 ip_recv_attr_t *ira)
4905 {
4906 struct T_optdata_ind *todi;
4907 int optlen;
4908 uchar_t *optptr;
4909 struct T_opthdr *toh;
4910 crb_t addflag; /* Which pieces to add */
4911 mblk_t *mp1;
4912 conn_t *connp = tcp->tcp_connp;
4913
4914 optlen = 0;
4915 addflag.crb_all = 0;
4916 /* If app asked for pktinfo and the index has changed ... */
4917 if (connp->conn_recv_ancillary.crb_ip_recvpktinfo &&
4918 ira->ira_ruifindex != tcp->tcp_recvifindex) {
4919 optlen += sizeof (struct T_opthdr) +
4920 sizeof (struct in6_pktinfo);
4921 addflag.crb_ip_recvpktinfo = 1;
4922 }
4923 /* If app asked for hoplimit and it has changed ... */
4924 if (connp->conn_recv_ancillary.crb_ipv6_recvhoplimit &&
4925 ipp->ipp_hoplimit != tcp->tcp_recvhops) {
4926 optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
4927 addflag.crb_ipv6_recvhoplimit = 1;
4928 }
4929 /* If app asked for tclass and it has changed ... */
4930 if (connp->conn_recv_ancillary.crb_ipv6_recvtclass &&
4931 ipp->ipp_tclass != tcp->tcp_recvtclass) {
4932 optlen += sizeof (struct T_opthdr) + sizeof (uint_t);
4933 addflag.crb_ipv6_recvtclass = 1;
4934 }
4935 /*
4936 * If app asked for hopbyhop headers and it has changed ...
4937 * For security labels, note that (1) security labels can't change on
4938 * a connected socket at all, (2) we're connected to at most one peer,
4939 * (3) if anything changes, then it must be some other extra option.
4940 */
4941 if (connp->conn_recv_ancillary.crb_ipv6_recvhopopts &&
4942 ip_cmpbuf(tcp->tcp_hopopts, tcp->tcp_hopoptslen,
4943 (ipp->ipp_fields & IPPF_HOPOPTS),
4944 ipp->ipp_hopopts, ipp->ipp_hopoptslen)) {
4945 optlen += sizeof (struct T_opthdr) + ipp->ipp_hopoptslen;
4946 addflag.crb_ipv6_recvhopopts = 1;
4947 if (!ip_allocbuf((void **)&tcp->tcp_hopopts,
4948 &tcp->tcp_hopoptslen, (ipp->ipp_fields & IPPF_HOPOPTS),
4949 ipp->ipp_hopopts, ipp->ipp_hopoptslen))
4950 return (mp);
4951 }
4952 /* If app asked for dst headers before routing headers ... */
4953 if (connp->conn_recv_ancillary.crb_ipv6_recvrthdrdstopts &&
4954 ip_cmpbuf(tcp->tcp_rthdrdstopts, tcp->tcp_rthdrdstoptslen,
4955 (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
4956 ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen)) {
4957 optlen += sizeof (struct T_opthdr) +
4958 ipp->ipp_rthdrdstoptslen;
4959 addflag.crb_ipv6_recvrthdrdstopts = 1;
4960 if (!ip_allocbuf((void **)&tcp->tcp_rthdrdstopts,
4961 &tcp->tcp_rthdrdstoptslen,
4962 (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
4963 ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen))
4964 return (mp);
4965 }
4966 /* If app asked for routing headers and it has changed ... */
4967 if (connp->conn_recv_ancillary.crb_ipv6_recvrthdr &&
4968 ip_cmpbuf(tcp->tcp_rthdr, tcp->tcp_rthdrlen,
4969 (ipp->ipp_fields & IPPF_RTHDR),
4970 ipp->ipp_rthdr, ipp->ipp_rthdrlen)) {
4971 optlen += sizeof (struct T_opthdr) + ipp->ipp_rthdrlen;
4972 addflag.crb_ipv6_recvrthdr = 1;
4973 if (!ip_allocbuf((void **)&tcp->tcp_rthdr,
4974 &tcp->tcp_rthdrlen, (ipp->ipp_fields & IPPF_RTHDR),
4975 ipp->ipp_rthdr, ipp->ipp_rthdrlen))
4976 return (mp);
4977 }
4978 /* If app asked for dest headers and it has changed ... */
4979 if ((connp->conn_recv_ancillary.crb_ipv6_recvdstopts ||
4980 connp->conn_recv_ancillary.crb_old_ipv6_recvdstopts) &&
4981 ip_cmpbuf(tcp->tcp_dstopts, tcp->tcp_dstoptslen,
4982 (ipp->ipp_fields & IPPF_DSTOPTS),
4983 ipp->ipp_dstopts, ipp->ipp_dstoptslen)) {
4984 optlen += sizeof (struct T_opthdr) + ipp->ipp_dstoptslen;
4985 addflag.crb_ipv6_recvdstopts = 1;
4986 if (!ip_allocbuf((void **)&tcp->tcp_dstopts,
4987 &tcp->tcp_dstoptslen, (ipp->ipp_fields & IPPF_DSTOPTS),
4988 ipp->ipp_dstopts, ipp->ipp_dstoptslen))
4989 return (mp);
4990 }
4991
4992 if (optlen == 0) {
4993 /* Nothing to add */
4994 return (mp);
4995 }
4996 mp1 = allocb(sizeof (struct T_optdata_ind) + optlen, BPRI_MED);
4997 if (mp1 == NULL) {
4998 /*
4999 * Defer sending ancillary data until the next TCP segment
5000 * arrives.
5001 */
5002 return (mp);
5003 }
5004 mp1->b_cont = mp;
5005 mp = mp1;
5006 mp->b_wptr += sizeof (*todi) + optlen;
5007 mp->b_datap->db_type = M_PROTO;
5008 todi = (struct T_optdata_ind *)mp->b_rptr;
5009 todi->PRIM_type = T_OPTDATA_IND;
5010 todi->DATA_flag = 1; /* MORE data */
5011 todi->OPT_length = optlen;
5012 todi->OPT_offset = sizeof (*todi);
5013 optptr = (uchar_t *)&todi[1];
5014 /*
5015 * If app asked for pktinfo and the index has changed ...
5016 * Note that the local address never changes for the connection.
5017 */
5018 if (addflag.crb_ip_recvpktinfo) {
5019 struct in6_pktinfo *pkti;
5020 uint_t ifindex;
5021
5022 ifindex = ira->ira_ruifindex;
5023 toh = (struct T_opthdr *)optptr;
5024 toh->level = IPPROTO_IPV6;
5025 toh->name = IPV6_PKTINFO;
5026 toh->len = sizeof (*toh) + sizeof (*pkti);
5027 toh->status = 0;
5028 optptr += sizeof (*toh);
5029 pkti = (struct in6_pktinfo *)optptr;
5030 pkti->ipi6_addr = connp->conn_laddr_v6;
5031 pkti->ipi6_ifindex = ifindex;
5032 optptr += sizeof (*pkti);
5033 ASSERT(OK_32PTR(optptr));
5034 /* Save as "last" value */
5035 tcp->tcp_recvifindex = ifindex;
5036 }
5037 /* If app asked for hoplimit and it has changed ... */
5038 if (addflag.crb_ipv6_recvhoplimit) {
5039 toh = (struct T_opthdr *)optptr;
5040 toh->level = IPPROTO_IPV6;
5041 toh->name = IPV6_HOPLIMIT;
5042 toh->len = sizeof (*toh) + sizeof (uint_t);
5043 toh->status = 0;
5044 optptr += sizeof (*toh);
5045 *(uint_t *)optptr = ipp->ipp_hoplimit;
5046 optptr += sizeof (uint_t);
5047 ASSERT(OK_32PTR(optptr));
5048 /* Save as "last" value */
5049 tcp->tcp_recvhops = ipp->ipp_hoplimit;
5050 }
5051 /* If app asked for tclass and it has changed ... */
5052 if (addflag.crb_ipv6_recvtclass) {
5053 toh = (struct T_opthdr *)optptr;
5054 toh->level = IPPROTO_IPV6;
5055 toh->name = IPV6_TCLASS;
5056 toh->len = sizeof (*toh) + sizeof (uint_t);
5057 toh->status = 0;
5058 optptr += sizeof (*toh);
5059 *(uint_t *)optptr = ipp->ipp_tclass;
5060 optptr += sizeof (uint_t);
5061 ASSERT(OK_32PTR(optptr));
5062 /* Save as "last" value */
5063 tcp->tcp_recvtclass = ipp->ipp_tclass;
5064 }
5065 if (addflag.crb_ipv6_recvhopopts) {
5066 toh = (struct T_opthdr *)optptr;
5067 toh->level = IPPROTO_IPV6;
5068 toh->name = IPV6_HOPOPTS;
5069 toh->len = sizeof (*toh) + ipp->ipp_hopoptslen;
5070 toh->status = 0;
5071 optptr += sizeof (*toh);
5072 bcopy((uchar_t *)ipp->ipp_hopopts, optptr, ipp->ipp_hopoptslen);
5073 optptr += ipp->ipp_hopoptslen;
5074 ASSERT(OK_32PTR(optptr));
5075 /* Save as last value */
5076 ip_savebuf((void **)&tcp->tcp_hopopts, &tcp->tcp_hopoptslen,
5077 (ipp->ipp_fields & IPPF_HOPOPTS),
5078 ipp->ipp_hopopts, ipp->ipp_hopoptslen);
5079 }
5080 if (addflag.crb_ipv6_recvrthdrdstopts) {
5081 toh = (struct T_opthdr *)optptr;
5082 toh->level = IPPROTO_IPV6;
5083 toh->name = IPV6_RTHDRDSTOPTS;
5084 toh->len = sizeof (*toh) + ipp->ipp_rthdrdstoptslen;
5085 toh->status = 0;
5086 optptr += sizeof (*toh);
5087 bcopy(ipp->ipp_rthdrdstopts, optptr, ipp->ipp_rthdrdstoptslen);
5088 optptr += ipp->ipp_rthdrdstoptslen;
5089 ASSERT(OK_32PTR(optptr));
5090 /* Save as last value */
5091 ip_savebuf((void **)&tcp->tcp_rthdrdstopts,
5092 &tcp->tcp_rthdrdstoptslen,
5093 (ipp->ipp_fields & IPPF_RTHDRDSTOPTS),
5094 ipp->ipp_rthdrdstopts, ipp->ipp_rthdrdstoptslen);
5095 }
5096 if (addflag.crb_ipv6_recvrthdr) {
5097 toh = (struct T_opthdr *)optptr;
5098 toh->level = IPPROTO_IPV6;
5099 toh->name = IPV6_RTHDR;
5100 toh->len = sizeof (*toh) + ipp->ipp_rthdrlen;
5101 toh->status = 0;
5102 optptr += sizeof (*toh);
5103 bcopy(ipp->ipp_rthdr, optptr, ipp->ipp_rthdrlen);
5104 optptr += ipp->ipp_rthdrlen;
5105 ASSERT(OK_32PTR(optptr));
5106 /* Save as last value */
5107 ip_savebuf((void **)&tcp->tcp_rthdr, &tcp->tcp_rthdrlen,
5108 (ipp->ipp_fields & IPPF_RTHDR),
5109 ipp->ipp_rthdr, ipp->ipp_rthdrlen);
5110 }
5111 if (addflag.crb_ipv6_recvdstopts) {
5112 toh = (struct T_opthdr *)optptr;
5113 toh->level = IPPROTO_IPV6;
5114 toh->name = IPV6_DSTOPTS;
5115 toh->len = sizeof (*toh) + ipp->ipp_dstoptslen;
5116 toh->status = 0;
5117 optptr += sizeof (*toh);
5118 bcopy(ipp->ipp_dstopts, optptr, ipp->ipp_dstoptslen);
5119 optptr += ipp->ipp_dstoptslen;
5120 ASSERT(OK_32PTR(optptr));
5121 /* Save as last value */
5122 ip_savebuf((void **)&tcp->tcp_dstopts, &tcp->tcp_dstoptslen,
5123 (ipp->ipp_fields & IPPF_DSTOPTS),
5124 ipp->ipp_dstopts, ipp->ipp_dstoptslen);
5125 }
5126 ASSERT(optptr == mp->b_wptr);
5127 return (mp);
5128 }
5129
5130 /* The minimum of smoothed mean deviation in RTO calculation. */
5131 #define TCP_SD_MIN 400
5132
5133 /*
5134 * Set RTO for this connection. The formula is from Jacobson and Karels'
5135 * "Congestion Avoidance and Control" in SIGCOMM '88. The variable names
5136 * are the same as those in Appendix A.2 of that paper.
5137 *
5138 * m = new measurement
5139 * sa = smoothed RTT average (8 * average estimates).
5140 * sv = smoothed mean deviation (mdev) of RTT (4 * deviation estimates).
5141 */
5142 static void
5143 tcp_set_rto(tcp_t *tcp, clock_t rtt)
5144 {
5145 long m = TICK_TO_MSEC(rtt);
5146 clock_t sa = tcp->tcp_rtt_sa;
5147 clock_t sv = tcp->tcp_rtt_sd;
5148 clock_t rto;
5149 tcp_stack_t *tcps = tcp->tcp_tcps;
5150
5151 TCPS_BUMP_MIB(tcps, tcpRttUpdate);
5152 tcp->tcp_rtt_update++;
5153
5154 /* tcp_rtt_sa is not 0 means this is a new sample. */
5155 if (sa != 0) {
5156 /*
5157 * Update average estimator:
5158 * new rtt = 7/8 old rtt + 1/8 Error
5159 */
5160
5161 /* m is now Error in estimate. */
5162 m -= sa >> 3;
5163 if ((sa += m) <= 0) {
5164 /*
5165 * Don't allow the smoothed average to be negative.
5166 * We use 0 to denote reinitialization of the
5167 * variables.
5168 */
5169 sa = 1;
5170 }
5171
5172 /*
5173 * Update deviation estimator:
5174 * new mdev = 3/4 old mdev + 1/4 (abs(Error) - old mdev)
5175 */
5176 if (m < 0)
5177 m = -m;
5178 m -= sv >> 2;
5179 sv += m;
5180 } else {
5181 /*
5182 * This follows BSD's implementation. So the reinitialized
5183 * RTO is 3 * m. We cannot go less than 2 because if the
5184 * link is bandwidth dominated, doubling the window size
5185 * during slow start means doubling the RTT. We want to be
5186 * more conservative when we reinitialize our estimates. 3
5187 * is just a convenient number.
5188 */
5189 sa = m << 3;
5190 sv = m << 1;
5191 }
5192 if (sv < TCP_SD_MIN) {
5193 /*
5194 * We do not know that if sa captures the delay ACK
5195 * effect as in a long train of segments, a receiver
5196 * does not delay its ACKs. So set the minimum of sv
5197 * to be TCP_SD_MIN, which is default to 400 ms, twice
5198 * of BSD DATO. That means the minimum of mean
5199 * deviation is 100 ms.
5200 *
5201 */
5202 sv = TCP_SD_MIN;
5203 }
5204 tcp->tcp_rtt_sa = sa;
5205 tcp->tcp_rtt_sd = sv;
5206 /*
5207 * RTO = average estimates (sa / 8) + 4 * deviation estimates (sv)
5208 *
5209 * Add tcp_rexmit_interval extra in case of extreme environment
5210 * where the algorithm fails to work. The default value of
5211 * tcp_rexmit_interval_extra should be 0.
5212 *
5213 * As we use a finer grained clock than BSD and update
5214 * RTO for every ACKs, add in another .25 of RTT to the
5215 * deviation of RTO to accomodate burstiness of 1/4 of
5216 * window size.
5217 */
5218 rto = (sa >> 3) + sv + tcps->tcps_rexmit_interval_extra + (sa >> 5);
5219
5220 TCP_SET_RTO(tcp, rto);
5221
5222 /* Now, we can reset tcp_timer_backoff to use the new RTO... */
5223 tcp->tcp_timer_backoff = 0;
5224 }
5225
5226 /*
5227 * On a labeled system we have some protocols above TCP, such as RPC, which
5228 * appear to assume that every mblk in a chain has a db_credp.
5229 */
5230 static void
5231 tcp_setcred_data(mblk_t *mp, ip_recv_attr_t *ira)
5232 {
5233 ASSERT(is_system_labeled());
5234 ASSERT(ira->ira_cred != NULL);
5235
5236 while (mp != NULL) {
5237 mblk_setcred(mp, ira->ira_cred, NOPID);
5238 mp = mp->b_cont;
5239 }
5240 }
5241
5242 uint_t
5243 tcp_rwnd_reopen(tcp_t *tcp)
5244 {
5245 uint_t ret = 0;
5246 uint_t thwin;
5247 conn_t *connp = tcp->tcp_connp;
5248
5249 /* Learn the latest rwnd information that we sent to the other side. */
5250 thwin = ((uint_t)ntohs(tcp->tcp_tcpha->tha_win))
5251 << tcp->tcp_rcv_ws;
5252 /* This is peer's calculated send window (our receive window). */
5253 thwin -= tcp->tcp_rnxt - tcp->tcp_rack;
5254 /*
5255 * Increase the receive window to max. But we need to do receiver
5256 * SWS avoidance. This means that we need to check the increase of
5257 * of receive window is at least 1 MSS.
5258 */
5259 if (connp->conn_rcvbuf - thwin >= tcp->tcp_mss) {
5260 /*
5261 * If the window that the other side knows is less than max
5262 * deferred acks segments, send an update immediately.
5263 */
5264 if (thwin < tcp->tcp_rack_cur_max * tcp->tcp_mss) {
5265 TCPS_BUMP_MIB(tcp->tcp_tcps, tcpOutWinUpdate);
5266 ret = TH_ACK_NEEDED;
5267 }
5268 tcp->tcp_rwnd = connp->conn_rcvbuf;
5269 }
5270 return (ret);
5271 }
5272
5273 /*
5274 * Handle a packet that has been reclassified by TCP.
5275 * This function drops the ref on connp that the caller had.
5276 */
5277 void
5278 tcp_reinput(conn_t *connp, mblk_t *mp, ip_recv_attr_t *ira, ip_stack_t *ipst)
5279 {
5280 ipsec_stack_t *ipss = ipst->ips_netstack->netstack_ipsec;
5281
5282 if (connp->conn_incoming_ifindex != 0 &&
5283 connp->conn_incoming_ifindex != ira->ira_ruifindex) {
5284 freemsg(mp);
5285 CONN_DEC_REF(connp);
5286 return;
5287 }
5288
5289 if (CONN_INBOUND_POLICY_PRESENT_V6(connp, ipss) ||
5290 (ira->ira_flags & IRAF_IPSEC_SECURE)) {
5291 ip6_t *ip6h;
5292 ipha_t *ipha;
5293
5294 if (ira->ira_flags & IRAF_IS_IPV4) {
5295 ipha = (ipha_t *)mp->b_rptr;
5296 ip6h = NULL;
5297 } else {
5298 ipha = NULL;
5299 ip6h = (ip6_t *)mp->b_rptr;
5300 }
5301 mp = ipsec_check_inbound_policy(mp, connp, ipha, ip6h, ira);
5302 if (mp == NULL) {
5303 BUMP_MIB(&ipst->ips_ip_mib, ipIfStatsInDiscards);
5304 /* Note that mp is NULL */
5305 ip_drop_input("ipIfStatsInDiscards", mp, NULL);
5306 CONN_DEC_REF(connp);
5307 return;
5308 }
5309 }
5310
5311 if (IPCL_IS_TCP(connp)) {
5312 /*
5313 * do not drain, certain use cases can blow
5314 * the stack
5315 */
5316 SQUEUE_ENTER_ONE(connp->conn_sqp, mp,
5317 connp->conn_recv, connp, ira,
5318 SQ_NODRAIN, SQTAG_IP_TCP_INPUT);
5319 } else {
5320 /* Not TCP; must be SOCK_RAW, IPPROTO_TCP */
5321 (connp->conn_recv)(connp, mp, NULL,
5322 ira);
5323 CONN_DEC_REF(connp);
5324 }
5325
5326 }
5327
5328 /* ARGSUSED */
5329 static void
5330 tcp_rsrv_input(void *arg, mblk_t *mp, void *arg2, ip_recv_attr_t *dummy)
5331 {
5332 conn_t *connp = (conn_t *)arg;
5333 tcp_t *tcp = connp->conn_tcp;
5334 queue_t *q = connp->conn_rq;
5335
5336 ASSERT(!IPCL_IS_NONSTR(connp));
5337 mutex_enter(&tcp->tcp_rsrv_mp_lock);
5338 tcp->tcp_rsrv_mp = mp;
5339 mutex_exit(&tcp->tcp_rsrv_mp_lock);
5340
5341 if (TCP_IS_DETACHED(tcp) || q == NULL) {
5342 return;
5343 }
5344
5345 if (tcp->tcp_fused) {
5346 tcp_fuse_backenable(tcp);
5347 return;
5348 }
5349
5350 if (canputnext(q)) {
5351 /* Not flow-controlled, open rwnd */
5352 tcp->tcp_rwnd = connp->conn_rcvbuf;
5353
5354 /*
5355 * Send back a window update immediately if TCP is above
5356 * ESTABLISHED state and the increase of the rcv window
5357 * that the other side knows is at least 1 MSS after flow
5358 * control is lifted.
5359 */
5360 if (tcp->tcp_state >= TCPS_ESTABLISHED &&
5361 tcp_rwnd_reopen(tcp) == TH_ACK_NEEDED) {
5362 tcp_xmit_ctl(NULL, tcp,
5363 (tcp->tcp_swnd == 0) ? tcp->tcp_suna :
5364 tcp->tcp_snxt, tcp->tcp_rnxt, TH_ACK);
5365 }
5366 }
5367 }
5368
5369 /*
5370 * The read side service routine is called mostly when we get back-enabled as a
5371 * result of flow control relief. Since we don't actually queue anything in
5372 * TCP, we have no data to send out of here. What we do is clear the receive
5373 * window, and send out a window update.
5374 */
5375 void
5376 tcp_rsrv(queue_t *q)
5377 {
5378 conn_t *connp = Q_TO_CONN(q);
5379 tcp_t *tcp = connp->conn_tcp;
5380 mblk_t *mp;
5381
5382 /* No code does a putq on the read side */
5383 ASSERT(q->q_first == NULL);
5384
5385 /*
5386 * If tcp->tcp_rsrv_mp == NULL, it means that tcp_rsrv() has already
5387 * been run. So just return.
5388 */
5389 mutex_enter(&tcp->tcp_rsrv_mp_lock);
5390 if ((mp = tcp->tcp_rsrv_mp) == NULL) {
5391 mutex_exit(&tcp->tcp_rsrv_mp_lock);
5392 return;
5393 }
5394 tcp->tcp_rsrv_mp = NULL;
5395 mutex_exit(&tcp->tcp_rsrv_mp_lock);
5396
5397 CONN_INC_REF(connp);
5398 SQUEUE_ENTER_ONE(connp->conn_sqp, mp, tcp_rsrv_input, connp,
5399 NULL, SQ_PROCESS, SQTAG_TCP_RSRV);
5400 }
5401
5402 /* At minimum we need 8 bytes in the TCP header for the lookup */
5403 #define ICMP_MIN_TCP_HDR 8
5404
5405 /*
5406 * tcp_icmp_input is called as conn_recvicmp to process ICMP error messages
5407 * passed up by IP. The message is always received on the correct tcp_t.
5408 * Assumes that IP has pulled up everything up to and including the ICMP header.
5409 */
5410 /* ARGSUSED2 */
5411 void
5412 tcp_icmp_input(void *arg1, mblk_t *mp, void *arg2, ip_recv_attr_t *ira)
5413 {
5414 conn_t *connp = (conn_t *)arg1;
5415 icmph_t *icmph;
5416 ipha_t *ipha;
5417 int iph_hdr_length;
5418 tcpha_t *tcpha;
5419 uint32_t seg_seq;
5420 tcp_t *tcp = connp->conn_tcp;
5421
5422 /* Assume IP provides aligned packets */
5423 ASSERT(OK_32PTR(mp->b_rptr));
5424 ASSERT((MBLKL(mp) >= sizeof (ipha_t)));
5425
5426 /*
5427 * Verify IP version. Anything other than IPv4 or IPv6 packet is sent
5428 * upstream. ICMPv6 is handled in tcp_icmp_error_ipv6.
5429 */
5430 if (!(ira->ira_flags & IRAF_IS_IPV4)) {
5431 tcp_icmp_error_ipv6(tcp, mp, ira);
5432 return;
5433 }
5434
5435 /* Skip past the outer IP and ICMP headers */
5436 iph_hdr_length = ira->ira_ip_hdr_length;
5437 icmph = (icmph_t *)&mp->b_rptr[iph_hdr_length];
5438 /*
5439 * If we don't have the correct outer IP header length
5440 * or if we don't have a complete inner IP header
5441 * drop it.
5442 */
5443 if (iph_hdr_length < sizeof (ipha_t) ||
5444 (ipha_t *)&icmph[1] + 1 > (ipha_t *)mp->b_wptr) {
5445 noticmpv4:
5446 freemsg(mp);
5447 return;
5448 }
5449 ipha = (ipha_t *)&icmph[1];
5450
5451 /* Skip past the inner IP and find the ULP header */
5452 iph_hdr_length = IPH_HDR_LENGTH(ipha);
5453 tcpha = (tcpha_t *)((char *)ipha + iph_hdr_length);
5454 /*
5455 * If we don't have the correct inner IP header length or if the ULP
5456 * is not IPPROTO_TCP or if we don't have at least ICMP_MIN_TCP_HDR
5457 * bytes of TCP header, drop it.
5458 */
5459 if (iph_hdr_length < sizeof (ipha_t) ||
5460 ipha->ipha_protocol != IPPROTO_TCP ||
5461 (uchar_t *)tcpha + ICMP_MIN_TCP_HDR > mp->b_wptr) {
5462 goto noticmpv4;
5463 }
5464
5465 seg_seq = ntohl(tcpha->tha_seq);
5466 switch (icmph->icmph_type) {
5467 case ICMP_DEST_UNREACHABLE:
5468 switch (icmph->icmph_code) {
5469 case ICMP_FRAGMENTATION_NEEDED:
5470 /*
5471 * Update Path MTU, then try to send something out.
5472 */
5473 tcp_update_pmtu(tcp, B_TRUE);
5474 tcp_rexmit_after_error(tcp);
5475 break;
5476 case ICMP_PORT_UNREACHABLE:
5477 case ICMP_PROTOCOL_UNREACHABLE:
5478 switch (tcp->tcp_state) {
5479 case TCPS_SYN_SENT:
5480 case TCPS_SYN_RCVD:
5481 /*
5482 * ICMP can snipe away incipient
5483 * TCP connections as long as
5484 * seq number is same as initial
5485 * send seq number.
5486 */
5487 if (seg_seq == tcp->tcp_iss) {
5488 (void) tcp_clean_death(tcp,
5489 ECONNREFUSED);
5490 }
5491 break;
5492 }
5493 break;
5494 case ICMP_HOST_UNREACHABLE:
5495 case ICMP_NET_UNREACHABLE:
5496 /* Record the error in case we finally time out. */
5497 if (icmph->icmph_code == ICMP_HOST_UNREACHABLE)
5498 tcp->tcp_client_errno = EHOSTUNREACH;
5499 else
5500 tcp->tcp_client_errno = ENETUNREACH;
5501 if (tcp->tcp_state == TCPS_SYN_RCVD) {
5502 if (tcp->tcp_listener != NULL &&
5503 tcp->tcp_listener->tcp_syn_defense) {
5504 /*
5505 * Ditch the half-open connection if we
5506 * suspect a SYN attack is under way.
5507 */
5508 (void) tcp_clean_death(tcp,
5509 tcp->tcp_client_errno);
5510 }
5511 }
5512 break;
5513 default:
5514 break;
5515 }
5516 break;
5517 case ICMP_SOURCE_QUENCH: {
5518 /*
5519 * use a global boolean to control
5520 * whether TCP should respond to ICMP_SOURCE_QUENCH.
5521 * The default is false.
5522 */
5523 if (tcp_icmp_source_quench) {
5524 /*
5525 * Reduce the sending rate as if we got a
5526 * retransmit timeout
5527 */
5528 uint32_t npkt;
5529
5530 npkt = ((tcp->tcp_snxt - tcp->tcp_suna) >> 1) /
5531 tcp->tcp_mss;
5532 tcp->tcp_cwnd_ssthresh = MAX(npkt, 2) * tcp->tcp_mss;
5533 tcp->tcp_cwnd = tcp->tcp_mss;
5534 tcp->tcp_cwnd_cnt = 0;
5535 }
5536 break;
5537 }
5538 }
5539 freemsg(mp);
5540 }
5541
5542 /*
5543 * tcp_icmp_error_ipv6 is called from tcp_icmp_input to process ICMPv6
5544 * error messages passed up by IP.
5545 * Assumes that IP has pulled up all the extension headers as well
5546 * as the ICMPv6 header.
5547 */
5548 static void
5549 tcp_icmp_error_ipv6(tcp_t *tcp, mblk_t *mp, ip_recv_attr_t *ira)
5550 {
5551 icmp6_t *icmp6;
5552 ip6_t *ip6h;
5553 uint16_t iph_hdr_length = ira->ira_ip_hdr_length;
5554 tcpha_t *tcpha;
5555 uint8_t *nexthdrp;
5556 uint32_t seg_seq;
5557
5558 /*
5559 * Verify that we have a complete IP header.
5560 */
5561 ASSERT((MBLKL(mp) >= sizeof (ip6_t)));
5562
5563 icmp6 = (icmp6_t *)&mp->b_rptr[iph_hdr_length];
5564 ip6h = (ip6_t *)&icmp6[1];
5565 /*
5566 * Verify if we have a complete ICMP and inner IP header.
5567 */
5568 if ((uchar_t *)&ip6h[1] > mp->b_wptr) {
5569 noticmpv6:
5570 freemsg(mp);
5571 return;
5572 }
5573
5574 if (!ip_hdr_length_nexthdr_v6(mp, ip6h, &iph_hdr_length, &nexthdrp))
5575 goto noticmpv6;
5576 tcpha = (tcpha_t *)((char *)ip6h + iph_hdr_length);
5577 /*
5578 * Validate inner header. If the ULP is not IPPROTO_TCP or if we don't
5579 * have at least ICMP_MIN_TCP_HDR bytes of TCP header drop the
5580 * packet.
5581 */
5582 if ((*nexthdrp != IPPROTO_TCP) ||
5583 ((uchar_t *)tcpha + ICMP_MIN_TCP_HDR) > mp->b_wptr) {
5584 goto noticmpv6;
5585 }
5586
5587 seg_seq = ntohl(tcpha->tha_seq);
5588 switch (icmp6->icmp6_type) {
5589 case ICMP6_PACKET_TOO_BIG:
5590 /*
5591 * Update Path MTU, then try to send something out.
5592 */
5593 tcp_update_pmtu(tcp, B_TRUE);
5594 tcp_rexmit_after_error(tcp);
5595 break;
5596 case ICMP6_DST_UNREACH:
5597 switch (icmp6->icmp6_code) {
5598 case ICMP6_DST_UNREACH_NOPORT:
5599 if (((tcp->tcp_state == TCPS_SYN_SENT) ||
5600 (tcp->tcp_state == TCPS_SYN_RCVD)) &&
5601 (seg_seq == tcp->tcp_iss)) {
5602 (void) tcp_clean_death(tcp, ECONNREFUSED);
5603 }
5604 break;
5605 case ICMP6_DST_UNREACH_ADMIN:
5606 case ICMP6_DST_UNREACH_NOROUTE:
5607 case ICMP6_DST_UNREACH_BEYONDSCOPE:
5608 case ICMP6_DST_UNREACH_ADDR:
5609 /* Record the error in case we finally time out. */
5610 tcp->tcp_client_errno = EHOSTUNREACH;
5611 if (((tcp->tcp_state == TCPS_SYN_SENT) ||
5612 (tcp->tcp_state == TCPS_SYN_RCVD)) &&
5613 (seg_seq == tcp->tcp_iss)) {
5614 if (tcp->tcp_listener != NULL &&
5615 tcp->tcp_listener->tcp_syn_defense) {
5616 /*
5617 * Ditch the half-open connection if we
5618 * suspect a SYN attack is under way.
5619 */
5620 (void) tcp_clean_death(tcp,
5621 tcp->tcp_client_errno);
5622 }
5623 }
5624
5625
5626 break;
5627 default:
5628 break;
5629 }
5630 break;
5631 case ICMP6_PARAM_PROB:
5632 /* If this corresponds to an ICMP_PROTOCOL_UNREACHABLE */
5633 if (icmp6->icmp6_code == ICMP6_PARAMPROB_NEXTHEADER &&
5634 (uchar_t *)ip6h + icmp6->icmp6_pptr ==
5635 (uchar_t *)nexthdrp) {
5636 if (tcp->tcp_state == TCPS_SYN_SENT ||
5637 tcp->tcp_state == TCPS_SYN_RCVD) {
5638 (void) tcp_clean_death(tcp, ECONNREFUSED);
5639 }
5640 break;
5641 }
5642 break;
5643
5644 case ICMP6_TIME_EXCEEDED:
5645 default:
5646 break;
5647 }
5648 freemsg(mp);
5649 }
5650
5651 /*
5652 * CALLED OUTSIDE OF SQUEUE! It can not follow any pointers that tcp might
5653 * change. But it can refer to fields like tcp_suna and tcp_snxt.
5654 *
5655 * Function tcp_verifyicmp is called as conn_verifyicmp to verify the ICMP
5656 * error messages received by IP. The message is always received on the correct
5657 * tcp_t.
5658 */
5659 /* ARGSUSED */
5660 boolean_t
5661 tcp_verifyicmp(conn_t *connp, void *arg2, icmph_t *icmph, icmp6_t *icmp6,
5662 ip_recv_attr_t *ira)
5663 {
5664 tcpha_t *tcpha = (tcpha_t *)arg2;
5665 uint32_t seq = ntohl(tcpha->tha_seq);
5666 tcp_t *tcp = connp->conn_tcp;
5667
5668 /*
5669 * TCP sequence number contained in payload of the ICMP error message
5670 * should be within the range SND.UNA <= SEG.SEQ < SND.NXT. Otherwise,
5671 * the message is either a stale ICMP error, or an attack from the
5672 * network. Fail the verification.
5673 */
5674 if (SEQ_LT(seq, tcp->tcp_suna) || SEQ_GEQ(seq, tcp->tcp_snxt))
5675 return (B_FALSE);
5676
5677 /* For "too big" we also check the ignore flag */
5678 if (ira->ira_flags & IRAF_IS_IPV4) {
5679 ASSERT(icmph != NULL);
5680 if (icmph->icmph_type == ICMP_DEST_UNREACHABLE &&
5681 icmph->icmph_code == ICMP_FRAGMENTATION_NEEDED &&
5682 tcp->tcp_tcps->tcps_ignore_path_mtu)
5683 return (B_FALSE);
5684 } else {
5685 ASSERT(icmp6 != NULL);
5686 if (icmp6->icmp6_type == ICMP6_PACKET_TOO_BIG &&
5687 tcp->tcp_tcps->tcps_ignore_path_mtu)
5688 return (B_FALSE);
5689 }
5690 return (B_TRUE);
5691 }