xref: /linux/net/ipv4/tcp_fastopen.c (revision 887069f424550ebdcb411166733e1d05002b58e4)
1 // SPDX-License-Identifier: GPL-2.0
2 #include <linux/crypto.h>
3 #include <linux/err.h>
4 #include <linux/init.h>
5 #include <linux/kernel.h>
6 #include <linux/list.h>
7 #include <linux/tcp.h>
8 #include <linux/rcupdate.h>
9 #include <linux/rculist.h>
10 #include <net/inetpeer.h>
11 #include <net/tcp.h>
12 
13 void tcp_fastopen_init_key_once(struct net *net)
14 {
15 	u8 key[TCP_FASTOPEN_KEY_LENGTH];
16 	struct tcp_fastopen_context *ctxt;
17 
18 	rcu_read_lock();
19 	ctxt = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
20 	if (ctxt) {
21 		rcu_read_unlock();
22 		return;
23 	}
24 	rcu_read_unlock();
25 
26 	/* tcp_fastopen_reset_cipher publishes the new context
27 	 * atomically, so we allow this race happening here.
28 	 *
29 	 * All call sites of tcp_fastopen_cookie_gen also check
30 	 * for a valid cookie, so this is an acceptable risk.
31 	 */
32 	get_random_bytes(key, sizeof(key));
33 	tcp_fastopen_reset_cipher(net, NULL, key, NULL);
34 }
35 
36 static void tcp_fastopen_ctx_free(struct rcu_head *head)
37 {
38 	struct tcp_fastopen_context *ctx =
39 	    container_of(head, struct tcp_fastopen_context, rcu);
40 
41 	kfree_sensitive(ctx);
42 }
43 
44 void tcp_fastopen_destroy_cipher(struct sock *sk)
45 {
46 	struct tcp_fastopen_context *ctx;
47 
48 	ctx = rcu_dereference_protected(
49 			inet_csk(sk)->icsk_accept_queue.fastopenq.ctx, 1);
50 	if (ctx)
51 		call_rcu(&ctx->rcu, tcp_fastopen_ctx_free);
52 }
53 
54 void tcp_fastopen_ctx_destroy(struct net *net)
55 {
56 	struct tcp_fastopen_context *ctxt;
57 
58 	ctxt = xchg((__force struct tcp_fastopen_context **)&net->ipv4.tcp_fastopen_ctx, NULL);
59 
60 	if (ctxt)
61 		call_rcu(&ctxt->rcu, tcp_fastopen_ctx_free);
62 }
63 
64 int tcp_fastopen_reset_cipher(struct net *net, struct sock *sk,
65 			      void *primary_key, void *backup_key)
66 {
67 	struct tcp_fastopen_context *ctx, *octx;
68 	struct fastopen_queue *q;
69 	int err = 0;
70 
71 	ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
72 	if (!ctx) {
73 		err = -ENOMEM;
74 		goto out;
75 	}
76 
77 	ctx->key[0].key[0] = get_unaligned_le64(primary_key);
78 	ctx->key[0].key[1] = get_unaligned_le64(primary_key + 8);
79 	if (backup_key) {
80 		ctx->key[1].key[0] = get_unaligned_le64(backup_key);
81 		ctx->key[1].key[1] = get_unaligned_le64(backup_key + 8);
82 		ctx->num = 2;
83 	} else {
84 		ctx->num = 1;
85 	}
86 
87 	if (sk) {
88 		q = &inet_csk(sk)->icsk_accept_queue.fastopenq;
89 		octx = xchg((__force struct tcp_fastopen_context **)&q->ctx, ctx);
90 	} else {
91 		octx = xchg((__force struct tcp_fastopen_context **)&net->ipv4.tcp_fastopen_ctx, ctx);
92 	}
93 
94 	if (octx)
95 		call_rcu(&octx->rcu, tcp_fastopen_ctx_free);
96 out:
97 	return err;
98 }
99 
100 int tcp_fastopen_get_cipher(struct net *net, struct inet_connection_sock *icsk,
101 			    u64 *key)
102 {
103 	struct tcp_fastopen_context *ctx;
104 	int n_keys = 0, i;
105 
106 	rcu_read_lock();
107 	if (icsk)
108 		ctx = rcu_dereference(icsk->icsk_accept_queue.fastopenq.ctx);
109 	else
110 		ctx = rcu_dereference(net->ipv4.tcp_fastopen_ctx);
111 	if (ctx) {
112 		n_keys = tcp_fastopen_context_len(ctx);
113 		for (i = 0; i < n_keys; i++) {
114 			put_unaligned_le64(ctx->key[i].key[0], key + (i * 2));
115 			put_unaligned_le64(ctx->key[i].key[1], key + (i * 2) + 1);
116 		}
117 	}
118 	rcu_read_unlock();
119 
120 	return n_keys;
121 }
122 
123 static bool __tcp_fastopen_cookie_gen_cipher(struct request_sock *req,
124 					     struct sk_buff *syn,
125 					     const siphash_key_t *key,
126 					     struct tcp_fastopen_cookie *foc)
127 {
128 	BUILD_BUG_ON(TCP_FASTOPEN_COOKIE_SIZE != sizeof(u64));
129 
130 	if (req->rsk_ops->family == AF_INET) {
131 		const struct iphdr *iph = ip_hdr(syn);
132 
133 		foc->val[0] = cpu_to_le64(siphash(&iph->saddr,
134 					  sizeof(iph->saddr) +
135 					  sizeof(iph->daddr),
136 					  key));
137 		foc->len = TCP_FASTOPEN_COOKIE_SIZE;
138 		return true;
139 	}
140 #if IS_ENABLED(CONFIG_IPV6)
141 	if (req->rsk_ops->family == AF_INET6) {
142 		const struct ipv6hdr *ip6h = ipv6_hdr(syn);
143 
144 		foc->val[0] = cpu_to_le64(siphash(&ip6h->saddr,
145 					  sizeof(ip6h->saddr) +
146 					  sizeof(ip6h->daddr),
147 					  key));
148 		foc->len = TCP_FASTOPEN_COOKIE_SIZE;
149 		return true;
150 	}
151 #endif
152 	return false;
153 }
154 
155 /* Generate the fastopen cookie by applying SipHash to both the source and
156  * destination addresses.
157  */
158 static void tcp_fastopen_cookie_gen(struct sock *sk,
159 				    struct request_sock *req,
160 				    struct sk_buff *syn,
161 				    struct tcp_fastopen_cookie *foc)
162 {
163 	struct tcp_fastopen_context *ctx;
164 
165 	rcu_read_lock();
166 	ctx = tcp_fastopen_get_ctx(sk);
167 	if (ctx)
168 		__tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[0], foc);
169 	rcu_read_unlock();
170 }
171 
172 /* If an incoming SYN or SYNACK frame contains a payload and/or FIN,
173  * queue this additional data / FIN.
174  */
175 void tcp_fastopen_add_skb(struct sock *sk, struct sk_buff *skb)
176 {
177 	struct tcp_sock *tp = tcp_sk(sk);
178 
179 	if (TCP_SKB_CB(skb)->end_seq == tp->rcv_nxt)
180 		return;
181 
182 	skb = skb_clone(skb, GFP_ATOMIC);
183 	if (!skb)
184 		return;
185 
186 	skb_dst_drop(skb);
187 	/* segs_in has been initialized to 1 in tcp_create_openreq_child().
188 	 * Hence, reset segs_in to 0 before calling tcp_segs_in()
189 	 * to avoid double counting.  Also, tcp_segs_in() expects
190 	 * skb->len to include the tcp_hdrlen.  Hence, it should
191 	 * be called before __skb_pull().
192 	 */
193 	tp->segs_in = 0;
194 	tcp_segs_in(tp, skb);
195 	__skb_pull(skb, tcp_hdrlen(skb));
196 	sk_forced_mem_schedule(sk, skb->truesize);
197 	skb_set_owner_r(skb, sk);
198 
199 	TCP_SKB_CB(skb)->seq++;
200 	TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_SYN;
201 
202 	tp->rcv_nxt = TCP_SKB_CB(skb)->end_seq;
203 	__skb_queue_tail(&sk->sk_receive_queue, skb);
204 	tp->syn_data_acked = 1;
205 
206 	/* u64_stats_update_begin(&tp->syncp) not needed here,
207 	 * as we certainly are not changing upper 32bit value (0)
208 	 */
209 	tp->bytes_received = skb->len;
210 
211 	if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN)
212 		tcp_fin(sk);
213 }
214 
215 /* returns 0 - no key match, 1 for primary, 2 for backup */
216 static int tcp_fastopen_cookie_gen_check(struct sock *sk,
217 					 struct request_sock *req,
218 					 struct sk_buff *syn,
219 					 struct tcp_fastopen_cookie *orig,
220 					 struct tcp_fastopen_cookie *valid_foc)
221 {
222 	struct tcp_fastopen_cookie search_foc = { .len = -1 };
223 	struct tcp_fastopen_cookie *foc = valid_foc;
224 	struct tcp_fastopen_context *ctx;
225 	int i, ret = 0;
226 
227 	rcu_read_lock();
228 	ctx = tcp_fastopen_get_ctx(sk);
229 	if (!ctx)
230 		goto out;
231 	for (i = 0; i < tcp_fastopen_context_len(ctx); i++) {
232 		__tcp_fastopen_cookie_gen_cipher(req, syn, &ctx->key[i], foc);
233 		if (tcp_fastopen_cookie_match(foc, orig)) {
234 			ret = i + 1;
235 			goto out;
236 		}
237 		foc = &search_foc;
238 	}
239 out:
240 	rcu_read_unlock();
241 	return ret;
242 }
243 
244 static struct sock *tcp_fastopen_create_child(struct sock *sk,
245 					      struct sk_buff *skb,
246 					      struct request_sock *req)
247 {
248 	struct tcp_sock *tp;
249 	struct request_sock_queue *queue = &inet_csk(sk)->icsk_accept_queue;
250 	struct sock *child;
251 	bool own_req;
252 
253 	child = inet_csk(sk)->icsk_af_ops->syn_recv_sock(sk, skb, req, NULL,
254 							 NULL, &own_req);
255 	if (!child)
256 		return NULL;
257 
258 	spin_lock(&queue->fastopenq.lock);
259 	queue->fastopenq.qlen++;
260 	spin_unlock(&queue->fastopenq.lock);
261 
262 	/* Initialize the child socket. Have to fix some values to take
263 	 * into account the child is a Fast Open socket and is created
264 	 * only out of the bits carried in the SYN packet.
265 	 */
266 	tp = tcp_sk(child);
267 
268 	rcu_assign_pointer(tp->fastopen_rsk, req);
269 	tcp_rsk(req)->tfo_listener = true;
270 
271 	/* RFC1323: The window in SYN & SYN/ACK segments is never
272 	 * scaled. So correct it appropriately.
273 	 */
274 	tp->snd_wnd = ntohs(tcp_hdr(skb)->window);
275 	tp->max_window = tp->snd_wnd;
276 
277 	/* Activate the retrans timer so that SYNACK can be retransmitted.
278 	 * The request socket is not added to the ehash
279 	 * because it's been added to the accept queue directly.
280 	 */
281 	inet_csk_reset_xmit_timer(child, ICSK_TIME_RETRANS,
282 				  TCP_TIMEOUT_INIT, TCP_RTO_MAX);
283 
284 	refcount_set(&req->rsk_refcnt, 2);
285 
286 	/* Now finish processing the fastopen child socket. */
287 	tcp_init_transfer(child, BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB, skb);
288 
289 	tp->rcv_nxt = TCP_SKB_CB(skb)->seq + 1;
290 
291 	tcp_fastopen_add_skb(child, skb);
292 
293 	tcp_rsk(req)->rcv_nxt = tp->rcv_nxt;
294 	tp->rcv_wup = tp->rcv_nxt;
295 	/* tcp_conn_request() is sending the SYNACK,
296 	 * and queues the child into listener accept queue.
297 	 */
298 	return child;
299 }
300 
301 static bool tcp_fastopen_queue_check(struct sock *sk)
302 {
303 	struct fastopen_queue *fastopenq;
304 
305 	/* Make sure the listener has enabled fastopen, and we don't
306 	 * exceed the max # of pending TFO requests allowed before trying
307 	 * to validating the cookie in order to avoid burning CPU cycles
308 	 * unnecessarily.
309 	 *
310 	 * XXX (TFO) - The implication of checking the max_qlen before
311 	 * processing a cookie request is that clients can't differentiate
312 	 * between qlen overflow causing Fast Open to be disabled
313 	 * temporarily vs a server not supporting Fast Open at all.
314 	 */
315 	fastopenq = &inet_csk(sk)->icsk_accept_queue.fastopenq;
316 	if (fastopenq->max_qlen == 0)
317 		return false;
318 
319 	if (fastopenq->qlen >= fastopenq->max_qlen) {
320 		struct request_sock *req1;
321 		spin_lock(&fastopenq->lock);
322 		req1 = fastopenq->rskq_rst_head;
323 		if (!req1 || time_after(req1->rsk_timer.expires, jiffies)) {
324 			__NET_INC_STATS(sock_net(sk),
325 					LINUX_MIB_TCPFASTOPENLISTENOVERFLOW);
326 			spin_unlock(&fastopenq->lock);
327 			return false;
328 		}
329 		fastopenq->rskq_rst_head = req1->dl_next;
330 		fastopenq->qlen--;
331 		spin_unlock(&fastopenq->lock);
332 		reqsk_put(req1);
333 	}
334 	return true;
335 }
336 
337 static bool tcp_fastopen_no_cookie(const struct sock *sk,
338 				   const struct dst_entry *dst,
339 				   int flag)
340 {
341 	return (sock_net(sk)->ipv4.sysctl_tcp_fastopen & flag) ||
342 	       tcp_sk(sk)->fastopen_no_cookie ||
343 	       (dst && dst_metric(dst, RTAX_FASTOPEN_NO_COOKIE));
344 }
345 
346 /* Returns true if we should perform Fast Open on the SYN. The cookie (foc)
347  * may be updated and return the client in the SYN-ACK later. E.g., Fast Open
348  * cookie request (foc->len == 0).
349  */
350 struct sock *tcp_try_fastopen(struct sock *sk, struct sk_buff *skb,
351 			      struct request_sock *req,
352 			      struct tcp_fastopen_cookie *foc,
353 			      const struct dst_entry *dst)
354 {
355 	bool syn_data = TCP_SKB_CB(skb)->end_seq != TCP_SKB_CB(skb)->seq + 1;
356 	int tcp_fastopen = sock_net(sk)->ipv4.sysctl_tcp_fastopen;
357 	struct tcp_fastopen_cookie valid_foc = { .len = -1 };
358 	struct sock *child;
359 	int ret = 0;
360 
361 	if (foc->len == 0) /* Client requests a cookie */
362 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENCOOKIEREQD);
363 
364 	if (!((tcp_fastopen & TFO_SERVER_ENABLE) &&
365 	      (syn_data || foc->len >= 0) &&
366 	      tcp_fastopen_queue_check(sk))) {
367 		foc->len = -1;
368 		return NULL;
369 	}
370 
371 	if (tcp_fastopen_no_cookie(sk, dst, TFO_SERVER_COOKIE_NOT_REQD))
372 		goto fastopen;
373 
374 	if (foc->len == 0) {
375 		/* Client requests a cookie. */
376 		tcp_fastopen_cookie_gen(sk, req, skb, &valid_foc);
377 	} else if (foc->len > 0) {
378 		ret = tcp_fastopen_cookie_gen_check(sk, req, skb, foc,
379 						    &valid_foc);
380 		if (!ret) {
381 			NET_INC_STATS(sock_net(sk),
382 				      LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
383 		} else {
384 			/* Cookie is valid. Create a (full) child socket to
385 			 * accept the data in SYN before returning a SYN-ACK to
386 			 * ack the data. If we fail to create the socket, fall
387 			 * back and ack the ISN only but includes the same
388 			 * cookie.
389 			 *
390 			 * Note: Data-less SYN with valid cookie is allowed to
391 			 * send data in SYN_RECV state.
392 			 */
393 fastopen:
394 			child = tcp_fastopen_create_child(sk, skb, req);
395 			if (child) {
396 				if (ret == 2) {
397 					valid_foc.exp = foc->exp;
398 					*foc = valid_foc;
399 					NET_INC_STATS(sock_net(sk),
400 						      LINUX_MIB_TCPFASTOPENPASSIVEALTKEY);
401 				} else {
402 					foc->len = -1;
403 				}
404 				NET_INC_STATS(sock_net(sk),
405 					      LINUX_MIB_TCPFASTOPENPASSIVE);
406 				return child;
407 			}
408 			NET_INC_STATS(sock_net(sk),
409 				      LINUX_MIB_TCPFASTOPENPASSIVEFAIL);
410 		}
411 	}
412 	valid_foc.exp = foc->exp;
413 	*foc = valid_foc;
414 	return NULL;
415 }
416 
417 bool tcp_fastopen_cookie_check(struct sock *sk, u16 *mss,
418 			       struct tcp_fastopen_cookie *cookie)
419 {
420 	const struct dst_entry *dst;
421 
422 	tcp_fastopen_cache_get(sk, mss, cookie);
423 
424 	/* Firewall blackhole issue check */
425 	if (tcp_fastopen_active_should_disable(sk)) {
426 		cookie->len = -1;
427 		return false;
428 	}
429 
430 	dst = __sk_dst_get(sk);
431 
432 	if (tcp_fastopen_no_cookie(sk, dst, TFO_CLIENT_NO_COOKIE)) {
433 		cookie->len = -1;
434 		return true;
435 	}
436 	if (cookie->len > 0)
437 		return true;
438 	tcp_sk(sk)->fastopen_client_fail = TFO_COOKIE_UNAVAILABLE;
439 	return false;
440 }
441 
442 /* This function checks if we want to defer sending SYN until the first
443  * write().  We defer under the following conditions:
444  * 1. fastopen_connect sockopt is set
445  * 2. we have a valid cookie
446  * Return value: return true if we want to defer until application writes data
447  *               return false if we want to send out SYN immediately
448  */
449 bool tcp_fastopen_defer_connect(struct sock *sk, int *err)
450 {
451 	struct tcp_fastopen_cookie cookie = { .len = 0 };
452 	struct tcp_sock *tp = tcp_sk(sk);
453 	u16 mss;
454 
455 	if (tp->fastopen_connect && !tp->fastopen_req) {
456 		if (tcp_fastopen_cookie_check(sk, &mss, &cookie)) {
457 			inet_sk(sk)->defer_connect = 1;
458 			return true;
459 		}
460 
461 		/* Alloc fastopen_req in order for FO option to be included
462 		 * in SYN
463 		 */
464 		tp->fastopen_req = kzalloc(sizeof(*tp->fastopen_req),
465 					   sk->sk_allocation);
466 		if (tp->fastopen_req)
467 			tp->fastopen_req->cookie = cookie;
468 		else
469 			*err = -ENOBUFS;
470 	}
471 	return false;
472 }
473 EXPORT_SYMBOL(tcp_fastopen_defer_connect);
474 
475 /*
476  * The following code block is to deal with middle box issues with TFO:
477  * Middlebox firewall issues can potentially cause server's data being
478  * blackholed after a successful 3WHS using TFO.
479  * The proposed solution is to disable active TFO globally under the
480  * following circumstances:
481  *   1. client side TFO socket receives out of order FIN
482  *   2. client side TFO socket receives out of order RST
483  *   3. client side TFO socket has timed out three times consecutively during
484  *      or after handshake
485  * We disable active side TFO globally for 1hr at first. Then if it
486  * happens again, we disable it for 2h, then 4h, 8h, ...
487  * And we reset the timeout back to 1hr when we see a successful active
488  * TFO connection with data exchanges.
489  */
490 
491 /* Disable active TFO and record current jiffies and
492  * tfo_active_disable_times
493  */
494 void tcp_fastopen_active_disable(struct sock *sk)
495 {
496 	struct net *net = sock_net(sk);
497 
498 	if (!sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout)
499 		return;
500 
501 	/* Paired with READ_ONCE() in tcp_fastopen_active_should_disable() */
502 	WRITE_ONCE(net->ipv4.tfo_active_disable_stamp, jiffies);
503 
504 	/* Paired with smp_rmb() in tcp_fastopen_active_should_disable().
505 	 * We want net->ipv4.tfo_active_disable_stamp to be updated first.
506 	 */
507 	smp_mb__before_atomic();
508 	atomic_inc(&net->ipv4.tfo_active_disable_times);
509 
510 	NET_INC_STATS(net, LINUX_MIB_TCPFASTOPENBLACKHOLE);
511 }
512 
513 /* Calculate timeout for tfo active disable
514  * Return true if we are still in the active TFO disable period
515  * Return false if timeout already expired and we should use active TFO
516  */
517 bool tcp_fastopen_active_should_disable(struct sock *sk)
518 {
519 	unsigned int tfo_bh_timeout = sock_net(sk)->ipv4.sysctl_tcp_fastopen_blackhole_timeout;
520 	unsigned long timeout;
521 	int tfo_da_times;
522 	int multiplier;
523 
524 	if (!tfo_bh_timeout)
525 		return false;
526 
527 	tfo_da_times = atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times);
528 	if (!tfo_da_times)
529 		return false;
530 
531 	/* Paired with smp_mb__before_atomic() in tcp_fastopen_active_disable() */
532 	smp_rmb();
533 
534 	/* Limit timeout to max: 2^6 * initial timeout */
535 	multiplier = 1 << min(tfo_da_times - 1, 6);
536 
537 	/* Paired with the WRITE_ONCE() in tcp_fastopen_active_disable(). */
538 	timeout = READ_ONCE(sock_net(sk)->ipv4.tfo_active_disable_stamp) +
539 		  multiplier * tfo_bh_timeout * HZ;
540 	if (time_before(jiffies, timeout))
541 		return true;
542 
543 	/* Mark check bit so we can check for successful active TFO
544 	 * condition and reset tfo_active_disable_times
545 	 */
546 	tcp_sk(sk)->syn_fastopen_ch = 1;
547 	return false;
548 }
549 
550 /* Disable active TFO if FIN is the only packet in the ofo queue
551  * and no data is received.
552  * Also check if we can reset tfo_active_disable_times if data is
553  * received successfully on a marked active TFO sockets opened on
554  * a non-loopback interface
555  */
556 void tcp_fastopen_active_disable_ofo_check(struct sock *sk)
557 {
558 	struct tcp_sock *tp = tcp_sk(sk);
559 	struct dst_entry *dst;
560 	struct sk_buff *skb;
561 
562 	if (!tp->syn_fastopen)
563 		return;
564 
565 	if (!tp->data_segs_in) {
566 		skb = skb_rb_first(&tp->out_of_order_queue);
567 		if (skb && !skb_rb_next(skb)) {
568 			if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) {
569 				tcp_fastopen_active_disable(sk);
570 				return;
571 			}
572 		}
573 	} else if (tp->syn_fastopen_ch &&
574 		   atomic_read(&sock_net(sk)->ipv4.tfo_active_disable_times)) {
575 		dst = sk_dst_get(sk);
576 		if (!(dst && dst->dev && (dst->dev->flags & IFF_LOOPBACK)))
577 			atomic_set(&sock_net(sk)->ipv4.tfo_active_disable_times, 0);
578 		dst_release(dst);
579 	}
580 }
581 
582 void tcp_fastopen_active_detect_blackhole(struct sock *sk, bool expired)
583 {
584 	u32 timeouts = inet_csk(sk)->icsk_retransmits;
585 	struct tcp_sock *tp = tcp_sk(sk);
586 
587 	/* Broken middle-boxes may black-hole Fast Open connection during or
588 	 * even after the handshake. Be extremely conservative and pause
589 	 * Fast Open globally after hitting the third consecutive timeout or
590 	 * exceeding the configured timeout limit.
591 	 */
592 	if ((tp->syn_fastopen || tp->syn_data || tp->syn_data_acked) &&
593 	    (timeouts == 2 || (timeouts < 2 && expired))) {
594 		tcp_fastopen_active_disable(sk);
595 		NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPFASTOPENACTIVEFAIL);
596 	}
597 }
598